2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2013 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 unsigned int sptps_replaywin = 16;
34 Nonce MUST be exchanged first (done)
35 Signatures MUST be done over both nonces, to guarantee the signature is fresh
36 Otherwise: if ECDHE key of one side is compromised, it can be reused!
38 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
40 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
42 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
44 Explicit close message needs to be added.
46 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
48 Use counter mode instead of OFB. (done)
50 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
53 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
56 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
57 vfprintf(stderr, format, ap);
61 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
63 // Log an error message.
64 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
68 sptps_log(s, s_errno, format, ap);
76 static void warning(sptps_t *s, const char *format, ...) {
79 sptps_log(s, 0, format, ap);
83 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
84 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
85 char buffer[len + 21UL];
87 // Create header with sequence number, length and record type
88 uint32_t seqno = htonl(s->outseqno++);
90 memcpy(buffer, &seqno, 4);
94 // If first handshake has finished, encrypt and HMAC
95 if(!cipher_set_counter(s->outcipher, &seqno, sizeof seqno))
96 return error(s, EINVAL, "Failed to set counter");
98 if(!cipher_gcm_encrypt_start(s->outcipher, buffer + 4, 1, buffer + 4, NULL))
99 return error(s, EINVAL, "Error encrypting record");
101 if(!cipher_gcm_encrypt_finish(s->outcipher, data, len, buffer + 5, NULL))
102 return error(s, EINVAL, "Error encrypting record");
104 return s->send_data(s->handle, type, buffer, len + 21UL);
106 // Otherwise send as plaintext
107 memcpy(buffer + 5, data, len);
108 return s->send_data(s->handle, type, buffer, len + 5UL);
111 // Send a record (private version, accepts all record types, handles encryption and authentication).
112 static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
114 return send_record_priv_datagram(s, type, data, len);
116 char buffer[len + 19UL];
118 // Create header with sequence number, length and record type
119 uint32_t seqno = htonl(s->outseqno++);
120 uint16_t netlen = htons(len);
122 memcpy(buffer, &netlen, 2);
126 // If first handshake has finished, encrypt and HMAC
127 if(!cipher_set_counter(s->outcipher, &seqno, 4))
128 return error(s, EINVAL, "Failed to set counter");
130 if(!cipher_gcm_encrypt_start(s->outcipher, buffer, 3, buffer, NULL))
131 return error(s, EINVAL, "Error encrypting record");
133 if(!cipher_gcm_encrypt_finish(s->outcipher, data, len, buffer + 3, NULL))
134 return error(s, EINVAL, "Error encrypting record");
136 return s->send_data(s->handle, type, buffer, len + 19UL);
138 // Otherwise send as plaintext
139 memcpy(buffer + 3, data, len);
140 return s->send_data(s->handle, type, buffer, len + 3UL);
144 // Send an application record.
145 bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
146 // Sanity checks: application cannot send data before handshake is finished,
147 // and only record types 0..127 are allowed.
149 return error(s, EINVAL, "Handshake phase not finished yet");
151 if(type >= SPTPS_HANDSHAKE)
152 return error(s, EINVAL, "Invalid application record type");
154 return send_record_priv(s, type, data, len);
157 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
158 static bool send_kex(sptps_t *s) {
159 size_t keylen = ECDH_SIZE;
161 // Make room for our KEX message, which we will keep around since send_sig() needs it.
164 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
166 return error(s, errno, strerror(errno));
168 // Set version byte to zero.
169 s->mykex[0] = SPTPS_VERSION;
171 // Create a random nonce.
172 randomize(s->mykex + 1, 32);
174 // Create a new ECDH public key.
175 if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
176 return error(s, EINVAL, "Failed to generate ECDH public key");
178 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
181 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
182 static bool send_sig(sptps_t *s) {
183 size_t keylen = ECDH_SIZE;
184 size_t siglen = ecdsa_size(s->mykey);
186 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
187 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
190 msg[0] = s->initiator;
191 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
192 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
193 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
196 if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
197 return error(s, EINVAL, "Failed to sign SIG record");
199 // Send the SIG exchange record.
200 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
203 // Generate key material from the shared secret created from the ECDHE key exchange.
204 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
205 // Initialise cipher and digest structures if necessary
207 s->incipher = cipher_open_by_name("aes-256-gcm");
208 s->outcipher = cipher_open_by_name("aes-256-gcm");
209 if(!s->incipher || !s->outcipher)
210 return error(s, EINVAL, "Failed to open cipher");
213 // Allocate memory for key material
214 size_t keylen = cipher_keylength(s->incipher) + cipher_keylength(s->outcipher);
216 s->key = realloc(s->key, keylen);
218 return error(s, errno, strerror(errno));
220 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
221 char seed[s->labellen + 64 + 13];
222 strcpy(seed, "key expansion");
224 memcpy(seed + 13, s->mykex + 1, 32);
225 memcpy(seed + 45, s->hiskex + 1, 32);
227 memcpy(seed + 13, s->hiskex + 1, 32);
228 memcpy(seed + 45, s->mykex + 1, 32);
230 memcpy(seed + 77, s->label, s->labellen);
232 // Use PRF to generate the key material
233 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
234 return error(s, EINVAL, "Failed to generate key material");
239 // Send an ACKnowledgement record.
240 static bool send_ack(sptps_t *s) {
241 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
244 // Receive an ACKnowledgement record.
245 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
247 return error(s, EIO, "Invalid ACK record length");
250 if(!cipher_set_counter_key(s->incipher, s->key))
251 return error(s, EINVAL, "Failed to set counter");
253 if(!cipher_set_counter_key(s->incipher, s->key + cipher_keylength(s->outcipher)))
254 return error(s, EINVAL, "Failed to set counter");
264 // Receive a Key EXchange record, respond by sending a SIG record.
265 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
266 // Verify length of the HELLO record
267 if(len != 1 + 32 + ECDH_SIZE)
268 return error(s, EIO, "Invalid KEX record length");
270 // Ignore version number for now.
272 // Make a copy of the KEX message, send_sig() and receive_sig() need it
274 return error(s, EINVAL, "Received a second KEX message before first has been processed");
275 s->hiskex = realloc(s->hiskex, len);
277 return error(s, errno, strerror(errno));
279 memcpy(s->hiskex, data, len);
284 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
285 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
286 size_t keylen = ECDH_SIZE;
287 size_t siglen = ecdsa_size(s->hiskey);
289 // Verify length of KEX record.
291 return error(s, EIO, "Invalid KEX record length");
293 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
294 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
296 msg[0] = !s->initiator;
297 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
298 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
299 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
302 if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
303 return error(s, EIO, "Failed to verify SIG record");
305 // Compute shared secret.
306 char shared[ECDH_SHARED_SIZE];
307 if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
308 return error(s, EINVAL, "Failed to compute ECDH shared secret");
311 // Generate key material from shared secret.
312 if(!generate_key_material(s, shared, sizeof shared))
321 // Send cipher change record
322 if(s->outstate && !send_ack(s))
325 // TODO: only set new keys after ACK has been set/received
327 if(!cipher_set_counter_key(s->outcipher, s->key + cipher_keylength(s->incipher)))
328 return error(s, EINVAL, "Failed to set counter");
330 if(!cipher_set_counter_key(s->outcipher, s->key))
331 return error(s, EINVAL, "Failed to set counter");
337 // Force another Key EXchange (for testing purposes).
338 bool sptps_force_kex(sptps_t *s) {
339 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
340 return error(s, EINVAL, "Cannot force KEX in current state");
342 s->state = SPTPS_KEX;
346 // Receive a handshake record.
347 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
348 // Only a few states to deal with handshaking.
350 case SPTPS_SECONDARY_KEX:
351 // We receive a secondary KEX request, first respond by sending our own.
355 // We have sent our KEX request, we expect our peer to sent one as well.
356 if(!receive_kex(s, data, len))
358 s->state = SPTPS_SIG;
361 // If we already sent our secondary public ECDH key, we expect the peer to send his.
362 if(!receive_sig(s, data, len))
365 s->state = SPTPS_ACK;
368 if(!receive_ack(s, NULL, 0))
370 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
371 s->state = SPTPS_SECONDARY_KEX;
376 // We expect a handshake message to indicate transition to the new keys.
377 if(!receive_ack(s, data, len))
379 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
380 s->state = SPTPS_SECONDARY_KEX;
382 // TODO: split ACK into a VERify and ACK?
384 return error(s, EIO, "Invalid session state %d", s->state);
388 // Check datagram for valid HMAC
389 bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
390 if(!s->instate || len < 21)
391 return error(s, EIO, "Received short packet");
393 // TODO: just decrypt without updating the replay window
398 // Receive incoming data, datagram version.
399 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
400 if(len < (s->instate ? 21 : 5))
401 return error(s, EIO, "Received short packet");
404 memcpy(&seqno, data, 4);
405 seqno = ntohl(seqno);
408 if(seqno != s->inseqno)
409 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
411 s->inseqno = seqno + 1;
413 uint8_t type = data[4];
415 if(type != SPTPS_HANDSHAKE)
416 return error(s, EIO, "Application record received before handshake finished");
418 return receive_handshake(s, data + 5, len - 5);
425 if(!cipher_set_counter(s->incipher, data, sizeof seqno))
426 return error(s, EINVAL, "Failed to set counter");
429 if(!cipher_gcm_decrypt(s->incipher, data + 4, len - 4, buffer, &outlen))
430 return error(s, EIO, "Failed to decrypt and verify packet");
432 // Replay protection using a sliding window of configurable size.
