Back out NaCl since the old one with xmm6 salsa2012 does not support multi-block use and the new one is slower.

node/Node.cpp

@@ -50,7 +50,6 @@ Node::Node(void *uptr,void *tptr,const struct ZT_Node_Callbacks *callbacks,uint6
 	_RR(this),
 	RR(&_RR),
 	_uPtr(uptr),
-	_prngStreamPtr(0),
 	_now(now),
 	_lastPingCheck(0),
 	_lastHousekeepingRun(0)
@@ -59,19 +58,14 @@ Node::Node(void *uptr,void *tptr,const struct ZT_Node_Callbacks *callbacks,uint6
 		throw std::runtime_error("callbacks struct version mismatch");
 	memcpy(&_cb,callbacks,sizeof(ZT_Node_Callbacks));
 
+	Utils::getSecureRandom((void *)_prngState,sizeof(_prngState));
+
 	_online = false;
 
 	memset(_expectingRepliesToBucketPtr,0,sizeof(_expectingRepliesToBucketPtr));
 	memset(_expectingRepliesTo,0,sizeof(_expectingRepliesTo));
 	memset(_lastIdentityVerification,0,sizeof(_lastIdentityVerification));
 
-	// Use Salsa20 alone as a high-quality non-crypto PRNG
-	char foo[64];
-	Utils::getSecureRandom(foo,64);
-	_prng.init(foo,foo + 32);
-	memset(_prngStream,0,sizeof(_prngStream));
-	_prng.crypt12(_prngStream,_prngStream,sizeof(_prngStream));
-
 	std::string idtmp(dataStoreGet(tptr,"identity.secret"));
 	if ((!idtmp.length())||(!RR->identity.fromString(idtmp))||(!RR->identity.hasPrivate())) {
 		TRACE("identity.secret not found, generating...");
@@ -701,10 +695,14 @@ void Node::postTrace(const char *module,unsigned int line,const char *fmt,...)
 
 uint64_t Node::prng()
 {
-	unsigned int p = (++_prngStreamPtr % ZT_NODE_PRNG_BUF_SIZE);
-	if (!p)
-		_prng.crypt12(_prngStream,_prngStream,sizeof(_prngStream));
-	return _prngStream[p];
+	// https://en.wikipedia.org/wiki/Xorshift#xorshift.2B
+	uint64_t x = _prngState[0];
+	const uint64_t y = _prngState[1];
+	_prngState[0] = y;
+	x ^= x << 23;
+	const uint64_t z = x ^ y ^ (x >> 17) ^ (y >> 26);
+	_prngState[1] = z;
+	return z + y;
 }
 
 void Node::postCircuitTestReport(const ZT_CircuitTestReport *report)

node/Node.hpp

@@ -50,9 +50,6 @@
 #define ZT_EXPECTING_REPLIES_BUCKET_MASK1 255
 #define ZT_EXPECTING_REPLIES_BUCKET_MASK2 31
 
-// Size of PRNG stream buffer
-#define ZT_NODE_PRNG_BUF_SIZE 64
-
 namespace ZeroTier {
 
 class World;
@@ -312,13 +309,10 @@ private:
 
 	Mutex _backgroundTasksLock;
 
-	unsigned int _prngStreamPtr;
-	Salsa20 _prng;
-	uint64_t _prngStream[ZT_NODE_PRNG_BUF_SIZE]; // repeatedly encrypted with _prng to yield a high-quality non-crypto PRNG stream
-
 	uint64_t _now;
 	uint64_t _lastPingCheck;
 	uint64_t _lastHousekeepingRun;
+	volatile uint64_t _prngState[2];
 	bool _online;
 };
 

node/Salsa20.cpp

@@ -10,8 +10,6 @@
 #include "Constants.hpp"
 #include "Salsa20.hpp"
 
-#ifndef ZT_USE_LIBSODIUM
-
 #define ROTATE(v,c) (((v) << (c)) | ((v) >> (32 - (c))))
 #define XOR(v,w) ((v) ^ (w))
 #define PLUS(v,w) ((uint32_t)((v) + (w)))
@@ -1345,5 +1343,3 @@ void Salsa20::crypt20(const void *in,void *out,unsigned int bytes)
 }
 
 } // namespace ZeroTier
-
-#endif // !ZT_USE_LIBSODIUM

node/Salsa20.hpp

@@ -15,77 +15,6 @@
 #include "Constants.hpp"
 #include "Utils.hpp"
 
-#ifdef ZT_USE_LIBSODIUM
-
-#include <sodium/crypto_stream_salsa20.h>
-#include <sodium/crypto_stream_salsa2012.h>
-
-namespace ZeroTier {
-
-/**
- * Salsa20 stream cipher
- */
-class Salsa20
-{
-public:
-	Salsa20() {}
-	~Salsa20() { Utils::burn(_k,sizeof(_k)); }
-
-	/**
-	 * @param key 256-bit (32 byte) key
-	 * @param iv 64-bit initialization vector
-	 */
-	Salsa20(const void *key,const void *iv)
-	{
-		memcpy(_k,key,32);
-		memcpy(&_iv,iv,8);
-	}
-
-	/**
-	 * Initialize cipher
-	 *
-	 * @param key Key bits
-	 * @param iv 64-bit initialization vector
-	 */
-	inline void init(const void *key,const void *iv)
-	{
-		memcpy(_k,key,32);
-		memcpy(&_iv,iv,8);
-	}
-
-	/**
-	 * Encrypt/decrypt data using Salsa20/12
-	 *
-	 * @param in Input data
-	 * @param out Output buffer
-	 * @param bytes Length of data
-	 */
-	inline void crypt12(const void *in,void *out,unsigned int bytes)
-	{
-		crypto_stream_salsa2012_xor(reinterpret_cast<unsigned char *>(out),reinterpret_cast<const unsigned char *>(in),bytes,reinterpret_cast<const unsigned char *>(&_iv),reinterpret_cast<const unsigned char *>(_k));
-	}
-
-	/**
-	 * Encrypt/decrypt data using Salsa20/20
-	 *
-	 * @param in Input data
-	 * @param out Output buffer
-	 * @param bytes Length of data
-	 */
-	inline void crypt20(const void *in,void *out,unsigned int bytes)
-	{
-		crypto_stream_salsa20_xor(reinterpret_cast<unsigned char *>(out),reinterpret_cast<const unsigned char *>(in),bytes,reinterpret_cast<const unsigned char *>(&_iv),reinterpret_cast<const unsigned char *>(_k));
-	}
-
-private:
-	uint64_t _k[4];
-	uint64_t _iv;
-};
-
-} // namespace ZeroTier
-
-#else // !ZT_USE_LIBSODIUM
-
 #if (!defined(ZT_SALSA20_SSE)) && (defined(__SSE2__) || defined(__WINDOWS__))
 #define ZT_SALSA20_SSE 1
 #endif
@@ -105,6 +34,11 @@ public:
 	Salsa20() {}
 	~Salsa20() { Utils::burn(&_state,sizeof(_state)); }
 
+	/**
+	 * If this returns true, crypt can only be done once
+	 */
+	static inline bool singleUseOnly() { return false; }
+
 	/**
 	 * @param key 256-bit (32 byte) key
 	 * @param iv 64-bit initialization vector
@@ -151,6 +85,4 @@ private:
 
 } // namespace ZeroTier
 
-#endif // ZT_USE_LIBSODIUM
-
 #endif

node/Utils.cpp

@@ -177,6 +177,7 @@ void Utils::getSecureRandom(void *buf,unsigned int bytes)
 			}
 			randomPtr = 0;
 			s20.crypt12(randomBuf,randomBuf,sizeof(randomBuf));
+			s20.init(randomBuf,randomBuf);
 		}
 		((uint8_t *)buf)[i] = randomBuf[randomPtr++];
 	}
@@ -209,6 +210,7 @@ void Utils::getSecureRandom(void *buf,unsigned int bytes)
 			}
 			randomPtr = 0;
 			s20.crypt12(randomBuf,randomBuf,sizeof(randomBuf));
+			s20.init(randomBuf,randomBuf);
 		}
 		((uint8_t *)buf)[i] = randomBuf[randomPtr++];
 	}