On Fri, Dec 04, 2020 at 02:59:35PM +0000, David Howells wrote:
> Hi Chuck, Bruce,
>
> Why is gss_krb5_crypto.c using an auxiliary cipher? For reference, the
> gss_krb5_aes_encrypt() code looks like the attached.
>
> >From what I can tell, in AES mode, the difference between the main cipher and
> the auxiliary cipher is that the latter is "cbc(aes)" whereas the former is
> "cts(cbc(aes))" - but they have the same key.
>
> Reading up on CTS, I'm guessing the reason it's like this is that CTS is the
> same as the non-CTS, except for the last two blocks, but the non-CTS one is
> more efficient.
CTS is cipher-text stealing, isn't it? I think it was Kevin Coffman
that did that, and I don't remember the history. I thought it was
required by some spec or peer implementation (maybe Windows?) but I
really don't remember. It may predate git. I'll dig around and see
what I can find.
--b.
>
> David
> ---
> nbytes = buf->len - offset - GSS_KRB5_TOK_HDR_LEN;
> nblocks = (nbytes + blocksize - 1) / blocksize;
> cbcbytes = 0;
> if (nblocks > 2)
> cbcbytes = (nblocks - 2) * blocksize;
>
> memset(desc.iv, 0, sizeof(desc.iv));
>
> if (cbcbytes) {
> SYNC_SKCIPHER_REQUEST_ON_STACK(req, aux_cipher);
>
> desc.pos = offset + GSS_KRB5_TOK_HDR_LEN;
> desc.fragno = 0;
> desc.fraglen = 0;
> desc.pages = pages;
> desc.outbuf = buf;
> desc.req = req;
>
> skcipher_request_set_sync_tfm(req, aux_cipher);
> skcipher_request_set_callback(req, 0, NULL, NULL);
>
> sg_init_table(desc.infrags, 4);
> sg_init_table(desc.outfrags, 4);
>
> err = xdr_process_buf(buf, offset + GSS_KRB5_TOK_HDR_LEN,
> cbcbytes, encryptor, &desc);
> skcipher_request_zero(req);
> if (err)
> goto out_err;
> }
>
> /* Make sure IV carries forward from any CBC results. */
> err = gss_krb5_cts_crypt(cipher, buf,
> offset + GSS_KRB5_TOK_HDR_LEN + cbcbytes,
> desc.iv, pages, 1);
> if (err) {
> err = GSS_S_FAILURE;
> goto out_err;
> }
