diff --git a/src/edge_utils.c b/src/edge_utils.c
index ca054b2..5183972 100644
--- a/src/edge_utils.c
+++ b/src/edge_utils.c
@@ -258,7 +258,7 @@ n2n_edge_t* edge_init(const tuntap_dev *dev, const n2n_edge_conf_t *conf, int *r
 /* Set the key schedule (context) for header encryption if enabled */
 if(conf->header_encryption == HEADER_ENCRYPTION_ENABLED) {
 traceEvent(TRACE_NORMAL, "Header encryption is enabled.");
- packet_header_setup_key ((char *)(conf->community_name), &(eee->conf.header_encryption_ctx));
+ packet_header_setup_key ((char *)(conf->community_name), &(eee->conf.header_encryption_ctx),&(eee->conf.header_iv_ctx));
 }
 
 if(eee->transop.no_encryption)
@@ -743,7 +743,8 @@ static void send_register_super(n2n_edge_t * eee,
 sock_to_cstr(sockbuf, supernode));
 
 if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+ packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+ pearson_hash_16 (pktbuf, idx));
 
 /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, supernode);
 }
@@ -774,7 +775,8 @@ static void send_query_peer( n2n_edge_t * eee,
 traceEvent( TRACE_DEBUG, "send QUERY_PEER to supernode" );
 
 if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+ packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+ pearson_hash_16 (pktbuf, idx));
 
 sendto_sock( eee->udp_sock, pktbuf, idx, &(eee->supernode) );
 }
@@ -820,7 +822,8 @@ static void send_register(n2n_edge_t * eee,
 sock_to_cstr(sockbuf, remote_peer));
 
 if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+ packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+ pearson_hash_16 (pktbuf, idx));
 
 /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer);
 }
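Review bot: The new fourth argument `pearson_hash_16 (pktbuf, idx)` in send_register_super (@@ -743) is evaluated before `packet_header_encrypt` runs, so it is a 16-bit hash of the still-plaintext packet and is fully determined by the packet's content; if the receiving side uses it as the IV that the new `header_iv_ctx` in @@ -258 suggests, two REGISTER_SUPER packets with identical fields produce identical encrypted headers, and only 2^16 distinct values exist. If that is an accepted property of this design it should be stated at the call, e.g. `/* 16-bit Pearson hash of the plaintext packet serves as IV; equal packets give equal IVs */`, and if it is not, the value should come from a random or counter source rather than from the data being protected. The same call shape is added in send_query_peer (@@ -774), send_register (@@ -820) and send_register_ack (@@ -862). Each of these functions begins outside its hunk.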
@@ -862,7 +865,8 @@ static void send_register_ack(n2n_edge_t * eee,
 sock_to_cstr(sockbuf, remote_peer));
 
 if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+ packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+ pearson_hash_16 (pktbuf, idx));
 
 /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer);
 }
@@ -1459,8 +1463,7 @@ static void send_packet2net(n2n_edge_t * eee,
 idx=0;
 encode_PACKET(pktbuf, &idx, &cmn, &pkt);
 
- if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+ uint16_t headerIdx = idx;
 
 idx += eee->transop.fwd(&eee->transop,
 pktbuf+idx, N2N_PKT_BUF_SIZE-idx,
@@ -1469,6 +1472,10 @@ static void send_packet2net(n2n_edge_t * eee,
 traceEvent(TRACE_DEBUG, "Encode %u B PACKET [%u B data, %u B overhead] transform %u",
 (u_int)idx, (u_int)len, (u_int)(idx-len), tx_transop_idx);
 
+ if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
+ packet_header_encrypt (pktbuf, headerIdx, eee->conf.header_encryption_ctx,
+ pearson_hash_16 (pktbuf, idx));
+
 #ifdef MTU_ASSERT_VALUE
 {
 const u_int eth_udp_overhead = ETH_FRAMESIZE + IP4_MIN_SIZE + UDP_SIZE;
diff --git a/src/sn.c b/src/sn.c
index ec6d211..87c40ce 100644
--- a/src/sn.c
+++ b/src/sn.c
@@ -408,7 +408,7 @@ static int load_allowed_sn_community(n2n_sn_t *sss, char *path) {
 /* we do not know if header encryption is used in this community,
 * first packet will show. just in case, setup the key. */
 s->header_encryption = HEADER_ENCRYPTION_UNKNOWN;
- packet_header_setup_key (s->community, &(s->header_encryption_ctx));
+ packet_header_setup_key (s->community, &(s->header_encryption_ctx), &(s->header_iv_ctx));
 
 HASH_ADD_STR(sss->communities, community, s);
 num_communities++;
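Review bot: `uint16_t headerIdx = idx;` in @@ -1459 of send_packet2net is camelCase beside the hunk's snake_case locals (`idx`, `pktbuf`, `tx_transop_idx`) and silently narrows `idx`, whose declaration is above the hunk; `uint16_t header_idx = idx; /* header length only; idx grows past this after the transform, buffer is bounded by N2N_PKT_BUF_SIZE */` would match the file's naming and record why the narrowing is assumed safe. The encryption relocated to @@ -1469 now runs after `eee->transop.fwd`, so its hash argument `pearson_hash_16 (pktbuf, idx)` covers the transformed payload, unlike the register paths above which hash a plaintext packet; a one-line comment such as `/* encrypt the header last so the hash covers the final (transformed) payload */` would mark that ordering as intentional. send_packet2net begins and ends outside both hunks.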
@@ -580,12 +580,14 @@ static int process_udp(n2n_sn_t * sss,
 /* Re-encode the header. */
 encode_PACKET(encbuf, &encx, &cmn2, &pkt);
 
-
- if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx);
+ uint16_t oldEncx = encx;
 
 /* Copy the original payload unchanged */
 encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
+
+ if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
+ packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx,
+ pearson_hash_16 (rec_buf, encx));
 } else {
 /* Already from a supernode. Nothing to modify, just pass to
 * destination. */
@@ -596,7 +598,8 @@ static int process_udp(n2n_sn_t * sss,
 encx = udp_size;
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+ packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx,
+ pearson_hash_16 (rec_buf, udp_size));
 
 }
 /* Common section to forward the final product. */
@@ -647,7 +650,7 @@ static int process_udp(n2n_sn_t * sss,
 /* Re-encode the header. */
 encode_REGISTER(encbuf, &encx, &cmn2, ®);
 
-
+// !!! does this ever happen? does REGISTER ever come with a payload ??? !!!
 /* Copy the original payload unchanged */
 encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
 } else {
@@ -659,7 +662,9 @@ static int process_udp(n2n_sn_t * sss,
 }
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+ packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx,
+ pearson_hash_16 (rec_buf, encx));
+
 
 try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */
 } else
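Review bot: In @@ -659 the header-length argument changes from `idx` to `encx`, so `packet_header_encrypt (rec_buf, encx, ...)` now treats the whole re-encoded REGISTER buffer as header; that matches the old call only when a REGISTER carries no payload, which is exactly the question the new `// !!! does this ever happen? ...` comment in @@ -647 leaves open, and in the "already from a supernode" branch `encx` is the full datagram length while `idx` was the parsed header length. Either settle that question and say so in the code (`/* REGISTER carries no payload, so encx is the header length */`, at which point the `encode_buf` copy is a no-op) or keep the header length apart from the total as the PACKET path does with `oldEncx` in @@ -580, e.g. `uint16_t header_len = encx;` before the payload copy and `packet_header_encrypt (rec_buf, header_len, comm->header_encryption_ctx, pearson_hash_16 (rec_buf, encx))`. A `// !!!` marker at column 0 should not merge as-is; make it a `/* TODO: ... */` carrying the conclusion. The same three hunks are repeated in sn_utils.c (@@ -506, @@ -573, @@ -585) and need the same resolution. process_udp begins and ends outside these hunks.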
@@ -730,7 +735,8 @@ static int process_udp(n2n_sn_t * sss,
 encode_REGISTER_SUPER_ACK(ackbuf, &encx, &cmn2, &ack);
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx);
+ packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx,
+ pearson_hash_16 (ackbuf, encx));
 
 sendto(sss->sock, ackbuf, encx, 0,
 (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in));
@@ -777,7 +783,8 @@ static int process_udp(n2n_sn_t * sss,
 encode_PEER_INFO( encbuf, &encx, &cmn2, &pi );
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx);
+ packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx,
+ pearson_hash_16 (encbuf, encx));
 
 sendto( sss->sock, encbuf, encx, 0,
 (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );
diff --git a/src/sn_utils.c b/src/sn_utils.c
index 2c8ef90..d176b11 100644
--- a/src/sn_utils.c
+++ b/src/sn_utils.c
@@ -506,12 +506,15 @@ static int process_udp(n2n_sn_t * sss,
 /* Re-encode the header. */
 encode_PACKET(encbuf, &encx, &cmn2, &pkt);
 
-
- if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx);
+ uint16_t oldEncx = encx;
 
 /* Copy the original payload unchanged */
 encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
+
+ if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
+ packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx,
+ pearson_hash_16 (rec_buf, encx));
+
 } else {
 /* Already from a supernode. Nothing to modify, just pass to
 * destination. */
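Review bot: `uint16_t oldEncx = encx;` in @@ -506 of sn_utils.c narrows `encx`, whose declaration is above the hunk, and is the one camelCase name beside `udp_size`, `rec_buf` and `encx`; `uint16_t header_len = encx; /* header only; encx grows past this once the payload is copied */` says what the value is and follows the file's naming. The encryption moved below `encode_buf` now hashes `rec_buf` over `encx` bytes right after `encode_buf` wrote into `encbuf`, which is only correct if `rec_buf` points at `encbuf` here — presumably it does, since the removed line relied on the same thing, but a `/* rec_buf aliases encbuf in this branch */` comment at the call would save the next reader the lookup. sn.c @@ -580 carries the identical lines. process_udp begins and ends outside the hunk.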
@@ -522,7 +525,8 @@ static int process_udp(n2n_sn_t * sss,
 encx = udp_size;
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+ packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx,
+ pearson_hash_16 (rec_buf, udp_size));
 
 }
 /* Common section to forward the final product. */
@@ -573,7 +577,7 @@ static int process_udp(n2n_sn_t * sss,
 /* Re-encode the header. */
 encode_REGISTER(encbuf, &encx, &cmn2, ®);
 
-
+// !!! does this ever happen? does REGISTER ever come with a payload ??? !!!
 /* Copy the original payload unchanged */
 encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
 } else {
@@ -585,7 +589,8 @@ static int process_udp(n2n_sn_t * sss,
 }
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+ packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx,
+ pearson_hash_16 (rec_buf, encx));
 
 try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */
 } else
@@ -656,7 +661,8 @@ static int process_udp(n2n_sn_t * sss,
 encode_REGISTER_SUPER_ACK(ackbuf, &encx, &cmn2, &ack);
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx);
+ packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx,
+ pearson_hash_16 (ackbuf, encx));
 
 sendto(sss->sock, ackbuf, encx, 0,
 (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in));
@@ -703,7 +709,8 @@ static int process_udp(n2n_sn_t * sss,
 encode_PEER_INFO( encbuf, &encx, &cmn2, &pi );
 
 if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
- packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx);
+ packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx,
+ pearson_hash_16 (encbuf, encx));
 
 sendto( sss->sock, encbuf, encx, 0,
 (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );
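Review bot: process_udp exists in both sn.c and sn_utils.c, and every hunk in this file (@@ -506 through @@ -703) is a line-for-line repeat of its sn.c counterpart, so the new header-encryption call convention must now be kept in sync by hand in two places. If sn.c is being migrated into sn_utils.c the commit description should say so; otherwise a `/* NOTE: keep in sync with process_udp in sn.c */` comment at the top of this function (outside the hunks) would at least make the coupling visible. The two copies already differ in whitespace — @@ -585 here lacks the blank line its sn.c twin @@ -659 adds before `try_forward` — which is how such copies start to drift.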