Re: ARM CE: CTS IV handling

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Dienstag, 19. Mai 2020, 19:53:57 CEST schrieb Ard Biesheuvel:

Hi Ard,

> On Tue, 19 May 2020 at 19:50, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
> > On Tue, 19 May 2020 at 19:35, Stephan Mueller <smueller@xxxxxxxxxx> wrote:
> > > Am Dienstag, 19. Mai 2020, 18:21:01 CEST schrieb Ard Biesheuvel:
> > > 
> > > Hi Ard,
> > > 
> > > > To be honest, this looks like the API is being used incorrectly. Is
> > > > this a similar issue to the one Herbert spotted recently with the CTR
> > > > code?
> > > > 
> > > > When you say 'leaving the TFM untouched' do you mean the skcipher
> > > > request? The TFM should not retain any per-request state in the first
> > > > place.
> > > > 
> > > > The skcipher request struct is not meant to retain any state either -
> > > > the API simply does not support incremental encryption if the input is
> > > > not a multiple of the chunksize.
> > > > 
> > > > Could you give some sample code on how you are using the API in this
> > > > case?
> > > 
> > > What I am doing technically is to allocate a new tfm and request at the
> > > beginning and then reuse the TFM and request. In that sense, I think I
> > > violate that constraint.
> > > 
> > > But in order to implement such repetition, I can surely clear / allocate
> > > a new TFM. But in order to get that right, I need the resulting IV
> > > after the cipher operation.
> > > 
> > > This IV that I get after the cipher operation completes is different
> > > between C and CE.
> > 
> > So is the expected output IV simply the last block of ciphertext that
> > was generated (as usual), but located before the truncated block in
> > the output?
> 
> If so, does the below fix the encrypt case?

I think it is.

But, allow me to take that patch to my test system for verification.
> 
> index cf618d8f6cec..22f190a44689 100644
> --- a/arch/arm64/crypto/aes-modes.S
> +++ b/arch/arm64/crypto/aes-modes.S
> @@ -275,6 +275,7 @@ AES_FUNC_START(aes_cbc_cts_encrypt)
>         add             x4, x0, x4
>         st1             {v0.16b}, [x4]                  /* overlapping
> stores */ st1             {v1.16b}, [x0]
> +       st1             {v1.16b}, [x5]
>         ret
>  AES_FUNC_END(aes_cbc_cts_encrypt)


Ciao
Stephan





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux