On 25/01/2019 20:16, Andrew Tucker wrote:
> I was doing some comparisons of XTS and GCM mode using the EVP APIs and found a
> discrepancy that seems to be an issue with XTS.
> 
> In GCM mode if the buffer is encrypted in one call to EVP_EncryptUpdate or with
> several calls with smaller buffers the resulting ciphertext is the same, as I
> would expect. With XTS mode, calling EVP_EncryptUpdate results in the same
> ciphertext for the same plaintext and does not match the results when the buffer
> is encrypted with one call to EVP_EncryptUpdate.
> 
> I would expect that the counter is incremented in both XTS and GCM mode in the
> same way and that in both cases the output would match regardless of the
> encryption block size.
> 
> A simple repro test is attached. If you run it you can see that the output
> "GCM in one block" matches the output for "GCM in 16 byte blocks" and the
> outputs do not match for XTS.
> 
> I am using OpenSSL v1.02p but I have tried with other versions and got the same
> results.
> 
> Am I misunderstanding the use of XTS mode or is this an issue with OpenSSL?

Please see my previous post on this topic here:

https://mta.openssl.org/pipermail/openssl-users/2019-January/009781.html

PRs welcome to improve the documentation in this area.

Matt
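
Added example, not part of the thread and not OpenSSL code: a self-contained C model of the XTS tweak chain. It shows the effect described in the question when every update call is treated as a new data unit starting from the same IV, which is why OpenSSL's documentation requires a single EVP_EncryptUpdate call per EVP_EncryptInit_ex call in XTS mode. The names `toy_encrypt`, `xts_update` and `xts_split_demo`, the keys, the IV and the plaintext are constructed for illustration, and the block cipher is a stand-in permutation, not AES.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in 128-bit keyed permutation (4-round Feistel), NOT AES. Assumption:
   the effect comes from the tweak handling, so any block cipher shows it. */
static uint64_t mix(uint64_t x, uint64_t k) {
    x = (x + k) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}
static void toy_encrypt(uint64_t key, uint8_t b[16]) {
    uint64_t l, r, t;
    memcpy(&l, b, 8); memcpy(&r, b + 8, 8);
    for (int i = 0; i < 4; i++) { t = l ^ mix(r, key + i); l = r; r = t; }
    memcpy(b, &l, 8); memcpy(b + 8, &r, 8);
}
/* XTS tweak step: multiply by alpha in GF(2^128), little-endian bytes. */
static void mul_alpha(uint8_t t[16]) {
    uint8_t carry = 0, next;
    for (int i = 0; i < 16; i++, carry = next) {
        next = t[i] >> 7;
        t[i] = (uint8_t)((t[i] << 1) | carry);
    }
    if (carry) t[0] ^= 0x87;
}
/* Models ONE update call: the tweak chain restarts from the IV every time.
   len must be a multiple of 16 (ciphertext stealing is left out). */
static void xts_update(uint64_t k1, uint64_t k2, const uint8_t iv[16],
                       const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t t[16];
    memcpy(t, iv, 16); toy_encrypt(k2, t);      /* T0 = E_k2(iv) */
    for (size_t off = 0; off + 16 <= len; off += 16, mul_alpha(t)) {
        for (int i = 0; i < 16; i++) out[off + i] = in[off + i] ^ t[i];
        toy_encrypt(k1, out + off);             /* C = E_k1(P ^ T) ^ T */
        for (int i = 0; i < 16; i++) out[off + i] ^= t[i];
    }
}
/* Flags: 1 = first block equal, 2 = all 64 bytes equal, 4 = per-call blocks
   all identical. Keys, IV and the 64-byte 'A' plaintext are constructed. */
int xts_split_demo(void) {
    uint8_t pt[64], one[64], split[64], iv[16] = {1};
    memset(pt, 'A', sizeof pt);
    xts_update(0x1111, 0x2222, iv, pt, one, 64);        /* one call */
    for (size_t off = 0; off < 64; off += 16)           /* four calls */
        xts_update(0x1111, 0x2222, iv, pt + off, split + off, 16);
    return (memcmp(one, split, 16) ? 0 : 1)
         | (memcmp(one, split, 64) ? 0 : 2)
         | (memcmp(split, split + 16, 48) ? 0 : 4);
}
int main(void) { printf("flags=%d\n", xts_split_demo()); return 0; }
```

Only the first 16-byte block agrees between the two runs, and the four per-call blocks are identical to each other because each one was encrypted with the tweak for block 0.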
