diff options
Diffstat (limited to 'node')
| -rw-r--r-- | node/Identity.cpp | 5 | ||||
| -rw-r--r-- | node/NodeConfig.cpp | 5 | ||||
| -rw-r--r-- | node/Packet.hpp | 9 | ||||
| -rw-r--r-- | node/Salsa20.cpp | 7 | ||||
| -rw-r--r-- | node/Salsa20.hpp | 11 |
5 files changed, 26 insertions, 11 deletions
diff --git a/node/Identity.cpp b/node/Identity.cpp index 0ea3dc18..d50c56fe 100644 --- a/node/Identity.cpp +++ b/node/Identity.cpp @@ -48,6 +48,9 @@ // Step distance for mixing genmem[] #define ZT_IDENTITY_GEN_MEMORY_MIX_STEP 1024 +// Rounds used for Salsa20 step +#define ZT_IDENTITY_GEN_SALSA20_ROUNDS 20 + namespace ZeroTier { // A memory-hard composition of SHA-512 and Salsa20 for hashcash hashing @@ -58,7 +61,7 @@ static inline void _computeMemoryHardHash(const void *publicKey,unsigned int pub // Generate genmem[] bytes of Salsa20 key stream memset(genmem,0,ZT_IDENTITY_GEN_MEMORY); - Salsa20 s20(digest,256,(char *)digest + 32); + Salsa20 s20(digest,256,(char *)digest + 32,ZT_IDENTITY_GEN_SALSA20_ROUNDS); s20.encrypt(genmem,genmem,ZT_IDENTITY_GEN_MEMORY); // Do something to genmem[] that iteratively makes every value diff --git a/node/NodeConfig.cpp b/node/NodeConfig.cpp index 0dda8da7..f26cd8ea 100644 --- a/node/NodeConfig.cpp +++ b/node/NodeConfig.cpp @@ -49,6 +49,7 @@ #include "Logger.hpp" #include "Topology.hpp" #include "Demarc.hpp" +#include "Packet.hpp" #include "InetAddress.hpp" #include "Peer.hpp" #include "Salsa20.hpp" @@ -283,7 +284,7 @@ std::vector< Buffer<ZT_NODECONFIG_MAX_PACKET_SIZE> > NodeConfig::encodeControlMe Utils::getSecureRandom(iv,8); memcpy(packet.field(8,8),iv,8); - Salsa20 s20(key,256,iv); + Salsa20 s20(key,256,iv,ZT_PROTO_SALSA20_ROUNDS); s20.encrypt(packet.field(16,packet.size() - 16),packet.field(16,packet.size() - 16),packet.size() - 16); memcpy(keytmp,key,32); @@ -322,7 +323,7 @@ bool NodeConfig::decodeControlMessagePacket(const void *key,const void *data,uns if (!Utils::secureEq(packet.field(0,8),poly1305tag,8)) return false; - Salsa20 s20(key,256,packet.field(8,8)); + Salsa20 s20(key,256,packet.field(8,8),ZT_PROTO_SALSA20_ROUNDS); s20.decrypt(packet.field(16,packet.size() - 16),packet.field(16,packet.size() - 16),packet.size() - 16); conversationId = packet.at<uint32_t>(16); diff --git a/node/Packet.hpp b/node/Packet.hpp index 486faebb..aeb5d0bb 100644 --- a/node/Packet.hpp +++ b/node/Packet.hpp @@ -92,6 +92,11 @@ */ #define ZT_PROTO_VERB_FLAG_COMPRESSED 0x80 +/** + * Rounds used for Salsa20 encryption in ZT + */ +#define ZT_PROTO_SALSA20_ROUNDS 12 + // Indices of fields in normal packet header -- do not change as this // might require both code rework and will break compatibility. #define ZT_PACKET_IDX_IV 0 @@ -852,7 +857,7 @@ public: else (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_ENCRYPTED); _mangleKey((const unsigned char *)key,mangledKey); - Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8)); + Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS); // MAC key is always the first 32 bytes of the Salsa20 key stream // This is the same construction DJB's NaCl library uses @@ -880,7 +885,7 @@ public: unsigned char *const payload = field(ZT_PACKET_IDX_VERB,payloadLen); _mangleKey((const unsigned char *)key,mangledKey); - Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8)); + Salsa20 s20(mangledKey,256,field(ZT_PACKET_IDX_IV,8),ZT_PROTO_SALSA20_ROUNDS); s20.encrypt(ZERO_KEY,macKey,sizeof(macKey)); Poly1305::compute(mac,payload,payloadLen,macKey); diff --git a/node/Salsa20.cpp b/node/Salsa20.cpp index d80ea28d..b634dd69 100644 --- a/node/Salsa20.cpp +++ b/node/Salsa20.cpp @@ -29,7 +29,7 @@ namespace ZeroTier { static const char *sigma = "expand 32-byte k"; static const char *tau = "expand 16-byte k"; -void Salsa20::init(const void *key,unsigned int kbits,const void *iv) +void Salsa20::init(const void *key,unsigned int kbits,const void *iv,unsigned int rounds) throw() { const char *constants; @@ -59,6 +59,8 @@ void Salsa20::init(const void *key,unsigned int kbits,const void *iv) _state[5] = U8TO32_LITTLE(constants + 4); _state[10] = U8TO32_LITTLE(constants + 8); _state[15] = U8TO32_LITTLE(constants + 12); + + _roundsDiv2 = rounds / 2; } void Salsa20::encrypt(const void *in,void *out,unsigned int bytes) @@ -114,7 +116,8 @@ void Salsa20::encrypt(const void *in,void *out,unsigned int bytes) x13 = j13; x14 = j14; x15 = j15; - for (i = 20;i > 0;i -= 2) { + //for (i = 20;i > 0;i -= 2) { + for(i=0;i<_roundsDiv2;++i) { x4 = XOR( x4,ROTATE(PLUS( x0,x12), 7)); x8 = XOR( x8,ROTATE(PLUS( x4, x0), 9)); x12 = XOR(x12,ROTATE(PLUS( x8, x4),13)); diff --git a/node/Salsa20.hpp b/node/Salsa20.hpp index fa95ed39..9f34ba78 100644 --- a/node/Salsa20.hpp +++ b/node/Salsa20.hpp @@ -14,7 +14,7 @@ namespace ZeroTier { /** - * Salsa20/20 stream cipher + * Salsa20 stream cipher */ class Salsa20 { @@ -25,11 +25,12 @@ public: * @param key Key bits * @param kbits Number of key bits: 128 or 256 (recommended) * @param iv 64-bit initialization vector + * @param rounds Number of rounds: 8, 12, or 20 */ - Salsa20(const void *key,unsigned int kbits,const void *iv) + Salsa20(const void *key,unsigned int kbits,const void *iv,unsigned int rounds) throw() { - init(key,kbits,iv); + init(key,kbits,iv,rounds); } /** @@ -38,8 +39,9 @@ public: * @param key Key bits * @param kbits Number of key bits: 128 or 256 (recommended) * @param iv 64-bit initialization vector + * @param rounds Number of rounds: 8, 12, or 20 */ - void init(const void *key,unsigned int kbits,const void *iv) + void init(const void *key,unsigned int kbits,const void *iv,unsigned int rounds) throw(); /** @@ -67,6 +69,7 @@ public: private: uint32_t _state[16]; + unsigned int _roundsDiv2; }; } // namespace ZeroTier |