Some prep work to make room for perfect forward security (PFS). Will not affect existing clients.

2024-12-30 09:48:54 +00:00 · 2015-05-13 18:53:37 -07:00 · 2015-05-13 18:53:37 -07:00 · a8835cd8b3
commit a8835cd8b3
parent bdce679d84
2 changed files with 20 additions and 21 deletions
--- a/node/Packet.cpp
+++ b/node/Packet.cpp
@ -118,8 +118,6 @@ bool Packet::dearmor(const void *key)
 			s20.decrypt(payload,payload,payloadLen);
 		return true;
 	} else if (cs == ZT_PROTO_CIPHER_SUITE__C25519_AES256_GCM) {
 		return false; // not implemented yet
 	} else return false; // unrecognized cipher suite
 }
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@ -99,14 +99,12 @@
 #define ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012 1
 /**
- * Cipher suite: Curve25519/AES256-GCM
+ * DEPRECATED payload encrypted flag, will be removed for re-use soon.
 *
- * This specifies AES256 in GCM mode using GCM's built-in authentication
+ * This has been replaced by the two-bit cipher suite selection field where
- * with Curve25519 elliptic curve Diffie-Hellman.
+ * a value of 0 indicated unencrypted (but authenticated) messages.
 *
 * (Not implemented yet in client but reserved for future use.)
 */
-#define ZT_PROTO_CIPHER_SUITE__C25519_AES256_GCM 2
+#define ZT_PROTO_FLAG_ENCRYPTED 0x80
 /**
 * Header flag indicating that a packet is fragmented
@ -116,6 +114,13 @@
 */
 #define ZT_PROTO_FLAG_FRAGMENTED 0x40
 /**
 * Flag indicating encryption with a PFS session key
 *
 * Not used yet -- for future PFS session re-keying support.
 */
 #define ZT_PROTO_FLAG_PFS_SESSION 0x20
 /**
 * Verb flag indicating payload is compressed with LZ4
 */
@ -293,9 +298,9 @@ namespace ZeroTier {
 * 
 * Packets smaller than 28 bytes are invalid and silently discarded.
 *
- * The flags/cipher/hops bit field is: FFCCCHHH where C is a 3-bit cipher
+ * The flags/cipher/hops bit field is: FFFCCHHH where C is a 2-bit cipher
- * selection allowing up to 8 cipher suites, F is flags (reserved, currently
+ * selection allowing up to 4 cipher suites, F is outside-envelope flags,
- * all zero), and H is hop count.
+ * and H is hop count.
 *
 * The three-bit hop count is the only part of a packet that is mutable in
 * transit without invalidating the MAC. All other bits in the packet are
@ -968,25 +973,21 @@ public:
 	 */
 	inline unsigned int cipher() const
 	{
-		//return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x38) >> 3);
+		// Note: this uses the new cipher spec field, which is incompatible with <1.0.0 peers
-		// Use DEPRECATED 0x80 "encrypted" flag -- this will go away once there are no more <1.0.0 peers on the net
+		return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x18) >> 3);
 		return (((*this)[ZT_PACKET_IDX_FLAGS] & 0x80) == 0) ? ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE : ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012;
 	}
 	/**
 	 * Set this packet's cipher suite
 	 *
 	 * This normally shouldn't be called directly as armor() will set it after
 	 * encrypting and MACing the packet.
 	 */
 	inline void setCipher(unsigned int c)
 	{
 		unsigned char &b = (*this)[ZT_PACKET_IDX_FLAGS];
-		b = (b & 0xc7) | (unsigned char)((c << 3) & 0x38);
+		b = (b & 0xe7) | (unsigned char)((c << 3) & 0x18); // bits: FFFCCHHH
-		// Set both the new cipher suite spec field and the old DEPRECATED "encrypted" flag as long as there's <1.0.0 peers online
+		// DEPRECATED "encrypted" flag -- used by pre-1.0.3 peers
 		if (c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012)
-			b |= 0x80;
+			b |= ZT_PROTO_FLAG_ENCRYPTED;
-		else b &= 0x7f;
+		else b &= (~ZT_PROTO_FLAG_ENCRYPTED);
 	}
 	/**