2 sptps.c -- Simple Peer-to-Peer Security
3 Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
4 2010 Brandon L. Black <blblack@gmail.com>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License along
17 with this program; if not, write to the Free Software Foundation, Inc.,
18 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23 #include "chacha-poly1305/chacha-poly1305.h"
31 unsigned int sptps_replaywin = 16;
34 Nonce MUST be exchanged first (done)
35 Signatures MUST be done over both nonces, to guarantee the signature is fresh
36 Otherwise: if ECDHE key of one side is compromised, it can be reused!
38 Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
40 Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
42 HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
44 Explicit close message needs to be added.
46 Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
48 Use counter mode instead of OFB. (done)
50 Make sure ECC operations are fixed time (aka prevent side-channel attacks).
53 void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
60 void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
64 vfprintf(stderr, format, ap);
68 void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
70 // Log an error message.
71 static bool error(sptps_t *s, int s_errno, const char *format, ...) {
78 sptps_log(s, s_errno, format, ap);
86 static void warning(sptps_t *s, const char *format, ...) {
89 sptps_log(s, 0, format, ap);
93 // Send a record (datagram version, accepts all record types, handles encryption and authentication).
94 static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
95 uint8_t *buffer = alloca(len + 21UL);
97 // Create header with sequence number, length and record type
98 uint32_t seqno = s->outseqno++;
99 uint32_t netseqno = ntohl(seqno);
101 memcpy(buffer, &netseqno, 4);
103 memcpy(buffer + 5, data, len);
106 // If first handshake has finished, encrypt and HMAC
107 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
108 return s->send_data(s->handle, type, buffer, len + 21UL);
110 // Otherwise send as plaintext
111 return s->send_data(s->handle, type, buffer, len + 5UL);
114 // Send a record (private version, accepts all record types, handles encryption and authentication).
115 static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
117 return send_record_priv_datagram(s, type, data, len);
120 uint8_t *buffer = alloca(len + 19UL);
122 // Create header with sequence number, length and record type
123 uint32_t seqno = s->outseqno++;
124 uint16_t netlen = htons(len);
126 memcpy(buffer, &netlen, 2);
128 memcpy(buffer + 3, data, len);
131 // If first handshake has finished, encrypt and HMAC
132 chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
133 return s->send_data(s->handle, type, buffer, len + 19UL);
135 // Otherwise send as plaintext
136 return s->send_data(s->handle, type, buffer, len + 3UL);
140 // Send an application record.
141 bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
142 // Sanity checks: application cannot send data before handshake is finished,
143 // and only record types 0..127 are allowed.
145 return error(s, EINVAL, "Handshake phase not finished yet");
148 if(type >= SPTPS_HANDSHAKE) {
149 return error(s, EINVAL, "Invalid application record type");
152 return send_record_priv(s, type, data, len);
155 // Send a Key EXchange record, containing a random nonce and an ECDHE public key.
156 static bool send_kex(sptps_t *s) {
157 size_t keylen = ECDH_SIZE;
159 // Make room for our KEX message, which we will keep around since send_sig() needs it.
164 s->mykex = realloc(s->mykex, 1 + 32 + keylen);
167 return error(s, errno, strerror(errno));
170 // Set version byte to zero.
171 s->mykex[0] = SPTPS_VERSION;
173 // Create a random nonce.
174 randomize(s->mykex + 1, 32);
176 // Create a new ECDH public key.
177 if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32))) {
178 return error(s, EINVAL, "Failed to generate ECDH public key");
181 return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
184 // Send a SIGnature record, containing an Ed25519 signature over both KEX records.
185 static bool send_sig(sptps_t *s) {
186 size_t keylen = ECDH_SIZE;
187 size_t siglen = ecdsa_size(s->mykey);
189 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
190 const size_t msglen = (1 + 32 + keylen) * 2 + 1 + s->labellen;
191 uint8_t *msg = alloca(msglen);
192 uint8_t *sig = alloca(siglen);
194 msg[0] = s->initiator;
195 memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
196 memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
197 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
200 if(!ecdsa_sign(s->mykey, msg, msglen, sig)) {
201 return error(s, EINVAL, "Failed to sign SIG record");
204 // Send the SIG exchange record.
205 return send_record_priv(s, SPTPS_HANDSHAKE, sig, siglen);
208 // Generate key material from the shared secret created from the ECDHE key exchange.
209 static bool generate_key_material(sptps_t *s, const uint8_t *shared, size_t len) {
210 // Initialise cipher and digest structures if necessary
212 s->incipher = chacha_poly1305_init();
213 s->outcipher = chacha_poly1305_init();
215 if(!s->incipher || !s->outcipher) {
216 return error(s, EINVAL, "Failed to open cipher");
220 // Allocate memory for key material
221 size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
223 s->key = realloc(s->key, keylen);
226 return error(s, errno, strerror(errno));
229 // Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
230 uint8_t *seed = alloca(s->labellen + 64 + 13);
231 memcpy(seed, "key expansion", 13);
234 memcpy(seed + 13, s->mykex + 1, 32);
235 memcpy(seed + 45, s->hiskex + 1, 32);
237 memcpy(seed + 13, s->hiskex + 1, 32);
238 memcpy(seed + 45, s->mykex + 1, 32);
241 memcpy(seed + 77, s->label, s->labellen);
243 // Use PRF to generate the key material
244 if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen)) {
245 return error(s, EINVAL, "Failed to generate key material");
251 // Send an ACKnowledgement record.
252 static bool send_ack(sptps_t *s) {
253 return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
256 // Receive an ACKnowledgement record.
257 static bool receive_ack(sptps_t *s, const uint8_t *data, uint16_t len) {
261 return error(s, EIO, "Invalid ACK record length");
265 if(!chacha_poly1305_set_key(s->incipher, s->key)) {
266 return error(s, EINVAL, "Failed to set counter");
269 if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN)) {
270 return error(s, EINVAL, "Failed to set counter");
281 // Receive a Key EXchange record, respond by sending a SIG record.
282 static bool receive_kex(sptps_t *s, const uint8_t *data, uint16_t len) {
283 // Verify length of the HELLO record
284 if(len != 1 + 32 + ECDH_SIZE) {
285 return error(s, EIO, "Invalid KEX record length");
288 // Ignore version number for now.
290 // Make a copy of the KEX message, send_sig() and receive_sig() need it
292 return error(s, EINVAL, "Received a second KEX message before first has been processed");
295 s->hiskex = realloc(s->hiskex, len);
298 return error(s, errno, strerror(errno));
301 memcpy(s->hiskex, data, len);
310 // Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
311 static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
312 size_t keylen = ECDH_SIZE;
313 size_t siglen = ecdsa_size(s->hiskey);
315 // Verify length of KEX record.
317 return error(s, EIO, "Invalid KEX record length");
320 // Concatenate both KEX messages, plus tag indicating if it is from the connection originator
321 const size_t msglen = (1 + 32 + keylen) * 2 + 1 + s->labellen;
322 uint8_t *msg = alloca(msglen);
324 msg[0] = !s->initiator;
325 memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
326 memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
327 memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
330 if(!ecdsa_verify(s->hiskey, msg, msglen, data)) {
331 return error(s, EIO, "Failed to verify SIG record");
334 // Compute shared secret.
335 uint8_t shared[ECDH_SHARED_SIZE];
337 if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) {
338 return error(s, EINVAL, "Failed to compute ECDH shared secret");
343 // Generate key material from shared secret.
344 if(!generate_key_material(s, shared, sizeof(shared))) {
348 if(!s->initiator && !send_sig(s)) {
358 // Send cipher change record
359 if(s->outstate && !send_ack(s)) {
363 // TODO: only set new keys after ACK has been set/received
365 if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) {
366 return error(s, EINVAL, "Failed to set key");
369 if(!chacha_poly1305_set_key(s->outcipher, s->key)) {
370 return error(s, EINVAL, "Failed to set key");
377 // Force another Key EXchange (for testing purposes).
378 bool sptps_force_kex(sptps_t *s) {
379 if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
380 return error(s, EINVAL, "Cannot force KEX in current state");
383 s->state = SPTPS_KEX;
387 // Receive a handshake record.
388 static bool receive_handshake(sptps_t *s, const uint8_t *data, uint16_t len) {
389 // Only a few states to deal with handshaking.
391 case SPTPS_SECONDARY_KEX:
393 // We receive a secondary KEX request, first respond by sending our own.
401 // We have sent our KEX request, we expect our peer to sent one as well.
402 if(!receive_kex(s, data, len)) {
406 s->state = SPTPS_SIG;
411 // If we already sent our secondary public ECDH key, we expect the peer to send his.
412 if(!receive_sig(s, data, len)) {
417 s->state = SPTPS_ACK;
421 if(!receive_ack(s, NULL, 0)) {
425 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
426 s->state = SPTPS_SECONDARY_KEX;
433 // We expect a handshake message to indicate transition to the new keys.
434 if(!receive_ack(s, data, len)) {
438 s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
439 s->state = SPTPS_SECONDARY_KEX;
442 // TODO: split ACK into a VERify and ACK?
444 return error(s, EIO, "Invalid session state %d", s->state);
448 static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
449 // Replay protection using a sliding window of configurable size.
450 // s->inseqno is expected sequence number
451 // seqno is received sequence number
452 // s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
453 // The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
455 if(seqno != s->inseqno) {
456 if(seqno >= s->inseqno + s->replaywin * 8) {
457 // Prevent packets that jump far ahead of the queue from causing many others to be dropped.
458 bool farfuture = s->farfuture < s->replaywin >> 2;
465 return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
468 // Unless we have seen lots of them, in which case we consider the others lost.
470 warning(s, "Lost %d packets\n", seqno - s->inseqno);
474 // Mark all packets in the replay window as being late.
