diff --git a/header_encryption.c b/header_encryption.c index 8f7ab97..1966819 100644 --- a/header_encryption.c +++ b/header_encryption.c @@ -2,13 +2,15 @@ #include -#include "n2n.h" #include "random_numbers.h" #include "pearson.h" #include "portable_endian.h" -#include +#include // !!! + + +#define HASH_FIND_COMMUNITY(head, name, out) HASH_FIND_STR(head, name, out) uint32_t packet_header_decrypt (uint8_t packet[], uint8_t packet_len, @@ -45,6 +47,9 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint8_t packet_len, int32_t packet_header_decrypt_if_required (uint8_t packet[], uint16_t packet_len, struct sn_community *communities) { + struct sn_community *c, *tmp; + + if (packet_len < 20) return (-1); @@ -62,25 +67,28 @@ int32_t packet_header_decrypt_if_required (uint8_t packet[], uint16_t packet_len // most probably unencrypted - // TODO: - // !!! make sure, no downgrading happens here !!! - // NOT FOR DEFINETLY ENCRYPTED COMMUNITIES / NO DOWNGRADE, NO INJECTION - + // make sure, no downgrading happens here and no unencrypted packets can be + // injected in a community which definitely deals with encrypted headers + HASH_FIND_COMMUNITY(communities, (char *)&packet[04], c); + if (!c) + if (c->header_encryption == HEADER_ENCRYPTION_ENABLED) + return (-2); + // set 'no encryption' in case it is not set yet + c->header_encryption = HEADER_ENCRYPTION_NONE; return (HEADER_ENCRYPTION_NONE); } else { // most probably encrypted // cycle through the known communities (as keys) to eventually decrypt int32_t ret; - struct sn_community *c, *tmp; HASH_ITER (hh, communities, c, tmp) { // skip the definitely unencrypted communities if (c->header_encryption == HEADER_ENCRYPTION_NONE) continue; - if ( (ret = packet_header_decrypt (packet, packet_len, c->community, &(c->header_encryption_ctx))) ) { - // set to 'encrypted' + if ( (ret = packet_header_decrypt (packet, packet_len, c->community, c->header_encryption_ctx)) ) { + // set 'encrypted' in case it is not set yet c->header_encryption = HEADER_ENCRYPTION_ENABLED; - // no need to test any further + // no need to test further communities return (HEADER_ENCRYPTION_ENABLED); } } @@ -117,5 +125,5 @@ void packet_header_setup_key (char * community_name, he_context_t * ctx) { uint8_t key[16]; pearson_hash_128 (key, (uint8_t*)community_name, N2N_COMMUNITY_SIZE); - speck_expand_key_he (key, ctx); + speck_expand_key_he (key, (speck_context_t*)ctx); } diff --git a/header_encryption.h b/header_encryption.h index f8a31cb..a4395e0 100644 --- a/header_encryption.h +++ b/header_encryption.h @@ -1,17 +1,33 @@ + + +#ifndef _HEADER_ENCRYPTION_H_ +#define _HEADER_ENCRYPTION_H_ + + #include - #include "speck.h" -typedef speck_context_t he_context_t; +#include "n2n.h" +//define he_context_t speck_context_t +typedef struct speck_context_t he_context_t; + + +/* Header encryption indicators */ #define HEADER_ENCRYPTION_UNKNOWN 0 #define HEADER_ENCRYPTION_NONE 1 #define HEADER_ENCRYPTION_ENABLED 2 -uint32_t decrypt_packet_header (uint8_t packet[], uint8_t packet_len, +uint32_t packet_header_decrypt (uint8_t packet[], uint8_t packet_len, char * community_name, he_context_t * ctx); -int32_t encryt_packet_header (uint8_t packet[], uint8_t header_len, he_context_t * ctx); -int32_t encryt_packet_header (uint8_t packet[], uint8_t header_len, he_context_t * ctx); +int32_t packet_header_decrypt_if_required (uint8_t packet[], uint16_t packet_len, + struct sn_community * communities); + + +int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx); + + +#endif diff --git a/n2n.h b/n2n.h index c503bef..1cbb6b3 100644 --- a/n2n.h +++ b/n2n.h @@ -111,7 +111,6 @@ typedef struct ether_hdr ether_hdr_t; #include #include #include "minilzo.h" -#include "header_encryption.h" #define closesocket(a) close(a) #endif /* #ifndef WIN32 */ @@ -180,6 +179,9 @@ typedef struct tuntap_dev { bits of transform_id; will be obsolete as soon as compression gets its own field in the packet. REVISIT then. */ +/* forward delcaration of header encryption context, see 'header_encryption.h' */ +typedef struct speck_context_t he_context_t; + #define DEFAULT_MTU 1290 /** Uncomment this to enable the MTU check, then try to ssh to generate a fragmented packet. */ @@ -228,7 +230,7 @@ typedef struct n2n_edge_conf { n2n_route_t *routes; /**< Networks to route through n2n */ n2n_community_t community_name; /**< The community. 