On Wed, 19 Jun 2019 at 17:18, Ondrej Mosnáček <omosnacek@xxxxxxxxx> wrote:
>
> Hi Ard,
>
> On Tue, 18 Jun 2019 at 23:28, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
> > Implement a template that wraps a (skcipher,cipher,shash) or
> > (aead,cipher,shash) tuple so that we can consolidate the ESSIV handling
> > in fscrypt and dm-crypt and move it into the crypto API. This will result
> > in better test coverage, and will allow future changes to make the bare
> > cipher interface internal to the crypto subsystem, in order to increase
> > robustness of the API against misuse.
> >
> > Note that especially the AEAD handling is a bit complex, and is tightly
> > coupled to the way dm-crypt combines AEAD based on the authenc() template
> > with the ESSIV handling.
>
> Wouldn't it work better to have a template only for skcipher and in
> dm-crypt just inject the essiv() template into the cipher string? For
> example: "authenc(hmac(sha256),cbc(aes))-essiv:sha256" ->
> "authenc(hmac(sha256),essiv(cbc(aes),aes,sha256))". That seems to me a
> much simpler hack. (But maybe I'm missing some issue in that
> approach...)
>

Unfortunately, that doesn't work. When using AEADs, dm-crypt also puts
the IV in the AAD area.
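The construction the thread is about, as an added example written for this page (it is neither the kernel's essiv template nor dm-crypt's code): ESSIV derives each sector's IV by hashing the bulk key and encrypting the sector number under the digest, cbc(aes) then runs under the bulk key with that IV, and a toy authenc(hmac(sha256),cbc(aes)) layer on top shows why putting the IV in the AAD matters. Assumptions made here: the AAD is the sector number followed by the IV (the thread only states that the IV is in the AAD), the tag is an HMAC over AAD || ciphertext, and the keys and sector data are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// essivIV derives the per-sector IV as ESSIV does: hash the bulk key, use the
// digest as an AES key, and encrypt the little-endian sector number padded to
// one block. sha256's 32-byte digest is a valid AES-256 key for any bulk key size.
func essivIV(key []byte, sector uint64) ([]byte, error) {
	salt := sha256.Sum256(key)
	c, err := aes.NewCipher(salt[:])
	if err != nil {
		return nil, err
	}
	var in [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(in[:8], sector)
	iv := make([]byte, aes.BlockSize)
	c.Encrypt(iv, in[:])
	return iv, nil
}

// cbcSector is the skcipher half: cbc(aes) under the bulk key with that
// sector's ESSIV IV. Sectors are whole blocks, so there is no padding.
func cbcSector(key []byte, sector uint64, in []byte, encrypt bool) ([]byte, error) {
	if len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a multiple of %d", len(in), aes.BlockSize)
	}
	iv, err := essivIV(key, sector)
	if err != nil {
		return nil, err
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(c, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(c, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// sectorAAD is the associated data for the authenticated case. The IV being
// in the AAD is what the thread states; the leading sector number is an
// assumption made for this example.
func sectorAAD(sector uint64, iv []byte) []byte {
	aad := make([]byte, 8, 8+len(iv))
	binary.LittleEndian.PutUint64(aad, sector)
	return append(aad, iv...)
}

// sealSector is a toy authenc(hmac(sha256),cbc(aes)) over ESSIV: the tag covers
// AAD || ciphertext. Because the AAD already contains the IV, the IV must exist
// before the AEAD runs; an essiv() wrapped only around the inner skcipher would
// derive it too late for the AAD to include it.
func sealSector(encKey, macKey []byte, sector uint64, pt []byte) (ct, tag []byte, err error) {
	iv, err := essivIV(encKey, sector)
	if err != nil {
		return nil, nil, err
	}
	if ct, err = cbcSector(encKey, sector, pt, true); err != nil {
		return nil, nil, err
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(sectorAAD(sector, iv))
	m.Write(ct)
	return ct, m.Sum(nil), nil
}

// openSector recomputes IV and AAD, checks the tag in constant time, then decrypts.
func openSector(encKey, macKey []byte, sector uint64, ct, tag []byte) ([]byte, error) {
	iv, err := essivIV(encKey, sector)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(sectorAAD(sector, iv))
	m.Write(ct)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, fmt.Errorf("sector %d: authentication failed", sector)
	}
	return cbcSector(encKey, sector, ct, false)
}

func main() {
	// Constructed sample input: fixed keys and one 32-byte "sector".
	encKey := bytes.Repeat([]byte{0x42}, 32)
	macKey := bytes.Repeat([]byte{0x24}, 32)
	ct, tag, err := sealSector(encKey, macKey, 7, []byte("sector payload, two AES blocks.."))
	if err != nil {
		panic(err)
	}
	fmt.Printf("ct  %x\ntag %x\n", ct, tag)
}
```

Presenting the same ciphertext and tag as a different sector makes openSector recompute a different IV, so the AAD no longer matches and the tag check fails before any decryption happens; that is the dependency between IV derivation and AAD that a skcipher-only essiv() template cannot express.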