diff --git a/include/aes.h b/include/aes.h
index 9725841..6dbc303 100644
--- a/include/aes.h
+++ b/include/aes.h
@@ -28,6 +28,10 @@
 #include
 #include
+
+#define AES_BLOCK_SIZE 16
+#define AES_IV_SIZE (AES_BLOCK_SIZE)
+
 #define AES256_KEY_BYTES (256/8)
 #define AES192_KEY_BYTES (192/8)
 #define AES128_KEY_BYTES (128/8)
@@ -48,10 +52,10 @@ typedef struct aes_context_t {
 int aes_cbc_encrypt (unsigned char *out, const unsigned char *in, size_t in_len,
- unsigned char *iv, aes_context_t *ctx);
+ const unsigned char *iv, aes_context_t *ctx);
 int aes_cbc_decrypt (unsigned char *out, const unsigned char *in, size_t in_len,
- unsigned char *iv, aes_context_t *ctx);
+ const unsigned char *iv, aes_context_t *ctx);
 int aes_ecb_decrypt (unsigned char *out, const unsigned char *in, aes_context_t *ctx);
diff --git a/src/aes.c b/src/aes.c
index 62d1b4f..20b0621 100644
--- a/src/aes.c
+++ b/src/aes.c
@@ -45,7 +45,7 @@ static char *openssl_err_as_string (void) {
 /* ****************************************************** */
 int aes_cbc_encrypt (unsigned char *out, const unsigned char *in, size_t in_len,
- unsigned char *iv, aes_context_t *ctx) {
+ const unsigned char *iv, aes_context_t *ctx) {
 #ifdef HAVE_OPENSSL_1_1
 int evp_len;
@@ -75,20 +75,21 @@ int aes_cbc_encrypt (unsigned char *out, const unsigned char *in, size_t in_len,
 EVP_CIPHER_CTX_reset(ctx->enc_ctx);
 #else
+ uint8_t tmp_iv[AES_IV_SIZE];
+ memcpy (tmp_iv, iv, AES_IV_SIZE);
 AES_cbc_encrypt(in, // source
 out, // destination
 in_len, // enc size
 &(ctx->enc_key),
- iv,
+ tmp_iv,
 AES_ENCRYPT);
- memset(iv, 0, AES_BLOCK_SIZE);
 #endif
 }
 /* ****************************************************** */
 int aes_cbc_decrypt (unsigned char *out, const unsigned char *in, size_t in_len,
- unsigned char *iv, aes_context_t *ctx) {
+ const unsigned char *iv, aes_context_t *ctx) {
 #ifdef HAVE_OPENSSL_1_1
 int evp_len;
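Review bot: The new `#define AES_BLOCK_SIZE 16` in include/aes.h reuses a macro name that OpenSSL's legacy AES header also defines; the `memset(iv, 0, AES_BLOCK_SIZE)` removed from src/aes.c compiled before this header provided the name, which suggests it was already coming from there. The two definitions are token-identical today, so the redefinition is accepted, but wrapping the project's copy as `#ifndef AES_BLOCK_SIZE` / `#define AES_BLOCK_SIZE 16` / `#endif` avoids depending on that. The include lines above the addition are not fully visible here, so confirm which headers are in scope.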
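Review bot: `aes_cbc_encrypt` is declared `int`, but in the context of the second src/aes.c hunk the closing `}` follows `#endif` directly, with no `return` visible on either side of the `#else`, whereas `aes_cbc_decrypt` ends with `return 0;`. A caller that reads the result of the encrypt call gets an indeterminate value (undefined behaviour in C), so any error check built on it is unreliable. Add `return 0;` after the `#endif`. The function body starts outside this hunk, so an earlier return on some path cannot be ruled out from here.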
@@ -118,13 +119,14 @@ int aes_cbc_decrypt (unsigned char *out, const unsigned char *in, size_t in_len,
 EVP_CIPHER_CTX_reset(ctx->dec_ctx);
 #else
+ uint8_t tmp_iv[AES_IV_SIZE];
+ memcpy (tmp_iv, iv, AES_IV_SIZE);
 AES_cbc_encrypt(in, // source
 out, // destination
 in_len, // enc size
 &(ctx->dec_key),
- iv,
+ tmp_iv,
 AES_DECRYPT);
- memset(iv, 0, AES_BLOCK_SIZE);
 #endif
 return 0;
diff --git a/src/transform_aes.c b/src/transform_aes.c
index 0b9fb6a..caf99ed 100644
--- a/src/transform_aes.c
+++ b/src/transform_aes.c
@@ -22,8 +22,6 @@
 #ifdef N2N_HAVE_AES
-#define AES_BLOCK_SIZE 16
-
 // size of random value prepended to plaintext defaults to AES BLOCK_SIZE;
 // gradually abandoning security, lower values could be chosen;
 // however, minimum transmission size with cipher text stealing scheme is one
@@ -31,11 +29,9 @@
 // might encounter an issue with lower values here
 #define AES_PREAMBLE_SIZE (AES_BLOCK_SIZE)
-#define AES_IV_SIZE (AES_BLOCK_SIZE)
-
 // cbc mode is being used with random value prepended to plaintext
 // instead of iv so, actual iv is null_iv
-uint8_t null_iv[AES_IV_SIZE] = {0};
+const uint8_t null_iv[AES_IV_SIZE] = {0};
 typedef struct transop_aes {
 aes_context_t *ctx;
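Review bot: The `tmp_iv` copy in the `#else` branch of `aes_cbc_decrypt` has no comment saying why it exists, and the same applies to the matching lines added to `aes_cbc_encrypt`. OpenSSL's `AES_cbc_encrypt()` updates its `ivec` argument in place, which is presumably why the old code zeroed `iv` again afterwards; a comment such as `/* AES_cbc_encrypt() overwrites ivec; use a private copy so the caller's IV stays untouched */` would keep a later cleanup from passing `iv` straight through again. The prototypes should also document that `iv` must point to at least `AES_IV_SIZE` readable bytes, since `memcpy` now reads that many unconditionally. The function body starts and ends outside this hunk.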
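Review bot: `null_iv` is still a non-static global after this change, so the symbol stays exported from transform_aes.c even though the visible code treats it as a file-local constant. If no other file references it, `static const uint8_t null_iv[AES_IV_SIZE] = {0};` keeps it out of the global namespace. Because the IV is fixed at zero, the random preamble is the only per-packet variation in the CBC stream, and the comment above `AES_PREAMBLE_SIZE` that mentions choosing lower values would be clearer if it said so. The struct definition that follows continues outside the hunk.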