changed aes transform to cipher text stealing mode

include/aes.h

@@ -28,6 +28,10 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 
+
+#define AES_BLOCK_SIZE           16
+#define AES_IV_SIZE             (AES_BLOCK_SIZE)
+
 #define AES256_KEY_BYTES (256/8)
 #define AES192_KEY_BYTES (192/8)
 #define AES128_KEY_BYTES (128/8)
@@ -48,10 +52,10 @@ typedef struct aes_context_t {
 
 
 int aes_cbc_encrypt (unsigned char *out, const unsigned char *in, size_t in_len,
-                     unsigned char *iv, aes_context_t *ctx);
+                     const unsigned char *iv, aes_context_t *ctx);
 
 int aes_cbc_decrypt (unsigned char *out, const unsigned char *in, size_t in_len,
-                     unsigned char *iv, aes_context_t *ctx);
+                     const unsigned char *iv, aes_context_t *ctx);
 
 int aes_ecb_decrypt (unsigned char *out, const unsigned char *in, aes_context_t *ctx);
 

src/aes.c

@@ -45,7 +45,7 @@ static char *openssl_err_as_string (void) {
 /* ****************************************************** */
 
 int aes_cbc_encrypt (unsigned char *out, const unsigned char *in, size_t in_len,
-                     unsigned char *iv, aes_context_t *ctx) {
+                     const unsigned char *iv, aes_context_t *ctx) {
 
 #ifdef HAVE_OPENSSL_1_1
   int evp_len;
@@ -75,20 +75,21 @@ int aes_cbc_encrypt (unsigned char *out, const unsigned char *in, size_t in_len,
 
   EVP_CIPHER_CTX_reset(ctx->enc_ctx);
 #else
+  uint8_t tmp_iv[AES_IV_SIZE];
+  memcpy (tmp_iv, iv, AES_IV_SIZE);
   AES_cbc_encrypt(in,                // source
                   out,               // destination
                   in_len,            // enc size
                   &(ctx->enc_key),
-                  iv,
+                  tmp_iv,
                   AES_ENCRYPT);
-  memset(iv, 0, AES_BLOCK_SIZE);
 #endif
 }
 
 /* ****************************************************** */
 
 int aes_cbc_decrypt (unsigned char *out, const unsigned char *in, size_t in_len,
-                     unsigned char *iv, aes_context_t *ctx) {
+                     const unsigned char *iv, aes_context_t *ctx) {
 
 #ifdef HAVE_OPENSSL_1_1
   int evp_len;
@@ -118,13 +119,14 @@ int aes_cbc_decrypt (unsigned char *out, const unsigned char *in, size_t in_len,
 
   EVP_CIPHER_CTX_reset(ctx->dec_ctx);
 #else
+  uint8_t tmp_iv[AES_IV_SIZE];
+  memcpy (tmp_iv, iv, AES_IV_SIZE);
   AES_cbc_encrypt(in,                // source
                   out,               // destination
                   in_len,            // enc size
                   &(ctx->dec_key),
-                  iv,
+                  tmp_iv,
                   AES_DECRYPT);
-    memset(iv, 0, AES_BLOCK_SIZE);
 #endif
 
   return 0;

src/transform_aes.c

@@ -22,8 +22,6 @@
 #ifdef N2N_HAVE_AES
 
 
-#define AES_BLOCK_SIZE           16
-
 // size of random value prepended to plaintext defaults to AES BLOCK_SIZE;
 // gradually abandoning security, lower values could be chosen;
 // however, minimum transmission size with cipher text stealing scheme is one
@@ -31,11 +29,9 @@
 // might encounter an issue with lower values here
 #define AES_PREAMBLE_SIZE       (AES_BLOCK_SIZE)
 
-#define AES_IV_SIZE             (AES_BLOCK_SIZE)
-
 // cbc mode is being used with random value prepended to plaintext
 // instead of iv so, actual iv is null_iv
-uint8_t null_iv[AES_IV_SIZE] = {0};
+const uint8_t null_iv[AES_IV_SIZE] = {0};
 
 typedef struct transop_aes {
   aes_context_t       *ctx;