#include "system.h"
-#include "cipher.h"
+#include "chacha-poly1305/chacha-poly1305.h"
#include "crypto.h"
-#include "digest.h"
#include "ecdh.h"
#include "ecdsa.h"
#include "logger.h"
// Send a record (datagram version, accepts all record types, handles encryption and authentication).
static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
- char buffer[len + 23UL];
+ char buffer[len + 21UL];
// Create header with sequence number, length and record type
- uint32_t seqno = htonl(s->outseqno++);
- uint16_t netlen = htons(len);
-
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, &seqno, 4);
- buffer[6] = type;
+ uint32_t seqno = s->outseqno++;
+ uint32_t netseqno = ntohl(seqno);
- // Add plaintext (TODO: avoid unnecessary copy)
- memcpy(buffer + 7, data, len);
+ memcpy(buffer, &netseqno, 4);
+ buffer[4] = type;
+ memcpy(buffer + 5, data, len);
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- if(!cipher_set_counter(s->outcipher, &seqno, sizeof seqno))
- return false;
-
- if(!cipher_counter_xor(s->outcipher, buffer + 6, len + 1UL, buffer + 6))
- return false;
-
- if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
- return false;
-
- return s->send_data(s->handle, type, buffer + 2, len + 21UL);
+ chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
+ return s->send_data(s->handle, type, buffer, len + 21UL);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer + 2, len + 5UL);
+ return s->send_data(s->handle, type, buffer, len + 5UL);
}
}
// Send a record (private version, accepts all record types, handles encryption and authentication).
if(s->datagram)
return send_record_priv_datagram(s, type, data, len);
- char buffer[len + 23UL];
+ char buffer[len + 19UL];
// Create header with sequence number, length and record type
- uint32_t seqno = htonl(s->outseqno++);
+ uint32_t seqno = s->outseqno++;
uint16_t netlen = htons(len);
- memcpy(buffer, &seqno, 4);
- memcpy(buffer + 4, &netlen, 2);
- buffer[6] = type;
-
- // Add plaintext (TODO: avoid unnecessary copy)
- memcpy(buffer + 7, data, len);
+ memcpy(buffer, &netlen, 2);
+ buffer[2] = type;
+ memcpy(buffer + 3, data, len);
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- if(!cipher_counter_xor(s->outcipher, buffer + 4, len + 3UL, buffer + 4))
- return false;
-
- if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
- return false;
-
- return s->send_data(s->handle, type, buffer + 4, len + 19UL);
+ chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
+ return s->send_data(s->handle, type, buffer, len + 19UL);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer + 4, len + 3UL);
+ return s->send_data(s->handle, type, buffer, len + 3UL);
}
}
// Make room for our KEX message, which we will keep around since send_sig() needs it.
if(s->mykex)
- abort();
+ return false;
s->mykex = realloc(s->mykex, 1 + 32 + keylen);
if(!s->mykex)
return error(s, errno, strerror(errno));
// Create a new ECDH public key.
if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
- return false;
+ return error(s, EINVAL, "Failed to generate ECDH public key");
return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
}
// Sign the result.
if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
- return false;
+ return error(s, EINVAL, "Failed to sign SIG record");
// Send the SIG exchange record.
return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
// Initialise cipher and digest structures if necessary
if(!s->outstate) {
- s->incipher = cipher_open_by_name("aes-256-ecb");
- s->outcipher = cipher_open_by_name("aes-256-ecb");
- s->indigest = digest_open_by_name("sha256", 16);
- s->outdigest = digest_open_by_name("sha256", 16);
- if(!s->incipher || !s->outcipher || !s->indigest || !s->outdigest)
- return false;
+ s->incipher = chacha_poly1305_init();
+ s->outcipher = chacha_poly1305_init();
+ if(!s->incipher || !s->outcipher)
+ return error(s, EINVAL, "Failed to open cipher");
}
// Allocate memory for key material
- size_t keylen = digest_keylength(s->indigest) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher) + cipher_keylength(s->outcipher);
+ size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
s->key = realloc(s->key, keylen);
if(!s->key)
// Use PRF to generate the key material
if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
- return false;
+ return error(s, EINVAL, "Failed to generate key material");
return true;
}
return error(s, EIO, "Invalid ACK record length");
if(s->initiator) {
- bool result
- = cipher_set_counter_key(s->incipher, s->key)
- && digest_set_key(s->indigest, s->key + cipher_keylength(s->incipher), digest_keylength(s->indigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->incipher, s->key))
+ return error(s, EINVAL, "Failed to set counter");
} else {
- bool result
- = cipher_set_counter_key(s->incipher, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest))
- && digest_set_key(s->indigest, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher), digest_keylength(s->indigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN))
+ return error(s, EINVAL, "Failed to set counter");
}
free(s->key);
// Make a copy of the KEX message, send_sig() and receive_sig() need it
if(s->hiskex)
- abort();
+ return error(s, EINVAL, "Received a second KEX message before first has been processed");
s->hiskex = realloc(s->hiskex, len);
if(!s->hiskex)
return error(s, errno, strerror(errno));
// Verify signature.
if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
- return false;
+ return error(s, EIO, "Failed to verify SIG record");
// Compute shared secret.
char shared[ECDH_SHARED_SIZE];
if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
- return false;
+ return error(s, EINVAL, "Failed to compute ECDH shared secret");
+ s->ecdh = NULL;
// Generate key material from shared secret.
if(!generate_key_material(s, shared, sizeof shared))
// TODO: only set new keys after ACK has been set/received
if(s->initiator) {
- bool result
- = cipher_set_counter_key(s->outcipher, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest))
- && digest_set_key(s->outdigest, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest) + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN))
+ return error(s, EINVAL, "Failed to set key");
} else {
- bool result
- = cipher_set_counter_key(s->outcipher, s->key)
- && digest_set_key(s->outdigest, s->key + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->outcipher, s->key))
+ return error(s, EINVAL, "Failed to set key");
}
return true;
return true;
// TODO: split ACK into a VERify and ACK?
default:
- return error(s, EIO, "Invalid session state");
+ return error(s, EIO, "Invalid session state %d", s->state);
}
}
// Check datagram for valid HMAC
bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
if(!s->instate || len < 21)
- return false;
-
- char buffer[len + 23];
- uint16_t netlen = htons(len - 21);
+ return error(s, EIO, "Received short packet");
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, data, len);
+ // TODO: just decrypt without updating the replay window
- return digest_verify(s->indigest, buffer, len - 14, buffer + len - 14);
+ return true;
}
// Receive incoming data, datagram version.
return receive_handshake(s, data + 5, len - 5);
}
- // Check HMAC.
- uint16_t netlen = htons(len - 21);
+ // Decrypt
- char buffer[len + 23];
+ char buffer[len];
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, data, len);
+ size_t outlen;
- if(!digest_verify(s->indigest, buffer, len - 14, buffer + len - 14))
- return error(s, EIO, "Invalid HMAC");
+ if(!chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen))
+ return error(s, EIO, "Failed to decrypt and verify packet");
// Replay protection using a sliding window of configurable size.
// s->inseqno is expected sequence number
// Unless we have seen lots of them, in which case we consider the others lost.
warning(s, "Lost %d packets\n", seqno - s->inseqno);
- memset(s->late, 0, s->replaywin);
+ // Mark all packets in the replay window as being late.
+ memset(s->late, 255, s->replaywin);
} else if (seqno < s->inseqno) {
// If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
s->farfuture = 0;
}
- if(seqno > s->inseqno)
+ if(seqno >= s->inseqno)
s->inseqno = seqno + 1;
if(!s->inseqno)
else
s->received++;
- // Decrypt.
- memcpy(&seqno, buffer + 2, 4);
- if(!cipher_set_counter(s->incipher, &seqno, sizeof seqno))
- return false;
- if(!cipher_counter_xor(s->incipher, buffer + 6, len - 4, buffer + 6))
- return false;
-
// Append a NULL byte for safety.
- buffer[len - 14] = 0;
+ buffer[len - 20] = 0;
- uint8_t type = buffer[6];
+ uint8_t type = buffer[0];
if(type < SPTPS_HANDSHAKE) {
if(!s->instate)
return error(s, EIO, "Application record received before handshake finished");
- if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
- return false;
+ if(!s->receive_record(s->handle, type, buffer + 1, len - 21))
+ abort();
} else if(type == SPTPS_HANDSHAKE) {
- if(!receive_handshake(s, buffer + 7, len - 21))
- return false;
+ if(!receive_handshake(s, buffer + 1, len - 21))
+ abort();
} else {
- return error(s, EIO, "Invalid record type");
+ return error(s, EIO, "Invalid record type %d", type);
}
return true;
// Receive incoming data. Check if it contains a complete record, if so, handle it.
bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
+ if(!s->state)
+ return error(s, EIO, "Invalid session state zero");
+
if(s->datagram)
return sptps_receive_data_datagram(s, data, len);
while(len) {
// First read the 2 length bytes.
- if(s->buflen < 6) {
- size_t toread = 6 - s->buflen;
+ if(s->buflen < 2) {
+ size_t toread = 2 - s->buflen;
if(toread > len)
toread = len;
data += toread;
// Exit early if we don't have the full length.
- if(s->buflen < 6)
+ if(s->buflen < 2)
return true;
- // Decrypt the length bytes
-
- if(s->instate) {
- if(!cipher_counter_xor(s->incipher, s->inbuf + 4, 2, &s->reclen))
- return false;
- } else {
- memcpy(&s->reclen, s->inbuf + 4, 2);
- }
+ // Get the length bytes
+ memcpy(&s->reclen, s->inbuf, 2);
s->reclen = ntohs(s->reclen);
// If we have the length bytes, ensure our buffer can hold the whole request.
- s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
+ s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
if(!s->inbuf)
return error(s, errno, strerror(errno));
- // Add sequence number.
- uint32_t seqno = htonl(s->inseqno++);
- memcpy(s->inbuf, &seqno, 4);
-
// Exit early if we have no more data to process.
if(!len)
return true;
}
// Read up to the end of the record.
- size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
+ size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
if(toread > len)
toread = len;
data += toread;
// If we don't have a whole record, exit.
- if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
+ if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))
return true;
+ // Update sequence number.
+
+ uint32_t seqno = s->inseqno++;
+
// Check HMAC and decrypt.
if(s->instate) {
- if(!digest_verify(s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
- return error(s, EIO, "Invalid HMAC");
-
- if(!cipher_counter_xor(s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
- return false;
+ if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL))
+ return error(s, EINVAL, "Failed to decrypt and verify record");
}
// Append a NULL byte for safety.
- s->inbuf[s->reclen + 7UL] = 0;
+ s->inbuf[s->reclen + 3UL] = 0;
- uint8_t type = s->inbuf[6];
+ uint8_t type = s->inbuf[2];
if(type < SPTPS_HANDSHAKE) {
if(!s->instate)
return error(s, EIO, "Application record received before handshake finished");
- if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
+ if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen))
return false;
} else if(type == SPTPS_HANDSHAKE) {
- if(!receive_handshake(s, s->inbuf + 7, s->reclen))
+ if(!receive_handshake(s, s->inbuf + 3, s->reclen))
return false;
} else {
- return error(s, EIO, "Invalid record type");
+ return error(s, EIO, "Invalid record type %d", type);
}
- s->buflen = 4;
+ s->buflen = 0;
}
return true;
s->late = malloc(s->replaywin);
if(!s->late)
return error(s, errno, strerror(errno));
+ memset(s->late, 0, s->replaywin);
}
s->label = malloc(labellen);
s->inbuf = malloc(7);
if(!s->inbuf)
return error(s, errno, strerror(errno));
- s->buflen = 4;
- memset(s->inbuf, 0, 4);
+ s->buflen = 0;
}
memcpy(s->label, label, labellen);
// Stop a SPTPS session.
bool sptps_stop(sptps_t *s) {
// Clean up any resources.
- cipher_close(s->incipher);
- cipher_close(s->outcipher);
- digest_close(s->indigest);
- digest_close(s->outdigest);
+ chacha_poly1305_exit(s->incipher);
+ chacha_poly1305_exit(s->outcipher);
ecdh_free(s->ecdh);
free(s->inbuf);
free(s->mykex);