[API-NEXT,v1,1/1] api: crypto: deprecate per-session IV

Message ID 1494990006-20867-2-git-send-email-odpbot@yandex.ru
State New
Headers show
Series
  • [API-NEXT,v1,1/1] api: crypto: deprecate per-session IV
Related show

Commit Message

Github ODP bot May 17, 2017, 3 a.m.
From: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>


Per-session IV (in it's current form) are static IVs used (possibly) for
several packets, and so they degradate security of genrated packets.
Instead of modifying semantics of IV wrt processed packets, etc. let's
deprecate (and in future remove) this IV altogether and enforce
applications to always specify correct IV in the per-packet operation
params.

Signed-off-by: Dmitry Eremin-Solenikov <dmitry.ereminsolenikov@linaro.org>

---
/** Email created from pull request 32 (lumag:crypto-no-iv)
 ** https://github.com/Linaro/odp/pull/32
 ** Patch: https://github.com/Linaro/odp/pull/32.patch
 ** Base sha: f4c213cccc49b4b28557506ad19fba49b872d24f
 ** Merge commit sha: 276cbed78b033c6adb79f5ca173e0731a4e97450
 **/
 example/ipsec/odp_ipsec.c                          |  13 +-
 example/ipsec/odp_ipsec_cache.c                    |  15 +-
 example/ipsec/odp_ipsec_cache.h                    |   1 -
 include/odp/api/spec/crypto.h                      |  18 +-
 .../linux-generic/include/odp_crypto_internal.h    |   4 +
 platform/linux-generic/odp_crypto.c                |  65 +++-
 test/common_plat/performance/odp_crypto.c          |  11 +-
 .../validation/api/crypto/odp_crypto_test_inp.c    | 340 +++------------------
 8 files changed, 122 insertions(+), 345 deletions(-)

Patch

diff --git a/example/ipsec/odp_ipsec.c b/example/ipsec/odp_ipsec.c
index 9ed3aa2..f211c9e 100644
--- a/example/ipsec/odp_ipsec.c
+++ b/example/ipsec/odp_ipsec.c
@@ -694,7 +694,7 @@  pkt_disposition_e do_ipsec_in_classify(odp_packet_t pkt,
 	if (esp) {
 		params.cipher_range.offset = ipv4_data_p(ip) + hdr_len - buf;
 		params.cipher_range.length = ipv4_data_len(ip) - hdr_len;
-		params.override_iv_ptr = esp->iv;
+		params.iv_ptr = esp->iv;
 	}
 
 	/* Issue crypto request */
@@ -884,7 +884,15 @@  pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
 		trl_len = encrypt_len - ip_data_len;
 
 		esp->spi = odp_cpu_to_be_32(entry->esp.spi);
-		memcpy(esp + 1, entry->state.iv, entry->esp.iv_len);
+
+		/* Generate an IV */
+		if (entry->esp.iv_len) {
+			int32_t size = entry->esp.iv_len;
+			int32_t ret = odp_random_data(esp->iv, size, 1);
+
+			if (ret != size)
+				abort();
+		}
 
 		esp_t = (odph_esptrl_t *)(ip_data + encrypt_len) - 1;
 		esp_t->pad_len     = trl_len - sizeof(*esp_t);
@@ -894,6 +902,7 @@  pkt_disposition_e do_ipsec_out_classify(odp_packet_t pkt,
 			esp_t->next_header = ip->proto;
 		ip->proto = ODPH_IPPROTO_ESP;
 
+		params.iv_ptr = esp->iv;
 		params.cipher_range.offset = ip_data - buf;
 		params.cipher_range.length = encrypt_len;
 	}
diff --git a/example/ipsec/odp_ipsec_cache.c b/example/ipsec/odp_ipsec_cache.c
index b2a91c2..b63791a 100644
--- a/example/ipsec/odp_ipsec_cache.c
+++ b/example/ipsec/odp_ipsec_cache.c
@@ -86,13 +86,11 @@  int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 		params.cipher_alg  = cipher_sa->alg.u.cipher;
 		params.cipher_key.data  = cipher_sa->key.data;
 		params.cipher_key.length  = cipher_sa->key.length;
-		params.iv.data = entry->state.iv;
-		params.iv.length = cipher_sa->iv_len;
+		params.iv_length = cipher_sa->iv_len;
 		mode = cipher_sa->mode;
 	} else {
 		params.cipher_alg = ODP_CIPHER_ALG_NULL;
-		params.iv.data = NULL;
-		params.iv.length = 0;
+		params.iv_length = 0;
 	}
 
 	/* Auth */
@@ -105,15 +103,6 @@  int create_ipsec_cache_entry(sa_db_entry_t *cipher_sa,
 		params.auth_alg = ODP_AUTH_ALG_NULL;
 	}
 
