Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2500142ybi; Thu, 18 Jul 2019 09:19:59 -0700 (PDT) X-Google-Smtp-Source: APXvYqy8pniyr+y8pP1tuZa/S2sHUtuOwpAd6Hvv/wnCcSSDvHapQi1RbsvekuBxP36RmxEkN8qW X-Received: by 2002:a17:902:9349:: with SMTP id g9mr50186501plp.262.1563466799426; Thu, 18 Jul 2019 09:19:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1563466799; cv=none; d=google.com; s=arc-20160816; b=zPnAVDi10ZwKBEh6e4jInz3RG0slY5mwFcVLbuJS4noDJyHERyFAk26FI0FkERNQVQ BgYjSNT+j+kbFBOI7RO4isGrOkKSqbOYSQTDaZjKB/O+MNdQqKDX/MsN7Dyn5SJX/NxS nL5b4glERdECKRnE9m0bgM6oyrXt/SokQF/jiFCZGLqq423EHi42Hy+aHqe0SGGjbHOe dmcKBxpRiNsR0E69GmcjVPUeEouzEMgQ1qkCoxfmXS8ArbShmK3e2C70TokdWkIaYp0h HyEdfadGCbCTUL1FVBNK3Gx4AgbzLsQN5naA9imbrgVK6egbqZgmHo4DqUj2s+tLMcVL Jvaw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=r3GlNBVst9t8jRnUchWq6hQTL9LZJ3mgIWLVfA8vl2E=; b=Whyl/VN57TsSJ/Z9ppBLobRj08GoW/rhsZH42rac4f7NOi5goTraUvxbKkum83BZd9 tCnMcA7nPO0RYkF+o6d03KcVw7nrFCN1kCg+n7jZaboH7pme1geQKReAldZd4/ULGu37 PkYJMM8M5ZWraKT+2LNToKJ2r81D7F0EJq18xrYb2sywjeUjnQ42V+mHywRgSy9FVVBd 7T6xRY+hYEjY+DWraM4LVXp7ahxb1eNaNdBZVjKiKFLySlWsd4Ge932h7rC1XD+TTzqr MxD03QaT5wUS/jXOpbxlO3bckT4xnMHX/78LT/H2NIE1KRdHU0odCMbebNLbzveUDGtk oLJw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=cAvaFYYn; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 21si1239310pgh.148.2019.07.18.09.19.39; Thu, 18 Jul 2019 09:19:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=cAvaFYYn; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727740AbfGRQTi (ORCPT + 99 others); Thu, 18 Jul 2019 12:19:38 -0400 Received: from mail-wr1-f41.google.com ([209.85.221.41]:38312 "EHLO mail-wr1-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726040AbfGRQTi (ORCPT ); Thu, 18 Jul 2019 12:19:38 -0400 Received: by mail-wr1-f41.google.com with SMTP id g17so29364193wrr.5 for ; Thu, 18 Jul 2019 09:19:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r3GlNBVst9t8jRnUchWq6hQTL9LZJ3mgIWLVfA8vl2E=; b=cAvaFYYna2pGYnNS54i+OV8AOmRUdbYBQRhlr+pzWwELtS5raoT2vgQpCKklNjlWU6 VLffcf3pnj+YtCji6HT/XXsk70R9wkcG6akf+SzUELz1oiWpVwe6DKpAknAUa1fM+MKp EkWxzOWiQgaAxMvXQPUQPP2X7pi7WW3TwJLPvWY4o0mIvh1pVSbMqeIiGV0WtoQrThnC AgIdDiTjjB6ajoy0MqfFMMixvHcCFMks2f6E+ayof3vHv3CrAIDJ2AId3EUaYCMeks6d 7PvkM/cZkQuhm5r/GpSe4/xruRWpWC+TN5lACj4Ux6wIOCmnLzmFxBqytDy6E3mH9xww wSWA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r3GlNBVst9t8jRnUchWq6hQTL9LZJ3mgIWLVfA8vl2E=; b=asrZ8VAVx9kDuQjgSTqShAsaYM1PxV7WxFrgfmqhucFRgW9rHFtFbgAvmiOV8roScI 0dZPJFkfen7YHUlM6ZTrgutjYtDoetm8H5a7xeKJwi2pd87MZqGun2fDACid+EHqpcn8 aivyAlwyizkpfL6RXwsNq5v8UzVWHcHAwhksiRO0a41GMW9Y9uMXzdw6La2b4dmgr0I8 SuIpBa0Xk42zhvlcrlWfBJHNAjPlHBOAc+BbahRldlcctCMNMh+CU6G2k2gBFKzRjb5r y4pCdAB7Ea7FWjbtI0Rh1/L/Iv0kp63JR9/tNRdrsv7WZ8sKlXEeAKYcAG2BhkyBJzzL GXQA== X-Gm-Message-State: APjAAAXIEk+kLoSfYqpPBWRcgIsvlnlSIGUGCanyAX3Xp52lMl3pAVqO HjYaQvAtku+Wlj7aivnm7a9RGIPkckDI+9sdJQOJzw== X-Received: by 2002:adf:e8c2:: with SMTP id k2mr36541175wrn.198.1563466775933; Thu, 18 Jul 2019 09:19:35 -0700 (PDT) MIME-Version: 1.0 References: <20190717172823.GA205944@gmail.com> <20190718065223.4xaefcwjoxvujntw@gondor.apana.org.au> <20190718072154.m2umem24x4grbf6w@gondor.apana.org.au> <36e78459-1594-6d19-0ab4-95b03a6de036@gmail.com> <20190718152908.xiuze3kb3fdc7ov6@gondor.apana.org.au> <20190718155140.b6ig3zq22askmfpy@gondor.apana.org.au> In-Reply-To: <20190718155140.b6ig3zq22askmfpy@gondor.apana.org.au> From: Ard Biesheuvel Date: Thu, 18 Jul 2019 18:19:24 +0200 Message-ID: Subject: Re: xts fuzz testing and lack of ciphertext stealing support To: Herbert Xu Cc: Pascal Van Leeuwen , Milan Broz , Horia Geanta , "linux-crypto@vger.kernel.org" , "dm-devel@redhat.com" Content-Type: text/plain; charset="UTF-8" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, 18 Jul 2019 at 17:51, Herbert Xu wrote: > > On Thu, Jul 18, 2019 at 03:43:28PM +0000, Pascal Van Leeuwen wrote: > > > > Hmmm ... so the generic CTS template would have to figure out whether it is wrapped > > around ECB, CBC, XTS or whatever and then adjust to that? > > That's not hard to do. Right now cts only supports cbc. IOW > if you pass it anything else it will refuse to instantiate. > > > For XTS, you have this additional curve ball being thrown in called the "tweak". > > For encryption, the underlying "xts" would need to be able to chain the tweak, > > from what I've seen of the source the implementation cannot do that. > > You simply use the underlying xts for the first n - 2 blocks and > do the last two by hand. > OK, so it appears the XTS ciphertext stealing algorithm does not include the peculiar reordering of the 2 final blocks, which means that the kernel's implementation of XTS already conforms to the spec for inputs that are a multiple of the block size. The reason I am not a fan of making any changes here is that there are no in-kernel users that require ciphertext stealing for XTS, nor is anyone aware of any reason why we should be adding it to the userland interface. So we are basically adding dead code so that we are theoretically compliant in a way that we will never exercise in practice. Note that for software algorithms such as the bit sliced NEON implementation of AES, which can only operate on 8 AES blocks at a time, doing the final 2 blocks sequentially is going to seriously impact performance. This means whatever wrapper we invent around xex() (or whatever we call it) should go out of its way to ensure that the common, non-CTS case does not regress in performance, and the special handling is only invoked when necessary (which will be never).