Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
> Stephan reports that the arm64 implementation of cts(cbc(aes)) deviates
> from the generic implementation in what it returns as the output IV. So
> fix this, and add some test vectors to catch other non-compliant
> implementations.
>
> Stephan, could you provide a reference for the NIST validation tool and
> how it flags this behaviour as non-compliant? Thanks.

I think our CTS and XTS are both broken with respect to af_alg.

The reason we use output IVs in general is to support chaining which
is required by algif_skcipher to break up large requests into smaller
ones.

For CTS and XTS that simply doesn't work. So we should fix this by
changing algif_skcipher to not do chaining (and hence drop support
for large requests like algif_aead) for algorithms like CTS/XTS.

Cheers,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
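The chaining argument above, as an added illustration that is not kernel code: splitting one request into pieces and feeding each piece's output IV into the next reproduces a single-shot CBC encryption exactly, but for CBC with ciphertext stealing (CS3-style, as in cts(cbc(...))) the stealing happens at every piece boundary, so the result cannot match a single-shot encryption whatever IV the first piece returns. A constructed keyed byte permutation stands in for AES, and "output IV = last full ciphertext block" is an assumption of this example only.

```python
BS = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed keyed, invertible 16-byte permutation standing in for AES (not a cipher)."""
    x = bytes(b ^ k for b, k in zip(block, key))
    x = x[1:] + x[:1]
    return bytes((b + 17 * i + 1) & 0xFF for i, b in enumerate(x))

def cbc_encrypt(key, iv, pt):
    """Plain CBC over a block-aligned message; returns (ciphertext, output IV = last ct block)."""
    assert len(pt) % BS == 0 and len(pt) > 0
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BS):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BS], prev)))
        out += prev
    return bytes(out), prev

def cts_encrypt(key, iv, pt):
    """CBC-CS3-style ciphertext stealing: encrypt full blocks with CBC, then emit the final
    block in full and only the first d bytes of the penultimate block (its tail is 'stolen')."""
    assert len(pt) >= BS
    if len(pt) == BS:                      # single block: plain CBC, nothing to steal
        return cbc_encrypt(key, iv, pt)
    d = len(pt) % BS or BS                 # bytes in the final (possibly partial) block
    head, p_last = pt[:len(pt) - d], pt[len(pt) - d:]
    body, c_prev = cbc_encrypt(key, iv, head)
    c_last = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(p_last.ljust(BS, b"\0"), c_prev)))
    return body[:-BS] + c_last + c_prev[:d], c_last   # assumed output IV: last full block

def chained(mode, key, iv, chunks):
    """Mimic algif_skcipher breaking one request into pieces chained via the returned IV."""
    out = b""
    for chunk in chunks:
        ct, iv = mode(key, iv, chunk)
        out += ct
    return out

KEY = b"0123456789abcdef"   # constructed sample key
IV = bytes(BS)

def cbc_chaining_matches():
    pt = bytes(range(48))   # three full blocks, split 2 + 1
    return chained(cbc_encrypt, KEY, IV, [pt[:32], pt[32:]]) == cbc_encrypt(KEY, IV, pt)[0]

def cts_chaining_matches():
    pt = bytes(range(40))   # two and a half blocks, split 1.5 + 1
    return chained(cts_encrypt, KEY, IV, [pt[:24], pt[24:]]) == cts_encrypt(KEY, IV, pt)[0]
```

For CTS the very first ciphertext block already differs: the single-shot output starts with E(P1 xor IV), while the chained first piece starts with the block computed after stealing from P2.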