-	/* Generate an IV */
-	if (params.iv.length) {
-		int32_t size = params.iv.length;
-
-		int32_t ret = odp_random_data(params.iv.data, size, 1);
-		if (ret != size)
-			return -1;
-	}
-
 	/* Synchronous session create for now */
 	if (odp_crypto_session_create(&params, &session, &ses_create_rc))
 		return -1;
diff --git a/example/ipsec/odp_ipsec_cache.h b/example/ipsec/odp_ipsec_cache.h
index 7a4b95c..53c9538 100644
--- a/example/ipsec/odp_ipsec_cache.h
+++ b/example/ipsec/odp_ipsec_cache.h
@@ -56,7 +56,6 @@  typedef struct ipsec_cache_entry_s {
 		odp_crypto_session_t session;  /**< Crypto session handle */
 		uint32_t      esp_seq;         /**< ESP TX sequence number */
 		uint32_t      ah_seq;          /**< AH TX sequence number */
-		uint8_t       iv[MAX_IV_LEN];  /**< ESP IV storage */
 		odp_u16be_t    tun_hdr_id;     /**< Tunnel header IP ID */
 	} state;
 } ipsec_cache_entry_t;
diff --git a/include/odp/api/spec/crypto.h b/include/odp/api/spec/crypto.h
index c47d314..19dd8b0 100644
--- a/include/odp/api/spec/crypto.h
+++ b/include/odp/api/spec/crypto.h
@@ -234,14 +234,14 @@  typedef struct odp_crypto_key {
 /**
  * Crypto API IV structure
  */
-typedef struct odp_crypto_iv {
+typedef struct ODP_DEPRECATE(odp_crypto_iv) {
 	/** IV data */
 	uint8_t *data;
 
 	/** IV length in bytes */
 	uint32_t length;
 
-} odp_crypto_iv_t;
+} ODP_DEPRECATE(odp_crypto_iv_t);
 
 /**
  * Crypto API data range specifier
@@ -285,8 +285,11 @@  typedef struct odp_crypto_session_param_t {
 	 */
 	odp_crypto_key_t cipher_key;
 
-	/** Cipher Initialization Vector (IV) */
-	odp_crypto_iv_t iv;
+	/** @deprecated use iv_length and per-packet IV instead */
+	ODP_DEPRECATE(odp_crypto_iv_t) ODP_DEPRECATE(iv);
+
+	/** Cipher Initialization Vector (IV) length */
+	uint32_t iv_length;
 
 	/** Authentication algorithm
 	 *
@@ -359,8 +362,11 @@  typedef struct odp_crypto_op_param_t {
 	 */
 	odp_packet_t out_pkt;
 
-	/** Override session IV pointer */
-	uint8_t *override_iv_ptr;
+	/** @deprecated use iv_ptr instead */
+	uint8_t *ODP_DEPRECATE(override_iv_ptr);
+
+	/** IV pointer */
+	uint8_t *iv_ptr;
 
 	/** Offset from start of packet for hash result
 	 *
diff --git a/platform/linux-generic/include/odp_crypto_internal.h b/platform/linux-generic/include/odp_crypto_internal.h
index 515cefa..78f87e0 100644
--- a/platform/linux-generic/include/odp_crypto_internal.h
+++ b/platform/linux-generic/include/odp_crypto_internal.h
@@ -7,6 +7,8 @@ 
 #ifndef ODP_CRYPTO_INTERNAL_H_
 #define ODP_CRYPTO_INTERNAL_H_
 
+#include <odp/api/deprecated.h>
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -40,8 +42,10 @@  struct odp_crypto_generic_session {
 	odp_bool_t do_cipher_first;
 
 	struct {
+#if ODP_DEPRECATED_API
 		/* Copy of session IV data */
 		uint8_t iv_data[MAX_IV_LEN];
+#endif
 
 		union {
 			struct {
diff --git a/platform/linux-generic/odp_crypto.c b/platform/linux-generic/odp_crypto.c
index dfeb9f3..bfbef38 100644
--- a/platform/linux-generic/odp_crypto.c
+++ b/platform/linux-generic/odp_crypto.c
@@ -184,10 +184,14 @@  odp_crypto_alg_err_t aes_encrypt(odp_crypto_op_param_t *param,
 	unsigned char iv_enc[AES_BLOCK_SIZE];
 	void *iv_ptr;
 
-	if (param->override_iv_ptr)
+	if (param->iv_ptr)
+		iv_ptr = param->iv_ptr;
+#if ODP_DEPRECATED_API
+	else if (param->override_iv_ptr)
 		iv_ptr = param->override_iv_ptr;
 	else if (session->p.iv.data)
 		iv_ptr = session->cipher.iv_data;
+#endif
 	else
 		return ODP_CRYPTO_ALG_ERR_IV_INVALID;
 
@@ -216,10 +220,14 @@  odp_crypto_alg_err_t aes_decrypt(odp_crypto_op_param_t *param,
 	unsigned char iv_enc[AES_BLOCK_SIZE];
 	void *iv_ptr;
 
-	if (param->override_iv_ptr)
+	if (param->iv_ptr)
+		iv_ptr = param->iv_ptr;
+#if ODP_DEPRECATED_API
+	else if (param->override_iv_ptr)
 		iv_ptr = param->override_iv_ptr;
 	else if (session->p.iv.data)
 		iv_ptr = session->cipher.iv_data;
+#endif
 	else
 		return ODP_CRYPTO_ALG_ERR_IV_INVALID;
 
@@ -241,9 +249,14 @@  odp_crypto_alg_err_t aes_decrypt(odp_crypto_op_param_t *param,
 
 static int process_aes_param(odp_crypto_generic_session_t *session)
 {
-	/* Verify IV len is either 0 or 16 */
-	if (!((0 == session->p.iv.length) || (16 == session->p.iv.length)))
+	/* Verify IV len is 16 */
+#if ODP_DEPRECATED_API
+	if (!((16 == session->p.iv_length) || (16 == session->p.iv.length)))
+		return -1;
+#else
+	if (16 != session->p.iv_length)
 		return -1;
+#endif
 
 	/* Set function */
 	if (ODP_CRYPTO_OP_ENCODE == session->p.op) {
@@ -273,10 +286,14 @@  odp_crypto_alg_err_t aes_gcm_encrypt(odp_crypto_op_param_t *param,
 	void *iv_ptr;
 	uint8_t *tag = data + param->hash_result_offset;
 
-	if (param->override_iv_ptr)
+	if (param->iv_ptr)
+		iv_ptr = param->iv_ptr;
+#if ODP_DEPRECATED_API
+	else if (param->override_iv_ptr)
 		iv_ptr = param->override_iv_ptr;
 	else if (session->p.iv.data)
 		iv_ptr = session->cipher.iv_data;
+#endif
 	else
 		return ODP_CRYPTO_ALG_ERR_IV_INVALID;
 
@@ -338,10 +355,14 @@  odp_crypto_alg_err_t aes_gcm_decrypt(odp_crypto_op_param_t *param,
 	void *iv_ptr;
 	uint8_t *tag   = data + param->hash_result_offset;
 
-	if (param->override_iv_ptr)
+	if (param->iv_ptr)
+		iv_ptr = param->iv_ptr;
+#if ODP_DEPRECATED_API
+	else if (param->override_iv_ptr)
 		iv_ptr = param->override_iv_ptr;
 	else if (session->p.iv.data)
 		iv_ptr = session->cipher.iv_data;
+#endif
 	else
 		return ODP_CRYPTO_ALG_ERR_IV_INVALID;
 
@@ -392,6 +413,13 @@  odp_crypto_alg_err_t aes_gcm_decrypt(odp_crypto_op_param_t *param,
 
 static int process_aes_gcm_param(odp_crypto_generic_session_t *session)
 {
+	uint32_t iv_length = session->p.iv_length;
+
+#if ODP_DEPRECATED_API
+	if (0 != session->p.iv.length)
+		iv_length = session->p.iv.length;
+#endif
+
 	/* Verify Key len is 16 */
 	if (session->p.cipher_key.length != 16)
 		return -1;
@@ -409,7 +437,7 @@  static int process_aes_gcm_param(odp_crypto_generic_session_t *session)
 	}
 
 	EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN,
-			    session->p.iv.length, NULL);
+			    iv_length, NULL);
 	if (ODP_CRYPTO_OP_ENCODE == session->p.op) {
 		EVP_EncryptInit_ex(ctx, NULL, NULL,
 				   session->p.cipher_key.data, NULL);
@@ -430,10 +458,14 @@  odp_crypto_alg_err_t des_encrypt(odp_crypto_op_param_t *param,
 	DES_cblock iv;
 	void *iv_ptr;
 
-	if (param->override_iv_ptr)
+	if (param->iv_ptr)
+		iv_ptr = param->iv_ptr;
+#if ODP_DEPRECATED_API
+	else if (param->override_iv_ptr)
 		iv_ptr = param->override_iv_ptr;
 	else if (session->p.iv.data)
 		iv_ptr = session->cipher.iv_data;
+#endif
 	else
 		return ODP_CRYPTO_ALG_ERR_IV_INVALID;
 
@@ -468,10 +500,14 @@  odp_crypto_alg_err_t des_decrypt(odp_crypto_op_param_t *param,
 	DES_cblock iv;
 	void *iv_ptr;
 
-	if (param->override_iv_ptr)
+	if (param->iv_ptr)
+		iv_ptr = param->iv_ptr;
+#if ODP_DEPRECATED_API
+	else if (param->override_iv_ptr)
 		iv_ptr = param->override_iv_ptr;
 	else if (session->p.iv.data)
 		iv_ptr = session->cipher.iv_data;
+#endif
 	else
 		return ODP_CRYPTO_ALG_ERR_IV_INVALID;
 
@@ -500,9 +536,14 @@  odp_crypto_alg_err_t des_decrypt(odp_crypto_op_param_t *param,
 
 static int process_des_param(odp_crypto_generic_session_t *session)
 {
-	/* Verify IV len is either 0 or 8 */
-	if (!((0 == session->p.iv.length) || (8 == session->p.iv.length)))
+	/* Verify IV len is 8 */
+#if ODP_DEPRECATED_API
+	if (!((8 == session->p.iv_length) || (8 == session->p.iv.length)))
+		return -1;
+#else
+	if (8 != session->p.iv_length)
 		return -1;
+#endif
 
 	/* Set function */
 	if (ODP_CRYPTO_OP_ENCODE == session->p.op)
@@ -679,6 +720,7 @@  odp_crypto_session_create(odp_crypto_session_param_t *param,
 	session->p = *param;
 
 	/* Copy IV data */
+#if ODP_DEPRECATED_API
 	if (session->p.iv.data) {
 		if (session->p.iv.length > MAX_IV_LEN) {
 			ODP_DBG("Maximum IV length exceeded\n");
@@ -689,6 +731,7 @@  odp_crypto_session_create(odp_crypto_session_param_t *param,
 		memcpy(session->cipher.iv_data, session->p.iv.data,
 		       session->p.iv.length);
 	}
+#endif
 
