On Mon, 17 Jun 2019 at 16:35, Milan Broz <gmazyland@xxxxxxxxx> wrote:
>
> On 17/06/2019 15:59, Ard Biesheuvel wrote:
> >
> > So my main question/showstopper at the moment is: which modes do we
> > need to support for ESSIV? Only CBC? Any skcipher? Or both skciphers
> > and AEADs?
>
> Support, or cover by internal test? I think you need to support everything
> that dmcrypt currently allows, if you want to port dmcrypt to new API.
>
> I know of many systems that use aes-xts-essiv:sha256 (it does not make sense
> much but people just use it).
>
> Some people use serpent and twofish, but we allow any cipher that fits...
>

Sure, that is all fine

> For the start, run this
> https://gitlab.com/cryptsetup/cryptsetup/blob/master/tests/mode-test
>
> In other words, if you add some additional limit, we are breaking backward compatibility.
> (Although the configuration is "wrong" from the security point of view.)
>

Yes, but breaking backward compatibility only happens if you break something that is actually being *used*. So sure, xts(aes)-essiv:sha256 makes no sense but people use it anyway. But is that also true for, say, gcm(aes)-essiv:sha256 ?