/*
sptps.c -- Simple Peer-to-Peer Security
- Copyright (C) 2011-2013 Guus Sliepen <guus@tinc-vpn.org>,
+ Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
2010 Brandon L. Black <blblack@gmail.com>
This program is free software; you can redistribute it and/or modify
#include "system.h"
-#include "cipher.h"
-#include "crypto.h"
-#include "digest.h"
+#include "chacha-poly1305/chacha-poly1305.h"
#include "ecdh.h"
#include "ecdsa.h"
-#include "logger.h"
#include "prf.h"
#include "sptps.h"
+#include "random.h"
+#include "xalloc.h"
unsigned int sptps_replaywin = 16;
Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
- HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of ECDSA over the whole ECDHE exchange?)
+ HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
Explicit close message needs to be added.
*/
void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
+ (void)s;
+ (void)s_errno;
+ (void)format;
+ (void)ap;
}
void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
+ (void)s;
+ (void)s_errno;
+
vfprintf(stderr, format, ap);
fputc('\n', stderr);
}
void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
// Log an error message.
+static bool error(sptps_t *s, int s_errno, const char *format, ...) ATTR_FORMAT(printf, 3, 4);
static bool error(sptps_t *s, int s_errno, const char *format, ...) {
+ (void)s;
+ (void)s_errno;
+
if(format) {
va_list ap;
va_start(ap, format);
return false;
}
+static void warning(sptps_t *s, const char *format, ...) ATTR_FORMAT(printf, 2, 3);
static void warning(sptps_t *s, const char *format, ...) {
va_list ap;
va_start(ap, format);
va_end(ap);
}
-// Send a record (datagram version, accepts all record types, handles encryption and authentication).
-static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
- char buffer[len + 23UL];
+static sptps_kex_t *new_sptps_kex(void) {
+ return xzalloc(sizeof(sptps_kex_t));
+}
- // Create header with sequence number, length and record type
- uint32_t seqno = htonl(s->outseqno++);
- uint16_t netlen = htons(len);
+static void free_sptps_kex(sptps_kex_t *kex) {
+ xzfree(kex, sizeof(sptps_kex_t));
+}
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, &seqno, 4);
- buffer[6] = type;
+static sptps_key_t *new_sptps_key(void) {
+ return xzalloc(sizeof(sptps_key_t));
+}
- // Add plaintext (TODO: avoid unnecessary copy)
- memcpy(buffer + 7, data, len);
+static void free_sptps_key(sptps_key_t *key) {
+ xzfree(key, sizeof(sptps_key_t));
+}
- if(s->outstate) {
- // If first handshake has finished, encrypt and HMAC
- if(!cipher_set_counter(s->outcipher, &seqno, sizeof seqno))
- return false;
+// Send a record (datagram version, accepts all record types, handles encryption and authentication).
+static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
+ uint8_t *buffer = alloca(len + 21UL);
- if(!cipher_counter_xor(s->outcipher, buffer + 6, len + 1UL, buffer + 6))
- return false;
+ // Create header with sequence number, length and record type
+ uint32_t seqno = s->outseqno++;
+ uint32_t netseqno = ntohl(seqno);
- if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
- return false;
+ memcpy(buffer, &netseqno, 4);
+ buffer[4] = type;
+ memcpy(buffer + 5, data, len);
- return s->send_data(s->handle, type, buffer + 2, len + 21UL);
+ if(s->outstate) {
+ // If first handshake has finished, encrypt and HMAC
+ chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
+ return s->send_data(s->handle, type, buffer, len + 21UL);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer + 2, len + 5UL);
+ return s->send_data(s->handle, type, buffer, len + 5UL);
}
}
// Send a record (private version, accepts all record types, handles encryption and authentication).
-static bool send_record_priv(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
- if(s->datagram)
+static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
+ if(s->datagram) {
return send_record_priv_datagram(s, type, data, len);
+ }
- char buffer[len + 23UL];
+ uint8_t *buffer = alloca(len + 19UL);
// Create header with sequence number, length and record type
- uint32_t seqno = htonl(s->outseqno++);
+ uint32_t seqno = s->outseqno++;
uint16_t netlen = htons(len);
- memcpy(buffer, &seqno, 4);
- memcpy(buffer + 4, &netlen, 2);
- buffer[6] = type;
-
- // Add plaintext (TODO: avoid unnecessary copy)
- memcpy(buffer + 7, data, len);
+ memcpy(buffer, &netlen, 2);
+ buffer[2] = type;
+ memcpy(buffer + 3, data, len);
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
- if(!cipher_counter_xor(s->outcipher, buffer + 4, len + 3UL, buffer + 4))
- return false;
-
- if(!digest_create(s->outdigest, buffer, len + 7UL, buffer + 7UL + len))
- return false;
-
- return s->send_data(s->handle, type, buffer + 4, len + 19UL);
+ chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
+ return s->send_data(s->handle, type, buffer, len + 19UL);
} else {
// Otherwise send as plaintext
- return s->send_data(s->handle, type, buffer + 4, len + 3UL);
+ return s->send_data(s->handle, type, buffer, len + 3UL);
}
}
// Send an application record.
-bool sptps_send_record(sptps_t *s, uint8_t type, const char *data, uint16_t len) {
+bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
// Sanity checks: application cannot send data before handshake is finished,
// and only record types 0..127 are allowed.
- if(!s->outstate)
+ if(!s->outstate) {
return error(s, EINVAL, "Handshake phase not finished yet");
+ }
- if(type >= SPTPS_HANDSHAKE)
+ if(type >= SPTPS_HANDSHAKE) {
return error(s, EINVAL, "Invalid application record type");
+ }
return send_record_priv(s, type, data, len);
}
// Send a Key EXchange record, containing a random nonce and an ECDHE public key.
static bool send_kex(sptps_t *s) {
- size_t keylen = ECDH_SIZE;
-
// Make room for our KEX message, which we will keep around since send_sig() needs it.
- if(s->mykex)
- abort();
- s->mykex = realloc(s->mykex, 1 + 32 + keylen);
- if(!s->mykex)
- return error(s, errno, strerror(errno));
+ if(s->mykex) {
+ return false;
+ }
+
+ s->mykex = new_sptps_kex();
// Set version byte to zero.
- s->mykex[0] = SPTPS_VERSION;
+ s->mykex->version = SPTPS_VERSION;
// Create a random nonce.
- randomize(s->mykex + 1, 32);
+ randomize(s->mykex->nonce, ECDH_SIZE);
// Create a new ECDH public key.
- if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
- return false;
+ if(!(s->ecdh = ecdh_generate_public(s->mykex->pubkey))) {
+ return error(s, EINVAL, "Failed to generate ECDH public key");
+ }
- return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
+ return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, sizeof(sptps_kex_t));
}
-// Send a SIGnature record, containing an ECDSA signature over both KEX records.
-static bool send_sig(sptps_t *s) {
- size_t keylen = ECDH_SIZE;
- size_t siglen = ecdsa_size(s->mykey);
+static size_t sigmsg_len(size_t labellen) {
+ return 1 + 2 * sizeof(sptps_kex_t) + labellen;
+}
- // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
- char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
- char sig[siglen];
+static void fill_msg(uint8_t *msg, bool initiator, const sptps_kex_t *kex0, const sptps_kex_t *kex1, const sptps_t *s) {
+ *msg = initiator, msg++;
+ memcpy(msg, kex0, sizeof(*kex0)), msg += sizeof(*kex0);
+ memcpy(msg, kex1, sizeof(*kex1)), msg += sizeof(*kex1);
+ memcpy(msg, s->label, s->labellen);
+}
- msg[0] = s->initiator;
- memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
- memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
- memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
+// Send a SIGnature record, containing an Ed25519 signature over both KEX records.
+static bool send_sig(sptps_t *s) {
+ // Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
+ size_t msglen = sigmsg_len(s->labellen);
+ uint8_t *msg = alloca(msglen);
+ fill_msg(msg, s->initiator, s->mykex, s->hiskex, s);
// Sign the result.
