2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2014-2017 Guus Sliepen <guus@meshlink.io>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License along
16 with this program; if not, write to the Free Software Foundation, Inc.,
17 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "chacha-poly1305/chacha-poly1305.h"
31 Nonce MUST be exchanged first (done)
32 Signatures MUST be done over both nonces, to guarantee the signature is fresh
33 Otherwise: if ECDHE key of one side is compromised, it can be reused!
35 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
37 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
39 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
41 Explicit close message needs to be added.
43 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
45 Use counter mode instead of OFB. (done)
47 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
50 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
57 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
60 vfprintf(stderr, format, ap);
64 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_quiet;
66 // Log an error message.
67 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
71 sptps_log(s, s_errno, format, ap);
79 static void warning(sptps_t *s, const char *format, ...) {
82 sptps_log(s, 0, format, ap);
86 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
87 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
88 char buffer[len + 21UL];
90 // Create header with sequence number, length and record type
91 uint32_t seqno = s->outseqno++;
92 uint32_t netseqno = ntohl(seqno);
94 memcpy(buffer, &netseqno, 4);
96 memcpy(buffer + 5, data, len);
99 // If first handshake has finished, encrypt and HMAC
100 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
101 return s->send_data(s->handle, type, buffer, len + 21UL);
103 // Otherwise send as plaintext
104 return s->send_data(s->handle, type, buffer, len + 5UL);
107 // Send a record (private version, accepts all record types, handles encryption and authentication).
108 static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
110 return send_record_priv_datagram(s, type, data, len);
113 char buffer[len + 19UL];
115 // Create header with sequence number, length and record type
116 uint32_t seqno = s->outseqno++;
117 uint16_t netlen = htons(len);
119 memcpy(buffer, &netlen, 2);
121 memcpy(buffer + 3, data, len);
124 // If first handshake has finished, encrypt and HMAC
125 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
126 return s->send_data(s->handle, type, buffer, len + 19UL);
128 // Otherwise send as plaintext
129 return s->send_data(s->handle, type, buffer, len + 3UL);
133 // Send an application record.
134 bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
135 // Sanity checks: application cannot send data before handshake is finished,
136 // and only record types 0..127 are allowed.
138 return error(s, EINVAL, "Handshake phase not finished yet");
141 if(type >= SPTPS_HANDSHAKE) {
142 return error(s, EINVAL, "Invalid application record type");
145 return send_record_priv(s, type, data, len);
148 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
149 static bool send_kex(sptps_t *s) {
150 size_t keylen = ECDH_SIZE;
152 // Make room for our KEX message, which we will keep around since send_sig() needs it.
157 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
160 return error(s, errno, strerror(errno));
163 // Set version byte to zero.
164 s->mykex[0] = SPTPS_VERSION;
166 // Create a random nonce.
167 randomize(s->mykex + 1, 32);
169 // Create a new ECDH public key.
170 if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32))) {
171 return error(s, EINVAL, "Failed to generate ECDH public key");
174 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
177 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
178 static bool send_sig(sptps_t *s) {
179 size_t keylen = ECDH_SIZE;
180 size_t siglen = ecdsa_size(s->mykey);
182 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
183 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
186 msg[0] = s->initiator;
187 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
188 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
189 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
192 if(!ecdsa_sign(s->mykey, msg, sizeof(msg), sig)) {
193 return error(s, EINVAL, "Failed to sign SIG record");
196 // Send the SIG exchange record.
197 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof(sig));
200 // Generate key material from the shared secret created from the ECDHE key exchange.
201 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
202 // Initialise cipher and digest structures if necessary
204 s->incipher = chacha_poly1305_init();
205 s->outcipher = chacha_poly1305_init();
207 if(!s->incipher || !s->outcipher) {
208 return error(s, EINVAL, "Failed to open cipher");
212 // Allocate memory for key material
213 size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
215 s->key = realloc(s->key, keylen);
218 return error(s, errno, strerror(errno));
221 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
222 char seed[s->labellen + 64 + 13];
223 strcpy(seed, "key expansion");
226 memcpy(seed + 13, s->mykex + 1, 32);
227 memcpy(seed + 45, s->hiskex + 1, 32);
229 memcpy(seed + 13, s->hiskex + 1, 32);
230 memcpy(seed + 45, s->mykex + 1, 32);
233 memcpy(seed + 77, s->label, s->labellen);
235 // Use PRF to generate the key material
236 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen)) {
237 return error(s, EINVAL, "Failed to generate key material");
243 // Send an ACKnowledgement record.
244 static bool send_ack(sptps_t *s) {
245 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
248 // Receive an ACKnowledgement record.
