Roots now understand encrypted HELLO.

2025-06-05 03:53:44 +02:00 · 2024-09-26 19:47:57 -04:00 · 2024-09-26 19:47:57 -04:00 · 0ab4e2f750
commit 0ab4e2f750
parent 2316a45a45
4 changed files with 57 additions and 11 deletions
--- a/node/AES.hpp
+++ b/node/AES.hpp
@ -135,17 +135,8 @@ public:
 		while (len >= 16) {
 			_encryptSW((const uint8_t *)ctr,(uint8_t *)cenc);
 			ctr[1] = Utils::hton(++bctr);
 #ifdef ZT_NO_TYPE_PUNNING
 			for(unsigned int k=0;k<16;++k)
 				*(o++) = *(i++) ^ ((uint8_t *)cenc)[k];
 #else
 			*((uint64_t *)o) = *((const uint64_t *)i) ^ cenc[0];
 			o += 8;
 			i += 8;
 			*((uint64_t *)o) = *((const uint64_t *)i) ^ cenc[1];
 			o += 8;
 			i += 8;
 #endif
 			len -= 16;
 		}
--- a/node/Identity.hpp
+++ b/node/Identity.hpp
@ -447,7 +447,9 @@ public:
 	ZT_ALWAYS_INLINE unsigned long hashCode() const { return ((unsigned long)_address.toInt() + (unsigned long)_pub.c25519[0] + (unsigned long)_pub.c25519[1] + (unsigned long)_pub.c25519[2]); }
-private:
+	ZT_ALWAYS_INLINE const uint8_t *c25519SecretKey() const { return this->_priv.c25519; }
 	private:
 	Address _address;
 	Type _type;
 	bool _hasPrivate;
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@ -111,6 +111,17 @@
 */
 #define ZT_PROTO_FLAG_FRAGMENTED 0x40
 /**
 * Header flag indicating ephemeral keying and second encryption pass.
 *
 * If this is set, the packet will have an ephemeral key appended to it its payload
 * will be encrypted with AES-CTR using this ephemeral key and the packet's header
 * as an IV.
 *
 * Note that this is a reuse of a flag that has long been deprecated and ignored.
 */
 #define ZT_PROTO_FLAG_EXTENDED_ARMOR 0x80
 /**
 * Verb flag indicating payload is compressed with LZ4
 */
@ -1153,6 +1164,29 @@ public:
 		b = (b & 0xc7) | (unsigned char)((c << 3) & 0x38); // bits: FFCCCHHH
 	}
 	/**
     * @return True if packet is encrypted with an extra ephemeral key
     */
    inline bool extendedArmor() const
    {
        return (((unsigned char)(*this)[ZT_PACKET_IDX_FLAGS] & ZT_PROTO_FLAG_EXTENDED_ARMOR) != 0);
    }
    /**
     * Set this packet's extended armor flag
     *
     * @param f Extended armor flag value
     */
    inline void setExtendedArmor(bool f)
    {
        if (f) {
            (*this)[ZT_PACKET_IDX_FLAGS] |= (char)ZT_PROTO_FLAG_EXTENDED_ARMOR;
        }
        else {
            (*this)[ZT_PACKET_IDX_FLAGS] &= (char)(~ZT_PROTO_FLAG_EXTENDED_ARMOR);
        }
    }
 	/**
 	 * Get the trusted path ID for this packet (only meaningful if cipher is trusted path)
 	 *
--- a/root/root.cpp
+++ b/root/root.cpp
@ -61,6 +61,7 @@
 #include "../node/Packet.hpp"
 #include "../node/SharedPtr.hpp"
 #include "../node/Utils.hpp"
 #include "../node/AES.hpp"
 #include "../osdep/BlockingQueue.hpp"
 #include "../osdep/OSUtils.hpp"
 #include "geoip-html.h"
@ -265,6 +266,8 @@ static ZT_ALWAYS_INLINE std::array<uint64_t, 2> ip6ToH128(const InetAddress& ip)
    return i128;
 }
 #define ZT_PACKET_IDX_EXTENDED_ARMOR_START 19
 static void handlePacket(const int sock, const InetAddress* const ip, Packet& pkt)
 {
    char ipstr[128], ipstr2[128], astr[32], astr2[32], tmpstr[256];
@ -281,6 +284,23 @@ static void handlePacket(const int sock, const InetAddress* const ip, Packet& pk
    if ((! fragment) && (! pkt.fragmented()) && (dest == s_self.address())) {
        SharedPtr<RootPeer> peer;
        if ((pkt.cipher() == ZT_PROTO_CIPHER_SUITE__POLY1305_NONE) && pkt.extendedArmor()) {
            if (pkt.size() < (ZT_PROTO_MIN_PACKET_LENGTH + 32)) {
                return;
            }
            uint8_t ephemeralSymmetric[64];
            C25519::agree(s_self.c25519SecretKey(), (const uint8_t *)pkt.data() + (pkt.size() - 32), ephemeralSymmetric);
            SHA512(ephemeralSymmetric, ephemeralSymmetric, 32);
            AES cipher(ephemeralSymmetric);
            uint32_t ctrIv[4];
            memcpy(ctrIv, pkt.data(), 12);
            ctrIv[3] = 0;
            cipher.ctr((const uint8_t *)ctrIv, (const uint8_t *)pkt.data() + ZT_PACKET_IDX_EXTENDED_ARMOR_START, (pkt.size() - ZT_PACKET_IDX_EXTENDED_ARMOR_START) - 32, (uint8_t *)pkt.data() + ZT_PACKET_IDX_EXTENDED_ARMOR_START);
            pkt.setSize(pkt.size() - 32);
        }
        // If this is an un-encrypted HELLO, either learn a new peer or verify
        // that this is a peer we already know.
        if ((pkt.cipher() == ZT_PROTO_CIPHER_SUITE__POLY1305_NONE) && (pkt.verb() == Packet::VERB_HELLO)) {
@ -304,7 +324,6 @@ static void handlePacket(const int sock, const InetAddress* const ip, Packet& pk
                            pkt.reset(source, s_self.address(), Packet::VERB_ERROR);
                            pkt.append((uint8_t)Packet::VERB_HELLO);
                            pkt.append(origId);
                            ;
                            pkt.append((uint8_t)Packet::ERROR_IDENTITY_COLLISION);
                            pkt.armor(key, true);
                            sendto(sock, pkt.data(), pkt.size(), SENDTO_FLAGS, (const struct sockaddr*)ip, (socklen_t)((ip->ss_family == AF_INET) ? sizeof(struct sockaddr_in) : sizeof(struct sockaddr_in6)));