From 4c55f3eaa5afbd2e5205070ad465c7b07c768d21 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko <adam.ierymenko@zerotier.com>
Date: Wed, 16 Oct 2019 06:03:32 -0700
Subject: [PATCH] Work in progress

---
 node/Constants.hpp |  2 +-
 node/Identity.cpp  | 13 ++++++----
 node/Identity.hpp  |  6 ++---
 node/Packet.hpp    | 60 ++++++++++++++++++++++++++++++----------------
 4 files changed, 52 insertions(+), 29 deletions(-)

diff --git a/node/Constants.hpp b/node/Constants.hpp
index 0f5470448..d6da00f01 100644
--- a/node/Constants.hpp
+++ b/node/Constants.hpp
@@ -219,7 +219,7 @@
 /**
  * Maximum number of packet fragments we'll support (protocol limit: 16)
  */
-#define ZT_MAX_PACKET_FRAGMENTS 10
+#define ZT_MAX_PACKET_FRAGMENTS 12
 
 /**
  * Size of RX queue in packets
diff --git a/node/Identity.cpp b/node/Identity.cpp
index 6e46d8cf2..08377eb5b 100644
--- a/node/Identity.cpp
+++ b/node/Identity.cpp
@@ -101,8 +101,7 @@ void Identity::generate(const Type t)
 
 	if (t == P384) {
 		ECC384GenerateKey(_pub.p384,_priv.p384);
-		SHA384(digest,_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN,_pub.p384,ZT_ECC384_PUBLIC_KEY_SIZE);
-		ECC384ECDSASign(_priv.p384,digest,_pub.p384s);
+		C25519::sign(_priv.c25519,_pub.c25519,&_pub,ZT_C25519_PUBLIC_KEY_LEN + ZT_ECC384_PUBLIC_KEY_SIZE,_pub.p384s);
 	}
 }
 
@@ -113,9 +112,13 @@ bool Identity::locallyValidate() const
 	if (_address.isReserved())
 		return false;
 
-	if (_type == P384) {
-		SHA384(digest,_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN,_pub.p384,ZT_ECC384_PUBLIC_KEY_SIZE);
-		if (!ECC384ECDSAVerify(_pub.p384,digest,_pub.p384s))
+	switch(_type) {
+		case C25519:
+			break;
+		case P384:
+			if (!C25519::verify(_pub.c25519,&_pub,ZT_C25519_PUBLIC_KEY_LEN + ZT_ECC384_PUBLIC_KEY_SIZE,_pub.p384s,ZT_C25519_SIGNATURE_LEN))
+				return false;
+		default:
 			return false;
 	}
 
diff --git a/node/Identity.hpp b/node/Identity.hpp
index 98a6becd8..a54a0f94c 100644
--- a/node/Identity.hpp
+++ b/node/Identity.hpp
@@ -293,7 +293,7 @@ public:
 				b.append((uint8_t)P384);
 				b.append(_pub.c25519,ZT_C25519_PUBLIC_KEY_LEN);
 				b.append(_pub.p384,ZT_ECC384_PUBLIC_KEY_SIZE);
-				b.append(_pub.p384s,ZT_ECC384_SIGNATURE_SIZE);
+				b.append(_pub.p384s,ZT_C25519_SIGNATURE_LEN);
 				if ((_hasPrivate)&&(includePrivate)) {
 					b.append((uint8_t)(ZT_C25519_PRIVATE_KEY_LEN + ZT_ECC384_PRIVATE_KEY_SIZE));
 					b.append(_priv.c25519,ZT_C25519_PRIVATE_KEY_LEN);
@@ -351,7 +351,7 @@ public:
 				p += ZT_C25519_PUBLIC_KEY_LEN;
 				memcpy(_pub.p384,b.field(p,ZT_ECC384_PUBLIC_KEY_SIZE),ZT_ECC384_PUBLIC_KEY_SIZE);
 				p += ZT_ECC384_PUBLIC_KEY_SIZE;
-				memcpy(_pub.p384s,b.field(p,ZT_ECC384_SIGNATURE_SIZE),ZT_ECC384_SIGNATURE_SIZE);
+				memcpy(_pub.p384s,b.field(p,ZT_C25519_SIGNATURE_LEN),ZT_C25519_SIGNATURE_LEN);
 				p += ZT_ECC384_SIGNATURE_SIZE;
 				pkl = (unsigned int)b[p++];
 				if (pkl) {
@@ -451,7 +451,7 @@ private:
 	ZT_PACKED_STRUCT(struct { // don't re-order these
 		uint8_t c25519[ZT_C25519_PUBLIC_KEY_LEN];
 		uint8_t p384[ZT_ECC384_PUBLIC_KEY_SIZE];
-		uint8_t p384s[ZT_ECC384_SIGNATURE_SIZE]; // signature of type 0 key with p384
+		uint8_t p384s[ZT_C25519_SIGNATURE_LEN]; // signature of both keys with ed25519 to confirm type 0 extension to type 1
 	}) _pub;
 };
 
