summaryrefslogtreecommitdiffstats
path: root/src/plugins/crypto_native/aes_cbc.c
diff options
context:
space:
mode:
authorBenoît Ganne <bganne@cisco.com>2022-01-19 10:09:42 +0100
committerDamjan Marion <dmarion@0xa5.net>2023-03-06 17:15:24 +0000
commit063549f9605c018618670ecb6c5bbbdbedd62c04 (patch)
tree278242f135d25eaabee714bcb919318cf0afc08f /src/plugins/crypto_native/aes_cbc.c
parentf471e3339f12049531d2ead015d82f117d8fd936 (diff)
crypto: remove VNET_CRYPTO_OP_FLAG_INIT_IV flag
IV requirements vary wildly with the selected mode of operation. For example, for AES-CBC the IV must be unpredictable whereas for AES counter mode (CTR or GCM), it can be predictable but reusing an IV with the same key material is catastrophic. Because of that, it is hard to generate IV in a generic way, and it is better left to the crypto user (eg. IPsec). Type: improvement Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec Signed-off-by: Benoît Ganne <bganne@cisco.com>
Diffstat (limited to 'src/plugins/crypto_native/aes_cbc.c')
-rw-r--r--src/plugins/crypto_native/aes_cbc.c37
1 files changed, 2 insertions, 35 deletions
diff --git a/src/plugins/crypto_native/aes_cbc.c b/src/plugins/crypto_native/aes_cbc.c
index 20b6fd61499..7896c8814b1 100644
--- a/src/plugins/crypto_native/aes_cbc.c
+++ b/src/plugins/crypto_native/aes_cbc.c
@@ -234,8 +234,6 @@ aes_ops_enc_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[],
u32 n_ops, aes_key_size_t ks)
{
crypto_native_main_t *cm = &crypto_native_main;
- crypto_native_per_thread_data_t *ptd =
- vec_elt_at_index (cm->per_thread_data, vm->thread_index);
int rounds = AES_KEY_ROUNDS (ks);
u8 placeholder[8192];
u32 i, j, count, n_left = n_ops;
@@ -269,15 +267,7 @@ more:
}
else
{
- u8x16 t;
- if (ops[0]->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
- {
- t = ptd->cbc_iv[i];
- *(u8x16u *) ops[0]->iv = t;
- ptd->cbc_iv[i] = aes_enc_round (t, t);
- }
- else
- t = aes_block_load (ops[0]->iv);
+ u8x16 t = aes_block_load (ops[0]->iv);
#if __VAES__
rq[i] = t;
#else
@@ -486,27 +476,6 @@ crypto_native_aes_cbc_init_slm (vlib_main_t * vm)
#endif
{
crypto_native_main_t *cm = &crypto_native_main;
- crypto_native_per_thread_data_t *ptd;
- clib_error_t *err = 0;
- int fd;
-
- if ((fd = open ("/dev/urandom", O_RDONLY)) < 0)
- return clib_error_return_unix (0, "failed to open '/dev/urandom'");
-
- /* *INDENT-OFF* */
- vec_foreach (ptd, cm->per_thread_data)
- {
- for (int i = 0; i < 4; i++)
- {
- if (read(fd, ptd->cbc_iv, sizeof (ptd->cbc_iv)) !=
- sizeof (ptd->cbc_iv))
- {
- err = clib_error_return_unix (0, "'/dev/urandom' read failure");
- goto error;
- }
- }
- }
- /* *INDENT-ON* */
#define _(x) \
vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
@@ -519,9 +488,7 @@ crypto_native_aes_cbc_init_slm (vlib_main_t * vm)
foreach_aes_cbc_handler_type;
#undef _
-error:
- close (fd);
- return err;
+ return 0;
}
/*