fix -C stream -c rand regression.

Because "STREAM" mode has separate init function and separate encryption function,
I had a mistake to put it into a wrong place at the first time I'd ported code to
tfcipher codebase. If you did encryptions with -C stream -c rand options applied in
the past, then, to decrypt such streams you must use zero counter value together with
omitting first counter bytes from stream.

This is especially disasterous if multiple encryptions were performed with same key
since STREAM here is effectively an OFB mode of operation.
Given that this mode encourages such usage patterns, I feel sorry for such a mistake.

Still, CTR mode is better than STREAM mode because it is seekable.
From CTR, STREAM differs only in being a nonseekable mode of operation, nothing more.

diff --git a/VERSION b/VERSION
index 98d9bcb75a685dfbfd60f611c309410152935b3d..3c032078a4a21c5c51d3c93d91717c1dabbb8cd0 100644 (file)
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-17
+18

diff --git a/tfcrypt.c b/tfcrypt.c
index c8664cca99aad14cbc4cb9e84c4bb964483f5b4a..8d01618ce361abcbf6821ff77ea7bc106bc1538c 100644 (file)
--- a/tfcrypt.c
+++ b/tfcrypt.c
@@ -920,8 +920,6 @@ _xts2genkey:        if (xwrite(krfd, pblk, TF_FROM_BITS(TFC_KEY_BITS)) == NOSIZE) xerro
        tfc_data_to_words64(&iseek_blocks, sizeof(iseek_blocks));
        tf_ctr_set(ctr, &iseek_blocks, sizeof(iseek_blocks));
 
-       if (ctr_mode == TFC_MODE_STREAM) tfe_init_iv(&tfe, key, ctr);
-
        switch (counter_opt) {
                case TFC_CTR_SHOW:
                        switch (do_outfmt) {
@@ -1003,6 +1001,8 @@ _ctrwagain:       lio = xwrite(dfd, pblk, lrem);
                delta_processed += ldone;
        }
 
+       if (ctr_mode == TFC_MODE_STREAM) tfe_init_iv(&tfe, key, ctr);
+
        errno = 0;
        do_stop = NO;
        while (1) {