added encryption step

include/header_encryption.h

@@ -22,7 +22,7 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint16_t packet_len,
 
 
 int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx,
-                               uint16_t checksum);
+                               he_context_t * ctx_iv, uint16_t checksum);
 
 
 void packet_header_setup_key (const char * community_name, he_context_t ** ctx,

src/edge_utils.c

@@ -744,7 +744,7 @@ static void send_register_super(n2n_edge_t * eee,
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
     packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
-                                        pearson_hash_16 (pktbuf, idx));
+                                        eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx));
 
   /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, supernode);
 }
@@ -776,7 +776,7 @@ static void send_query_peer( n2n_edge_t * eee,
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
     packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
-                                        pearson_hash_16 (pktbuf, idx));
+                                        eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx));
 
   sendto_sock( eee->udp_sock, pktbuf, idx, &(eee->supernode) );
 }
@@ -823,7 +823,7 @@ static void send_register(n2n_edge_t * eee,
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
     packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
-                                        pearson_hash_16 (pktbuf, idx));
+                                        eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx));
 
   /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer);
 }
@@ -866,7 +866,7 @@ static void send_register_ack(n2n_edge_t * eee,
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
     packet_header_encrypt (pktbuf, idx, eee->conf.header_encryption_ctx,
-                                        pearson_hash_16 (pktbuf, idx));
+                                        eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx));
 
   /* sent = */ sendto_sock(eee->udp_sock, pktbuf, idx, remote_peer);
 }
@@ -1474,7 +1474,7 @@ static void send_packet2net(n2n_edge_t * eee,
 
   if(eee->conf.header_encryption == HEADER_ENCRYPTION_ENABLED)
     packet_header_encrypt (pktbuf, headerIdx, eee->conf.header_encryption_ctx,
-                                              pearson_hash_16 (pktbuf, idx));
+                                              eee->conf.header_iv_ctx, pearson_hash_16 (pktbuf, idx));
 
 #ifdef MTU_ASSERT_VALUE
   {

src/header_encryption.c

@@ -57,7 +57,7 @@ uint32_t packet_header_decrypt (uint8_t packet[], uint16_t packet_len,
 /* ********************************************************************** */
 
 int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_t * ctx,
-                               uint16_t checksum) {
+                               he_context_t * ctx_iv, uint16_t checksum) {
 
   uint8_t iv[16];
   uint16_t *iv16 = (uint16_t*)&iv;
@@ -76,6 +76,8 @@ int32_t packet_header_encrypt (uint8_t packet[], uint8_t header_len, he_context_
   iv16[4] = n2n_rand ();
   iv16[5] = htobe16 (checksum);
   iv32[3] = htobe32 (magic);
+  // blend checksum into 96-bit IV
+  speck_he_iv_encrypt (iv, (speck_context_t*)ctx_iv);
 
   memcpy (packet, iv, 16);
   packet[15] = header_len;

src/sn.c

@@ -587,7 +587,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx,
-                                                 pearson_hash_16 (rec_buf, encx));
+                                                 comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx));
     } else {
       /* Already from a supernode. Nothing to modify, just pass to
        * destination. */
@@ -599,7 +599,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (rec_buf, udp_size));
+                                             comm->header_iv_ctx, pearson_hash_16 (rec_buf, udp_size));
     }
 
     /* Common section to forward the final product. */
@@ -663,7 +663,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx,
-                                              pearson_hash_16 (rec_buf, encx));
+                                              comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx));
 
 
       try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */
@@ -736,7 +736,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (ackbuf, encx));
+                                             comm->header_iv_ctx, pearson_hash_16 (ackbuf, encx));
 
       sendto(sss->sock, ackbuf, encx, 0,
 	     (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in));
@@ -784,7 +784,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (encbuf, encx));
+                                             comm->header_iv_ctx, pearson_hash_16 (encbuf, encx));
 
       sendto( sss->sock, encbuf, encx, 0,
 	      (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );

src/sn_utils.c

@@ -513,7 +513,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (rec_buf, oldEncx, comm->header_encryption_ctx,
-                                                 pearson_hash_16 (rec_buf, encx));
+                                                 comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx));
 
     } else {
       /* Already from a supernode. Nothing to modify, just pass to
@@ -526,7 +526,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (rec_buf, idx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (rec_buf, udp_size));
+                                             comm->header_iv_ctx, pearson_hash_16 (rec_buf, udp_size));
     }
 
     /* Common section to forward the final product. */
@@ -590,7 +590,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (rec_buf, encx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (rec_buf, encx));
+                                             comm->header_iv_ctx, pearson_hash_16 (rec_buf, encx));
 
       try_forward(sss, comm, &cmn, reg.dstMac, rec_buf, encx); /* unicast only */
     } else
@@ -662,7 +662,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (ackbuf, encx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (ackbuf, encx));
+                                             comm->header_iv_ctx, pearson_hash_16 (ackbuf, encx));
 
       sendto(sss->sock, ackbuf, encx, 0,
 	     (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in));
@@ -710,7 +710,7 @@ static int process_udp(n2n_sn_t * sss,
 
       if (comm->header_encryption == HEADER_ENCRYPTION_ENABLED)
         packet_header_encrypt (encbuf, encx, comm->header_encryption_ctx,
-                                             pearson_hash_16 (encbuf, encx));
+                                             comm->header_iv_ctx, pearson_hash_16 (encbuf, encx));
 
       sendto( sss->sock, encbuf, encx, 0,
 	      (struct sockaddr *)sender_sock, sizeof(struct sockaddr_in) );