]> git.meshlink.io Git - meshlink/blobdiff - src/sptps.c
projects / meshlink / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Avoid allocating packet buffers unnecessarily.
[meshlink] / src / sptps.c
diff --git a/src/sptps.c b/src/sptps.c
index 12c6c7f022b83fbf89adc2e536932415f4365fd6..ed1f67ff95afd11ac1adfd6f6b95edcca72bf7de 100644 (file)
--- a/src/sptps.c
+++ b/src/sptps.c
@@ -1,6 +1,6 @@
 /*
     sptps.c -- Simple Peer-to-Peer Security
-    Copyright (C) 2011 Guus Sliepen <guus@tinc-vpn.org>,
+    Copyright (C) 2014-2017 Guus Sliepen <guus@meshlink.io>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -19,11 +19,11 @@
 
 #include "system.h"
 
-#include "cipher.h"
+#include "chacha-poly1305/chacha-poly1305.h"
 #include "crypto.h"
-#include "digest.h"
 #include "ecdh.h"
 #include "ecdsa.h"
+#include "logger.h"
 #include "prf.h"
 #include "sptps.h"
 
@@ -47,85 +47,112 @@
    Make sure ECC operations are fixed time (aka prevent side-channel attacks).
 */
 
+void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
+       (void)s;
+       (void)s_errno;
+       (void)format;
+       (void)ap;
+
+       assert(format);
+}
+
+void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
+       (void)s;
+       (void)s_errno;
+
+       assert(format);
+
+       vfprintf(stderr, format, ap);
+       fputc('\n', stderr);
+}
+
+void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_quiet;
+
 // Log an error message.
-static bool error(sptps_t *s, int s_errno, const char *msg) {
-       fprintf(stderr, "SPTPS error: %s\n", msg);
+static bool error(sptps_t *s, int s_errno, const char *format, ...) {
+       assert(s_errno);
+       assert(format);
+
+       if(format) {
+               va_list ap;
+               va_start(ap, format);
+               sptps_log(s, s_errno, format, ap);
+               va_end(ap);
+       }
+
        errno = s_errno;
        return false;
 }
 
+static void warning(sptps_t *s, const char *format, ...) {
+       assert(format);
+
+       va_list ap;
+       va_start(ap, format);
+       sptps_log(s, 0, format, ap);
+       va_end(ap);
+}
+
 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
-static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
-       char buffer[len + 23UL];
+static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
+       char buffer[len + 21UL];
 
        // Create header with sequence number, length and record type
-       uint32_t seqno = htonl(s->outseqno++);
-       uint16_t netlen = htons(len);
-
-       memcpy(buffer, &netlen, 2);
-       memcpy(buffer + 2, &seqno, 4);
-       buffer[6] = type;
+       uint32_t seqno = s->outseqno++;
+       uint32_t netseqno = ntohl(seqno);
 
-       // Add plaintext (TODO: avoid unnecessary copy)
-       memcpy(buffer + 7, data, len);
+       memcpy(buffer, &netseqno, 4);
+       buffer[4] = type;
+       memcpy(buffer + 5, data, len);
 
        if(s->outstate) {
                // If first handshake has finished, encrypt and HMAC
-               cipher_set_counter(&s->outcipher, &seqno, sizeof seqno);
-               if(!cipher_counter_xor(&s->outcipher, buffer + 6, len + 1UL, buffer + 6))
-                       return false;
-
-               if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
-                       return false;
-
-               return s->send_data(s->handle, type, buffer + 2, len + 21UL);
+               chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
+               return s->send_data(s->handle, type, buffer, len + 21UL);
        } else {
                // Otherwise send as plaintext
-               return s->send_data(s->handle, type, buffer + 2, len + 5UL);
+               return s->send_data(s->handle, type, buffer, len + 5UL);
        }
 }
 // Send a record (private version, accepts all record types, handles encryption and authentication).
-static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
-       if(s->datagram)
+static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
+       if(s->datagram) {
                return send_record_priv_datagram(s, type, data, len);
+       }
 
-       char buffer[len + 23UL];
+       char buffer[len + 19UL];
 
