On Fri, Jun 07, 2019 at 04:49:41PM +0200, Ard Biesheuvel wrote:
> One of the issues that I would like to see addressed in the crypto API
> is the way the cipher abstraction is used. In general, a cipher should
> never be used directly, and so it would be much better to clean up the
> existing uses of ciphers outside of the crypto subsystem itself, so that
> we can make the cipher abstraction part of the internal API, only to
> be used by templates or crypto drivers that require them as a callback.
>
> As a first step, this series moves all users of the 'arc4' cipher to
> the ecb(arc4) skcipher, which happens to be implemented by the same
> driver, and is already a stream cipher, given that ARC4_BLOCK_SIZE
> actually evaluates to 1.
>
> Next step would be to switch the users of the 'des' and 'aes' ciphers
> to other interfaces that are more appropriate, either ecb(...) or a
> library interface, which may be more appropriate in some cases. In any
> case, the end result should be that ciphers are no longer used outside
> of crypto/ and drivers/crypto/
>
> This series is presented as an RFC, since I am mostly interested in
> discussing the above, but I prefer to do so in the context of actual
> patches rather than an abstract discussion.
>
> Ard Biesheuvel (3):
>   net/mac80211: switch to skcipher interface for arc4
>   lib80211/tkip: switch to skcipher interface for arc4
>   lib80211/wep: switch to skcipher interface for arc4
>

The way the crypto API exposes ARC4 is definitely broken. It treats it as
a block cipher (with a block size of 1 byte...), when it's actually a
stream cipher. Also, it violates the API by modifying the key during each
encryption. Since ARC4 is fast in software and is "legacy" crypto that
people shouldn't be using, and the users call it on virtual addresses,
perhaps we should instead remove it from the crypto API and provide a
library function arc4_crypt()?

We'd lose support for ARC4 in three hardware drivers, but are there real
users who really are using ARC4 and need those to get acceptable
performance? Note that they aren't being used in the cases where the
'cipher' API is currently being used, so it would only be the current
'skcipher' users that might matter. Someone could theoretically be using
"ecb(arc4)" via AF_ALG or dm-crypt, but it seems unlikely...

As for removing the "cipher" API entirely, we'd have to consider how to
convert all the current users, not just ARC4, so that would be a somewhat
different discussion.

How do you propose to handle dm-crypt and fscrypt which use the cipher
API to do ESSIV?

- Eric
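The mismatch Eric points at, shown as an added example that is neither the kernel's code nor anything from the thread: ARC4 is a stateful stream, so a context holding the permutation and the two PRGA indices has to be carried from call to call, which is what a stateless per-block "cipher" interface with a 1-byte block cannot express. The `struct arc4_ctx`, `arc4_setkey` and `arc4_crypt` names are hypothetical; the check uses the widely published "Key"/"Plaintext" test vector and contrasts carried state with a restart-per-block call.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical context (not the kernel's struct): permutation S plus PRGA
 * indices i and j. All of it changes with every byte processed. */
struct arc4_ctx { uint8_t S[256]; uint8_t i, j; };

/* Key scheduling (KSA): derive the initial permutation from the key. */
void arc4_setkey(struct arc4_ctx *ctx, const uint8_t *key, size_t klen)
{
    uint8_t j = 0, t;
    for (int k = 0; k < 256; k++) ctx->S[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + ctx->S[k] + key[k % klen]);
        t = ctx->S[k]; ctx->S[k] = ctx->S[j]; ctx->S[j] = t;
    }
    ctx->i = ctx->j = 0;
}

/* PRGA: XOR len bytes with keystream and advance the state. The same call
 * decrypts. This is a stateful stream, not a per-block transform. */
void arc4_crypt(struct arc4_ctx *ctx, uint8_t *out, const uint8_t *in, size_t len)
{
    uint8_t t;
    for (size_t n = 0; n < len; n++) {
        ctx->i++;
        ctx->j = (uint8_t)(ctx->j + ctx->S[ctx->i]);
        t = ctx->S[ctx->i]; ctx->S[ctx->i] = ctx->S[ctx->j]; ctx->S[ctx->j] = t;
        out[n] = in[n] ^ ctx->S[(uint8_t)(ctx->S[ctx->i] + ctx->S[ctx->j])];
    }
}

/* Published vector: key "Key", plaintext "Plaintext" -> BB F3 16 E8 D9 40 AF
 * 0A D3. Returns 1 if the stateful stream matches it AND a "block cipher"
 * that restarts from the key per 1-byte block does not (it reuses keystream byte 0). */
int arc4_known_answer(void)
{
    static const uint8_t key[] = {'K', 'e', 'y'};
    static const uint8_t pt[] = {'P','l','a','i','n','t','e','x','t'};
    static const uint8_t ct[] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t stream[sizeof pt], blockwise[sizeof pt];
    struct arc4_ctx ctx;
    arc4_setkey(&ctx, key, sizeof key);
    arc4_crypt(&ctx, stream, pt, sizeof pt);          /* state carried over */
    for (size_t n = 0; n < sizeof pt; n++) {
        arc4_setkey(&ctx, key, sizeof key);           /* state thrown away */
        arc4_crypt(&ctx, &blockwise[n], &pt[n], 1);
    }
    return memcmp(stream, ct, sizeof ct) == 0 && memcmp(stream, blockwise, sizeof pt) != 0;
}
```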