On Sun, Dec 06, 2015 at 02:51:37AM +0100, Jason A. Donenfeld wrote:
> Some ciphers actually support encrypting zero length plaintexts. For
> example, many AEAD modes support this. The resulting ciphertext for
> those winds up being only the authentication tag, which is a result of
> the key, the iv, the additional data, and the fact that the plaintext
> had zero length. The blkcipher constructors won't copy the IV to the
> right place, however, when using a zero length input, resulting in
> some significant problems when ciphers call their initialization
> routines, only to find that the ->iv parameter is uninitialized. One
> such example of this would be using chacha20poly1305 with a zero length
> input, which then calls chacha20, which calls the key setup routine,
> which eventually OOPSes due to the uninitialized ->iv member.
> 
> Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com>
> Cc: <sta...@vger.kernel.org>

Applied to crypto.
-- 
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html