On 25/01/2019 20:16, Andrew Tucker wrote:
> I was doing some comparisons of XTS and GCM mode using the EVP APIs and found a
> discrepancy that seems to be an issue with XTS.
>
> In GCM mode if the buffer is encrypted in one call to EVP_EncryptUpdate or with
> several calls with smaller buffers the resulting ciphertext is the same, as I
> would expect. With XTS mode, calling EVP_EncryptUpdate results in the same
> ciphertext for the same plaintext and does not match the results when the buffer
> is encrypted with one call to EVP_EncryptUpdate.
>
> I would expect that the counter is incremented in both XTS and GCM mode in the
> same way and that in both cases the output would match regardless of the
> encryption block size.
>
> A simple repro test is attached. If you run it you can see that the output
> "GCM in one block" matches the output for "GCM in 16 byte blocks" and the
> outputs do not match for XTS.
>
> I am using OpenSSL v1.02p but I have tried with other versions and got the same
> results.
>
> Am I misunderstanding the use of XTS mode or is this an issue with OpenSSL?

Please see my previous post on this topic here:
https://mta.openssl.org/pipermail/openssl-users/2019-January/009781.html

PRs welcome to improve the documentation in this area.

Matt