j3d1/tinc
1
0
Fork 0
Code Issues 1 Pull requests Releases Wiki Activity
tinc/src/sptps.c

644 lines
19 KiB
C
Raw Normal View History

Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
/*
sptps.c -- Simple Peer-to-Peer Security
Don't log seqno failures in sptps_verify_datagram(). This function is not used for normal traffic, only when a packet from an unknown source is received and we need to check against candidates. No failures should be logger in this case; if the packet is really not valid this will be logged by handle_incoming_vpn_data().
2015-05-19 19:32:30 +00:00
Copyright (C) 2011-2015 Guus Sliepen <guus@tinc-vpn.org>,
Add Brandon Black's replay window code to SPTPS.
2012-07-31 18:39:15 +00:00
2010 Brandon L. Black <blblack@gmail.com>
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
#include "system.h"
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
#include "chacha-poly1305/chacha-poly1305.h"
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
#include "crypto.h"
#include "ecdh.h"
#include "ecdsa.h"
Log more messages using logger().
2012-10-14 13:37:24 +00:00
#include "logger.h"
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
#include "prf.h"
#include "sptps.h"
Add Brandon Black's replay window code to SPTPS.
2012-07-31 18:39:15 +00:00
unsigned int sptps_replaywin = 16;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
/*
Nonce MUST be exchanged first (done)
Signatures MUST be done over both nonces, to guarantee the signature is fresh
Otherwise: if ECDHE key of one side is compromised, it can be reused!
Add explicit tag to beginning of structure to distinguish the client and server when signing. (done)
Sign all handshake messages up to ECDHE kex with long-term public keys. (done)
Rename ECDSA to Ed25519.
2014-05-18 18:47:04 +00:00
HMACed KEX finished message to prevent downgrade attacks and prove you have the right key material (done by virtue of Ed25519 over the whole ECDHE exchange?)
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
Explicit close message needs to be added.
Maybe do add some alert messages to give helpful error messages? Not more than TLS sends.
Use counter mode encryption.
2011-10-06 07:34:34 +00:00
Use counter mode instead of OFB. (done)
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
Make sure ECC operations are fixed time (aka prevent side-channel attacks).
*/
Log more messages using logger().
2012-10-14 13:37:24 +00:00
void sptps_log_quiet(sptps_t *s, int s_errno, const char *format, va_list ap) {
}
void sptps_log_stderr(sptps_t *s, int s_errno, const char *format, va_list ap) {
vfprintf(stderr, format, ap);
fputc('\n', stderr);
}
void (*sptps_log)(sptps_t *s, int s_errno, const char *format, va_list ap) = sptps_log_stderr;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Log an error message.
Log more messages using logger().
2012-10-14 13:37:24 +00:00
static bool error(sptps_t *s, int s_errno, const char *format, ...) {
if(format) {
va_list ap;
va_start(ap, format);
sptps_log(s, s_errno, format, ap);
va_end(ap);
}
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
errno = s_errno;
return false;
}
Log more messages using logger().
2012-10-14 13:37:24 +00:00
static void warning(sptps_t *s, const char *format, ...) {
va_list ap;
va_start(ap, format);
sptps_log(s, 0, format, ap);
va_end(ap);
}
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
// Send a record (datagram version, accepts all record types, handles encryption and authentication).
Use void pointers for opaque data blobs in the SPTPS code.
2014-12-24 21:15:40 +00:00
static bool send_record_priv_datagram(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
char buffer[len + 21UL];
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
// Create header with sequence number, length and record type
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
uint32_t seqno = s->outseqno++;
uint32_t netseqno = ntohl(seqno);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
memcpy(buffer, &netseqno, 4);
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
buffer[4] = type;
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
memcpy(buffer + 5, data, len);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(s->outstate) {
// If first handshake has finished, encrypt and HMAC
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 4, len + 1, buffer + 4, NULL);
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return s->send_data(s->handle, type, buffer, len + 21UL);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
} else {
// Otherwise send as plaintext
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return s->send_data(s->handle, type, buffer, len + 5UL);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
}
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Send a record (private version, accepts all record types, handles encryption and authentication).
Use void pointers for opaque data blobs in the SPTPS code.
2014-12-24 21:15:40 +00:00
static bool send_record_priv(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(s->datagram)
return send_record_priv_datagram(s, type, data, len);
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
char buffer[len + 19UL];
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Create header with sequence number, length and record type
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
uint32_t seqno = s->outseqno++;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
uint16_t netlen = htons(len);
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
memcpy(buffer, &netlen, 2);
buffer[2] = type;
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
memcpy(buffer + 3, data, len);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(s->outstate) {
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// If first handshake has finished, encrypt and HMAC
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
chacha_poly1305_encrypt(s->outcipher, seqno, buffer + 2, len + 1, buffer + 2, NULL);
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return s->send_data(s->handle, type, buffer, len + 19UL);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
} else {
// Otherwise send as plaintext
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return s->send_data(s->handle, type, buffer, len + 3UL);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Send an application record.
Use void pointers for opaque data blobs in the SPTPS code.
2014-12-24 21:15:40 +00:00
bool sptps_send_record(sptps_t *s, uint8_t type, const void *data, uint16_t len) {
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Sanity checks: application cannot send data before handshake is finished,
// and only record types 0..127 are allowed.
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(!s->outstate)
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return error(s, EINVAL, "Handshake phase not finished yet");
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(type >= SPTPS_HANDSHAKE)
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return error(s, EINVAL, "Invalid application record type");
return send_record_priv(s, type, data, len);
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Send a Key EXchange record, containing a random nonce and an ECDHE public key.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
static bool send_kex(sptps_t *s) {
size_t keylen = ECDH_SIZE;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Make room for our KEX message, which we will keep around since send_sig() needs it.
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(s->mykex)
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return false;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
s->mykex = realloc(s->mykex, 1 + 32 + keylen);
if(!s->mykex)
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return error(s, errno, strerror(errno));
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Set version byte to zero.
s->mykex[0] = SPTPS_VERSION;
// Create a random nonce.
randomize(s->mykex + 1, 32);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Create a new ECDH public key.
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
if(!(s->ecdh = ecdh_generate_public(s->mykex + 1 + 32)))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Failed to generate ECDH public key");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
return send_record_priv(s, SPTPS_HANDSHAKE, s->mykex, 1 + 32 + keylen);
}
Rename ECDSA to Ed25519.
2014-05-18 18:47:04 +00:00
// Send a SIGnature record, containing an Ed25519 signature over both KEX records.
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
static bool send_sig(sptps_t *s) {
size_t keylen = ECDH_SIZE;
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
size_t siglen = ecdsa_size(s->mykey);
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
Make sure the signature also covers the session label.
2012-03-18 20:24:46 +00:00
// Concatenate both KEX messages, plus tag indicating if it is from the connection originator, plus label
char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
char sig[siglen];
msg[0] = s->initiator;
memcpy(msg + 1, s->mykex, 1 + 32 + keylen);
Make sure the signature also covers the session label.
2012-03-18 20:24:46 +00:00
memcpy(msg + 1 + 33 + keylen, s->hiskex, 1 + 32 + keylen);
memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Sign the result.
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
if(!ecdsa_sign(s->mykey, msg, sizeof msg, sig))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Failed to sign SIG record");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Send the SIG exchange record.
return send_record_priv(s, SPTPS_HANDSHAKE, sig, sizeof sig);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Generate key material from the shared secret created from the ECDHE key exchange.
static bool generate_key_material(sptps_t *s, const char *shared, size_t len) {
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Initialise cipher and digest structures if necessary
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(!s->outstate) {
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
s->incipher = chacha_poly1305_init();
s->outcipher = chacha_poly1305_init();
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
if(!s->incipher || !s->outcipher)
return error(s, EINVAL, "Failed to open cipher");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
// Allocate memory for key material
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
size_t keylen = 2 * CHACHA_POLY1305_KEYLEN;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
s->key = realloc(s->key, keylen);
if(!s->key)
return error(s, errno, strerror(errno));
// Create the HMAC seed, which is "key expansion" + session label + server nonce + client nonce
char seed[s->labellen + 64 + 13];
strcpy(seed, "key expansion");
if(s->initiator) {
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
memcpy(seed + 13, s->mykex + 1, 32);
memcpy(seed + 45, s->hiskex + 1, 32);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
} else {
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
memcpy(seed + 13, s->hiskex + 1, 32);
memcpy(seed + 45, s->mykex + 1, 32);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
Fix off-by-one error. Apart from writing 1 byte beyond an array allocated on the stack, this slipped an unitialized byte in the seed used for key generation.
2012-10-06 14:53:43 +00:00
memcpy(seed + 77, s->label, s->labellen);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Use PRF to generate the key material
if(!prf(shared, len, seed, s->labellen + 64 + 13, s->key, keylen))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Failed to generate key material");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return true;
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Send an ACKnowledgement record.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
static bool send_ack(sptps_t *s) {
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
return send_record_priv(s, SPTPS_HANDSHAKE, "", 0);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Receive an ACKnowledgement record.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
static bool receive_ack(sptps_t *s, const char *data, uint16_t len) {
if(len)
Exchange ACK records to indicate switch to new keys. This allow application records to be sent while key renegotiation is still happening.
2011-10-06 13:32:12 +00:00
return error(s, EIO, "Invalid ACK record length");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Exchange ACK records to indicate switch to new keys. This allow application records to be sent while key renegotiation is still happening.
2011-10-06 13:32:12 +00:00
if(s->initiator) {
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
if(!chacha_poly1305_set_key(s->incipher, s->key))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Failed to set counter");
Exchange ACK records to indicate switch to new keys. This allow application records to be sent while key renegotiation is still happening.
2011-10-06 13:32:12 +00:00
} else {
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
if(!chacha_poly1305_set_key(s->incipher, s->key + CHACHA_POLY1305_KEYLEN))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Failed to set counter");
Exchange ACK records to indicate switch to new keys. This allow application records to be sent while key renegotiation is still happening.
2011-10-06 13:32:12 +00:00
}
free(s->key);
s->key = NULL;
s->instate = true;
return true;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Receive a Key EXchange record, respond by sending a SIG record.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
static bool receive_kex(sptps_t *s, const char *data, uint16_t len) {
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Verify length of the HELLO record
if(len != 1 + 32 + ECDH_SIZE)
return error(s, EIO, "Invalid KEX record length");
// Ignore version number for now.
// Make a copy of the KEX message, send_sig() and receive_sig() need it
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(s->hiskex)
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Received a second KEX message before first has been processed");
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
s->hiskex = realloc(s->hiskex, len);
if(!s->hiskex)
return error(s, errno, strerror(errno));
memcpy(s->hiskex, data, len);
return send_sig(s);
}
// Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys.
static bool receive_sig(sptps_t *s, const char *data, uint16_t len) {
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
size_t keylen = ECDH_SIZE;
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
size_t siglen = ecdsa_size(s->hiskey);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Verify length of KEX record.
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(len != siglen)
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return error(s, EIO, "Invalid KEX record length");
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Concatenate both KEX messages, plus tag indicating if it is from the connection originator
Make sure the signature also covers the session label.
2012-03-18 20:24:46 +00:00
char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen];
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
msg[0] = !s->initiator;
memcpy(msg + 1, s->hiskex, 1 + 32 + keylen);
Make sure the signature also covers the session label.
2012-03-18 20:24:46 +00:00
memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen);
memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen);
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Verify signature.
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EIO, "Failed to verify SIG record");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Compute shared secret.
char shared[ECDH_SHARED_SIZE];
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EINVAL, "Failed to compute ECDH shared secret");
Don't free ephemeral ECDH keys twice. ecdh_compute_shared() was changed to immediately delete the ephemeral key after the shared secret was computed. Therefore, the pointer to the ecdh_t struct should be zeroed so it won't be freed again when a struct sptps_t is freed.
2013-05-11 12:13:23 +00:00
s->ecdh = NULL;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Generate key material from shared secret.
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(!generate_key_material(s, shared, sizeof shared))
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return false;
Exchange ACK records to indicate switch to new keys. This allow application records to be sent while key renegotiation is still happening.
2011-10-06 13:32:12 +00:00
free(s->mykex);
free(s->hiskex);
s->mykex = NULL;
s->hiskex = NULL;
// Send cipher change record
Don't send an ACK message after the first key exchange in the SPTPS protocol.
2012-03-18 16:46:30 +00:00
if(s->outstate && !send_ack(s))
Exchange ACK records to indicate switch to new keys. This allow application records to be sent while key renegotiation is still happening.
2011-10-06 13:32:12 +00:00
return false;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// TODO: only set new keys after ACK has been set/received
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
if(s->initiator) {
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN))
return error(s, EINVAL, "Failed to set key");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
} else {
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
if(!chacha_poly1305_set_key(s->outcipher, s->key))
return error(s, EINVAL, "Failed to set key");
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
return true;
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Force another Key EXchange (for testing purposes).
Ensure all SPTPS functions are prefixed with sptps_.
2012-02-26 11:33:16 +00:00
bool sptps_force_kex(sptps_t *s) {
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(!s->outstate || s->state != SPTPS_SECONDARY_KEX)
return error(s, EINVAL, "Cannot force KEX in current state");
s->state = SPTPS_KEX;
return send_kex(s);
}
// Receive a handshake record.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
static bool receive_handshake(sptps_t *s, const char *data, uint16_t len) {
// Only a few states to deal with handshaking.
switch(s->state) {
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
case SPTPS_SECONDARY_KEX:
// We receive a secondary KEX request, first respond by sending our own.
if(!send_kex(s))
return false;
case SPTPS_KEX:
// We have sent our KEX request, we expect our peer to sent one as well.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
if(!receive_kex(s, data, len))
return false;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
s->state = SPTPS_SIG;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return true;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
case SPTPS_SIG:
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// If we already sent our secondary public ECDH key, we expect the peer to send his.
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
if(!receive_sig(s, data, len))
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return false;
Don't send an ACK message after the first key exchange in the SPTPS protocol.
2012-03-18 16:46:30 +00:00
if(s->outstate)
s->state = SPTPS_ACK;
else {
s->outstate = true;
if(!receive_ack(s, NULL, 0))
return false;
s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
s->state = SPTPS_SECONDARY_KEX;
}
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return true;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
case SPTPS_ACK:
// We expect a handshake message to indicate transition to the new keys.
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
if(!receive_ack(s, data, len))
return false;
Use SPTPS when ExperimentalProtocol is enabled.
2012-02-25 17:25:21 +00:00
s->receive_record(s->handle, SPTPS_HANDSHAKE, NULL, 0);
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
s->state = SPTPS_SECONDARY_KEX;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return true;
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// TODO: split ACK into a VERify and ACK?
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
default:
Modified some error messages in src/sptps.c.
2013-05-14 00:57:35 +00:00
return error(s, EIO, "Invalid session state %d", s->state);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
}
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
static bool sptps_check_seqno(sptps_t *s, uint32_t seqno, bool update_state) {
// Replay protection using a sliding window of configurable size.
