On Thu, May 28, 2020 at 10:33:25AM +0200, Ard Biesheuvel wrote:
>
> The reason we return output IVs for CBC is because our generic
> implementation of CTS can wrap any CBC implementation, and relies on
> this output IV rather than grabbing it from the ciphertext directly
> (which may be tricky and is best left up to the CBC code)

No, that's not the main reason. The main user of chaining is
algif_skcipher.

> So if you are saying that we should never split up algif_skcipher
> requests into multiple calls into the underlying skcipher, then I
> agree with you. Even if the generic CTS seems to work more or less as
> expected by, e.g., the NIST validation tool, this is unspecified
> behavior, and definitely broken in various other places.

I was merely suggesting that requests to CTS/XTS shouldn't be split
up. Doing it for others would be a serious regression.

However, having looked at this it would seem that the effort in
marking CTS/XTS is not that different to just adding support to
hold the last two blocks of data so that CTS/XTS can support
chaining.

I'll work on this.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
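Added example, not part of this thread and not the kernel's crypto code: it shows in plain Python why chaining a follow-up request on the output IV reproduces the one-shot result for CBC, why the same naive chaining breaks for CBC with ciphertext stealing (the RFC 3962 CS3 layout that Linux's cts template produces), and how holding back the last two blocks of data, as proposed in the reply above, makes CTS chainable again. The block cipher is a constructed toy Feistel permutation so the example runs offline; `cts_encrypt_chained` is our own sketch of the hold-back idea, not kernel code, and the key, IV and message are constructed test values.

```python
"""Chaining on the output IV: sound for CBC, not for CTS, unless the CTS
implementation holds back the last two blocks until the request ends.
Toy cipher only; nothing here is suitable for real use."""
import hashlib

BS = 8  # toy block size in bytes


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed round function for the toy Feistel cipher (constructed)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BS // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation on one BS-byte block (constructed)."""
    assert len(block) == BS
    left, right = block[: BS // 2], block[BS // 2:]
    for rnd in range(4):
        left, right = right, xor(left, _round(key, right, rnd))
    return left + right


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes):
    """CBC over whole blocks. Returns (ciphertext, output IV); the output IV
    is the last ciphertext block, i.e. the chaining value a follow-up
    request needs to continue exactly where this one stopped."""
    assert len(data) % BS == 0
    out, prev = bytearray(), iv
    for i in range(0, len(data), BS):
        prev = block_encrypt(key, xor(data[i:i + BS], prev))
        out += prev
    return bytes(out), prev


def cts_encrypt(key: bytes, iv: bytes, data: bytes):
    """CBC with ciphertext stealing, CS3 layout (RFC 3962): the last two
    ciphertext blocks are swapped and the penultimate one is truncated to
    the length of the final partial plaintext block."""
    assert len(data) > BS
    d = len(data) % BS or BS                      # length of the final block
    head, tail = data[:len(data) - d], data[len(data) - d:]
    c_head, prev = cbc_encrypt(key, iv, head)     # C_1 .. C_{n-1}
    c_last = block_encrypt(key, xor(tail + bytes(BS - d), prev))  # C_n
    # Emit C_1 .. C_{n-2}, C_n, C_{n-1}[:d]; C_n is what a caller would
    # naively reuse as the "output IV".
    return c_head[:-BS] + c_last + prev[:d], c_last


def cts_encrypt_chained(key: bytes, iv: bytes, chunks):
    """Chainable CTS (our sketch of the hold-back approach): CBC-encrypt all
    data except the last two blocks' worth, which stays buffered until the
    final chunk and is then finished with the CTS tail transform."""
    out, prev, pending = bytearray(), iv, b""
    for chunk in chunks:
        pending += chunk
        # Release only whole blocks beyond the two we must keep in reserve.
        n_ready = (len(pending) - 2 * BS) // BS * BS
        if n_ready > 0:
            c, prev = cbc_encrypt(key, prev, pending[:n_ready])
            out += c
            pending = pending[n_ready:]
    c, _ = cts_encrypt(key, prev, pending)
    return bytes(out) + c


# Constructed test values: 4 full blocks plus a 5-byte tail.
KEY = b"toy-key-for-demo"
IV = bytes(range(BS))
MSG = bytes(range(37))


def demo():
    """Returns (cbc_chaining_ok, cts_naive_chaining_ok, cts_heldback_ok)."""
    split = 2 * BS
    # CBC: two chained requests reproduce the one-shot ciphertext exactly.
    one_shot, _ = cbc_encrypt(KEY, IV, MSG[:32])
    c1, out_iv = cbc_encrypt(KEY, IV, MSG[:split])
    c2, _ = cbc_encrypt(KEY, out_iv, MSG[split:32])
    cbc_ok = one_shot == c1 + c2
    # CTS: splitting the request corrupts the layout, because the first
    # request already swapped and stole from what it thought were the last
    # two blocks, even though its output IV happens to be the right value.
    cts_ref, _ = cts_encrypt(KEY, IV, MSG)
    c1, out_iv = cts_encrypt(KEY, IV, MSG[:split])
    c2, _ = cts_encrypt(KEY, out_iv, MSG[split:])
    cts_naive_ok = cts_ref == c1 + c2
    # Holding back the last two blocks restores chaining at any split point.
    chunks = [MSG[:split], MSG[split:split + 3], MSG[split + 3:]]
    cts_held_ok = cts_ref == cts_encrypt_chained(KEY, IV, chunks)
    return cbc_ok, cts_naive_ok, cts_held_ok


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The hold-back rule is the whole trick: CTS only ever reshapes the final two blocks, so an implementation that refuses to emit them until it knows the request is complete can accept data in any chunking and still produce the one-shot ciphertext, which is why marking CTS/XTS as unsplittable and teaching them to buffer cost about the same effort.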