| Message ID | 568AD989.8060802@gmx.de (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Herbert Xu |
| Headers | show |
On Mon, Jan 04, 2016 at 09:43:53PM +0100, Thomas Egerer wrote: > Similar to CTR mode selecting CRYPTO_SEQIV, CBC mode requires echainiv > and has to select CRYPTO_ECHAINIV in order to work properly. This solves > the issues caused by a misconfiguration as described in [1]. > > [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html > > Signed-off-by: Thomas Egerer <hakke_007@gmx.de> Please patch net/ipvX/Kconfig instead as ECHAINIV is only used by IPsec. Thanks,
On 01/08/2016 10:48 AM, Herbert Xu wrote: > On Mon, Jan 04, 2016 at 09:43:53PM +0100, Thomas Egerer wrote: >> Similar to CTR mode selecting CRYPTO_SEQIV, CBC mode requires echainiv >> and has to select CRYPTO_ECHAINIV in order to work properly. This solves >> the issues caused by a misconfiguration as described in [1]. >> >> [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html >> >> Signed-off-by: Thomas Egerer <hakke_007@gmx.de> > > Please patch net/ipvX/Kconfig instead as ECHAINIV is only used > by IPsec. This does not seem right to me. By depending on CRYPTO_CBC in a particular Kconfig, I would expect the 'default algorithm for CBC' to be transitively selected with it. It's what CRYPTO_CTR does. There are a couple of places that use select CRYPTO_CBC but not CRYPTO_ECHAINIV (ext4, wusbcore, md to mention a few). Wouldn't these end up unusable too, if CBC-mode doesn't activate echainiv? Cheers, Thomas > Thanks, > -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Sun, Jan 10, 2016 at 09:16:34PM +0100, Thomas Egerer wrote: > On 01/08/2016 10:48 AM, Herbert Xu wrote: > > > Please patch net/ipvX/Kconfig instead as ECHAINIV is only used > > by IPsec. > This does not seem right to me. By depending on CRYPTO_CBC in a particular > Kconfig, I would expect the 'default algorithm for CBC' to be transitively > selected with it. It's what CRYPTO_CTR does. There are a couple of places > that use select CRYPTO_CBC but not CRYPTO_ECHAINIV (ext4, wusbcore, md > to mention a few). Wouldn't these end up unusable too, if CBC-mode doesn't > activate echainiv? All of those other users should work without echainiv so why would they need to select it? Cheers,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On January 11, 2016 4:33:49 AM GMT+01:00, Herbert Xu <herbert@gondor.apana.org.au> wrote: >On Sun, Jan 10, 2016 at 09:16:34PM +0100, Thomas Egerer wrote: >> On 01/08/2016 10:48 AM, Herbert Xu wrote: >> >> > Please patch net/ipvX/Kconfig instead as ECHAINIV is only used >> > by IPsec. >> This does not seem right to me. By depending on CRYPTO_CBC in a >particular >> Kconfig, I would expect the 'default algorithm for CBC' to be >transitively >> selected with it. It's what CRYPTO_CTR does. There are a couple of >places >> that use select CRYPTO_CBC but not CRYPTO_ECHAINIV (ext4, wusbcore, >md >> to mention a few). Wouldn't these end up unusable too, if CBC-mode >doesn't >> activate echainiv? > >All of those other users should work without echainiv so why would >they need to select it? I was under the impression that ECHAINIV was the default IV generator for CBC. At least that's what the help text said. Upon further investigation I found that the default is either chainiv or eseqiv (according to crypto_default_geniv). In this case it's true, net/ipvx/Kconfig files need to be patched. >Cheers, - -- Sent from a mobile device. Please excuse my brevity. -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQI+BAEBCgAoBQJWk4WiIRxUaG9tYXMgRWdlcmVyIDxoYWtrZV8wMDdAZ214LmRl PgAKCRBit9TjYqwUxr2pD/0U0wcx2oOSpQNNfUKAI1hPmFx1PNI5m9HkozKS0rms rpg56qdI+zBUBu9Xka0wZI4/UUBDA7DXzI+6kfqDZ+viBJFpCErRK9Be7hRZ7MGi tq3BMg3xT6j6twxcDbpJV4qQPIjE/Y9/Mfgo1EuXVIctsLOAnSfRWXMp5X0zgwy8 1orhxFGyMCE2PRNQGgBSolJPHplVvioEGp9BcRMI+y4o5rBrjyWUG6AlwzMJTc89 QZ1XF8dKRymnpUiau84WcQsL6MG8y8ofZhLkbaoFFaa1jE1eu6DH2wSk3eiYX84o ky3OJHcWbo4VWfTx6MM7eZ1DVeTs3iQ8bF/OIpsR1fR+jI336xK8cM4f+TaMXKlJ pqe3oOv/tE4q6IUCnRsah1x1ipIjcReesr0vCyiMw03E2JP+duOp/RtGp3TX1/49 avJDHKC6Sgg3r8+MDUsyBnYxglYAvwaNmOnE09KLzqzfKapdqv3FGDC8titI3edZ 6RJPxBnbYBFnkqhUDZ0u6tE7SJSDUe6zd+0Ruod7dgilhr8XlI+bWawh5b/SmHjp i8pVDnEn30iTG/ogCduLsP4J0K3Oimb42fsXf3/vIoA/mZC7+uuIQJk6BxahW5Wq k3bhDSk/HGYGeTQ76vsqv+O9b33FiOgmcHrCrxjp1CtT3bQNHX6Od6glcFjOnugr fg== =+i8R -----END PGP SIGNATURE----- -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Mon, Jan 11, 2016 at 11:36:18AM +0100, Thomas Egerer wrote: > > I was under the impression that ECHAINIV was the default IV generator for CBC. At least that's what the help text said. Upon further investigation I found that the default is either chainiv or eseqiv (according to crypto_default_geniv). In this case it's true, net/ipvx/Kconfig files need to be patched. Perhaps we also need to patch the help test. Only IPsec uses IV generation through echainiv/eseqiv. Thanks,
diff --git a/crypto/Kconfig b/crypto/Kconfig index 7240821..893d93f 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -284,6 +284,7 @@ comment "Block modes" config CRYPTO_CBC tristate "CBC support" select CRYPTO_BLKCIPHER + select CRYPTO_ECHAINIV select CRYPTO_MANAGER help CBC: Cipher Block Chaining mode
Similar to CTR mode selecting CRYPTO_SEQIV, CBC mode requires echainiv and has to select CRYPTO_ECHAINIV in order to work properly. This solves the issues caused by a misconfiguration as described in [1]. [1] https://lists.strongswan.org/pipermail/users/2015-December/009074.html Signed-off-by: Thomas Egerer <hakke_007@gmx.de> --- crypto/Kconfig | 1 + 1 file changed, 1 insertion(+)