EVP_aes_256_xts() problems with multiple calls to EVP_CipherUpdate

Thulasi Goriparthi thulasi.goriparthi at gmail.com
Tue Oct 1 04:25:59 UTC 2019 

Agree that XTS specific deviation should have been documented similar to
some of the AEAD ciphers with EVP interface.

Thanks,
Thulasi.

On Tue, 1 Oct 2019 at 08:46, Norm Green <norm.green at gemtalksystems.com>
wrote:

> Could be, but that's not how EVP_CipherUpdate is documented to work.  If
> this is an XTS mode limitation and not a bug, shouldn't the limitation be
> documented on a man page somewhere?  And shouldn't my second call to
> EVP_CipherUpdate fail?
>
> Norm Green
>
>
> On 9/30/2019 8:04 PM, Thulasi Goriparthi wrote:
>
> As 512 byte blocks are independently encrypted, they should be decrypted
> similarly. This is how XTS mode is defined.
> i.e Try to decrypt 512 byte blocks separately with two CipherUpdates.
>
> Thanks,
> Thulasi.
>
> On Tue, 1 Oct 2019 at 06:43, Norm Green <norm.green at gemtalksystems.com>
> wrote:
>
>> Hi all,
>>
>> I'm using OpenSSL 1.1.1d on Linux with the cipher EVP_aes_256_xts() in
>> order to write database/disk encryption software.
>>
>> When encrypting, I have problems if I call EVP_CipherUpdate() and
>> encrypt the data in chunks. Encrypting only works when I encrypt the
>> entire payload with one and only one call to EVP_CipherUpdate.
>>
>> If I try to break the data into chunks (and make more than one call to
>> EVP_CipherUpdate), then decrypting the data produces garbage after the
>> first chunk that was encrypted
>> When decrypting, I always decrypt all data in one call to
>> EVP_CipherUpdate .
>>
>> For example, when encrypting 1024 bytes, this pseudo-code sequence works:
>>
>> char payload[1024];
>> char encrypted[1024];
>> int destSize = sizeof(encrypted);
>> EVP_CipherInit_ex();
>> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, sizeof(payload));
>> EVP_CipherFinal(); (produces no additional data)
>>
>> However if I break the 1024 payload into 2 x 512 byte chunks, decrypting
>> the entire 1024 bytes of cipher text produces garbage every time:
>>
>> char payload[1024];
>> char encrypted[1024];
>> int destSize = sizeof(encrypted);
>> EVP_CipherInit_ex();
>> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512); // first chunk
>> destSize -= 512;
>> EVP_CipherUpdate(ctx, &encrypted[512], &destSize, &payload[512], 512);
>> // second chunk
>> EVP_CipherFinal(); (produces no additional data)
>>
>> I have a short C program that demonstrates the problem that I can post
>> if necessary.
>>
>> Can anyone explain what's going on?
>>
>> Norm Green
>> CTO, GemTalk Systems Inc.
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20191001/29e54e7a/attachment-0001.html>

More information about the openssl-users mailing list