prepared header iv encryption handling

include/header_encryption.h

@@ -21,7 +21,10 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint16_t packet_len,
                                 char * community_name, he_context_t * ctx);
 
 
-int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx);
+int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx,
+                               uint16_t checksum);
 
 
-void packet_header_setup_key (const char * community_name, he_context_t ** ctx);
+void packet_header_setup_key (const char * community_name, he_context_t ** ctx,
+                                                           he_context_t ** ctx_iv);
+

include/n2n.h

@@ -221,6 +221,7 @@ typedef struct n2n_edge_conf {
   n2n_community_t     community_name;         /**< The community. 16 full octets. */
   uint8_t	      header_encryption;      /**< Header encryption indicator. */
   he_context_t	      *header_encryption_ctx; /**< Header encryption cipher context. */
+  he_context_t        *header_iv_ctx;	      /**< Header IV ecnryption cipher context, REMOVE as soon as seperte fileds for checksum and replay protection available */
   n2n_transform_t     transop_id;             /**< The transop to use. */
   uint16_t	      compression;	      /**< Compress outgoing data packets before encryption */
   uint16_t	      num_routes;	      /**< Number of routes in routes */
@@ -255,7 +256,8 @@ struct sn_community
 {
   char community[N2N_COMMUNITY_SIZE];
   uint8_t	      header_encryption;      /* Header encryption indicator. */
-  he_context_t      *header_encryption_ctx; /* Header encryption cipher context. */
+  he_context_t        *header_encryption_ctx; /* Header encryption cipher context. */
+  he_context_t        *header_iv_ctx;	      /* Header IV ecnryption cipher context, REMOVE as soon as seperte fileds for checksum and replay protection available */
   struct peer_info *edges; 		      /* Link list of registered edges. */
 
   UT_hash_handle hh; /* makes this structure hashable */

src/header_encryption.c

@@ -56,9 +56,11 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint16_t packet_len,
 
 /* ********************************************************************** */
 
-int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx) {
+int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx,
+                               uint16_t checksum) {
 
   uint8_t iv[16];
+  uint16_t *iv16 = (uint16_t*)&iv;
   uint32_t *iv32 = (uint32_t*)&iv;
   uint64_t *iv64 = (uint64_t*)&iv;
   const uint32_t magic = 0x6E326E21; // = ASCII "n2n!"
@@ -71,7 +73,8 @@ int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_
   memcpy (&packet[16], &packet[00], 4);
 
   iv64[0] = n2n_rand ();
-  iv32[2] = n2n_rand ();
+  iv16[4] = n2n_rand ();
+  iv16[5] = htobe16 (checksum);
   iv32[3] = htobe32 (magic);
 
   memcpy (packet, iv, 16);
@@ -83,11 +86,18 @@ int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_
 
 /* ********************************************************************** */
 
-void packet_header_setup_key (const char * community_name, he_context_t ** ctx) {
+void packet_header_setup_key (const char * community_name, he_context_t ** ctx,
+                                                           he_context_t ** ctx_iv) {
 
   uint8_t key[16];
   pearson_hash_128 (key, (uint8_t*)community_name, N2N_COMMUNITY_SIZE);
 
   *ctx = (he_context_t*)calloc(1, sizeof (speck_context_t));
   speck_expand_key_he (key, (speck_context_t*)*ctx);
+
+  // hash again and use last 96 bit (skipping 4 bytes) as key for IV encryption
+  // REMOVE as soon as checksum and replay protection get their own fields
+  pearson_hash_128 (key, key, sizeof (key));
+  *ctx_iv = (he_context_t*)calloc(1, sizeof (speck_context_t));
+  speck_expand_key_he_iv (&key[4], (speck_context_t*)*ctx_iv);
 }