On Wed, Nov 29, 2023 at 02:24:18PM +0800, Herbert Xu wrote: > On Mon, Nov 27, 2023 at 02:28:03PM -0800, Eric Biggers wrote: > > > > As far as I can tell, currently "chaining" is only implemented by CBC and CTR. > > So this really seems like an issue in AF_ALG, not the skcipher API per se. > > AF_ALG should not support splitting up encryption/decryption operations on > > algorithms that don't support it. > > Yes I can see your view. But it really is only a very small number > of algorithms (basically arc4 and chacha) that are currently broken > in this way. CTS is similarly broken but for a different reason. I don't think that's accurate. CBC and CTR are the only skciphers for which this behavior is actually tested. Everything else, not just stream ciphers but all other skciphers, can be assumed to be broken. Even when I added the tests for "output IV" for CBC and CTR back in 2019 (because I perhaps over-simplisticly just considered those to be missing tests), many implementations failed and had to be fixed. So I think it's fair to say that this is not really something that has ever actually been important or even supported, despite what the intent of the algif_skcipher code may have been. We could choose to onboard new algorithms to that convention one by one, but we'd need to add the tests and fix everything failing them, which will be a lot. - Eric
