
AES works! Only with this or newer nodes. Uses salsa with older ones as usual.

Adam Ierymenko 4 years ago
parent
commit
7219ca0c0f
7 changed files with 20 additions and 28 deletions
  1. 1 2
      node/AES.hpp
  2. 0 5
      node/Constants.hpp
  3. 2 3
      node/Identity.hpp
  4. 2 2
      node/IncomingPacket.cpp
  5. 6 6
      node/Packet.cpp
  6. 4 5
      node/Peer.cpp
  7. 5 5
      node/Peer.hpp

+ 1 - 2
node/AES.hpp

@@ -376,9 +376,8 @@ public:
 		 */
 		ZT_INLINE void finish1() noexcept
 		{
-			uint64_t tmp[2];
-
 			// Compute 128-bit GMAC tag.
+			uint64_t tmp[2];
 			_gmac.finish(reinterpret_cast<uint8_t *>(tmp));
 
 			// Shorten to 64 bits, concatenate with message IV, and encrypt with AES to

+ 0 - 5
node/Constants.hpp

@@ -201,11 +201,6 @@
  */
 #define ZT_TX_QUEUE_SIZE 32
 
-/**
- * Length of secret key in bytes -- 256-bit -- do not change
- */
-#define ZT_PEER_SECRET_KEY_LENGTH 32
-
 /**
  * Minimum delay between timer task checks to prevent thrashing
  */

+ 2 - 3
node/Identity.hpp

@@ -173,13 +173,12 @@ public:
 	 *
 	 * @param id Identity to agree with
 	 * @param key Result parameter to fill with key bytes
-	 * @param klen Length of key in bytes
 	 * @return Was agreement successful?
 	 */
-	inline bool agree(const Identity &id,void *key,unsigned int klen) const
+	inline bool agree(const Identity &id,void *const key) const
 	{
 		if (_privateKey) {
-			C25519::agree(*_privateKey,id._publicKey,key,klen);
+			C25519::agree(*_privateKey,id._publicKey,key,ZT_SYMMETRIC_KEY_SIZE);
 			return true;
 		}
 		return false;
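Review bot: The doc comment on `agree()` drops `@param klen` but never states how large `key` must now be, even though the function writes ZT_SYMMETRIC_KEY_SIZE bytes into it unconditionally; add `* @param key Result parameter to fill with ZT_SYMMETRIC_KEY_SIZE key bytes (caller must supply at least that much storage)`. With the length no longer a visible argument, an undersized buffer at a call site becomes a silent overwrite rather than an obviously wrong parameter, so the size belongs in the documented contract. ZT_SYMMETRIC_KEY_SIZE is not introduced anywhere in this commit (Constants.hpp only removes the old macro), so I assume it already exists there.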

+ 2 - 2
node/IncomingPacket.cpp

@@ -286,8 +286,8 @@ bool IncomingPacket::_doHELLO(const RuntimeEnvironment *RR,void *tPtr,const bool
 				if (!RR->node->rateGateIdentityVerification(now,_path->address()))
 					return true;
 
-				uint8_t key[ZT_PEER_SECRET_KEY_LENGTH];
-				if (RR->identity.agree(id,key,ZT_PEER_SECRET_KEY_LENGTH)) {
+				uint8_t key[ZT_SYMMETRIC_KEY_SIZE];
+				if (RR->identity.agree(id,key)) {
 					if (dearmor(key, peer->aesKeysIfSupported())) { // ensure packet is authentic, otherwise drop
 						RR->t->incomingPacketDroppedHELLO(tPtr,_path,pid,fromAddress,"address collision");
 						Packet outp(id.address(),RR->identity.address(),Packet::VERB_ERROR);
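Review bot: In this address-collision branch the `key` agreed with the claimed identity `id` only matters to `dearmor()` for the Salsa/Poly1305 suite, because the AES path in Packet::dearmor (changed in this same commit) reads nothing but its `aesKeys` argument, and `peer->aesKeysIfSupported()` supplies keys derived from the existing peer's identity rather than from `id`. If `peer` is the record already holding that address, an AES-armored HELLO from the colliding identity can never authenticate here and the collision ERROR is only ever sent to Salsa senders; either derive temporary AES keys from `key` the way Peer's constructor does, or document that the AES case is intentionally dropped. Separately, `key` holds a live shared secret on the stack and nothing visible wipes it; Peer.cpp burns its derived material, so `Utils::burn(key,ZT_SYMMETRIC_KEY_SIZE);` once the check is done would keep the two consistent (the rest of `_doHELLO` is outside the hunk, so this may already happen later).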

+ 6 - 6
node/Packet.cpp

@@ -881,7 +881,6 @@ void Packet::armor(const void *key,bool encryptPayload,const AES aesKeys[2])
 	uint8_t *const data = reinterpret_cast<uint8_t *>(unsafeData());
 	if ((aesKeys) && (encryptPayload)) {
 		char tmp0[16],tmp1[16];
-		printf("AES armor %.16llx %s -> %s %u\n",*reinterpret_cast<const uint64_t *>(data),Address(data + ZT_PACKET_IDX_SOURCE,5).toString(tmp0),Address(data + ZT_PACKET_IDX_DEST,5).toString(tmp1),size());
 		setCipher(ZT_PROTO_CIPHER_SUITE__AES_GMAC_SIV);
 
 		uint8_t *const payload = data + ZT_PACKET_IDX_VERB;
@@ -899,7 +898,7 @@ void Packet::armor(const void *key,bool encryptPayload,const AES aesKeys[2])
 		Utils::copy<8>(data,tag);
 		Utils::copy<8>(data + ZT_PACKET_IDX_MAC,tag + 1);
 #else
-		*reinterpret_cast<uint64_t *>(data) = tag[0];
+		*reinterpret_cast<uint64_t *>(data + ZT_PACKET_IDX_IV) = tag[0];
 		*reinterpret_cast<uint64_t *>(data + ZT_PACKET_IDX_MAC) = tag[1];
 #endif
 	} else {
@@ -947,20 +946,21 @@ bool Packet::dearmor(const void *key,const AES aesKeys[2])
 
 	if (cs == ZT_PROTO_CIPHER_SUITE__AES_GMAC_SIV) {
 		if (aesKeys) {
-			printf("AES dearmor\n");
-			AES::GMACSIVDecryptor dec(aesKeys[0],aesKeys[1]);
-
 			uint64_t tag[2];
 #ifdef ZT_NO_UNALIGNED_ACCESS
 			Utils::copy<8>(tag, data);
 			Utils::copy<8>(tag + 1, data + ZT_PACKET_IDX_MAC);
 #else
-			tag[0] = *reinterpret_cast<uint64_t *>(data);
+			tag[0] = *reinterpret_cast<uint64_t *>(data + ZT_PACKET_IDX_IV);
 			tag[1] = *reinterpret_cast<uint64_t *>(data + ZT_PACKET_IDX_MAC);
 #endif
 
+			AES::GMACSIVDecryptor dec(aesKeys[0],aesKeys[1]);
 			dec.init(tag, payload);
+			const uint8_t oldFlags = data[ZT_PACKET_IDX_FLAGS];
+			data[ZT_PACKET_IDX_FLAGS] &= 0xf8;
 			dec.aad(data + ZT_PACKET_IDX_DEST,11);
+			data[ZT_PACKET_IDX_FLAGS] = oldFlags;
 			dec.update(payload, payloadLen);
 			return dec.finish();
 		}
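Review bot: The tag-offset fix (`data + ZT_PACKET_IDX_IV`) was applied only to the unaligned-read branches of `armor()` and `dearmor()`; the `#ifdef ZT_NO_UNALIGNED_ACCESS` branches directly above each still use plain `data` for the first tag word. Unless ZT_PACKET_IDX_IV is 0 (in which case the change is cosmetic), builds with that define now place the SIV tag at a different offset than everyone else and fail authentication on every AES packet, so change them to `Utils::copy<8>(data + ZT_PACKET_IDX_IV,tag);` and `Utils::copy<8>(tag, data + ZT_PACKET_IDX_IV);` so the two branches cannot drift again. The in-place `data[ZT_PACKET_IDX_FLAGS] &= 0xf8;` / restore around `dec.aad()` also needs a one-line comment stating which flag bits are excluded from the AAD and that `armor()` masks the same bits, since any mismatch between the two sides rejects every packet; armor()'s AAD computation is outside this hunk, so I cannot confirm they agree.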

+ 4 - 5
node/Peer.cpp

@@ -58,16 +58,15 @@ Peer::Peer(const RuntimeEnvironment *renv,const Identity &myIdentity,const Ident
 	_bondingPolicy(0),
 	_lastComputedAggregateMeanLatency(0)
 {
-	if (!myIdentity.agree(peerIdentity,_key,ZT_PEER_SECRET_KEY_LENGTH)) {
+	if (!myIdentity.agree(peerIdentity,_key))
 		throw ZT_EXCEPTION_INVALID_ARGUMENT;
-	}
 
-	uint8_t ktmp[48];
+	uint8_t ktmp[ZT_SYMMETRIC_KEY_SIZE];
 	KBKDFHMACSHA384(_key,ZT_KBKDF_LABEL_AES_GMAC_SIV_K0,0,0,ktmp);
 	_aesKeys[0].init(ktmp);
 	KBKDFHMACSHA384(_key,ZT_KBKDF_LABEL_AES_GMAC_SIV_K1,0,0,ktmp);
-	_aesKeys[0].init(ktmp);
-	Utils::burn(ktmp, 48);
+	_aesKeys[1].init(ktmp);
+	Utils::burn(ktmp,ZT_SYMMETRIC_KEY_SIZE);
 }
 
 void Peer::received(
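Review bot: `ktmp` shrinks from a fixed 48 bytes to ZT_SYMMETRIC_KEY_SIZE while the two `KBKDFHMACSHA384()` calls that fill it are unchanged; if that function writes a full HMAC-SHA384 output (48 bytes, which the previous size suggests), the buffer is only safe when ZT_SYMMETRIC_KEY_SIZE >= 48. I cannot see the KDF's definition here, so pin the assumption next to the declaration: `static_assert(ZT_SYMMETRIC_KEY_SIZE >= 48,"ktmp must hold a full HMAC-SHA384 output");` — or, better, size `ktmp` from the KDF's own output-length constant rather than from the symmetric key size, since the two quantities are only coincidentally equal.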

+ 5 - 5
node/Peer.hpp

@@ -533,11 +533,11 @@ public:
 	 */
 	inline int8_t bondingPolicy() { return _bondingPolicy; }
 
-	const AES *aesKeysIfSupported() const
-	{ return (const AES *)0; }
-
 	//const AES *aesKeysIfSupported() const
-	//{ return (_vProto >= 12) ? _aesKeys : (const AES *)0; }
+	//{ return (const AES *)0; }
+
+	const AES *aesKeysIfSupported() const
+	{ return (_vProto >= 12) ? _aesKeys : (const AES *)0; }
 
 private:
 	struct _PeerPath
@@ -548,7 +548,7 @@ private:
 		long priority; // >= 1, higher is better
 	};
 
-	uint8_t _key[ZT_PEER_SECRET_KEY_LENGTH];
+	uint8_t _key[ZT_SYMMETRIC_KEY_SIZE];
 	AES _aesKeys[2];
 
 	const RuntimeEnvironment *RR;
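Review bot: The now-disabled stub of `aesKeysIfSupported()` is kept as a comment directly above the live definition, and the live one uses a C-style `(const AES *)0`; delete the commented-out copy and write `return (_vProto >= 12) ? _aesKeys : nullptr;`. The threshold 12 is a bare magic number: if it is the first protocol version that supports AES-GMAC-SIV, give it a named constant next to the cipher-suite definitions and add `// peers announcing protocol < 12 fall back to the Salsa/Poly1305 suite` so the fallback path is explicit to the reader. Where `_vProto` is set is not visible in this commit; confirm it is the version learned from the peer's HELLO and document that on the member.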