2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2012 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
31 unsigned int sptps_replaywin = 16;
34 Nonce MUST be exchanged first (done)
35 Signatures MUST be done over both nonces, to guarantee the signature is fresh
36 Otherwise: if ECDHE key of one side is compromised, it can be reused!
38 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
40 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
42 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
44 Explicit close message needs to be added.
46 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
48 Use counter mode instead of OFB. (done)
50 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
53 // Log an error message.
54 static bool error(sptps_t *s, int s_errno, const char *msg) {
55 fprintf(stderr, "SPTPS error: %s\n", msg);
60 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
61 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
62 char buffer[len + 23UL];
64 // Create header with sequence number, length and record type
65 uint32_t seqno = htonl(s->outseqno++);
66 uint16_t netlen = htons(len);
68 memcpy(buffer, &netlen, 2);
69 memcpy(buffer + 2, &seqno, 4);
72 // Add plaintext (TODO: avoid unnecessary copy)
73 memcpy(buffer + 7, data, len);
76 // If first handshake has finished, encrypt and HMAC
77 cipher_set_counter(&s->outcipher, &seqno, sizeof seqno);
78 if(!cipher_counter_xor(&s->outcipher, buffer + 6, len + 1UL, buffer + 6))
81 if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
84 return s->send_data(s->handle, type, buffer + 2, len + 21UL);
86 // Otherwise send as plaintext
87 return s->send_data(s->handle, type, buffer + 2, len + 5UL);
90 // Send a record (private version, accepts all record types, handles encryption and authentication).
91 static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
93 return send_record_priv_datagram(s, type, data, len);
95 char buffer[len + 23UL];
97 // Create header with sequence number, length and record type
98 uint32_t seqno = htonl(s->outseqno++);
99 uint16_t netlen = htons(len);
101 memcpy(buffer, &seqno, 4);
102 memcpy(buffer + 4, &netlen, 2);
105 // Add plaintext (TODO: avoid unnecessary copy)
106 memcpy(buffer + 7, data, len);
109 // If first handshake has finished, encrypt and HMAC
110 if(!cipher_counter_xor(&s->outcipher, buffer + 4, len + 3UL, buffer + 4))
113 if(!digest_create(&s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
116 return s->send_data(s->handle, type, buffer + 4, len + 19UL);
118 // Otherwise send as plaintext
119 return s->send_data(s->handle, type, buffer + 4, len + 3UL);
123 // Send an application record.
124 bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
125 // Sanity checks: application cannot send data before handshake is finished,
126 // and only record types 0..127 are allowed.
128 return error(s, EINVAL, "Handshake phase not finished yet");
130 if(type >= SPTPS_HANDSHAKE)
131 return error(s, EINVAL, "Invalid application record type");
133 return send_record_priv(s, type, data, len);
136 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
137 static bool send_kex(sptps_t *s) {
138 size_t keylen = ECDH_SIZE;
140 // Make room for our KEX message, which we will keep around since send_sig() needs it.
143 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
145 return error(s, errno, strerror(errno));
147 // Set version byte to zero.
148 s->mykex[0] = SPTPS_VERSION;
150 // Create a random nonce.
151 randomize(s->mykex + 1, 32);
153 // Create a new ECDH public key.
154 if(!ecdh_generate_public(&s->ecdh, s->mykex + 1 + 32))
157 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
160 // Send a SIGnature record, containing an ECDSA signature over both KEX records.
161 static bool send_sig(sptps_t *s) {
162 size_t keylen = ECDH_SIZE;
163 size_t siglen = ecdsa_size(&s->mykey);
165 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
166 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
169 msg[0] = s->initiator;
170 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
171 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
172 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
175 if(!ecdsa_sign(&s->mykey, msg, sizeof msg, sig))
178 // Send the SIG exchange record.
179 return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
182 // Generate key material from the shared secret created from the ECDHE key exchange.
183 static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
184 // Initialise cipher and digest structures if necessary
187 = cipher_open_by_name(&s->incipher, "aes-256-ecb")
188 && cipher_open_by_name(&s->outcipher, "aes-256-ecb")
189 && digest_open_by_name(&s->indigest, "sha256", 16)
190 && digest_open_by_name(&s->outdigest, "sha256", 16);
195 // Allocate memory for key material
196 size_t keylen = digest_keylength(&s->indigest) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher) + cipher_keylength(&s->outcipher);
198 s->key = realloc(s->key, keylen);
200 return error(s, errno, strerror(errno));
202 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
203 char seed[s->labellen + 64 + 13];
204 strcpy(seed, "key expansion");
206 memcpy(seed + 13, s->mykex + 1, 32);
207 memcpy(seed + 45, s->hiskex + 1, 32);
209 memcpy(seed + 13, s->hiskex + 1, 32);
210 memcpy(seed + 45, s->mykex + 1, 32);
212 memcpy(seed + 77, s->label, s->labellen);
214 // Use PRF to generate the key material
215 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
221 // Send an ACKnowledgement record.
222 static bool send_ack(sptps_t *s) {
223 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
226 // Receive an ACKnowledgement record.
227 static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
229 return error(s, EIO, "Invalid ACK record length");
233 = cipher_set_counter_key(&s->incipher, s->key)
234 && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
239 = cipher_set_counter_key(&s->incipher, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest))
240 && digest_set_key(&s->indigest, s->key + cipher_keylength(&s->outcipher) + digest_keylength(&s->outdigest) + cipher_keylength(&s->incipher), digest_keylength(&s->indigest));
252 // Receive a Key EXchange record, respond by sending a SIG record.
253 static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
254 // Verify length of the HELLO record
255 if(len != 1 + 32 + ECDH_SIZE)
256 return error(s, EIO, "Invalid KEX record length");
258 // Ignore version number for now.
260 // Make a copy of the KEX message, send_sig() and receive_sig() need it
263 s->hiskex = realloc(s->hiskex, len);
265 return error(s, errno, strerror(errno));
267 memcpy(s->hiskex, data, len);
272 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
273 static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
274 size_t keylen = ECDH_SIZE;
275 size_t siglen = ecdsa_size(&s->hiskey);
277 // Verify length of KEX record.
279 return error(s, EIO, "Invalid KEX record length");
281 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
282 char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
284 msg[0] = !s->initiator;
285 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
286 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
287 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
290 if(!ecdsa_verify(&s->hiskey, msg, sizeof msg, data))
293 // Compute shared secret.
294 char shared[ECDH_SHARED_SIZE];
295 if(!ecdh_compute_shared(&s->ecdh, s->hiskex + 1 + 32, shared))
298 // Generate key material from shared secret.
299 if(!generate_key_material(s, shared, sizeof shared))
308 // Send cipher change record
309 if(s->outstate && !send_ack(s))
312 // TODO: only set new keys after ACK has been set/received
315 = cipher_set_counter_key(&s->outcipher, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest))
316 && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->incipher) + digest_keylength(&s->indigest) + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
321 = cipher_set_counter_key(&s->outcipher, s->key)
322 && digest_set_key(&s->outdigest, s->key + cipher_keylength(&s->outcipher), digest_keylength(&s->outdigest));
330 // Force another Key EXchange (for testing purposes).
331 bool sptps_force_kex(sptps_t *s) {
332 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
333 return error(s, EINVAL, "Cannot force KEX in current state");
335 s->state = SPTPS_KEX;
339 // Receive a handshake record.
340 static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
341 // Only a few states to deal with handshaking.
343 case SPTPS_SECONDARY_KEX:
344 // We receive a secondary KEX request, first respond by sending our own.
348 // We have sent our KEX request, we expect our peer to sent one as well.
349 if(!receive_kex(s, data, len))
351 s->state = SPTPS_SIG;
354 // If we already sent our secondary public ECDH key, we expect the peer to send his.
355 if(!receive_sig(s, data, len))
358 s->state = SPTPS_ACK;
361 if(!receive_ack(s, NULL, 0))
363 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
364 s->state = SPTPS_SECONDARY_KEX;
369 // We expect a handshake message to indicate transition to the new keys.
370 if(!receive_ack(s, data, len))
372 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
373 s->state = SPTPS_SECONDARY_KEX;
375 // TODO: split ACK into a VERify and ACK?
377 return error(s, EIO, "Invalid session state");
381 // Check datagram for valid HMAC
382 bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
383 if(!s->instate || len < 21)
386 char buffer[len + 23];
387 uint16_t netlen = htons(len - 21);
389 memcpy(buffer, &netlen, 2);
390 memcpy(buffer + 2, data, len);
392 return digest_verify(&s->indigest, buffer, len - 14, buffer + len - 14);
395 // Receive incoming data, datagram version.
396 static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
397 if(len < (s->instate ? 21 : 5))
398 return error(s, EIO, "Received short packet");
401 memcpy(&seqno, data, 4);
402 seqno = ntohl(seqno);
405 if(seqno != s->inseqno) {
406 fprintf(stderr, "Received invalid packet seqno: %d != %d\n", seqno, s->inseqno);
407 return error(s, EIO, "Invalid packet seqno");
410 s->inseqno = seqno + 1;
412 uint8_t type = data[4];
414 if(type != SPTPS_HANDSHAKE)
415 return error(s, EIO, "Application record received before handshake finished");
417 return receive_handshake(s, data + 5, len - 5);
420 // Replay protection using a sliding window of configurable size.
421 // s->inseqno is expected sequence number
422 // seqno is received sequence number
423 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
424 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
426 if(seqno != s->inseqno) {
427 if(seqno >= s->inseqno + s->replaywin * 8) {
428 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
429 if(s->farfuture++ < s->replaywin >> 2) {
430 fprintf(stderr, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture);
433 // Unless we have seen lots of them, in which case we consider the others lost.
434 fprintf(stderr, "Lost %d packets\n", seqno - s->inseqno);
435 memset(s->late, 0, s->replaywin);
436 } else if (seqno < s->inseqno) {
437 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
438 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
439 fprintf(stderr, "Received late or replayed packet, seqno %d, last received %d", seqno, s->inseqno);
443 // We missed some packets. Mark them in the bitmap as being late.
444 for(int i = s->inseqno; i < seqno; i++)
445 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
449 // Mark the current packet as not being late.
450 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
454 if(seqno > s->inseqno)
455 s->inseqno = seqno + 1;
457 uint16_t netlen = htons(len - 21);
459 char buffer[len + 23];
461 memcpy(buffer, &netlen, 2);
462 memcpy(buffer + 2, data, len);
464 memcpy(&seqno, buffer + 2, 4);
466 // Check HMAC and decrypt.
467 if(!digest_verify(&s->indigest, buffer, len - 14, buffer + len - 14))
468 return error(s, EIO, "Invalid HMAC");
470 cipher_set_counter(&s->incipher, &seqno, sizeof seqno);
471 if(!cipher_counter_xor(&s->incipher, buffer + 6, len - 4, buffer + 6))
474 // Append a NULL byte for safety.
475 buffer[len - 14] = 0;
477 uint8_t type = buffer[6];
479 if(type < SPTPS_HANDSHAKE) {
481 return error(s, EIO, "Application record received before handshake finished");
482 if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
484 } else if(type == SPTPS_HANDSHAKE) {
485 if(!receive_handshake(s, buffer + 7, len - 21))
488 return error(s, EIO, "Invalid record type");
494 // Receive incoming data. Check if it contains a complete record, if so, handle it.
495 bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
497 return sptps_receive_data_datagram(s, data, len);
500 // First read the 2 length bytes.
502 size_t toread = 6 - s->buflen;
506 memcpy(s->inbuf + s->buflen, data, toread);
512 // Exit early if we don't have the full length.
516 // Decrypt the length bytes
519 if(!cipher_counter_xor(&s->incipher, s->inbuf + 4, 2, &s->reclen))
522 memcpy(&s->reclen, s->inbuf + 4, 2);
525 s->reclen = ntohs(s->reclen);
527 // If we have the length bytes, ensure our buffer can hold the whole request.
528 s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
530 return error(s, errno, strerror(errno));
532 // Add sequence number.
533 uint32_t seqno = htonl(s->inseqno++);
534 memcpy(s->inbuf, &seqno, 4);
536 // Exit early if we have no more data to process.
541 // Read up to the end of the record.
542 size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
546 memcpy(s->inbuf + s->buflen, data, toread);
551 // If we don't have a whole record, exit.
552 if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
555 // Check HMAC and decrypt.
557 if(!digest_verify(&s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
558 return error(s, EIO, "Invalid HMAC");
560 if(!cipher_counter_xor(&s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
564 // Append a NULL byte for safety.
565 s->inbuf[s->reclen + 7UL] = 0;
567 uint8_t type = s->inbuf[6];
569 if(type < SPTPS_HANDSHAKE) {
571 return error(s, EIO, "Application record received before handshake finished");
572 if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
574 } else if(type == SPTPS_HANDSHAKE) {
575 if(!receive_handshake(s, s->inbuf + 7, s->reclen))
578 return error(s, EIO, "Invalid record type");
587 // Start a SPTPS session.
588 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t mykey, ecdsa_t hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
589 // Initialise struct sptps
590 memset(s, 0, sizeof *s);
593 s->initiator = initiator;
594 s->datagram = datagram;
597 s->replaywin = sptps_replaywin;
599 s->late = malloc(s->replaywin);
601 return error(s, errno, strerror(errno));
604 s->label = malloc(labellen);
606 return error(s, errno, strerror(errno));
609 s->inbuf = malloc(7);
611 return error(s, errno, strerror(errno));
613 memset(s->inbuf, 0, 4);
616 memcpy(s->label, label, labellen);
617 s->labellen = labellen;
619 s->send_data = send_data;
620 s->receive_record = receive_record;
622 // Do first KEX immediately
623 s->state = SPTPS_KEX;
627 // Stop a SPTPS session.
628 bool sptps_stop(sptps_t *s) {
629 // Clean up any resources.
630 cipher_close(&s->incipher);
631 cipher_close(&s->outcipher);
632 digest_close(&s->indigest);
633 digest_close(&s->outdigest);
641 memset(s, 0, sizeof *s);