ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

crypto, ipsec: change GCM IV handling

Browse Source 
- nonce construction out of salt and iv is ipsec specific so it should be
handled in ipsec code

- fixes GCM unit tests

- GCM IV is constructed out of simple counter, per RFC4106 section 3.1

Change-Id: Ib7712cc9612830daa737f5171d8384f1d361bb61
Signed-off-by: Damjan Marion <damarion@cisco.com>
This commit is contained in:
Damjan Marion
2019-04-25 18:28:31 +02:00
committed by Florin Coras
parent aaed170828
commit d97918ec67
5 changed files with 39 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/plugins/crypto_openssl/main.c
View File

@@ -118,18 +118,14 @@ openssl_ops_enc_gcm (vlib_main_t * vm, vnet_crypto_op_t * ops[], u32 n_ops,
{
vnet_crypto_op_t *op = ops[i];
vnet_crypto_key_t *key = vnet_crypto_get_key (op->key_index);
u32 nonce[3];
int len;
if (op->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
RAND_bytes (op->iv, 8);
nonce[0] = op->salt;
clib_memcpy_fast (nonce + 1, op->iv, 8);
EVP_EncryptInit_ex (ctx, cipher, 0, 0, 0);
EVP_CIPHER_CTX_ctrl (ctx, EVP_CTRL_GCM_SET_IVLEN, 12, NULL);
EVP_EncryptInit_ex (ctx, 0, 0, key->data, (u8 *) nonce);
EVP_EncryptInit_ex (ctx, 0, 0, key->data, op->iv);
if (op->aad_len)
EVP_EncryptUpdate (ctx, NULL, &len, op->aad, op->aad_len);
EVP_EncryptUpdate (ctx, op->dst, &len, op->src, op->len);