On Wed, May 15, 2019 at 01:35:16PM +0000, Horia Geanta wrote: > On 5/15/2019 4:22 PM, Sascha Hauer wrote: > > Hi Fabio, > > > > On Wed, May 15, 2019 at 10:17:19AM -0300, Fabio Estevam wrote: > >> Hi Sascha, > >> > >> On Wed, May 15, 2019 at 10:09 AM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote: > >>> > >>> Hi, > >>> > >>> ctr(aes) is broken in current kernel (v5.1+). It may have been broken > >>> for longer, but the crypto tests now check for a correct output IV. The > >>> testmgr answers with: > >>> > >>> alg: skcipher: ctr-aes-caam encryption test failed (wrong output IV) on test vector 0, cfg="in-place" > >>> > >>> output IV is this, which is the last 16 bytes of the encrypted message: > >>> 00000000: 1e 03 1d da 2f be 03 d1 79 21 70 a0 f3 00 9c ee > >>> > >>> It should look like this instead, which is input IV + 4: > >>> 00000000: f0 f1 f2 f3 f4 f5 f6 f7 f8 f9 fa fb fc fd ff 03 > >>> > >>> I have no idea how to fix this as I don't know how to get the output IV > >>> back from the CAAM. Any ideas? > >> > >> Is this problem similar to this one? > >> https://www.mail-archive.com/linux-crypto@xxxxxxxxxxxxxxx/msg37512.html > > > > Different algo, different hardware, but yes, it seems to be the same > > type of failure. > > > For talitos, the problem is the lack of IV update. > > For caam, the problem is incorrect IV update (output IV is equal to last > ciphertext block, which is correect for cbc, but not for ctr mode). > > I am working at a fix, but it takes longer since I would like to program the > accelerator to the save the IV (and not do counter increment in SW, which > created problems for many other implementations). Thanks for working on it. I'd be glad to test it once you have something. Thanks Sascha -- Pengutronix e.K. | | Industrial Linux Solutions | http://www.pengutronix.de/ | Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
