projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Use SPTPS when ExperimentalProtocol is enabled.
[tinc] / src / sptps.c
diff --git a/src/sptps.c b/src/sptps.c
index dc602e3..5088d65 100644 (file)
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -27,9 +27,6 @@
 #include "prf.h"
 #include "sptps.h"
 
-char *logfilename;
-#include "utils.c"
-
 /*
    Nonce MUST be exchanged first (done)
    Signatures MUST be done over both nonces, to guarantee the signature is fresh
@@ -45,7 +42,7 @@ char *logfilename;
 
    Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
 
-   Use counter mode instead of OFB.
+   Use counter mode instead of OFB. (done)
 
    Make sure ECC operations are fixed time (aka prevent side-channel attacks).
 */
@@ -59,32 +56,31 @@ static bool error(sptps_t *s, int s_errno, const char *msg) {
 
 // Send a record (private version, accepts all record types, handles encryption and authentication).
 static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
-       char plaintext[len + 23];
-       char ciphertext[len + 19];
+       char buffer[len + 23UL];
 
        // Create header with sequence number, length and record type
        uint32_t seqno = htonl(s->outseqno++);
        uint16_t netlen = htons(len);
 
-       memcpy(plaintext, &seqno, 4);
-       memcpy(plaintext + 4, &netlen, 2);
-       plaintext[6] = type;
+       memcpy(buffer, &seqno, 4);
+       memcpy(buffer + 4, &netlen, 2);
+       buffer[6] = type;
 
        // Add plaintext (TODO: avoid unnecessary copy)
-       memcpy(plaintext + 7, data, len);
+       memcpy(buffer + 7, data, len);
 
        if(s->outstate) {
                // If first handshake has finished, encrypt and HMAC
-               if(!digest_create(&s->outdigest, plaintext, len + 7, plaintext + 7 + len))
+               if(!cipher_counter_xor(&s->outcipher, buffer + 4, len + 3UL, buffer + 4))
                        return false;
 
-               if(!cipher_encrypt(&s->outcipher, plaintext + 4, sizeof ciphertext, ciphertext, NULL, false))
+               if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
                        return false;
 
-               return s->send_data(s->handle, ciphertext, len + 19);
+               return s->send_data(s->handle, buffer + 4, len + 19UL);
        } else {
                // Otherwise send as plaintext
-               return s->send_data(s->handle, plaintext + 4, len + 3);
+               return s->send_data(s->handle, buffer + 4, len + 3UL);
        }
 }
 
@@ -149,8 +145,8 @@ static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
        // Initialise cipher and digest structures if necessary
        if(!s->outstate) {
                bool result
-                       =  cipher_open_by_name(&s->incipher, "aes-256-ofb")
-                       && cipher_open_by_name(&s->outcipher, "aes-256-ofb")
+                       =  cipher_open_by_name(&s->incipher, "aes-256-ecb")
+                       && cipher_open_by_name(&s->outcipher, "aes-256-ecb")
                        && digest_open_by_name(&s->indigest, "sha256", 16)
                        && digest_open_by_name(&s->outdigest, "sha256", 16);
                if(!result)
@@ -191,10 +187,27 @@ static bool send_ack(sptps_t *s) {
 // Receive an ACKnowledgement record.
 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
        if(len)
-               return false;
+               return error(s, EIO, "Invalid ACK record length");
+
+       if(s->initiator) {
+               bool result
+                       = cipher_set_counter_key(&s->incipher, s->key)
+                       && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
+               if(!result)
+                       return false;
+       } else {
+               bool result
+                       = cipher_set_counter_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest))
+                       && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
+               if(!result)
+                       return false;
+       }
 
-       // TODO: set cipher/digest keys
-       return error(s, ENOSYS, "receive_ack() not completely implemented yet");
+       free(s->key);
+       s->key = NULL;
+       s->instate = true;
+
+       return true;
 }
 
 // Receive a Key EXchange record, respond by sending a SIG record.
@@ -244,31 +257,32 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        if(!generate_key_material(s, shared, sizeof shared))
                return false;
 
-       // Send cipher change record if necessary
-       //if(s->outstate && !send_ack(s))
-       //      return false;
+       free(s->mykex);
+       free(s->hiskex);
+
+       s->mykex = NULL;
+       s->hiskex = NULL;
+
+       // Send cipher change record
+       if(!send_ack(s))
+               return false;
 