// s->inseqno is expected sequence number
// seqno is received sequence number
// s->late[] is a circular buffer, a 1 bit means a packet has not been received yet
// The circular buffer contains bits for sequence numbers from s->inseqno - s->replaywin * 8 to (but excluding) s->inseqno.
if(s->replaywin) {
if(seqno != s->inseqno) {
if(seqno >= s->inseqno + s->replaywin * 8) {
// Prevent packets that jump far ahead of the queue from causing many others to be dropped.
bool farfuture = s->farfuture < s->replaywin >> 2;
if (update_state)
s->farfuture++;
if(farfuture)
Don't log seqno failures in sptps_verify_datagram(). This function is not used for normal traffic, only when a packet from an unknown source is received and we need to check against candidates. No failures should be logger in this case; if the packet is really not valid this will be logged by handle_incoming_vpn_data().
2015-05-19 19:32:30 +00:00
return update_state ? error(s, EIO, "Packet is %d seqs in the future, dropped (%u)\n", seqno - s->inseqno, s->farfuture) : false;
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
// Unless we have seen lots of them, in which case we consider the others lost.
Don't log seqno failures in sptps_verify_datagram(). This function is not used for normal traffic, only when a packet from an unknown source is received and we need to check against candidates. No failures should be logger in this case; if the packet is really not valid this will be logged by handle_incoming_vpn_data().
2015-05-19 19:32:30 +00:00
if(update_state)
warning(s, "Lost %d packets\n", seqno - s->inseqno);
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
if (update_state) {
// Mark all packets in the replay window as being late.
memset(s->late, 255, s->replaywin);
}
} else if (seqno < s->inseqno) {
// If the sequence number is farther in the past than the bitmap goes, or if the packet was already received, drop it.
if((s->inseqno >= s->replaywin * 8 && seqno < s->inseqno - s->replaywin * 8) || !(s->late[(seqno / 8) % s->replaywin] & (1 << seqno % 8)))
Don't log seqno failures in sptps_verify_datagram(). This function is not used for normal traffic, only when a packet from an unknown source is received and we need to check against candidates. No failures should be logger in this case; if the packet is really not valid this will be logged by handle_incoming_vpn_data().
2015-05-19 19:32:30 +00:00
return update_state ? error(s, EIO, "Received late or replayed packet, seqno %d, last received %d\n", seqno, s->inseqno) : false;
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
} else if (update_state) {
// We missed some packets. Mark them in the bitmap as being late.
for(int i = s->inseqno; i < seqno; i++)
s->late[(i / 8) % s->replaywin] |= 1 << i % 8;
}
}
if (update_state) {
// Mark the current packet as not being late.
s->late[(seqno / 8) % s->replaywin] &= ~(1 << seqno % 8);
s->farfuture = 0;
}
}
if (update_state) {
if(seqno >= s->inseqno)
s->inseqno = seqno + 1;
if(!s->inseqno)
s->received = 0;
else
s->received++;
}
return true;
}
Handle SPTPS datagrams in try_mac().
2012-07-31 18:36:35 +00:00
// Check datagram for valid HMAC
Use void pointers for opaque data blobs in the SPTPS code.
2014-12-24 21:15:40 +00:00
bool sptps_verify_datagram(sptps_t *s, const void *data, size_t len) {
Handle SPTPS datagrams in try_mac().
2012-07-31 18:36:35 +00:00
if(!s->instate || len < 21)
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EIO, "Received short packet");
Handle SPTPS datagrams in try_mac().
2012-07-31 18:36:35 +00:00
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
uint32_t seqno;
memcpy(&seqno, data, 4);
seqno = ntohl(seqno);
Verify seqno early in sptps_verify_datagram(). This is a slight optimization for sptps_verify_datagram(), which might come in handy since this function is called in a loop via try_harder(). It turns out that since sptps_verify_datagram() doesn't update any state, it doesn't matter in which order verifications are done. However, it does affect performance since it's much cheaper to check the seqno than to try to decrypt the packet. Since this function is called with the wrong node most of the time, it makes verification vastly faster for the majority of calls because the seqno will be wrong in most cases.
