• Eric Biggers's avatar
    crypto: cts - don't support empty messages · c31a8719
    Eric Biggers authored
    My patches to make testmgr fuzz algorithms against their generic
    implementation detected that the arm64 implementations of
    "cts(cbc(aes))" handle empty messages differently from the cts template.
    Namely, the arm64 implementations forbids (with -EINVAL) all messages
    shorter than the block size, including the empty message; but the cts
    template permits empty messages as a special case.
    
    No user should be CTS-encrypting/decrypting empty messages, but we need
    to keep the behavior consistent.  Unfortunately, as noted in the source
    of OpenSSL's CTS implementation [1], there's no common specification for
    CTS.  This makes it somewhat debatable what the behavior should be.
    
    However, all CTS specifications seem to agree that messages shorter than
    the block size are not allowed, and OpenSSL follows this in both CTS
    conventions it implements.  It would also simplify the user-visible
    semantics to have empty messages no longer be a special case.
    
    Therefore, make the cts template return -EINVAL on *all* messages
    shorter than the block size, including the empty message.
    
    [1] https://github.com/openssl/openssl/blob/master/crypto/modes/cts128.cSigned-off-by: default avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    c31a8719
cts.c 12 KB