On Thu, Apr 18, 2019 at 10:00:06PM +0800, Herbert Xu wrote:
> Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > @@ -638,7 +637,7 @@ static int crypto_gcm_create_common(struct crypto_template *tmpl,
> >  goto err_free_inst;
> >
> >  err = -EINVAL;
> > - if (ghash->digestsize != 16)
> > + if (strcmp(ghash->base.cra_name, "ghash") != 0)
> >  goto err_drop_ghash;
>
> We should keep both tests because the self-tests can be compiled
> out so there is no guarantee that something claiming to be ghash
> actually is ghash.
>

I'm not necessarily opposed to doing this, but if we're assuming that
untested, arbitrarily broken algorithms may be registered with the crypto
API under any name, "ghash" could easily still be broken even if it
declares a 16-byte digest size. Verifying the digest size is just an
extra sanity check; we're really still relying on the implementation to
be correct. (Same for the ccm patch.)

- Eric
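Review bot: the hunk in crypto_gcm_create_common() drops the `ghash->digestsize != 16` test rather than adding the name check alongside it, so after this change the only thing standing between GCM and a mis-sized hash is the string "ghash" in cra_name; an algorithm registered under that name with a different digestsize would now pass where it previously failed with -EINVAL, which is exactly the case Herbert raises when the self-tests are compiled out. Suggest keeping both conditions in the one branch, e.g. `if (strcmp(ghash->base.cra_name, "ghash") != 0 || ghash->digestsize != 16)` followed by the existing `goto err_drop_ghash;`, so the 16-byte requirement GCM relies on is still enforced at instantiation time and the name check only narrows which algorithms are accepted. The same consideration applies to the companion ccm patch mentioned at the end of the thread.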