ipsec: Use IV generator to encrypt ESP messages

2 files changed, 7 insertions, 9 deletions

diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 61389daa4..1b8625ca7 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -283,7 +283,7 @@ METHOD(esp_packet_t, encrypt, status_t,
 	u_int32_t next_seqno;
 	size_t blocksize, plainlen;
 	aead_t *aead;
-	rng_t *rng;
+	iv_gen_t *iv_gen;
 
 	this->packet->set_data(this->packet, chunk_empty);
 
@@ -293,13 +293,13 @@ METHOD(esp_packet_t, encrypt, status_t,
 		return FAILED;
 	}
 
-	rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
-	if (!rng)
+	aead = esp_context->get_aead(esp_context);
+	iv_gen = aead->get_iv_gen(aead);
+	if (!iv_gen)
 	{
-		DBG1(DBG_ESP, "ESP encryption failed: could not find RNG");
+		DBG1(DBG_ESP, "ESP encryption failed: no IV generator");
 		return NOT_FOUND;
 	}
-	aead = esp_context->get_aead(esp_context);
 
 	blocksize = aead->get_block_size(aead);
 	iv.len = aead->get_iv_size(aead);
@@ -319,14 +319,12 @@ METHOD(esp_packet_t, encrypt, status_t,
 	writer->write_uint32(writer, next_seqno);
 
 	iv = writer->skip(writer, iv.len);
-	if (!rng->get_bytes(rng, iv.len, iv.ptr))
+	if (!iv_gen->get_iv(iv_gen, iv.len, iv.ptr))
 	{
 		DBG1(DBG_ESP, "ESP encryption failed: could not generate IV");
 		writer->destroy(writer);
-		rng->destroy(rng);
 		return FAILED;
 	}
-	rng->destroy(rng);
 
 	/* plain-/ciphertext will start here */
 	ciphertext = writer->get_buf(writer);
diff --git a/src/libipsec/esp_packet.h b/src/libipsec/esp_packet.h
index ce8645825..f1941a3ba 100644
--- a/src/libipsec/esp_packet.h
+++ b/src/libipsec/esp_packet.h
@@ -91,7 +91,7 @@ struct esp_packet_t {
 	 * @return					- SUCCESS if encrypted
 	 *							- FAILED if sequence number cycled or any of the
 	 *							  cryptographic functions failed
-	 *							- NOT_FOUND if no suitable RNG could be found
+	 *							- NOT_FOUND if no suitable IV generator provided
 	 */
 	status_t (*encrypt)(esp_packet_t *this, esp_context_t *esp_context,
 						u_int32_t spi);