249 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
253 return error(s, EIO, "Invalid ACK record length");
257 if(!chacha_poly1305_set_key(s->incipher, s->key)) {
258 return error(s, EINVAL, "Failed to set counter");
261 if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN)) {
262 return error(s, EINVAL, "Failed to set counter");
273 // Receive a Key EXchange record, respond by sending a SIG record.
274 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
275 // Verify length of the HELLO record
276 if(len != 1 + 32 + ECDH_SIZE) {
277 return error(s, EIO, "Invalid KEX record length");
280 // Ignore version number for now.
282 // Make a copy of the KEX message, send_sig() and receive_sig() need it
284 return error(s, EINVAL, "Received a second KEX message before first has been processed");
287 s->hiskex = realloc(s->hiskex, len);
290 return error(s, errno, strerror(errno));
293 memcpy(s->hiskex, data, len);
298 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
299 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
300 size_t keylen = ECDH_SIZE;
301 size_t siglen = ecdsa_size(s->hiskey);
303 // Verify length of KEX record.
305 return error(s, EIO, "Invalid KEX record length");
308 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
309 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
311 msg[0] = !s->initiator;
312 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
313 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
314 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
317 if(!ecdsa_verify(s->hiskey, msg, sizeof(msg), data)) {
318 return error(s, EIO, "Failed to verify SIG record");
321 // Compute shared secret.
322 char shared[ECDH_SHARED_SIZE];
324 if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) {
325 return error(s, EINVAL, "Failed to compute ECDH shared secret");
330 // Generate key material from shared secret.
331 if(!generate_key_material(s, shared, sizeof(shared))) {
341 // Send cipher change record
342 if(s->outstate && !send_ack(s)) {
346 // TODO: only set new keys after ACK has been set/received
348 if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) {
349 return error(s, EINVAL, "Failed to set key");
352 if(!chacha_poly1305_set_key(s->outcipher, s->key)) {
353 return error(s, EINVAL, "Failed to set key");
360 // Force another Key EXchange (for testing purposes).
361 bool sptps_force_kex(sptps_t *s) {
362 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
363 return error(s, EINVAL, "Cannot force KEX in current state");
366 s->state = SPTPS_KEX;
370 // Receive a handshake record.
371 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
372 // Only a few states to deal with handshaking.
374 case SPTPS_SECONDARY_KEX:
376 // We receive a secondary KEX request, first respond by sending our own.
384 // We have sent our KEX request, we expect our peer to sent one as well.
385 if(!receive_kex(s, data, len)) {
389 s->state = SPTPS_SIG;
394 // If we already sent our secondary public ECDH key, we expect the peer to send his.
395 if(!receive_sig(s, data, len)) {
400 s->state = SPTPS_ACK;
404 if(!receive_ack(s, NULL, 0)) {
408 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
409 s->state = SPTPS_SECONDARY_KEX;
416 // We expect a handshake message to indicate transition to the new keys.
417 if(!receive_ack(s, data, len)) {
421 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
422 s->state = SPTPS_SECONDARY_KEX;
425 // TODO: split ACK into a VERify and ACK?
427 return error(s, EIO, "Invalid session state %d", s->state);
431 // Check datagram for valid HMAC
432 bool sptps_verify_datagram(sptps_t *s, const void *data, size_t len) {
434 return error(s, EIO, "SPTPS state not ready to verify this datagram");
438 return error(s, EIO, "Received short packet in sptps_verify_datagram");
442 memcpy(&seqno, data, 4);
443 seqno = ntohl(seqno);
444 // TODO: check whether seqno makes sense, to avoid CPU intensive decrypt
446 return chacha_poly1305_verify(s->incipher, seqno, (const char *)data + 4, len - 4);
449 // Receive incoming data, datagram version.
450 static bool sptps_receive_data_datagram(sptps_t *s, const void *vdata, size_t len) {
451 const char *data = vdata;
453 if(len < (s->instate ? 21 : 5)) {
454 return error(s, EIO, "Received short packet in sptps_receive_data_datagram");
458 memcpy(&seqno, data, 4);
459 seqno = ntohl(seqno);
462 if(seqno != s->inseqno) {
463 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
466 s->inseqno = seqno + 1;
468 uint8_t type = data[4];
470 if(type != SPTPS_HANDSHAKE) {
471 return error(s, EIO, "Application record received before handshake finished");
474 return receive_handshake(s, data + 5, len - 5);
479 if(len > s->decrypted_buffer_len) {
480 s->decrypted_buffer_len *= 2;
481 char *new_buffer = realloc(s->decrypted_buffer, s->decrypted_buffer_len);
484 return error(s, errno, strerror(errno));
487 s->decrypted_buffer = new_buffer;
492 if(!chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, s->decrypted_buffer, &outlen)) {
493 return error(s, EIO, "Failed to decrypt and verify packet");
496 // Replay protection using a sliding window of configurable size.