        // TODO: only set new keys after ACK has been set/received
        if(s->initiator) {
                bool result
-                       =  cipher_set_key(&s->incipher, s->key, false)
-                       && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest))
-                       && cipher_set_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest), true)
+                       = cipher_set_counter_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest))
                        && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest) + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
                if(!result)
                        return false;
        } else {
                bool result
-                       =  cipher_set_key(&s->outcipher, s->key, true)
-                       && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest))
-                       && cipher_set_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest), false)
-                       && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
+                       =  cipher_set_counter_key(&s->outcipher, s->key)
+                       && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
                if(!result)
                        return false;
        }
 
        s->outstate = true;
-       s->instate = true;
 
        return true;
 }
@@ -302,12 +316,13 @@ static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
                        if(!receive_sig(s, data, len))
                                return false;
                        // s->state = SPTPS_ACK;
-                       s->state = SPTPS_SECONDARY_KEX;
+                       s->state = SPTPS_ACK;
                        return true;
                case SPTPS_ACK:
                        // We expect a handshake message to indicate transition to the new keys.
                        if(!receive_ack(s, data, len))
                                return false;
+                       s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
                        s->state = SPTPS_SECONDARY_KEX;
                        return true;
                // TODO: split ACK into a VERify and ACK?
@@ -325,26 +340,29 @@ bool receive_data(sptps_t *s, const char *data, size_t len) {
                        if(toread > len)
                                toread = len;
 
-                       if(s->instate) {
-                               if(!cipher_decrypt(&s->incipher, data, toread, s->inbuf + s->buflen, NULL, false))
-                                       return false;
-                       } else {
-                               memcpy(s->inbuf + s->buflen, data, toread);
-                       }
+                       memcpy(s->inbuf + s->buflen, data, toread);
 
                        s->buflen += toread;
                        len -= toread;
                        data += toread;
-
+               
                        // Exit early if we don't have the full length.
                        if(s->buflen < 6)
                                return true;
 
+                       // Decrypt the length bytes
+
+                       if(s->instate) {
+                               if(!cipher_counter_xor(&s->incipher, s->inbuf + 4, 2, &s->reclen))
+                                       return false;
+                       } else {
+                               memcpy(&s->reclen, s->inbuf + 4, 2);
+                       }
+
+                       s->reclen = ntohs(s->reclen);
+
                        // If we have the length bytes, ensure our buffer can hold the whole request.
-                       uint16_t reclen;
-                       memcpy(&reclen, s->inbuf + 4, 2);
-                       reclen = htons(reclen);
-                       s->inbuf = realloc(s->inbuf, reclen + 23UL);
+                       s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
                        if(!s->inbuf)
                                return error(s, errno, strerror(errno));
 
@@ -358,41 +376,40 @@ bool receive_data(sptps_t *s, const char *data, size_t len) {
                }
 
                // Read up to the end of the record.
-               uint16_t reclen;
-               memcpy(&reclen, s->inbuf + 4, 2);
-               reclen = htons(reclen);
-               size_t toread = reclen + (s->instate ? 23UL : 7UL) - s->buflen;
+               size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
                if(toread > len)
                        toread = len;
 
-               if(s->instate) {
-                       if(!cipher_decrypt(&s->incipher, data, toread, s->inbuf + s->buflen, NULL, false))
-                               return false;
-               } else {
-                       memcpy(s->inbuf + s->buflen, data, toread);
-               }
-
+               memcpy(s->inbuf + s->buflen, data, toread);
                s->buflen += toread;
                len -= toread;
                data += toread;
 
                // If we don't have a whole record, exit.
-               if(s->buflen < reclen + (s->instate ? 23UL : 7UL))
+               if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
                        return true;
 
-               // Check HMAC.
-               if(s->instate)
-                       if(!digest_verify(&s->indigest, s->inbuf, reclen + 7UL, s->inbuf + reclen + 7UL))
-                               error(s, EIO, "Invalid HMAC");
+               // Check HMAC and decrypt.
+               if(s->instate) {
+                       if(!digest_verify(&s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
+                               return error(s, EIO, "Invalid HMAC");
+
+                       if(!cipher_counter_xor(&s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
+                               return false;
+               }
+
+               // Append a NULL byte for safety.
+               s->inbuf[s->reclen + 7UL] = 0;
 
                uint8_t type = s->inbuf[6];
 
-               // Handle record.
                if(type < SPTPS_HANDSHAKE) {
-                       if(!s->receive_record(s->handle, type, s->inbuf + 7, reclen))
+                       if(!s->instate)
+                               return error(s, EIO, "Application record received before handshake finished");
+                       if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
                                return false;
                } else if(type == SPTPS_HANDSHAKE) {
-                       if(!receive_handshake(s, s->inbuf + 7, reclen))
+                       if(!receive_handshake(s, s->inbuf + 7, s->reclen))
                                return false;
                } else {
                        return error(s, EIO, "Invalid record type");
tinc, the VPN daemon