2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "chacha-poly1305/chacha-poly1305.h"
32 #include <openssl/evp.h>
35 unsigned int sptps_replaywin = 16;
38 Nonce MUST be exchanged first (done)
39 Signatures MUST be done over both nonces, to guarantee the signature is fresh
40 Otherwise: if ECDHE key of one side is compromised, it can be reused!
42 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
44 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
46 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
48 Explicit close message needs to be added.
50 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
52 Use counter mode instead of OFB. (done)
54 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
57 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
64 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
68 vfprintf(stderr, format, ap);
72 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
74 // Log an error message.
75 static bool error(sptps_t *s, int s_errno, const char *format, ...) ATTR_FORMAT(printf, 3, 4);
76 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
83 sptps_log(s, s_errno, format, ap);
91 static void warning(sptps_t *s, const char *format, ...) ATTR_FORMAT(printf, 2, 3);
92 static void warning(sptps_t *s, const char *format, ...) {
95 sptps_log(s, 0, format, ap);
99 static sptps_kex_t *new_sptps_kex(void) {
100 return xzalloc(sizeof(sptps_kex_t));
103 static void free_sptps_kex(sptps_kex_t *kex) {
104 xzfree(kex, sizeof(sptps_kex_t));
107 static sptps_key_t *new_sptps_key(void) {
108 return xzalloc(sizeof(sptps_key_t));
111 static void free_sptps_key(sptps_key_t *key) {
112 xzfree(key, sizeof(sptps_key_t));
115 static bool cipher_init(uint8_t suite, void **ctx, const sptps_key_t *keys, bool key_half) {
116 const uint8_t *key = key_half ? keys->key1 : keys->key0;
119 case SPTPS_CHACHA_POLY1305:
120 *ctx = chacha_poly1305_init();
121 return ctx && chacha_poly1305_set_key(*ctx, key);
123 case SPTPS_AES256_GCM:
125 *ctx = EVP_CIPHER_CTX_new();
131 return EVP_EncryptInit_ex(*ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)
132 && EVP_CIPHER_CTX_ctrl(*ctx, EVP_CTRL_AEAD_SET_IVLEN, 4, NULL)
133 && EVP_EncryptInit_ex(*ctx, NULL, NULL, key, key + 32);
141 static void cipher_exit(uint8_t suite, void *ctx) {
143 case SPTPS_CHACHA_POLY1305:
144 chacha_poly1305_exit(ctx);
147 case SPTPS_AES256_GCM:
149 EVP_CIPHER_CTX_free(ctx);
158 static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) {
160 case SPTPS_CHACHA_POLY1305:
161 chacha_poly1305_encrypt(ctx, seqno, in, inlen, out, outlen);
164 case SPTPS_AES256_GCM:
167 if(!EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, (uint8_t *)&seqno)) {
171 int outlen1 = 0, outlen2 = 0;
173 if(!EVP_EncryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
177 if(!EVP_EncryptFinal_ex(ctx, out + outlen1, &outlen2)) {
183 if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, out + outlen1)) {
203 static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8_t *in, size_t inlen, uint8_t *out, size_t *outlen) {
205 case SPTPS_CHACHA_POLY1305:
206 return chacha_poly1305_decrypt(ctx, seqno, in, inlen, out, outlen);
208 case SPTPS_AES256_GCM:
217 if(!EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, (uint8_t *)&seqno)) {
221 int outlen1 = 0, outlen2 = 0;
223 if(!EVP_DecryptUpdate(ctx, out, &outlen1, in, (int)inlen)) {
227 if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void *)(in + inlen))) {
231 if(!EVP_DecryptFinal_ex(ctx, out + outlen1, &outlen2)) {
236 *outlen = outlen1 + outlen2;
249 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
250 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
251 uint8_t *buffer = alloca(len + SPTPS_DATAGRAM_OVERHEAD);
252 // Create header with sequence number, length and record type
253 uint32_t seqno = s->outseqno++;
255 memcpy(buffer, &seqno, 4);
257 memcpy(buffer + 5, data, len);
260 // If first handshake has finished, encrypt and HMAC
261 if(!cipher_encrypt(s->cipher_suite, s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL)) {
262 return error(s, EINVAL, "Failed to encrypt message");
265 return s->send_data(s->handle, type, buffer, len + SPTPS_DATAGRAM_OVERHEAD);
267 // Otherwise send as plaintext
268 return s->send_data(s->handle, type, buffer, len + SPTPS_DATAGRAM_HEADER);
271 // Send a record (private version, accepts all record types, handles encryption and authentication).
272 static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
274 return send_record_priv_datagram(s, type, data, len);
277 uint8_t *buffer = alloca(len + SPTPS_OVERHEAD);
279 // Create header with sequence number, length and record type
280 uint32_t seqno = s->outseqno++;
281 uint16_t netlen = len;
283 memcpy(buffer, &netlen, 2);
285 memcpy(buffer + 3, data, len);
288 // If first handshake has finished, encrypt and HMAC
289 if(!cipher_encrypt(s->cipher_suite, s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL)) {
290 return error(s, EINVAL, "Failed to encrypt message");
293 return s->send_data(s->handle, type, buffer, len + SPTPS_OVERHEAD);
295 // Otherwise send as plaintext
296 return s->send_data(s->handle, type, buffer, len + SPTPS_HEADER);
300 // Send an application record.
301 bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
302 // Sanity checks: application cannot send data before handshake is finished,
303 // and only record types 0..127 are allowed.
305 return error(s, EINVAL, "Handshake phase not finished yet");
308 if(type >= SPTPS_HANDSHAKE) {
309 return error(s, EINVAL, "Invalid application record type");
312 return send_record_priv(s, type, data, len);
315 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
316 static bool send_kex(sptps_t *s) {
317 // Make room for our KEX message, which we will keep around since send_sig() needs it.
322 s->mykex = new_sptps_kex();
324 // Set version byte to zero.
325 s->mykex->version = SPTPS_VERSION;
326 s->mykex->preferred_suite = s->preferred_suite;
327 s->mykex->cipher_suites = s->cipher_suites;
329 // Create a random nonce.
330 randomize(s->mykex->nonce, ECDH_SIZE);
332 // Create a new ECDH public key.
333 if(!(s->ecdh = ecdh_generate_public(s->mykex->pubkey))) {
334 return error(s, EINVAL, "Failed to generate ECDH public key");
337 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, sizeof(sptps_kex_t));
340 static size_t sigmsg_len(size_t labellen) {
341 return 1 + 2 * sizeof(sptps_kex_t) + labellen;
344 static void fill_msg(uint8_t *msg, bool initiator, const sptps_kex_t *kex0, const sptps_kex_t *kex1, const sptps_t *s) {
345 *msg = initiator, msg++;
346 memcpy(msg, kex0, sizeof(*kex0)), msg += sizeof(*kex0);
347 memcpy(msg, kex1, sizeof(*kex1)), msg += sizeof(*kex1);
348 memcpy(msg, s->label, s->labellen);
351 // Send a SIGnature record, containing an Ed25519 signature over both KEX records.
352 static bool send_sig(sptps_t *s) {
353 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
354 size_t msglen = sigmsg_len(s->labellen);
355 uint8_t *msg = alloca(msglen);
356 fill_msg(msg, s->initiator, s->mykex, s->hiskex, s);
359 size_t siglen = ecdsa_size(s->mykey);
360 uint8_t *sig = alloca(siglen);
362 if(!ecdsa_sign(s->mykey, msg, msglen, sig)) {
363 return error(s, EINVAL, "Failed to sign SIG record");
366 // Send the SIG exchange record.
367 return send_record_priv(s, SPTPS_HANDSHAKE, sig, siglen);
370 // Generate key material from the shared secret created from the ECDHE key exchange.
371 static bool generate_key_material(sptps_t *s, const uint8_t *shared, size_t len) {
372 // Allocate memory for key material
373 s->key = new_sptps_key();
375 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
376 const size_t msglen = sizeof("key expansion") - 1;
377 const size_t seedlen = msglen + s->labellen + ECDH_SIZE * 2;
378 uint8_t *seed = alloca(seedlen);
381 memcpy(ptr, "key expansion", msglen);
384 memcpy(ptr, (s->initiator ? s->mykex : s->hiskex)->nonce, ECDH_SIZE);
387 memcpy(ptr, (s->initiator ? s->hiskex : s->mykex)->nonce, ECDH_SIZE);
390 memcpy(ptr, s->label, s->labellen);
392 // Use PRF to generate the key material
393 if(!prf(shared, len, seed, seedlen, s->key->both, sizeof(sptps_key_t))) {
394 return error(s, EINVAL, "Failed to generate key material");
400 // Send an ACKnowledgement record.
401 static bool send_ack(sptps_t *s) {
402 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
405 // Receive an ACKnowledgement record.
406 static bool receive_ack(sptps_t *s, const uint8_t *data, uint16_t len) {
410 return error(s, EIO, "Invalid ACK record length");
413 if(!cipher_init(s->cipher_suite, &s->incipher, s->key, s->initiator)) {
414 return error(s, EINVAL, "Failed to initialize cipher");
417 free_sptps_key(s->key);
424 static uint8_t select_cipher_suite(uint16_t mask, uint8_t pref1, uint8_t pref2) {
425 // Check if there is a viable preference, if so select the lowest one
426 uint8_t selection = 255;
428 if(mask & (1U << pref1)) {
432 if(pref2 < selection && (mask & (1U << pref2))) {
436 // Otherwise, select the lowest cipher suite both sides support
437 if(selection == 255) {
440 while(!(mask & 1U)) {
449 // Receive a Key EXchange record, respond by sending a SIG record.
450 static bool receive_kex(sptps_t *s, const uint8_t *data, uint16_t len) {
451 // Verify length of the HELLO record
453 if(len != sizeof(sptps_kex_t)) {
454 return error(s, EIO, "Invalid KEX record length");
457 if(*data != SPTPS_VERSION) {
458 return error(s, EINVAL, "Received incorrect version %d", *data);
462 memcpy(&suites, data + 2, 2);
463 suites &= s->cipher_suites;
466 return error(s, EIO, "No matching cipher suites");
469 s->cipher_suite = select_cipher_suite(suites, s->preferred_suite, data[1] & 0xf);
471 // Make a copy of the KEX message, send_sig() and receive_sig() need it
473 return error(s, EINVAL, "Received a second KEX message before first has been processed");
476 s->hiskex = new_sptps_kex();
477 memcpy(s->hiskex, data, sizeof(sptps_kex_t));
486 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
487 static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
488 // Verify length of KEX record.
489 if(len != ecdsa_size(s->hiskey)) {
490 return error(s, EIO, "Invalid KEX record length");
493 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
494 const size_t msglen = sigmsg_len(s->labellen);
495 uint8_t *msg = alloca(msglen);
496 fill_msg(msg, !s->initiator, s->hiskex, s->mykex, s);
499 if(!ecdsa_verify(s->hiskey, msg, msglen, data)) {
500 return error(s, EIO, "Failed to verify SIG record");
503 // Compute shared secret.
504 uint8_t shared[ECDH_SHARED_SIZE];
506 if(!ecdh_compute_shared(s->ecdh, s->hiskex->pubkey, shared)) {
507 memzero(shared, sizeof(shared));
508 return error(s, EINVAL, "Failed to compute ECDH shared secret");
513 // Generate key material from shared secret.
514 bool generated = generate_key_material(s, shared, sizeof(shared));
515 memzero(shared, sizeof(shared));
521 if(!s->initiator && !send_sig(s)) {
525 free_sptps_kex(s->mykex);
528 free_sptps_kex(s->hiskex);
531 // Send cipher change record
532 if(s->outstate && !send_ack(s)) {
536 if(!cipher_init(s->cipher_suite, &s->outcipher, s->key, !s->initiator)) {
537 return error(s, EINVAL, "Failed to initialize cipher");
543 // Force another Key EXchange (for testing purposes).
544 bool sptps_force_kex(sptps_t *s) {
545 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
546 return error(s, EINVAL, "Cannot force KEX in current state");
549 s->state = SPTPS_KEX;
553 // Receive a handshake record.
554 static bool receive_handshake(sptps_t *s, const uint8_t *data, uint16_t len) {
555 // Only a few states to deal with handshaking.
557 case SPTPS_SECONDARY_KEX:
559 // We receive a secondary KEX request, first respond by sending our own.
567 // We have sent our KEX request, we expect our peer to sent one as well.
568 if(!receive_kex(s, data, len)) {
572 s->state = SPTPS_SIG;
577 // If we already sent our secondary public ECDH key, we expect the peer to send his.
578 if(!receive_sig(s, data, len)) {
583 s->state = SPTPS_ACK;
587 if(!receive_ack(s, NULL, 0)) {
591 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
592 s->state = SPTPS_SECONDARY_KEX;
599 // We expect a handshake message to indicate transition to the new keys.
600 if(!receive_ack(s, data, len)) {
604 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
605 s->state = SPTPS_SECONDARY_KEX;
608 // TODO: split ACK into a VERify and ACK?
610 return error(s, EIO, "Invalid session state %d", s->state);
614 static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
615 // Replay protection using a sliding window of configurable size.
616 // s->inseqno is expected sequence number
617 // seqno is received sequence number
618 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
619 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
621 if(seqno != s->inseqno) {
622 if(seqno >= s->inseqno + s->replaywin * 8) {
623 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
624 bool farfuture = s->farfuture < s->replaywin >> 2;
631 return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
634 // Unless we have seen lots of them, in which case we consider the others lost.
636 warning(s, "Lost %d packets\n", seqno - s->inseqno);
640 // Mark all packets in the replay window as being late.
641 memset(s->late, 255, s->replaywin);
643 } else if(seqno < s->inseqno) {
644 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
645 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
646 return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
648 } else if(update_state) {
649 // We missed some packets. Mark them in the bitmap as being late.
650 for(uint32_t i = s->inseqno; i < seqno; i++) {
651 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
657 // Mark the current packet as not being late.
658 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
664 if(seqno >= s->inseqno) {
665 s->inseqno = seqno + 1;
678 // Check datagram for valid HMAC
679 bool sptps_verify_datagram(sptps_t *s, const void *vdata, size_t len) {
680 if(!s->instate || len < 21) {
681 return error(s, EIO, "Received short packet");
684 const uint8_t *data = vdata;
686 memcpy(&seqno, data, 4);
688 if(!sptps_check_seqno(s, seqno, false)) {
692 uint8_t *buffer = alloca(len);
693 return cipher_decrypt(s->cipher_suite, s->incipher, seqno, data + 4, len - 4, buffer, NULL);
696 // Receive incoming data, datagram version.
697 static bool sptps_receive_data_datagram(sptps_t *s, const uint8_t *data, size_t len) {
698 if(len < (s->instate ? 21 : 5)) {
699 return error(s, EIO, "Received short packet");
703 memcpy(&seqno, data, 4);
708 if(seqno != s->inseqno) {
709 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
712 s->inseqno = seqno + 1;
714 uint8_t type = *(data++);
717 if(type != SPTPS_HANDSHAKE) {
718 return error(s, EIO, "Application record received before handshake finished");
721 return receive_handshake(s, data, len);
726 uint8_t *buffer = alloca(len);
729 if(!cipher_decrypt(s->cipher_suite, s->incipher, seqno, data, len, buffer, &outlen)) {
730 return error(s, EIO, "Failed to decrypt and verify packet");
733 if(!sptps_check_seqno(s, seqno, true)) {
737 // Append a NULL byte for safety.
743 uint8_t type = *(data++);
746 if(type < SPTPS_HANDSHAKE) {
748 return error(s, EIO, "Application record received before handshake finished");
751 if(!s->receive_record(s->handle, type, data, len)) {
754 } else if(type == SPTPS_HANDSHAKE) {
755 if(!receive_handshake(s, data, len)) {
759 return error(s, EIO, "Invalid record type %d", type);
765 // Receive incoming data. Check if it contains a complete record, if so, handle it.
766 size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
767 const uint8_t *data = vdata;
768 size_t total_read = 0;
771 return error(s, EIO, "Invalid session state zero");
775 return sptps_receive_data_datagram(s, data, len) ? len : false;
778 // First read the 2 length bytes.
780 size_t toread = 2 - s->buflen;
786 memcpy(s->inbuf + s->buflen, data, toread);
788 total_read += toread;
793 // Exit early if we don't have the full length.
798 // Get the length bytes
800 memcpy(&s->reclen, s->inbuf, 2);
802 // If we have the length bytes, ensure our buffer can hold the whole request.
803 s->inbuf = realloc(s->inbuf, s->reclen + SPTPS_OVERHEAD);
806 return error(s, errno, "%s", strerror(errno));
809 // Exit early if we have no more data to process.
815 // Read up to the end of the record.
816 size_t toread = s->reclen + (s->instate ? SPTPS_OVERHEAD : SPTPS_HEADER) - s->buflen;
822 memcpy(s->inbuf + s->buflen, data, toread);
823 total_read += toread;
826 // If we don't have a whole record, exit.
827 if(s->buflen < s->reclen + (s->instate ? SPTPS_OVERHEAD : SPTPS_HEADER)) {
831 // Update sequence number.
833 uint32_t seqno = s->inseqno++;
835 // Check HMAC and decrypt.
837 if(!cipher_decrypt(s->cipher_suite, s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
838 return error(s, EINVAL, "Failed to decrypt and verify record");
842 // Append a NULL byte for safety.
843 s->inbuf[s->reclen + SPTPS_HEADER] = 0;
845 uint8_t type = s->inbuf[2];
847 if(type < SPTPS_HANDSHAKE) {
849 return error(s, EIO, "Application record received before handshake finished");
852 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
855 } else if(type == SPTPS_HANDSHAKE) {
856 if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
860 return error(s, EIO, "Invalid record type %d", type);
868 // Start a SPTPS session.
869 bool sptps_start(sptps_t *s, const sptps_params_t *params) {
870 // Initialise struct sptps
871 memset(s, 0, sizeof(*s));
873 s->handle = params->handle;
874 s->initiator = params->initiator;
875 s->datagram = params->datagram;
876 s->mykey = params->mykey;
877 s->hiskey = params->hiskey;
878 s->replaywin = sptps_replaywin;
879 s->cipher_suites = params->cipher_suites ? params->cipher_suites & SPTPS_ALL_CIPHER_SUITES : SPTPS_ALL_CIPHER_SUITES;
880 s->preferred_suite = params->preferred_suite;
883 s->late = malloc(s->replaywin);
886 return error(s, errno, "%s", strerror(errno));
889 memset(s->late, 0, s->replaywin);
892 s->labellen = params->labellen ? params->labellen : strlen(params->label);
893 s->label = malloc(s->labellen);
896 return error(s, errno, "%s", strerror(errno));
899 memcpy(s->label, params->label, s->labellen);
902 s->inbuf = malloc(7);
905 return error(s, errno, "%s", strerror(errno));
912 s->send_data = params->send_data;
913 s->receive_record = params->receive_record;
915 // Do first KEX immediately
916 s->state = SPTPS_KEX;
920 // Stop a SPTPS session.
921 bool sptps_stop(sptps_t *s) {
922 // Clean up any resources.
923 cipher_exit(s->cipher_suite, s->incipher);
924 cipher_exit(s->cipher_suite, s->outcipher);
927 free_sptps_kex(s->mykex);
928 free_sptps_kex(s->hiskex);
929 free_sptps_key(s->key);
932 memset(s, 0, sizeof(*s));