- if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
- return false;
+ size_t siglen = ecdsa_size(s->mykey);
+ uint8_t *sig = alloca(siglen);
+
+ if(!ecdsa_sign(s->mykey, msg, msglen, sig)) {
+ return error(s, EINVAL, "Failed to sign SIG record");
+ }
// Send the SIG exchange record.
- return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
+ return send_record_priv(s, SPTPS_HANDSHAKE, sig, siglen);
}
// Generate key material from the shared secret created from the ECDHE key exchange.
-static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
+static bool generate_key_material(sptps_t *s, const uint8_t *shared, size_t len) {
// Initialise cipher and digest structures if necessary
if(!s->outstate) {
- s->incipher = cipher_open_by_name("aes-256-ecb");
- s->outcipher = cipher_open_by_name("aes-256-ecb");
- s->indigest = digest_open_by_name("sha256", 16);
- s->outdigest = digest_open_by_name("sha256", 16);
- if(!s->incipher || !s->outcipher || !s->indigest || !s->outdigest)
- return false;
+ s->incipher = chacha_poly1305_init();
+ s->outcipher = chacha_poly1305_init();
+
+ if(!s->incipher || !s->outcipher) {
+ return error(s, EINVAL, "Failed to open cipher");
+ }
}
// Allocate memory for key material
- size_t keylen = digest_keylength(s->indigest) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher) + cipher_keylength(s->outcipher);
-
- s->key = realloc(s->key, keylen);
- if(!s->key)
- return error(s, errno, strerror(errno));
+ s->key = new_sptps_key();
// Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
- char seed[s->labellen + 64 + 13];
- strcpy(seed, "key expansion");
- if(s->initiator) {
- memcpy(seed + 13, s->mykex + 1, 32);
- memcpy(seed + 45, s->hiskex + 1, 32);
- } else {
- memcpy(seed + 13, s->hiskex + 1, 32);
- memcpy(seed + 45, s->mykex + 1, 32);
- }
- memcpy(seed + 77, s->label, s->labellen);
+ const size_t msglen = sizeof("key expansion") - 1;
+ const size_t seedlen = msglen + s->labellen + ECDH_SIZE * 2;
+ uint8_t *seed = alloca(seedlen);
+
+ uint8_t *ptr = seed;
+ memcpy(ptr, "key expansion", msglen);
+ ptr += msglen;
+
+ memcpy(ptr, (s->initiator ? s->mykex : s->hiskex)->nonce, ECDH_SIZE);
+ ptr += ECDH_SIZE;
+
+ memcpy(ptr, (s->initiator ? s->hiskex : s->mykex)->nonce, ECDH_SIZE);
+ ptr += ECDH_SIZE;
+
+ memcpy(ptr, s->label, s->labellen);
// Use PRF to generate the key material
- if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
- return false;
+ if(!prf(shared, len, seed, seedlen, s->key->both, sizeof(sptps_key_t))) {
+ return error(s, EINVAL, "Failed to generate key material");
+ }
return true;
}
}
// Receive an ACKnowledgement record.
-static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
- if(len)
+static bool receive_ack(sptps_t *s, const uint8_t *data, uint16_t len) {
+ (void)data;
+
+ if(len) {
return error(s, EIO, "Invalid ACK record length");
+ }
- if(s->initiator) {
- bool result
- = cipher_set_counter_key(s->incipher, s->key)
- && digest_set_key(s->indigest, s->key + cipher_keylength(s->incipher), digest_keylength(s->indigest));
- if(!result)
- return false;
- } else {
- bool result
- = cipher_set_counter_key(s->incipher, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest))
- && digest_set_key(s->indigest, s->key + cipher_keylength(s->outcipher) + digest_keylength(s->outdigest) + cipher_keylength(s->incipher), digest_keylength(s->indigest));
- if(!result)
- return false;
+ uint8_t *key = s->initiator ? s->key->key0 : s->key->key1;
+
+ if(!chacha_poly1305_set_key(s->incipher, key)) {
+ return error(s, EINVAL, "Failed to set counter");
}
- free(s->key);
+ free_sptps_key(s->key);
s->key = NULL;
s->instate = true;
}
// Receive a Key EXchange record, respond by sending a SIG record.
