#include "system.h"
-#include "cipher.h"
+#include "chacha-poly1305/chacha-poly1305.h"
#include "crypto.h"
-#include "digest.h"
#include "ecdh.h"
#include "ecdsa.h"
#include "logger.h"
Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
- HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
+ HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
Explicit close message needs to be added.
// Send a record (datagram version, accepts all record types, handles encryption and authentication).
static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
- char buffer[len + 23UL];
+ char buffer[len + 21UL];
// Create header with sequence number, length and record type
- uint32_t seqno = htonl(s->outseqno++);
- uint16_t netlen = htons(len);
-
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, &seqno, 4);
- buffer[6] = type;
+ uint32_t seqno = s->outseqno++;
+ uint32_t netseqno = ntohl(seqno);
- // Add plaintext (TODO: avoid unnecessary copy)
- memcpy(buffer + 7, data, len);
+ memcpy(buffer, &netseqno, 4);
+ buffer[4] = type;
+ memcpy(buffer + 5, data, len);
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- if(!cipher_set_counter(s->outcipher, &seqno, sizeof seqno))
- return false;
-
- if(!cipher_counter_xor(s->outcipher, buffer + 6, len + 1UL, buffer + 6))
- return false;
-
- if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
- return false;
-
- return s->send_data(s->handle, type, buffer + 2, len + 21UL);
+ chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
+ return s->send_data(s->handle, type, buffer, len + 21UL);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer + 2, len + 5UL);
+ return s->send_data(s->handle, type, buffer, len + 5UL);
}
}
// Send a record (private version, accepts all record types, handles encryption and authentication).
if(s->datagram)
return send_record_priv_datagram(s, type, data, len);
- char buffer[len + 23UL];
+ char buffer[len + 19UL];
// Create header with sequence number, length and record type
- uint32_t seqno = htonl(s->outseqno++);
+ uint32_t seqno = s->outseqno++;
uint16_t netlen = htons(len);
- memcpy(buffer, &seqno, 4);
- memcpy(buffer + 4, &netlen, 2);
- buffer[6] = type;
-
- // Add plaintext (TODO: avoid unnecessary copy)
- memcpy(buffer + 7, data, len);
+ memcpy(buffer, &netlen, 2);
+ buffer[2] = type;
+ memcpy(buffer + 3, data, len);
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- if(!cipher_counter_xor(s->outcipher, buffer + 4, len + 3UL, buffer + 4))
- return false;
-
- if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
- return false;
-
- return s->send_data(s->handle, type, buffer + 4, len + 19UL);
+ chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
+ return s->send_data(s->handle, type, buffer, len + 19UL);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer + 4, len + 3UL);
+ return s->send_data(s->handle, type, buffer, len + 3UL);
}
}
// Make room for our KEX message, which we will keep around since send_sig() needs it.
if(s->mykex)
- abort();
+ return false;
s->mykex = realloc(s->mykex, 1 + 32 + keylen);
if(!s->mykex)
return error(s, errno, strerror(errno));
// Create a new ECDH public key.
if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
- return false;
+ return error(s, EINVAL, "Failed to generate ECDH public key");
return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
}
-// Send a SIGnature record, containing an ECDSA signature over both KEX records.
+// Send a SIGnature record, containing an Ed25519 signature over both KEX records.
static bool send_sig(sptps_t *s) {
size_t keylen = ECDH_SIZE;
size_t siglen = ecdsa_size(s->mykey);
// Sign the result.
if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
- return false;
+ return error(s, EINVAL, "Failed to sign SIG record");
// Send the SIG exchange record.
return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
// Initialise cipher and digest structures if necessary
if(!s->outstate) {
- s->incipher = cipher_open_by_name("aes-256-ecb");
- s->outcipher = cipher_open_by_name("aes-256-ecb");
- s->indigest = digest_open_by_name("sha256", 16);
- s->outdigest = digest_open_by_name("sha256", 16);
- if(!s->incipher || !s->outcipher || !s->indigest || !s->outdigest)
- return false;
+ s->incipher = chacha_poly1305_init();
+ s->outcipher = chacha_poly1305_init();
+ if(!s->incipher || !s->outcipher)
+ return error(s, EINVAL, "Failed to open cipher");
}
// Allocate memory for key material
- size_t keylen = digest_keylength(s->indigest) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher) + cipher_keylength(s->outcipher);
+ size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
s->key = realloc(s->key, keylen);
if(!s->key)
// Use PRF to generate the key material
if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
- return false;
+ return error(s, EINVAL, "Failed to generate key material");
return true;
}
return error(s, EIO, "Invalid ACK record length");
if(s->initiator) {
- bool result
- = cipher_set_counter_key(s->incipher, s->key)
- && digest_set_key(s->indigest, s->key + cipher_keylength(s->incipher), digest_keylength(s->indigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->incipher, s->key))
+ return error(s, EINVAL, "Failed to set counter");
} else {
- bool result
- = cipher_set_counter_key(s->incipher, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest))
- && digest_set_key(s->indigest, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher), digest_keylength(s->indigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN))
+ return error(s, EINVAL, "Failed to set counter");
}
free(s->key);
// Make a copy of the KEX message, send_sig() and receive_sig() need it
if(s->hiskex)
- abort();
+ return error(s, EINVAL, "Received a second KEX message before first has been processed");
s->hiskex = realloc(s->hiskex, len);
if(!s->hiskex)
return error(s, errno, strerror(errno));
// Verify signature.
if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
- return false;
+ return error(s, EIO, "Failed to verify SIG record");
// Compute shared secret.
char shared[ECDH_SHARED_SIZE];
if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
- return false;
+ return error(s, EINVAL, "Failed to compute ECDH shared secret");
s->ecdh = NULL;
// Generate key material from shared secret.
// TODO: only set new keys after ACK has been set/received
if(s->initiator) {
- bool result
- = cipher_set_counter_key(s->outcipher, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest))
- && digest_set_key(s->outdigest, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest) + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN))
+ return error(s, EINVAL, "Failed to set key");
} else {
- bool result
- = cipher_set_counter_key(s->outcipher, s->key)
- && digest_set_key(s->outdigest, s->key + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
- if(!result)
- return false;
+ if(!chacha_poly1305_set_key(s->outcipher, s->key))
+ return error(s, EINVAL, "Failed to set key");
}
return true;
return true;
// TODO: split ACK into a VERify and ACK?
default:
- return error(s, EIO, "Invalid session state");
+ return error(s, EIO, "Invalid session state %d", s->state);
}
}
// Check datagram for valid HMAC
bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
if(!s->instate || len < 21)
- return false;
-
- char buffer[len + 23];
- uint16_t netlen = htons(len - 21);
+ return error(s, EIO, "Received short packet");
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, data, len);
+ // TODO: just decrypt without updating the replay window
- return digest_verify(s->indigest, buffer, len - 14, buffer + len - 14);
+ return true;
}
// Receive incoming data, datagram version.
return receive_handshake(s, data + 5, len - 5);
}
- // Check HMAC.
- uint16_t netlen = htons(len - 21);
+ // Decrypt
- char buffer[len + 23];
+ char buffer[len];
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, data, len);
+ size_t outlen;
- if(!digest_verify(s->indigest, buffer, len - 14, buffer + len - 14))
- return error(s, EIO, "Invalid HMAC");
+ if(!chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen))
+ return error(s, EIO, "Failed to decrypt and verify packet");
// Replay protection using a sliding window of configurable size.
// s->inseqno is expected sequence number
// Unless we have seen lots of them, in which case we consider the others lost.
warning(s, "Lost %d packets\n", seqno - s->inseqno);
- memset(s->late, 0, s->replaywin);
+ // Mark all packets in the replay window as being late.
+ memset(s->late, 255, s->replaywin);
} else if (seqno < s->inseqno) {
// If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
s->farfuture = 0;
}
- if(seqno > s->inseqno)
+ if(seqno >= s->inseqno)
s->inseqno = seqno + 1;
if(!s->inseqno)
else
s->received++;
- // Decrypt.
- memcpy(&seqno, buffer + 2, 4);
- if(!cipher_set_counter(s->incipher, &seqno, sizeof seqno))
- return false;
- if(!cipher_counter_xor(s->incipher, buffer + 6, len - 4, buffer + 6))
- return false;
-
// Append a NULL byte for safety.
- buffer[len - 14] = 0;
+ buffer[len - 20] = 0;
- uint8_t type = buffer[6];
+ uint8_t type = buffer[0];
if(type < SPTPS_HANDSHAKE) {
if(!s->instate)
return error(s, EIO, "Application record received before handshake finished");
- if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
- return false;
+ if(!s->receive_record(s->handle, type, buffer + 1, len - 21))
+ abort();
} else if(type == SPTPS_HANDSHAKE) {
- if(!receive_handshake(s, buffer + 7, len - 21))
- return false;
+ if(!receive_handshake(s, buffer + 1, len - 21))
+ abort();
} else {
- return error(s, EIO, "Invalid record type");
+ return error(s, EIO, "Invalid record type %d", type);
}
return true;
// Receive incoming data. Check if it contains a complete record, if so, handle it.
bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
if(!s->state)
- return error(s, EIO, "Invalid session state");
+ return error(s, EIO, "Invalid session state zero");
if(s->datagram)
return sptps_receive_data_datagram(s, data, len);
while(len) {
// First read the 2 length bytes.
- if(s->buflen < 6) {
- size_t toread = 6 - s->buflen;
+ if(s->buflen < 2) {
+ size_t toread = 2 - s->buflen;
if(toread > len)
toread = len;
data += toread;
// Exit early if we don't have the full length.
- if(s->buflen < 6)
+ if(s->buflen < 2)
return true;
- // Decrypt the length bytes
-
- if(s->instate) {
- if(!cipher_counter_xor(s->incipher, s->inbuf + 4, 2, &s->reclen))
- return false;
- } else {
- memcpy(&s->reclen, s->inbuf + 4, 2);
- }
+ // Get the length bytes
+ memcpy(&s->reclen, s->inbuf, 2);
s->reclen = ntohs(s->reclen);
// If we have the length bytes, ensure our buffer can hold the whole request.
- s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
+ s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
if(!s->inbuf)
return error(s, errno, strerror(errno));
- // Add sequence number.
- uint32_t seqno = htonl(s->inseqno++);
- memcpy(s->inbuf, &seqno, 4);
-
// Exit early if we have no more data to process.
if(!len)
return true;
}
// Read up to the end of the record.
- size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
+ size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
if(toread > len)
toread = len;
data += toread;
// If we don't have a whole record, exit.
- if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
+ if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))
return true;
+ // Update sequence number.
+
+ uint32_t seqno = s->inseqno++;
+
// Check HMAC and decrypt.
if(s->instate) {
- if(!digest_verify(s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
- return error(s, EIO, "Invalid HMAC");
-
- if(!cipher_counter_xor(s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
- return false;
+ if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL))
+ return error(s, EINVAL, "Failed to decrypt and verify record");
}
// Append a NULL byte for safety.
- s->inbuf[s->reclen + 7UL] = 0;
+ s->inbuf[s->reclen + 3UL] = 0;
- uint8_t type = s->inbuf[6];
+ uint8_t type = s->inbuf[2];
if(type < SPTPS_HANDSHAKE) {
if(!s->instate)
return error(s, EIO, "Application record received before handshake finished");
- if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
+ if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen))
return false;
} else if(type == SPTPS_HANDSHAKE) {
- if(!receive_handshake(s, s->inbuf + 7, s->reclen))
+ if(!receive_handshake(s, s->inbuf + 3, s->reclen))
return false;
} else {
- return error(s, EIO, "Invalid record type");
+ return error(s, EIO, "Invalid record type %d", type);
}
- s->buflen = 4;
+ s->buflen = 0;
}
return true;
s->late = malloc(s->replaywin);
if(!s->late)
return error(s, errno, strerror(errno));
+ memset(s->late, 0, s->replaywin);
}
s->label = malloc(labellen);
s->inbuf = malloc(7);
if(!s->inbuf)
return error(s, errno, strerror(errno));
- s->buflen = 4;
- memset(s->inbuf, 0, 4);
+ s->buflen = 0;
}
memcpy(s->label, label, labellen);
// Stop a SPTPS session.
bool sptps_stop(sptps_t *s) {
// Clean up any resources.
- cipher_close(s->incipher);
- cipher_close(s->outcipher);
- digest_close(s->indigest);
- digest_close(s->outdigest);
+ chacha_poly1305_exit(s->incipher);
+ chacha_poly1305_exit(s->outcipher);
ecdh_free(s->ecdh);
free(s->inbuf);
free(s->mykex);