diff --git a/include/header_encryption.h b/include/header_encryption.h index 05e28a0..b84554a 100644 --- a/include/header_encryption.h +++ b/include/header_encryption.h @@ -22,7 +22,7 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint16_t packet_len, int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx, - uint16_t checksum); + he_context_t * ctx_iv, uint16_t checksum); void packet_header_setup_key (const char * community_name, he_context_t ** ctx, diff --git a/src/edge_utils.c b/src/edge_utils.c index 5183972..825962c 100644 --- a/src/edge_utils.c +++ b/src/edge_utils.c @@ -744,7 +744,7 @@ static void send_register_super(n2n_edge_t * eee, if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx, - pearson_hash_16 (pktbuf, idx)); + eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx)); /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, supernode); } @@ -776,7 +776,7 @@ static void send_query_peer( n2n_edge_t * eee, if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx, - pearson_hash_16 (pktbuf, idx)); + eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx)); sendto_sock( eee->udp_sock, pktbuf, idx, &(eee->supernode) ); } @@ -823,7 +823,7 @@ static void send_register(n2n_edge_t * eee, if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx, - pearson_hash_16 (pktbuf, idx)); + eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx)); /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer); } @@ -866,7 +866,7 @@ static void send_register_ack(n2n_edge_t * eee, if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx, - pearson_hash_16 (pktbuf, idx)); + eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx)); /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer); } @@ -1474,7 +1474,7 @@ static void send_packet2net(n2n_edge_t * eee, if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (pktbuf, headerIdx, eee->conf.header_encryption_ctx, - pearson_hash_16 (pktbuf, idx)); + eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx)); #ifdef MTU_ASSERT_VALUE { diff --git a/src/header_encryption.c b/src/header_encryption.c index 948fd33..7bd9ae4 100644 --- a/src/header_encryption.c +++ b/src/header_encryption.c @@ -57,7 +57,7 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint16_t packet_len, /* ********************************************************************** */ int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx, - uint16_t checksum) { + he_context_t * ctx_iv, uint16_t checksum) { uint8_t iv[16]; uint16_t *iv16 = (uint16_t*)&iv; @@ -76,6 +76,8 @@ int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_ iv16[4] = n2n_rand (); iv16[5] = htobe16 (checksum); iv32[3] = htobe32 (magic); + // blend checksum into 96-bit IV + speck_he_iv_encrypt (iv, (speck_context_t*)ctx_iv); memcpy (packet, iv, 16); packet[15] = header_len; diff --git a/src/sn.c b/src/sn.c index 87c40ce..a7f508e 100644 --- a/src/sn.c +++ b/src/sn.c @@ -587,7 +587,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx, - pearson_hash_16 (rec_buf, encx)); + comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx)); } else { /* Already from a supernode. Nothing to modify, just pass to * destination. */ @@ -599,7 +599,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx, - pearson_hash_16 (rec_buf, udp_size)); + comm->header_iv_ctx, pearson_hash_16 (rec_buf, udp_size)); } /* Common section to forward the final product. */ @@ -663,7 +663,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx, - pearson_hash_16 (rec_buf, encx)); + comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx)); try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */ @@ -736,7 +736,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx, - pearson_hash_16 (ackbuf, encx)); + comm->header_iv_ctx, pearson_hash_16 (ackbuf, encx)); sendto(sss->sock, ackbuf, encx, 0, (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in)); @@ -784,7 +784,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx, - pearson_hash_16 (encbuf, encx)); + comm->header_iv_ctx, pearson_hash_16 (encbuf, encx)); sendto( sss->sock, encbuf, encx, 0, (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) ); diff --git a/src/sn_utils.c b/src/sn_utils.c index d176b11..fc7ba03 100644 --- a/src/sn_utils.c +++ b/src/sn_utils.c @@ -513,7 +513,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx, - pearson_hash_16 (rec_buf, encx)); + comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx)); } else { /* Already from a supernode. Nothing to modify, just pass to @@ -526,7 +526,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx, - pearson_hash_16 (rec_buf, udp_size)); + comm->header_iv_ctx, pearson_hash_16 (rec_buf, udp_size)); } /* Common section to forward the final product. */ @@ -590,7 +590,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx, - pearson_hash_16 (rec_buf, encx)); + comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx)); try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */ } else @@ -662,7 +662,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx, - pearson_hash_16 (ackbuf, encx)); + comm->header_iv_ctx, pearson_hash_16 (ackbuf, encx)); sendto(sss->sock, ackbuf, encx, 0, (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in)); @@ -710,7 +710,7 @@ static int process_udp(n2n_sn_t * sss, if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED) packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx, - pearson_hash_16 (encbuf, encx)); + comm->header_iv_ctx, pearson_hash_16 (encbuf, encx)); sendto( sss->sock, encbuf, encx, 0, (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );