
Save a little bit of RAM by getting rid of overkill CMWC4096 non-crypto PRNG and replacing it with a simple non-crypto PRNG that just uses Salsa20.

Adam Ierymenko 10 years ago
parent
commit
3f567a07ca
6 changed files with 32 additions and 104 deletions
  1. 0 91
      node/CMWC4096.hpp
  2. 2 3
      node/Multicaster.cpp
  3. 18 4
      node/Node.cpp
  4. 10 0
      node/Node.hpp
  5. 0 3
      node/RuntimeEnvironment.hpp
  6. 2 3
      node/Switch.cpp

+ 0 - 91
node/CMWC4096.hpp

@@ -1,91 +0,0 @@
-/*
- * ZeroTier One - Network Virtualization Everywhere
- * Copyright (C) 2011-2015  ZeroTier, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- *
- * --
- *
- * ZeroTier may be used and distributed under the terms of the GPLv3, which
- * are available at: http://www.gnu.org/licenses/gpl-3.0.html
- *
- * If you would like to embed ZeroTier into a commercial application or
- * redistribute it in a modified binary form, please contact ZeroTier Networks
- * LLC. Start here: http://www.zerotier.com/
- */
-
-#ifndef ZT_CMWC4096_HPP
-#define ZT_CMWC4096_HPP
-
-#include <stdint.h>
-#include "Utils.hpp"
-
-namespace ZeroTier {
-
-/** 
- * Complement Multiply With Carry random number generator
- *
- * Based on original code posted to Usenet in the public domain by
- * George Marsaglia. Period is approximately 2^131086.
- *
- * This is not used for cryptographic purposes but for a very fast
- * and high-quality PRNG elsewhere in the code.
- */
-class CMWC4096
-{
-public:
-	/**
-	 * Construct and initialize from secure random source
-	 */
-	CMWC4096()
-		throw()
-	{
-		Utils::getSecureRandom(Q,sizeof(Q));
-		Utils::getSecureRandom(&c,sizeof(c));
-		c %= 809430660;
-		i = 4095;
-	}
-
-	inline uint32_t next32()
-		throw()
-	{
-		uint32_t __i = ++i & 4095;
-		const uint64_t t = (18782ULL * (uint64_t)Q[__i]) + (uint64_t)c;
-		c = (uint32_t)(t >> 32);
-		uint32_t x = c + (uint32_t)t;
-		const uint32_t p = (uint32_t)(x < c); x += p; c += p;
-		return (Q[__i] = 0xfffffffe - x);
-	}
-
-	inline uint64_t next64()
-		throw()
-	{
-		return ((((uint64_t)next32()) << 32) ^ (uint64_t)next32());
-	}
-
-	inline double nextDouble()
-		throw()
-	{
-		return ((double)(next32()) / 4294967296.0);
-	}
-
-private:
-	uint32_t Q[4096];
-	uint32_t c;
-	uint32_t i;
-};
-
-} // namespace ZeroTier
-
-#endif

+ 2 - 3
node/Multicaster.cpp

@@ -35,7 +35,6 @@
 #include "Switch.hpp"
 #include "Packet.hpp"
 #include "Peer.hpp"
-#include "CMWC4096.hpp"
 #include "C25519.hpp"
 #include "CertificateOfMembership.hpp"
 
@@ -97,7 +96,7 @@ unsigned int Multicaster::gather(const Address &queryingPeer,uint64_t nwid,const
 		// will return different subsets of a large multicast group.
 		k = 0;
 		while ((added < limit)&&(k < gs->second.members.size())&&((appendTo.size() + ZT_ADDRESS_LENGTH) <= ZT_UDP_DEFAULT_PAYLOAD_MTU)) {
-			rptr = (unsigned int)RR->prng->next32();
+			rptr = (unsigned int)RR->node->prng();
 
 restart_member_scan:
 			a = gs->second.members[rptr % (unsigned int)gs->second.members.size()].address.toInt();
@@ -171,7 +170,7 @@ void Multicaster::send(
 		for(unsigned long i=0;i<gs.members.size();++i)
 			indexes[i] = i;
 		for(unsigned long i=(unsigned long)gs.members.size()-1;i>0;--i) {
-			unsigned long j = RR->prng->next32() % (i + 1);
+			unsigned long j = (unsigned long)RR->node->prng() % (i + 1);
 			unsigned long tmp = indexes[j];
 			indexes[j] = indexes[i];
 			indexes[i] = tmp;

+ 18 - 4
node/Node.cpp

@@ -37,7 +37,6 @@
 #include "Node.hpp"
 #include "RuntimeEnvironment.hpp"
 #include "NetworkController.hpp"
-#include "CMWC4096.hpp"
 #include "Switch.hpp"
 #include "Multicaster.hpp"
 #include "AntiRecursion.hpp"
@@ -76,6 +75,7 @@ Node::Node(
 	_eventCallback(eventCallback),
 	_networks(),
 	_networks_m(),
+	_prngStreamPtr(0),
 	_now(now),
 	_lastPingCheck(0),
 	_lastHousekeepingRun(0)
@@ -85,6 +85,15 @@ Node::Node(
 	_newestVersionSeen[2] = ZEROTIER_ONE_VERSION_REVISION;
 	_online = false;
 
+	// Use Salsa20 alone as a high-quality non-crypto PRNG
+	{
+		char foo[32];
+		Utils::getSecureRandom(foo,32);
+		_prng.init(foo,256,foo,8);
+		memset(_prngStream,0,sizeof(_prngStream));
+		_prng.encrypt(_prngStream,_prngStream,sizeof(_prngStream));
+	}
+
 	std::string idtmp(dataStoreGet("identity.secret"));
 	if ((!idtmp.length())||(!RR->identity.fromString(idtmp))||(!RR->identity.hasPrivate())) {
 		TRACE("identity.secret not found, generating...");
@@ -103,7 +112,6 @@ Node::Node(
 	}
 
 	try {
-		RR->prng = new CMWC4096();
 		RR->sw = new Switch(RR);
 		RR->mc = new Multicaster(RR);
 		RR->antiRec = new AntiRecursion();
@@ -115,7 +123,6 @@ Node::Node(
 		delete RR->antiRec;
 		delete RR->mc;
 		delete RR->sw;
-		delete RR->prng;
 		throw;
 	}
 
@@ -146,7 +153,6 @@ Node::~Node()
 	delete RR->antiRec;
 	delete RR->mc;
 	delete RR->sw;
-	delete RR->prng;
 }
 
 ZT1_ResultCode Node::processWirePacket(
@@ -510,6 +516,14 @@ void Node::postTrace(const char *module,unsigned int line,const char *fmt,...)
 }
 #endif // ZT_TRACE
 
+uint64_t Node::prng()
+{
+	unsigned int p = (++_prngStreamPtr % (sizeof(_prngStream) / sizeof(uint64_t)));
+	if (!p)
+		_prng.encrypt(_prngStream,_prngStream,sizeof(_prngStream));
+	return _prngStream[p];
+}
+
 } // namespace ZeroTier
 
 /****************************************************************************/
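Review bot: `Node::prng()` mutates shared state (`++_prngStreamPtr` and the in-place `_prng.encrypt(_prngStream,...)` refill) with no synchronization, so if Switch and Multicaster can call it from more than one thread — the node already carries `_backgroundTasksLock`, which suggests some concurrency, though the callers' threading is not visible here — two concurrent calls race on the counter and can read a half-rewritten `_prngStream` while another thread is refilling it; the old `CMWC4096` had the same shape, but this rewrite is the place to fix it. If those callers are not already serialized, add a `Mutex _prng_m;` next to the new members in Node.hpp and acquire it at the top of `prng()` using the project's `Mutex` type, the same way `_backgroundTasksLock` is declared. The counter arithmetic is otherwise sound: `unsigned int` wrap-around is a multiple of 16, so `++_prngStreamPtr % 16` stays in step with the refill, and the index-0 slot of the constructor's initial fill is merely skipped, not reused. The constructor hunk is partial (`Node::Node` begins before it), but `prng()` itself is fully visible.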

+ 10 - 0
node/Node.hpp

@@ -44,6 +44,7 @@
 #include "MAC.hpp"
 #include "Network.hpp"
 #include "Path.hpp"
+#include "Salsa20.hpp"
 
 #undef TRACE
 #ifdef ZT_TRACE
@@ -219,6 +220,11 @@ public:
 	void postTrace(const char *module,unsigned int line,const char *fmt,...);
 #endif
 
+	/**
+	 * @return Next 64-bit random number (not for cryptographic use)
+	 */
+	uint64_t prng();
+
 private:
 	inline SharedPtr<Network> _network(uint64_t nwid) const
 	{
@@ -253,6 +259,10 @@ private:
 
 	Mutex _backgroundTasksLock;
 
+	unsigned int _prngStreamPtr;
+	Salsa20 _prng;
+	uint64_t _prngStream[16]; // repeatedly encrypted with _prng to yield a high-quality non-crypto PRNG stream
+
 	uint64_t _now;
 	uint64_t _lastPingCheck;
 	uint64_t _lastHousekeepingRun;
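Review bot: The declaration of `prng()` is the only place callers will look, and "not for cryptographic use" does not say what that rules out or what the caller may assume about concurrency; since the output now comes from a `Salsa20` instance keyed once at construction (with its IV taken from the same 32-byte buffer as the key, per the Node.cpp hunk), the contract should be spelled out. Suggested doc comment: `/** @return Next 64-bit random number from a Salsa20-based generator seeded once at construction. NOT for cryptographic use: do not use for keys, nonces, or anything an attacker must not predict. Thread-safety: not synchronized internally — confirm callers serialize. */` (three lines when wrapped). The `_prngStream` field comment could likewise note that the buffer is refilled in place every 16 calls, which is the invariant `prng()` relies on.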

+ 0 - 3
node/RuntimeEnvironment.hpp

@@ -38,7 +38,6 @@ namespace ZeroTier {
 class NodeConfig;
 class Switch;
 class Topology;
-class CMWC4096;
 class Node;
 class Multicaster;
 class AntiRecursion;
@@ -55,7 +54,6 @@ public:
 		node(n),
 		identity(),
 		localNetworkController((NetworkController *)0),
-		prng((CMWC4096 *)0),
 		sw((Switch *)0),
 		mc((Multicaster *)0),
 		antiRec((AntiRecursion *)0),
@@ -83,7 +81,6 @@ public:
 	 * These are constant and never null after startup unless indicated.
 	 */
 
-	CMWC4096 *prng;
 	Switch *sw;
 	Multicaster *mc;
 	AntiRecursion *antiRec;

+ 2 - 3
node/Switch.cpp

@@ -42,7 +42,6 @@
 #include "InetAddress.hpp"
 #include "Topology.hpp"
 #include "Peer.hpp"
-#include "CMWC4096.hpp"
 #include "AntiRecursion.hpp"
 #include "Packet.hpp"
 
@@ -236,7 +235,7 @@ void Switch::onLocalEthernet(const SharedPtr<Network> &network,const MAC &from,c
 				while (numBridges < ZT_MAX_BRIDGE_SPAM) {
 					if (ab == nconf->activeBridges().end())
 						ab = nconf->activeBridges().begin();
-					if (((unsigned long)RR->prng->next32() % (unsigned long)nconf->activeBridges().size()) == 0) {
+					if (((unsigned long)RR->node->prng() % (unsigned long)nconf->activeBridges().size()) == 0) {
 						bridges[numBridges++] = *ab;
 						++ab;
 					} else ++ab;
@@ -327,7 +326,7 @@ bool Switch::unite(const Address &p1,const Address &p2,bool force)
 	 * the order we make each attempted NAT-t favor one or the other going
 	 * first, meaning if it doesn't succeed the first time it might the second
 	 * and so forth. */
-	unsigned int alt = RR->prng->next32() & 1;
+	unsigned int alt = (unsigned int)RR->node->prng() & 1;
 	unsigned int completed = alt + 2;
 	while (alt != completed) {
 		if ((alt & 1) == 0) {
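Review bot: In the `onLocalEthernet` hunk, `RR->node->prng() % (unsigned long)nconf->activeBridges().size()` divides by zero if `activeBridges()` is ever empty; the surrounding `while (numBridges < ZT_MAX_BRIDGE_SPAM)` loop with its wrap-to-`begin()` would also never terminate on an empty set, so a non-empty guard presumably exists above the hunk — worth confirming rather than assuming, since the commit touches this line. If no such guard exists, `if (nconf->activeBridges().empty()) break;` before the loop (or an equivalent check at the call site) closes both problems. `onLocalEthernet` begins outside the hunk, so the guard may simply be out of view.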