-static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
+static bool receive_kex(sptps_t *s, const uint8_t *data, uint16_t len) {
// Verify length of the HELLO record
- if(len != 1 + 32 + ECDH_SIZE)
+ if(len != sizeof(sptps_kex_t)) {
return error(s, EIO, "Invalid KEX record length");
+ }
- // Ignore version number for now.
+ if(*data != SPTPS_VERSION) {
+ return error(s, EINVAL, "Received incorrect version %d", *data);
+ }
// Make a copy of the KEX message, send_sig() and receive_sig() need it
- if(s->hiskex)
- abort();
- s->hiskex = realloc(s->hiskex, len);
- if(!s->hiskex)
- return error(s, errno, strerror(errno));
+ if(s->hiskex) {
+ return error(s, EINVAL, "Received a second KEX message before first has been processed");
+ }
- memcpy(s->hiskex, data, len);
+ s->hiskex = new_sptps_kex();
+ memcpy(s->hiskex, data, sizeof(sptps_kex_t));
- return send_sig(s);
+ if(s->initiator) {
+ return send_sig(s);
+ } else {
+ return true;
+ }
}
// Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
-static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
- size_t keylen = ECDH_SIZE;
- size_t siglen = ecdsa_size(s->hiskey);
-
+static bool receive_sig(sptps_t *s, const uint8_t *data, uint16_t len) {
// Verify length of KEX record.
- if(len != siglen)
+ if(len != ecdsa_size(s->hiskey)) {
return error(s, EIO, "Invalid KEX record length");
+ }
// Concatenate both KEX messages, plus tag indicating if it is from the connection originator
- char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
-
- msg[0] = !s->initiator;
- memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
- memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
- memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
+ const size_t msglen = sigmsg_len(s->labellen);
+ uint8_t *msg = alloca(msglen);
+ fill_msg(msg, !s->initiator, s->hiskex, s->mykex, s);
// Verify signature.
- if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
- return false;
+ if(!ecdsa_verify(s->hiskey, msg, msglen, data)) {
+ return error(s, EIO, "Failed to verify SIG record");
+ }
// Compute shared secret.
- char shared[ECDH_SHARED_SIZE];
- if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
- return false;
+ uint8_t shared[ECDH_SHARED_SIZE];
+
+ if(!ecdh_compute_shared(s->ecdh, s->hiskex->pubkey, shared)) {
+ memzero(shared, sizeof(shared));
+ return error(s, EINVAL, "Failed to compute ECDH shared secret");
+ }
+
s->ecdh = NULL;
// Generate key material from shared secret.
- if(!generate_key_material(s, shared, sizeof shared))
+ bool generated = generate_key_material(s, shared, sizeof(shared));
+ memzero(shared, sizeof(shared));
+
+ if(!generated) {
return false;
+ }
- free(s->mykex);
- free(s->hiskex);
+ if(!s->initiator && !send_sig(s)) {
+ return false;
+ }
+ free_sptps_kex(s->mykex);
s->mykex = NULL;
+
+ free_sptps_kex(s->hiskex);
s->hiskex = NULL;
// Send cipher change record
- if(s->outstate && !send_ack(s))
+ if(s->outstate && !send_ack(s)) {
return false;
+ }
// TODO: only set new keys after ACK has been set/received
- if(s->initiator) {
- bool result
- = cipher_set_counter_key(s->outcipher, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest))
- && digest_set_key(s->outdigest, s->key + cipher_keylength(s->incipher) + digest_keylength(s->indigest) + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
- if(!result)
- return false;
- } else {
- bool result
- = cipher_set_counter_key(s->outcipher, s->key)
- && digest_set_key(s->outdigest, s->key + cipher_keylength(s->outcipher), digest_keylength(s->outdigest));
- if(!result)
- return false;
+ uint8_t *key = s->initiator ? s->key->key1 : s->key->key0;
+
+ if(!chacha_poly1305_set_key(s->outcipher, key)) {
+ return error(s, EINVAL, "Failed to set key");
}
return true;
// Force another Key EXchange (for testing purposes).
bool sptps_force_kex(sptps_t *s) {
- if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
+ if(!s->outstate || s->state != SPTPS_SECONDARY_KEX) {
return error(s, EINVAL, "Cannot force KEX in current state");
+ }
s->state = SPTPS_KEX;
return send_kex(s);
}
// Receive a handshake record.
