Specify start of extended encryption.

node/Packet.cpp

@@ -1005,9 +1005,13 @@ static inline int LZ4_decompress_safe(const char* source, char* dest, int compre
 
 const unsigned char Packet::ZERO_KEY[32] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
 
-void Packet::armor(const void *key,bool encryptPayload,const AES aesKeys[2])
+void Packet::armor(const void *key,bool encryptPayload,bool extendedArmor,const AES aesKeys[2],const Identity &identity)
 {
 	uint8_t *const data = reinterpret_cast<uint8_t *>(unsafeData());
+
+	if (extendedArmor) {
+	}
+
 	if ((aesKeys) && (encryptPayload)) {
 		setCipher(ZT_PROTO_CIPHER_SUITE__AES_GMAC_SIV);
 
@@ -1066,7 +1070,7 @@ void Packet::armor(const void *key,bool encryptPayload,const AES aesKeys[2])
 	}
 }
 
-bool Packet::dearmor(const void *key,const AES aesKeys[2])
+bool Packet::dearmor(const void *key,const AES aesKeys[2],const Identity &identity)
 {
 	uint8_t *const data = reinterpret_cast<uint8_t *>(unsafeData());
 	const unsigned int payloadLen = size() - ZT_PACKET_IDX_VERB;

node/Packet.hpp

@@ -29,6 +29,7 @@
 #include "AES.hpp"
 #include "Utils.hpp"
 #include "Buffer.hpp"
+#include "Identity.hpp"
 
 /**
  * Protocol version -- incremented only for major changes
@@ -180,6 +181,11 @@
 #define ZT_PACKET_IDX_VERB 27
 #define ZT_PACKET_IDX_PAYLOAD 28
 
+/**
+ * Index where extended armor encryption starts (right after flags, before MAC)
+ */
+#define ZT_PACKET_IDX_EXTENDED_ARMOR_START ZT_PACKET_IDX_MAC
+
 /**
  * Packet buffer size (can be changed)
  */
@@ -744,12 +750,12 @@ public:
 		 *
 		 * ERROR response payload:
 		 *   <[8] 64-bit network ID>
-     *   <[2] 16-bit length of error-related data (optional)>
+		 *   <[2] 16-bit length of error-related data (optional)>
-     *   <[...] error-related data (optional)>
+		 *   <[...] error-related data (optional)>
-     *
+		 *
-     * Error related data is a Dictionary containing things like a URL
+		 * Error related data is a Dictionary containing things like a URL
-     * for authentication or a human-readable error message, and is
+		 * for authentication or a human-readable error message, and is
-     * optional and may be absent or empty.
+		 * optional and may be absent or empty.
 		 */
 		VERB_NETWORK_CONFIG_REQUEST = 0x0b,
 
@@ -1283,7 +1289,7 @@ public:
 	 * @param encryptPayload If true, encrypt packet payload, else just MAC
 	 * @param aesKeys If non-NULL these are the two keys for AES-GMAC-SIV
 	 */
-	void armor(const void *key,bool encryptPayload,const AES aesKeys[2]);
+	void armor(const void *key,bool encryptPayload,bool extendedArmor,const AES aesKeys[2],const Identity &identity);
 
 	/**
 	 * Verify and (if encrypted) decrypt packet
@@ -1296,7 +1302,7 @@ public:
 	 * @param aesKeys If non-NULL these are the two keys for AES-GMAC-SIV
 	 * @return False if packet is invalid or failed MAC authenticity check
 	 */
-	bool dearmor(const void *key,const AES aesKeys[2]);
+	bool dearmor(const void *key,const AES aesKeys[2],const Identity &identity);
 
 	/**
 	 * Encrypt/decrypt a separately armored portion of a packet