Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
> > + * The typical use of this template is to instantiate the skcipher > + * 'essiv(cbc(aes),aes,sha256)', which is the only instantiation used by > + * fscrypt, and the most relevant one for dm-crypt. However, dm-crypt > + * also permits ESSIV to be used in combination with the authenc template, > + * e.g., 'essiv(authenc(hmac(sha256),cbc(aes)),aes,sha256)', in which case > + * we need to instantiate an aead that accepts the same special key format > + * as the authenc template, and deals with the way the encrypted IV is > + * embedded into the AAD area of the aead request. This means the AEAD > + * flavor produced by this template is tightly coupled to the way dm-crypt > + * happens to use it.

IIRC only authenc is allowed in dm-crypt currently in conjunction
with ESSIV. Does it ever allow a different hash algorithm in
authenc compared to the one used for ESSIV? IOW given

	essiv(authenc(hmac(X),cbc(Y)),Z,U)

is it currently possible for X != U or Y != Z? If not then let's
just make the algorithm name be essiv(Y,X).

Because this is legacy stuff, I don't want it to support any more
than what is currently being supported by dm-crypt.

Similarly for the skcipher case, given

	essiv(cbc(X),Y,Z)

is it ever possible for X != Y? If not then we should just make the
algorithm name essiv(X,Z).

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
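
Review bot: In the sentence about the AEAD flavor, the comment says the encrypted IV is "embedded into the AAD area of the aead request" and that the key uses "the same special key format as the authenc template", but it gives neither the position and length of the IV within the AAD nor a pointer to where that layout is defined, so the coupling to dm-crypt that it warns about cannot be checked from this comment alone. Suggest stating the expected AAD layout here, or naming the dm-crypt code that defines it. Since the comment also calls 'essiv(cbc(aes),aes,sha256)' the only instantiation used by fscrypt, it would help to say whether other parameter combinations are accepted or rejected when the template is instantiated.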