        // Create header with sequence number, length and record type
-       uint32_t seqno = htonl(s->outseqno++);
+       uint32_t seqno = s->outseqno++;
        uint16_t netlen = htons(len);
 
-       memcpy(buffer, &seqno, 4);
-       memcpy(buffer + 4, &netlen, 2);
-       buffer[6] = type;
-
-       // Add plaintext (TODO: avoid unnecessary copy)
-       memcpy(buffer + 7, data, len);
+       memcpy(buffer, &netlen, 2);
+       buffer[2] = type;
+       memcpy(buffer + 3, data, len);
 
        if(s->outstate) {
                // If first handshake has finished, encrypt and HMAC
-               if(!cipher_counter_xor(&s->outcipher, buffer + 4, len + 3UL, buffer + 4))
-                       return false;
-
-               if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
-                       return false;
-
-               return s->send_data(s->handle, type, buffer + 4, len + 19UL);
+               chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
+               return s->send_data(s->handle, type, buffer, len + 19UL);
        } else {
                // Otherwise send as plaintext
-               return s->send_data(s->handle, type, buffer + 4, len + 3UL);
+               return s->send_data(s->handle, type, buffer, len + 3UL);
        }
 }
 
 // Send an application record.
-bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
+bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
+       assert(!len || data);
+
        // Sanity checks: application cannot send data before handshake is finished,
        // and only record types 0..127 are allowed.
-       if(!s->outstate)
+       if(!s->outstate) {
                return error(s, EINVAL, "Handshake phase not finished yet");
+       }
 
-       if(type >= SPTPS_HANDSHAKE)
+       if(type >= SPTPS_HANDSHAKE) {
                return error(s, EINVAL, "Invalid application record type");
+       }
 
        return send_record_priv(s, type, data, len);
 }
@@ -135,11 +162,15 @@ static bool send_kex(sptps_t *s) {
        size_t keylen = ECDH_SIZE;
 
        // Make room for our KEX message, which we will keep around since send_sig() needs it.
-       if(s->mykex)
-               abort();
+       if(s->mykex) {
+               return false;
+       }
+
        s->mykex = realloc(s->mykex, 1 + 32 + keylen);
-       if(!s->mykex)
+
+       if(!s->mykex) {
                return error(s, errno, strerror(errno));
+       }
 
        // Set version byte to zero.
        s->mykex[0] = SPTPS_VERSION;
@@ -148,8 +179,9 @@ static bool send_kex(sptps_t *s) {
        randomize(s->mykex + 1, 32);
 
        // Create a new ECDH public key.
-       if(!ecdh_generate_public(&s->ecdh, s->mykex + 1 + 32))
-               return false;
+       if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32))) {
+               return error(s, EINVAL, "Failed to generate ECDH public key");
+       }
 
        return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
 }
@@ -157,7 +189,7 @@ static bool send_kex(sptps_t *s) {
 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
 static bool send_sig(sptps_t *s) {
        size_t keylen = ECDH_SIZE;
-       size_t siglen = ecdsa_size(&s->mykey);
+       size_t siglen = ecdsa_size(s->mykey);
 
        // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
        char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
@@ -169,36 +201,42 @@ static bool send_sig(sptps_t *s) {
        memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
 
        // Sign the result.
-       if(!ecdsa_sign(&s->mykey, msg, sizeof msg, sig))
-               return false;
+       if(!ecdsa_sign(s->mykey, msg, sizeof(msg), sig)) {
+               return error(s, EINVAL, "Failed to sign SIG record");
+       }
 
        // Send the SIG exchange record.
-       return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
+       return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof(sig));
 }
 
 // Generate key material from the shared secret created from the ECDHE key exchange.
 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
+       assert(shared);
+       assert(len);
+
        // Initialise cipher and digest structures if necessary
        if(!s->outstate) {
-               bool result
-                       =  cipher_open_by_name(&s->incipher, "aes-256-ecb")
-                       && cipher_open_by_name(&s->outcipher, "aes-256-ecb")
-                       && digest_open_by_name(&s->indigest, "sha256", 16)
-                       && digest_open_by_name(&s->outdigest, "sha256", 16);
-               if(!result)
-                       return false;
+               s->incipher = chacha_poly1305_init();
+               s->outcipher = chacha_poly1305_init();
+
+               if(!s->incipher || !s->outcipher) {
+                       return error(s, EINVAL, "Failed to open cipher");
+               }
        }
 
