On Fri, Dec 04, 2020 at 02:59:35PM +0000, David Howells wrote:
> Hi Chuck, Bruce,
>
> Why is gss_krb5_crypto.c using an auxiliary cipher? For reference, the
> gss_krb5_aes_encrypt() code looks like the attached.
>
> From what I can tell, in AES mode, the difference between the main cipher and
> the auxiliary cipher is that the latter is "cbc(aes)" whereas the former is
> "cts(cbc(aes))" - but they have the same key.
>
> Reading up on CTS, I'm guessing the reason it's like this is that CTS is the
> same as the non-CTS, except for the last two blocks, but the non-CTS one is
> more efficient. CTS is cipher-text stealing, isn't it?

I think it was Kevin Coffman that did that, and I don't remember the history.
I thought it was required by some spec or peer implementation (maybe Windows?)
but I really don't remember. It may predate git. I'll dig around and see what
I can find.

--b.

>
> David
> ---
> 	nbytes = buf->len - offset - GSS_KRB5_TOK_HDR_LEN;
> 	nblocks = (nbytes + blocksize - 1) / blocksize;
> 	cbcbytes = 0;
> 	if (nblocks > 2)
> 		cbcbytes = (nblocks - 2) * blocksize;
>
> 	memset(desc.iv, 0, sizeof(desc.iv));
>
> 	if (cbcbytes) {
> 		SYNC_SKCIPHER_REQUEST_ON_STACK(req, aux_cipher);
>
> 		desc.pos = offset + GSS_KRB5_TOK_HDR_LEN;
> 		desc.fragno = 0;
> 		desc.fraglen = 0;
> 		desc.pages = pages;
> 		desc.outbuf = buf;
> 		desc.req = req;
>
> 		skcipher_request_set_sync_tfm(req, aux_cipher);
> 		skcipher_request_set_callback(req, 0, NULL, NULL);
>
> 		sg_init_table(desc.infrags, 4);
> 		sg_init_table(desc.outfrags, 4);
>
> 		err = xdr_process_buf(buf, offset + GSS_KRB5_TOK_HDR_LEN,
> 				      cbcbytes, encryptor, &desc);
> 		skcipher_request_zero(req);
> 		if (err)
> 			goto out_err;
> 	}
>
> 	/* Make sure IV carries forward from any CBC results. */
> 	err = gss_krb5_cts_crypt(cipher, buf,
> 				 offset + GSS_KRB5_TOK_HDR_LEN + cbcbytes,
> 				 desc.iv, pages, 1);
> 	if (err) {
> 		err = GSS_S_FAILURE;
> 		goto out_err;
> 	}
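The CBC-versus-CTS relationship discussed in the thread, as an added worked example (not code from the thread, the kernel, or either participant). It is written in Go against the standard library's AES and CBC rather than the kernel crypto API, and assumes the Kerberos ciphertext-stealing layout of RFC 3962 (CBC-CS3: zero-pad, CBC, swap the last two ciphertext blocks, truncate the final one), which is the variant the kernel's cts template implements. The function names ctsEncrypt, ctsDecrypt, splitEncrypt and the key and message are constructed for the demonstration. splitEncrypt mirrors the structure of gss_krb5_aes_encrypt(): plain CBC over everything but the last two blocks, then CTS over the remainder with the IV carried forward from the last CBC ciphertext block, and the example checks that this produces byte-for-byte the same output as running CTS over the whole buffer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const blockSize = aes.BlockSize

// cbcEncrypt CBC-encrypts whole blocks of src under iv (the "cbc(aes)" path).
func cbcEncrypt(block cipher.Block, iv, src []byte) []byte {
	out := make([]byte, len(src))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, src)
	return out
}

// ctsEncrypt is Kerberos ciphertext stealing (CBC-CS3, RFC 3962): CBC over the
// zero-padded input, then the last two ciphertext blocks are swapped and the
// final one truncated so the ciphertext is exactly as long as the plaintext.
func ctsEncrypt(block cipher.Block, iv, pt []byte) ([]byte, error) {
	if len(pt) < blockSize {
		return nil, fmt.Errorf("cts: input must be at least one block")
	}
	if len(pt) == blockSize {
		return cbcEncrypt(block, iv, pt), nil // a single block is plain CBC
	}
	n := (len(pt) + blockSize - 1) / blockSize
	r := len(pt) - (n-1)*blockSize // bytes in the last, possibly short, block
	padded := make([]byte, n*blockSize)
	copy(padded, pt)
	c := cbcEncrypt(block, iv, padded)
	out := make([]byte, 0, len(pt))
	out = append(out, c[:(n-2)*blockSize]...)                  // C_1 .. C_{n-2}
	out = append(out, c[(n-1)*blockSize:]...)                  // C_n comes first
	out = append(out, c[(n-2)*blockSize:(n-2)*blockSize+r]...) // then r bytes of C_{n-1}
	return out, nil
}

// ctsDecrypt inverts ctsEncrypt.
func ctsDecrypt(block cipher.Block, iv, ct []byte) ([]byte, error) {
	if len(ct) < blockSize {
		return nil, fmt.Errorf("cts: input must be at least one block")
	}
	if len(ct) == blockSize {
		out := make([]byte, blockSize)
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ct)
		return out, nil
	}
	n := (len(ct) + blockSize - 1) / blockSize
	r := len(ct) - (n-1)*blockSize
	cn := ct[(n-2)*blockSize : (n-1)*blockSize] // the full block is the real C_n
	cpart := ct[(n-1)*blockSize:]                // first r bytes of the real C_{n-1}
	d := make([]byte, blockSize)
	block.Decrypt(d, cn) // d = (P_n || zero padding) XOR C_{n-1}
	cprev := make([]byte, blockSize) // rebuild C_{n-1}: its stolen tail is d[r:]
	copy(cprev, cpart)
	copy(cprev[r:], d[r:])
	pn := make([]byte, r) // P_n = d XOR C_{n-1}, only the first r bytes are real
	for i := range pn {
		pn[i] = d[i] ^ cprev[i]
	}
	head := append(append([]byte{}, ct[:(n-2)*blockSize]...), cprev...)
	pt := make([]byte, len(head))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, head)
	return append(pt, pn...), nil
}

// splitEncrypt follows the shape of gss_krb5_aes_encrypt(): plain CBC over all
// but the last two blocks, then CTS over the remainder, with the IV for the
// CTS step carried forward from the last CBC ciphertext block.
func splitEncrypt(block cipher.Block, iv, pt []byte) ([]byte, error) {
	nblocks := (len(pt) + blockSize - 1) / blockSize
	cbcbytes := 0
	if nblocks > 2 {
		cbcbytes = (nblocks - 2) * blockSize
	}
	out := make([]byte, 0, len(pt))
	ctsIV := iv
	if cbcbytes > 0 {
		c := cbcEncrypt(block, iv, pt[:cbcbytes])
		out = append(out, c...)
		ctsIV = c[len(c)-blockSize:] // "Make sure IV carries forward from any CBC results."
	}
	tail, err := ctsEncrypt(block, ctsIV, pt[cbcbytes:])
	if err != nil {
		return nil, err
	}
	return append(out, tail...), nil
}

func main() {
	key := []byte("example key 1234")                          // constructed AES-128 key
	msg := []byte("constructed payload, not a block multiple") // constructed 41-byte input
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, blockSize) // the kernel zeroes desc.iv before encrypting
	full, _ := ctsEncrypt(block, iv, msg)
	split, _ := splitEncrypt(block, iv, msg)
	back, _ := ctsDecrypt(block, iv, full)
	fmt.Printf("len(msg)=%d len(ct)=%d\n", len(msg), len(full))
	fmt.Println("cts(cbc) == cbc + cts tail:", bytes.Equal(full, split))
	fmt.Println("roundtrip ok:", bytes.Equal(back, msg))
}
```

The equality is what justifies the auxiliary cipher: CTS only changes how the final two blocks are produced, so every block before them can go through the plain CBC transform, provided the CTS step is seeded with the last CBC ciphertext block rather than the original IV. Note that the CTS step needs at least one full block of input; the helper rejects shorter inputs because RFC 3962 defines the mode only for messages of one block or more.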