blended checksum into header iv

src/edge_utils.c

@@ -258,7 +258,7 @@ n2n_edge_t* edge_init(const tuntap_dev *dev, const n2n_edge_conf_t *conf, int *r
   /* Set the key schedule (context) for header encryption if enabled */
   if(conf->header_encryption == HEADER_ENCRYPTION_ENABLED) {
     traceEvent(TRACE_NORMAL, "Header encryption is enabled.");
-    packet_header_setup_key ((char *)(conf->community_name), &(eee->conf.header_encryption_ctx));
+    packet_header_setup_key ((char *)(conf->community_name), &(eee->conf.header_encryption_ctx),&(eee->conf.header_iv_ctx));
   }
 
   if(eee->transop.no_encryption)
@@ -743,7 +743,8 @@ static void send_register_super(n2n_edge_t * eee,
 	     sock_to_cstr(sockbuf, supernode));
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
-    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+                                        pearson_hash_16 (pktbuf, idx));
 
   /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, supernode);
 }
@@ -774,7 +775,8 @@ static void send_query_peer( n2n_edge_t * eee,
   traceEvent( TRACE_DEBUG, "send QUERY_PEER to supernode" );
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
-    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+                                        pearson_hash_16 (pktbuf, idx));
 
   sendto_sock( eee->udp_sock, pktbuf, idx, &(eee->supernode) );
 }
@@ -820,7 +822,8 @@ static void send_register(n2n_edge_t * eee,
 	     sock_to_cstr(sockbuf, remote_peer));
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
-    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+                                        pearson_hash_16 (pktbuf, idx));
 
   /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer);
 }
@@ -862,7 +865,8 @@ static void send_register_ack(n2n_edge_t * eee,
 	     sock_to_cstr(sockbuf, remote_peer));
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
-    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
+    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
+                                        pearson_hash_16 (pktbuf, idx));
 
   /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer);
 }
@@ -1459,8 +1463,7 @@ static void send_packet2net(n2n_edge_t * eee,
   idx=0;
   encode_PACKET(pktbuf, &idx, &cmn, &pkt);
 
-  if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
+  uint16_t headerIdx = idx;
-    packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx);
 
   idx += eee->transop.fwd(&eee->transop,
 			  pktbuf+idx, N2N_PKT_BUF_SIZE-idx,
@@ -1469,6 +1472,10 @@ static void send_packet2net(n2n_edge_t * eee,
   traceEvent(TRACE_DEBUG, "Encode %u B PACKET [%u B data, %u B overhead] transform %u",
 	     (u_int)idx, (u_int)len, (u_int)(idx-len), tx_transop_idx);
 
+  if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
+    packet_header_encrypt (pktbuf, headerIdx, eee->conf.header_encryption_ctx,
+                                              pearson_hash_16 (pktbuf, idx));
+
 #ifdef MTU_ASSERT_VALUE
   {
     const u_int eth_udp_overhead = ETH_FRAMESIZE + IP4_MIN_SIZE + UDP_SIZE;

src/sn.c

@@ -408,7 +408,7 @@ static int load_allowed_sn_community(n2n_sn_t *sss, char *path) {
       /* we do not know if header encryption is used in this community,
        * first packet will show. just in case, setup the key.           */
       s->header_encryption = HEADER_ENCRYPTION_UNKNOWN;
-      packet_header_setup_key (s->community, &(s->header_encryption_ctx));
+      packet_header_setup_key (s->community, &(s->header_encryption_ctx), &(s->header_iv_ctx));
       HASH_ADD_STR(sss->communities, community, s);
 
       num_communities++;
@@ -580,12 +580,14 @@ static int process_udp(n2n_sn_t * sss,
 
       /* Re-encode the header. */
       encode_PACKET(encbuf, &encx, &cmn2, &pkt);
-
+      uint16_t oldEncx = encx;
-      if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx);
 
       /* Copy the original payload unchanged */
       encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
+
+      if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
+        packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx,
+                                                 pearson_hash_16 (rec_buf, encx));
     } else {
       /* Already from a supernode. Nothing to modify, just pass to
        * destination. */
@@ -596,7 +598,8 @@ static int process_udp(n2n_sn_t * sss,
       encx = udp_size;
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+        packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (rec_buf, udp_size));
     }
 
     /* Common section to forward the final product. */
@@ -647,7 +650,7 @@ static int process_udp(n2n_sn_t * sss,
 
 	/* Re-encode the header. */
 	encode_REGISTER(encbuf, &encx, &cmn2, &reg);
-
+// !!! does this ever happen? does REGISTER ever come with a payload ??? !!!
 	/* Copy the original payload unchanged */
 	encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
       } else {
@@ -659,7 +662,9 @@ static int process_udp(n2n_sn_t * sss,
       }
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+        packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx,
+                                              pearson_hash_16 (rec_buf, encx));
+
 
       try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */
     } else
@@ -730,7 +735,8 @@ static int process_udp(n2n_sn_t * sss,
       encode_REGISTER_SUPER_ACK(ackbuf, &encx, &cmn2, &ack);
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx);
+        packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (ackbuf, encx));
 
       sendto(sss->sock, ackbuf, encx, 0,
 	     (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in));
@@ -777,7 +783,8 @@ static int process_udp(n2n_sn_t * sss,
       encode_PEER_INFO( encbuf, &encx, &cmn2, &pi );
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx);
+        packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (encbuf, encx));
 
       sendto( sss->sock, encbuf, encx, 0,
 	      (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );

src/sn_utils.c

@@ -506,12 +506,15 @@ static int process_udp(n2n_sn_t * sss,
 
       /* Re-encode the header. */
       encode_PACKET(encbuf, &encx, &cmn2, &pkt);
-
+      uint16_t oldEncx = encx;
-      if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx);
 
       /* Copy the original payload unchanged */
       encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
+
+      if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
+        packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx,
+                                                 pearson_hash_16 (rec_buf, encx));
+
     } else {
       /* Already from a supernode. Nothing to modify, just pass to
        * destination. */
@@ -522,7 +525,8 @@ static int process_udp(n2n_sn_t * sss,
       encx = udp_size;
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+        packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (rec_buf, udp_size));
     }
 
     /* Common section to forward the final product. */
@@ -573,7 +577,7 @@ static int process_udp(n2n_sn_t * sss,
 
 	/* Re-encode the header. */
 	encode_REGISTER(encbuf, &encx, &cmn2, &reg);
-
+// !!! does this ever happen? does REGISTER ever come with a payload ??? !!!
 	/* Copy the original payload unchanged */
 	encode_buf(encbuf, &encx, (udp_buf + idx), (udp_size - idx));
       } else {
@@ -585,7 +589,8 @@ static int process_udp(n2n_sn_t * sss,
       }
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx);
+        packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (rec_buf, encx));
 
       try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */
     } else
@@ -656,7 +661,8 @@ static int process_udp(n2n_sn_t * sss,
       encode_REGISTER_SUPER_ACK(ackbuf, &encx, &cmn2, &ack);
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx);
+        packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (ackbuf, encx));
 
       sendto(sss->sock, ackbuf, encx, 0,
 	     (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in));
@@ -703,7 +709,8 @@ static int process_udp(n2n_sn_t * sss,
       encode_PEER_INFO( encbuf, &encx, &cmn2, &pi );
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
-        packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx);
+        packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx,
+                                             pearson_hash_16 (encbuf, encx));
 
       sendto( sss->sock, encbuf, encx, 0,
 	      (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );