Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp5748769ybh; Wed, 7 Aug 2019 10:44:44 -0700 (PDT) X-Google-Smtp-Source: APXvYqwEA8SGX9mVAAp9xWAzj2tVJcXsY8FOJSXyHlkuL5NxxIXx0Fao4LLlaIoY0+VExCPrUwC8 X-Received: by 2002:aa7:8218:: with SMTP id k24mr10129942pfi.221.1565199884796; Wed, 07 Aug 2019 10:44:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565199884; cv=none; d=google.com; s=arc-20160816; b=LU62IYMSnuELTKVo5U7OJxr2szuHpI7SVhIbjhFPqn5y3DS31jAB+4rA1NLHTbYDcY OZJpsNx/Oe1PD5ij6pHH4KeeU5tkgIhdPucMSasiwHT3/KRR99qsIzZaLbItmA2TBZ50 hlH1YnMtDGp5VVzIdaF996Np4W3g4k1B876zvT3Fweu0F7dLiDojQouJlSIaetWX1YPZ tcDndbBvylwNh8C7Dhdej7pqxjYtrUQsIJhfVVAq2pweoE30nQ6IczRmJkh7+ViuQaUD E5dael30Nk0X3aevo16cxCsuwxDc32brIT/f3EL1fdS4Aj3FDR6UL5D9CjcUEsko078S JLww== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject:dkim-signature; bh=wo3nEGAkLOpA+UYnrX7HewWZPxXPoldMl2fw5CMEKQY=; b=fT1GndsT1zCGn+FnuGnSeQ6HoStvJ0VgoU8PE6+USbxYN8P/CAwZ00IR6HmbS112fE S/KHyjphOU6DG3Oqvda3goBuFbdEc5UjWwlNTaZg5wQBbhyU5GmD9wmdimsG5LoatZHk nwgzNxh+u3Iz3K1FVXyrl3qRHUd8J9Aikx+bi7+7MjOw6BAAZPDQWHgOxdfhKaVYol2m ANn+/H5ZmMTYmf7ryG1EprDJbVMRkNvtb7AeiiKfjksfo8al7GDCjNI4+62783JdWL3j 7UDr994ioAf/JjxPXWr9BHwxvafM7CA8eUj4+VVKjrrmYRE7EI3ZPkEOKUBzRnC1wY0t abSg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NeuZX4IL; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 92si45891333plc.217.2019.08.07.10.44.22; Wed, 07 Aug 2019 10:44:44 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=NeuZX4IL; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730180AbfHGRYd (ORCPT + 99 others); Wed, 7 Aug 2019 13:24:33 -0400 Received: from mail-wr1-f44.google.com ([209.85.221.44]:44858 "EHLO mail-wr1-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729804AbfHGRYd (ORCPT ); Wed, 7 Aug 2019 13:24:33 -0400 Received: by mail-wr1-f44.google.com with SMTP id p17so92149949wrf.11 for ; Wed, 07 Aug 2019 10:24:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=wo3nEGAkLOpA+UYnrX7HewWZPxXPoldMl2fw5CMEKQY=; b=NeuZX4ILVKJaqD+Mub9t4ESBnhqQDy/d2+pKZJqMje+BOjXlR1sEYkyiZngEe1OrNp EKBA7XgOw8bttAAc2Snkoo65J3FP3x+BnpzeWpQuPbGjPCYfXdDcggFiu/1kv9cHHP0c Csct/zoPff7MrA439MSypSH8MEN9udGp2Ppw6MCGesWojxdSE0Z2+JrbORvPhoEaQqT/ l6xV+FBO1TPms3VnyFWuzpc6GGfLEKTzy/INlVOrdrg1M5IFz7i+ib44n/CylD7qfbxx nFPiUF+XEJIhjRDSp7uh+My1WWzGeuH3yIxxN5LS2vjNPITpTICqumndxIGFHucxmyia SDew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=wo3nEGAkLOpA+UYnrX7HewWZPxXPoldMl2fw5CMEKQY=; b=ecMI75AvQ/57dY5kbNuZWhpKRG93BRduiaVaCnADR/GDgOrAd0jzP4/Wnx4rheysBd 7969HuhkVLmRJuZZPG65tQuSCoUEn02Z50+rXsPAykAyNjDFcJIO9D8vxrsxf5k/Hiar MLEKeNsGcR7ypYfCHrTlpcCmYrTN4HLlkWLVg+aNCb7w+kGypvgKfo/vMtDiESC41QdM FT+pxIVHU5vU1r3ZYZPTg81UNX5HdaBQTPgZPW/8XD2g3M4UD/VOKBijj2i231InIfoN Kd0BWZy2cpc5m2BVVrDIQeH/jKZdR2MdgfFEqc3EYFi9lXQYP/GgucNHU6JKsMJRL67v dGCw== X-Gm-Message-State: APjAAAUybmobzkiLZJZHfsygmzxA3KY0HRLWFEqRsvAEvKmf23BNgWSE f2CF8+HG1W8wcXjULx1aFYQAqFRJRyI= X-Received: by 2002:a5d:618d:: with SMTP id j13mr11826320wru.195.1565198671385; Wed, 07 Aug 2019 10:24:31 -0700 (PDT) Received: from [192.168.2.28] (39.35.broadband4.iol.cz. [85.71.35.39]) by smtp.gmail.com with ESMTPSA id s2sm344971wmj.33.2019.08.07.10.24.30 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Wed, 07 Aug 2019 10:24:30 -0700 (PDT) Subject: Re: [PATCH] crypto: xts - Add support for Cipher Text Stealing To: Pascal Van Leeuwen , Pascal van Leeuwen , "linux-crypto@vger.kernel.org" Cc: "rsnel@cube.dyndns.org" , "herbert@gondor.apana.org.au" , "davem@davemloft.net" References: <1565074510-8480-1-git-send-email-pvanleeuwen@verimatrix.com> <5bf9d0be-3ba4-8903-f1b9-93aa32106274@gmail.com> <52a11506-0047-a7e7-4fa0-ba8d465b843c@gmail.com> From: Milan Broz Openpgp: preference=signencrypt Message-ID: <46f76b06-004e-c08a-3ef3-4ba9fdc61d91@gmail.com> Date: Wed, 7 Aug 2019 19:24:29 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 07/08/2019 17:13, Pascal Van Leeuwen wrote: >>>> Seems there is no mistake in your code, it is some bug in aesni_intel implementation. >>>> If I disable this module, it works as expected (with aes generic and aes_i586). >>>> >>> That's odd though, considering there is a dedicated xts-aes-ni implementation, >>> i.e. I would not expect that to end up at the generic xts wrapper at all? >> >> Note it is 32bit system, AESNI XTS is under #ifdef CONFIG_X86_64 so it is not used. >> > Ok, so I guess no one bothered to make an optimized XTS version for i386. > I quickly browsed through the code - took me a while to realise the assembly is > "backwards" compared to the original Intel definition :-) - but I did not spot > anything obvious :-( > >> I guess it only ECB part ... Mystery solved, the skcipher subreq must be te last member in the struct. (Some comments in Adiantum code mentions it too, so I do not think it just hides the corruption after the struct. Seems like another magic requirement in crypto API :-) This chunk is enough to fix it for me: --- a/crypto/xts.c +++ b/crypto/xts.c @@ -33,8 +33,8 @@ struct xts_instance_ctx { struct rctx { le128 t, tcur; - struct skcipher_request subreq; int rem_bytes, is_encrypt; + struct skcipher_request subreq; }; While at it, shouldn't be is_encrypt bool? Thanks, Milan