From: Ard Biesheuvel
Date: Thu, 18 Jul 2019 09:28:03 +0200
Subject: Re: xts fuzz testing and lack of ciphertext stealing support
To: Herbert Xu
Cc: Horia Geanta, linux-crypto@vger.kernel.org, dm-devel@redhat.com
Message-ID:
In-Reply-To: <20190718072154.m2umem24x4grbf6w@gondor.apana.org.au>
References: <20190716221639.GA44406@gmail.com>
 <20190717172823.GA205944@gmail.com>
 <20190718065223.4xaefcwjoxvujntw@gondor.apana.org.au>
 <20190718072154.m2umem24x4grbf6w@gondor.apana.org.au>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, 18 Jul 2019 at 09:22, Herbert Xu wrote:
>
> On Thu, Jul 18, 2019 at 09:15:39AM +0200, Ard Biesheuvel wrote:
> >
> > Not just the generic implementation: there are numerous synchronous
> > and asynchronous implementations of xts(aes) in the kernel that would
> > have to be fixed, while there are no in-kernel users that actually
> > rely on CTS. Also, in the cbc case, we support CTS by wrapping it into
> > another template, i.e., cts(cbc(aes)).
> >
> > So retroactively redefining what xts(...) means seems like a bad idea
> > to me. If we want to support XTS ciphertext stealing for the benefit
> > of userland, let's do so via the existing cts template, and add
> > support for wrapping XTS to it.
>
> XTS without stealing should be renamed as XEX. Sure you can then
> wrap it inside cts to form xts but the end result needs to be called
> xts.
>

If we were adding XTS to the kernel today, then I would agree with you.
But xts() has an established meaning now, and I don't think it makes
sense to update all implementations for a theoretical use case, given
that no portable userland code can rely on the correct semantics today,
since CAAM is the only one that implements them correctly.

In any case, I won't have time to fix the ARM or arm64 implementations
(or review the changes if someone else steps up) until the end of
September.
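The distinction argued over in this exchange, XTS without ciphertext stealing (which on whole blocks is just XEX) versus IEEE 1619 XTS where a trailing partial block is handled by stealing from the last full block, as an added example that is not part of the original message and not the kernel's crypto code. The block cipher here is a constructed toy Feistel permutation keyed via SHA-256, standing in for AES so the example runs with the Python standard library alone; the mode layer on top of it (tweak encryption under the second key, multiplication by alpha in GF(2^128), and the last-two-block stealing step) follows the IEEE 1619 construction and does not depend on the block cipher. All function names, keys and inputs are this example's own.

```python
"""XEX (xts() without stealing) beside IEEE 1619 XTS with ciphertext stealing.
Added illustration; the block cipher is a constructed toy, not AES."""
import hashlib

BLOCK = 16  # block size in bytes, as for AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function of the constructed toy cipher (not secure, stands in for AES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed 4-round Feistel permutation on 16-byte blocks."""
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    assert len(block) == BLOCK
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def mul_alpha(t: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha in GF(2^128), little-endian as in IEEE 1619."""
    v = int.from_bytes(t, "little") << 1
    if v >> 128:
        v = (v & ((1 << 128) - 1)) ^ 0x87
    return v.to_bytes(BLOCK, "little")


def _tweaks(key2: bytes, tweak: bytes, n: int):
    """T_j = alpha^j * E_key2(tweak) for j = 0 .. n-1."""
    t = toy_block_encrypt(key2, tweak)
    for _ in range(n):
        yield t
        t = mul_alpha(t)


def _tb(f, key1: bytes, t: bytes, block: bytes) -> bytes:
    """One tweaked block operation: f_key1(block xor T) xor T."""
    return _xor(f(key1, _xor(block, t)), t)


def _xex(f, key1, key2, tweak, data):
    # XEX: tweaked block operations over a whole number of blocks, nothing else.
    if len(data) == 0 or len(data) % BLOCK:
        raise ValueError("xex: length must be a non-zero multiple of the block size")
    out = bytearray()
    for j, t in enumerate(_tweaks(key2, tweak, len(data) // BLOCK)):
        out += _tb(f, key1, t, data[j * BLOCK:(j + 1) * BLOCK])
    return bytes(out)


def xex_encrypt(key1, key2, tweak, pt):
    """XTS without ciphertext stealing, i.e. XEX: what the thread says xts() provides today."""
    return _xex(toy_block_encrypt, key1, key2, tweak, pt)


def xex_decrypt(key1, key2, tweak, ct):
    return _xex(toy_block_decrypt, key1, key2, tweak, ct)


def xts_encrypt(key1, key2, tweak, pt):
    """IEEE 1619 XTS: XEX on the full blocks plus ciphertext stealing for a trailing partial block."""
    m, rem = divmod(len(pt), BLOCK)
    if m == 0:
        raise ValueError("xts: need at least one full block")
    if rem == 0:
        return xex_encrypt(key1, key2, tweak, pt)
    ts = list(_tweaks(key2, tweak, m + 1))
    out = bytearray()
    for j in range(m - 1):
        out += _tb(toy_block_encrypt, key1, ts[j], pt[j * BLOCK:(j + 1) * BLOCK])
    p_last_full, p_partial = pt[(m - 1) * BLOCK:m * BLOCK], pt[m * BLOCK:]
    cc = _tb(toy_block_encrypt, key1, ts[m - 1], p_last_full)
    c_partial = cc[:rem]            # stolen: the first rem bytes of CC become the final partial block
    pp = p_partial + cc[rem:]       # partial plaintext padded with the tail of CC
    c_last_full = _tb(toy_block_encrypt, key1, ts[m], pp)
    return bytes(out) + c_last_full + c_partial


def xts_decrypt(key1, key2, tweak, ct):
    m, rem = divmod(len(ct), BLOCK)
    if m == 0:
        raise ValueError("xts: need at least one full block")
    if rem == 0:
        return xex_decrypt(key1, key2, tweak, ct)
    ts = list(_tweaks(key2, tweak, m + 1))
    out = bytearray()
    for j in range(m - 1):
        out += _tb(toy_block_decrypt, key1, ts[j], ct[j * BLOCK:(j + 1) * BLOCK])
    c_last_full, c_partial = ct[(m - 1) * BLOCK:m * BLOCK], ct[m * BLOCK:]
    pp = _tb(toy_block_decrypt, key1, ts[m], c_last_full)   # = P_m || tail of CC
    p_partial, cc = pp[:rem], c_partial + pp[rem:]
    p_last_full = _tb(toy_block_decrypt, key1, ts[m - 1], cc)
    return bytes(out) + p_last_full + p_partial


if __name__ == "__main__":
    k1, k2 = b"k" * 16, b"t" * 16            # constructed keys
    sector = (7).to_bytes(16, "little")      # tweak: sector number, little-endian
    print(xts_encrypt(k1, k2, sector, bytes(32)) == xex_encrypt(k1, k2, sector, bytes(32)))  # True
    print(len(xts_encrypt(k1, k2, sector, bytes(33))))                                       # 33
```

On a block-aligned input the two functions produce identical output, which is the sense in which a stealing-free xts() is XEX. On a 33-byte input `xex_encrypt` refuses, while `xts_encrypt` returns 33 bytes whose final byte is the first byte of what XEX would have emitted for block 1, and whose block 1 is the encryption, under the next tweak, of the partial plaintext padded with the rest of that XEX block. The layering here, an inner whole-block routine with the stealing done by an outer wrapper, is the shape of the wrap-it-in-cts arrangement the message proposes; a hardware driver that already implements the stealing internally, as the message says CAAM does, would not need the outer layer.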