crypto: remove VNET_CRYPTO_OP_FLAG_INIT_IV flag

IV requirements vary wildly with the selected mode of operation. For example, for AES-CBC the IV must be unpredictable whereas for AES counter mode (CTR or GCM), it can be predictable but reusing an IV with the same key material is catastrophic. Because of that, it is hard to generate IV in a generic way, and it is better left to the crypto user (eg. IPsec). Type: improvement Change-Id: I32689c591d8c6572b8d37c4d24f175ea6132d3ec Signed-off-by: Benoît Ganne <bganne@cisco.com>
author: Benoît Ganne <bganne@cisco.com> 2022-01-19 10:09:42 +0100
committer: Damjan Marion <dmarion@0xa5.net> 2023-03-06 17:15:24 +0000
commit: 063549f9605c018618670ecb6c5bbbdbedd62c04 (patch)
tree: 278242f135d25eaabee714bcb919318cf0afc08f /src/plugins/crypto_native
parent: f471e3339f12049531d2ead015d82f117d8fd936 (diff)
3 files changed, 6 insertions, 56 deletions
diff --git a/src/plugins/crypto_native/aes_cbc.c b/src/plugins/crypto_native/aes_cbc.c
index 20b6fd61499..7896c8814b1 100644
--- a/src/plugins/crypto_native/aes_cbc.c
+++ b/src/plugins/crypto_native/aes_cbc.c
@@ -234,8 +234,6 @@ aes_ops_enc_aes_cbc (vlib_main_t * vm, vnet_crypto_op_t * ops[],
 		     u32 n_ops, aes_key_size_t ks)
 {
   crypto_native_main_t *cm = &crypto_native_main;
-  crypto_native_per_thread_data_t *ptd =
-    vec_elt_at_index (cm->per_thread_data, vm->thread_index);
   int rounds = AES_KEY_ROUNDS (ks);
   u8 placeholder[8192];
   u32 i, j, count, n_left = n_ops;
@@ -269,15 +267,7 @@ more:
 	  }
 	else
 	  {
-	    u8x16 t;
-	    if (ops[0]->flags & VNET_CRYPTO_OP_FLAG_INIT_IV)
-	      {
-		t = ptd->cbc_iv[i];
-		*(u8x16u *) ops[0]->iv = t;
-		ptd->cbc_iv[i] = aes_enc_round (t, t);
-	      }
-	    else
-	      t = aes_block_load (ops[0]->iv);
+	    u8x16 t = aes_block_load (ops[0]->iv);
 #if __VAES__
 	    rq[i] = t;
 #else
@@ -486,27 +476,6 @@ crypto_native_aes_cbc_init_slm (vlib_main_t * vm)
 #endif
 {
   crypto_native_main_t *cm = &crypto_native_main;
-  crypto_native_per_thread_data_t *ptd;
-  clib_error_t *err = 0;
-  int fd;
-
-  if ((fd = open ("/dev/urandom", O_RDONLY)) < 0)
-    return clib_error_return_unix (0, "failed to open '/dev/urandom'");
-
-  /* *INDENT-OFF* */
-  vec_foreach (ptd, cm->per_thread_data)
-    {
-      for (int i = 0; i < 4; i++)
-	{
-	  if (read(fd, ptd->cbc_iv, sizeof (ptd->cbc_iv)) !=
-	      sizeof (ptd->cbc_iv))
-	    {
-	      err = clib_error_return_unix (0, "'/dev/urandom' read failure");
-	      goto error;
-	    }
-	}
-    }
-  /* *INDENT-ON* */
 
 #define _(x) \
   vnet_crypto_register_ops_handler (vm, cm->crypto_engine_index, \
@@ -519,9 +488,7 @@ crypto_native_aes_cbc_init_slm (vlib_main_t * vm)
   foreach_aes_cbc_handler_type;
 #undef _
 
-error:
-  close (fd);
-  return err;
+  return 0;
 }
 
 /*
diff --git a/src/plugins/crypto_native/crypto_native.h b/src/plugins/crypto_native/crypto_native.h
index d5c33daa1a6..3bad14ea2df 100644
--- a/src/plugins/crypto_native/crypto_native.h
+++ b/src/plugins/crypto_native/crypto_native.h
@@ -22,14 +22,7 @@ typedef void *(crypto_native_key_fn_t) (vnet_crypto_key_t * key);
 
 typedef struct
 {
-  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
-  u8x16 cbc_iv[16];
-} crypto_native_per_thread_data_t;
-
-typedef struct
-{
   u32 crypto_engine_index;
-  crypto_native_per_thread_data_t *per_thread_data;
   crypto_native_key_fn_t *key_fn[VNET_CRYPTO_N_ALGS];
   void **key_data;
 } crypto_native_main_t;
diff --git a/src/plugins/crypto_native/main.c b/src/plugins/crypto_native/main.c
index 32bbbb13652..712c333bce9 100644
--- a/src/plugins/crypto_native/main.c
+++ b/src/plugins/crypto_native/main.c
@@ -63,16 +63,12 @@ clib_error_t *
 crypto_native_init (vlib_main_t * vm)
 {
   crypto_native_main_t *cm = &crypto_native_main;
-  vlib_thread_main_t *tm = vlib_get_thread_main ();
   clib_error_t *error = 0;
 
   if (clib_cpu_supports_x86_aes () == 0 &&
       clib_cpu_supports_aarch64_aes () == 0)
     return 0;
 
-  vec_validate_aligned (cm->per_thread_data, tm->n_vlib_mains - 1,
-			CLIB_CACHE_LINE_BYTES);
-
   cm->crypto_engine_index =
     vnet_crypto_register_engine (vm, "native", 100,
 				 "Native ISA Optimized Crypto");
@@ -96,7 +92,7 @@ crypto_native_init (vlib_main_t * vm)
     error = clib_error_return (0, "No AES CBC implemenation available");
 
   if (error)
-    goto error;
+    return error;
 
 #if __x86_64__
   if (clib_cpu_supports_pclmulqdq ())
@@ -113,7 +109,7 @@ crypto_native_init (vlib_main_t * vm)
 	error = clib_error_return (0, "No AES GCM implemenation available");
 
       if (error)
-	goto error;
+	return error;
     }
 #endif
 #if __aarch64__
@@ -123,18 +119,12 @@ crypto_native_init (vlib_main_t * vm)
     error = clib_error_return (0, "No AES GCM implemenation available");
 
   if (error)
-    goto error;
+    return error;
 #endif
 
   vnet_crypto_register_key_handler (vm, cm->crypto_engine_index,
 				    crypto_native_key_handler);
-
-
-error:
-  if (error)
-    vec_free (cm->per_thread_data);
-
-  return error;
+  return 0;
 }
 
 /* *INDENT-OFF* */
author	Benoît Ganne <bganne@cisco.com>	2022-01-19 10:09:42 +0100
committer	Damjan Marion <dmarion@0xa5.net>	2023-03-06 17:15:24 +0000
commit	063549f9605c018618670ecb6c5bbbdbedd62c04 (patch)
tree	278242f135d25eaabee714bcb919318cf0afc08f /src/plugins/crypto_native
parent	f471e3339f12049531d2ead015d82f117d8fd936 (diff)