fe8de3da13
Switch the FILS AEAD code to use a cmac(aes) shash instantiated by the crypto API rather than reusing the open coded implementation in aes_cmac_vector(). This makes the code more understandable, and allows platforms to implement cmac(aes) in a more secure (*) and efficient way than is typically possible when using the AES cipher directly. So replace the crypto_cipher by a crypto_shash, and update the aes_s2v() routine to call the shash interface directly. * In particular, the generic table based AES implementation is sensitive to known-plaintext timing attacks on the key, to which AES based MAC algorithms are especially vulnerable, given that their plaintext is not usually secret. Time invariant alternatives are available (e.g., based on SIMD algorithms), but may incur a setup cost that is prohibitive when operating on a single block at a time, which is why they don't usually expose the cipher API. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
22 lines
718 B
C
22 lines
718 B
C
/*
|
|
* Copyright 2008, Jouni Malinen <j@w1.fi>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*/
|
|
|
|
#ifndef AES_CMAC_H
|
|
#define AES_CMAC_H
|
|
|
|
#include <linux/crypto.h>
|
|
|
|
struct crypto_cipher *ieee80211_aes_cmac_key_setup(const u8 key[],
|
|
size_t key_len);
|
|
void ieee80211_aes_cmac(struct crypto_cipher *tfm, const u8 *aad,
|
|
const u8 *data, size_t data_len, u8 *mic);
|
|
void ieee80211_aes_cmac_256(struct crypto_cipher *tfm, const u8 *aad,
|
|
const u8 *data, size_t data_len, u8 *mic);
|
|
void ieee80211_aes_cmac_key_free(struct crypto_cipher *tfm);
|
|
|
|
#endif /* AES_CMAC_H */
|