Re: [PATCH 15/15] wifi: mac80211: Use AES-CMAC library in aes_s2v()

From: Eric Biggers

Date: Thu Feb 19 2026 - 17:15:35 EST

On Thu, Feb 19, 2026 at 12:01:14PM +0100, Johannes Berg wrote:
> On Wed, 2026-02-18 at 13:35 -0800, Eric Biggers wrote:
> > Now that AES-CMAC has a library API, convert aes_s2v() to use it instead
> > of a "cmac(aes)" crypto_shash. The result is faster and simpler code.
> >
> > It's also more reliable, since with the library the only step that can
> > fail is preparing the key. In contrast, crypto_shash_digest(),
> > crypto_shash_init(), crypto_shash_update(), and crypto_shash_final()
> > could all fail and return an errno value. aes_s2v() ignored these
> > errors, which was a bug. So that bug is fixed as well.
> >
> > As part of this, change the prototype of aes_s2v() to take the raw key
> > directly instead of a prepared key. Its only two callers prepare a key
> > for each call, so it might as well be done directly in aes_s2v().
> >
> > Since this removes the last dependency on the "cmac(aes)" crypto_shash
> > from mac80211, also remove the 'select CRYPTO_CMAC'.
> >
>
> > -static int aes_s2v(struct crypto_shash *tfm,
> > +static int aes_s2v(const u8 *in_key, size_t key_len,
> > size_t num_elem, const u8 *addr[], size_t len[], u8 *v)
> > {
> > u8 d[AES_BLOCK_SIZE], tmp[AES_BLOCK_SIZE] = {};
> > - SHASH_DESC_ON_STACK(desc, tfm);
> > + struct aes_cmac_key key;
> > + struct aes_cmac_ctx ctx;
> > size_t i;
> > + int res;
> >
> > - desc->tfm = tfm;
> > + res = aes_cmac_preparekey(&key, in_key, key_len);
> > + if (res)
> > + return res;
>
> Same here, maybe, technically, but also doesn't matter.
>
> Acked-by: Johannes Berg <johannes@xxxxxxxxxxxxxxxx>
>
> johannes

In this case aes_s2v() wouldn't otherwise be able to fail, so ignoring
the aes_cmac_preparekey() return value would indeed be a simplification.

However, since the key length isn't a compile-time constant here, we'd
have to rely on non-local validation, which isn't ideal.

To ignore the return value entirely I'd prefer a static_assert that the
length is equal to one of AES_KEYSIZE_*, which isn't possible here.

It's actually not clear to me where the length validation happens before
here. nl80211_associate() for example just copies the length from
userspace without validating it. ieee80211_mgd_assoc() only checks that
the length is at most FILS_MAX_KEK_LEN (64).

- Eric