IPSEC-MB: Use random & non-repeating IV (VPP-1642)
hard code IV and key lengths based on cipher.
Init IV from random data, use AES instruction to rotate.
Change-Id: I13a6507d12267b823c528660a903787baeba47a0
Signed-off-by: Neale Ranns <nranns@cisco.com>
diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c
index de951d1..fc4a99a 100644
--- a/src/vnet/ipsec/esp_decrypt.c
+++ b/src/vnet/ipsec/esp_decrypt.c
@@ -232,9 +232,7 @@
vec_add2_aligned (ptd->crypto_ops, op, 1, CLIB_CACHE_LINE_BYTES);
vnet_crypto_op_init (op, sa0->crypto_dec_op_id);
op->key = sa0->crypto_key.data;
- op->key_len = sa0->crypto_key.len;
op->iv = payload;
- op->iv_len = cpd.iv_sz;
op->src = op->dst = payload += cpd.iv_sz;
op->len = len;
op->user_data = b - bufs;
@@ -287,7 +285,7 @@
bi = op->user_data;
if (op->status == VNET_CRYPTO_OP_STATUS_FAIL_BAD_HMAC)
- err = ESP_DECRYPT_ERROR_INTEG_ERROR;
+ err = ESP_DECRYPT_ERROR_DECRYPTION_FAILED;
else
err = ESP_DECRYPT_ERROR_CRYPTO_ENGINE_ERROR;