From c483f75fb43ee8a60bc8824e8931f6161ef6d717 Mon Sep 17 00:00:00 2001 From: Adam Ierymenko Date: Thu, 15 Aug 2019 15:32:16 -0700 Subject: [PATCH] cleanup --- node/IncomingPacket.cpp | 2 +- node/Packet.cpp | 10 ++--- node/Packet.hpp | 85 +++-------------------------------------- 3 files changed, 11 insertions(+), 86 deletions(-) diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp index f39c78281..78332a40d 100644 --- a/node/IncomingPacket.cpp +++ b/node/IncomingPacket.cpp @@ -70,7 +70,7 @@ bool IncomingPacket::tryDecode(const RuntimeEnvironment *RR,void *tPtr) RR->t->incomingPacketMessageAuthenticationFailure(tPtr,_path,packetId(),sourceAddress,hops(),"path not trusted"); return true; } - } else if ((c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE)&&(verb() == Packet::VERB_HELLO)) { + } else if ((c == ZT_PROTO_CIPHER_SUITE__POLY1305_NONE)&&(verb() == Packet::VERB_HELLO)) { // Only HELLO is allowed in the clear, but will still have a MAC return _doHELLO(RR,tPtr,false); } diff --git a/node/Packet.cpp b/node/Packet.cpp index 8f38fe78c..f20b54368 100644 --- a/node/Packet.cpp +++ b/node/Packet.cpp @@ -895,7 +895,7 @@ void Packet::armor(const void *key,bool encryptPayload) uint8_t *const data = reinterpret_cast(unsafeData()); // Set flag now, since it affects key mangle function - setCipher(encryptPayload ? ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012 : ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE); + setCipher(encryptPayload ? ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012 : ZT_PROTO_CIPHER_SUITE__POLY1305_NONE); _salsa20MangleKey((const unsigned char *)key,mangledKey); @@ -933,11 +933,11 @@ bool Packet::dearmor(const void *key) unsigned char *const payload = data + ZT_PACKET_IDX_VERB; const unsigned int cs = cipher(); - if ((cs == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE)||(cs == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012)) { + if ((cs == ZT_PROTO_CIPHER_SUITE__POLY1305_NONE)||(cs == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012)) { _salsa20MangleKey((const unsigned char *)key,mangledKey); if (ZT_HAS_FAST_CRYPTO()) { uint64_t keyStream[(ZT_PROTO_MAX_PACKET_LENGTH + 64 + 8) / 8]; - ZT_FAST_SINGLE_PASS_SALSA2012(keyStream,((cs == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) ? (payloadLen + 64) : 64),(data + ZT_PACKET_IDX_IV),mangledKey); + ZT_FAST_SINGLE_PASS_SALSA2012(keyStream,((cs == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012) ? (payloadLen + 64) : 64),(data + ZT_PACKET_IDX_IV),mangledKey); uint64_t mac[2]; poly1305(mac,payload,payloadLen,keyStream); #ifdef ZT_NO_TYPE_PUNNING @@ -947,7 +947,7 @@ bool Packet::dearmor(const void *key) if ((*reinterpret_cast(data + ZT_PACKET_IDX_MAC)) != mac[0]) // also secure, constant time return false; #endif - if (cs == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) + if (cs == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012) Salsa20::memxor(data + ZT_PACKET_IDX_VERB,reinterpret_cast(keyStream + 8),payloadLen); } else { Salsa20 s20(mangledKey,data + ZT_PACKET_IDX_IV); @@ -962,7 +962,7 @@ bool Packet::dearmor(const void *key) if ((*reinterpret_cast(data + ZT_PACKET_IDX_MAC)) != mac[0]) // also secure, constant time return false; #endif - if (cs == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) + if (cs == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012) s20.crypt12(payload,payload,payloadLen); } diff --git a/node/Packet.hpp b/node/Packet.hpp index 52e248d0d..3a2780ded 100644 --- a/node/Packet.hpp +++ b/node/Packet.hpp @@ -94,26 +94,14 @@ #define ZT_PROTO_MAX_HOPS 7 /** - * Cipher suite: Curve25519/Poly1305/Salsa20/12/NOCRYPT - * - * This specifies Poly1305 MAC using a 32-bit key derived from the first - * 32 bytes of a Salsa20/12 keystream as in the Salsa20/12 cipher suite, - * but the payload is not encrypted. This is currently only used to send - * HELLO since that's the public key specification packet and must be - * sent in the clear. Key agreement is performed using Curve25519 elliptic - * curve Diffie-Hellman. + * Cipher suite: Poly1305/NONE */ -#define ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_NONE 0 +#define