On Thu, Apr 18, 2019 at 11:41:46AM -0700, Eric Biggers wrote:
>
> I'm not necessarily opposed to doing this, but if we're assuming that untested,
> arbitrarily broken algorithms may be registered with the crypto API under any
> name, "ghash" could easily still be broken even if it declares a 16-byte digest
> size. Verifying the digest size is just an extra sanity check; we're really
> still relying on the implementation to be correct. (Same for the ccm patch.)

The check is not so much for the purpose of producing the correct output for
the given algorithm, since as you correctly stated that would rely on the
correctness of the underlying algorithm. It is more about not crashing when
the underlying algorithm has a geometry that is completely different (e.g., by
overwriting the digest buffer).

Come to think of it, perhaps we should check the geometry of algorithms even
when self-tests are compiled out. That way these checks could be replaced by a
simple name check. This would be good anyway because the self-tests may indeed
crash if an algorithm with an incorrect geometry is used.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
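The geometry problem Herbert describes, as an added example that is not code from the thread or from the kernel: a consumer with a fixed 16-byte tag buffer looks up a hash by name, and the only thing standing between a mis-registered "ghash" with the wrong digest size and an out-of-bounds write is a digest-size check before the buffer is used. The `hash_alg` struct, the two constructed "ghash" implementations and the canary bytes are stand-ins for the real crypto API (where the kernel consumer would read `crypto_ahash_digestsize()`), modelling only what the check needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TAG_SIZE 16        /* size of the consumer's fixed tag buffer */
#define CANARY   0x5C      /* constructed fill pattern past the tag */

/* Constructed stand-in for a registry entry: a name plus its digest geometry. */
struct hash_alg {
    const char *name;
    unsigned int digestsize;
    void (*final)(const struct hash_alg *alg, uint8_t *out);
};

/* Both "implementations" just fill digestsize bytes; the value is irrelevant. */
static void fill_final(const struct hash_alg *alg, uint8_t *out)
{
    memset(out, 0xAA, alg->digestsize);
}

/* A correctly registered "ghash" (16-byte digest) and a constructed
 * mis-registered one that declares a 32-byte digest under the same name. */
const struct hash_alg good_ghash = { "ghash", 16, fill_final };
const struct hash_alg bad_ghash  = { "ghash", 32, fill_final };

/* Name check only: trusts whatever was registered as "ghash". Returns 0. */
int finalize_unchecked(const struct hash_alg *alg, uint8_t *tag)
{
    if (strcmp(alg->name, "ghash") != 0)
        return -1;
    alg->final(alg, tag);            /* writes digestsize bytes, may overrun */
    return 0;
}

/* Name check plus geometry check: rejects (-1) any digest size other than
 * TAG_SIZE before a single byte is written into the caller's buffer. */
int finalize_checked(const struct hash_alg *alg, uint8_t *tag)
{
    if (strcmp(alg->name, "ghash") != 0 || alg->digestsize != TAG_SIZE)
        return -1;
    alg->final(alg, tag);
    return 0;
}

/* Returns 1 if bytes [tag_len, total) still hold the canary, 0 if clobbered. */
int canary_intact(const uint8_t *buf, size_t tag_len, size_t total)
{
    for (size_t i = tag_len; i < total; i++)
        if (buf[i] != CANARY)
            return 0;
    return 1;
}
```

The buffer handed to the unchecked path is deliberately larger than the tag so the overrun lands on the canary instead of on unrelated memory; a real consumer has no such slack.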