ZeroTierOne/node/Identity.cpp

173 lines
5.2 KiB
C++
Raw Normal View History

/*
* ZeroTier One - Global Peer to Peer Ethernet
* Copyright (C) 2012-2013 ZeroTier Networks LLC
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* --
*
* ZeroTier may be used and distributed under the terms of the GPLv3, which
* are available at: http://www.gnu.org/licenses/gpl-3.0.html
*
* If you would like to embed ZeroTier into a commercial application or
* redistribute it in a modified binary form, please contact ZeroTier Networks
* LLC. Start here: http://www.zerotier.com/
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include "Identity.hpp"
namespace ZeroTier {
void Identity::generate()
{
C25519::Pair kp;
do {
kp = C25519::generate();
_address = deriveAddress(kp.pub.data,kp.pub.size());
} while (_address.isReserved());
_publicKey = kp.pub;
if (!_privateKey)
_privateKey = new C25519::Private();
*_privateKey = kp.priv;
unsigned char tmp[ZT_ADDRESS_LENGTH + ZT_C25519_PUBLIC_KEY_LEN];
_address.copyTo(tmp,ZT_ADDRESS_LENGTH);
memcpy(tmp + ZT_ADDRESS_LENGTH,_publicKey.data,ZT_C25519_PUBLIC_KEY_LEN);
_signature = C25519::sign(kp,tmp,sizeof(tmp));
}
bool Identity::locallyValidate(bool doAddressDerivationCheck) const
{
unsigned char tmp[ZT_ADDRESS_LENGTH + ZT_C25519_PUBLIC_KEY_LEN];
_address.copyTo(tmp,ZT_ADDRESS_LENGTH);
memcpy(tmp + ZT_ADDRESS_LENGTH,_publicKey.data,ZT_C25519_PUBLIC_KEY_LEN);
if (!C25519::verify(_publicKey,tmp,sizeof(tmp),_signature))
return false;
if ((doAddressDerivationCheck)&&(deriveAddress(_publicKey.data,_publicKey.size()) != _address))
return false;
return true;
}
std::string Identity::toString(bool includePrivate) const
{
std::string r;
r.append(_address.toString());
r.append(":2:"); // 2 == IDENTITY_TYPE_C25519
r.append(Utils::hex(_publicKey.data,_publicKey.size()));
r.push_back(':');
r.append(Utils::hex(_signature.data,_signature.size()));
if ((_privateKey)&&(includePrivate)) {
r.push_back(':');
r.append(Utils::hex(_privateKey.data,_privateKey.size()));
}
return r;
}
bool Identity::fromString(const char *str)
{
char *saveptr = (char *)0;
char tmp[4096];
if (!Utils::scopy(tmp,sizeof(tmp),str))
return false;
delete _privateKey;
_privateKey = (C25519::Private *)0;
int fno = 0;
for(char *f=Utils::stok(tmp,":",&saveptr);(f);f=Utils::stok((char *)0,":",&saveptr)) {
switch(fno++) {
case 0:
_address = Address(f);
if (_address.isReserved())
return false;
break;
case 1:
if (strcmp(f,"2"))
return false;
break;
case 2:
if (Utils::unhex(f,_publicKey.data,_publicKey.size()) != _publicKey.size())
return false;
break;
case 3:
if (Utils::unhex(f,_signature.data,_signature.size()) != _signature.size())
return false;
break;
case 4:
_privateKey = new C25519::Private();
if (Utils::unhex(f,_privateKey->data,_privateKey->size()) != _privateKey->size())
return false;
break;
default:
return false;
}
}
if (fno < 4)
return false;
return true;
}
// These are fixed parameters and can't be changed without a new
// identity type.
#define ZT_IDENTITY_DERIVEADDRESS_DIGESTS 540672
#define ZT_IDENTITY_DERIVEADDRESS_ROUNDS 4
Address Identity::deriveAddress(const void *keyBytes,unsigned int keyLen)
{
/*
* Sequential memory-hard algorithm wedding address to public key
*
* Conventional hashcash with long computations and quick verifications
* unfortunately cannot be used here. If that were used, it would be
* equivalently costly to simply increment/vary the public key and find
* a collision as it would be to find the address. We need something
* that creates a costly 1:~1 mapping from key to address, hence this
* algorithm.
*
* Search for "sequential memory hard algorithm" for academic references
* to similar concepts.
*/
unsigned char finalDigest[ZT_SHA512_DIGEST_LEN];
unsigned char *digests = new unsigned char[ZT_SHA512_DIGEST_LEN * ZT_IDENTITY_DERIVEADDRESS_DIGESTS];
SHA512::hash(finalDigest,keyBytes,keyLen);
for(unsigned int i=0;i<(unsigned int)sizeof(digests);++i)
digests[i] = ((const unsigned char *)keyBytes)[i % keyLen];
for(unsigned int r=0;r<ZT_IDENTITY_DERIVEADDRESS_ROUNDS;++r) {
for(unsigned int i=0;i<(ZT_SHA512_DIGEST_LEN * ZT_IDENTITY_DERIVEADDRESS_DIGESTS);++i)
digests[i] ^= finalDigest[i % ZT_SHA512_DIGEST_LEN];
for(unsigned int d=0;d<ZT_IDENTITY_DERIVEADDRESS_DIGESTS;++d)
SHA512::hash(digests + (ZT_SHA512_DIGEST_LEN * d),digests,ZT_SHA512_DIGEST_LEN * ZT_IDENTITY_DERIVEADDRESS_DIGESTS);
SHA512::hash(finalDigest,digests,ZT_SHA512_DIGEST_LEN * ZT_IDENTITY_DERIVEADDRESS_DIGESTS);
}
delete [] digests;
return Address(finalDigest,ZT_ADDRESS_LENGTH); // first 5 bytes of dig[]
}
} // namespace ZeroTier