497 // s->inseqno is expected sequence number
498 // seqno is received sequence number
499 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
500 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
502 if(seqno != s->inseqno) {
503 if(seqno >= s->inseqno + s->replaywin * 8) {
504 // TODO: Prevent packets that jump far ahead of the queue from causing many others to be dropped.
505 warning(s, "Lost %d packets\n", seqno - s->inseqno);
506 // Mark all packets in the replay window as being late.
507 memset(s->late, 255, s->replaywin);
508 } else if(seqno < s->inseqno) {
509 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
510 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
511 return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
514 // We missed some packets. Mark them in the bitmap as being late.
515 for(uint32_t i = s->inseqno; i < seqno; i++) {
516 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
521 // Mark the current packet as not being late.
522 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
525 if(seqno >= s->inseqno) {
526 s->inseqno = seqno + 1;
535 // Append a NULL byte for safety.
536 s->decrypted_buffer[len - 20] = 0;
538 uint8_t type = s->decrypted_buffer[0];
540 if(type < SPTPS_HANDSHAKE) {
542 return error(s, EIO, "Application record received before handshake finished");
545 if(!s->receive_record(s->handle, type, s->decrypted_buffer + 1, len - 21)) {
548 } else if(type == SPTPS_HANDSHAKE) {
549 if(!receive_handshake(s, s->decrypted_buffer + 1, len - 21)) {
553 return error(s, EIO, "Invalid record type %d", type);
559 // Receive incoming data. Check if it contains a complete record, if so, handle it.
560 bool sptps_receive_data(sptps_t *s, const void *data, size_t len) {
562 return error(s, EIO, "Invalid session state zero");
566 return sptps_receive_data_datagram(s, data, len);
569 const char *ptr = data;
572 // First read the 2 length bytes.
574 size_t toread = 2 - s->buflen;
580 memcpy(s->inbuf + s->buflen, ptr, toread);
586 // Exit early if we don't have the full length.
591 // Get the length bytes
593 memcpy(&s->reclen, s->inbuf, 2);
594 s->reclen = ntohs(s->reclen);
596 // If we have the length bytes, ensure our buffer can hold the whole request.
597 s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
600 return error(s, errno, strerror(errno));
603 // Exit early if we have no more data to process.
609 // Read up to the end of the record.
610 size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
616 memcpy(s->inbuf + s->buflen, ptr, toread);
621 // If we don't have a whole record, exit.
622 if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
626 // Update sequence number.
628 uint32_t seqno = s->inseqno++;
630 // Check HMAC and decrypt.
632 if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
633 return error(s, EINVAL, "Failed to decrypt and verify record");
637 // Append a NULL byte for safety.
638 s->inbuf[s->reclen + 3UL] = 0;
640 uint8_t type = s->inbuf[2];
642 if(type < SPTPS_HANDSHAKE) {
644 return error(s, EIO, "Application record received before handshake finished");
647 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
650 } else if(type == SPTPS_HANDSHAKE) {
651 if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
655 return error(s, EIO, "Invalid record type %d", type);
664 // Start a SPTPS session.
665 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
666 if(!s || !mykey || !hiskey || !label || !labellen || !send_data || !receive_record) {
667 return error(s, EINVAL, "Invalid argument to sptps_start()");
670 // Initialise struct sptps
671 memset(s, 0, sizeof(*s));
674 s->initiator = initiator;
675 s->datagram = datagram;
679 s->decrypted_buffer_len = 1024;
680 s->decrypted_buffer = malloc(s->decrypted_buffer_len);
682 if(!s->decrypted_buffer) {
683 return error(s, errno, strerror(errno));
687 s->late = malloc(s->replaywin);
690 return error(s, errno, strerror(errno));
693 memset(s->late, 0, s->replaywin);
696 s->label = malloc(labellen);
699 return error(s, errno, strerror(errno));
703 s->inbuf = malloc(7);
706 return error(s, errno, strerror(errno));
712 memcpy(s->label, label, labellen);
713 s->labellen = labellen;
715 s->send_data = send_data;
716 s->receive_record = receive_record;
718 // Do first KEX immediately
719 s->state = SPTPS_KEX;
723 // Stop a SPTPS session.
724 bool sptps_stop(sptps_t *s) {
725 // Clean up any resources.
726 chacha_poly1305_exit(s->incipher);
727 chacha_poly1305_exit(s->outcipher);
735 memset(s->decrypted_buffer, 0, s->decrypted_buffer_len);
736 free(s->decrypted_buffer);
737 memset(s, 0, sizeof(*s));