Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
- Use counter mode instead of OFB.
+ Use counter mode instead of OFB. (done)
Make sure ECC operations are fixed time (aka prevent side-channel attacks).
*/
if(!digest_create(&s->outdigest, plaintext, len + 7, plaintext + 7 + len))
return false;
- if(!cipher_encrypt(&s->outcipher, plaintext + 4, sizeof ciphertext, ciphertext, NULL, false))
+ if(!cipher_counter_xor(&s->outcipher, plaintext + 4, sizeof ciphertext, ciphertext))
return false;
return s->send_data(s->handle, ciphertext, len + 19);
// Initialise cipher and digest structures if necessary
if(!s->outstate) {
bool result
- = cipher_open_by_name(&s->incipher, "aes-256-ofb")
- && cipher_open_by_name(&s->outcipher, "aes-256-ofb")
+ = cipher_open_by_name(&s->incipher, "aes-256-ecb")
+ && cipher_open_by_name(&s->outcipher, "aes-256-ecb")
&& digest_open_by_name(&s->indigest, "sha256", 16)
&& digest_open_by_name(&s->outdigest, "sha256", 16);
if(!result)
// Receive an ACKnowledgement record.
static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
if(len)
- return false;
+ return error(s, EIO, "Invalid ACK record length");
+
+ if(s->initiator) {
+ bool result
+ = cipher_set_counter_key(&s->incipher, s->key)
+ && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
+ if(!result)
+ return false;
+ } else {
+ bool result
+ = cipher_set_counter_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest))
+ && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
+ if(!result)
+ return false;
+ }
- // TODO: set cipher/digest keys
- return error(s, ENOSYS, "receive_ack() not completely implemented yet");
+ free(s->key);
+ s->key = NULL;
+ s->instate = true;
+
+ return true;
}
// Receive a Key EXchange record, respond by sending a SIG record.
if(!generate_key_material(s, shared, sizeof shared))
return false;
- // Send cipher change record if necessary
- //if(s->outstate && !send_ack(s))
- // return false;
+ free(s->mykex);
+ free(s->hiskex);
+
+ s->mykex = NULL;
+ s->hiskex = NULL;
+
+ // Send cipher change record
+ if(!send_ack(s))
+ return false;
// TODO: only set new keys after ACK has been set/received
if(s->initiator) {
bool result
- = cipher_set_key(&s->incipher, s->key, false)
- && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest))
- && cipher_set_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest), true)
+ = cipher_set_counter_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest))
&& digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest) + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
if(!result)
return false;
} else {
bool result
- = cipher_set_key(&s->outcipher, s->key, true)
- && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest))
- && cipher_set_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest), false)
- && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
+ = cipher_set_counter_key(&s->outcipher, s->key)
+ && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
if(!result)
return false;
}
s->outstate = true;
- s->instate = true;
return true;
}
if(!receive_sig(s, data, len))
return false;
// s->state = SPTPS_ACK;
- s->state = SPTPS_SECONDARY_KEX;
+ s->state = SPTPS_ACK;
return true;
case SPTPS_ACK:
// We expect a handshake message to indicate transition to the new keys.
toread = len;
if(s->instate) {
- if(!cipher_decrypt(&s->incipher, data, toread, s->inbuf + s->buflen, NULL, false))
+ if(!cipher_counter_xor(&s->incipher, data, toread, s->inbuf + s->buflen))
return false;
} else {
memcpy(s->inbuf + s->buflen, data, toread);
toread = len;
if(s->instate) {
- if(!cipher_decrypt(&s->incipher, data, toread, s->inbuf + s->buflen, NULL, false))
+ if(!cipher_counter_xor(&s->incipher, data, toread, s->inbuf + s->buflen))
return false;
} else {
memcpy(s->inbuf + s->buflen, data, toread);
// Handle record.
if(type < SPTPS_HANDSHAKE) {
+ if(!s->instate)
+ return error(s, EIO, "Application record received before handshake finished");
if(!s->receive_record(s->handle, type, s->inbuf + 7, reclen))
return false;
} else if(type == SPTPS_HANDSHAKE) {