 	/* Derive order */
 	if (ODP_CRYPTO_OP_ENCODE == param->op)
diff --git a/test/common_plat/performance/odp_crypto.c b/test/common_plat/performance/odp_crypto.c
index b385797..fa4b817 100644
--- a/test/common_plat/performance/odp_crypto.c
+++ b/test/common_plat/performance/odp_crypto.c
@@ -186,10 +186,7 @@  static crypto_alg_config_t algs_config[] = {
 				.data = test_key24,
 				.length = sizeof(test_key24)
 			},
-			.iv = {
-				.data = test_iv,
-				.length = 8,
-			},
+			.iv_length = 8,
 			.auth_alg = ODP_AUTH_ALG_NULL
 		},
 	},
@@ -201,10 +198,7 @@  static crypto_alg_config_t algs_config[] = {
 				.data = test_key24,
 				.length = sizeof(test_key24)
 			},
-			.iv = {
-				.data = test_iv,
-				.length = 8,
-			},
+			.iv_length = 8,
 			.auth_alg = ODP_AUTH_ALG_MD5_HMAC,
 			.auth_key = {
 				.data = test_key16,
@@ -552,6 +546,7 @@  run_measure_one(crypto_args_t *cargs,
 				}
 				mem = odp_packet_data(newpkt);
 				memset(mem, 1, payload_length);
+				params.iv_ptr = test_iv;
 				params.pkt = newpkt;
 				params.out_pkt = cargs->in_place ? newpkt :
 						 ODP_PACKET_INVALID;
diff --git a/test/common_plat/validation/api/crypto/odp_crypto_test_inp.c b/test/common_plat/validation/api/crypto/odp_crypto_test_inp.c
index 24ea493..6c7a91d 100644
--- a/test/common_plat/validation/api/crypto/odp_crypto_test_inp.c
+++ b/test/common_plat/validation/api/crypto/odp_crypto_test_inp.c
@@ -67,7 +67,7 @@  static const char *cipher_alg_name(odp_cipher_alg_t cipher)
 static void alg_test(odp_crypto_op_t op,
 		     odp_bool_t should_fail,
 		     odp_cipher_alg_t cipher_alg,
-		     odp_crypto_iv_t ses_iv,
+		     uint32_t iv_length,
 		     uint8_t *op_iv_ptr,
 		     odp_crypto_key_t cipher_key,
 		     odp_auth_alg_t auth_alg,
@@ -155,7 +155,7 @@  static void alg_test(odp_crypto_op_t op,
 	/* Search for the test case */
 	for (i = 0; i < num; i++) {
 		if (cipher_capa[i].key_len == cipher_key.length &&
-		    cipher_capa[i].iv_len  == ses_iv.length) {
+		    cipher_capa[i].iv_len  == iv_length) {
 			found = 1;
 			break;
 		}
@@ -199,7 +199,7 @@  static void alg_test(odp_crypto_op_t op,
 	ses_params.compl_queue = suite_context.queue;
 	ses_params.output_pool = suite_context.pool;
 	ses_params.cipher_key = cipher_key;
-	ses_params.iv = ses_iv;
+	ses_params.iv_length = iv_length;
 	ses_params.auth_key = auth_key;
 
 	rc = odp_crypto_session_create(&ses_params, &session, &status);
@@ -236,8 +236,7 @@  static void alg_test(odp_crypto_op_t op,
 		op_params.auth_range.offset = data_off;
 		op_params.auth_range.length = plaintext_len;
 	}
-	if (op_iv_ptr)
-		op_params.override_iv_ptr = op_iv_ptr;
+	op_params.iv_ptr = op_iv_ptr;
 
 	op_params.hash_result_offset = plaintext_len;
 	if (0 != digest_len) {
@@ -440,52 +439,13 @@  static int check_alg_3des_cbc(void)
 }
 
 /* This test verifies the correctness of encode (plaintext -> ciphertext)
- * operation for 3DES_CBC algorithm. IV for the operation is the session IV.
- * In addition the test verifies if the implementation can use the
- * packet buffer as completion event buffer.*/
-void crypto_test_enc_alg_3des_cbc(void)
-{
-	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
-			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv;
-	unsigned int test_vec_num = (sizeof(tdes_cbc_reference_length) /
-				     sizeof(tdes_cbc_reference_length[0]));
-	unsigned int i;
-
-	for (i = 0; i < test_vec_num; i++) {
-		cipher_key.data = tdes_cbc_reference_key[i];
-		cipher_key.length = sizeof(tdes_cbc_reference_key[i]);
-		iv.data = tdes_cbc_reference_iv[i];
-		iv.length = sizeof(tdes_cbc_reference_iv[i]);
-
-		if (!check_cipher_options(ODP_CIPHER_ALG_3DES_CBC,
-					  cipher_key.length, iv.length))
-			continue;
-
-		alg_test(ODP_CRYPTO_OP_ENCODE,
-			 0,
-			 ODP_CIPHER_ALG_3DES_CBC,
-			 iv,
-			 NULL,
-			 cipher_key,
-			 ODP_AUTH_ALG_NULL,
-			 auth_key,
-			 NULL, NULL,
-			 tdes_cbc_reference_plaintext[i],
-			 tdes_cbc_reference_length[i],
-			 tdes_cbc_reference_ciphertext[i],
-			 tdes_cbc_reference_length[i], NULL, 0);
-	}
-}
-
-/* This test verifies the correctness of encode (plaintext -> ciphertext)
  * operation for 3DES_CBC algorithm. IV for the operation is the operation IV.
  * */
-void crypto_test_enc_alg_3des_cbc_ovr_iv(void)
+void crypto_test_enc_alg_3des_cbc(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = TDES_CBC_IV_LEN };
+	uint32_t iv_length = TDES_CBC_IV_LEN;
 	unsigned int test_vec_num = (sizeof(tdes_cbc_reference_length) /
 				     sizeof(tdes_cbc_reference_length[0]));
 	unsigned int i;
@@ -495,13 +455,13 @@  void crypto_test_enc_alg_3des_cbc_ovr_iv(void)
 		cipher_key.length = sizeof(tdes_cbc_reference_key[i]);
 
