summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorVladimir Ratnikov <vratnikov@netgate.com>2022-09-22 08:19:18 +0000
committerDamjan Marion <dmarion@0xa5.net>2022-09-27 15:11:07 +0000
commit05554c6e98f5bd088543f7b33aabc9b215d55cd0 (patch)
treef25b77c25e434f31a0fdd4f717eded48e87389ba /src
parent1834b04d20552e92da11719afddd5497f522273a (diff)
crypto-openssl: use no padding for encrypt/decrypt
Internaly, vpp uses it's own padding, so all the data is padded using blocksize in /src/vnet/ipsec/ipsec.c Openssl should add it's own padding, but the data is already padded. So on decrypt stage when padding should be removed, it can't be done. And it produces error `bad decrypt` Previous versions of openSSL decrypted data almost at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex and produced the same error, but data was already decrypted. Now it's not, so some algorithms could have some problems with it PS. openSSL 3.x.x Type: fix Signed-off-by: Vladimir Ratnikov <vratnikov@netgate.com> Change-Id: If715a80228548b4e588cee222968d9da9024c438
Diffstat (limited to 'src')
-rw-r--r--src/plugins/crypto_openssl/main.c7
1 files changed, 1 insertions, 6 deletions
diff --git a/src/plugins/crypto_openssl/main.c b/src/plugins/crypto_openssl/main.c
index c0f7ee206e1..251e75d6255 100644
--- a/src/plugins/crypto_openssl/main.c
+++ b/src/plugins/crypto_openssl/main.c
@@ -110,9 +110,6 @@ openssl_ops_enc_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[],
EVP_EncryptInit_ex (ctx, cipher, NULL, key->data, op->iv);
if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
- EVP_CIPHER_CTX_set_padding (ctx, 0);
-
- if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
{
chp = chunks + op->chunk_index;
u32 offset = 0;
@@ -168,9 +165,6 @@ openssl_ops_dec_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[],
EVP_DecryptInit_ex (ctx, cipher, NULL, key->data, op->iv);
if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
- EVP_CIPHER_CTX_set_padding (ctx, 0);
-
- if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
{
chp = chunks + op->chunk_index;
u32 offset = 0;
@@ -518,6 +512,7 @@ crypto_openssl_init (vlib_main_t * vm)
vec_foreach (ptd, per_thread_data)
{
ptd->evp_cipher_ctx = EVP_CIPHER_CTX_new ();
+ EVP_CIPHER_CTX_set_padding (ptd->evp_cipher_ctx, 0);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
ptd->hmac_ctx = HMAC_CTX_new ();
ptd->hash_ctx = EVP_MD_CTX_create ();