ZT_PROTO_CIPHER_SUITE__POLY1305_NONE 0 /** - * Cipher suite: Curve25519/Poly1305/Salsa20/12 - * - * This specifies Poly1305 using the first 32 bytes of a Salsa20/12 key - * stream as its one-time-use key followed by payload encryption with - * the remaining Salsa20/12 key stream. Key agreement is performed using - * Curve25519 elliptic curve Diffie-Hellman. + * Cipher suite: Poly1305/Salsa2012 */ -#define ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012 1 +#define ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012 1 /** * Cipher suite: NONE @@ -147,69 +135,6 @@ */ #define ZT_PROTO_VERB_FLAG_COMPRESSED 0x80 -/** - * Rounds used for Salsa20 encryption in ZT - * - * Discussion: - * - * DJB (Salsa20's designer) designed Salsa20 with a significant margin of 20 - * rounds, but has said repeatedly that 12 is likely sufficient. So far (as of - * July 2015) there are no published attacks against 12 rounds, let alone 20. - * - * In cryptography, a "break" means something different from what it means in - * common discussion. If a cipher is 256 bits strong and someone finds a way - * to reduce key search to 254 bits, this constitutes a "break" in the academic - * literature. 254 bits is still far beyond what can be leveraged to accomplish - * a "break" as most people would understand it -- the actual decryption and - * reading of traffic. - * - * Nevertheless, "attacks only get better" as cryptographers like to say. As - * a result, they recommend not using anything that's shown any weakness even - * if that weakness is so far only meaningful to academics. It may be a sign - * of a deeper problem. - * - * So why choose a lower round count? - * - * Turns out the speed difference is nontrivial. On a Macbook Pro (Core i3) 20 - * rounds of SSE-optimized Salsa20 achieves ~508mb/sec/core, while 12 rounds - * hits ~832mb/sec/core. ZeroTier is designed for multiple objectives: - * security, simplicity, and performance. In this case a deference was made - * for performance. - * - * Meta discussion: - * - * The cipher is not the thing you should be paranoid about. - * - * I'll qualify that. If the cipher is known to be weak, like RC4, or has a - * key size that is too small, like DES, then yes you should worry about - * the cipher. - * - * But if the cipher is strong and your adversary is anyone other than the - * intelligence apparatus of a major superpower, you are fine in that - * department. - * - * Go ahead. Search for the last ten vulnerabilities discovered in SSL. Not - * a single one involved the breaking of a cipher. Now broaden your search. - * Look for issues with SSH, IPSec, etc. The only cipher-related issues you - * will find might involve the use of RC4 or MD5, algorithms with known - * issues or small key/digest sizes. But even weak ciphers are difficult to - * exploit in the real world -- you usually need a lot of data and a lot of - * compute time. No, virtually EVERY security vulnerability you will find - * involves a problem with the IMPLEMENTATION not with the cipher. - * - * A flaw in ZeroTier's protocol or code is incredibly, unbelievably - * more likely than a flaw in Salsa20 or any other cipher or cryptographic - * primitive it uses. We're talking odds of dying in a car wreck vs. odds of - * being personally impacted on the head by a meteorite. Nobody without a - * billion dollar budget is going to break into your network by actually - * cracking Salsa20/12 (or even /8) in the field. - * - * So stop worrying about the cipher unless you are, say, the Kremlin and your - * adversary is the NSA and the GCHQ. In that case... well that's above my - * pay grade. I'll just say defense in depth. - */ -#define ZT_PROTO_SALSA20_ROUNDS 12 - /** * PUSH_DIRECT_PATHS flag: forget path */ @@ -1174,7 +1099,7 @@ public: unsigned char &b = (*this)[ZT_PACKET_IDX_FLAGS]; b = (b & 0xc7) | (unsigned char)((c << 3) & 0x38); // bits: FFCCCHHH // Set DEPRECATED "encrypted" flag -- used by pre-1.0.3 peers - if (c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) + if (c == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012) b |= ZT_PROTO_FLAG_ENCRYPTED; else b &= (~ZT_PROTO_FLAG_ENCRYPTED); }