diff --git a/node/Packet.hpp b/node/Packet.hpp
index 8b1ce718f..6595dce3b 100644
--- a/node/Packet.hpp
+++ b/node/Packet.hpp
@@ -824,38 +824,58 @@ public:
   	VERB_WILL_RELAY = 0x17,
 
 		/**
-		 * Multicast frame (since 2.x, 0x0e is deprecated multicast frame):
-		 *   <[1] 8-bit propagation depth or 0xff to not propagate>
-		 *   <[1] 8-bit flags>
+		 * Multipurpose VL2 network multicast:
+		 *   <[5] start of range of addresses for propagation>
+		 *   <[5] end of range of addresses for propagation>
+		 *   <[1] 8-bit propagation depth / hops>
+		 *   <[1] 8-bit length of bloom filter in 256-byte/2048-bit chunks>
+		 *   <[...] propagation bloom filter>
+		 *   [... start of signed portion ...]
 		 *   <[8] 64-bit timestamp>
-		 *   <[5] 40-bit address of sending member>
 		 *   <[8] 64-bit network ID>
+		 *   <[5] 40-bit address of sender>
+		 *   <[2] 16-bit length of multicast payload>
+		 *   [... start multicast payload ...]
+		 *   <[1] 8-bit payload type>
+		 *   [... end multicast payload and signed portion ...]
+		 *   <[2] 16-bit length of signature or 0 if not present>
+		 *   <[...] signature of signed portion>
+		 *
+		 * Payload type 0x00: multicast frame:
 		 *   <[6] MAC address of multicast group>
 		 *   <[4] 32-bit ADI of multicast group>
 		 *   <[6] 48-bit source MAC of packet or all 0 if from sender>
 		 *   <[2] 16-bit ethertype>
-		 *   <[2] 16-bit length of payload>
 		 *   <[...] ethernet payload>
-		 *   <[2] 16-bit length of signature or 0 if not present>
-		 *   <[...] signature of fields after propagation depth>
-		 */
-		VERB_MULTICAST = 0x18,
-
-		/**
-		 * Multicast subscription/unsubscription request:
-		 *   <[1] 8-bit propagation depth of 0xff to not propagate>
-		 *   <[1] 8-bit flags>
-		 *   <[8] 64-bit timestamp>
-		 *   <[5] 40-bit address of subscribing/unsubscribing member>
-		 *   <[8] 64-bit network ID>
+		 *
+		 * Payload type 0x01: multicast subscribe:
 		 *   <[2] 16-bit number of multicast group IDs to subscribe>
 		 *   <[...] series of 32-bit multicast group IDs>
+		 *
+		 * Payload type 0x02: multicast unsubscribe:
 		 *   <[2] 16-bit number of multicast group IDs to unsubscribe>
 		 *   <[...] series of 32-bit multicast group IDs>
-		 *   <[2] 16-bit length of signature or 0 if not present>
-		 *   <[...] signature of fields after propagation depth>
+		 *
+		 * This is the common packet structure for VL2 network-level multicasts
+		 * and is used for multicast frames, multicast group subscribe and
+		 * unsubscribe, and could be used in the future for other purposes such
+		 * as credential propagation or diagnostics.
+		 *
+		 * The header contains an address range, bloom filter, and depth/hop
+		 * counter. The bloom filter tracks which nodes have seen this multicast,
+		 * with bits being set prior to send. The range allows the total set of
+		 * subscribers to be partitioned in the case of huge networks that would
+		 * saturate the bloom filter or have collisions. The propagation depth
+		 * allows propagation to stop at some maximum value, and the value 0xff
+		 * can be used to indicate that further propagation is not desired.
+		 *
+		 * Logic connected to the parsing of the multicast payload will determine
+		 * whether or not and to whom this multicast is propagated. Subscribe and
+		 * unsubscribe messages are propagated to online nodes up to a maximum
+		 * depth, while frames have the added constraint of being propagated only
+		 * to nodes that subscribe to the target multicast group.
 		 */
-		VERB_MULTICAST_SUBSCRIBE = 0x19,
+		VERB_VL2_MULTICAST = 0x18,
 
 		// protocol max: 0x1f
 	};