diff options
| author | Adam Ierymenko <adam.ierymenko@gmail.com> | 2017-02-06 07:39:38 -0800 |
|---|---|---|
| committer | Adam Ierymenko <adam.ierymenko@gmail.com> | 2017-02-06 07:39:38 -0800 |
| commit | 803f74634a7e88e4e2781e4b8df7afeda3d968be (patch) | |
| tree | 602ae5aa230d4142aabe0a0f1ea81587f3c2e0dc | |
| parent | f85a630a6438261fd21c149f32a77283e7bf76a3 (diff) | |
| download | infinitytier-803f74634a7e88e4e2781e4b8df7afeda3d968be.tar.gz infinitytier-803f74634a7e88e4e2781e4b8df7afeda3d968be.zip | |
Tweak how we do crypto of the masked portions of HELLO just to be more "boring" in the DJB sense.
| -rw-r--r-- | node/Packet.cpp | 6 | ||||
| -rw-r--r-- | node/Packet.hpp | 12 |
2 files changed, 11 insertions, 7 deletions
diff --git a/node/Packet.cpp b/node/Packet.cpp index a1bb3132..e685bcaa 100644 --- a/node/Packet.cpp +++ b/node/Packet.cpp @@ -2026,9 +2026,11 @@ bool Packet::dearmor(const void *key) void Packet::cryptField(const void *key,unsigned int start,unsigned int len) { unsigned char mangledKey[32]; - uint64_t iv = Utils::hton((uint64_t)start ^ at<uint64_t>(ZT_PACKET_IDX_IV)); + unsigned char macKey[32]; _salsa20MangleKey((const unsigned char *)key,mangledKey); - Salsa20 s20(mangledKey,256,&iv); + mangledKey[0] ^= 1; // slightly alter key for this use case as an added guard against key stream reuse + Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8)); + s20.crypt12(ZERO_KEY,macKey,sizeof(macKey)); // discard the first 32 bytes of key stream (the ones use for MAC in armor()) as a precaution unsigned char *const ptr = field(start,len); s20.crypt12(ptr,ptr,len); } diff --git a/node/Packet.hpp b/node/Packet.hpp index 4859dafd..b736b84a 100644 --- a/node/Packet.hpp +++ b/node/Packet.hpp @@ -1353,16 +1353,18 @@ public: /** * Encrypt/decrypt a separately armored portion of a packet * - * This keys using the same key in the same way as armor/dearmor, but - * uses a different IV computed from the packet's IV plus the starting - * point index. - * * This currently uses Salsa20/12, but any message that uses this should - * incorporate a cipher selector to permit this to be changed later. + * incorporate a cipher selector to permit this to be changed later. To + * ensure that key stream is not reused, the key is slightly altered for + * this use case and the same initial 32 keystream bytes that are taken + * for MAC in ordinary armor() are also skipped here. * * This is currently only used to mask portions of HELLO as an extra * security precation since most of that message is sent in the clear. * + * This must NEVER be used more than once in the same packet, as doing + * so will result in re-use of the same key stream. + * * @param key 32-byte key * @param start Start of encrypted portion * @param len Length of encrypted portion |