<div dir="ltr">Agree that XTS specific deviation should have been documented similar to some of the AEAD ciphers with EVP interface.<div><br></div><div>Thanks,</div><div>Thulasi.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 1 Oct 2019 at 08:46, Norm Green <<a href="mailto:norm.green@gemtalksystems.com">norm.green@gemtalksystems.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
Could be, but that's not how EVP_CipherUpdate is documented to
work. If this is an XTS mode limitation and not a bug, shouldn't
the limitation be documented on a man page somewhere? And shouldn't
my second call to EVP_CipherUpdate fail? <br>
<br>
Norm Green<br>
<br>
<br>
<div>On 9/30/2019 8:04 PM, Thulasi
Goriparthi wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">As 512 byte blocks are independently encrypted,
they should be decrypted similarly. This is how XTS mode is
defined.
<div>i.e Try to decrypt 512 byte blocks separately with two
CipherUpdates.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Thulasi.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, 1 Oct 2019 at 06:43,
Norm Green <<a href="mailto:norm.green@gemtalksystems.com" target="_blank">norm.green@gemtalksystems.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi
all,<br>
<br>
I'm using OpenSSL 1.1.1d on Linux with the cipher
EVP_aes_256_xts() in <br>
order to write database/disk encryption software.<br>
<br>
When encrypting, I have problems if I call EVP_CipherUpdate()
and <br>
encrypt the data in chunks. Encrypting only works when I
encrypt the <br>
entire payload with one and only one call to EVP_CipherUpdate.<br>
<br>
If I try to break the data into chunks (and make more than one
call to <br>
EVP_CipherUpdate), then decrypting the data produces garbage
after the <br>
first chunk that was encrypted<br>
When decrypting, I always decrypt all data in one call to
EVP_CipherUpdate .<br>
<br>
For example, when encrypting 1024 bytes, this pseudo-code
sequence works:<br>
<br>
char payload[1024];<br>
char encrypted[1024];<br>
int destSize = sizeof(encrypted);<br>
EVP_CipherInit_ex();<br>
EVP_CipherUpdate(ctx, encrypted, &destSize, payload,
sizeof(payload));<br>
EVP_CipherFinal(); (produces no additional data)<br>
<br>
However if I break the 1024 payload into 2 x 512 byte chunks,
decrypting <br>
the entire 1024 bytes of cipher text produces garbage every
time:<br>
<br>
char payload[1024];<br>
char encrypted[1024];<br>
int destSize = sizeof(encrypted);<br>
EVP_CipherInit_ex();<br>
EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512);
// first chunk<br>
destSize -= 512;<br>
EVP_CipherUpdate(ctx, &encrypted[512], &destSize,
&payload[512], 512); <br>
// second chunk<br>
EVP_CipherFinal(); (produces no additional data)<br>
<br>
I have a short C program that demonstrates the problem that I
can post <br>
if necessary.<br>
<br>
Can anyone explain what's going on?<br>
<br>
Norm Green<br>
CTO, GemTalk Systems Inc.<br>
</blockquote>
</div>
</blockquote>
<br>
</div>
</blockquote></div>