On Fri, May 29, 2020 at 10:20:27AM +0200, Ard Biesheuvel wrote:
>
> But many implementations do not return an output IV at all. The only
> mode that requires it (for the selftests to pass) is CBC.

Most modes can be chained, e.g., CBC, PCBC, OFB, CFB and CTR. As
it stands algif_skcipher requires all algorithms to support chaining.

> For XTS, we would have to carry some metadata around that tells you
> whether the initial encryption of the IV has occurred or not. In the

You're right, XTS in its current form cannot be chained. So we
do need a way to mark that for algif_skcipher.

> CTS case, you need to swap the last two blocks of ciphertext at the
> very end.

CTS can be easily chained. You just need to always keep two blocks
from being processed until you reach the end.

Cheers,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
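
The hold-back scheme described in the message above, as an added example that is not part of the original message and is not kernel code: CBC is chained through its output IV, and CTS is chained by holding back the last one to two blocks until the end. Assumptions: toy_encrypt_block is a constructed stand-in for a real block cipher, all function and class names are hypothetical, and the ending uses an unconditional swap of the last two blocks (CBC-CS3 style).

```python
import hashlib

BS = 16  # block size in bytes

def toy_encrypt_block(key, block):
    # Constructed stand-in for a real block cipher: 4-round Feistel over SHA-256.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key, iv, data):
    # CBC over whole blocks. Returns (ciphertext, output IV); the output IV
    # is the last ciphertext block, which is all the state chaining needs.
    out = b""
    for i in range(0, len(data), BS):
        iv = toy_encrypt_block(key, bytes(a ^ b for a, b in zip(data[i:i + BS], iv)))
        out += iv
    return out, iv

def cts_tail(key, iv, tail):
    # Ending step: zero-pad, CBC-encrypt two blocks, swap them, truncate.
    if not BS < len(tail) <= 2 * BS:
        raise ValueError("CTS ending needs more than one and at most two blocks")
    d = len(tail) - BS  # length of the final (possibly partial) block
    ct, _ = cbc_encrypt(key, iv, tail + bytes(BS - d))
    return ct[BS:] + ct[:d]

def releasable(n):
    # Bytes that may be processed now so that more than one and at most
    # two blocks stay held back.
    return max(0, (n - BS - 1) // BS * BS)

def cts_oneshot(key, iv, data):
    n = releasable(len(data))
    head, iv = cbc_encrypt(key, iv, data[:n])
    return head + cts_tail(key, iv, data[n:])

class ChainedCts:
    def __init__(self, key, iv):
        self.key, self.iv, self.held = key, iv, b""

    def update(self, chunk):
        # Release only what can never be part of the final two blocks.
        self.held += chunk
        n = releasable(len(self.held))
        out, self.iv = cbc_encrypt(self.key, self.iv, self.held[:n])
        self.held = self.held[n:]
        return out

    def final(self):
        return cts_tail(self.key, self.iv, self.held)
```

Feeding the same message to ChainedCts in any chunking gives the same ciphertext as cts_oneshot, because the only state carried between calls is the CBC output IV and the held-back bytes.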