475 memset(s->late, 255, s->replaywin);
477 } else if(seqno < s->inseqno) {
478 // If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
479 if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
480 return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
482 } else if(update_state) {
483 // We missed some packets. Mark them in the bitmap as being late.
484 for(uint32_t i = s->inseqno; i < seqno; i++) {
485 s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
491 // Mark the current packet as not being late.
492 s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
498 if(seqno >= s->inseqno) {
499 s->inseqno = seqno + 1;
512 // Check datagram for valid HMAC
513 bool sptps_verify_datagram(sptps_t *s, const void *vdata, size_t len) {
514 if(!s->instate || len < 21) {
515 return error(s, EIO, "Received short packet");
518 const uint8_t *data = vdata;
520 memcpy(&seqno, data, 4);
521 seqno = ntohl(seqno);
523 if(!sptps_check_seqno(s, seqno, false)) {
527 uint8_t *buffer = alloca(len);
529 return chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen);
532 // Receive incoming data, datagram version.
533 static bool sptps_receive_data_datagram(sptps_t *s, const uint8_t *data, size_t len) {
534 if(len < (s->instate ? 21 : 5)) {
535 return error(s, EIO, "Received short packet");
539 memcpy(&seqno, data, 4);
540 seqno = ntohl(seqno);
545 if(seqno != s->inseqno) {
546 return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
549 s->inseqno = seqno + 1;
551 uint8_t type = *(data++);
554 if(type != SPTPS_HANDSHAKE) {
555 return error(s, EIO, "Application record received before handshake finished");
558 return receive_handshake(s, data, len);
563 uint8_t *buffer = alloca(len);
566 if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen)) {
567 return error(s, EIO, "Failed to decrypt and verify packet");
570 if(!sptps_check_seqno(s, seqno, true)) {
574 // Append a NULL byte for safety.
580 uint8_t type = *(data++);
583 if(type < SPTPS_HANDSHAKE) {
585 return error(s, EIO, "Application record received before handshake finished");
588 if(!s->receive_record(s->handle, type, data, len)) {
591 } else if(type == SPTPS_HANDSHAKE) {
592 if(!receive_handshake(s, data, len)) {
596 return error(s, EIO, "Invalid record type %d", type);
602 // Receive incoming data. Check if it contains a complete record, if so, handle it.
603 size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
604 const uint8_t *data = vdata;
605 size_t total_read = 0;
608 return error(s, EIO, "Invalid session state zero");
612 return sptps_receive_data_datagram(s, data, len) ? len : false;
615 // First read the 2 length bytes.
617 size_t toread = 2 - s->buflen;
623 memcpy(s->inbuf + s->buflen, data, toread);
625 total_read += toread;
630 // Exit early if we don't have the full length.
635 // Get the length bytes
637 memcpy(&s->reclen, s->inbuf, 2);
638 s->reclen = ntohs(s->reclen);
640 // If we have the length bytes, ensure our buffer can hold the whole request.
641 s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
644 return error(s, errno, strerror(errno));
647 // Exit early if we have no more data to process.
653 // Read up to the end of the record.
654 size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
660 memcpy(s->inbuf + s->buflen, data, toread);
661 total_read += toread;
664 // If we don't have a whole record, exit.
665 if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
669 // Update sequence number.
671 uint32_t seqno = s->inseqno++;
673 // Check HMAC and decrypt.
675 if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
676 return error(s, EINVAL, "Failed to decrypt and verify record");
680 // Append a NULL byte for safety.
681 s->inbuf[s->reclen + 3UL] = 0;
683 uint8_t type = s->inbuf[2];
685 if(type < SPTPS_HANDSHAKE) {
687 return error(s, EIO, "Application record received before handshake finished");
690 if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
693 } else if(type == SPTPS_HANDSHAKE) {
694 if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
698 return error(s, EIO, "Invalid record type %d", type);
706 // Start a SPTPS session.
707 bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
708 // Initialise struct sptps
709 memset(s, 0, sizeof(*s));
712 s->initiator = initiator;
713 s->datagram = datagram;
716 s->replaywin = sptps_replaywin;
719 s->late = malloc(s->replaywin);
722 return error(s, errno, strerror(errno));
725 memset(s->late, 0, s->replaywin);
728 s->label = malloc(labellen);
731 return error(s, errno, strerror(errno));
735 s->inbuf = malloc(7);
738 return error(s, errno, strerror(errno));
744 memcpy(s->label, label, labellen);
745 s->labellen = labellen;
747 s->send_data = send_data;
748 s->receive_record = receive_record;
750 // Do first KEX immediately
751 s->state = SPTPS_KEX;
755 // Stop a SPTPS session.
756 bool sptps_stop(sptps_t *s) {
757 // Clean up any resources.
758 chacha_poly1305_exit(s->incipher);
759 chacha_poly1305_exit(s->outcipher);
767 memset(s, 0, sizeof(*s));