2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "chacha-poly1305/chacha-poly1305.h"
31 unsigned int sptps_replaywin = 16;
34 Nonce MUST be exchanged first (done)
35 Signatures MUST be done over both nonces, to guarantee the signature is fresh
36 Otherwise: if ECDHE key of one side is compromised, it can be reused!
38 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
40 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
42 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
44 Explicit close message needs to be added.
46 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
48 Use counter mode instead of OFB. (done)
50 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
53 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
60 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
64 vfprintf(stderr, format, ap);
68 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
70 // Log an error message.
71 static bool error(sptps_t *s, int s_errno, const char *format, ...) ATTR_FORMAT(printf, 3, 4);
72 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
79 sptps_log(s, s_errno, format, ap);
87 static void warning(sptps_t *s, const char *format, ...) ATTR_FORMAT(printf, 2, 3);
88 static void warning(sptps_t *s, const char *format, ...) {
91 sptps_log(s, 0, format, ap);
95 static sptps_kex_t *new_sptps_kex(void) {
96 return xzalloc(sizeof(sptps_kex_t));
99 static void free_sptps_kex(sptps_kex_t *kex) {
100 xzfree(kex, sizeof(sptps_kex_t));
103 static sptps_key_t *new_sptps_key(void) {
104 return xzalloc(sizeof(sptps_key_t));
107 static void free_sptps_key(sptps_key_t *key) {
108 xzfree(key, sizeof(sptps_key_t));
111 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
112 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
113 uint8_t *buffer = alloca(len + 21UL);
115 // Create header with sequence number, length and record type
116 uint32_t seqno = s->outseqno++;
117 uint32_t netseqno = ntohl(seqno);
119 memcpy(buffer, &netseqno, 4);
121 memcpy(buffer + 5, data, len);
124 // If first handshake has finished, encrypt and HMAC
125 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
126 return s->send_data(s->handle, type, buffer, len + 21UL);
128 // Otherwise send as plaintext
129 return s->send_data(s->handle, type, buffer, len + 5UL);
132 // Send a record (private version, accepts all record types, handles encryption and authentication).
133 static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
135 return send_record_priv_datagram(s, type, data, len);
138 uint8_t *buffer = alloca(len + 19UL);
140 // Create header with sequence number, length and record type
141 uint32_t seqno = s->outseqno++;
142 uint16_t netlen = htons(len);
144 memcpy(buffer, &netlen, 2);
146 memcpy(buffer + 3, data, len);
149 // If first handshake has finished, encrypt and HMAC
150 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
151 return s->send_data(s->handle, type, buffer, len + 19UL);
153 // Otherwise send as plaintext
154 return s->send_data(s->handle, type, buffer, len + 3UL);
158 // Send an application record.
159 bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
160 // Sanity checks: application cannot send data before handshake is finished,
161 // and only record types 0..127 are allowed.
163 return error(s, EINVAL, "Handshake phase not finished yet");
166 if(type >= SPTPS_HANDSHAKE) {
167 return error(s, EINVAL, "Invalid application record type");
170 return send_record_priv(s, type, data, len);
173 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
174 static bool send_kex(sptps_t *s) {
175 // Make room for our KEX message, which we will keep around since send_sig() needs it.
180 s->mykex = new_sptps_kex();
182 // Set version byte to zero.
183 s->mykex->version = SPTPS_VERSION;
185 // Create a random nonce.
186 randomize(s->mykex->nonce, ECDH_SIZE);
188 // Create a new ECDH public key.
189 if(!(s->ecdh = ecdh_generate_public(s->mykex->pubkey))) {
190 return error(s, EINVAL, "Failed to generate ECDH public key");
193 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, sizeof(sptps_kex_t));
196 static size_t sigmsg_len(size_t labellen) {
197 return 1 + 2 * sizeof(sptps_kex_t) + labellen;
200 static void fill_msg(uint8_t *msg, bool initiator, const sptps_kex_t *kex0, const sptps_kex_t *kex1, const sptps_t *s) {
201 *msg = initiator, msg++;
202 memcpy(msg, kex0, sizeof(*kex0)), msg += sizeof(*kex0);
203 memcpy(msg, kex1, sizeof(*kex1)), msg += sizeof(*kex1);
204 memcpy(msg, s->label, s->labellen);
207 // Send a SIGnature record, containing an Ed25519 signature over both KEX records.
208 static bool send_sig(sptps_t *s) {
209 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
210 size_t msglen = sigmsg_len(s->labellen);
211 uint8_t *msg = alloca(msglen);
212 fill_msg(msg, s->initiator, s->mykex, s->hiskex, s);
215 size_t siglen = ecdsa_size(s->mykey);
216 uint8_t *sig = alloca(siglen);
218 if(!ecdsa_sign(s->mykey, msg, msglen, sig)) {
219 return error(s, EINVAL, "Failed to sign SIG record");
222 // Send the SIG exchange record.
223 return send_record_priv(s, SPTPS_HANDSHAKE, sig, siglen);
226 // Generate key material from the shared secret created from the ECDHE key exchange.
227 static bool generate_key_material(sptps_t *s, const uint8_t *shared, size_t len) {
228 // Initialise cipher and digest structures if necessary
230 s->incipher = chacha_poly1305_init();
231 s->outcipher = chacha_poly1305_init();
233 if(!s->incipher || !s->outcipher) {
234 return error(s, EINVAL, "Failed to open cipher");
238 // Allocate memory for key material
239 s->key = new_sptps_key();
241 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
242 const size_t msglen = sizeof("key expansion") - 1;
243 const size_t seedlen = msglen + s->labellen + ECDH_SIZE * 2;
244 uint8_t *seed = alloca(seedlen);
247 memcpy(ptr, "key expansion", msglen);
250 memcpy(ptr, (s->initiator ? s->mykex : s->hiskex)->nonce, ECDH_SIZE);
253 memcpy(ptr, (s->initiator ? s->hiskex : s->mykex)->nonce, ECDH_SIZE);
256 memcpy(ptr, s->label, s->labellen);
258 // Use PRF to generate the key material
259 if(!prf(shared, len, seed, seedlen, s->key->both, sizeof(sptps_key_t))) {
260 return error(s, EINVAL, "Failed to generate key material");
266 // Send an ACKnowledgement record.
267 static bool send_ack(sptps_t *s) {
268 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
271 // Receive an ACKnowledgement record.
272 static bool receive_ack(sptps_t *s, const uint8_t *data, uint16_t len) {
276 return error(s, EIO, "Invalid ACK record length");
279 uint8_t *key = s->initiator ? s->key->key0 : s->key->key1;
281 if(!chacha_poly1305_set_key(s->incipher, key)) {
282 return error(s, EINVAL, "Failed to set counter");
285 free_sptps_key(s->key);
292 // Receive a Key EXchange record, respond by sending a SIG record.
293 static bool receive_kex(sptps_t *s, const uint8_t *data, uint16_t len) {
294 // Verify length of the HELLO record
295 if(len != sizeof(sptps_kex_t)) {
296 return error(s, EIO, "Invalid KEX record length");
299 if(*data != SPTPS_VERSION) {
300 return error(s, EINVAL, "Received incorrect version %d", *data);
303 // Make a copy of the KEX message, send_sig() and receive_sig() need it
305 return error(s, EINVAL, "Received a second KEX message before first has been processed");
308 s->hiskex = new_sptps_kex();
309 memcpy(s->hiskex, data, sizeof(sptps_kex_t));
318 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
319 static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
320 // Verify length of KEX record.
321 if(len != ecdsa_size(s->hiskey)) {
322 return error(s, EIO, "Invalid KEX record length");
325 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
326 const size_t msglen = sigmsg_len(s->labellen);
327 uint8_t *msg = alloca(msglen);
328 fill_msg(msg, !s->initiator, s->hiskex, s->mykex, s);
331 if(!ecdsa_verify(s->hiskey, msg, msglen, data)) {
332 return error(s, EIO, "Failed to verify SIG record");
335 // Compute shared secret.
336 uint8_t shared[ECDH_SHARED_SIZE];
338 if(!ecdh_compute_shared(s->ecdh, s->hiskex->pubkey, shared)) {
339 memzero(shared, sizeof(shared));
340 return error(s, EINVAL, "Failed to compute ECDH shared secret");
345 // Generate key material from shared secret.
346 bool generated = generate_key_material(s, shared, sizeof(shared));
347 memzero(shared, sizeof(shared));
353 if(!s->initiator && !send_sig(s)) {
357 free_sptps_kex(s->mykex);
360 free_sptps_kex(s->hiskex);
363 // Send cipher change record
364 if(s->outstate && !send_ack(s)) {
368 // TODO: only set new keys after ACK has been set/received
369 uint8_t *key = s->initiator ? s->key->key1 : s->key->key0;
371 if(!chacha_poly1305_set_key(s->outcipher, key)) {
372 return error(s, EINVAL, "Failed to set key");
378 // Force another Key EXchange (for testing purposes).
379 bool sptps_force_kex(sptps_t *s) {
380 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
381 return error(s, EINVAL, "Cannot force KEX in current state");
384 s->state = SPTPS_KEX;
388 // Receive a handshake record.
389 static bool receive_handshake(sptps_t *s, const uint8_t *data, uint16_t len) {
390 // Only a few states to deal with handshaking.
392 case SPTPS_SECONDARY_KEX:
394 // We receive a secondary KEX request, first respond by sending our own.
402 // We have sent our KEX request, we expect our peer to sent one as well.
403 if(!receive_kex(s, data, len)) {
407 s->state = SPTPS_SIG;
412 // If we already sent our secondary public ECDH key, we expect the peer to send his.
413 if(!receive_sig(s, data, len)) {
418 s->state = SPTPS_ACK;
422 if(!receive_ack(s, NULL, 0)) {
426 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
427 s->state = SPTPS_SECONDARY_KEX;
434 // We expect a handshake message to indicate transition to the new keys.
435 if(!receive_ack(s, data, len)) {
439 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
440 s->state = SPTPS_SECONDARY_KEX;
443 // TODO: split ACK into a VERify and ACK?
445 return error(s, EIO, "Invalid session state %d", s->state);
449 static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
450 // Replay protection using a sliding window of configurable size.
451 // s->inseqno is expected sequence number
452 // seqno is received sequence number
453 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
454 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
456 if(seqno != s->inseqno) {
457 if(seqno >= s->inseqno + s->replaywin * 8) {
458 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
459 bool farfuture = s->farfuture < s->replaywin >> 2;
466 return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
469 // Unless we have seen lots of them, in which case we consider the others lost.
471 warning(s, "Lost %d packets\n", seqno - s->inseqno);
475 // Mark all packets in the replay window as being late.
476 memset(s->late, 255, s->replaywin);
478 } else if(seqno < s->inseqno) {
479 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
480 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
481 return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
483 } else if(update_state) {
484 // We missed some packets. Mark them in the bitmap as being late.
485 for(uint32_t i = s->inseqno; i < seqno; i++) {
486 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
492 // Mark the current packet as not being late.
493 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
499 if(seqno >= s->inseqno) {
500 s->inseqno = seqno + 1;
513 // Check datagram for valid HMAC
514 bool sptps_verify_datagram(sptps_t *s, const void *vdata, size_t len) {
515 if(!s->instate || len < 21) {
516 return error(s, EIO, "Received short packet");
519 const uint8_t *data = vdata;
521 memcpy(&seqno, data, 4);
522 seqno = ntohl(seqno);
524 if(!sptps_check_seqno(s, seqno, false)) {
528 uint8_t *buffer = alloca(len);
530 return chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen);
533 // Receive incoming data, datagram version.
534 static bool sptps_receive_data_datagram(sptps_t *s, const uint8_t *data, size_t len) {
535 if(len < (s->instate ? 21 : 5)) {
536 return error(s, EIO, "Received short packet");
540 memcpy(&seqno, data, 4);
541 seqno = ntohl(seqno);
546 if(seqno != s->inseqno) {
547 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
550 s->inseqno = seqno + 1;
552 uint8_t type = *(data++);
555 if(type != SPTPS_HANDSHAKE) {
556 return error(s, EIO, "Application record received before handshake finished");
559 return receive_handshake(s, data, len);
564 uint8_t *buffer = alloca(len);
567 if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen)) {
568 return error(s, EIO, "Failed to decrypt and verify packet");
571 if(!sptps_check_seqno(s, seqno, true)) {
575 // Append a NULL byte for safety.
581 uint8_t type = *(data++);
584 if(type < SPTPS_HANDSHAKE) {
586 return error(s, EIO, "Application record received before handshake finished");
589 if(!s->receive_record(s->handle, type, data, len)) {
592 } else if(type == SPTPS_HANDSHAKE) {
593 if(!receive_handshake(s, data, len)) {
597 return error(s, EIO, "Invalid record type %d", type);
603 // Receive incoming data. Check if it contains a complete record, if so, handle it.
604 size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
605 const uint8_t *data = vdata;
606 size_t total_read = 0;
609 return error(s, EIO, "Invalid session state zero");
613 return sptps_receive_data_datagram(s, data, len) ? len : false;
616 // First read the 2 length bytes.
618 size_t toread = 2 - s->buflen;
624 memcpy(s->inbuf + s->buflen, data, toread);
626 total_read += toread;
631 // Exit early if we don't have the full length.
636 // Get the length bytes
638 memcpy(&s->reclen, s->inbuf, 2);
639 s->reclen = ntohs(s->reclen);
641 // If we have the length bytes, ensure our buffer can hold the whole request.
642 s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
645 return error(s, errno, "%s", strerror(errno));
648 // Exit early if we have no more data to process.
654 // Read up to the end of the record.
655 size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
661 memcpy(s->inbuf + s->buflen, data, toread);
662 total_read += toread;
665 // If we don't have a whole record, exit.
666 if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
670 // Update sequence number.
672 uint32_t seqno = s->inseqno++;
674 // Check HMAC and decrypt.
676 if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
677 return error(s, EINVAL, "Failed to decrypt and verify record");
681 // Append a NULL byte for safety.
682 s->inbuf[s->reclen + 3UL] = 0;
684 uint8_t type = s->inbuf[2];
686 if(type < SPTPS_HANDSHAKE) {
688 return error(s, EIO, "Application record received before handshake finished");
691 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
694 } else if(type == SPTPS_HANDSHAKE) {
695 if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
699 return error(s, EIO, "Invalid record type %d", type);
707 // Start a SPTPS session.
708 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
709 // Initialise struct sptps
710 memset(s, 0, sizeof(*s));
713 s->initiator = initiator;
714 s->datagram = datagram;
717 s->replaywin = sptps_replaywin;
720 s->late = malloc(s->replaywin);
723 return error(s, errno, "%s", strerror(errno));
726 memset(s->late, 0, s->replaywin);
729 s->label = malloc(labellen);
732 return error(s, errno, "%s", strerror(errno));
736 s->inbuf = malloc(7);
739 return error(s, errno, "%s", strerror(errno));
745 memcpy(s->label, label, labellen);
746 s->labellen = labellen;
748 s->send_data = send_data;
749 s->receive_record = receive_record;
751 // Do first KEX immediately
752 s->state = SPTPS_KEX;
756 // Stop a SPTPS session.
757 bool sptps_stop(sptps_t *s) {
758 // Clean up any resources.
759 chacha_poly1305_exit(s->incipher);
760 chacha_poly1305_exit(s->outcipher);
763 free_sptps_kex(s->mykex);
764 free_sptps_kex(s->hiskex);
765 free_sptps_key(s->key);
768 memset(s, 0, sizeof(*s));