433 // s->inseqno is expected sequence number
434 // seqno is received sequence number
435 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
436 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
438 if(seqno != s->inseqno) {
439 if(seqno >= s->inseqno + s->replaywin * 8) {
440 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
441 if(s->farfuture++ < s->replaywin >> 2)
442 return error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture);
444 // Unless we have seen lots of them, in which case we consider the others lost.
445 warning(s, "Lost %d packets\n", seqno - s->inseqno);
446 // Mark all packets in the replay window as being late.
447 memset(s->late, 255, s->replaywin);
448 } else if (seqno < s->inseqno) {
449 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
450 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
451 return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
453 // We missed some packets. Mark them in the bitmap as being late.
454 for(int i = s->inseqno; i < seqno; i++)
455 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
459 // Mark the current packet as not being late.
460 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
464 if(seqno >= s->inseqno)
465 s->inseqno = seqno + 1;
472 // Append a NULL byte for safety.
473 buffer[len - 20] = 0;
475 uint8_t type = buffer[0];
477 if(type < SPTPS_HANDSHAKE) {
479 return error(s, EIO, "Application record received before handshake finished");
480 if(!s->receive_record(s->handle, type, buffer + 1, len - 21))
482 } else if(type == SPTPS_HANDSHAKE) {
483 if(!receive_handshake(s, buffer + 1, len - 21))
486 return error(s, EIO, "Invalid record type %d", type);
492 // Receive incoming data. Check if it contains a complete record, if so, handle it.
493 bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
495 return error(s, EIO, "Invalid session state zero");
498 return sptps_receive_data_datagram(s, data, len);
501 // First read the 2 length bytes.
503 size_t toread = 2 - s->buflen;
507 memcpy(s->inbuf + s->buflen, data, toread);
513 // Exit early if we don't have the full length.
517 // Update sequence number.
519 uint32_t seqno = htonl(s->inseqno++);
521 // Decrypt the length bytes
524 if(!cipher_set_counter(s->incipher, &seqno, 4))
525 return error(s, EINVAL, "Failed to set counter");
527 if(!cipher_gcm_decrypt_start(s->incipher, s->inbuf, 2, &s->reclen, NULL))
528 return error(s, EINVAL, "Failed to decrypt record");
530 memcpy(&s->reclen, s->inbuf, 2);
533 s->reclen = ntohs(s->reclen);
535 // If we have the length bytes, ensure our buffer can hold the whole request.
536 s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
538 return error(s, errno, strerror(errno));
540 // Exit early if we have no more data to process.
545 // Read up to the end of the record.
546 size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
550 memcpy(s->inbuf + s->buflen, data, toread);
555 // If we don't have a whole record, exit.
556 if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))
559 // Check HMAC and decrypt.
561 if(!cipher_gcm_decrypt_finish(s->incipher, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL))
562 return error(s, EINVAL, "Failed to decrypt and verify record");
565 // Append a NULL byte for safety.
566 s->inbuf[s->reclen + 3UL] = 0;
568 uint8_t type = s->inbuf[2];
570 if(type < SPTPS_HANDSHAKE) {
572 return error(s, EIO, "Application record received before handshake finished");
573 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen))
575 } else if(type == SPTPS_HANDSHAKE) {
576 if(!receive_handshake(s, s->inbuf + 3, s->reclen))
579 return error(s, EIO, "Invalid record type %d", type);
588 // Start a SPTPS session.
589 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
590 // Initialise struct sptps
591 memset(s, 0, sizeof *s);
594 s->initiator = initiator;
595 s->datagram = datagram;
598 s->replaywin = sptps_replaywin;
600 s->late = malloc(s->replaywin);
602 return error(s, errno, strerror(errno));
603 memset(s->late, 0, s->replaywin);
606 s->label = malloc(labellen);
608 return error(s, errno, strerror(errno));
611 s->inbuf = malloc(7);
613 return error(s, errno, strerror(errno));
617 memcpy(s->label, label, labellen);
618 s->labellen = labellen;
620 s->send_data = send_data;
621 s->receive_record = receive_record;
623 // Do first KEX immediately
624 s->state = SPTPS_KEX;
628 // Stop a SPTPS session.
629 bool sptps_stop(sptps_t *s) {
630 // Clean up any resources.
631 cipher_close(s->incipher);
632 cipher_close(s->outcipher);
633 digest_close(s->indigest);
634 digest_close(s->outdigest);
642 memset(s, 0, sizeof *s);