Startseite Erkunden Hilfe
Anmelden
cpp
/
ZeroTierOne
Mirror von https://github.com/zerotier/ZeroTierOne
2
0
Fork 0
Dateien Issues 0 Wiki
Struktur: df346a6df6
Branches Tags
ZeroTierOne
/
node
/
Protocol.cpp

Protocol.cpp 6.2 KB
Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184 
  1. /*
    2. 

  2.  * Copyright (c)2013-2020 ZeroTier, Inc.
    3. 

  3.  *
    4. 

  4.  * Use of this software is governed by the Business Source License included
    5. 

  5.  * in the LICENSE.TXT file in the project's root directory.
    6. 

  6.  *
    7. 

  7.  * Change Date: 2024-01-01
    8. 

  8.  *
    9. 

  9.  * On the date above, in accordance with the Business Source License, use
    10. 

  10.  * of this software will be governed by version 2.0 of the Apache License.
    11. 

  11.  */
    12. 

  12. /****/
    13. 

  13. 

  14. #include "Protocol.hpp"
    15. 

  15. #include "Buf.hpp"
    16. 

  16. #include "Utils.hpp"
    17. 

  17. 

  18. #if defined(__GCC__) && (defined(__amd64) || defined(__amd64__) || defined(__x86_64) || defined(__x86_64__) || defined(__AMD64) || defined(__AMD64__) || defined(_M_X64))
    19. 

  19. #define ZT_PACKET_USE_ATOMIC_INTRINSICS
    20. 

  20. #endif
    21. 

  21. #ifndef ZT_PACKET_USE_ATOMIC_INTRINSICS
    22. 

  22. #include <atomic>
    23. 

  23. #endif
    24. 

  24. 

  25. namespace ZeroTier {
    26. 

  26. namespace Protocol {
    27. 

  27. 

  28. namespace {
    29. 

  29. 

  30. const uint64_t ZEROES32[4] = { 0,0,0,0 };
    31. 

  31. 

  32. /**
    33. 

  33.  * Deterministically mangle a 256-bit crypto key based on packet
    34. 

  34.  *
    35. 

  35.  * This uses extra data from the packet to mangle the secret, giving us an
    36. 

  36.  * effective IV that is somewhat more than 64 bits. This is "free" for
    37. 

  37.  * Salsa20 since it has negligible key setup time so using a different
    38. 

  38.  * key each time is fine.
    39. 

  39.  *
    40. 

  40.  * @param in Input key (32 bytes)
    41. 

  41.  * @param out Output buffer (32 bytes)
    42. 

  42.  */
    43. 

  43. ZT_ALWAYS_INLINE void _salsa20MangleKey(const uint8_t *const in,uint8_t *const out,const Buf< Header > &packet,const unsigned int packetSize)
    44. 

  44. {
    45. 

  45. 	// IV and source/destination addresses. Using the addresses divides the
    46. 

  46. 	// key space into two halves-- A->B and B->A (since order will change).
    47. 

  47. 	for(int i=0;i<18;++i) // 8 + (ZT_ADDRESS_LENGTH * 2) == 18
    48. 

  48. 		out[i] = in[i] ^ packet.data.bytes[i];
    49. 

  49. 

  50. 	// Flags, but with hop count masked off. Hop count is altered by forwarding
    51. 

  51. 	// nodes. It's one of the only parts of a packet modifiable by people
    52. 

  52. 	// without the key.
    53. 

  53. 	out[18] = in[18] ^ (packet.data.fields.flags & 0xf8U);
    54. 

  54. 

  55. 	// Raw packet size in bytes -- thus each packet size defines a new
    56. 

  56. 	// key space.
    57. 

  57. 	out[19] = in[19] ^ (uint8_t)packetSize;
    58. 

  58. 	out[20] = in[20] ^ (uint8_t)(packetSize >> 8U); // little endian
    59. 

  59. 

  60. 	// Rest of raw key is used unchanged
    61. 

  61. 	for(int i=21;i<32;++i)
    62. 

  62. 		out[i] = in[i];
    63. 

  63. }
    64. 

  64. 

  65. unsigned long long _initPacketID()
    66. 

  66. {
    67. 

  67. 	unsigned long long tmp = 0;
    68. 

