diff options
author | Vladimir Ratnikov <vratnikov@netgate.com> | 2022-09-22 08:19:18 +0000 |
---|---|---|
committer | Damjan Marion <dmarion@0xa5.net> | 2022-09-27 15:11:07 +0000 |
commit | 05554c6e98f5bd088543f7b33aabc9b215d55cd0 (patch) | |
tree | f25b77c25e434f31a0fdd4f717eded48e87389ba /src/plugins | |
parent | 1834b04d20552e92da11719afddd5497f522273a (diff) |
crypto-openssl: use no padding for encrypt/decrypt
Internaly, vpp uses it's own padding, so all the data
is padded using blocksize in /src/vnet/ipsec/ipsec.c
Openssl should add it's own padding, but the data
is already padded. So on decrypt stage when padding
should be removed, it can't be done. And it produces
error `bad decrypt`
Previous versions of openSSL decrypted data almost
at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex
and produced the same error, but data was already decrypted.
Now it's not, so some algorithms could have some problems
with it
PS. openSSL 3.x.x
Type: fix
Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com>
Change-Id: If715a80228548b4e588cee222968d9da9024c438
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/crypto_openssl/main.c | 7 |
1 files changed, 1 insertions, 6 deletions
diff --git a/src/plugins/crypto_openssl/main.c b/src/plugins/crypto_openssl/main.c index c0f7ee206e1..251e75d6255 100644 --- a/src/plugins/crypto_openssl/main.c +++ b/src/plugins/crypto_openssl/main.c @@ -110,9 +110,6 @@ openssl_ops_enc_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[], EVP_EncryptInit_ex (ctx, cipher, NULL, key->data, op->iv); if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS) - EVP_CIPHER_CTX_set_padding (ctx, 0); - - if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS) { chp = chunks + op->chunk_index; u32 offset = 0; @@ -168,9 +165,6 @@ openssl_ops_dec_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[], EVP_DecryptInit_ex (ctx, cipher, NULL, key->data, op->iv); if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS) - EVP_CIPHER_CTX_set_padding (ctx, 0); - - if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS) { chp = chunks + op->chunk_index; u32 offset = 0; @@ -518,6 +512,7 @@ crypto_openssl_init (vlib_main_t * vm) vec_foreach (ptd, per_thread_data) { ptd->evp_cipher_ctx = EVP_CIPHER_CTX_new (); + EVP_CIPHER_CTX_set_padding (ptd->evp_cipher_ctx, 0); #if OPENSSL_VERSION_NUMBER >= 0x10100000L ptd->hmac_ctx = HMAC_CTX_new (); ptd->hash_ctx = EVP_MD_CTX_create (); |