2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2014 Guus Sliepen <guus@meshlink.io>
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License as published by
7 the Free Software Foundation; either version 2 of the License, or
8 (at your option) any later version.
10 This program is distributed in the hope that it will be useful,
11 but WITHOUT ANY WARRANTY; without even the implied warranty of
12 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 GNU General Public License for more details.
15 You should have received a copy of the GNU General Public License along
16 with this program; if not, write to the Free Software Foundation, Inc.,
17 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 #include "chacha-poly1305/chacha-poly1305.h"
30 unsigned int sptps_replaywin = 16;
33 Nonce MUST be exchanged first (done)
34 Signatures MUST be done over both nonces, to guarantee the signature is fresh
35 Otherwise: if ECDHE key of one side is compromised, it can be reused!
37 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
39 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
41 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
43 Explicit close message needs to be added.
45 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
47 Use counter mode instead of OFB. (done)
49 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
52 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
55 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
56 vfprintf(stderr, format, ap);
60 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
62 // Log an error message.
63 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
67 sptps_log(s, s_errno, format, ap);
75 static void warning(sptps_t *s, const char *format, ...) {
78 sptps_log(s, 0, format, ap);
82 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
83 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
84 char buffer[len + 21UL];
86 // Create header with sequence number, length and record type
87 uint32_t seqno = s->outseqno++;
88 uint32_t netseqno = ntohl(seqno);
90 memcpy(buffer, &netseqno, 4);
92 memcpy(buffer + 5, data, len);
95 // If first handshake has finished, encrypt and HMAC
96 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
97 return s->send_data(s->handle, type, buffer, len + 21UL);
99 // Otherwise send as plaintext
100 return s->send_data(s->handle, type, buffer, len + 5UL);
103 // Send a record (private version, accepts all record types, handles encryption and authentication).
104 static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
106 return send_record_priv_datagram(s, type, data, len);
108 char buffer[len + 19UL];
110 // Create header with sequence number, length and record type
111 uint32_t seqno = s->outseqno++;
112 uint16_t netlen = htons(len);
114 memcpy(buffer, &netlen, 2);
116 memcpy(buffer + 3, data, len);
119 // If first handshake has finished, encrypt and HMAC
120 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
121 return s->send_data(s->handle, type, buffer, len + 19UL);
123 // Otherwise send as plaintext
124 return s->send_data(s->handle, type, buffer, len + 3UL);
128 // Send an application record.
129 bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
130 // Sanity checks: application cannot send data before handshake is finished,
131 // and only record types 0..127 are allowed.
133 return error(s, EINVAL, "Handshake phase not finished yet");
135 if(type >= SPTPS_HANDSHAKE)
136 return error(s, EINVAL, "Invalid application record type");
138 return send_record_priv(s, type, data, len);
141 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
142 static bool send_kex(sptps_t *s) {
143 size_t keylen = ECDH_SIZE;
145 // Make room for our KEX message, which we will keep around since send_sig() needs it.
148 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
150 return error(s, errno, strerror(errno));
152 // Set version byte to zero.
153 s->mykex[0] = SPTPS_VERSION;
155 // Create a random nonce.
156 randomize(s->mykex + 1, 32);
158 // Create a new ECDH public key.
159 if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
160 return error(s, EINVAL, "Failed to generate ECDH public key");
162 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
165 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
166 static bool send_sig(sptps_t *s) {
167 size_t keylen = ECDH_SIZE;
168 size_t siglen = ecdsa_size(s->mykey);
170 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
171 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
174 msg[0] = s->initiator;
175 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
176 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
177 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
180 if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
181 return error(s, EINVAL, "Failed to sign SIG record");
183 // Send the SIG exchange record.
184 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
187 // Generate key material from the shared secret created from the ECDHE key exchange.
188 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
189 // Initialise cipher and digest structures if necessary
191 s->incipher = chacha_poly1305_init();
192 s->outcipher = chacha_poly1305_init();
193 if(!s->incipher || !s->outcipher)
194 return error(s, EINVAL, "Failed to open cipher");
197 // Allocate memory for key material
198 size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
200 s->key = realloc(s->key, keylen);
202 return error(s, errno, strerror(errno));
204 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
205 char seed[s->labellen + 64 + 13];
206 strcpy(seed, "key expansion");
208 memcpy(seed + 13, s->mykex + 1, 32);
209 memcpy(seed + 45, s->hiskex + 1, 32);
211 memcpy(seed + 13, s->hiskex + 1, 32);
212 memcpy(seed + 45, s->mykex + 1, 32);
214 memcpy(seed + 77, s->label, s->labellen);
216 // Use PRF to generate the key material
217 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
218 return error(s, EINVAL, "Failed to generate key material");
223 // Send an ACKnowledgement record.
224 static bool send_ack(sptps_t *s) {
225 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
228 // Receive an ACKnowledgement record.
229 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
231 return error(s, EIO, "Invalid ACK record length");
234 if(!chacha_poly1305_set_key(s->incipher, s->key))
235 return error(s, EINVAL, "Failed to set counter");
237 if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN))
238 return error(s, EINVAL, "Failed to set counter");
248 // Receive a Key EXchange record, respond by sending a SIG record.
249 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
250 // Verify length of the HELLO record
251 if(len != 1 + 32 + ECDH_SIZE)
252 return error(s, EIO, "Invalid KEX record length");
254 // Ignore version number for now.
256 // Make a copy of the KEX message, send_sig() and receive_sig() need it
258 return error(s, EINVAL, "Received a second KEX message before first has been processed");
259 s->hiskex = realloc(s->hiskex, len);
261 return error(s, errno, strerror(errno));
263 memcpy(s->hiskex, data, len);
268 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
269 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
270 size_t keylen = ECDH_SIZE;
271 size_t siglen = ecdsa_size(s->hiskey);
273 // Verify length of KEX record.
275 return error(s, EIO, "Invalid KEX record length");
277 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
278 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
280 msg[0] = !s->initiator;
281 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
282 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
283 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
286 if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
287 return error(s, EIO, "Failed to verify SIG record");
289 // Compute shared secret.
290 char shared[ECDH_SHARED_SIZE];
291 if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
292 return error(s, EINVAL, "Failed to compute ECDH shared secret");
295 // Generate key material from shared secret.
296 if(!generate_key_material(s, shared, sizeof shared))
305 // Send cipher change record
306 if(s->outstate && !send_ack(s))
309 // TODO: only set new keys after ACK has been set/received
311 if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN))
312 return error(s, EINVAL, "Failed to set key");
314 if(!chacha_poly1305_set_key(s->outcipher, s->key))
315 return error(s, EINVAL, "Failed to set key");
321 // Force another Key EXchange (for testing purposes).
322 bool sptps_force_kex(sptps_t *s) {
323 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
324 return error(s, EINVAL, "Cannot force KEX in current state");
326 s->state = SPTPS_KEX;
330 // Receive a handshake record.
331 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
332 // Only a few states to deal with handshaking.
334 case SPTPS_SECONDARY_KEX:
335 // We receive a secondary KEX request, first respond by sending our own.
339 // We have sent our KEX request, we expect our peer to sent one as well.
340 if(!receive_kex(s, data, len))
342 s->state = SPTPS_SIG;
345 // If we already sent our secondary public ECDH key, we expect the peer to send his.
346 if(!receive_sig(s, data, len))
349 s->state = SPTPS_ACK;
352 if(!receive_ack(s, NULL, 0))
354 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
355 s->state = SPTPS_SECONDARY_KEX;
360 // We expect a handshake message to indicate transition to the new keys.
361 if(!receive_ack(s, data, len))
363 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
364 s->state = SPTPS_SECONDARY_KEX;
366 // TODO: split ACK into a VERify and ACK?
368 return error(s, EIO, "Invalid session state %d", s->state);
372 // Check datagram for valid HMAC
373 bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
374 if(!s->instate || len < 21)
375 return error(s, EIO, "Received short packet");
377 // TODO: just decrypt without updating the replay window
382 // Receive incoming data, datagram version.
383 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
384 if(len < (s->instate ? 21 : 5))
385 return error(s, EIO, "Received short packet");
388 memcpy(&seqno, data, 4);
389 seqno = ntohl(seqno);
392 if(seqno != s->inseqno)
393 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
395 s->inseqno = seqno + 1;
397 uint8_t type = data[4];
399 if(type != SPTPS_HANDSHAKE)
400 return error(s, EIO, "Application record received before handshake finished");
402 return receive_handshake(s, data + 5, len - 5);
411 if(!chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen))
412 return error(s, EIO, "Failed to decrypt and verify packet");
414 // Replay protection using a sliding window of configurable size.
415 // s->inseqno is expected sequence number
416 // seqno is received sequence number
417 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
418 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
420 if(seqno != s->inseqno) {
421 if(seqno >= s->inseqno + s->replaywin * 8) {
422 // TODO: Prevent packets that jump far ahead of the queue from causing many others to be dropped.
423 warning(s, "Lost %d packets\n", seqno - s->inseqno);
424 // Mark all packets in the replay window as being late.
425 memset(s->late, 255, s->replaywin);
426 } else if (seqno < s->inseqno) {
427 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
428 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
429 return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
431 // We missed some packets. Mark them in the bitmap as being late.
432 for(int i = s->inseqno; i < seqno; i++)
433 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
437 // Mark the current packet as not being late.
438 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
441 if(seqno >= s->inseqno)
442 s->inseqno = seqno + 1;
449 // Append a NULL byte for safety.
450 buffer[len - 20] = 0;
452 uint8_t type = buffer[0];
454 if(type < SPTPS_HANDSHAKE) {
456 return error(s, EIO, "Application record received before handshake finished");
457 if(!s->receive_record(s->handle, type, buffer + 1, len - 21))
459 } else if(type == SPTPS_HANDSHAKE) {
460 if(!receive_handshake(s, buffer + 1, len - 21))
463 return error(s, EIO, "Invalid record type %d", type);
469 // Receive incoming data. Check if it contains a complete record, if so, handle it.
470 bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
472 return error(s, EIO, "Invalid session state zero");
475 return sptps_receive_data_datagram(s, data, len);
478 // First read the 2 length bytes.
480 size_t toread = 2 - s->buflen;
484 memcpy(s->inbuf + s->buflen, data, toread);
490 // Exit early if we don't have the full length.
494 // Get the length bytes
496 memcpy(&s->reclen, s->inbuf, 2);
497 s->reclen = ntohs(s->reclen);
499 // If we have the length bytes, ensure our buffer can hold the whole request.
500 s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
502 return error(s, errno, strerror(errno));
504 // Exit early if we have no more data to process.
509 // Read up to the end of the record.
510 size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
514 memcpy(s->inbuf + s->buflen, data, toread);
519 // If we don't have a whole record, exit.
520 if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))
523 // Update sequence number.
525 uint32_t seqno = s->inseqno++;
527 // Check HMAC and decrypt.
529 if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL))
530 return error(s, EINVAL, "Failed to decrypt and verify record");
533 // Append a NULL byte for safety.
534 s->inbuf[s->reclen + 3UL] = 0;
536 uint8_t type = s->inbuf[2];
538 if(type < SPTPS_HANDSHAKE) {
540 return error(s, EIO, "Application record received before handshake finished");
541 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen))
543 } else if(type == SPTPS_HANDSHAKE) {
544 if(!receive_handshake(s, s->inbuf + 3, s->reclen))
547 return error(s, EIO, "Invalid record type %d", type);
556 // Start a SPTPS session.
557 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
558 // Initialise struct sptps
559 memset(s, 0, sizeof *s);
562 s->initiator = initiator;
563 s->datagram = datagram;
566 s->replaywin = sptps_replaywin;
568 s->late = malloc(s->replaywin);
570 return error(s, errno, strerror(errno));
571 memset(s->late, 0, s->replaywin);
574 s->label = malloc(labellen);
576 return error(s, errno, strerror(errno));
579 s->inbuf = malloc(7);
581 return error(s, errno, strerror(errno));
585 memcpy(s->label, label, labellen);
586 s->labellen = labellen;
588 s->send_data = send_data;
589 s->receive_record = receive_record;
591 // Do first KEX immediately
592 s->state = SPTPS_KEX;
596 // Stop a SPTPS session.
597 bool sptps_stop(sptps_t *s) {
598 // Clean up any resources.
599 chacha_poly1305_exit(s->incipher);
600 chacha_poly1305_exit(s->outcipher);
608 memset(s, 0, sizeof *s);
projects / meshlink / blob