Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp3715229ybk;
        Tue, 19 May 2020 11:12:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz9M3ZpMzeo217d/v+CXOE7WvipBsbO5RRbomMV/MRAutn7eNGH1QauP7q4gMluWQi9Tr1l
X-Received: by 2002:a05:6402:1770:: with SMTP id da16mr191561edb.122.1589911965526;
        Tue, 19 May 2020 11:12:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1589911965; cv=none;
        d=google.com; s=arc-20160816;
        b=Cy4zaYVlQaSWyM/yt4yX9smu3gt6dlpLHVO3+36sugbvIFSY8sCDaBX6AbF4AVhn64
         6kcLeL1Jhj+6OxJlKu+4m+IRQ2juvxsjGaxGEsd05WKLXd6eYUVTQhFE9L0Zt4po0ril
         rMW/kV3xvsUf1Q1/z3PJHWcx4u71XBf5ZeqNj1ZJFCZ1RUPSPqIzdcxjg8uqMEgvvzRo
         ymQLpzyUEwHU633IZ1w45Yo8MoOTFbKxHD0HgRhI0+mvAqarRkvp+Vl8Sydkc4oVW2q/
         rc8/8ynBku9PteUTFvEN9suJeLb+prOQCr8FwOejrVMlWM8r7E2pTK05ESsotO4Utfgp
         dq9g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=BVJ986S46z5eMMgU9ShpvE8/hjf/iG5QeOVuCq4HVNM=;
        b=ydKlMDEX9xdsOqQnmKsNiPgd+Zn5mnEm81Pn8NFmvLw6MoTNRxvu6sxVOIonX/ytaP
         6jZAcf0th1y9u1DB5hf8lyxsqq3ZIzR2xGBCsiJPqJ3SF8LTBUQD9JLgRvxaRadmhatg
         z5t2kJbOoIdz/enDAavX9XZwHO/08Ih079cTr5moo/2eT7iKlNzbWQgAe1wwUi6hlAHg
         OsXZKY5MZW7Reze6ZTkt/fgoZEFYSb6JRYTWgq6IvWbQYzJILSsFHxM+IxsR46sneRpx
         YSczoQCA922jN6MVJ44g9Okjg2xiyD4LikLnkrPuZOeFh0nEnhlZ3bqQoQdmB8QKnu/i
         16SQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=fail header.i=@chronox.de header.s=strato-dkim-0002 header.b=jpBMnXcI;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id p12si344984ejd.130.2020.05.19.11.12.15;
        Tue, 19 May 2020 11:12:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=fail header.i=@chronox.de header.s=strato-dkim-0002 header.b=jpBMnXcI;
       spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727911AbgESSLg (ORCPT <rfc822;zhijun.chen.lk@gmail.com>
        + 99 others); Tue, 19 May 2020 14:11:36 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35014 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726510AbgESSLf (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Tue, 19 May 2020 14:11:35 -0400
Received: from mo6-p01-ob.smtp.rzone.de (mo6-p01-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5301::10])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 772AAC08C5C0
        for <linux-crypto@vger.kernel.org>; Tue, 19 May 2020 11:11:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1589911893;
        s=strato-dkim-0002; d=chronox.de;
        h=References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From:
        X-RZG-CLASS-ID:X-RZG-AUTH:From:Subject:Sender;
        bh=BVJ986S46z5eMMgU9ShpvE8/hjf/iG5QeOVuCq4HVNM=;
        b=jpBMnXcIVdTzZg7oSXTuoS+rMVfcmU5JvaG/MxSq+q7aiCOhOn/3gJM1SMQ5uG3mQ/
        7lbVc96ZA7n+jdo3RFWEE8v7erJrmMkUkwPzxBvsw0HknqYMARWQdezl5BOZjmkPQBOq
        hzUMkdNRlCvB1TVAs4iQFLpc42xC2iAA7B1KmyOS2mb0IsDF3+x7HIuGDsAeZtUXtZSR
        mFdfqE/P8hUWX/9ELClQsLAzTSVxj6QBN/9DjrWuSE36CESCWOc0aKiGd7/GAJGtF0Ha
        ASfcNFo3/Npm4P6brkpNdhTIQb5fO/Ocd2NKuwG8tfOiadaHNbbfVd8CaqYBGji8QsYl
        2ZnA==
X-RZG-AUTH: ":P2ERcEykfu11Y98lp/T7+hdri+uKZK8TKWEqNyiHySGSa9k9xmwdNnzGHXPbI/Sc5g=="
X-RZG-CLASS-ID: mo00
Received: from tauon.chronox.de
        by smtp.strato.de (RZmta 46.7.0 DYNA|AUTH)
        with ESMTPSA id k09005w4JIBX127
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256 bits))
        (Client did not present a certificate);
        Tue, 19 May 2020 20:11:33 +0200 (CEST)
From:   Stephan Mueller <smueller@chronox.de>
To:     Ard Biesheuvel <ardb@kernel.org>
Cc:     Eric Biggers <ebiggers@kernel.org>,
        Ard Biesheuvel <ard.biesheuvel@linaro.org>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>
Subject: Re: ARM CE: CTS IV handling
Date:   Tue, 19 May 2020 20:11:33 +0200
Message-ID: <1997915.ptA6GT1cFu@tauon.chronox.de>
In-Reply-To: <CAMj1kXEiijbgq=P53+qKjEzuneiinDbwyBacpMWtcN2YwEKWKA@mail.gmail.com>
References: <4311723.JCXmkh6OgN@tauon.chronox.de> <CAMj1kXFfY+1LcJPGw7P8RPAN+Rts2ZJQwO6++WZSTFm3qbwaww@mail.gmail.com> <CAMj1kXEiijbgq=P53+qKjEzuneiinDbwyBacpMWtcN2YwEKWKA@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Am Dienstag, 19. Mai 2020, 19:53:57 CEST schrieb Ard Biesheuvel:

Hi Ard,

> On Tue, 19 May 2020 at 19:50, Ard Biesheuvel <ardb@kernel.org> wrote:
> > On Tue, 19 May 2020 at 19:35, Stephan Mueller <smueller@chronox.de> wrote:
> > > Am Dienstag, 19. Mai 2020, 18:21:01 CEST schrieb Ard Biesheuvel:
> > > 
> > > Hi Ard,
> > > 
> > > > To be honest, this looks like the API is being used incorrectly. Is
> > > > this a similar issue to the one Herbert spotted recently with the CTR
> > > > code?
> > > > 
> > > > When you say 'leaving the TFM untouched' do you mean the skcipher
> > > > request? The TFM should not retain any per-request state in the first
> > > > place.
> > > > 
> > > > The skcipher request struct is not meant to retain any state either -
> > > > the API simply does not support incremental encryption if the input is
> > > > not a multiple of the chunksize.
> > > > 
> > > > Could you give some sample code on how you are using the API in this
> > > > case?
> > > 
> > > What I am doing technically is to allocate a new tfm and request at the
> > > beginning and then reuse the TFM and request. In that sense, I think I
> > > violate that constraint.
> > > 
> > > But in order to implement such repetition, I can surely clear / allocate
> > > a new TFM. But in order to get that right, I need the resulting IV
> > > after the cipher operation.
> > > 
> > > This IV that I get after the cipher operation completes is different
> > > between C and CE.
> > 
> > So is the expected output IV simply the last block of ciphertext that
> > was generated (as usual), but located before the truncated block in
> > the output?
> 
> If so, does the below fix the encrypt case?

I think it is.

But, allow me to take that patch to my test system for verification.
> 
> index cf618d8f6cec..22f190a44689 100644
> --- a/arch/arm64/crypto/aes-modes.S
> +++ b/arch/arm64/crypto/aes-modes.S
> @@ -275,6 +275,7 @@ AES_FUNC_START(aes_cbc_cts_encrypt)
>         add             x4, x0, x4
>         st1             {v0.16b}, [x4]                  /* overlapping
> stores */ st1             {v1.16b}, [x0]
> +       st1             {v1.16b}, [x5]
>         ret
>  AES_FUNC_END(aes_cbc_cts_encrypt)


Ciao
Stephan