Re: [PATCH v2 5/7] crypto: gcm - fix incompatibility between "gcm" and "gcm_base"

On Thu, Apr 18, 2019 at 10:00:06PM +0800, Herbert Xu wrote:
> Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > @@ -638,7 +637,7 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl,
> >                goto err_free_inst;
> > 
> >        err = -EINVAL;
> > -       if (ghash->digestsize != 16)
> > +       if (strcmp(ghash->base.cra_name, "ghash") != 0)
> >                goto err_drop_ghash;
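Review bot: the `+` line replaces the `digestsize != 16` test rather than adding the name test beside it. A `cra_name` comparison only confirms what the algorithm was registered as, not that it produces the 16-byte digest that GCM relies on, so keep both conditions in one check, e.g. `if (strcmp(ghash->base.cra_name, "ghash") != 0 || ghash->digestsize != 16)` before `goto err_drop_ghash;`, so that an algorithm registered under the name "ghash" with an unexpected digest size is still rejected.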
> 
> We should keep both tests because the self-tests can be compiled
> out so there is no guarantee that something claiming to be ghash
> actually is ghash.
> 

I'm not necessarily opposed to doing this, but if we're assuming that untested,
arbitrarily broken algorithms may be registered with the crypto API under any
name, "ghash" could easily still be broken even if it declares a 16-byte digest
size.  Verifying the digest size is just an extra sanity check; we're really
still relying on the implementation to be correct.  (Same for the ccm patch.)

- Eric
