References: <1565245094-8584-1-git-send-email-pvanleeuwen@verimatrix.com> <1353558c-ea2f-b94b-a570-4ca8f3a653ee@gmail.com>
In-Reply-To: <1353558c-ea2f-b94b-a570-4ca8f3a653ee@gmail.com>
From: Ard Biesheuvel
Date: Sat, 10 Aug 2019 09:05:30 +0300
Subject: Re: [PATCHv2] crypto: xts - Add support for Cipher Text Stealing
To: Milan Broz
Cc: Pascal Van Leeuwen, Pascal van Leeuwen, "open list:HARDWARE RANDOM NUMBER GENERATOR CORE", Herbert Xu, "David S. Miller"
List-ID: linux-crypto@vger.kernel.org

On Thu, 8 Aug 2019 at 16:11, Milan Broz wrote:
>
> On 08/08/2019 12:37, Ard Biesheuvel wrote:
> >>> True. Which is another historical mistake imo, since XTS is only
> >>> specified for AES, but I digress ... :-)
> >>>
> >> Yes, I was also surprised by the use of XTS with other blockciphers.
> >> It sort of violates the don't roll your own crypto paradigm ...
> >> (although some might argue that XTS is supposed to be secure if the
> >> underlying blockcipher is, regardless of what that cipher actually is)
> >>
> >
> > That doesn't really matter. What matters is that nobody took a careful
> > look whether XTS combined with other ciphers is a good idea before
> > throwing it out into the world.
>
> Couldn't resist, but tell that to TrueCrypt authors (if you know them :)
> They used XTS for other AES candidates (Serpent, Twofish, also in
> chained modes together).
>
> Older versions used LRW mode, doing the same.
> Even implementing LRW over Blowfish that has 8-byte block size, so you
> need GF(2^64) operations - that is luckily not implemented in Linux kernel
> crypto API :-)
>
> VeraCrypt continued the tradition, adding the Camellia and
> Kuznyetchik (actually discussed GOST standard) to the XTS mix.
>
> But without sarcasm, I do want to support this for users,
> we can map (but not create) such images in cryptsetup, and it is partially
> the reason I want dm-crypt to be fully configurable...
>

The cat is already out of the bag, so we're stuck with it in any case. But going forward, I'd like to apply a bit more sanity to which combinations of modes we support, which is why I was skeptical about eboiv potentially being used by authenc(hmac(crc32),lrw(blowfish)) while it is only intended for use with cbc(aes).
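The two points raised in the thread, that the inner cipher's block size dictates the Galois field the XTS/LRW tweak arithmetic lives in (GF(2^128) for 16-byte blocks, GF(2^64) for Blowfish's 8-byte blocks) and that a kernel cipher template such as authenc(hmac(crc32),lrw(blowfish)) can be checked for such combinations, as an added Python example that is not code from the thread, the kernel or cryptsetup. The block-size table is constructed for the ciphers named in the thread, and the GF(2^64) reduction polynomial is an assumption, since no standard fixes one for LRW over 8-byte blocks.

```python
import re
# Constructed block-size table (bytes) for the ciphers named in the thread.
BLOCK_SIZE = {"aes": 16, "serpent": 16, "twofish": 16, "camellia": 16,
              "kuznyechik": 16, "blowfish": 8}
# Reduction polynomials minus the leading x^n term. GF(2^128) is the XTS
# polynomial x^128+x^7+x^2+x+1 (IEEE P1619). GF(2^64) is an ASSUMED
# low-weight choice x^64+x^4+x^3+x+1: no standard fixes one for 8-byte blocks.
REDUCER = {128: 0x87, 64: 0x1B}

def tweakable_parts(spec):
    # (mode, cipher) for the innermost xts()/lrw() wrapper, else None.
    m = re.search(r"\b(xts|lrw)\(([a-z0-9]+)\)", spec)
    return (m.group(1), m.group(2)) if m else None

def tweak_field_bits(spec):
    # Degree n of the GF(2^n) the tweak arithmetic lives in, or None.
    parts = tweakable_parts(spec)
    return 8 * BLOCK_SIZE[parts[1]] if parts else None

def gf_mul(a, b, n):
    # Carry-less multiply a*b, reduced modulo the GF(2^n) polynomial.
    mask, res = (1 << n) - 1, 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        carry = a >> (n - 1)       # would the shift leave the field?
        a = (a << 1) & mask
        if carry:
            a ^= REDUCER[n]        # fold x^n back in
    return res

def xts_tweaks(t0, n, count):
    # XTS per-block tweaks T_j = T_0 * alpha^j with alpha = x (integer 2).
    out, t = [], t0
    for _ in range(count):
        out.append(t)
        t = gf_mul(t, 2, n)
    return out

def check_spec(spec):
    # Sanity verdict reflecting the thread's two concerns.
    parts = tweakable_parts(spec)
    if parts is None:
        return "not xts/lrw"
    mode, cipher = parts
    n = 8 * BLOCK_SIZE[cipher]
    if n != 128:
        return f"{mode}({cipher}) needs GF(2^{n}): not implemented in the kernel"
    if mode == "xts" and cipher != "aes":
        return "xts is only specified for AES"
    return "ok"
```

check_spec("lrw(blowfish)") reports the GF(2^64) requirement, while check_spec("xts(serpent)") passes the arithmetic but flags the non-AES cipher.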