• Ard Biesheuvel's avatar
    mac80211: fils_aead: Use crypto api CMAC shash rather than bare cipher · fe8de3da
    Ard Biesheuvel authored
    Switch the FILS AEAD code to use a cmac(aes) shash instantiated by the
    crypto API rather than reusing the open coded implementation in
    aes_cmac_vector(). This makes the code more understandable, and allows
    platforms to implement cmac(aes) in a more secure (*) and efficient way
    than is typically possible when using the AES cipher directly.
    
    So replace the crypto_cipher by a crypto_shash, and update the aes_s2v()
    routine to call the shash interface directly.
    
    * In particular, the generic table based AES implementation is sensitive
      to known-plaintext timing attacks on the key, to which AES based MAC
      algorithms are especially vulnerable, given that their plaintext is not
      usually secret. Time invariant alternatives are available (e.g., based
      on SIMD algorithms), but may incur a setup cost that is prohibitive when
      operating on a single block at a time, which is why they don't usually
      expose the cipher API.
    Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    fe8de3da
Kconfig 9.41 KB