  68. 	Utils::getSecureRandom(&tmp,sizeof(tmp));
    69. 

  69. 	tmp >>= 31U;
    70. 

  70. 	tmp |= (((uint64_t)time(nullptr)) & 0xffffffffULL) << 33U;
    71. 

  71. 	return tmp;
    72. 

  72. }
    73. 

  73. #ifdef ZT_PACKET_USE_ATOMIC_INTRINSICS
    74. 

  74. unsigned long long _packetIdCtr = _initPacketID();
    75. 

  75. #else
    76. 

  76. static std::atomic<unsigned long long> _packetIdCtr(_initPacketID());
    77. 

  77. #endif
    78. 

  78. 

  79. } // anonymous namespace
    80. 

  80. 

  81. void _armor(Buf< Header > &packet,const unsigned int packetSize,const uint8_t key[ZT_PEER_SECRET_KEY_LENGTH],const uint8_t cipherSuite)
    82. 

  82. {
    83. 

  83. 	packet.data.fields.flags = (packet.data.fields.flags & 0xc7U) | ((cipherSuite << 3U) & 0x38U); // FFCCCHHH
    84. 

  84. 	if (cipherSuite == ZT_PROTO_CIPHER_SUITE__AES_GCM) {
    85. 

  85. 		// TODO
    86. 

  86. 	} else if (cipherSuite != ZT_PROTO_CIPHER_SUITE__NONE) {
    87. 

  87. 		uint8_t mangledKey[ZT_PEER_SECRET_KEY_LENGTH],macKey[ZT_POLY1305_KEY_LEN];
    88. 

  88. 		uint64_t mac[2];
    89. 

  89. 

  90. 		_salsa20MangleKey(key,mangledKey,packet,packetSize);
    91. 

  91. 		Salsa20 s20(mangledKey,&(packet.data.fields.packetId));
    92. 

  92. 		s20.crypt12(ZEROES32,macKey,sizeof(macKey));
    93. 

  93. 

  94. 		uint8_t *payload = packet.data.bytes + ZT_PROTO_PACKET_ENCRYPTED_SECTION_START;
    95. 

  95. 		const unsigned int payloadLen = packetSize - ZT_PROTO_PACKET_ENCRYPTED_SECTION_START;
    96. 

  96. 

  97. 		if (cipherSuite == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012)
    98. 

  98. 			s20.crypt12(payload,payload,payloadLen);
    99. 

  99. 

  100. 		poly1305(mac,payload,payloadLen,macKey);
    101. 

  101. 		packet.data.fields.mac = mac[0];
    102. 

  102. 	}
    103. 

  103. }
    104. 

  104. 

  105. int _dearmor(Buf< Header > &packet,const unsigned int packetSize,const uint8_t key[ZT_PEER_SECRET_KEY_LENGTH])
    106. 

  106. {
    107. 

  107. 	const int cipherSuite = (int)(packet.data.fields.flags & 0x38U);
    108. 

  108. 	if (cipherSuite == ZT_PROTO_CIPHER_SUITE__AES_GCM) {
    109. 

  109. 		// TODO
    110. 

  110. 	} else if (cipherSuite != ZT_PROTO_CIPHER_SUITE__NONE) {
    111. 

  111. 		uint8_t mangledKey[ZT_PEER_SECRET_KEY_LENGTH],macKey[ZT_POLY1305_KEY_LEN];
    112. 

  112. 		uint64_t mac[2];
    113. 

  113. 

  114. 		_salsa20MangleKey(key,mangledKey,packet,packetSize);
    115. 

  115. 		Salsa20 s20(mangledKey,&(packet.data.fields.packetId));
    116. 

  116. 		s20.crypt12(ZEROES32,macKey,sizeof(macKey));
    117. 

  117. 

  118. 		uint8_t *payload = packet.data.bytes + ZT_PROTO_PACKET_ENCRYPTED_SECTION_START;
    119. 

  119. 		const unsigned int payloadLen = packetSize - ZT_PROTO_PACKET_ENCRYPTED_SECTION_START;
    120. 

  120. 

  121. 		if (cipherSuite == ZT_PROTO_CIPHER_SUITE__POLY1305_SALSA2012)
    122. 

  122. 			s20.crypt12(payload,payload,payloadLen);
    123. 