-static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
+static bool receive_handshake(sptps_t *s, const uint8_t *data, uint16_t len) {
// Only a few states to deal with handshaking.
switch(s->state) {
- case SPTPS_SECONDARY_KEX:
- // We receive a secondary KEX request, first respond by sending our own.
- if(!send_kex(s))
- return false;
- case SPTPS_KEX:
- // We have sent our KEX request, we expect our peer to sent one as well.
- if(!receive_kex(s, data, len))
- return false;
- s->state = SPTPS_SIG;
- return true;
- case SPTPS_SIG:
- // If we already sent our secondary public ECDH key, we expect the peer to send his.
- if(!receive_sig(s, data, len))
- return false;
- if(s->outstate)
- s->state = SPTPS_ACK;
- else {
- s->outstate = true;
- if(!receive_ack(s, NULL, 0))
- return false;
- s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
- s->state = SPTPS_SECONDARY_KEX;
- }
+ case SPTPS_SECONDARY_KEX:
- return true;
- case SPTPS_ACK:
- // We expect a handshake message to indicate transition to the new keys.
- if(!receive_ack(s, data, len))
- return false;
- s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
- s->state = SPTPS_SECONDARY_KEX;
- return true;
- // TODO: split ACK into a VERify and ACK?
- default:
- return error(s, EIO, "Invalid session state");
- }
-}
-
-// Check datagram for valid HMAC
-bool sptps_verify_datagram(sptps_t *s, const char *data, size_t len) {
- if(!s->instate || len < 21)
- return false;
+ // We receive a secondary KEX request, first respond by sending our own.
+ if(!send_kex(s)) {
+ return false;
+ }
- char buffer[len + 23];
- uint16_t netlen = htons(len - 21);
+ // Fall through
+ case SPTPS_KEX:
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, data, len);
-
- return digest_verify(s->indigest, buffer, len - 14, buffer + len - 14);
-}
+ // We have sent our KEX request, we expect our peer to sent one as well.
+ if(!receive_kex(s, data, len)) {
+ return false;
+ }
-// Receive incoming data, datagram version.
-static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
- if(len < (s->instate ? 21 : 5))
- return error(s, EIO, "Received short packet");
+ s->state = SPTPS_SIG;
+ return true;
- uint32_t seqno;
- memcpy(&seqno, data, 4);
- seqno = ntohl(seqno);
+ case SPTPS_SIG:
- if(!s->instate) {
- if(seqno != s->inseqno)
- return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
+ // If we already sent our secondary public ECDH key, we expect the peer to send his.
+ if(!receive_sig(s, data, len)) {
+ return false;
+ }
- s->inseqno = seqno + 1;
+ if(s->outstate) {
+ s->state = SPTPS_ACK;
+ } else {
+ s->outstate = true;
- uint8_t type = data[4];
+ if(!receive_ack(s, NULL, 0)) {
+ return false;
+ }
- if(type != SPTPS_HANDSHAKE)
- return error(s, EIO, "Application record received before handshake finished");
+ s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
+ s->state = SPTPS_SECONDARY_KEX;
+ }
- return receive_handshake(s, data + 5, len - 5);
- }
+ return true;
- // Check HMAC.
- uint16_t netlen = htons(len - 21);
+ case SPTPS_ACK:
- char buffer[len + 23];
+ // We expect a handshake message to indicate transition to the new keys.
+ if(!receive_ack(s, data, len)) {
+ return false;
+ }
- memcpy(buffer, &netlen, 2);
- memcpy(buffer + 2, data, len);
+ s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
+ s->state = SPTPS_SECONDARY_KEX;
+ return true;
- if(!digest_verify(s->indigest, buffer, len - 14, buffer + len - 14))
- return error(s, EIO, "Invalid HMAC");
+ // TODO: split ACK into a VERify and ACK?
+ default:
+ return error(s, EIO, "Invalid session state %d", s->state);
+ }
+}
+static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
// Replay protection using a sliding window of configurable size.
// s->inseqno is expected sequence number
// seqno is received sequence number
if(seqno != s->inseqno) {
if(seqno >= s->inseqno + s->replaywin * 8) {
// Prevent packets that jump far ahead of the queue from causing many others to be dropped.
- if(s->farfuture++ < s->replaywin >> 2)
- return error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture);
+ bool farfuture = s->farfuture < s->replaywin >> 2;
+
+ if(update_state) {
+ s->farfuture++;
+ }
+
+ if(farfuture) {
+ return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
+ }
// Unless we have seen lots of them, in which case we consider the others lost.
- warning(s, "Lost %d packets\n", seqno - s->inseqno);
- memset(s->late, 0, s->replaywin);
- } else if (seqno < s->inseqno) {
+ if(update_state) {
+ warning(s, "Lost %d packets\n", seqno - s->inseqno);
+ }
+
+ if(update_state) {
+ // Mark all packets in the replay window as being late.
+ memset(s->late, 255, s->replaywin);
+ }
+ } else if(seqno < s->inseqno) {
// If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
- if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
- return error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno);
- } else {
+ if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8))) {
+ return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
+ }
+ } else if(update_state) {
// We missed some packets. Mark them in the bitmap as being late.
- for(int i = s->inseqno; i < seqno; i++)
+ for(uint32_t i = s->inseqno; i < seqno; i++) {
s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
+ }
}
}
- // Mark the current packet as not being late.
- s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
- s->farfuture = 0;
+ if(update_state) {
+ // Mark the current packet as not being late.
+ s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
+ s->farfuture = 0;
+ }
}
- if(seqno > s->inseqno)
- s->inseqno = seqno + 1;
+ if(update_state) {
+ if(seqno >= s->inseqno) {
+ s->inseqno = seqno + 1;
+ }
- if(!s->inseqno)
- s->received = 0;
- else
- s->received++;
+ if(!s->inseqno) {
+ s->received = 0;
+ } else {
+ s->received++;
+ }
+ }
- // Decrypt.
- memcpy(&seqno, buffer + 2, 4);
- if(!cipher_set_counter(s->incipher, &seqno, sizeof seqno))
+ return true;
+}
+
+// Check datagram for valid HMAC
+bool sptps_verify_datagram(sptps_t *s, const void *vdata, size_t len) {
+ if(!s->instate || len < 21) {
+ return error(s, EIO, "Received short packet");
+ }
+
+ const uint8_t *data = vdata;
+ uint32_t seqno;
+ memcpy(&seqno, data, 4);
+ seqno = ntohl(seqno);
+
+ if(!sptps_check_seqno(s, seqno, false)) {
return false;
- if(!cipher_counter_xor(s->incipher, buffer + 6, len - 4, buffer + 6))
+ }
+
+ uint8_t *buffer = alloca(len);
+ size_t outlen;
+ return chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen);
+}
+
+// Receive incoming data, datagram version.
+static bool sptps_receive_data_datagram(sptps_t *s, const uint8_t *data, size_t len) {
+ if(len < (s->instate ? 21 : 5)) {
+ return error(s, EIO, "Received short packet");
+ }
+
+ uint32_t seqno;
+ memcpy(&seqno, data, 4);
+ seqno = ntohl(seqno);
+ data += 4;
+ len -= 4;
+
+ if(!s->instate) {
+ if(seqno != s->inseqno) {
+ return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
+ }
+
+ s->inseqno = seqno + 1;
+
+ uint8_t type = *(data++);
+ len--;
+
+ if(type != SPTPS_HANDSHAKE) {
+ return error(s, EIO, "Application record received before handshake finished");
+ }
+
+ return receive_handshake(s, data, len);
+ }
+
+ // Decrypt
+
+ uint8_t *buffer = alloca(len);
+ size_t outlen;
+
+ if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen)) {
+ return error(s, EIO, "Failed to decrypt and verify packet");
+ }
+
+ if(!sptps_check_seqno(s, seqno, true)) {
return false;
+ }
// Append a NULL byte for safety.
- buffer[len - 14] = 0;
+ buffer[outlen] = 0;
+
+ data = buffer;
+ len = outlen;
- uint8_t type = buffer[6];
+ uint8_t type = *(data++);
+ len--;
if(type < SPTPS_HANDSHAKE) {
- if(!s->instate)
+ if(!s->instate) {
return error(s, EIO, "Application record received before handshake finished");
- if(!s->receive_record(s->handle, type, buffer + 7, len - 21))
+ }
+
+ if(!s->receive_record(s->handle, type, data, len)) {
return false;
+ }
} else if(type == SPTPS_HANDSHAKE) {
- if(!receive_handshake(s, buffer + 7, len - 21))
+ if(!receive_handshake(s, data, len)) {
return false;
+ }
} else {
- return error(s, EIO, "Invalid record type");
+ return error(s, EIO, "Invalid record type %d", type);
}
return true;
}
// Receive incoming data. Check if it contains a complete record, if so, handle it.
-bool sptps_receive_data(sptps_t *s, const char *data, size_t len) {
- if(!s->state)
- return error(s, EIO, "Invalid session state");
+size_t sptps_receive_data(sptps_t *s, const void *vdata, size_t len) {
+ const uint8_t *data = vdata;
+ size_t total_read = 0;
- if(s->datagram)
- return sptps_receive_data_datagram(s, data, len);
+ if(!s->state) {
+ return error(s, EIO, "Invalid session state zero");
+ }
- while(len) {
- // First read the 2 length bytes.
- if(s->buflen < 6) {
- size_t toread = 6 - s->buflen;
- if(toread > len)
- toread = len;
+ if(s->datagram) {
+ return sptps_receive_data_datagram(s, data, len) ? len : false;
+ }
- memcpy(s->inbuf + s->buflen, data, toread);
+ // First read the 2 length bytes.
+ if(s->buflen < 2) {
+ size_t toread = 2 - s->buflen;
- s->buflen += toread;
- len -= toread;
- data += toread;
+ if(toread > len) {
+ toread = len;
+ }
- // Exit early if we don't have the full length.
- if(s->buflen < 6)
- return true;
+ memcpy(s->inbuf + s->buflen, data, toread);
- // Decrypt the length bytes
+ total_read += toread;
+ s->buflen += toread;
+ len -= toread;
+ data += toread;
- if(s->instate) {
- if(!cipher_counter_xor(s->incipher, s->inbuf + 4, 2, &s->reclen))
- return false;
- } else {
- memcpy(&s->reclen, s->inbuf + 4, 2);
- }
+ // Exit early if we don't have the full length.
+ if(s->buflen < 2) {
+ return total_read;
+ }
- s->reclen = ntohs(s->reclen);
+ // Get the length bytes
- // If we have the length bytes, ensure our buffer can hold the whole request.
- s->inbuf = realloc(s->inbuf, s->reclen + 23UL);
- if(!s->inbuf)
- return error(s, errno, strerror(errno));
+ memcpy(&s->reclen, s->inbuf, 2);
+ s->reclen = ntohs(s->reclen);
- // Add sequence number.
- uint32_t seqno = htonl(s->inseqno++);
- memcpy(s->inbuf, &seqno, 4);
+ // If we have the length bytes, ensure our buffer can hold the whole request.
+ s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
- // Exit early if we have no more data to process.
- if(!len)
- return true;
+ if(!s->inbuf) {
+ return error(s, errno, "%s", strerror(errno));
}
- // Read up to the end of the record.
- size_t toread = s->reclen + (s->instate ? 23UL : 7UL) - s->buflen;
- if(toread > len)
- toread = len;
+ // Exit early if we have no more data to process.
+ if(!len) {
+ return total_read;
+ }
+ }
- memcpy(s->inbuf + s->buflen, data, toread);
- s->buflen += toread;
- len -= toread;
- data += toread;
+ // Read up to the end of the record.
+ size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
- // If we don't have a whole record, exit.
- if(s->buflen < s->reclen + (s->instate ? 23UL : 7UL))
- return true;
+ if(toread > len) {
+ toread = len;
+ }
- // Check HMAC and decrypt.
- if(s->instate) {
- if(!digest_verify(s->indigest, s->inbuf, s->reclen + 7UL, s->inbuf + s->reclen + 7UL))
- return error(s, EIO, "Invalid HMAC");
+ memcpy(s->inbuf + s->buflen, data, toread);
+ total_read += toread;
+ s->buflen += toread;
- if(!cipher_counter_xor(s->incipher, s->inbuf + 6UL, s->reclen + 1UL, s->inbuf + 6UL))
- return false;
+ // If we don't have a whole record, exit.
+ if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL)) {
+ return total_read;
+ }
+
+ // Update sequence number.
+
+ uint32_t seqno = s->inseqno++;
+
+ // Check HMAC and decrypt.
+ if(s->instate) {
+ if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL)) {
+ return error(s, EINVAL, "Failed to decrypt and verify record");
}
+ }
- // Append a NULL byte for safety.
- s->inbuf[s->reclen + 7UL] = 0;
+ // Append a NULL byte for safety.
+ s->inbuf[s->reclen + 3UL] = 0;
- uint8_t type = s->inbuf[6];
+ uint8_t type = s->inbuf[2];
- if(type < SPTPS_HANDSHAKE) {
- if(!s->instate)
- return error(s, EIO, "Application record received before handshake finished");
- if(!s->receive_record(s->handle, type, s->inbuf + 7, s->reclen))
- return false;
- } else if(type == SPTPS_HANDSHAKE) {
- if(!receive_handshake(s, s->inbuf + 7, s->reclen))
- return false;
- } else {
- return error(s, EIO, "Invalid record type");
+ if(type < SPTPS_HANDSHAKE) {
+ if(!s->instate) {
+ return error(s, EIO, "Application record received before handshake finished");
}
- s->buflen = 4;
+ if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen)) {
+ return false;
+ }
+ } else if(type == SPTPS_HANDSHAKE) {
+ if(!receive_handshake(s, s->inbuf + 3, s->reclen)) {
+ return false;
+ }
+ } else {
+ return error(s, EIO, "Invalid record type %d", type);
}
- return true;
+ s->buflen = 0;
+
+ return total_read;
}
// Start a SPTPS session.
-bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const char *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
+bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
// Initialise struct sptps
- memset(s, 0, sizeof *s);
+ memset(s, 0, sizeof(*s));
s->handle = handle;
s->initiator = initiator;
s->mykey = mykey;
s->hiskey = hiskey;
s->replaywin = sptps_replaywin;
+
if(s->replaywin) {
s->late = malloc(s->replaywin);
- if(!s->late)
- return error(s, errno, strerror(errno));
+
+ if(!s->late) {
+ return error(s, errno, "%s", strerror(errno));
+ }
+
+ memset(s->late, 0, s->replaywin);
}
s->label = malloc(labellen);
- if(!s->label)
- return error(s, errno, strerror(errno));
+
+ if(!s->label) {
+ return error(s, errno, "%s", strerror(errno));
+ }
if(!datagram) {
s->inbuf = malloc(7);
- if(!s->inbuf)
- return error(s, errno, strerror(errno));
- s->buflen = 4;
- memset(s->inbuf, 0, 4);
+
+ if(!s->inbuf) {
+ return error(s, errno, "%s", strerror(errno));
+ }
+
+ s->buflen = 0;
}
memcpy(s->label, label, labellen);
// Stop a SPTPS session.
bool sptps_stop(sptps_t *s) {
// Clean up any resources.
- cipher_close(s->incipher);
- cipher_close(s->outcipher);
- digest_close(s->indigest);
- digest_close(s->outdigest);
+ chacha_poly1305_exit(s->incipher);
+ chacha_poly1305_exit(s->outcipher);
ecdh_free(s->ecdh);
free(s->inbuf);
- free(s->mykex);
- free(s->hiskex);
- free(s->key);
+ free_sptps_kex(s->mykex);
+ free_sptps_kex(s->hiskex);
+ free_sptps_key(s->key);
free(s->label);
free(s->late);
- memset(s, 0, sizeof *s);
+ memset(s, 0, sizeof(*s));
return true;
}
projects / tinc / blobdiff