From ca2a2fad9ef8b019efb4d85de74ebd904d27454f23ad7487d93ecf3782bcd96c Mon Sep 17 00:00:00 2001
From: Sergey Matveev <stargrave@stargrave.org>
Date: Tue, 16 Apr 2024 00:50:34 +0300
Subject: [PATCH] SipHash24 for short messages is much faster and secure enough
---
cmd/client/main.go | 63 ++++++++++++++++++++++-----------------------
cmd/server/main.go | 40 ++++++++++++----------------
cmd/server/peer.go | 2 ++
doc/features.texi | 8 +++---
doc/index.texi | 2 +-
doc/integrity.texi | 4 +--
doc/proto.texi | 8 +++---
go.mod | 1 +
go.sum | 2 ++
internal/noise.go | 2 +-
internal/var.go | 2 --
internal/version.go | 2 +-
12 files changed, 66 insertions(+), 70 deletions(-)
diff --git a/cmd/client/main.go b/cmd/client/main.go
index fadaf51..6ac7509 100644
--- a/cmd/client/main.go
+++ b/cmd/client/main.go
@@ -32,13 +32,13 @@ import (
"strings"
"time"
+ "github.com/dchest/siphash"
"github.com/flynn/noise"
"github.com/jroimartin/gocui"
"go.stargrave.org/opus/v2"
vors "go.stargrave.org/vors/internal"
"golang.org/x/crypto/blake2s"
"golang.org/x/crypto/chacha20"
- "golang.org/x/crypto/poly1305"
)
type Stream struct {
@@ -268,14 +268,20 @@ func main() {
}
}
- var keyOur []byte
+ var keyCiphOur []byte
+ var keyMACOur []byte
{
- h, err := blake2s.New256(hs.ChannelBinding())
+ xof, err := blake2s.NewXOF(32+16, nil)
if err != nil {
log.Fatalln(err)
}
- h.Write([]byte(vors.NoisePrologue))
- keyOur = h.Sum(nil)
+ xof.Write([]byte(vors.NoisePrologue))
+ xof.Write(hs.ChannelBinding())
+ buf := make([]byte, 32+16)
+ if _, err = io.ReadFull(xof, buf); err != nil {
+ log.Fatalln(err)
+ }
+ keyCiphOur, keyMACOur = buf[:32], buf[32:]
}
seen := time.Now()
@@ -352,6 +358,7 @@ func main() {
if err != nil {
log.Fatal(err)
}
+ keyCiph, keyMAC := key[:32], key[32:]
stream := &Stream{
name: name,
in: make(chan []byte, 1<<10),
@@ -402,9 +409,8 @@ func main() {
}
var ciph *chacha20.Cipher
- var macKey [32]byte
- var mac *poly1305.MAC
- tag := make([]byte, poly1305.TagSize)
+ mac := siphash.New(keyMAC)
+ tag := make([]byte, siphash.Size)
var ctr uint32
pcm := make([]int16, vors.FrameLen)
nonce := make([]byte, 12)
@@ -413,26 +419,23 @@ func main() {
var lastDur int
for buf := range stream.in {
copy(nonce[len(nonce)-4:], buf)
- ciph, err = chacha20.NewUnauthenticatedCipher(key, nonce)
- if err != nil {
- log.Fatal(err)
- }
- clear(macKey[:])
- ciph.XORKeyStream(macKey[:], macKey[:])
- ciph.SetCounter(1)
- mac = poly1305.New(&macKey)
- if _, err = mac.Write(buf[4 : len(buf)-vors.TagLen]); err != nil {
+ mac.Reset()
+ if _, err = mac.Write(buf[: len(buf)-siphash.Size]); err != nil {
log.Fatal(err)
}
mac.Sum(tag[:0])
if subtle.ConstantTimeCompare(
- tag[:vors.TagLen],
- buf[len(buf)-vors.TagLen:],
+ tag[:siphash.Size],
+ buf[len(buf)-siphash.Size:],
) != 1 {
stream.stats.bads++
continue
}
- pkt = buf[4 : len(buf)-vors.TagLen]
+ ciph, err = chacha20.NewUnauthenticatedCipher(keyCiph, nonce)
+ if err != nil {
+ log.Fatal(err)
+ }
+ pkt = buf[4 : len(buf)-siphash.Size]
ciph.XORKeyStream(pkt, pkt)
ctr = binary.BigEndian.Uint32(nonce[len(nonce)-4:])
@@ -532,7 +535,7 @@ func main() {
log.Println("wrong addr:", from)
continue
}
- if n <= 4+vors.TagLen {
+ if n <= 4+siphash.Size {
log.Println("too small:", n)
continue
}
@@ -573,9 +576,8 @@ func main() {
}
<-LoggerReady
var ciph *chacha20.Cipher
- var macKey [32]byte
- var mac *poly1305.MAC
- tag := make([]byte, poly1305.TagSize)
+ mac := siphash.New(keyMACOur)
+ tag := make([]byte, siphash.Size)
buf := make([]byte, 2*vors.FrameLen)
pcm := make([]int16, vors.FrameLen)
nonce := make([]byte, 12)
@@ -608,21 +610,18 @@ func main() {
incr(nonce[len(nonce)-3:])
copy(buf, nonce[len(nonce)-4:])
- ciph, err = chacha20.NewUnauthenticatedCipher(keyOur, nonce)
+ ciph, err = chacha20.NewUnauthenticatedCipher(keyCiphOur, nonce)
if err != nil {
log.Fatal(err)
}
- clear(macKey[:])
- ciph.XORKeyStream(macKey[:], macKey[:])
- ciph.SetCounter(1)
ciph.XORKeyStream(buf[4:4+n], buf[4:4+n])
- mac = poly1305.New(&macKey)
- if _, err = mac.Write(buf[4 : 4+n]); err != nil {
+ mac.Reset()
+ if _, err = mac.Write(buf[: 4+n]); err != nil {
log.Fatal(err)
}
mac.Sum(tag[:0])
- copy(buf[4+n:], tag[:vors.TagLen])
- pkt = buf[:4+n+vors.TagLen]
+ copy(buf[4+n:], tag)
+ pkt = buf[:4+n+siphash.Size]
OurStats.pkts++
OurStats.bytes += vors.IPHdrLen(srvAddrUDP.IP) + 8 + uint64(len(pkt))
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 514e8fe..b6b7255 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -33,12 +33,11 @@ import (
"strings"
"time"
+ "github.com/dchest/siphash"
"github.com/flynn/noise"
"github.com/jroimartin/gocui"
vors "go.stargrave.org/vors/internal"
"golang.org/x/crypto/blake2s"
- "golang.org/x/crypto/chacha20"
- "golang.org/x/crypto/poly1305"
)
var (
@@ -257,12 +256,17 @@ func newPeer(conn *net.TCPConn) {
}
{
- h, err := blake2s.New256(hs.ChannelBinding())
+ xof, err := blake2s.NewXOF(32+16, nil)
if err != nil {
log.Fatalln(err)
}
- h.Write([]byte(vors.NoisePrologue))
- peer.key = h.Sum(nil)
+ xof.Write([]byte(vors.NoisePrologue))
+ xof.Write(hs.ChannelBinding())
+ peer.key = make([]byte, 32+16)
+ if _, err = io.ReadFull(xof, peer.key); err != nil {
+ log.Fatalln(err)
+ }
+ peer.mac = siphash.New(peer.key[32:])
}
{
@@ -379,11 +383,7 @@ func main() {
var err error
var sid byte
var peer *Peer
- var ciph *chacha20.Cipher
- var macKey [32]byte
- var mac *poly1305.MAC
- tag := make([]byte, poly1305.TagSize)
- nonce := make([]byte, 12)
+ tag := make([]byte, siphash.Size)
for {
n, from, err = lnUDP.ReadFromUDP(buf)
if err != nil {
@@ -422,27 +422,19 @@ func main() {
if n == 1 {
continue
}
- if n <= 4+vors.TagLen {
+ if n <= 4+siphash.Size {
peer.stats.bads++
continue
}
- copy(nonce[len(nonce)-4:], buf)
- ciph, err = chacha20.NewUnauthenticatedCipher(peer.key, nonce)
- if err != nil {
- log.Fatal(err)
- }
- clear(macKey[:])
- ciph.XORKeyStream(macKey[:], macKey[:])
- ciph.SetCounter(1)
- mac = poly1305.New(&macKey)
- if _, err = mac.Write(buf[4 : n-vors.TagLen]); err != nil {
+ peer.mac.Reset()
+ if _, err = peer.mac.Write(buf[: n-siphash.Size]); err != nil {
log.Fatal(err)
}
- mac.Sum(tag[:0])
+ peer.mac.Sum(tag[:0])
if subtle.ConstantTimeCompare(
- tag[:vors.TagLen],
- buf[n-vors.TagLen:n],
+ tag[:siphash.Size],
+ buf[n-siphash.Size:n],
) != 1 {
peer.stats.bads++
continue
diff --git a/cmd/server/peer.go b/cmd/server/peer.go
index d1e078a..82c569d 100644
--- a/cmd/server/peer.go
+++ b/cmd/server/peer.go
@@ -1,6 +1,7 @@
package main
import (
+ "hash"
"log/slog"
"net"
"sync"
@@ -29,6 +30,7 @@ type Peer struct {
sid byte
addr *net.UDPAddr
key []byte
+ mac hash.Hash
stats *Stats
room *Room
diff --git a/doc/features.texi b/doc/features.texi
index 8987ded..27f5881 100644
--- a/doc/features.texi
+++ b/doc/features.texi
@@ -11,9 +11,11 @@ is single client speaking at one time.
Concealment) and DTX (discontinuous transmission) features enabled.
Optional VAD (voice activity detection).
-@item Noise protocol-based handshake over TCP between client and server
-for creating authenticated encrypted channel and authentication based on
-server's public key knowledge.
+@item Noise protocol-based 0-RTT handshake over TCP between client and
+server for creating authenticated encrypted channel and authentication
+based on server's public key knowledge.
+
+@item Fast ChaCha20 encryption with SipHash24 message authentication.
@item Rooms, optionally password protected.
diff --git a/doc/index.texi b/doc/index.texi
index b1b19ee..b1c2fb9 100644
--- a/doc/index.texi
+++ b/doc/index.texi
@@ -43,7 +43,7 @@ stop trying to use and revive legacy obsolete IPv4. Either use some
overlay network on top of it, or VPN, whatever.
@item Mono-cypher, mono-codec protocol. The @url{https://opus-codec.org/, Opus}
-audio codec is perfect for VoIP tasks. ChaCha20-Poly1305 is more than
+audio codec is perfect for VoIP tasks. ChaCha20 is more than
appropriate and satisfies as fast and secure encryption solution.
@float
diff --git a/doc/integrity.texi b/doc/integrity.texi
index e26a34d..59815f8 100644
--- a/doc/integrity.texi
+++ b/doc/integrity.texi
@@ -6,6 +6,6 @@ that you retrieved trusted and untampered software.
Its fingerprint: @code{SHA256:qmlbyzvDRNXGJNxteapAWOmJRrBrZ7afLsEqr36M6kA}.
@example
-$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I vors@@cypherpunks.ru -n file \
- -s vors-@value{VERSION}.tar.zst.sig < vors-@value{VERSION}.tar.zst
+$ ssh-keygen -Y verify -f PUBKEY-SSH.pub -I vors@@stargrave.org -n file \
+ -s vors-@value{VERSION}.tar.zst.sig <vors-@value{VERSION}.tar.zst
@end example
diff --git a/doc/proto.texi b/doc/proto.texi
index b420984..a1af4d4 100644
--- a/doc/proto.texi
+++ b/doc/proto.texi
@@ -10,10 +10,10 @@ Each frame has a single byte stream identifier (unique identifier of the
participant) and 24-bit big-endian packet counter. Reordered packets are
dropped. 24-bit counter is long enough for very long talk sessions.
-Each packet is encrypted with ChaCha20-Poly1305. The key is generated
-during the handshake procedure with the server and is shared among the
-other participants. The stream identifier together with the packet
-counter is used as a nonce. Only 64-bits of Poly1305 are used.
+Each packet is encrypted with ChaCha20 and authenticated with SipHash24.
+The keys are generated during the handshake procedure with the server
+and is shared among the other participants. The stream identifier
+together with the packet counter is used as a nonce.
It is tuned for 24Kbps bandwidth. But remember that it has additional 8B
of MAC tag, 4B VoRS, 8B UDP and 40B IPv6 headers.
diff --git a/go.mod b/go.mod
index 0276bb7..563ffc7 100644
--- a/go.mod
+++ b/go.mod
@@ -3,6 +3,7 @@ module go.stargrave.org/vors
go 1.21
require (
+ github.com/dchest/siphash v1.2.3
github.com/dustin/go-humanize v1.0.1
github.com/flynn/noise v1.1.0
github.com/jroimartin/gocui v0.5.0
diff --git a/go.sum b/go.sum
index c4ccfe2..4646fd1 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+github.com/dchest/siphash v1.2.3 h1:QXwFc8cFOR2dSa/gE6o/HokBMWtLUaNDVd+22aKHeEA=
+github.com/dchest/siphash v1.2.3/go.mod h1:0NvQU092bT0ipiFN++/rXm69QG9tVxLAlQHIXMPAkHc=
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/flynn/noise v1.1.0 h1:KjPQoQCEFdZDiP03phOvGi11+SVVhBG2wOWAorLsstg=
diff --git a/internal/noise.go b/internal/noise.go
index 5e4b883..365a39c 100644
--- a/internal/noise.go
+++ b/internal/noise.go
@@ -8,7 +8,7 @@ import (
"github.com/flynn/noise"
)
-const NoisePrologue = "VoRS v1"
+const NoisePrologue = "VoRS v2"
var NoiseCipherSuite = noise.NewCipherSuite(
noise.DH25519,
diff --git a/internal/var.go b/internal/var.go
index 8236a4d..0ef1d5a 100644
--- a/internal/var.go
+++ b/internal/var.go
@@ -6,8 +6,6 @@ import (
)
const (
- TagLen = 8
-
CmdPing = "PING"
CmdPong = "PONG"
CmdAdd = "ADD"
diff --git a/internal/version.go b/internal/version.go
index 28dd1a0..f454ea5 100644
--- a/internal/version.go
+++ b/internal/version.go
@@ -3,7 +3,7 @@ package internal
import "runtime"
const (
- Version = "1.0.0"
+ Version = "2.0.0"
Warranty = `Copyright (C) 2024 Sergey Matveev
This program is free software: you can redistribute it and/or modify
--
2.51.0