        // Allocate memory for key material
-       size_t keylen = digest_keylength(&s->indigest) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher) + cipher_keylength(&s->outcipher);
+       size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
 
        s->key = realloc(s->key, keylen);
-       if(!s->key)
+
+       if(!s->key) {
                return error(s, errno, strerror(errno));
+       }
 
        // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
        char seed[s->labellen + 64 + 13];
        strcpy(seed, "key expansion");
+
        if(s->initiator) {
                memcpy(seed + 13, s->mykex + 1, 32);
                memcpy(seed + 45, s->hiskex + 1, 32);
@@ -206,11 +244,13 @@ static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
                memcpy(seed + 13, s->hiskex + 1, 32);
                memcpy(seed + 45, s->mykex + 1, 32);
        }
-       memcpy(seed + 78, s->label, s->labellen);
+
+       memcpy(seed + 77, s->label, s->labellen);
 
        // Use PRF to generate the key material
-       if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
-               return false;
+       if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen)) {
+               return error(s, EINVAL, "Failed to generate key material");
+       }
 
        return true;
 }
@@ -222,21 +262,20 @@ static bool send_ack(sptps_t *s) {
 
 // Receive an ACKnowledgement record.
 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
-       if(len)
+       (void)data;
+
+       if(len) {
                return error(s, EIO, "Invalid ACK record length");
+       }
 
        if(s->initiator) {
-               bool result
-                       = cipher_set_counter_key(&s->incipher, s->key)
-                       && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
-               if(!result)
-                       return false;
+               if(!chacha_poly1305_set_key(s->incipher, s->key)) {
+                       return error(s, EINVAL, "Failed to set counter");
+               }
        } else {
-               bool result
-                       = cipher_set_counter_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest))
-                       && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
-               if(!result)
-                       return false;
+               if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN)) {
+                       return error(s, EINVAL, "Failed to set counter");
+               }
        }
 
        free(s->key);
@@ -249,17 +288,22 @@ static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
 // Receive a Key EXchange record, respond by sending a SIG record.
 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
        // Verify length of the HELLO record
-       if(len != 1 + 32 + ECDH_SIZE)
+       if(len != 1 + 32 + ECDH_SIZE) {
                return error(s, EIO, "Invalid KEX record length");
+       }
 
        // Ignore version number for now.
 
        // Make a copy of the KEX message, send_sig() and receive_sig() need it
-       if(s->hiskex)
-               abort();
+       if(s->hiskex) {
+               return error(s, EINVAL, "Received a second KEX message before first has been processed");
+       }
+
        s->hiskex = realloc(s->hiskex, len);
-       if(!s->hiskex)
+
+       if(!s->hiskex) {
                return error(s, errno, strerror(errno));
+       }
 
        memcpy(s->hiskex, data, len);
 
@@ -269,11 +313,12 @@ static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        size_t keylen = ECDH_SIZE;
-       size_t siglen = ecdsa_size(&s->hiskey);
+       size_t siglen = ecdsa_size(s->hiskey);
 
        // Verify length of KEX record.
-       if(len != siglen)
+       if(len != siglen) {
                return error(s, EIO, "Invalid KEX record length");
+       }
 
        // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
        char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
@@ -284,17 +329,23 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
 
        // Verify signature.
-       if(!ecdsa_verify(&s->hiskey, msg, sizeof msg, data))
-               return false;
+       if(!ecdsa_verify(s->hiskey, msg, sizeof(msg), data)) {
+               return error(s, EIO, "Failed to verify SIG record");
+       }
 
        // Compute shared secret.
        char shared[ECDH_SHARED_SIZE];
-       if(!ecdh_compute_shared(&s->ecdh, s->hiskex + 1 + 32, shared))
-               return false;
+
+       if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) {
+               return error(s, EINVAL, "Failed to compute ECDH shared secret");
+       }
+
+       s->ecdh = NULL;
 
        // Generate key material from shared secret.
-       if(!generate_key_material(s, shared, sizeof shared))
+       if(!generate_key_material(s, shared, sizeof(shared))) {
                return false;
+       }
 
        free(s->mykex);
        free(s->hiskex);
@@ -303,22 +354,19 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
        s->hiskex = NULL;
 
        // Send cipher change record
-       if(s->outstate && !send_ack(s))
+       if(s->outstate && !send_ack(s)) {
                return false;
+       }
 
        // TODO: only set new keys after ACK has been set/received
        if(s->initiator) {
-               bool result
-                       = cipher_set_counter_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest))
-                       && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest) + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
-               if(!result)
-                       return false;
+               if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) {
+                       return error(s, EINVAL, "Failed to set key");
+               }
        } else {
-               bool result
-                       =  cipher_set_counter_key(&s->outcipher, s->key)
-                       && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
-               if(!result)
-                       return false;
+               if(!chacha_poly1305_set_key(s->outcipher, s->key)) {
+                       return error(s, EINVAL, "Failed to set key");
+               }
        }
 
        return true;
@@ -326,8 +374,9 @@ static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
 
 // Force another Key EXchange (for testing purposes).
 bool sptps_force_kex(sptps_t *s) {
-       if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
+       if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
                return error(s, EINVAL, "Cannot force KEX in current state");
+       }
 
        s->state = SPTPS_KEX;
        return send_kex(s);
@@ -336,64 +385,89 @@ bool sptps_force_kex(sptps_t *s) {
 // Receive a handshake record.
 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
        // Only a few states to deal with handshaking.
-       fprintf(stderr, "Received handshake message, current state %d\n", s->state);
        switch(s->state) {
-               case SPTPS_SECONDARY_KEX:
-                       // We receive a secondary KEX request, first respond by sending our own.
-                       if(!send_kex(s))
-                               return false;
-               case SPTPS_KEX:
-                       // We have sent our KEX request, we expect our peer to sent one as well.
-                       if(!receive_kex(s, data, len))
-                               return false;
-                       s->state = SPTPS_SIG;
-                       return true;
-               case SPTPS_SIG:
-                       // If we already sent our secondary public ECDH key, we expect the peer to send his.
-                       if(!receive_sig(s, data, len))
+       case SPTPS_SECONDARY_KEX:
+
+               // We receive a secondary KEX request, first respond by sending our own.
+               if(!send_kex(s)) {
+                       return false;
+               }
+
+       // fallthrough
+       case SPTPS_KEX:
+
+               // We have sent our KEX request, we expect our peer to sent one as well.
+               if(!receive_kex(s, data, len)) {
+                       return false;
+               }
+
+               s->state = SPTPS_SIG;
+               return true;
+
+       case SPTPS_SIG:
+
+               // If we already sent our secondary public ECDH key, we expect the peer to send his.
+               if(!receive_sig(s, data, len)) {
+                       return false;
+               }
+
+               if(s->outstate) {
+                       s->state = SPTPS_ACK;
+               } else {
+                       s->outstate = true;
+
+                       if(!receive_ack(s, NULL, 0)) {
                                return false;
-                       if(s->outstate)
-                               s->state = SPTPS_ACK;
-                       else {
-                               s->outstate = true;
-                               if(!receive_ack(s, NULL, 0))
-                                       return false;
-                               s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
-                               s->state = SPTPS_SECONDARY_KEX;
                        }
 
-                       return true;
-               case SPTPS_ACK:
-                       // We expect a handshake message to indicate transition to the new keys.
-                       if(!receive_ack(s, data, len))
-                               return false;
                        s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
                        s->state = SPTPS_SECONDARY_KEX;
-                       return true;
-               // TODO: split ACK into a VERify and ACK?
-               default:
-                       return error(s, EIO, "Invalid session state");
+               }
+
+               return true;
+
+       case SPTPS_ACK:
+
+               // We expect a handshake message to indicate transition to the new keys.
+               if(!receive_ack(s, data, len)) {
+                       return false;
+               }
+
+               s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
+               s->state = SPTPS_SECONDARY_KEX;
+               return true;
+
+       // TODO: split ACK into a VERify and ACK?
+       default:
+               return error(s, EIO, "Invalid session state %d", s->state);
        }
 }
 
 // Check datagram for valid HMAC
-bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
-       if(!s->instate || len < 21)
-               return false;
+bool sptps_verify_datagram(sptps_t *s, const void *data, size_t len) {
+       if(!s->instate) {
+               return error(s, EIO, "SPTPS state not ready to verify this datagram");
+       }
 
-       char buffer[len + 23];
-       uint16_t netlen = htons(len - 21);
+       if(len < 21) {
+               return error(s, EIO, "Received short packet in sptps_verify_datagram");
+       }
 
-       memcpy(buffer, &netlen, 2);
-       memcpy(buffer + 2, data, len);
+       uint32_t seqno;
+       memcpy(&seqno, data, 4);
+       seqno = ntohl(seqno);
+       // TODO: check whether seqno makes sense, to avoid CPU intensive decrypt
 
-       return digest_verify(&s->indigest, buffer, len - 14, buffer + len - 14);
+       return chacha_poly1305_verify(s->incipher, seqno, (const char *)data + 4, len - 4);
 }
 
 // Receive incoming data, datagram version.
-static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
-       if(len < (s->instate ? 21 : 5))
-               return error(s, EIO, "Received short packet");
+static bool sptps_receive_data_datagram(sptps_t *s, const void *vdata, size_t len) {
+       const char *data = vdata;
+
+       if(len < (s->instate ? 21 : 5)) {
+               return error(s, EIO, "Received short packet in sptps_receive_data_datagram");
+       }
 
        uint32_t seqno;
        memcpy(&seqno, data, 4);
@@ -401,180 +475,253 @@ static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len
 
        if(!s->instate) {
                if(seqno != s->inseqno) {
-                       fprintf(stderr, "Received invalid packet seqno: %d != %d\n", seqno, s->inseqno);
-                       return error(s, EIO, "Invalid packet seqno");
+                       return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
                }
 
                s->inseqno = seqno + 1;
 
                uint8_t type = data[4];
 
-               if(type != SPTPS_HANDSHAKE)
+               if(type != SPTPS_HANDSHAKE) {
                        return error(s, EIO, "Application record received before handshake finished");
+               }
 
                return receive_handshake(s, data + 5, len - 5);
        }
 
-       if(seqno < s->inseqno) {
-               fprintf(stderr, "Received late or replayed packet: %d < %d\n", seqno, s->inseqno);
-               return true;
-       }
+       // Decrypt
 
-       if(seqno > s->inseqno)
-               fprintf(stderr, "Missed %d packets\n", seqno - s->inseqno);
+       if(len > s->decrypted_buffer_len) {
+               s->decrypted_buffer_len *= 2;
+               char *new_buffer = realloc(s->decrypted_buffer, s->decrypted_buffer_len);
 
-       s->inseqno = seqno + 1;
+               if(!new_buffer) {
+                       return error(s, errno, strerror(errno));
+               }
 
-       uint16_t netlen = htons(len - 21);
+               s->decrypted_buffer = new_buffer;
+       }
 
-       char buffer[len + 23];
+       size_t outlen;
 
-       memcpy(buffer, &netlen, 2);
-       memcpy(buffer + 2, data, len);
+       if(!chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, s->decrypted_buffer, &outlen)) {
+               return error(s, EIO, "Failed to decrypt and verify packet");
+       }
 
-       memcpy(&seqno, buffer + 2, 4);
+       // Replay protection using a sliding window of configurable size.
+       // s->inseqno is expected sequence number
+       // seqno is received sequence number
+       // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
+       // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
+       if(s->replaywin) {
+               if(seqno != s->inseqno) {
+                       if(seqno >= s->inseqno + s->replaywin * 8) {
+                               // TODO: Prevent packets that jump far ahead of the queue from causing many others to be dropped.
+                               warning(s, "Lost %d packets\n", seqno - s->inseqno);
+                               // Mark all packets in the replay window as being late.
+                               memset(s->late, 255, s->replaywin);
+                       } else if(seqno < s->inseqno) {
+                               // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
+                               if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
+                                       return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
+                               }
+                       } else {
+                               // We missed some packets. Mark them in the bitmap as being late.
+                               for(uint32_t i = s->inseqno; i < seqno; i++) {
+                                       s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
+                               }
+                       }
+               }
 
-       // Check HMAC and decrypt.
-       if(!digest_verify(&s->indigest, buffer, len - 14, buffer + len - 14))
-               return error(s, EIO, "Invalid HMAC");
+               // Mark the current packet as not being late.
+               s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
+       }
 
-       cipher_set_counter(&s->incipher, &seqno, sizeof seqno);
-       if(!cipher_counter_xor(&s->incipher, buffer + 6, len - 4, buffer + 6))
-               return false;
+       if(seqno >= s->inseqno) {
+               s->inseqno = seqno + 1;
+       }
+
+       if(!s->inseqno) {
+               s->received = 0;
+       } else {
+               s->received++;
+       }
 
        // Append a NULL byte for safety.
-       buffer[len - 14] = 0;
+       s->decrypted_buffer[len - 20] = 0;
 
-       uint8_t type = buffer[6];
+       uint8_t type = s->decrypted_buffer[0];
 
        if(type < SPTPS_HANDSHAKE) {
-               if(!s->instate)
+               if(!s->instate) {
                        return error(s, EIO, "Application record received before handshake finished");
-               if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
-                       return false;
+               }
+
+               if(!s->receive_record(s->handle, type, s->decrypted_buffer + 1, len - 21)) {
+                       abort();
+               }
        } else if(type == SPTPS_HANDSHAKE) {
-               if(!receive_handshake(s, buffer + 7, len - 21))
-                       return false;
+               if(!receive_handshake(s, s->decrypted_buffer + 1, len - 21)) {
+                       abort();
+               }
        } else {
-               return error(s, EIO, "Invalid record type");
+               return error(s, EIO, "Invalid record type %d", type);
        }
 
        return true;
 }
+
 // Receive incoming data. Check if it contains a complete record, if so, handle it.
-bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
-       if(s->datagram)
+bool sptps_receive_data(sptps_t *s, const void *data, size_t len) {
+       if(!s->state) {
+               return error(s, EIO, "Invalid session state zero");
+       }
+
+       if(s->datagram) {
                return sptps_receive_data_datagram(s, data, len);
+       }
+
+       const char *ptr = data;
 
        while(len) {
                // First read the 2 length bytes.
-               if(s->buflen < 6) {
-                       size_t toread = 6 - s->buflen;
-                       if(toread > len)
+               if(s->buflen < 2) {
+                       size_t toread = 2 - s->buflen;
+
+                       if(toread > len) {
                                toread = len;
+                       }
 
-                       memcpy(s->inbuf + s->buflen, data, toread);
+                       memcpy(s->inbuf + s->buflen, ptr, toread);
 
                        s->buflen += toread;
                        len -= toread;
-                       data += toread;
-               
+                       ptr += toread;
+
                        // Exit early if we don't have the full length.
-                       if(s->buflen < 6)
+                       if(s->buflen < 2) {
                                return true;
-
-                       // Decrypt the length bytes
-
-                       if(s->instate) {
-                               if(!cipher_counter_xor(&s->incipher, s->inbuf + 4, 2, &s->reclen))
-                                       return false;
-                       } else {
-                               memcpy(&s->reclen, s->inbuf + 4, 2);
                        }
 
+                       // Get the length bytes
+
+                       memcpy(&s->reclen, s->inbuf, 2);
                        s->reclen = ntohs(s->reclen);
 
                        // If we have the length bytes, ensure our buffer can hold the whole request.
-                       s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
-                       if(!s->inbuf)
-                               return error(s, errno, strerror(errno));
+                       s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
 
-                       // Add sequence number.
-                       uint32_t seqno = htonl(s->inseqno++);
-                       memcpy(s->inbuf, &seqno, 4);
+                       if(!s->inbuf) {
+                               return error(s, errno, strerror(errno));
+                       }
 
                        // Exit early if we have no more data to process.
-                       if(!len)
+                       if(!len) {
                                return true;
+                       }
                }
 
                // Read up to the end of the record.
-               size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
-               if(toread > len)
+               size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
+
+               if(toread > len) {
                        toread = len;
+               }
 
