Looking at the xts128.c code, it looks like the "tweak" is recalculated from 
scratch every time CRYPTO_xts128_encrypt() is called:

    memcpy(tweak.c, iv, 16);
    (*ctx->block2)(tweak.c, tweak.c, ctx->key2);

It seems like this would break the chaining between successive calls to 
EVP_CipherUpdate, requiring that the plaintext be encrypted in its entirety 
with one call to EVP_CipherUpdate. Other chaining modes preserve the chaining 
state in the context (CTR mode, for example, saves the "num"). There's nothing 
in the XTS context structure that would preserve the "tweak", though.

Am I missing where this chaining occurs? Or is this a bug? Or is it a 
requirement that XTS mode only use a single call to EVP_CipherUpdate per data 
stream (which seems to violate the definition of EVP_CipherUpdate)?

I saw this in openssl-1.0.1, but I've checked that the relevant code in 
openssl-1.0.1e is no different.

Thanks,

Greg Bryant
Technical Leader
Cisco Systems, Inc.
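To make concrete what is at stake in the question above, here is a small model of XTS encryption written for this page (it is not code from the post, nor OpenSSL's xts128.c). It keeps the running tweak inside a context object so that successive update() calls continue the block sequence, and compares that against a variant that rebuilds the tweak from the IV on every call, which is the behaviour the post describes. The block cipher is an assumed stand-in (a SHA-256 based Feistel network, not AES) so the example runs with the standard library alone; the XTS layer treats it as an opaque 128-bit permutation exactly as CRYPTO_xts128_encrypt() treats ctx->block1 and ctx->block2. Names such as XtsContext, mul_alpha and compare are this example's own; the keys, IV and plaintext are constructed values, and ciphertext stealing for a partial final block is omitted.

```python
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (assumption: this is NOT AES).

    A 4-round Feistel network with a SHA-256 round function, chosen so the
    example runs with the standard library only.  The XTS logic below treats
    it as an opaque permutation; swap in AES-ECB for anything real.
    """
    l, r = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + r).digest()[:8]
        l, r = r, _xor(l, f)
    return l + r


def mul_alpha(t: bytes) -> bytes:
    """Multiply a 128-bit tweak by alpha (= x) in GF(2^128).

    Little-endian bit order with reduction polynomial x^128 + x^7 + x^2 + x + 1,
    the convention used by IEEE 1619 and by xts128.c.
    """
    out = bytearray(BLOCK)
    carry = 0
    for i in range(BLOCK):
        out[i] = ((t[i] << 1) & 0xFF) | carry
        carry = t[i] >> 7
    if carry:
        out[0] ^= 0x87
    return bytes(out)


class XtsContext:
    """XTS encryptor whose running tweak lives in the context, so successive
    update() calls continue the block sequence instead of restarting it."""

    def __init__(self, key1: bytes, key2: bytes, iv: bytes) -> None:
        self.key1 = key1
        # T = E_K2(iv): the IV is consumed once, here, and never again.
        self.tweak = block_encrypt(key2, iv)

    def update(self, data: bytes) -> bytes:
        # Whole blocks only; ciphertext stealing is out of scope for this model.
        if len(data) % BLOCK:
            raise ValueError("partial blocks not handled in this example")
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            pp = _xor(data[i:i + BLOCK], self.tweak)
            out += _xor(block_encrypt(self.key1, pp), self.tweak)
            # T_{j+1} = T_j * alpha, retained in the context for the next call.
            self.tweak = mul_alpha(self.tweak)
        return bytes(out)


def xts_oneshot(key1: bytes, key2: bytes, iv: bytes, data: bytes) -> bytes:
    return XtsContext(key1, key2, iv).update(data)


def xts_streaming(key1: bytes, key2: bytes, iv: bytes, chunks) -> bytes:
    """Chained: one context, tweak carried across calls."""
    ctx = XtsContext(key1, key2, iv)
    return b"".join(ctx.update(c) for c in chunks)


def xts_restarting(key1: bytes, key2: bytes, iv: bytes, chunks) -> bytes:
    """Models the behaviour the post describes: the tweak is rebuilt from the
    IV on every call, so each chunk is encrypted as if it began the data unit."""
    return b"".join(XtsContext(key1, key2, iv).update(c) for c in chunks)


def compare(chunk_size: int = 32):
    """Return (streaming == one-shot, restarting == one-shot) for the sample."""
    # Constructed sample inputs: two keys, a sector-number IV, 64 bytes of plaintext.
    key1 = bytes(range(16))
    key2 = bytes(range(16, 32))
    iv = (1).to_bytes(16, "little")       # data unit (sector) number 1
    pt = bytes(range(64))
    chunks = [pt[i:i + chunk_size] for i in range(0, len(pt), chunk_size)]
    ref = xts_oneshot(key1, key2, iv, pt)
    return (ref == xts_streaming(key1, key2, iv, chunks),
            ref == xts_restarting(key1, key2, iv, chunks))


if __name__ == "__main__":
    chained_ok, restart_ok = compare()
    print("tweak carried across calls matches one-shot:", chained_ok)
    print("tweak rebuilt from IV each call matches one-shot:", restart_ok)
```

With the tweak carried in the context, splitting the 64-byte data unit into two 32-byte update() calls yields exactly the one-shot ciphertext; rebuilding the tweak from the IV on each call does not, because the second chunk is encrypted under T and T*alpha instead of T*alpha^2 and T*alpha^3. The two results only coincide when the whole data unit is passed in a single call, which is precisely the restriction the post is asking about.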
