
(racoon 447) [PATCH] Use AES provided by OpenSSL



Hi all,

I'd like to merge as much of Linux's IPsec-tools back into the KAME tree as
possible, to make future synchronisation in both directions easier. I'm not sure
what the right place is for sending patches for KAME's racoon, setkey,
etc. For now I'll send some simple ones here. Let me know if there is a
better list...

The attached patch makes racoon use the AES routines provided by OpenSSL
(if available).

Michal Ludvig
-- 
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal
--- kame/racoon/crypto_openssl.c	2003-11-13 20:51:43.000000000 +0100
+++ head/src/racoon/crypto_openssl.c	2004-03-23 13:52:06.000000000 +0100
@@ -75,7 +77,9 @@
 #endif
 #include <openssl/cast.h>
 #include <openssl/err.h>
-#ifdef HAVE_OPENSSL_RIJNDAEL_H
+#if defined(HAVE_OPENSSL_AES_H)
+#include <openssl/aes.h>
+#elif defined(HAVE_OPENSSL_RIJNDAEL_H)
 #include <openssl/rijndael.h>
 #else
 #include "crypto/rijndael/rijndael-api-fst.h"
@@ -279,6 +283,10 @@ eay_check_x509cert(cert, CApath)
 	if (csc == NULL)
 		goto end;
 	X509_STORE_CTX_init(csc, cert_ctx, x509, NULL);
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK);
+	X509_STORE_CTX_set_flags (csc, X509_V_FLAG_CRL_CHECK_ALL);
+#endif
 	error = X509_verify_cert(csc);
 	X509_STORE_CTX_cleanup(csc);
 #else
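Review bot: The two added `X509_STORE_CTX_set_flags` calls in eay_check_x509cert turn on CRL checking for the whole chain unconditionally, which the patch description (AES only) does not mention; with these flags OpenSSL fails verification when no CRL for an issuer can be found in the store, so setups that keep no CRLs in CApath would presumably start rejecting every peer certificate. This deserves its own change, a comment such as `/* require a valid CRL for every cert in the chain; verification fails if none is available */`, and probably a configuration switch. The two calls can also be written once as `X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);`. On OpenSSL older than 0.9.7 the version guard silently leaves revocation unchecked, which is worth stating in the same comment. The function body starts and ends outside the hunk.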
@@ -979,8 +987,10 @@ eay_des_encrypt(data, key, iv)
 	des_key_schedule ks;
 #endif
 
+#ifndef USE_NEW_DES_API
 	if (data->l % 8)
 		return NULL;
+#endif
 
 #ifdef USE_NEW_DES_API
 	if (DES_key_sched((void *)key->v, &ks) != 0)
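Review bot: Wrapping the `data->l % 8` check in `#ifndef USE_NEW_DES_API` removes the block-length guard from eay_des_encrypt exactly when the new DES API is used, so input that is not a multiple of the DES block size now reaches the cipher call. The rest of the function is outside the hunk, but if the result buffer is sized to `data->l` (as in the AES functions this patch adds), a partial final block may be written past its end, because OpenSSL's CBC encrypt routines emit a whole block for a partial final input block. Unless the new-API path pads elsewhere, keep the guard unconditional by dropping the added `#ifndef USE_NEW_DES_API` / `#endif` pair around `if (data->l % 8) return NULL;`. The change is also unrelated to the AES switch the description announces.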
@@ -1434,6 +1439,7 @@ eay_cast_keylen(len)
 /*
  * AES(RIJNDAEL)-CBC
  */
+#ifndef HAVE_OPENSSL_AES_H
 vchar_t *
 eay_aes_encrypt(data, key, iv)
 	vchar_t *data, *key, *iv;
@@ -1485,6 +1491,45 @@ eay_aes_decrypt(data, key, iv)
 
 	return res;
 }
+#else
+vchar_t *
+eay_aes_encrypt(data, key, iv)
+       vchar_t *data, *key, *iv;
+{
+	vchar_t *res;
+	AES_KEY ks;
+
+	AES_set_encrypt_key(key->v, key->l * 8, &ks);
+
+	/* allocate buffer for result */
+	if ((res = vmalloc(data->l)) == NULL)
+	    return NULL;
+
+	/* encryption data */
+	AES_cbc_encrypt(data->v, res->v, data->l,
+	                &ks, iv->v, AES_ENCRYPT);
+	return res;
+}
+
+vchar_t *
+eay_aes_decrypt(data, key, iv)
+       vchar_t *data, *key, *iv;
+{
+	vchar_t *res;
+	AES_KEY ks;
+
+	AES_set_decrypt_key(key->v, key->l * 8, &ks);
+
+	/* allocate buffer for result */
+	if ((res = vmalloc(data->l)) == NULL)
+	    return NULL;
+
+	/* decryption data */
+	AES_cbc_encrypt(data->v, res->v, data->l,
+	                &ks, iv->v, AES_DECRYPT);
+	return res;
+}
+#endif
 
 int
 eay_aes_weakkey(key)
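Review bot: Both new functions ignore the return value of `AES_set_encrypt_key` / `AES_set_decrypt_key` and never check that `data->l` is a multiple of the AES block size, unlike the `data->l % 8` guard in eay_des_encrypt. The key setup returns non-zero for key lengths other than 128, 192 or 256 bits, in which case `ks` is used uninitialised. On a partial final block `AES_cbc_encrypt` writes a full 16-byte block when encrypting, which would run past the `data->l`-byte `res` buffer. `AES_cbc_encrypt` also updates `iv->v` in place, so callers that reuse the IV afterwards see a changed value; whether the replaced Rijndael code did the same is not visible here. Suggested guards for eay_aes_encrypt are below; eay_aes_decrypt needs the same with `AES_set_decrypt_key`.

```c
vchar_t *
eay_aes_encrypt(data, key, iv)
       vchar_t *data, *key, *iv;
{
	vchar_t *res;
	AES_KEY ks;

	/* CBC without padding: reject partial blocks and short IVs */
	if (data->l % AES_BLOCK_SIZE || iv->l < AES_BLOCK_SIZE)
		return NULL;

	/* fails for key lengths other than 128/192/256 bits */
	if (AES_set_encrypt_key(key->v, key->l * 8, &ks) != 0)
		return NULL;

	/* ... unchanged: vmalloc of res, AES_cbc_encrypt call, return res ... */
```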
--- kame/racoon/configure.in	2004-03-23 14:26:10.000000000 +0100
+++ head/src/racoon/configure.in	2004-03-15 09:30:52.000000000 +0100
@@ -645,13 +683,13 @@ AC_CHECK_HEADERS($ideaheader $rc5header 
 fi
 AC_CHECK_HEADERS(openssl/cversion.h openssl/opensslv.h)
 
+# checking rijndael
+missing_aes="yes"
 AC_SUBST(CRYPTOBJS)
-
-dnl checking rijndael
-AC_CHECK_HEADER(openssl/rijndael.h, [], [
-	CPPFLAGS="$CPPFLAGS -I./missing"
+AC_CHECK_HEADERS([openssl/aes.h openssl/rijndael.h], [missing_aes="no"], [])
+if test $missing_aes = "yes"; then
 	CRYPTOBJS="$CRYPTOBJS rijndael-api-fst.o rijndael-alg-fst.o"
-])
+fi
 
 dnl checking sha2
 AC_MSG_CHECKING(sha2 support)
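Review bot: The rewritten check drops `CPPFLAGS="$CPPFLAGS -I./missing"` from the fallback branch, yet crypto_openssl.c still includes `"crypto/rijndael/rijndael-api-fst.h"` when neither OpenSSL header is found; if that header lives under ./missing, the bundled-Rijndael build would no longer find it. Keep the flag inside the new `if`, i.e. `CPPFLAGS="$CPPFLAGS -I./missing"` before the `CRYPTOBJS=` line. `test $missing_aes = "yes"` is also safer quoted as `test "$missing_aes" = "yes"`. The comment changed from `dnl` to `#`, which copies it into the generated configure script; say so if that is intended.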