Re: EVP_aes_256_xts() problems with multiple calls to EVP_CipherUpdate

Thulasi Goriparthi <thulasi.goriparthi@xxxxxxxxx> · Tue, 1 Oct 2019 09:55:59 +0530

Agree that XTS specific deviation should have been documented similar to some of the AEAD ciphers with EVP interface.
Thanks,
Thulasi.

On Tue, 1 Oct 2019 at 08:46, Norm Green <norm.green@xxxxxxxxxxxxxxxxxx> wrote:

    Could be, but that's not how EVP_CipherUpdate is documented to
    work.  If this is an XTS mode limitation and not a bug, shouldn't
    the limitation be documented on a man page somewhere?  And shouldn't
    my second call to EVP_CipherUpdate fail? 

    Norm Green

    On 9/30/2019 8:04 PM, Thulasi
      Goriparthi wrote:

      As 512 byte blocks are independently encrypted,
        they should be decrypted similarly. This is how XTS mode is
        defined.
        i.e Try to decrypt 512 byte blocks separately with two
          CipherUpdates.

        Thanks,
        Thulasi.

        On Tue, 1 Oct 2019 at 06:43,
          Norm Green <norm.green@xxxxxxxxxxxxxxxxxx>
          wrote:

        Hi
          all,

          I'm using OpenSSL 1.1.1d on Linux with the cipher
          EVP_aes_256_xts() in 

          order to write database/disk encryption software.

          When encrypting, I have problems if I call EVP_CipherUpdate()
          and 

          encrypt the data in chunks. Encrypting only works when I
          encrypt the 

          entire payload with one and only one call to EVP_CipherUpdate.

          If I try to break the data into chunks (and make more than one
          call to 

          EVP_CipherUpdate), then decrypting the data produces garbage
          after the 

          first chunk that was encrypted

          When decrypting, I always decrypt all data in one call to
          EVP_CipherUpdate .

          For example, when encrypting 1024 bytes, this pseudo-code
          sequence works:

          char payload[1024];

          char encrypted[1024];

          int destSize = sizeof(encrypted);

          EVP_CipherInit_ex();

          EVP_CipherUpdate(ctx, encrypted, &destSize, payload,
          sizeof(payload));

          EVP_CipherFinal(); (produces no additional data)

          However if I break the 1024 payload into 2 x 512 byte chunks,
          decrypting 

          the entire 1024 bytes of cipher text produces garbage every
          time:

          char payload[1024];

          char encrypted[1024];

          int destSize = sizeof(encrypted);

          EVP_CipherInit_ex();

          EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512);
          // first chunk

          destSize -= 512;

          EVP_CipherUpdate(ctx, &encrypted[512], &destSize,
          &payload[512], 512); 

          // second chunk

          EVP_CipherFinal(); (produces no additional data)

          I have a short C program that demonstrates the problem that I
          can post 

          if necessary.

          Can anyone explain what's going on?

          Norm Green

          CTO, GemTalk Systems Inc.