On Fri, May 17, 2019 at 11:06:10AM -0700, Eric Biggers wrote: > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > commit f699594d436960160f6d5ba84ed4a222f20d11cd upstream. > [Please apply to 4.4-stable.] > > GCM instances can be created by either the "gcm" template, which only > allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base", > which allows choosing the ctr and ghash implementations, e.g. > "gcm_base(ctr(aes-generic),ghash-generic)". > > However, a "gcm_base" instance prevents a "gcm" instance from being > registered using the same implementations. Nor will the instance be > found by lookups of "gcm". This can be used as a denial of service. > Moreover, "gcm_base" instances are never tested by the crypto > self-tests, even if there are compatible "gcm" tests. > > The root cause of these problems is that instances of the two templates > use different cra_names. Therefore, fix these problems by making > "gcm_base" instances set the same cra_name as "gcm" instances, e.g. > "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)". > > This requires extracting the block cipher name from the name of the ctr > algorithm. It also requires starting to verify that the algorithms are > really ctr and ghash, not something else entirely. But it would be > bizarre if anyone were actually using non-gcm-compatible algorithms with > gcm_base, so this shouldn't break anyone in practice. > > Fixes: d00aa19b507b ("[CRYPTO] gcm: Allow block cipher parameter") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx> > Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> > --- > crypto/gcm.c | 34 +++++++++++----------------------- > 1 file changed, 11 insertions(+), 23 deletions(-) Both now queued up, thanks. greg k-h