crypto-openssl: use no padding for encrypt/decrypt

 Internaly, vpp uses it's own padding, so all the data
is padded using blocksize in /src/vnet/ipsec/ipsec.c

 Openssl should add it's own padding, but the data
is already padded. So on decrypt stage when padding
should be removed, it can't be done. And it produces
error `bad decrypt`
 Previous versions of openSSL decrypted data almost
at the beginning of EVP_DecryptUpdate/EVP_DecryptFinal_ex
and produced the same error, but data was already decrypted.
Now it's not, so some algorithms could have some problems
 with it

PS. openSSL 3.x.x

Type: fix

Signed-off-by: Vladimir Ratnikov <[email protected]>
Change-Id: If715a80228548b4e588cee222968d9da9024c438

diff --git a/src/plugins/crypto_openssl/main.c b/src/plugins/crypto_openssl/main.c
index c0f7ee2..251e75d 100644 (file)
--- a/src/plugins/crypto_openssl/main.c
+++ b/src/plugins/crypto_openssl/main.c
@@ -109,9 +109,6 @@ openssl_ops_enc_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[],
 
       EVP_EncryptInit_ex (ctx, cipher, NULL, key->data, op->iv);
 
-      if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
-       EVP_CIPHER_CTX_set_padding (ctx, 0);
-
       if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
        {
          chp = chunks + op->chunk_index;
@@ -167,9 +164,6 @@ openssl_ops_dec_cbc (vlib_main_t *vm, vnet_crypto_op_t *ops[],
 
       EVP_DecryptInit_ex (ctx, cipher, NULL, key->data, op->iv);
 
-      if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
-       EVP_CIPHER_CTX_set_padding (ctx, 0);
-
       if (op->flags & VNET_CRYPTO_OP_FLAG_CHAINED_BUFFERS)
        {
          chp = chunks + op->chunk_index;
@@ -518,6 +512,7 @@ crypto_openssl_init (vlib_main_t * vm)
   vec_foreach (ptd, per_thread_data)
   {
     ptd->evp_cipher_ctx = EVP_CIPHER_CTX_new ();
+    EVP_CIPHER_CTX_set_padding (ptd->evp_cipher_ctx, 0);
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     ptd->hmac_ctx = HMAC_CTX_new ();
     ptd->hash_ctx = EVP_MD_CTX_create ();