On 2 February 2017 at 05:13, Herbert Xu <herb...@gondor.apana.org.au> wrote: > On Wed, Feb 01, 2017 at 08:08:09PM +0000, Ard Biesheuvel wrote: >> >> Could you please forward this patch to Linus as well? I noticed that the >> patch > > Sure, I will do that. > >> crypto: arm64/aes-blk - honour iv_out requirement in CBC and CTR modes >> >> is now in mainline, which means CCM is now broken on arm64, given that >> the iv_out requirement for CTR apparently isn't honored by *any* >> implementation, and CCM wrongly assumes that req->iv retains its value >> across the call into the CTR skcipher > > Hmm, I wonder why we don't see this breakage with the generic > CTR as it seems to do exactly the same thing. >
You are right: due to its construction, the CCM mode does not care about the incremented counter because it clears the counter part of the IV before encrypting the MAC. So this is caused by an optimization in my code rather than the CCM code being incorrect.