 		if (!check_cipher_options(ODP_CIPHER_ALG_3DES_CBC,
-					  cipher_key.length, iv.length))
+					  cipher_key.length, iv_length))
 			continue;
 
 		alg_test(ODP_CRYPTO_OP_ENCODE,
 			 0,
 			 ODP_CIPHER_ALG_3DES_CBC,
-			 iv,
+			 iv_length,
 			 tdes_cbc_reference_iv[i],
 			 cipher_key,
 			 ODP_AUTH_ALG_NULL,
@@ -523,47 +483,7 @@  void crypto_test_dec_alg_3des_cbc(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = 0 };
-	unsigned int test_vec_num = (sizeof(tdes_cbc_reference_length) /
-				     sizeof(tdes_cbc_reference_length[0]));
-	unsigned int i;
-
-	for (i = 0; i < test_vec_num; i++) {
-		cipher_key.data = tdes_cbc_reference_key[i];
-		cipher_key.length = sizeof(tdes_cbc_reference_key[i]);
-		iv.data = tdes_cbc_reference_iv[i];
-		iv.length = sizeof(tdes_cbc_reference_iv[i]);
-
-		if (!check_cipher_options(ODP_CIPHER_ALG_3DES_CBC,
-					  cipher_key.length, iv.length))
-			continue;
-
-		alg_test(ODP_CRYPTO_OP_DECODE,
-			 0,
-			 ODP_CIPHER_ALG_3DES_CBC,
-			 iv,
-			 NULL,
-			 cipher_key,
-			 ODP_AUTH_ALG_NULL,
-			 auth_key,
-			 NULL, NULL,
-			 tdes_cbc_reference_ciphertext[i],
-			 tdes_cbc_reference_length[i],
-			 tdes_cbc_reference_plaintext[i],
-			 tdes_cbc_reference_length[i], NULL, 0);
-	}
-}
-
-/* This test verifies the correctness of decode (ciphertext -> plaintext)
- * operation for 3DES_CBC algorithm. IV for the operation is the session IV
- * In addition the test verifies if the implementation can use the
- * packet buffer as completion event buffer.
- * */
-void crypto_test_dec_alg_3des_cbc_ovr_iv(void)
-{
-	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
-			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = TDES_CBC_IV_LEN };
+	uint32_t iv_length = TDES_CBC_IV_LEN;
 	unsigned int test_vec_num = (sizeof(tdes_cbc_reference_length) /
 				     sizeof(tdes_cbc_reference_length[0]));
 	unsigned int i;
@@ -573,13 +493,13 @@  void crypto_test_dec_alg_3des_cbc_ovr_iv(void)
 		cipher_key.length = sizeof(tdes_cbc_reference_key[i]);
 
 		if (!check_cipher_options(ODP_CIPHER_ALG_3DES_CBC,
-					  cipher_key.length, iv.length))
+					  cipher_key.length, iv_length))
 			continue;
 
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 0,
 			 ODP_CIPHER_ALG_3DES_CBC,
-			 iv,
+			 iv_length,
 			 tdes_cbc_reference_iv[i],
 			 cipher_key,
 			 ODP_AUTH_ALG_NULL,
@@ -605,7 +525,7 @@  void crypto_test_enc_alg_aes128_gcm(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = AES128_GCM_IV_LEN };
+	uint32_t iv_length = AES128_GCM_IV_LEN;
 	unsigned int test_vec_num = (sizeof(aes128_gcm_reference_length) /
 				     sizeof(aes128_gcm_reference_length[0]));
 	unsigned int i;
@@ -613,11 +533,9 @@  void crypto_test_enc_alg_aes128_gcm(void)
 	for (i = 0; i < test_vec_num; i++) {
 		cipher_key.data = aes128_gcm_reference_key[i];
 		cipher_key.length = sizeof(aes128_gcm_reference_key[i]);
-		iv.data = aes128_gcm_reference_iv[i];
-		iv.length = sizeof(aes128_gcm_reference_iv[i]);
 
 		if (!check_cipher_options(ODP_CIPHER_ALG_AES_GCM,
-					  cipher_key.length, iv.length))
+					  cipher_key.length, iv_length))
 			continue;
 		if (!check_auth_options(ODP_AUTH_ALG_AES_GCM,
 					auth_key.length, AES128_GCM_CHECK_LEN))
@@ -626,51 +544,7 @@  void crypto_test_enc_alg_aes128_gcm(void)
 		alg_test(ODP_CRYPTO_OP_ENCODE,
 			 0,
 			 ODP_CIPHER_ALG_AES_GCM,
-			 iv,
-			 NULL,
-			 cipher_key,
-			 ODP_AUTH_ALG_AES_GCM,
-			 auth_key,
-			 &aes128_gcm_cipher_range[i],
-			 &aes128_gcm_auth_range[i],
-			 aes128_gcm_reference_plaintext[i],
-			 aes128_gcm_reference_length[i],
-			 aes128_gcm_reference_ciphertext[i],
-			 aes128_gcm_reference_length[i],
-			 aes128_gcm_reference_ciphertext[i] +
-			 aes128_gcm_reference_length[i],
-			 AES128_GCM_CHECK_LEN);
-	}
-}
-
-/* This test verifies the correctness of encode (plaintext -> ciphertext)
- * operation for AES128_GCM algorithm. IV for the operation is the session IV.
- * In addition the test verifies if the implementation can use the
- * packet buffer as completion event buffer.*/
-void crypto_test_enc_alg_aes128_gcm_ovr_iv(void)
-{
-	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
-			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = AES128_GCM_IV_LEN };
-	unsigned int test_vec_num = (sizeof(aes128_gcm_reference_length) /
-				     sizeof(aes128_gcm_reference_length[0]));
-	unsigned int i;
-
-	for (i = 0; i < test_vec_num; i++) {
-		cipher_key.data = aes128_gcm_reference_key[i];
-		cipher_key.length = sizeof(aes128_gcm_reference_key[i]);
-
-		if (!check_cipher_options(ODP_CIPHER_ALG_AES_GCM,
-					  cipher_key.length, iv.length))
-			continue;
-		if (!check_auth_options(ODP_AUTH_ALG_AES_GCM,
-					auth_key.length, AES128_GCM_CHECK_LEN))
-			continue;
-
-		alg_test(ODP_CRYPTO_OP_ENCODE,
-			 0,
-			 ODP_CIPHER_ALG_AES_GCM,
-			 iv,
+			 iv_length,
 			 aes128_gcm_reference_iv[i],
 			 cipher_key,
 			 ODP_AUTH_ALG_AES_GCM,
@@ -696,7 +570,7 @@  void crypto_test_dec_alg_aes128_gcm(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = AES128_GCM_IV_LEN };
+	uint32_t iv_length = AES128_GCM_IV_LEN;
 	unsigned int test_vec_num = (sizeof(aes128_gcm_reference_length) /
 				     sizeof(aes128_gcm_reference_length[0]));
 	unsigned int i;
@@ -704,11 +578,9 @@  void crypto_test_dec_alg_aes128_gcm(void)
 	for (i = 0; i < test_vec_num; i++) {
 		cipher_key.data = aes128_gcm_reference_key[i];
 		cipher_key.length = sizeof(aes128_gcm_reference_key[i]);
-		iv.data = aes128_gcm_reference_iv[i];
-		iv.length = sizeof(aes128_gcm_reference_iv[i]);
 
 		if (!check_cipher_options(ODP_CIPHER_ALG_AES_GCM,
-					  cipher_key.length, iv.length))
+					  cipher_key.length, iv_length))
 			continue;
 		if (!check_auth_options(ODP_AUTH_ALG_AES_GCM,
 					auth_key.length, AES128_GCM_CHECK_LEN))
@@ -717,52 +589,7 @@  void crypto_test_dec_alg_aes128_gcm(void)
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 0,
 			 ODP_CIPHER_ALG_AES_GCM,
-			 iv,
-			 NULL,
-			 cipher_key,
-			 ODP_AUTH_ALG_AES_GCM,
-			 auth_key,
-			 &aes128_gcm_cipher_range[i],
-			 &aes128_gcm_auth_range[i],
-			 aes128_gcm_reference_ciphertext[i],
-			 aes128_gcm_reference_length[i] + AES128_GCM_CHECK_LEN,
-			 aes128_gcm_reference_plaintext[i],
-			 aes128_gcm_reference_length[i],
-			 aes128_gcm_reference_ciphertext[i] +
-			 aes128_gcm_reference_length[i],
-			 AES128_GCM_CHECK_LEN);
-	}
-}
-
-/* This test verifies the correctness of decode (ciphertext -> plaintext)
- * operation for 3DES_CBC algorithm. IV for the operation is the session IV
- * In addition the test verifies if the implementation can use the
- * packet buffer as completion event buffer.
- * */
-void crypto_test_dec_alg_aes128_gcm_ovr_iv(void)
-{
-	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
-			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = AES128_GCM_IV_LEN };
-	unsigned int test_vec_num = (sizeof(aes128_gcm_reference_length) /
-				     sizeof(aes128_gcm_reference_length[0]));
-	unsigned int i;
-
-	for (i = 0; i < test_vec_num; i++) {
-		cipher_key.data = aes128_gcm_reference_key[i];
-		cipher_key.length = sizeof(aes128_gcm_reference_key[i]);
-
-		if (!check_cipher_options(ODP_CIPHER_ALG_AES_GCM,
-					  cipher_key.length, iv.length))
-			continue;
-		if (!check_auth_options(ODP_AUTH_ALG_AES_GCM,
-					auth_key.length, AES128_GCM_CHECK_LEN))
-			continue;
-
-		alg_test(ODP_CRYPTO_OP_DECODE,
-			 0,
-			 ODP_CIPHER_ALG_AES_GCM,
-			 iv,
+			 iv_length,
 			 aes128_gcm_reference_iv[i],
 			 cipher_key,
 			 ODP_AUTH_ALG_AES_GCM,
@@ -785,52 +612,13 @@  static int check_alg_aes_cbc(void)
 }
 
 /* This test verifies the correctness of encode (plaintext -> ciphertext)
- * operation for AES128_CBC algorithm. IV for the operation is the session IV.
- * In addition the test verifies if the implementation can use the
- * packet buffer as completion event buffer.*/
-void crypto_test_enc_alg_aes128_cbc(void)
-{
-	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
-			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv;
-	unsigned int test_vec_num = (sizeof(aes128_cbc_reference_length) /
-				     sizeof(aes128_cbc_reference_length[0]));
-	unsigned int i;
-
-	for (i = 0; i < test_vec_num; i++) {
-		cipher_key.data = aes128_cbc_reference_key[i];
-		cipher_key.length = sizeof(aes128_cbc_reference_key[i]);
-		iv.data = aes128_cbc_reference_iv[i];
-		iv.length = sizeof(aes128_cbc_reference_iv[i]);
-
-		if (!check_cipher_options(ODP_CIPHER_ALG_AES_CBC,
-					  cipher_key.length, iv.length))
-			continue;
-
-		alg_test(ODP_CRYPTO_OP_ENCODE,
-			 0,
-			 ODP_CIPHER_ALG_AES_CBC,
-			 iv,
-			 NULL,
-			 cipher_key,
-			 ODP_AUTH_ALG_NULL,
-			 auth_key,
-			 NULL, NULL,
-			 aes128_cbc_reference_plaintext[i],
-			 aes128_cbc_reference_length[i],
-			 aes128_cbc_reference_ciphertext[i],
-			 aes128_cbc_reference_length[i], NULL, 0);
-	}
-}
-
-/* This test verifies the correctness of encode (plaintext -> ciphertext)
  * operation for AES128_CBC algorithm. IV for the operation is the operation IV.
  * */
-void crypto_test_enc_alg_aes128_cbc_ovr_iv(void)
+void crypto_test_enc_alg_aes128_cbc(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = AES128_CBC_IV_LEN };
+	uint32_t iv_length = AES128_CBC_IV_LEN;
 	unsigned int test_vec_num = (sizeof(aes128_cbc_reference_length) /
 				     sizeof(aes128_cbc_reference_length[0]));
 	unsigned int i;
@@ -840,13 +628,13 @@  void crypto_test_enc_alg_aes128_cbc_ovr_iv(void)
 		cipher_key.length = sizeof(aes128_cbc_reference_key[i]);
 
 		if (!check_cipher_options(ODP_CIPHER_ALG_AES_CBC,
-					  cipher_key.length, iv.length))
+					  cipher_key.length, iv_length))
 			continue;
 
 		alg_test(ODP_CRYPTO_OP_ENCODE,
 			 0,
 			 ODP_CIPHER_ALG_AES_CBC,
-			 iv,
+			 iv_length,
 			 aes128_cbc_reference_iv[i],
 			 cipher_key,
 			 ODP_AUTH_ALG_NULL,
@@ -868,47 +656,7 @@  void crypto_test_dec_alg_aes128_cbc(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = 0 };
-	unsigned int test_vec_num = (sizeof(aes128_cbc_reference_length) /
-				     sizeof(aes128_cbc_reference_length[0]));
-	unsigned int i;
-
-	for (i = 0; i < test_vec_num; i++) {
-		cipher_key.data = aes128_cbc_reference_key[i];
-		cipher_key.length = sizeof(aes128_cbc_reference_key[i]);
-		iv.data = aes128_cbc_reference_iv[i];
-		iv.length = sizeof(aes128_cbc_reference_iv[i]);
-
-		if (!check_cipher_options(ODP_CIPHER_ALG_AES_CBC,
-					  cipher_key.length, iv.length))
-			continue;
-
-		alg_test(ODP_CRYPTO_OP_DECODE,
-			 0,
-			 ODP_CIPHER_ALG_AES_CBC,
-			 iv,
-			 NULL,
-			 cipher_key,
-			 ODP_AUTH_ALG_NULL,
-			 auth_key,
-			 NULL, NULL,
-			 aes128_cbc_reference_ciphertext[i],
-			 aes128_cbc_reference_length[i],
-			 aes128_cbc_reference_plaintext[i],
-			 aes128_cbc_reference_length[i], NULL, 0);
-	}
-}
-
-/* This test verifies the correctness of decode (ciphertext -> plaintext)
- * operation for AES128_CBC algorithm. IV for the operation is the session IV
- * In addition the test verifies if the implementation can use the
- * packet buffer as completion event buffer.
- * */
-void crypto_test_dec_alg_aes128_cbc_ovr_iv(void)
-{
-	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
-			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = AES128_CBC_IV_LEN };
+	uint32_t iv_length = AES128_CBC_IV_LEN;
 	unsigned int test_vec_num = (sizeof(aes128_cbc_reference_length) /
 				     sizeof(aes128_cbc_reference_length[0]));
 	unsigned int i;
@@ -918,13 +666,13 @@  void crypto_test_dec_alg_aes128_cbc_ovr_iv(void)
 		cipher_key.length = sizeof(aes128_cbc_reference_key[i]);
 
 		if (!check_cipher_options(ODP_CIPHER_ALG_AES_CBC,
-					  cipher_key.length, iv.length))
+					  cipher_key.length, iv_length))
 			continue;
 
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 0,
 			 ODP_CIPHER_ALG_AES_CBC,
-			 iv,
+			 iv_length,
 			 aes128_cbc_reference_iv[i],
 			 cipher_key,
 			 ODP_AUTH_ALG_NULL,
@@ -953,7 +701,6 @@  void crypto_test_gen_alg_hmac_md5(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = 0 };
 
 	unsigned int test_vec_num = (sizeof(hmac_md5_reference_length) /
 				     sizeof(hmac_md5_reference_length[0]));
@@ -970,8 +717,8 @@  void crypto_test_gen_alg_hmac_md5(void)
 		alg_test(ODP_CRYPTO_OP_ENCODE,
 			 0,
 			 ODP_CIPHER_ALG_NULL,
-			 iv,
-			 iv.data,
+			 0,
+			 NULL,
 			 cipher_key,
 			 ODP_AUTH_ALG_MD5_HMAC,
 			 auth_key,
@@ -988,7 +735,6 @@  void crypto_test_check_alg_hmac_md5(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = 0 };
 	uint8_t wrong_digest[HMAC_MD5_DIGEST_LEN];
 
 	unsigned int test_vec_num = (sizeof(hmac_md5_reference_length) /
@@ -1008,8 +754,8 @@  void crypto_test_check_alg_hmac_md5(void)
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 0,
 			 ODP_CIPHER_ALG_NULL,
-			 iv,
-			 iv.data,
+			 0,
+			 NULL,
 			 cipher_key,
 			 ODP_AUTH_ALG_MD5_HMAC,
 			 auth_key,
@@ -1023,8 +769,8 @@  void crypto_test_check_alg_hmac_md5(void)
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 1,
 			 ODP_CIPHER_ALG_NULL,
-			 iv,
-			 iv.data,
+			 0,
+			 NULL,
 			 cipher_key,
 			 ODP_AUTH_ALG_MD5_HMAC,
 			 auth_key,
@@ -1053,7 +799,6 @@  void crypto_test_gen_alg_hmac_sha256(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = 0 };
 
 	unsigned int test_vec_num = (sizeof(hmac_sha256_reference_length) /
 				     sizeof(hmac_sha256_reference_length[0]));
@@ -1072,8 +817,8 @@  void crypto_test_gen_alg_hmac_sha256(void)
 		alg_test(ODP_CRYPTO_OP_ENCODE,
 			 0,
 			 ODP_CIPHER_ALG_NULL,
-			 iv,
-			 iv.data,
+			 0,
+			 NULL,
 			 cipher_key,
 			 ODP_AUTH_ALG_SHA256_HMAC,
 			 auth_key,
@@ -1090,7 +835,6 @@  void crypto_test_check_alg_hmac_sha256(void)
 {
 	odp_crypto_key_t cipher_key = { .data = NULL, .length = 0 },
 			 auth_key   = { .data = NULL, .length = 0 };
-	odp_crypto_iv_t iv = { .data = NULL, .length = 0 };
 	uint8_t wrong_digest[HMAC_SHA256_DIGEST_LEN];
 
 	unsigned int test_vec_num = (sizeof(hmac_sha256_reference_length) /
@@ -1112,8 +856,8 @@  void crypto_test_check_alg_hmac_sha256(void)
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 0,
 			 ODP_CIPHER_ALG_NULL,
-			 iv,
-			 iv.data,
+			 0,
+			 NULL,
 			 cipher_key,
 			 ODP_AUTH_ALG_SHA256_HMAC,
 			 auth_key,
@@ -1127,8 +871,8 @@  void crypto_test_check_alg_hmac_sha256(void)
 		alg_test(ODP_CRYPTO_OP_DECODE,
 			 1,
 			 ODP_CIPHER_ALG_NULL,
-			 iv,
-			 iv.data,
+			 0,
+			 NULL,
 			 cipher_key,
 			 ODP_AUTH_ALG_SHA256_HMAC,
 			 auth_key,
@@ -1190,26 +934,14 @@  odp_testinfo_t crypto_suite[] = {
 				  check_alg_3des_cbc),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_dec_alg_3des_cbc,
 				  check_alg_3des_cbc),
-	ODP_TEST_INFO_CONDITIONAL(crypto_test_enc_alg_3des_cbc_ovr_iv,
-				  check_alg_3des_cbc),
-	ODP_TEST_INFO_CONDITIONAL(crypto_test_dec_alg_3des_cbc_ovr_iv,
-				  check_alg_3des_cbc),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_enc_alg_aes128_cbc,
 				  check_alg_aes_cbc),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_dec_alg_aes128_cbc,
 				  check_alg_aes_cbc),
-	ODP_TEST_INFO_CONDITIONAL(crypto_test_enc_alg_aes128_cbc_ovr_iv,
-				  check_alg_aes_cbc),
-	ODP_TEST_INFO_CONDITIONAL(crypto_test_dec_alg_aes128_cbc_ovr_iv,
-				  check_alg_aes_cbc),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_enc_alg_aes128_gcm,
 				  check_alg_aes_gcm),
-	ODP_TEST_INFO_CONDITIONAL(crypto_test_enc_alg_aes128_gcm_ovr_iv,
-				  check_alg_aes_gcm),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_dec_alg_aes128_gcm,
 				  check_alg_aes_gcm),
-	ODP_TEST_INFO_CONDITIONAL(crypto_test_dec_alg_aes128_gcm_ovr_iv,
-				  check_alg_aes_gcm),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_gen_alg_hmac_md5,
 				  check_alg_hmac_md5),
 	ODP_TEST_INFO_CONDITIONAL(crypto_test_check_alg_hmac_md5,