On Wed, 26 Jun 2019 at 06:11, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> On Sat, Jun 22, 2019 at 09:34:01PM +0200, Ard Biesheuvel wrote:
> > This started out as an attempt to provide synchronous SIMD based GCM
> > on 32-bit ARM, but along the way, I ended up changing and cleaning up
> > so many things that it is more of a general AES cleanup now rather than
> > anything else.
> > ...
>
> I'm seeing the following self-test failures with this patchset applied:
>
> On arm32:
>
> [ 20.956118] alg: skcipher: ctr-aes-ce-sync encryption test failed (wrong result) on test vector 0, cfg="random: inplace use_digest nosimd src_divs=[100.0%@+3650] iv_offset=9"
> [ 28.344185] alg: skcipher: ctr-aes-neonbs-sync encryption test failed (wrong result) on test vector 0, cfg="random: inplace use_final nosimd src_divs=[16.88%@+3, <flush>39.11%@+1898, <reimport>44.1%@+5] iv_offset=13"
>
> On arm64:
>
> [ 15.528433] alg: skcipher: ctr-aes-ce encryption test failed (wrong result) on test vector 0, cfg="random: use_digest nosimd src_divs=[100.0%@+4078]"
> [ 20.080914] alg: skcipher: ctr-aes-neon encryption test failed (wrong result) on test vector 0, cfg="random: inplace use_final nosimd src_divs=[50.90%@+255, <flush,nosimd>49.10%@+25]"
>
> Maybe a bug in crypto_ctr_encrypt_walk()?
>

Yes. I was using the skcipher blocksize rather than the chunksize for
the transformation, which is obviously incorrect.
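
Why stepping by the blocksize produces wrong ciphertext, as an added example that is not part of the original message and is not the kernel's crypto_ctr_encrypt_walk(): a CTR-mode skcipher advertises a blocksize of 1 and a chunksize equal to the cipher block size (16 for AES), so a walk that steps by the blocksize takes one keystream byte per counter value. This user-space model assumes a constructed stand-in, toy_block(), in place of AES; ctr_inc(), ctr_crypt() and mismatches() are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

#define CHUNK 16 /* AES block size: a CTR skcipher's chunksize (its blocksize is 1) */

/* Constructed stand-in for the block cipher (NOT AES): counter block -> 16 bytes. */
static void toy_block(const uint8_t *ctr, uint8_t *out)
{
	uint32_t s = 0x9e3779b9u;
	for (int i = 0; i < CHUNK; i++)
		s = (s ^ ctr[i]) * 16777619u;
	for (int i = 0; i < CHUNK; i++)
		out[i] = (uint8_t)((s = s * 1664525u + 1013904223u) >> 24);
}

/* Big-endian increment of the whole counter block, with carry. */
static void ctr_inc(uint8_t *ctr)
{
	for (int i = CHUNK - 1; i >= 0 && ++ctr[i] == 0; i--)
		;
}

/* CTR transform that consumes `unit` keystream bytes per counter value.
 * unit == CHUNK is correct CTR; unit == 1 models stepping by the blocksize. */
static void ctr_crypt(uint8_t *dst, const uint8_t *src, size_t len, const uint8_t *iv, size_t unit)
{
	uint8_t ctr[CHUNK], ks[CHUNK];
	memcpy(ctr, iv, CHUNK);
	while (len > 0) {
		size_t n = len < unit ? len : unit;
		toy_block(ctr, ks);
		for (size_t i = 0; i < n; i++)
			dst[i] = src[i] ^ ks[i];
		ctr_inc(ctr);
		dst += n; src += n; len -= n;
	}
}

/* Count output bytes (len <= 256) that differ between the two step sizes. */
static size_t mismatches(const uint8_t *src, size_t len, const uint8_t *iv)
{
	uint8_t good[256], bad[256];
	size_t diff = 0;
	ctr_crypt(good, src, len, iv, CHUNK);
	ctr_crypt(bad, src, len, iv, 1);
	for (size_t i = 0; i < len; i++)
		diff += good[i] != bad[i];
	return diff;
}
```

The two step sizes agree on the first output byte by construction; from the second byte on, the blocksize-stepped walk is already drawing keystream from the next counter value.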