diff options
| -rw-r--r-- | crypto/drbg.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/crypto/drbg.c b/crypto/drbg.c index 99fa8f89fb3e..3f0b7e0f8bac 100644 --- a/crypto/drbg.c +++ b/crypto/drbg.c | |||
| @@ -446,8 +446,16 @@ static int drbg_ctr_bcc(struct drbg_state *drbg, | |||
| 446 | * length: drbg_blocklen(drbg) | 446 | * length: drbg_blocklen(drbg) |
| 447 | * temp | 447 | * temp |
| 448 | * start: iv + drbg_blocklen(drbg) | 448 | * start: iv + drbg_blocklen(drbg) |
| 449 | * length: (drbg_keylen(drbg) + drbg_blocklen(drbg) == | 449 | * length: drbg_satelen(drbg) + drbg_blocklen(drbg) |
| 450 | * drbg_statelen(drbg)) | 450 | * note: temp is the buffer that the BCC function operates |
| 451 | * on. BCC operates blockwise. drbg_statelen(drbg) | ||
| 452 | * is sufficient when the DRBG state length is a multiple | ||
| 453 | * of the block size. For AES192 (and maybe other ciphers) | ||
| 454 | * this is not correct and the length for temp is | ||
| 455 | * insufficient (yes, that also means for such ciphers, | ||
| 456 | * the final output of all BCC rounds are truncated). | ||
| 457 | * Therefore, add drbg_blocklen(drbg) to cover all | ||
| 458 | * possibilities. | ||
| 451 | */ | 459 | */ |
| 452 | 460 | ||
| 453 | /* Derivation Function for CTR DRBG as defined in 10.4.2 */ | 461 | /* Derivation Function for CTR DRBG as defined in 10.4.2 */ |
| @@ -1205,7 +1213,7 @@ static inline int drbg_alloc_state(struct drbg_state *drbg) | |||
| 1205 | drbg_statelen(drbg) + /* df_data */ | 1213 | drbg_statelen(drbg) + /* df_data */ |
| 1206 | drbg_blocklen(drbg) + /* pad */ | 1214 | drbg_blocklen(drbg) + /* pad */ |
| 1207 | drbg_blocklen(drbg) + /* iv */ | 1215 | drbg_blocklen(drbg) + /* iv */ |
| 1208 | drbg_statelen(drbg); /* temp */ | 1216 | drbg_statelen(drbg) + drbg_blocklen(drbg); /* temp */ |
| 1209 | else | 1217 | else |
| 1210 | sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); | 1218 | sb_size = drbg_statelen(drbg) + drbg_blocklen(drbg); |
| 1211 | 1219 | ||