From 23b2712400628095bcf8fa5406d93f5440269d69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Tue, 10 Jan 2017 23:34:21 -0500
Subject: [PATCH] dht: use SHA265 instead of SHA512 for the op token

The op token is renewed regularly (around every 30 minutes),
so SHA256 provides enough security for this non-sensitive token.
SHA256 takes 32 bytes instead of 64 bytes for SHA512,
and the token is included in every listen requests,
renewed every 30 seconds, and every answer to get.
In the context of limited bandwith usage, using SHA256 seems more appropriate.
This change is backward and forward compatible.
---
 include/opendht/dht.h | 2 +-
 src/dht.cpp           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/include/opendht/dht.h b/include/opendht/dht.h
index 8d1303db..82e7136d 100644
--- a/include/opendht/dht.h
+++ b/include/opendht/dht.h
@@ -348,7 +348,7 @@ private:
 
     static constexpr std::chrono::seconds REANNOUNCE_MARGIN {10};
 
-    static constexpr size_t TOKEN_SIZE {64};
+    static constexpr size_t TOKEN_SIZE {32};
 
     // internal structures
     struct SearchNode;
diff --git a/src/dht.cpp b/src/dht.cpp
index 21441970..72a29ffd 100644
--- a/src/dht.cpp
+++ b/src/dht.cpp
@@ -2461,8 +2461,8 @@ Dht::makeToken(const sockaddr *sa, bool old) const
     Blob ret {};
     ret.resize(sz);
     gnutls_datum_t gnudata = {data.data(), (unsigned int)data.size()};
-    if (gnutls_fingerprint(GNUTLS_DIG_SHA512, &gnudata, ret.data(), &sz) != GNUTLS_E_SUCCESS)
-        throw DhtException("Can't compute SHA512");
+    if (gnutls_fingerprint(GNUTLS_DIG_SHA256, &gnudata, ret.data(), &sz) != GNUTLS_E_SUCCESS)
+        throw DhtException("Can't compute SHA256");
     ret.resize(sz);
     return ret;
 }
-- 
GitLab