|
|
|
|
@ -98,6 +98,17 @@
|
|
|
|
|
*/ |
|
|
|
|
#define ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012 1 |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Cipher suite: PFS negotiated ephemeral cipher suite and authentication |
|
|
|
|
* |
|
|
|
|
* This message is encrypted with the latest negotiated ephemeral (PFS) |
|
|
|
|
* key pair and cipher suite. If authentication fails, VERB_SET_EPHEMERAL_KEY |
|
|
|
|
* may be sent to renegotiate ephemeral keys. To prevent attacks, this |
|
|
|
|
* attempted renegotiation should be limited to some sane rate such as |
|
|
|
|
* once per second. |
|
|
|
|
*/ |
|
|
|
|
#define ZT_PROTO_CIPHER_SUITE__EPHEMERAL 7 |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* DEPRECATED payload encrypted flag, will be removed for re-use soon. |
|
|
|
|
* |
|
|
|
|
@ -114,13 +125,6 @@
|
|
|
|
|
*/ |
|
|
|
|
#define ZT_PROTO_FLAG_FRAGMENTED 0x40 |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Flag indicating encryption with a PFS session key |
|
|
|
|
* |
|
|
|
|
* Not used yet -- for future PFS session re-keying support. |
|
|
|
|
*/ |
|
|
|
|
#define ZT_PROTO_FLAG_PFS_SESSION 0x20 |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Verb flag indicating payload is compressed with LZ4 |
|
|
|
|
*/ |
|
|
|
|
@ -186,6 +190,17 @@
|
|
|
|
|
#define ZT_PROTO_DEST_ADDRESS_TYPE_IPV4 4 |
|
|
|
|
#define ZT_PROTO_DEST_ADDRESS_TYPE_IPV6 6 |
|
|
|
|
|
|
|
|
|
// Ephemeral key record flags
|
|
|
|
|
#define ZT_PROTO_EPHEMERAL_KEY_FLAG_FIPS 0x01 |
|
|
|
|
|
|
|
|
|
// Ephemeral key record symmetric cipher types
|
|
|
|
|
#define ZT_PROTO_EPHEMERAL_KEY_SYMMETRIC_CIPHER_SALSA2012_POLY1305 0x01 |
|
|
|
|
#define ZT_PROTO_EPHEMERAL_KEY_SYMMETRIC_CIPHER_AES256_GCM 0x02 |
|
|
|
|
|
|
|
|
|
// Ephemeral key record public key types
|
|
|
|
|
#define ZT_PROTO_EPHEMERAL_KEY_PK_C25519 0x01 |
|
|
|
|
#define ZT_PROTO_EPHEMERAL_KEY_PK_NISTP256 0x02 |
|
|
|
|
|
|
|
|
|
// Field incides for parsing verbs -------------------------------------------
|
|
|
|
|
|
|
|
|
|
// Some verbs have variable-length fields. Those aren't fully defined here
|
|
|
|
|
@ -298,8 +313,8 @@ namespace ZeroTier {
|
|
|
|
|
*
|
|
|
|
|
* Packets smaller than 28 bytes are invalid and silently discarded. |
|
|
|
|
* |
|
|
|
|
* The flags/cipher/hops bit field is: FFFCCHHH where C is a 2-bit cipher |
|
|
|
|
* selection allowing up to 4 cipher suites, F is outside-envelope flags, |
|
|
|
|
* The flags/cipher/hops bit field is: FFCCCHHH where C is a 3-bit cipher |
|
|
|
|
* selection allowing up to 7 cipher suites, F is outside-envelope flags, |
|
|
|
|
* and H is hop count. |
|
|
|
|
* |
|
|
|
|
* The three-bit hop count is the only part of a packet that is mutable in |
|
|
|
|
@ -752,7 +767,59 @@ public:
|
|
|
|
|
* <[6] multicast group MAC> |
|
|
|
|
* <[4] 32-bit multicast group ADI> |
|
|
|
|
*/ |
|
|
|
|
VERB_MULTICAST_FRAME = 14 |
|
|
|
|
VERB_MULTICAST_FRAME = 14, |
|
|
|
|
|
|
|
|
|
/* Ephemeral (PFS) key push:
|
|
|
|
|
* <[8] 64-bit PFS key set ID sender holds for recipient (0==none)> |
|
|
|
|
* <[8] 64-bit PFS key set ID of this key set> |
|
|
|
|
* [... begin PFS key record ...] |
|
|
|
|
* <[1] flags> |
|
|
|
|
* <[1] symmetric cipher ID> |
|
|
|
|
* <[1] public key type ID> |
|
|
|
|
* <[2] public key length in bytes> |
|
|
|
|
* <[2] identity signature length in bytes (0 for none)> |
|
|
|
|
* <[...] public key> |
|
|
|
|
* <[...] signature of sender's ZT identity with public key> |
|
|
|
|
* [... additional records may follow up to max packet length ...] |
|
|
|
|
* |
|
|
|
|
* This message is sent to negotiate an ephemeral key. If the recipient's |
|
|
|
|
* current key pair for the sender does not match the one the sender |
|
|
|
|
* claims to have on file, it must respond with its own SET_EPHEMERAL_KEY. |
|
|
|
|
* |
|
|
|
|
* PFS key IDs are random and must not be zero, since zero indicates that |
|
|
|
|
* the sender does not have an ephemeral key on file for the recipient. |
|
|
|
|
* |
|
|
|
|
* For each public key, the sender may sign its ZeroTier identity (public |
|
|
|
|
* portion only) using the associated digital signature algorithm. This |
|
|
|
|
* permits the extension of FIPS-compliant cryptographic algorithms to |
|
|
|
|
* cover verification of the identity for full FIPS compliant mode. For |
|
|
|
|
* non-FIPS mode, this is optional. If no signature is included the |
|
|
|
|
* signature length field must be zero. |
|
|
|
|
* |
|
|
|
|
* One or more records may be sent. If multiple records are present, |
|
|
|
|
* the first record with common symmetric cipher, public key type, |
|
|
|
|
* and relevant flags must be used. |
|
|
|
|
* |
|
|
|
|
* Flags (all unspecified flags must be zero): |
|
|
|
|
* 0x01 - FIPS mode, only use record if FIPS compliant crypto in use |
|
|
|
|
* |
|
|
|
|
* Symmetric cipher IDs: |
|
|
|
|
* 0x01 - Salsa20/12 with Poly1305 authentication (ZT default) |
|
|
|
|
* 0x02 - AES256-GCM combined crypto and authentication |
|
|
|
|
* |
|
|
|
|
* Public key types: |
|
|
|
|
* 0x01 - Curve25519 ECDH with SHA-512 KDF, Ed25519 signatures |
|
|
|
|
* 0x02 - NIST P-256 ECDH with SHA-512 KDF, ECDSA signatures |
|
|
|
|
* |
|
|
|
|
* Once both peers have a PFS key, they will attempt to send PFS key |
|
|
|
|
* encrypted messages with the PFS flag set using the negotiated |
|
|
|
|
* cipher/auth type. |
|
|
|
|
* |
|
|
|
|
* Note: most of these features such as FIPS and other cipher suites are |
|
|
|
|
* not implemented yet. They're just specified in the protocol for future |
|
|
|
|
* use to support e.g. FIPS requirements. |
|
|
|
|
*/ |
|
|
|
|
VERB_SET_EPHEMERAL_KEY = 15 |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -824,7 +891,7 @@ public:
|
|
|
|
|
Buffer<ZT_PROTO_MAX_PACKET_LENGTH>(ZT_PROTO_MIN_PACKET_LENGTH) |
|
|
|
|
{ |
|
|
|
|
Utils::getSecureRandom(field(ZT_PACKET_IDX_IV,8),8); |
|
|
|
|
(*this)[ZT_PACKET_IDX_FLAGS] = 0; // zero flags and hops
|
|
|
|
|
(*this)[ZT_PACKET_IDX_FLAGS] = 0; // zero flags, cipher ID, and hops
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -873,7 +940,7 @@ public:
|
|
|
|
|
Utils::getSecureRandom(field(ZT_PACKET_IDX_IV,8),8); |
|
|
|
|
setDestination(dest); |
|
|
|
|
setSource(source); |
|
|
|
|
(*this)[ZT_PACKET_IDX_FLAGS] = 0; // zero flags and hops
|
|
|
|
|
(*this)[ZT_PACKET_IDX_FLAGS] = 0; // zero flags, cipher ID, and hops
|
|
|
|
|
setVerb(v); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@ -884,34 +951,21 @@ public:
|
|
|
|
|
* technically different but otherwise identical copies of the same |
|
|
|
|
* packet. |
|
|
|
|
*/ |
|
|
|
|
inline void newInitializationVector() |
|
|
|
|
{ |
|
|
|
|
Utils::getSecureRandom(field(ZT_PACKET_IDX_IV,8),8); |
|
|
|
|
} |
|
|
|
|
inline void newInitializationVector() { Utils::getSecureRandom(field(ZT_PACKET_IDX_IV,8),8); } |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Set this packet's destination |
|
|
|
|
*
|
|
|
|
|
* @param dest ZeroTier address of destination |
|
|
|
|
*/ |
|
|
|
|
inline void setDestination(const Address &dest) |
|
|
|
|
{ |
|
|
|
|
unsigned char *d = field(ZT_PACKET_IDX_DEST,ZT_ADDRESS_LENGTH); |
|
|
|
|
for(unsigned int i=0;i<ZT_ADDRESS_LENGTH;++i) |
|
|
|
|
d[i] = dest[i]; |
|
|
|
|
} |
|
|
|
|
inline void setDestination(const Address &dest) { dest.copyTo(field(ZT_PACKET_IDX_DEST,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); } |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Set this packet's source |
|
|
|
|
*
|
|
|
|
|
* @param source ZeroTier address of source |
|
|
|
|
*/ |
|
|
|
|
inline void setSource(const Address &source) |
|
|
|
|
{ |
|
|
|
|
unsigned char *s = field(ZT_PACKET_IDX_SOURCE,ZT_ADDRESS_LENGTH); |
|
|
|
|
for(unsigned int i=0;i<ZT_ADDRESS_LENGTH;++i) |
|
|
|
|
s[i] = source[i]; |
|
|
|
|
} |
|
|
|
|
inline void setSource(const Address &source) { source.copyTo(field(ZT_PACKET_IDX_SOURCE,ZT_ADDRESS_LENGTH),ZT_ADDRESS_LENGTH); } |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get this packet's destination |
|
|
|
|
@ -974,7 +1028,7 @@ public:
|
|
|
|
|
inline unsigned int cipher() const |
|
|
|
|
{ |
|
|
|
|
// Note: this uses the new cipher spec field, which is incompatible with <1.0.0 peers
|
|
|
|
|
return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x18) >> 3); |
|
|
|
|
return (((unsigned int)(*this)[ZT_PACKET_IDX_FLAGS] & 0x38) >> 3); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
@ -983,7 +1037,7 @@ public:
|
|
|
|
|
inline void setCipher(unsigned int c) |
|
|
|
|
{ |
|
|
|
|
unsigned char &b = (*this)[ZT_PACKET_IDX_FLAGS]; |
|
|
|
|
b = (b & 0xe7) | (unsigned char)((c << 3) & 0x18); // bits: FFFCCHHH
|
|
|
|
|
b = (b & 0xc7) | (unsigned char)((c << 3) & 0x38); // bits: FFCCCHHH
|
|
|
|
|
// DEPRECATED "encrypted" flag -- used by pre-1.0.3 peers
|
|
|
|
|
if (c == ZT_PROTO_CIPHER_SUITE__C25519_POLY1305_SALSA2012) |
|
|
|
|
b |= ZT_PROTO_FLAG_ENCRYPTED; |
|
|
|
|
|
Adam Ierymenko
11 years ago