On Thu, 28 May 2020 at 09:33, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > > Ard Biesheuvel <ardb@xxxxxxxxxx> wrote: > > Stephan reports that the arm64 implementation of cts(cbc(aes)) deviates > > from the generic implementation in what it returns as the output IV. So > > fix this, and add some test vectors to catch other non-compliant > > implementations. > > > > Stephan, could you provide a reference for the NIST validation tool and > > how it flags this behaviour as non-compliant? Thanks. > > I think our CTS and XTS are both broken with respect to af_alg. > > The reason we use output IVs in general is to support chaining > which is required by algif_skcipher to break up large requests > into smaller ones. > > For CTS and XTS that simply doesn't work. So we should fix this > by changing algif_skcipher to not do chaining (and hence drop > support for large requests like algif_aead) for algorithms like > CTS/XTS. > The reason we return output IVs for CBC is because our generic implementation of CTS can wrap any CBC implementation, and relies on this output IV rather than grabbing it from the ciphertext directly (which may be tricky and is best left up to the CBC code) For CTS itself, as well as XTS, returning an output IV is meaningless, given that a) the implementations rely on the skcipher_walk infrastructure to present all input except the last bit in chunks that are a multiple of the block size, b) neither specification defines how chaining of inputs should work, regardless of whether the preceding input was a multiple of the block size or not. The CS3 mode that we implement for CTS swaps the final two blocks unconditionally. So even if the input is a whole multiple of the block size, the preceding ciphertext will turn out differently if any output happens to follow. For XTS, the IV is encrypted before processing the first block, so even if you do return an output IV, the subsequent invocations of the skcipher need to omit the encryption, which we don't implement currently. So if you are saying that we should never split up algif_skcipher requests into multiple calls into the underlying skcipher, then I agree with you. Even if the generic CTS seems to work more or less as expected by, e.g., the NIST validation tool, this is unspecified behavior, and definitely broken in various other places.
