Am Dienstag, 19. Mai 2020, 19:53:57 CEST schrieb Ard Biesheuvel: Hi Ard, > On Tue, 19 May 2020 at 19:50, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > On Tue, 19 May 2020 at 19:35, Stephan Mueller <smueller@xxxxxxxxxx> wrote: > > > Am Dienstag, 19. Mai 2020, 18:21:01 CEST schrieb Ard Biesheuvel: > > > > > > Hi Ard, > > > > > > > To be honest, this looks like the API is being used incorrectly. Is > > > > this a similar issue to the one Herbert spotted recently with the CTR > > > > code? > > > > > > > > When you say 'leaving the TFM untouched' do you mean the skcipher > > > > request? The TFM should not retain any per-request state in the first > > > > place. > > > > > > > > The skcipher request struct is not meant to retain any state either - > > > > the API simply does not support incremental encryption if the input is > > > > not a multiple of the chunksize. > > > > > > > > Could you give some sample code on how you are using the API in this > > > > case? > > > > > > What I am doing technically is to allocate a new tfm and request at the > > > beginning and then reuse the TFM and request. In that sense, I think I > > > violate that constraint. > > > > > > But in order to implement such repetition, I can surely clear / allocate > > > a new TFM. But in order to get that right, I need the resulting IV > > > after the cipher operation. > > > > > > This IV that I get after the cipher operation completes is different > > > between C and CE. > > > > So is the expected output IV simply the last block of ciphertext that > > was generated (as usual), but located before the truncated block in > > the output? > > If so, does the below fix the encrypt case? I think it is. But, allow me to take that patch to my test system for verification. > > index cf618d8f6cec..22f190a44689 100644 > --- a/arch/arm64/crypto/aes-modes.S > +++ b/arch/arm64/crypto/aes-modes.S > @@ -275,6 +275,7 @@ AES_FUNC_START(aes_cbc_cts_encrypt) > add x4, x0, x4 > st1 {v0.16b}, [x4] /* overlapping > stores */ st1 {v1.16b}, [x0] > + st1 {v1.16b}, [x5] > ret > AES_FUNC_END(aes_cbc_cts_encrypt) Ciao Stephan