Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2797042ybi; Mon, 17 Jun 2019 10:36:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqx59A32F9AbIPZqf1PB2fhHckweD1R18YcPS/C0yk/zc/PfwDR5ynt44/BItRIraYaS76c3 X-Received: by 2002:a17:90a:b294:: with SMTP id c20mr27726844pjr.16.1560792602594; Mon, 17 Jun 2019 10:30:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560792602; cv=none; d=google.com; s=arc-20160816; b=1Eae1ex8idXsyuTj7mskUovkiS8ZtGsl5LGC11To7LjR48lGhTLE7NCT1jcf3FZq08 rwBMQ5RIV2I8RLduszBr02N3Iu8tGMcvzaodEEyG0Wvt8WORt8iON6ts9qGVEbF5YJHK fv2XfgcVPxfIaEfYT0mmr+tTqBDAp1njezQDHO2c/n/vnIZNmZzyoPXonHI++u464nvr mrtIJoWrJXnus9mORrwn14XEFINQ1+AtmPO/XqVUONRb96yo2vj2dvhiIuOqOHzOt1Nm mAaTggIPWiMdtFVHPWpFuflYgcOddGptR/Ge9GZxjVg4WGr8nh9NrYQQuhvL1vDLl0c9 AT/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Tx+RieQLyQ+lh9UZ5H0F2WZBvGEsSZxqyVbasY51tYI=; b=ukjOZvSupJR+3yGxDmJo5KFHhr5++kYph2OJL762S2Pz5o5mygmITzMEhcDvppfGLj 5B85FxTJTgFMIMPgf5MtO39ZZqp5vdCMhKV+r40RagopoYF/p4BYV7wCmldWKmCIJujT Y/fplpigVwwbRZihr3xYsw1GES96ygR1jrbfJVR7ae/yj667xFvRqSmaWvjCyn8biUsc dkDLINJjLRiBJsmyfged9/IBXgywHIKpVYqftQJSh4P3LvptrECeEHSm6kPhJ1kot5r3 4Z4STMjp8N4IixCZGC7blHCCuUcpdqWaxLqQiJgKqdQVpJO8GyG6/BzIaefkvzaYJO82 Av1g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=EvlURp56; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a19si7368049pgm.434.2019.06.17.10.29.48; Mon, 17 Jun 2019 10:30:02 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=EvlURp56; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726173AbfFQR3q (ORCPT + 99 others); Mon, 17 Jun 2019 13:29:46 -0400 Received: from mail-io1-f66.google.com ([209.85.166.66]:46137 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726005AbfFQR3p (ORCPT ); Mon, 17 Jun 2019 13:29:45 -0400 Received: by mail-io1-f66.google.com with SMTP id i10so22856767iol.13 for ; Mon, 17 Jun 2019 10:29:45 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Tx+RieQLyQ+lh9UZ5H0F2WZBvGEsSZxqyVbasY51tYI=; b=EvlURp56PD/fZX3/f33oR7xEaNAktTY52gbQTnuJRvCuz7+8Heh+Ogh2nsPdyPhnVb q9ugzxFcpzIBHr/3vlnj622rRRZNCvwBaTrDgMvzuhqEKsIpNRpwSPJH2A/mAavcwI+c t9lV5X0NeJSUF8ZrXKcB/RRwheqdUONQNKnMrhZ9oGfDargEMn9zhcznvPfFtKs0CTY5 3hLpyAFpTLDmasBUrothylE6kwy0X4ROxGkA31/Q5oZU4w9GcxajQ5tTg9Ua3ut4z2D8 G5syZjvMh9NeeIIzkkk44nw9+FAciFINwWM/6CRlfOXjjGHN9cXve/6nMvROqwqxWOvn zAFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Tx+RieQLyQ+lh9UZ5H0F2WZBvGEsSZxqyVbasY51tYI=; b=W1fKAKkJrgX+DRI/jO/c7bpPWa8DHye2954EXUFsvcG0p94vy36TEpVyKBDFlrFrxL QL2Sl+9fkUI1+/25faxMTQ4ACoOXVdZ7DNnjYo4++7MpS/Sl7Xdao3IwA7YwFOSzomtB a1/8CnwwZFb+gGvpFNlm2L1NJMFXyt9J0xloewkFSy/a8K0jB9PgVdi3E4YJOTAyQSxc QiJBKlt2fr63sC3Q4Edkd0CP2XSGMt5Kpw7iJDy5munMeBo2oM9PIW5KAZv4vMEGM2Us RIe9xjnElRep7nzn5XCYTR47KoMVOUfBOfFvvwyhHfubgKjrAwQxEo6wuUit+L1/HrRS vCBA== X-Gm-Message-State: APjAAAXxYfE8wsYA69E4f8wGZbyDBbY7fl6NV9IN1wm7LYjnvRjIDduw Ydrqgie/VQmV7NZjjYOC9VwtcZxH4roeXzVH8YA21w== X-Received: by 2002:a5d:9456:: with SMTP id x22mr3034719ior.71.1560792580222; Mon, 17 Jun 2019 10:29:40 -0700 (PDT) MIME-Version: 1.0 References: <20190614083404.20514-1-ard.biesheuvel@linaro.org> <20190616204419.GE923@sol.localdomain> <8e58230a-cf0e-5a81-886b-6aa72a8e5265@gmail.com> <90214c3d-55ef-cc3a-3a04-f200d6f96cfd@gmail.com> In-Reply-To: From: Ard Biesheuvel Date: Mon, 17 Jun 2019 19:29:27 +0200 Message-ID: Subject: Re: [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation To: Milan Broz Cc: Gilad Ben-Yossef , Eric Biggers , device-mapper development , linux-fscrypt@vger.kernel.org, Linux Crypto Mailing List , Herbert Xu Content-Type: text/plain; charset="UTF-8" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Mon, 17 Jun 2019 at 19:05, Milan Broz wrote: > > On 17/06/2019 16:39, Ard Biesheuvel wrote: > >> > >> In other words, if you add some additional limit, we are breaking backward compatibility. > >> (Despite the configuration is "wrong" from the security point of view.) > >> > > > > Yes, but breaking backward compatibility only happens if you break > > something that is actually being *used*. So sure, > > xts(aes)-essiv:sha256 makes no sense but people use it anyway. But is > > that also true for, say, gcm(aes)-essiv:sha256 ? > > These should not be used. The only way when ESSIV can combine with AEAD mode > is when you combine length-preserving mode with additional integrity tag, for example > > # cryptsetup luksFormat -c aes-cbc-essiv:sha256 --integrity hmac-sha256 /dev/sdb > > it will produce this dm-crypt cipher spec: > capi:authenc(hmac(sha256),cbc(aes))-essiv:sha256 > > the authenc(hmac(sha256),cbc(aes)) is direct crypto API cipher composition, the essiv:sha256 > IV is processed inside dm-crypt as IV. > > So if authenc() composition is problem, then yes, I am afraid these can be used in reality. > > But for things like gcm(aes)-essiv:sha256 (IOW real AEAD mode with ESSIV) - these are > not supported by cryptsetup (we support only random IV in this case), so these should > not be used anywhere. > OK, understood. Unfortunately, that means that the essiv template should be dynamically instantiated as either a aead or a skcipher depending on the context, but perhaps this is not a big deal in reality, I will check. One final question before I can proceed with my v2: in crypt_ctr_blkdev_cipher(), do you think we could change the code to look at the cipher string rather than the name of the actual cipher? In practice, I don't think they can be different, but in order to be able to instantiate 'essiv(authenc(hmac(sha256),cbc(aes)),sha256,aes)', the cipher part needs to be parsed before the TFM(s) are instantiated.