On Mon, 8 Apr 2019 at 20:28, Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > On Sun, Apr 07, 2019 at 07:12:43PM +0000, Pascal Van Leeuwen wrote: > > > > Fact is, there are at least 2 hardware device drivers NOT doing this - and > > I want to bet a nice sum of money there will be more - and that this has > > not been noticed prior to adding these tests to testmgr, otherwise this > > would have been fixed by now. Which seems to confirm that there is no > > real use case for this functionality. > > > > I really shouldn't have to say this, but just because something hasn't been > reported doesn't mean it's not a real problem. Someone could easily be affected > by one of these bugs where crypto drivers produce the wrong output, and never > notice it because their use case doesn't involve checking the output against > another implementation. Or, perhaps they noticed but never reported it > upstream. Or perhaps they didn't have the time or skill to debug the problem so > just they disabled the broken driver, or used No Crypto instead. > > That's why we have tests -- so bugs can be detected immediately rather than > maybe years out in the field after causing critical security vulnerabilities. > Perhaps we could wire this up using a CRYPTO_ALG flag? I.e., implementations that need the compliant behavior (such as cts) check for the flag, and the asynchronous implementations produce two versions, where the one that lacks the flag has a higher priority. That way, we don't take the performance hit in cases where it is not needed.
