Re: [PATCH v2 5/7] crypto: gcm - fix incompatibility between "gcm" and "gcm_base"

On Thu, Apr 18, 2019 at 11:41:46AM -0700, Eric Biggers wrote:
>
> I'm not necessarily opposed to doing this, but if we're assuming that untested,
> arbitrarily broken algorithms may be registered with the crypto API under any
> name, "ghash" could easily still be broken even if it declares a 16-byte digest
> size.  Verifying the digest size is just an extra sanity check; we're really
> still relying on the implementation to be correct.  (Same for the ccm patch.)

The check is not so much for the purpose of producing the correct
output for the given algorithm, since as you correctly stated that
would rely on the correctness of the underlying algorithm.  It is
more about not crashing when the underlying algorithm has a geometry
that is completely different (e.g., by overwriting the digest
buffer).

Come to think of it, perhaps we should check the geometry of
algorithms even when self-tests are compiled out.  That way these
checks could be replaced by a simple name check.

This would be good anyway because the self-tests may indeed crash
if an algorithm with an incorrect geometry is used.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
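As an added illustration (not code from the patch series or the kernel tree), the kind of geometry check the reply describes: a GCM-style wrapper that stores the GHASH output in a fixed 16-byte tag buffer refuses an underlying hash or counter mode whose digest size, block size or IV size does not match, instead of trusting the algorithm name alone. The descriptor structs, function names and sample descriptors below are hypothetical stand-ins for the kernel's algorithm structures.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical descriptors standing in for the kernel's algorithm structs. */
struct hash_desc   { const char *name; unsigned int digestsize; };
struct cipher_desc { const char *name; unsigned int blocksize; unsigned int ivsize; };

#define GCM_TAG_SIZE 16

/* The wrapper writes the hash output into a fixed 16-byte tag buffer, so a
 * hash with a larger digest would overrun it; the keystream generator must
 * behave like "ctr" (1-byte block size, 16-byte IV) for the fixed layout of
 * J0/counter blocks to be valid.  Reject anything else at instantiation. */
int gcm_check_geometry(const struct hash_desc *ghash, const struct cipher_desc *ctr)
{
    if (ghash->digestsize != GCM_TAG_SIZE)
        return -EINVAL;
    if (ctr->blocksize != 1 || ctr->ivsize != 16)
        return -EINVAL;
    return 0;
}

/* Copy a digest into the fixed tag buffer only if the geometry was verified,
 * so a mismatched hash can never write past the end of 'tag'. */
int gcm_store_tag(const struct hash_desc *ghash, const unsigned char *digest,
                  unsigned char tag[GCM_TAG_SIZE])
{
    if (ghash->digestsize != GCM_TAG_SIZE)
        return -EINVAL;
    memcpy(tag, digest, GCM_TAG_SIZE);
    return 0;
}

/* Constructed sample descriptors: one conforming pair and two mismatches. */
const struct hash_desc   ghash_ok      = { "ghash",        16 };
const struct hash_desc   ghash_wide    = { "ghash-broken", 32 };
const struct cipher_desc ctr_ok        = { "ctr(aes)",      1, 16 };
const struct cipher_desc ctr_blockwise = { "ecb(aes)",     16,  0 };
```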