16 full octets. */ uint8_t header_encryption; /**< Header encryption indicator. */ - he_context_t header_encryption_ctx; /**< Header encryption cipher context. */ + he_context_t *header_encryption_ctx; /**< Header encryption cipher context. */ n2n_transform_t transop_id; /**< The transop to use. */ uint16_t compression; /**< Compress outgoing data packets before encryption */ uint16_t num_routes; /**< Number of routes in routes */ @@ -259,6 +261,16 @@ typedef struct sn_stats time_t last_reg_super; /* Time when last REGISTER_SUPER was received. */ } sn_stats_t; + struct sn_community +{ + char community[N2N_COMMUNITY_SIZE]; + uint8_t header_encryption; /* Header encryption indicator. */ + he_context_t *header_encryption_ctx; /* Header encryption cipher context. */ + struct peer_info *edges; /* Link list of registered edges. */ + + UT_hash_handle hh; /* makes this structure hashable */ +}; + typedef struct n2n_sn { time_t start_time; /* Used to measure uptime. */ @@ -271,16 +283,6 @@ typedef struct sn_stats struct sn_community *communities; } n2n_sn_t; - struct sn_community -{ - char community[N2N_COMMUNITY_SIZE]; - uint8_t header_encryption; /* Header encryption indicator. */ - he_context_t header_encryption_ctx; /* Header encryption cipher context. */ - struct peer_info *edges; /* Link list of registered edges. */ - - UT_hash_handle hh; /* makes this structure hashable */ -}; - /* ************************************** */ #ifdef __ANDROID_NDK__ diff --git a/sn_utils.c b/sn_utils.c index ed1f85f..95a26b8 100644 --- a/sn_utils.c +++ b/sn_utils.c @@ -1,4 +1,5 @@ #include "n2n.h" +#include "header_encryption.h" #define HASH_FIND_COMMUNITY(head, name, out) HASH_FIND_STR(head, name, out) #define N2N_SN_LPORT_DEFAULT 7654 @@ -37,7 +38,7 @@ static int process_mgmt(n2n_sn_t *sss, static int process_udp(n2n_sn_t *sss, const struct sockaddr_in *sender_sock, - const uint8_t *udp_buf, + uint8_t *udp_buf, size_t udp_size, time_t now); @@ -372,13 +373,14 @@ static int process_mgmt(n2n_sn_t *sss, */ static int process_udp(n2n_sn_t *sss, const struct sockaddr_in *sender_sock, - const uint8_t *udp_buf, + uint8_t *udp_buf, size_t udp_size, time_t now) { n2n_common_t cmn; /* common fields in the packet header */ size_t rem; size_t idx; + int8_t he = HEADER_ENCRYPTION_UNKNOWN; size_t msg_type; uint8_t from_supernode; macstr_t mac_buf; @@ -390,6 +392,8 @@ static int process_udp(n2n_sn_t *sss, udp_size, intoa(ntohl(sender_sock->sin_addr.s_addr), buf, sizeof(buf)), ntohs(sender_sock->sin_port)); + he = packet_header_decrypt_if_required (udp_buf, udp_size, sss->communities); + /* Use decode_common() to determine the kind of packet then process it: * * REGISTER_SUPER adds an edge and generate a return REGISTER_SUPER_ACK @@ -781,4 +785,4 @@ int run_sn_loop(n2n_sn_t *sss, int *keep_running) sn_term(sss); return 0; -} \ No newline at end of file +} diff --git a/speck.c b/speck.c index 74a1426..a5ced78 100644 --- a/speck.c +++ b/speck.c @@ -3,7 +3,6 @@ // https://github.com/nsacyber/simon-speck-supercop/blob/master/crypto_stream/speck128256ctr/ #include -#include #include "portable_endian.h" #include "speck.h" diff --git a/speck.h b/speck.h index 51df36b..a456f77 100644 --- a/speck.h +++ b/speck.h @@ -6,6 +6,7 @@ #ifndef SPECK_H #define SPECK_H +#include #define u32 uint32_t #define u64 uint64_t