Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2820004ybi; Mon, 17 Jun 2019 10:55:58 -0700 (PDT) X-Google-Smtp-Source: APXvYqzpAEIFTYYYfktkczieZPWd8m4imVahHsbuRzcRRGYhZbn3g2X2vTZvVKfnPEKtvwZ/dE2a X-Received: by 2002:a17:902:28e9:: with SMTP id f96mr61571281plb.114.1560793990889; Mon, 17 Jun 2019 10:53:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560793990; cv=none; d=google.com; s=arc-20160816; b=mwUcAY94nxpt03JGYQ+uNYbeQ2p3D/oyAKfhe7J/Y2DSMTf7Y/OrL9bKCfTNXMjQEg GdXWOGt1axQF9tkVcyIwI17X0L6igE2aqkg34o2LLo/y9aYFzUgd4UGB4hYjSrBGUrwO R8gKnq9EsqLuhCrDoxFddvTvFlYpSXfaj9Y1rtmF35uwbRcH3UgXIlE+mOGYcs2qdcJy 4/fABi/zoFqjGO9rbeuQfsQ/mS+RlyPBM3P4hxwPGAzzW3krupHGRWlsedUjDuBq9wwf OETZczE7Xl43hvahFPjO4Zxkyw2Z0R4whvqPApLDmhqbsl0+eqIHVUHfc6b6f/9KQXqa /LgA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject:dkim-signature; bh=FMNyAGci+1vv5qg7rKwKydEtDLbo9Wlt1X0ych19Ewc=; b=aweasgKkZq7qcQYaWJWGQ/z3tj0GdymUOZ9OHoL1pnWgEK52pjRnI5AQkFPI7DL3sO 2uTqa/El0LPGStrafoJzA61K5fD1/vhodVvj0JSppr7BpgiaOtHroNiZCDJAdXWtpEpF x5uNNYUHeh1uZvMyqstowU88aee4gV27jxfXb3Tth9t9bduB9YNdG2Xwtwl3kERWfq5p /Zdy21c6+wyLfGR110arz4sF2Bv5wZIiL83Z8dId9U78pN956vnxlIqUaZ4xPcOEv1UL isQUoRrqALPRukTiMIk6AttsErNOoraCxOr5CowY2lABwCrVUspzfvigYLQwEvHoY16z bU8Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=urmUSgh9; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e8si10987219pgs.308.2019.06.17.10.52.54; Mon, 17 Jun 2019 10:53:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=urmUSgh9; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725995AbfFQRwj (ORCPT + 99 others); Mon, 17 Jun 2019 13:52:39 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:36602 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726047AbfFQRwj (ORCPT ); Mon, 17 Jun 2019 13:52:39 -0400 Received: by mail-wr1-f67.google.com with SMTP id n4so2860813wrs.3; Mon, 17 Jun 2019 10:52:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=FMNyAGci+1vv5qg7rKwKydEtDLbo9Wlt1X0ych19Ewc=; b=urmUSgh9tF3F62J4bEZmojsMD4JAHsM3KUMy4kiZL62eDAvkdCtyuPW/UKA3Ica0uW 0ZTLGLk+2Z1otWThtmM2jSTJCg6gIuDD9p2loMDnCEJjcgYvh1CYxWhD1FzuAhtuGp/z SiAoGTI8xItGjWpW5D/uL0U+ZbRRXhT6bE9ihyJLQblbgEFvExO6WO1xp+mxTMCKv5Ff b7EzOfK2aAYRmqttRzor8ZPw7jiGCAsjp6naQt7282xLNZHjLHrnN/nmrgfVghrIBx3k X4SFiWzKEbg5tuCgUH0+XTdfHN9uzvUp4iwCVTyHyG3O+sBbD21yYQk5p7ycHi4f/eJZ fIXQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=FMNyAGci+1vv5qg7rKwKydEtDLbo9Wlt1X0ych19Ewc=; b=KHFvJhAlnKDW6TSoUzPIj1IFiaw4st0ReOpl4TDqp4/sc3MCQ0BPM5sCor2gaERJvV R6Fhk39U8Oi2YyQRbXdUCmImTL7tF0MWiMLNI/mL77AE8M6lpZz1m3XjIi9E7D1cQAoR XxXRL9C9gmV8lBYEKqyWsUzDYAqtEVPd/LBn2vYraoNBn28HlYWL0smKEXw+a11B7ygb coMAviXmKe+l/GRlGnDeD4i+spGm4vXc4yrQvRBe5ugHjOnF8QRus2zviEFOym1rGCU9 cTzRgNTsl6csJ3LNBv7HBCsxMwvNfUL2yT7gaiRakApaUbRh5kQ4NQkmcd0mwv0GNp1h +7Fw== X-Gm-Message-State: APjAAAVYyqFjJhmfNmzK560IM0CB1e+Dlq8jVEFvkAFSBub/u/PVwSTl t/Y4w/TM9nyOcz83TVQ5nrS6uY1qQQJRMg== X-Received: by 2002:a5d:4d84:: with SMTP id b4mr25495595wru.242.1560793956857; Mon, 17 Jun 2019 10:52:36 -0700 (PDT) Received: from [192.168.2.28] (39.35.broadband4.iol.cz. [85.71.35.39]) by smtp.gmail.com with ESMTPSA id u2sm292638wmc.3.2019.06.17.10.52.35 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Mon, 17 Jun 2019 10:52:36 -0700 (PDT) Subject: Re: [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation To: Ard Biesheuvel Cc: Gilad Ben-Yossef , Eric Biggers , device-mapper development , linux-fscrypt@vger.kernel.org, Linux Crypto Mailing List , Herbert Xu References: <20190614083404.20514-1-ard.biesheuvel@linaro.org> <20190616204419.GE923@sol.localdomain> <8e58230a-cf0e-5a81-886b-6aa72a8e5265@gmail.com> <90214c3d-55ef-cc3a-3a04-f200d6f96cfd@gmail.com> From: Milan Broz Openpgp: preference=signencrypt Message-ID: <900cdd2e-eccc-3188-fdb0-911e713e0cda@gmail.com> Date: Mon, 17 Jun 2019 19:52:35 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 17/06/2019 19:29, Ard Biesheuvel wrote: > On Mon, 17 Jun 2019 at 19:05, Milan Broz wrote: >> >> On 17/06/2019 16:39, Ard Biesheuvel wrote: >>>> >>>> In other words, if you add some additional limit, we are breaking backward compatibility. >>>> (Despite the configuration is "wrong" from the security point of view.) >>>> >>> >>> Yes, but breaking backward compatibility only happens if you break >>> something that is actually being *used*. So sure, >>> xts(aes)-essiv:sha256 makes no sense but people use it anyway. But is >>> that also true for, say, gcm(aes)-essiv:sha256 ? >> >> These should not be used. The only way when ESSIV can combine with AEAD mode >> is when you combine length-preserving mode with additional integrity tag, for example >> >> # cryptsetup luksFormat -c aes-cbc-essiv:sha256 --integrity hmac-sha256 /dev/sdb >> >> it will produce this dm-crypt cipher spec: >> capi:authenc(hmac(sha256),cbc(aes))-essiv:sha256 >> >> the authenc(hmac(sha256),cbc(aes)) is direct crypto API cipher composition, the essiv:sha256 >> IV is processed inside dm-crypt as IV. >> >> So if authenc() composition is problem, then yes, I am afraid these can be used in reality. >> >> But for things like gcm(aes)-essiv:sha256 (IOW real AEAD mode with ESSIV) - these are >> not supported by cryptsetup (we support only random IV in this case), so these should >> not be used anywhere. >> > > OK, understood. Unfortunately, that means that the essiv template > should be dynamically instantiated as either a aead or a skcipher > depending on the context, but perhaps this is not a big deal in > reality, I will check. > > One final question before I can proceed with my v2: in > crypt_ctr_blkdev_cipher(), do you think we could change the code to > look at the cipher string rather than the name of the actual cipher? > In practice, I don't think they can be different, but in order to be > able to instantiate > 'essiv(authenc(hmac(sha256),cbc(aes)),sha256,aes)', the cipher part > needs to be parsed before the TFM(s) are instantiated. You mean to replace crypto_tfm_alg_name() with the cipher string from the device-mapper table constructor? I hope I am not missing anything, but it should be ok. It just could fail later (in tfm init). The constructor is de-facto atomic step for device-mapper, I think it does not matter when it fails, the effect of failure is the same for userspace. Milan