Agree that XTS specific deviation should have been documented similar to some of the AEAD ciphers with EVP interface.
Thanks, Thulasi. On Tue, 1 Oct 2019 at 08:46, Norm Green <norm.gr...@gemtalksystems.com> wrote: > Could be, but that's not how EVP_CipherUpdate is documented to work. If > this is an XTS mode limitation and not a bug, shouldn't the limitation be > documented on a man page somewhere? And shouldn't my second call to > EVP_CipherUpdate fail? > > Norm Green > > > On 9/30/2019 8:04 PM, Thulasi Goriparthi wrote: > > As 512 byte blocks are independently encrypted, they should be decrypted > similarly. This is how XTS mode is defined. > i.e Try to decrypt 512 byte blocks separately with two CipherUpdates. > > Thanks, > Thulasi. > > On Tue, 1 Oct 2019 at 06:43, Norm Green <norm.gr...@gemtalksystems.com> > wrote: > >> Hi all, >> >> I'm using OpenSSL 1.1.1d on Linux with the cipher EVP_aes_256_xts() in >> order to write database/disk encryption software. >> >> When encrypting, I have problems if I call EVP_CipherUpdate() and >> encrypt the data in chunks. Encrypting only works when I encrypt the >> entire payload with one and only one call to EVP_CipherUpdate. >> >> If I try to break the data into chunks (and make more than one call to >> EVP_CipherUpdate), then decrypting the data produces garbage after the >> first chunk that was encrypted >> When decrypting, I always decrypt all data in one call to >> EVP_CipherUpdate . >> >> For example, when encrypting 1024 bytes, this pseudo-code sequence works: >> >> char payload[1024]; >> char encrypted[1024]; >> int destSize = sizeof(encrypted); >> EVP_CipherInit_ex(); >> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, sizeof(payload)); >> EVP_CipherFinal(); (produces no additional data) >> >> However if I break the 1024 payload into 2 x 512 byte chunks, decrypting >> the entire 1024 bytes of cipher text produces garbage every time: >> >> char payload[1024]; >> char encrypted[1024]; >> int destSize = sizeof(encrypted); >> EVP_CipherInit_ex(); >> EVP_CipherUpdate(ctx, encrypted, &destSize, payload, 512); // first chunk >> destSize -= 512; >> EVP_CipherUpdate(ctx, &encrypted[512], &destSize, &payload[512], 512); >> // second chunk >> EVP_CipherFinal(); (produces no additional data) >> >> I have a short C program that demonstrates the problem that I can post >> if necessary. >> >> Can anyone explain what's going on? >> >> Norm Green >> CTO, GemTalk Systems Inc. >> > >
