ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

crypto: remove VNET_CRYPTO_OP_FLAG_INIT_IV flag

Browse Source 
IV requirements vary wildly with the selected mode of operation. For
example, for AES-CBC the IV must be unpredictable whereas for AES
counter mode (CTR or GCM), it can be predictable but reusing an IV with
the same key material is catastrophic.
Because of that, it is hard to generate IV in a generic way, and it is
better left to the crypto user (eg. IPsec).

Type: improvement

Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec
Signed-off-by: Benoît Ganne <bganne@cisco.com>
This commit is contained in:
Benoît Ganne
2022-01-19 10:09:42 +01:00
committed by Damjan Marion
parent f471e3339f
commit 063549f960
8 changed files with 9 additions and 133 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/plugins/crypto_openssl/main.c
View File

@@ -104,9 +104,6 @@ openssl_ops_enc_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[],
vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index);
int out_len = 0;
if (op->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
RAND_bytes (op->iv, iv_len);
EVP_EncryptInit_ex (ctx, cipher, NULL, key->data, op->iv);
if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
@@ -215,9 +212,6 @@ openssl_ops_enc_aead (vlib_main_t *vm, vnet_crypto_op_t *ops[],
vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index);
int len = 0;
if (op->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
RAND_bytes (op->iv, 8);
EVP_EncryptInit_ex (ctx, cipher, 0, 0, 0);
if (is_gcm)
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL);