2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "chacha-poly1305/chacha-poly1305.h"
31 unsigned int sptps_replaywin = 16;
34 Nonce MUST be exchanged first (done)
35 Signatures MUST be done over both nonces, to guarantee the signature is fresh
36 Otherwise: if ECDHE key of one side is compromised, it can be reused!
38 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
40 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
42 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
44 Explicit close message needs to be added.
46 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
48 Use counter mode instead of OFB. (done)
50 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
53 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
56 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
57 vfprintf(stderr, format, ap);
61 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
63 // Log an error message.
64 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
68 sptps_log(s, s_errno, format, ap);
76 static void warning(sptps_t *s, const char *format, ...) {
79 sptps_log(s, 0, format, ap);
83 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
84 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
85 char buffer[len + 21UL];
87 // Create header with sequence number, length and record type
88 uint32_t seqno = s->outseqno++;
89 uint32_t netseqno = ntohl(seqno);
91 memcpy(buffer, &netseqno, 4);
93 memcpy(buffer + 5, data, len);
96 // If first handshake has finished, encrypt and HMAC
97 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
98 return s->send_data(s->handle, type, buffer, len + 21UL);
100 // Otherwise send as plaintext
101 return s->send_data(s->handle, type, buffer, len + 5UL);
104 // Send a record (private version, accepts all record types, handles encryption and authentication).
105 static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
107 return send_record_priv_datagram(s, type, data, len);
110 char buffer[len + 19UL];
112 // Create header with sequence number, length and record type
113 uint32_t seqno = s->outseqno++;
114 uint16_t netlen = htons(len);
116 memcpy(buffer, &netlen, 2);
118 memcpy(buffer + 3, data, len);
121 // If first handshake has finished, encrypt and HMAC
122 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
123 return s->send_data(s->handle, type, buffer, len + 19UL);
125 // Otherwise send as plaintext
126 return s->send_data(s->handle, type, buffer, len + 3UL);
130 // Send an application record.
131 bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
132 // Sanity checks: application cannot send data before handshake is finished,
133 // and only record types 0..127 are allowed.
135 return error(s, EINVAL, "Handshake phase not finished yet");
138 if(type >= SPTPS_HANDSHAKE) {
139 return error(s, EINVAL, "Invalid application record type");
142 return send_record_priv(s, type, data, len);
145 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
146 static bool send_kex(sptps_t *s) {
147 size_t keylen = ECDH_SIZE;
149 // Make room for our KEX message, which we will keep around since send_sig() needs it.
154 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
157 return error(s, errno, strerror(errno));
160 // Set version byte to zero.
161 s->mykex[0] = SPTPS_VERSION;
163 // Create a random nonce.
164 randomize(s->mykex + 1, 32);
166 // Create a new ECDH public key.
167 if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32))) {
168 return error(s, EINVAL, "Failed to generate ECDH public key");
171 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
174 // Send a SIGnature record, containing an Ed25519 signature over both KEX records.
175 static bool send_sig(sptps_t *s) {
176 size_t keylen = ECDH_SIZE;
177 size_t siglen = ecdsa_size(s->mykey);
179 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
180 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
183 msg[0] = s->initiator;
184 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
185 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
186 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
189 if(!ecdsa_sign(s->mykey, msg, sizeof(msg), sig)) {
190 return error(s, EINVAL, "Failed to sign SIG record");
193 // Send the SIG exchange record.
194 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof(sig));
197 // Generate key material from the shared secret created from the ECDHE key exchange.
198 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
199 // Initialise cipher and digest structures if necessary
201 s->incipher = chacha_poly1305_init();
202 s->outcipher = chacha_poly1305_init();
204 if(!s->incipher || !s->outcipher) {
205 return error(s, EINVAL, "Failed to open cipher");
209 // Allocate memory for key material
210 size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
212 s->key = realloc(s->key, keylen);
215 return error(s, errno, strerror(errno));
218 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
219 char seed[s->labellen + 64 + 13];
220 memcpy(seed, "key expansion", 13);
223 memcpy(seed + 13, s->mykex + 1, 32);
224 memcpy(seed + 45, s->hiskex + 1, 32);
226 memcpy(seed + 13, s->hiskex + 1, 32);
227 memcpy(seed + 45, s->mykex + 1, 32);
230 memcpy(seed + 77, s->label, s->labellen);
232 // Use PRF to generate the key material
233 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen)) {
234 return error(s, EINVAL, "Failed to generate key material");
240 // Send an ACKnowledgement record.
241 static bool send_ack(sptps_t *s) {
242 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
245 // Receive an ACKnowledgement record.
246 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
248 return error(s, EIO, "Invalid ACK record length");
252 if(!chacha_poly1305_set_key(s->incipher, s->key)) {
253 return error(s, EINVAL, "Failed to set counter");
256 if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN)) {
257 return error(s, EINVAL, "Failed to set counter");
268 // Receive a Key EXchange record, respond by sending a SIG record.
269 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
270 // Verify length of the HELLO record
271 if(len != 1 + 32 + ECDH_SIZE) {
272 return error(s, EIO, "Invalid KEX record length");
275 // Ignore version number for now.
277 // Make a copy of the KEX message, send_sig() and receive_sig() need it
279 return error(s, EINVAL, "Received a second KEX message before first has been processed");
282 s->hiskex = realloc(s->hiskex, len);
285 return error(s, errno, strerror(errno));
288 memcpy(s->hiskex, data, len);
297 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
298 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
299 size_t keylen = ECDH_SIZE;
300 size_t siglen = ecdsa_size(s->hiskey);
302 // Verify length of KEX record.
304 return error(s, EIO, "Invalid KEX record length");
307 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
308 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
310 msg[0] = !s->initiator;
311 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
312 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
313 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
316 if(!ecdsa_verify(s->hiskey, msg, sizeof(msg), data)) {
317 return error(s, EIO, "Failed to verify SIG record");
320 // Compute shared secret.
321 char shared[ECDH_SHARED_SIZE];
323 if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) {
324 return error(s, EINVAL, "Failed to compute ECDH shared secret");
329 // Generate key material from shared secret.
330 if(!generate_key_material(s, shared, sizeof(shared))) {
334 if(!s->initiator && !send_sig(s)) {
344 // Send cipher change record
345 if(s->outstate && !send_ack(s)) {
349 // TODO: only set new keys after ACK has been set/received
351 if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) {
352 return error(s, EINVAL, "Failed to set key");
355 if(!chacha_poly1305_set_key(s->outcipher, s->key)) {
356 return error(s, EINVAL, "Failed to set key");
363 // Force another Key EXchange (for testing purposes).
364 bool sptps_force_kex(sptps_t *s) {
365 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
366 return error(s, EINVAL, "Cannot force KEX in current state");
369 s->state = SPTPS_KEX;
373 // Receive a handshake record.
374 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
375 // Only a few states to deal with handshaking.
377 case SPTPS_SECONDARY_KEX:
379 // We receive a secondary KEX request, first respond by sending our own.
386 // We have sent our KEX request, we expect our peer to sent one as well.
387 if(!receive_kex(s, data, len)) {
391 s->state = SPTPS_SIG;
396 // If we already sent our secondary public ECDH key, we expect the peer to send his.
397 if(!receive_sig(s, data, len)) {
402 s->state = SPTPS_ACK;
406 if(!receive_ack(s, NULL, 0)) {
410 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
411 s->state = SPTPS_SECONDARY_KEX;
418 // We expect a handshake message to indicate transition to the new keys.
419 if(!receive_ack(s, data, len)) {
423 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
424 s->state = SPTPS_SECONDARY_KEX;
427 // TODO: split ACK into a VERify and ACK?
429 return error(s, EIO, "Invalid session state %d", s->state);
433 static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
434 // Replay protection using a sliding window of configurable size.
435 // s->inseqno is expected sequence number
436 // seqno is received sequence number
437 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
438 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
440 if(seqno != s->inseqno) {
441 if(seqno >= s->inseqno + s->replaywin * 8) {
442 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
443 bool farfuture = s->farfuture < s->replaywin >> 2;
450 return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
453 // Unless we have seen lots of them, in which case we consider the others lost.
455 warning(s, "Lost %d packets\n", seqno - s->inseqno);
459 // Mark all packets in the replay window as being late.
460 memset(s->late, 255, s->replaywin);
462 } else if(seqno < s->inseqno) {
463 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
464 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
465 return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
467 } else if(update_state) {
468 // We missed some packets. Mark them in the bitmap as being late.
469 for(int i = s->inseqno; i < seqno; i++) {
470 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
476 // Mark the current packet as not being late.
477 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
483 if(seqno >= s->inseqno) {
484 s->inseqno = seqno + 1;
497 // Check datagram for valid HMAC
498 bool sptps_verify_datagram(sptps_t *s, const void *data, size_t len) {
499 if(!s->instate || len < 21) {
500 return error(s, EIO, "Received short packet");
504 memcpy(&seqno, data, 4);
505 seqno = ntohl(seqno);
507 if(!sptps_check_seqno(s, seqno, false)) {
513 return chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen);
516 // Receive incoming data, datagram version.
517 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
518 if(len < (s->instate ? 21 : 5)) {
519 return error(s, EIO, "Received short packet");
523 memcpy(&seqno, data, 4);
524 seqno = ntohl(seqno);
529 if(seqno != s->inseqno) {
530 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
533 s->inseqno = seqno + 1;
535 uint8_t type = *(data++);
538 if(type != SPTPS_HANDSHAKE) {
539 return error(s, EIO, "Application record received before handshake finished");
542 return receive_handshake(s, data, len);
550 if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen)) {
551 return error(s, EIO, "Failed to decrypt and verify packet");
554 if(!sptps_check_seqno(s, seqno, true)) {
558 // Append a NULL byte for safety.
564 uint8_t type = *(data++);
567 if(type < SPTPS_HANDSHAKE) {
569 return error(s, EIO, "Application record received before handshake finished");
572 if(!s->receive_record(s->handle, type, data, len)) {
575 } else if(type == SPTPS_HANDSHAKE) {
576 if(!receive_handshake(s, data, len)) {
580 return error(s, EIO, "Invalid record type %d", type);
586 // Receive incoming data. Check if it contains a complete record, if so, handle it.
587 size_t sptps_receive_data(sptps_t *s, const void *data, size_t len) {
588 size_t total_read = 0;
591 return error(s, EIO, "Invalid session state zero");
595 return sptps_receive_data_datagram(s, data, len) ? len : false;
598 // First read the 2 length bytes.
600 size_t toread = 2 - s->buflen;
606 memcpy(s->inbuf + s->buflen, data, toread);
608 total_read += toread;
613 // Exit early if we don't have the full length.
618 // Get the length bytes
620 memcpy(&s->reclen, s->inbuf, 2);
621 s->reclen = ntohs(s->reclen);
623 // If we have the length bytes, ensure our buffer can hold the whole request.
624 s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
627 return error(s, errno, strerror(errno));
630 // Exit early if we have no more data to process.
636 // Read up to the end of the record.
637 size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
643 memcpy(s->inbuf + s->buflen, data, toread);
644 total_read += toread;
647 // If we don't have a whole record, exit.
648 if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
652 // Update sequence number.
654 uint32_t seqno = s->inseqno++;
656 // Check HMAC and decrypt.
658 if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
659 return error(s, EINVAL, "Failed to decrypt and verify record");
663 // Append a NULL byte for safety.
664 s->inbuf[s->reclen + 3UL] = 0;
666 uint8_t type = s->inbuf[2];
668 if(type < SPTPS_HANDSHAKE) {
670 return error(s, EIO, "Application record received before handshake finished");
673 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
676 } else if(type == SPTPS_HANDSHAKE) {
677 if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
681 return error(s, EIO, "Invalid record type %d", type);
689 // Start a SPTPS session.
690 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
691 // Initialise struct sptps
692 memset(s, 0, sizeof(*s));
695 s->initiator = initiator;
696 s->datagram = datagram;
699 s->replaywin = sptps_replaywin;
702 s->late = malloc(s->replaywin);
705 return error(s, errno, strerror(errno));
708 memset(s->late, 0, s->replaywin);
711 s->label = malloc(labellen);
714 return error(s, errno, strerror(errno));
718 s->inbuf = malloc(7);
721 return error(s, errno, strerror(errno));
727 memcpy(s->label, label, labellen);
728 s->labellen = labellen;
730 s->send_data = send_data;
731 s->receive_record = receive_record;
733 // Do first KEX immediately
734 s->state = SPTPS_KEX;
738 // Stop a SPTPS session.
739 bool sptps_stop(sptps_t *s) {
740 // Clean up any resources.
741 chacha_poly1305_exit(s->incipher);
742 chacha_poly1305_exit(s->outcipher);
750 memset(s, 0, sizeof(*s));