On Wed, Nov 29, 2023 at 01:04:21PM -0800, Eric Biggers wrote:
>
> I don't think that's accurate. CBC and CTR are the only skciphers for which
> this behavior is actually tested. Everything else, not just stream ciphers but
> all other skciphers, can be assumed to be broken. Even when I added the tests
> for "output IV" for CBC and CTR back in 2019 (because I perhaps
> over-simplistically just considered those to be missing tests), many
> implementations failed and had to be fixed. So I think it's fair to say that
> this is not really something that has ever actually been important or even
> supported, despite what the intent of the algif_skcipher code may have been. We
> could choose to onboard new algorithms to that convention one by one, but we'd
> need to add the tests and fix everything failing them, which will be a lot.

OK I was perhaps a bit over the top, but it is certainly the case
that for IPsec encryption algorithms, all the underlying algorithms
are able to support chaining. I concede that the majority of disk
encryption algorithms do not.

I'm not worried about the amount of work here since most of it
could be done at the same time as the lskcipher conversion which is
worthy in and of itself.

Cheers,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt