ipsec: Use IV generator to encrypt ESP messages
authorTobias Brunner <tobias@strongswan.org>
Mon, 5 Aug 2013 12:59:10 +0000 (14:59 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 11 Oct 2013 13:55:40 +0000 (15:55 +0200)
src/libipsec/esp_packet.c
src/libipsec/esp_packet.h

index 61389da..1b8625c 100644 (file)
@@ -283,7 +283,7 @@ METHOD(esp_packet_t, encrypt, status_t,
        u_int32_t next_seqno;
        size_t blocksize, plainlen;
        aead_t *aead;
-       rng_t *rng;
+       iv_gen_t *iv_gen;
 
        this->packet->set_data(this->packet, chunk_empty);
 
@@ -293,13 +293,13 @@ METHOD(esp_packet_t, encrypt, status_t,
                return FAILED;
        }
 
-       rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-       if (!rng)
+       aead = esp_context->get_aead(esp_context);
+       iv_gen = aead->get_iv_gen(aead);
+       if (!iv_gen)
        {
-               DBG1(DBG_ESP, "ESP encryption failed: could not find RNG");
+               DBG1(DBG_ESP, "ESP encryption failed: no IV generator");
                return NOT_FOUND;
        }
-       aead = esp_context->get_aead(esp_context);
 
        blocksize = aead->get_block_size(aead);
        iv.len = aead->get_iv_size(aead);
@@ -319,14 +319,12 @@ METHOD(esp_packet_t, encrypt, status_t,
        writer->write_uint32(writer, next_seqno);
 
        iv = writer->skip(writer, iv.len);
-       if (!rng->get_bytes(rng, iv.len, iv.ptr))
+       if (!iv_gen->get_iv(iv_gen, iv.len, iv.ptr))
        {
                DBG1(DBG_ESP, "ESP encryption failed: could not generate IV");
                writer->destroy(writer);
-               rng->destroy(rng);
                return FAILED;
        }
-       rng->destroy(rng);
 
        /* plain-/ciphertext will start here */
        ciphertext = writer->get_buf(writer);
index ce86458..f1941a3 100644 (file)
@@ -91,7 +91,7 @@ struct esp_packet_t {
         * @return                                      - SUCCESS if encrypted
         *                                                      - FAILED if sequence number cycled or any of the
         *                                                        cryptographic functions failed
-        *                                                      - NOT_FOUND if no suitable RNG could be found
+        *                                                      - NOT_FOUND if no suitable IV generator provided
         */
        status_t (*encrypt)(esp_packet_t *this, esp_context_t *esp_context,
                                                u_int32_t spi);