Received: by 2002:a25:b794:0:0:0:0:0 with SMTP id n20csp5920853ybh; Wed, 7 Aug 2019 13:50:34 -0700 (PDT) X-Google-Smtp-Source: APXvYqzOuQ0sPzdOcxh5mamC4U1ttmLZWr7viGnl7GBhgzsNo4WYOa38L1vMcpsy9O1UmIcWOjeU X-Received: by 2002:a65:6288:: with SMTP id f8mr9216892pgv.292.1565211034778; Wed, 07 Aug 2019 13:50:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565211034; cv=none; d=google.com; s=arc-20160816; b=HMZPEkm8Qc2k6FMqTG/we/d5KXd5Myq9SMpK4q0vG5o6kmFhQAb7yytEjx1KB3UvIE a7fhDOxyDZP3A1hBc3DypRWC+CRIT/ibgeBu4oAuAPEJvRfftx0fZfsPliB06nd27gK5 GY8HgnOq5UW9mIM1Q2jc3dGbWKkdJfoZCf1DbYPG32h/SMHsFUkz/jdrfNWSm1IJ+0ob uGy3IhvO2bsi0DYi2GTFkthZ9Z8c6562LAR6j4+/VvhYcVbEuKL3svwsLrCYwKTz/zhS 0SvAnH/TLzhZ3CSvrx+AnlDM3FY4lDand14LVQTBwm4S9r0pGGmF4/5VECm60cbPYIY4 EP4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=iNrWyfe14EceBCcyBHxBfD+ggPp/iRoNtelJDekGiAI=; b=VnzTvlMQJ1KvqBbVoD4FbaPR9w6sNpdLraDX0ZXvXrOi55NKMwbK/n+VdLlG3trxsc J6XDni9R8t1CCEbUBhmYf3QfuUexFUVcO+j0PFsRXT6N/hcmzMQ8Ey13LLueivWrhV70 U2Bd2Rc5JGikqzfiXLn9xJQuvrfOyY/QDeRtFBUeOO7VTVC3TIq2DnK3vLDTo1kkgdMr AlpFmycV1dbf40sWTfDoEryXr8JQAv7xt8YhlPjjfy6CK0AbWCTKZyOiKqY3ec493hkY E+HKmk+qXAv5vfLufITuEkyZcdsQXY8sntkcOfldYn1rOSDm9TGzekqNXHbsXsnlrdei SuDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=WhUUpvBZ; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b35si960723pla.157.2019.08.07.13.50.12; Wed, 07 Aug 2019 13:50:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=WhUUpvBZ; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389413AbfHGUcr (ORCPT + 99 others); Wed, 7 Aug 2019 16:32:47 -0400 Received: from mail-pl1-f193.google.com ([209.85.214.193]:36798 "EHLO mail-pl1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389420AbfHGUcr (ORCPT ); Wed, 7 Aug 2019 16:32:47 -0400 Received: by mail-pl1-f193.google.com with SMTP id k8so42489906plt.3 for ; Wed, 07 Aug 2019 13:32:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=iNrWyfe14EceBCcyBHxBfD+ggPp/iRoNtelJDekGiAI=; b=WhUUpvBZt2uzgtZrwRpApkr3h2AQ8OSv5m4AP1aPd3RRubs5ynFGruDQi1el+rqdYh EPKR9HgmTHlo0wmUFAbix83zfvGpmAbURQda5r3qhIgG8FWGmXPzN0LOU9aGp6dnry/W MSO5tdbF3/fqI4jx7Syk6h9Nvi/l7f1X4Iurxf4LCGvCDokG/Ft2coCtAFxpKFBMIz2N iJHFfyINB99M3YpKn1JYNKol+u6QBz9bqVYqPoThPEIxBQbeQS1sERoX2vyld4TFIhl9 ZERm6mSr5g2s+7lFnAtLU93LIDk5JMKN4ujp3Ay9csyTRSVirzfgFMfjavnYTUcluBOw 3fxw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=iNrWyfe14EceBCcyBHxBfD+ggPp/iRoNtelJDekGiAI=; b=s3KCPeInl4+AW1pG0VQMxD4dqhUDK9FoZnkUrZr5UhZUOf3SI/nzcIAQFXFBl0w3CG pv7Zm7HFol0o/IlGQAObxH/uJkECzuv0aafaXfurnFUgvnBEn/VHWec8K8kIbhasO5Gr 3romuT8d5MnhE265ZO7L1LXP844JoBPOEIhxmucxMtyTcxp7d+nmxtp+ZMIVvUqMgO6a pXI5cAUd2iL138BrDZr+cLO2xmjXqIcE+4AbrCFvLp7DDWdSaDFd6zTR0jYkd+cpfFmT d4JBSHhCmyToz9xqYHBJGTFErWLMuTcfFS06swVwZ7InYHxIEW35azbjvKm4oJ+x9qZQ pamA== X-Gm-Message-State: APjAAAXzYNLzJbrybEs6ezgcW9O/QqmBrs0CynDx2l95LX0qmIAecKlq rUUVHVHSHZmabsvzqNLce1ACa32nnNti/L6K2uQ= X-Received: by 2002:a62:e716:: with SMTP id s22mr11253638pfh.250.1565209966420; Wed, 07 Aug 2019 13:32:46 -0700 (PDT) MIME-Version: 1.0 References: <1565074510-8480-1-git-send-email-pvanleeuwen@verimatrix.com> <5bf9d0be-3ba4-8903-f1b9-93aa32106274@gmail.com> <52a11506-0047-a7e7-4fa0-ba8d465b843c@gmail.com> <46f76b06-004e-c08a-3ef3-4ba9fdc61d91@gmail.com> In-Reply-To: <46f76b06-004e-c08a-3ef3-4ba9fdc61d91@gmail.com> From: =?UTF-8?B?T25kcmVqIE1vc27DocSNZWs=?= Date: Wed, 7 Aug 2019 22:32:35 +0200 Message-ID: Subject: Re: [PATCH] crypto: xts - Add support for Cipher Text Stealing To: Milan Broz Cc: Pascal Van Leeuwen , Pascal van Leeuwen , "linux-crypto@vger.kernel.org" , "rsnel@cube.dyndns.org" , "herbert@gondor.apana.org.au" , "davem@davemloft.net" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org st 7. 8. 2019 o 19:44 Milan Broz nap=C3=ADsal(a): > On 07/08/2019 17:13, Pascal Van Leeuwen wrote: > >>>> Seems there is no mistake in your code, it is some bug in aesni_inte= l implementation. > >>>> If I disable this module, it works as expected (with aes generic and= aes_i586). > >>>> > >>> That's odd though, considering there is a dedicated xts-aes-ni implem= entation, > >>> i.e. I would not expect that to end up at the generic xts wrapper at = all? > >> > >> Note it is 32bit system, AESNI XTS is under #ifdef CONFIG_X86_64 so it= is not used. > >> > > Ok, so I guess no one bothered to make an optimized XTS version for i38= 6. > > I quickly browsed through the code - took me a while to realise the ass= embly is > > "backwards" compared to the original Intel definition :-) - but I did n= ot spot > > anything obvious :-( > > > >> I guess it only ECB part ... > > Mystery solved, the skcipher subreq must be te last member in the struct. > (Some comments in Adiantum code mentions it too, so I do not think it > just hides the corruption after the struct. Seems like another magic requ= irement > in crypto API :-) Oh, yes, this makes sense! I would have noticed this immediately if I had looked carefully at the struct definition :) The reason is that the skcipher_request struct is followed by a variable-length request context. So when you want to nest requests, you need to make the subrequest the last member and declare your request context size as: size of your request context struct + size of the sub-algorithm's request context. It is a bit confusing, but it is the only reasonable way to support variably sized context and at the same time keep the whole request in a single allocation. > > This chunk is enough to fix it for me: > > --- a/crypto/xts.c > +++ b/crypto/xts.c > @@ -33,8 +33,8 @@ struct xts_instance_ctx { > > struct rctx { > le128 t, tcur; > - struct skcipher_request subreq; > int rem_bytes, is_encrypt; > + struct skcipher_request subreq; > }; > > While at it, shouldn't be is_encrypt bool? > > Thanks, > Milan