Date: Wed, 29 Nov 2023 13:04:21 -0800
From: Eric Biggers
To: Herbert Xu
Cc: Linux Crypto Mailing List, Ard Biesheuvel
Subject: Re: [PATCH 0/4] crypto: Fix chaining support for stream ciphers (arc4 only for now)
Message-ID: <20231129210421.GD1174@sol.localdomain>
References: <20230914082828.895403-5-herbert@gondor.apana.org.au> <20230920062551.GB2739@sol.localdomain> <20230922031030.GB935@sol.localdomain> <20231117054231.GC972@sol.localdomain> <20231127222803.GC1463@sol.localdomain>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, Nov 29, 2023 at 02:24:18PM +0800, Herbert Xu wrote:
> On Mon, Nov 27, 2023 at 02:28:03PM -0800, Eric Biggers wrote:
> >
> > As far as I can tell, currently "chaining" is only implemented by CBC and CTR.
> > So this really seems like an issue in AF_ALG, not the skcipher API per se.
> > AF_ALG should not support splitting up encryption/decryption operations on
> > algorithms that don't support it.
>
> Yes I can see your view. But it really is only a very small number
> of algorithms (basically arc4 and chacha) that are currently broken
> in this way. CTS is similarly broken but for a different reason.

I don't think that's accurate. CBC and CTR are the only skciphers for which this behavior is actually tested.
Everything else, not just stream ciphers but all other skciphers, can be assumed to be broken. Even when I added the tests for "output IV" for CBC and CTR back in 2019 (because I perhaps over-simplistically just considered those to be missing tests), many implementations failed and had to be fixed.

So I think it's fair to say that this is not really something that has ever actually been important or even supported, despite what the intent of the algif_skcipher code may have been. We could choose to onboard new algorithms to that convention one by one, but we'd need to add the tests and fix everything failing them, which will be a lot.

- Eric
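The "output IV" chaining convention the thread argues about, as an added example that is not part of the message or of the kernel's code: a toy CTR mode (hash-based stand-in for the block cipher, not AES) hands back its counter so a message split across two requests encrypts identically to one request, whereas an IV-less stream cipher such as ARC4 only does so if its internal state persists between requests; re-creating it per request restarts the keystream, which is the breakage the message describes. Function names and the sample key and message are constructed for the demo.

```python
import hashlib
BLOCK = 16  # bytes per CTR block

def _toy_block(key, counter_block):
    # Constructed stand-in for a block cipher (NOT AES), enough for the demo.
    return hashlib.sha256(key + counter_block).digest()[:BLOCK]

def ctr_crypt(key, iv, data):
    """CTR over whole blocks. Returns (ciphertext, output_iv): the counter the
    next chunk starts from, i.e. what a chaining CTR skcipher writes back."""
    assert len(iv) == BLOCK and len(data) % BLOCK == 0
    ctr = int.from_bytes(iv, "big")
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = _toy_block(key, ctr.to_bytes(BLOCK, "big"))
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
        ctr = (ctr + 1) % (1 << (8 * BLOCK))
    return bytes(out), ctr.to_bytes(BLOCK, "big")

class ARC4:
    """Minimal RC4: the state is S plus (i, j); there is no IV to hand back."""
    def __init__(self, key):
        S, j = list(range(256)), 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0
    def crypt(self, data):
        S, out = self.S, bytearray()
        for b in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(b ^ S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)

def ctr_split_matches(key, iv, msg, split):
    """True: carrying the output IV makes two requests equal one request."""
    one_shot, _ = ctr_crypt(key, iv, msg)
    c1, iv2 = ctr_crypt(key, iv, msg[:split])
    c2, _ = ctr_crypt(key, iv2, msg[split:])
    return one_shot == c1 + c2

def arc4_split_matches(key, msg, split, keep_state):
    """keep_state=True persists the cipher between chunks; False restarts it."""
    one_shot = ARC4(key).crypt(msg)
    c = ARC4(key)
    c1 = c.crypt(msg[:split])
    c2 = (c if keep_state else ARC4(key)).crypt(msg[split:])  # restart = reuse
    return one_shot == c1 + c2
```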