  123. 

  124. 		poly1305(mac,payload,payloadLen,macKey);
    125. 

  125. 		if (packet.data.fields.mac != mac[0])
    126. 

  126. 			return -1;
    127. 

  127. 	}
    128. 

  128. 	return cipherSuite;
    129. 

  129. }
    130. 

  130. 

  131. unsigned int _compress(Buf< Header > &packet,const unsigned int packetSize)
    132. 

  132. {
    133. 

  133. 	uint8_t tmp[ZT_BUF_MEM_SIZE + 32];
    134. 

  134. 

  135. 	if ((packet.data.fields.verb & ZT_PROTO_VERB_FLAG_COMPRESSED) != 0) // sanity check for multiple calls to compress()
    136. 

  136. 		return packetSize;
    137. 

  137. 

  138. 	const unsigned int uncompressedLen = packetSize - ZT_PROTO_PACKET_PAYLOAD_START;
    139. 

  139. 	const int compressedLen = LZ4_compress_fast(
    140. 

  140. 		reinterpret_cast<const char *>(packet.data.bytes + ZT_PROTO_PACKET_PAYLOAD_START),
    141. 

  141. 	  reinterpret_cast<char *>(tmp),
    142. 

  142. 		(int)uncompressedLen,
    143. 

  143. 		sizeof(tmp) - ZT_PROTO_PACKET_PAYLOAD_START);
    144. 

  144. 	if ((compressedLen > 0)&&(compressedLen < uncompressedLen)) {
    145. 

  145. 		packet.data.fields.verb |= ZT_PROTO_VERB_FLAG_COMPRESSED;
    146. 

  146. 		memcpy(packet.data.bytes + ZT_PROTO_PACKET_PAYLOAD_START,tmp,compressedLen);
    147. 

  147. 		return (unsigned int)compressedLen + ZT_PROTO_PACKET_PAYLOAD_START;
    148. 

  148. 	}
    149. 

  149. 

  150. 	return packetSize;
    151. 

  151. }
    152. 

  152. 

  153. int _uncompress(Buf< Header > &packet,const unsigned int packetSize)
    154. 

  154. {
    155. 

  155. 	uint8_t tmp[ZT_BUF_MEM_SIZE];
    156. 

  156. 

  157. 	if ((packet.data.fields.verb & ZT_PROTO_VERB_FLAG_COMPRESSED) == 0)
    158. 

  158. 		return (int)packetSize;
    159. 

  159. 

  160. 	const int uncompressedLen = LZ4_decompress_safe(
    161. 

  161. 		reinterpret_cast<const char *>(packet.data.bytes + ZT_PROTO_PACKET_PAYLOAD_START),
    162. 

  162. 		reinterpret_cast<char *>(tmp),
    163. 

  163. 		(int)(packetSize - ZT_PROTO_PACKET_PAYLOAD_START),
    164. 

  164. 		sizeof(tmp) - ZT_PROTO_PACKET_PAYLOAD_START);
    165. 

  165. 

  166. 	if ((uncompressedLen > 0)&&(uncompressedLen <= (sizeof(tmp) - ZT_PROTO_PACKET_PAYLOAD_START))) {
    167. 

  167. 		packet.data.fields.verb &= (uint8_t)(~((uint8_t)ZT_PROTO_VERB_FLAG_COMPRESSED));
    168. 

  168. 		memcpy(packet.data.bytes + ZT_PROTO_PACKET_PAYLOAD_START,tmp,uncompressedLen);
    169. 

  169. 		return uncompressedLen + ZT_PROTO_PACKET_PAYLOAD_START;
    170. 

  170. 	}
    171. 

  171. 	return -1;
    172. 

  172. }
    173. 

  173. 

  174. uint64_t getPacketId()
    175. 

  175. {
    176. 

  176. #ifdef ZT_PACKET_USE_ATOMIC_INTRINSICS
    177. 

  177. 	return __sync_add_and_fetch(&_packetIdCtr,1ULL);
    178. 

  178. #else
    179. 

  179. 	return ++_packetIdCtr;
    180. 

  180. #endif
    181. 

  181. }
    182. 

  182. 

  183. } // namespace Protocol
    184. 

  184. } // namespace ZeroTier
    185.