-               memcpy(s->inbuf + s->buflen, data, toread);
+               memcpy(s->inbuf + s->buflen, ptr, toread);
                s->buflen += toread;
                len -= toread;
-               data += toread;
+               ptr += toread;
 
                // If we don't have a whole record, exit.
-               if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
+               if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
                        return true;
+               }
+
+               // Update sequence number.
+
+               uint32_t seqno = s->inseqno++;
 
                // Check HMAC and decrypt.
                if(s->instate) {
-                       if(!digest_verify(&s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
-                               return error(s, EIO, "Invalid HMAC");
-
-                       if(!cipher_counter_xor(&s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
-                               return false;
+                       if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
+                               return error(s, EINVAL, "Failed to decrypt and verify record");
+                       }
                }
 
                // Append a NULL byte for safety.
-               s->inbuf[s->reclen + 7UL] = 0;
+               s->inbuf[s->reclen + 3UL] = 0;
 
-               uint8_t type = s->inbuf[6];
+               uint8_t type = s->inbuf[2];
 
                if(type < SPTPS_HANDSHAKE) {
-                       if(!s->instate)
+                       if(!s->instate) {
                                return error(s, EIO, "Application record received before handshake finished");
-                       if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
+                       }
+
+                       if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
                                return false;
+                       }
                } else if(type == SPTPS_HANDSHAKE) {
-                       if(!receive_handshake(s, s->inbuf + 7, s->reclen))
+                       if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
                                return false;
+                       }
                } else {
-                       return error(s, EIO, "Invalid record type");
+                       return error(s, EIO, "Invalid record type %d", type);
                }
 
-               s->buflen = 4;
+               s->buflen = 0;
        }
 
        return true;
 }
 
 // Start a SPTPS session.
-bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t mykey, ecdsa_t hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
+bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
+       if(!s || !mykey || !hiskey || !label || !labellen || !send_data || !receive_record) {
+               return error(s, EINVAL, "Invalid argument to sptps_start()");
+       }
+
        // Initialise struct sptps
-       memset(s, 0, sizeof *s);
+       memset(s, 0, sizeof(*s));
 
        s->handle = handle;
        s->initiator = initiator;
        s->datagram = datagram;
        s->mykey = mykey;
        s->hiskey = hiskey;
+       s->replaywin = 32;
+       s->decrypted_buffer_len = 1024;
+       s->decrypted_buffer = malloc(s->decrypted_buffer_len);
+
+       if(!s->decrypted_buffer) {
+               return error(s, errno, strerror(errno));
+       }
+
+       if(s->replaywin) {
+               s->late = malloc(s->replaywin);
+
+               if(!s->late) {
+                       return error(s, errno, strerror(errno));
+               }
+
+               memset(s->late, 0, s->replaywin);
+       }
 
        s->label = malloc(labellen);
-       if(!s->label)
+
+       if(!s->label) {
                return error(s, errno, strerror(errno));
+       }
 
        if(!datagram) {
                s->inbuf = malloc(7);
-               if(!s->inbuf)
+
+               if(!s->inbuf) {
                        return error(s, errno, strerror(errno));
-               s->buflen = 4;
-               memset(s->inbuf, 0, 4);
+               }
+
+               s->buflen = 0;
        }
 
        memcpy(s->label, label, labellen);
@@ -591,16 +738,17 @@ bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_
 // Stop a SPTPS session.
 bool sptps_stop(sptps_t *s) {
        // Clean up any resources.
-       ecdh_free(&s->ecdh);
+       chacha_poly1305_exit(s->incipher);
+       chacha_poly1305_exit(s->outcipher);
+       ecdh_free(s->ecdh);
        free(s->inbuf);
-       s->inbuf = NULL;
        free(s->mykex);
-       s->mykex = NULL;
        free(s->hiskex);
-       s->hiskex = NULL;
        free(s->key);
-       s->key = NULL;
        free(s->label);
-       s->label = NULL;
+       free(s->late);
+       memset(s->decrypted_buffer, 0, s->decrypted_buffer_len);
+       free(s->decrypted_buffer);
+       memset(s, 0, sizeof(*s));
        return true;
 }
MeshLink library, based on tinc 1.1