2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011 Guus Sliepen <guus@tinc-vpn.org>,
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License along
16 with this program; if not, write to the Free Software Foundation, Inc.,
17 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 Nonce MUST be exchanged first (done)
32 Signatures MUST be done over both nonces, to guarantee the signature is fresh
33 Otherwise: if ECDHE key of one side is compromised, it can be reused!
35 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
37 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
39 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
41 Explicit close message needs to be added.
43 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
45 Use counter mode instead of OFB. (done)
47 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
50 // Log an error message.
51 static bool error(sptps_t *s, int s_errno, const char *msg) {
52 fprintf(stderr, "SPTPS error: %s\n", msg);
57 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
58 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
59 char buffer[len + 23UL];
61 // Create header with sequence number, length and record type
62 uint32_t seqno = htonl(s->outseqno++);
63 uint16_t netlen = htons(len);
65 memcpy(buffer, &netlen, 2);
66 memcpy(buffer + 2, &seqno, 4);
69 // Add plaintext (TODO: avoid unnecessary copy)
70 memcpy(buffer + 7, data, len);
73 // If first handshake has finished, encrypt and HMAC
74 cipher_set_counter(&s->outcipher, &seqno, sizeof seqno);
75 if(!cipher_counter_xor(&s->outcipher, buffer + 6, len + 1UL, buffer + 6))
78 if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
81 return s->send_data(s->handle, type, buffer + 2, len + 21UL);
83 // Otherwise send as plaintext
84 return s->send_data(s->handle, type, buffer + 2, len + 5UL);
87 // Send a record (private version, accepts all record types, handles encryption and authentication).
88 static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
90 return send_record_priv_datagram(s, type, data, len);
92 char buffer[len + 23UL];
94 // Create header with sequence number, length and record type
95 uint32_t seqno = htonl(s->outseqno++);
96 uint16_t netlen = htons(len);
98 memcpy(buffer, &seqno, 4);
99 memcpy(buffer + 4, &netlen, 2);
102 // Add plaintext (TODO: avoid unnecessary copy)
103 memcpy(buffer + 7, data, len);
106 // If first handshake has finished, encrypt and HMAC
107 if(!cipher_counter_xor(&s->outcipher, buffer + 4, len + 3UL, buffer + 4))
110 if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
113 return s->send_data(s->handle, type, buffer + 4, len + 19UL);
115 // Otherwise send as plaintext
116 return s->send_data(s->handle, type, buffer + 4, len + 3UL);
120 // Send an application record.
121 bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
122 // Sanity checks: application cannot send data before handshake is finished,
123 // and only record types 0..127 are allowed.
125 return error(s, EINVAL, "Handshake phase not finished yet");
127 if(type >= SPTPS_HANDSHAKE)
128 return error(s, EINVAL, "Invalid application record type");
130 return send_record_priv(s, type, data, len);
133 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
134 static bool send_kex(sptps_t *s) {
135 size_t keylen = ECDH_SIZE;
137 // Make room for our KEX message, which we will keep around since send_sig() needs it.
140 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
142 return error(s, errno, strerror(errno));
144 // Set version byte to zero.
145 s->mykex[0] = SPTPS_VERSION;
147 // Create a random nonce.
148 randomize(s->mykex + 1, 32);
150 // Create a new ECDH public key.
151 if(!ecdh_generate_public(&s->ecdh, s->mykex + 1 + 32))
154 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
157 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
158 static bool send_sig(sptps_t *s) {
159 size_t keylen = ECDH_SIZE;
160 size_t siglen = ecdsa_size(&s->mykey);
162 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
163 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
166 msg[0] = s->initiator;
167 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
168 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
169 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
172 if(!ecdsa_sign(&s->mykey, msg, sizeof msg, sig))
175 // Send the SIG exchange record.
176 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
179 // Generate key material from the shared secret created from the ECDHE key exchange.
180 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
181 // Initialise cipher and digest structures if necessary
184 = cipher_open_by_name(&s->incipher, "aes-256-ecb")
185 && cipher_open_by_name(&s->outcipher, "aes-256-ecb")
186 && digest_open_by_name(&s->indigest, "sha256", 16)
187 && digest_open_by_name(&s->outdigest, "sha256", 16);
192 // Allocate memory for key material
193 size_t keylen = digest_keylength(&s->indigest) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher) + cipher_keylength(&s->outcipher);
195 s->key = realloc(s->key, keylen);
197 return error(s, errno, strerror(errno));
199 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
200 char seed[s->labellen + 64 + 13];
201 strcpy(seed, "key expansion");
203 memcpy(seed + 13, s->mykex + 1, 32);
204 memcpy(seed + 45, s->hiskex + 1, 32);
206 memcpy(seed + 13, s->hiskex + 1, 32);
207 memcpy(seed + 45, s->mykex + 1, 32);
209 memcpy(seed + 78, s->label, s->labellen);
211 // Use PRF to generate the key material
212 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
218 // Send an ACKnowledgement record.
219 static bool send_ack(sptps_t *s) {
220 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
223 // Receive an ACKnowledgement record.
224 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
226 return error(s, EIO, "Invalid ACK record length");
230 = cipher_set_counter_key(&s->incipher, s->key)
231 && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
236 = cipher_set_counter_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest))
237 && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
249 // Receive a Key EXchange record, respond by sending a SIG record.
250 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
251 // Verify length of the HELLO record
252 if(len != 1 + 32 + ECDH_SIZE)
253 return error(s, EIO, "Invalid KEX record length");
255 // Ignore version number for now.
257 // Make a copy of the KEX message, send_sig() and receive_sig() need it
260 s->hiskex = realloc(s->hiskex, len);
262 return error(s, errno, strerror(errno));
264 memcpy(s->hiskex, data, len);
269 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
270 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
271 size_t keylen = ECDH_SIZE;
272 size_t siglen = ecdsa_size(&s->hiskey);
274 // Verify length of KEX record.
276 return error(s, EIO, "Invalid KEX record length");
278 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
279 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
281 msg[0] = !s->initiator;
282 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
283 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
284 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
287 if(!ecdsa_verify(&s->hiskey, msg, sizeof msg, data))
290 // Compute shared secret.
291 char shared[ECDH_SHARED_SIZE];
292 if(!ecdh_compute_shared(&s->ecdh, s->hiskex + 1 + 32, shared))
295 // Generate key material from shared secret.
296 if(!generate_key_material(s, shared, sizeof shared))
305 // Send cipher change record
306 if(s->outstate && !send_ack(s))
309 // TODO: only set new keys after ACK has been set/received
312 = cipher_set_counter_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest))
313 && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest) + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
318 = cipher_set_counter_key(&s->outcipher, s->key)
319 && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
327 // Force another Key EXchange (for testing purposes).
328 bool sptps_force_kex(sptps_t *s) {
329 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
330 return error(s, EINVAL, "Cannot force KEX in current state");
332 s->state = SPTPS_KEX;
336 // Receive a handshake record.
337 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
338 // Only a few states to deal with handshaking.
339 fprintf(stderr, "Received handshake message, current state %d\n", s->state);
341 case SPTPS_SECONDARY_KEX:
342 // We receive a secondary KEX request, first respond by sending our own.
346 // We have sent our KEX request, we expect our peer to sent one as well.
347 if(!receive_kex(s, data, len))
349 s->state = SPTPS_SIG;
352 // If we already sent our secondary public ECDH key, we expect the peer to send his.
353 if(!receive_sig(s, data, len))
356 s->state = SPTPS_ACK;
359 if(!receive_ack(s, NULL, 0))
361 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
362 s->state = SPTPS_SECONDARY_KEX;
367 // We expect a handshake message to indicate transition to the new keys.
368 if(!receive_ack(s, data, len))
370 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
371 s->state = SPTPS_SECONDARY_KEX;
373 // TODO: split ACK into a VERify and ACK?
375 return error(s, EIO, "Invalid session state");
379 // Check datagram for valid HMAC
380 bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
381 if(!s->instate || len < 21)
384 char buffer[len + 23];
385 uint16_t netlen = htons(len - 21);
387 memcpy(buffer, &netlen, 2);
388 memcpy(buffer + 2, data, len);
390 return digest_verify(&s->indigest, buffer, len - 14, buffer + len - 14);
393 // Receive incoming data, datagram version.
394 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
395 if(len < (s->instate ? 21 : 5))
396 return error(s, EIO, "Received short packet");
399 memcpy(&seqno, data, 4);
400 seqno = ntohl(seqno);
403 if(seqno != s->inseqno) {
404 fprintf(stderr, "Received invalid packet seqno: %d != %d\n", seqno, s->inseqno);
405 return error(s, EIO, "Invalid packet seqno");
408 s->inseqno = seqno + 1;
410 uint8_t type = data[4];
412 if(type != SPTPS_HANDSHAKE)
413 return error(s, EIO, "Application record received before handshake finished");
415 return receive_handshake(s, data + 5, len - 5);
418 if(seqno < s->inseqno) {
419 fprintf(stderr, "Received late or replayed packet: %d < %d\n", seqno, s->inseqno);
423 if(seqno > s->inseqno)
424 fprintf(stderr, "Missed %d packets\n", seqno - s->inseqno);
426 s->inseqno = seqno + 1;
428 uint16_t netlen = htons(len - 21);
430 char buffer[len + 23];
432 memcpy(buffer, &netlen, 2);
433 memcpy(buffer + 2, data, len);
435 memcpy(&seqno, buffer + 2, 4);
437 // Check HMAC and decrypt.
438 if(!digest_verify(&s->indigest, buffer, len - 14, buffer + len - 14))
439 return error(s, EIO, "Invalid HMAC");
441 cipher_set_counter(&s->incipher, &seqno, sizeof seqno);
442 if(!cipher_counter_xor(&s->incipher, buffer + 6, len - 4, buffer + 6))
445 // Append a NULL byte for safety.
446 buffer[len - 14] = 0;
448 uint8_t type = buffer[6];
450 if(type < SPTPS_HANDSHAKE) {
452 return error(s, EIO, "Application record received before handshake finished");
453 if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
455 } else if(type == SPTPS_HANDSHAKE) {
456 if(!receive_handshake(s, buffer + 7, len - 21))
459 return error(s, EIO, "Invalid record type");
464 // Receive incoming data. Check if it contains a complete record, if so, handle it.
465 bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
467 return sptps_receive_data_datagram(s, data, len);
470 // First read the 2 length bytes.
472 size_t toread = 6 - s->buflen;
476 memcpy(s->inbuf + s->buflen, data, toread);
482 // Exit early if we don't have the full length.
486 // Decrypt the length bytes
489 if(!cipher_counter_xor(&s->incipher, s->inbuf + 4, 2, &s->reclen))
492 memcpy(&s->reclen, s->inbuf + 4, 2);
495 s->reclen = ntohs(s->reclen);
497 // If we have the length bytes, ensure our buffer can hold the whole request.
498 s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
500 return error(s, errno, strerror(errno));
502 // Add sequence number.
503 uint32_t seqno = htonl(s->inseqno++);
504 memcpy(s->inbuf, &seqno, 4);
506 // Exit early if we have no more data to process.
511 // Read up to the end of the record.
512 size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
516 memcpy(s->inbuf + s->buflen, data, toread);
521 // If we don't have a whole record, exit.
522 if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
525 // Check HMAC and decrypt.
527 if(!digest_verify(&s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
528 return error(s, EIO, "Invalid HMAC");
530 if(!cipher_counter_xor(&s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
534 // Append a NULL byte for safety.
535 s->inbuf[s->reclen + 7UL] = 0;
537 uint8_t type = s->inbuf[6];
539 if(type < SPTPS_HANDSHAKE) {
541 return error(s, EIO, "Application record received before handshake finished");
542 if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
544 } else if(type == SPTPS_HANDSHAKE) {
545 if(!receive_handshake(s, s->inbuf + 7, s->reclen))
548 return error(s, EIO, "Invalid record type");
557 // Start a SPTPS session.
558 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t mykey, ecdsa_t hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
559 // Initialise struct sptps
560 memset(s, 0, sizeof *s);
563 s->initiator = initiator;
564 s->datagram = datagram;
568 s->label = malloc(labellen);
570 return error(s, errno, strerror(errno));
573 s->inbuf = malloc(7);
575 return error(s, errno, strerror(errno));
577 memset(s->inbuf, 0, 4);
580 memcpy(s->label, label, labellen);
581 s->labellen = labellen;
583 s->send_data = send_data;
584 s->receive_record = receive_record;
586 // Do first KEX immediately
587 s->state = SPTPS_KEX;
591 // Stop a SPTPS session.
592 bool sptps_stop(sptps_t *s) {
593 // Clean up any resources.
projects / tinc / blob