Looking at the xts128.c code, it looks like the "tweak" is recalculated from scratch every time CRYPTO_xts128_encrypt() is called:
memcpy(tweak.c, iv, 16); (*ctx->block2)(tweak.c,tweak.c,ctx->key2); It seems like this would break the chaining between successive calls to EVP_CipherUpdate, requiring that the plaintext be encrypted in its entirety with one call to EVP_CipherUpdate. Other chaining modes preserve the chaining state in the context (CTR mode, for example, saves the "num"). There's nothing in the XTS context structure that would preserve the "tweak", though. Am I missing where this chaining occurs? Or is this a bug? Or is it a requirement that XTS mode only use a single call to EVP_CipherUpdate per data stream? (which seems to violate the definition of EVP_CipherUpdate.) I saw this in openssl-1.0.1, but I've checked that the relevant code in openssl-1.0.1e is no different. Thanks, Greg Bryant Technical Leader Cisco Systems, Inc.