2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2013 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
32 unsigned int sptps_replaywin = 16;
35 Nonce MUST be exchanged first (done)
36 Signatures MUST be done over both nonces, to guarantee the signature is fresh
37 Otherwise: if ECDHE key of one side is compromised, it can be reused!
39 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
41 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
43 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
45 Explicit close message needs to be added.
47 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
49 Use counter mode instead of OFB. (done)
51 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
54 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
57 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
58 vfprintf(stderr, format, ap);
62 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
64 // Log an error message.
65 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
69 sptps_log(s, s_errno, format, ap);
77 static void warning(sptps_t *s, const char *format, ...) {
80 sptps_log(s, 0, format, ap);
84 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
85 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
86 char buffer[len + 23UL];
88 // Create header with sequence number, length and record type
89 uint32_t seqno = htonl(s->outseqno++);
90 uint16_t netlen = htons(len);
92 memcpy(buffer, &netlen, 2);
93 memcpy(buffer + 2, &seqno, 4);
96 // Add plaintext (TODO: avoid unnecessary copy)
97 memcpy(buffer + 7, data, len);
100 // If first handshake has finished, encrypt and HMAC
101 if(!cipher_set_counter(s->outcipher, &seqno, sizeof seqno))
104 if(!cipher_counter_xor(s->outcipher, buffer + 6, len + 1UL, buffer + 6))
107 if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
110 return s->send_data(s->handle, type, buffer + 2, len + 21UL);
112 // Otherwise send as plaintext
113 return s->send_data(s->handle, type, buffer + 2, len + 5UL);
116 // Send a record (private version, accepts all record types, handles encryption and authentication).
117 static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
119 return send_record_priv_datagram(s, type, data, len);
121 char buffer[len + 23UL];
123 // Create header with sequence number, length and record type
124 uint32_t seqno = htonl(s->outseqno++);
125 uint16_t netlen = htons(len);
127 memcpy(buffer, &seqno, 4);
128 memcpy(buffer + 4, &netlen, 2);
131 // Add plaintext (TODO: avoid unnecessary copy)
132 memcpy(buffer + 7, data, len);
135 // If first handshake has finished, encrypt and HMAC
136 if(!cipher_counter_xor(s->outcipher, buffer + 4, len + 3UL, buffer + 4))
139 if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
142 return s->send_data(s->handle, type, buffer + 4, len + 19UL);
144 // Otherwise send as plaintext
145 return s->send_data(s->handle, type, buffer + 4, len + 3UL);
149 // Send an application record.
150 bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
151 // Sanity checks: application cannot send data before handshake is finished,
152 // and only record types 0..127 are allowed.
154 return error(s, EINVAL, "Handshake phase not finished yet");
156 if(type >= SPTPS_HANDSHAKE)
157 return error(s, EINVAL, "Invalid application record type");
159 return send_record_priv(s, type, data, len);
162 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
163 static bool send_kex(sptps_t *s) {
164 size_t keylen = ECDH_SIZE;
166 // Make room for our KEX message, which we will keep around since send_sig() needs it.
169 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
171 return error(s, errno, strerror(errno));
173 // Set version byte to zero.
174 s->mykex[0] = SPTPS_VERSION;
176 // Create a random nonce.
177 randomize(s->mykex + 1, 32);
179 // Create a new ECDH public key.
180 if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
183 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
186 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
187 static bool send_sig(sptps_t *s) {
188 size_t keylen = ECDH_SIZE;
189 size_t siglen = ecdsa_size(s->mykey);
191 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
192 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
195 msg[0] = s->initiator;
196 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
197 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
198 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
201 if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
204 // Send the SIG exchange record.
205 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
208 // Generate key material from the shared secret created from the ECDHE key exchange.
209 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
210 // Initialise cipher and digest structures if necessary
212 s->incipher = cipher_open_by_name("aes-256-ecb");
213 s->outcipher = cipher_open_by_name("aes-256-ecb");
214 s->indigest = digest_open_by_name("sha256", 16);
215 s->outdigest = digest_open_by_name("sha256", 16);
216 if(!s->incipher || !s->outcipher || !s->indigest || !s->outdigest)
220 // Allocate memory for key material
221 size_t keylen = digest_keylength(s->indigest) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher) + cipher_keylength(s->outcipher);
223 s->key = realloc(s->key, keylen);
225 return error(s, errno, strerror(errno));
227 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
228 char seed[s->labellen + 64 + 13];
229 strcpy(seed, "key expansion");
231 memcpy(seed + 13, s->mykex + 1, 32);
232 memcpy(seed + 45, s->hiskex + 1, 32);
234 memcpy(seed + 13, s->hiskex + 1, 32);
235 memcpy(seed + 45, s->mykex + 1, 32);
237 memcpy(seed + 77, s->label, s->labellen);
239 // Use PRF to generate the key material
240 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
246 // Send an ACKnowledgement record.
247 static bool send_ack(sptps_t *s) {
248 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
251 // Receive an ACKnowledgement record.
252 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
254 return error(s, EIO, "Invalid ACK record length");
258 = cipher_set_counter_key(s->incipher, s->key)
259 && digest_set_key(s->indigest, s->key + cipher_keylength(s->incipher), digest_keylength(s->indigest));
264 = cipher_set_counter_key(s->incipher, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest))
265 && digest_set_key(s->indigest, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher), digest_keylength(s->indigest));
277 // Receive a Key EXchange record, respond by sending a SIG record.
278 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
279 // Verify length of the HELLO record
280 if(len != 1 + 32 + ECDH_SIZE)
281 return error(s, EIO, "Invalid KEX record length");
283 // Ignore version number for now.
285 // Make a copy of the KEX message, send_sig() and receive_sig() need it
288 s->hiskex = realloc(s->hiskex, len);
290 return error(s, errno, strerror(errno));
292 memcpy(s->hiskex, data, len);
297 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
298 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
299 size_t keylen = ECDH_SIZE;
300 size_t siglen = ecdsa_size(s->hiskey);
302 // Verify length of KEX record.
304 return error(s, EIO, "Invalid KEX record length");
306 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
307 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
309 msg[0] = !s->initiator;
310 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
311 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
312 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
315 if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
318 // Compute shared secret.
319 char shared[ECDH_SHARED_SIZE];
320 if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
324 // Generate key material from shared secret.
325 if(!generate_key_material(s, shared, sizeof shared))
334 // Send cipher change record
335 if(s->outstate && !send_ack(s))
338 // TODO: only set new keys after ACK has been set/received
341 = cipher_set_counter_key(s->outcipher, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest))
342 && digest_set_key(s->outdigest, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest) + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
347 = cipher_set_counter_key(s->outcipher, s->key)
348 && digest_set_key(s->outdigest, s->key + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
356 // Force another Key EXchange (for testing purposes).
357 bool sptps_force_kex(sptps_t *s) {
358 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
359 return error(s, EINVAL, "Cannot force KEX in current state");
361 s->state = SPTPS_KEX;
365 // Receive a handshake record.
366 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
367 // Only a few states to deal with handshaking.
369 case SPTPS_SECONDARY_KEX:
370 // We receive a secondary KEX request, first respond by sending our own.
374 // We have sent our KEX request, we expect our peer to sent one as well.
375 if(!receive_kex(s, data, len))
377 s->state = SPTPS_SIG;
380 // If we already sent our secondary public ECDH key, we expect the peer to send his.
381 if(!receive_sig(s, data, len))
384 s->state = SPTPS_ACK;
387 if(!receive_ack(s, NULL, 0))
389 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
390 s->state = SPTPS_SECONDARY_KEX;
395 // We expect a handshake message to indicate transition to the new keys.
396 if(!receive_ack(s, data, len))
398 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
399 s->state = SPTPS_SECONDARY_KEX;
401 // TODO: split ACK into a VERify and ACK?
403 return error(s, EIO, "Invalid session state %d", s->state);
407 // Check datagram for valid HMAC
408 bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
409 if(!s->instate || len < 21)
412 char buffer[len + 23];
413 uint16_t netlen = htons(len - 21);
415 memcpy(buffer, &netlen, 2);
416 memcpy(buffer + 2, data, len);
418 return digest_verify(s->indigest, buffer, len - 14, buffer + len - 14);
421 // Receive incoming data, datagram version.
422 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
423 if(len < (s->instate ? 21 : 5))
424 return error(s, EIO, "Received short packet");
427 memcpy(&seqno, data, 4);
428 seqno = ntohl(seqno);
431 if(seqno != s->inseqno)
432 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
434 s->inseqno = seqno + 1;
436 uint8_t type = data[4];
438 if(type != SPTPS_HANDSHAKE)
439 return error(s, EIO, "Application record received before handshake finished");
441 return receive_handshake(s, data + 5, len - 5);
445 uint16_t netlen = htons(len - 21);
447 char buffer[len + 23];
449 memcpy(buffer, &netlen, 2);
450 memcpy(buffer + 2, data, len);
452 if(!digest_verify(s->indigest, buffer, len - 14, buffer + len - 14))
453 return error(s, EIO, "Invalid HMAC");
455 // Replay protection using a sliding window of configurable size.
456 // s->inseqno is expected sequence number
457 // seqno is received sequence number
458 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
459 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
461 if(seqno != s->inseqno) {
462 if(seqno >= s->inseqno + s->replaywin * 8) {
463 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
464 if(s->farfuture++ < s->replaywin >> 2)
465 return error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture);
467 // Unless we have seen lots of them, in which case we consider the others lost.
468 warning(s, "Lost %d packets\n", seqno - s->inseqno);
469 memset(s->late, 0, s->replaywin);
470 } else if (seqno < s->inseqno) {
471 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
472 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
473 return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
475 // We missed some packets. Mark them in the bitmap as being late.
476 for(int i = s->inseqno; i < seqno; i++)
477 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
481 // Mark the current packet as not being late.
482 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
486 if(seqno > s->inseqno)
487 s->inseqno = seqno + 1;
495 memcpy(&seqno, buffer + 2, 4);
496 if(!cipher_set_counter(s->incipher, &seqno, sizeof seqno))
498 if(!cipher_counter_xor(s->incipher, buffer + 6, len - 4, buffer + 6))
501 // Append a NULL byte for safety.
502 buffer[len - 14] = 0;
504 uint8_t type = buffer[6];
506 if(type < SPTPS_HANDSHAKE) {
508 return error(s, EIO, "Application record received before handshake finished");
509 if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
511 } else if(type == SPTPS_HANDSHAKE) {
512 if(!receive_handshake(s, buffer + 7, len - 21))
515 return error(s, EIO, "Invalid record type %d", type);
521 // Receive incoming data. Check if it contains a complete record, if so, handle it.
522 bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
524 return error(s, EIO, "Invalid session state zero");
527 return sptps_receive_data_datagram(s, data, len);
530 // First read the 2 length bytes.
532 size_t toread = 6 - s->buflen;
536 memcpy(s->inbuf + s->buflen, data, toread);
542 // Exit early if we don't have the full length.
546 // Decrypt the length bytes
549 if(!cipher_counter_xor(s->incipher, s->inbuf + 4, 2, &s->reclen))
552 memcpy(&s->reclen, s->inbuf + 4, 2);
555 s->reclen = ntohs(s->reclen);
557 // If we have the length bytes, ensure our buffer can hold the whole request.
558 s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
560 return error(s, errno, strerror(errno));
562 // Add sequence number.
563 uint32_t seqno = htonl(s->inseqno++);
564 memcpy(s->inbuf, &seqno, 4);
566 // Exit early if we have no more data to process.
571 // Read up to the end of the record.
572 size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
576 memcpy(s->inbuf + s->buflen, data, toread);
581 // If we don't have a whole record, exit.
582 if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
585 // Check HMAC and decrypt.
587 if(!digest_verify(s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
588 return error(s, EIO, "Invalid HMAC");
590 if(!cipher_counter_xor(s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
594 // Append a NULL byte for safety.
595 s->inbuf[s->reclen + 7UL] = 0;
597 uint8_t type = s->inbuf[6];
599 if(type < SPTPS_HANDSHAKE) {
601 return error(s, EIO, "Application record received before handshake finished");
602 if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
604 } else if(type == SPTPS_HANDSHAKE) {
605 if(!receive_handshake(s, s->inbuf + 7, s->reclen))
608 return error(s, EIO, "Invalid record type %d", type);
617 // Start a SPTPS session.
618 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
619 // Initialise struct sptps
620 memset(s, 0, sizeof *s);
623 s->initiator = initiator;
624 s->datagram = datagram;
627 s->replaywin = sptps_replaywin;
629 s->late = malloc(s->replaywin);
631 return error(s, errno, strerror(errno));
634 s->label = malloc(labellen);
636 return error(s, errno, strerror(errno));
639 s->inbuf = malloc(7);
641 return error(s, errno, strerror(errno));
643 memset(s->inbuf, 0, 4);
646 memcpy(s->label, label, labellen);
647 s->labellen = labellen;
649 s->send_data = send_data;
650 s->receive_record = receive_record;
652 // Do first KEX immediately
653 s->state = SPTPS_KEX;
657 // Stop a SPTPS session.
658 bool sptps_stop(sptps_t *s) {
659 // Clean up any resources.
660 cipher_close(s->incipher);
661 cipher_close(s->outcipher);
662 digest_close(s->indigest);
663 digest_close(s->outdigest);
671 memset(s, 0, sizeof *s);