[openssl-users] issue with EVP_EncryptUpdate in XTS mode?

Andrew Tucker andrew.tucker at salesforce.com
Fri Jan 25 20:16:02 UTC 2019

I was doing some comparisons of XTS and GCM mode using the EVP APIs and
found a discrepancy that seems to be an issue with XTS.

In GCM mode if the buffer is encrypted in one call to EVP_EncryptUpdate or
with several calls with smaller buffers the resulting ciphertext is the
same, as I would expect. With XTS mode, calling EVP_EncryptUpdate results
in the same ciphertext for the same plaintext and does not match the
results when the buffer is encrypted with one call to EVP_EncryptUpdate.

I would expect that the counter is incremented in both XTS and GCM mode in
the same way and that in both cases the output would match regardless of
the encryption block size.

A simple repro test is attached. If you run it you can see that the
output "GCM in one block" matches the output for "GCM in 16 byte blocks"
and the outputs do not match for XTS.

I am using OpenSSL v1.02p but I have tried with other versions and got the
same results.

Am I misunderstanding the use of XTS mode or is this an issue with OpenSSL?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xtsgcmtest.c
Type: application/octet-stream
Size: 3354 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190125/d0db3ddb/attachment.obj>
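
An added example (not the scrubbed xtsgcmtest.c attachment and not OpenSSL code) that models the XTS result described in this post, assuming each update call is processed as one complete data unit whose tweak is re-derived from the IV. `toy_encrypt`, `xts_update`, `run` and the key and IV values are constructed for illustration, and the toy byte permutation stands in for AES so the block compiles without libcrypto.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLK 16

/* Toy keyed byte permutation standing in for AES (NOT a real cipher). */
static void toy_encrypt(const uint8_t k[BLK], const uint8_t in[BLK], uint8_t out[BLK]) {
    for (int i = 0; i < BLK; i++)
        out[i] = (uint8_t)((in[i] ^ k[i]) * 5u + 1u);
}

/* Multiply the tweak by alpha in GF(2^128), little-endian as in IEEE 1619. */
static void tweak_next(uint8_t t[BLK]) {
    uint8_t carry = 0;
    for (int i = 0; i < BLK; i++) {
        uint8_t msb = t[i] >> 7;
        t[i] = (uint8_t)((t[i] << 1) | carry);
        carry = msb;
    }
    if (carry) t[0] ^= 0x87;
}

/* One "update" call modelled as one data unit: the tweak restarts from
 * E_K2(iv) on every call (the assumption this example is built on). */
static void xts_update(const uint8_t k1[BLK], const uint8_t k2[BLK],
                       const uint8_t iv[BLK], const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t t[BLK], x[BLK];
    toy_encrypt(k2, iv, t);                      /* T_0 = E_K2(iv) */
    for (size_t off = 0; off + BLK <= len; off += BLK) {
        for (int i = 0; i < BLK; i++) x[i] = in[off + i] ^ t[i];
        toy_encrypt(k1, x, x);                   /* per-byte, so aliasing is safe */
        for (int i = 0; i < BLK; i++) out[off + i] = x[i] ^ t[i];
        tweak_next(t);                           /* T_{j+1} = T_j * alpha */
    }
}

/* Encrypt 64 bytes of 'A' in one call, then again in four 16-byte calls. */
static void run(uint8_t whole[64], uint8_t chunked[64]) {
    uint8_t pt[64], k1[BLK], k2[BLK], iv[BLK] = {1};   /* constructed values */
    memset(pt, 0x41, sizeof pt);
    for (int i = 0; i < BLK; i++) { k1[i] = (uint8_t)i; k2[i] = (uint8_t)(0x10 + i); }
    xts_update(k1, k2, iv, pt, whole, sizeof pt);
    for (size_t off = 0; off < sizeof pt; off += BLK)
        xts_update(k1, k2, iv, pt + off, chunked + off, BLK);
}

int main(void) {
    uint8_t w[64], c[64];
    run(w, c);
    printf("first block equal: %d, all 64 bytes equal: %d\n",
           memcmp(w, c, BLK) == 0, memcmp(w, c, 64) == 0);
    return 0;
}
```

Under this model only the first block agrees between the two runs, and the chunked run emits the same ciphertext block four times because every call reuses tweak T_0; passing one whole data unit per call with its own tweak avoids both effects.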