2014-06-30 13:03:17 +00:00
if (!sptps_check_seqno(s, seqno, false))
return false;
Handle SPTPS datagrams in try_mac().
2012-07-31 18:36:35 +00:00
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
char buffer[len];
size_t outlen;
Verify seqno early in sptps_verify_datagram(). This is a slight optimization for sptps_verify_datagram(), which might come in handy since this function is called in a loop via try_harder(). It turns out that since sptps_verify_datagram() doesn't update any state, it doesn't matter in which order verifications are done. However, it does affect performance since it's much cheaper to check the seqno than to try to decrypt the packet. Since this function is called with the wrong node most of the time, it makes verification vastly faster for the majority of calls because the seqno will be wrong in most cases.
2014-06-30 13:03:17 +00:00
return chacha_poly1305_decrypt(s->incipher, seqno, data + 4, len - 4, buffer, &outlen);
Handle SPTPS datagrams in try_mac().
2012-07-31 18:36:35 +00:00
}
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
// Receive incoming data, datagram version.
static bool sptps_receive_data_datagram(sptps_t *s, const char *data, size_t len) {
if(len < (s->instate ? 21 : 5))
return error(s, EIO, "Received short packet");
uint32_t seqno;
memcpy(&seqno, data, 4);
seqno = ntohl(seqno);
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
data += 4; len -= 4;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(!s->instate) {
Log more messages using logger().
2012-10-14 13:37:24 +00:00
if(seqno != s->inseqno)
return error(s, EIO, "Invalid packet seqno: %d != %d", seqno, s->inseqno);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
s->inseqno = seqno + 1;
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
uint8_t type = *(data++); len--;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(type != SPTPS_HANDSHAKE)
return error(s, EIO, "Application record received before handshake finished");
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
return receive_handshake(s, data, len);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
}
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
// Decrypt
Check HMAC before sequence number.
2013-01-14 12:08:35 +00:00
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
char buffer[len];
size_t outlen;
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
if(!chacha_poly1305_decrypt(s->incipher, seqno, data, len, buffer, &outlen))
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
return error(s, EIO, "Failed to decrypt and verify packet");
Check HMAC before sequence number.
2013-01-14 12:08:35 +00:00
Implement sptps_verify_datagram(). Implementation of sptps_verify_datagram() was left as a TODO. This causes problems when using SPTPS in tinc, because this function is used in try_mac(), which itself is used in try_harder() to locate nodes sending UDP packets from unexpected addresses. In the current state this function always returns true, resulting in UDP addresses of random nodes getting changed which makes UDP communication fragile and unreliable. In addition, this makes UDP communication impossible through port translation and local discovery. This commit adds the missing implementation, thus fixing the issue.
2014-06-29 08:57:11 +00:00
if(!sptps_check_seqno(s, seqno, true))
return false;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
// Append a NULL byte for safety.
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
buffer[outlen] = 0;
data = buffer;
len = outlen;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
uint8_t type = *(data++); len--;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(type < SPTPS_HANDSHAKE) {
if(!s->instate)
return error(s, EIO, "Application record received before handshake finished");
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
if(!s->receive_record(s->handle, type, data, len))
Don't abort() willy-nilly in SPTPS code. If receive_handshake() or the receive_record() user callback returns an error, sptps_receive_data_datagram() crashes the entire process. This is heavy-handed, makes tinc very brittle to certain failures (i.e. unexpected packets), and is inconsistent with the rest of SPTPS code.
2015-03-08 17:32:39 +00:00
return false;
Use datagram SPTPS for packet exchange between nodes. When two nodes which support SPTPS want to send packets to each other, they now always use SPTPS. The node initiating the SPTPS session send the first SPTPS packet via an extended REQ_KEY messages. All other handshake messages are sent using ANS_KEY messages. This ensures that intermediate nodes using an older version of tinc can still help with NAT traversal. After the authentication phase is over, SPTPS packets are sent via UDP, or are encapsulated in extended REQ_KEY messages instead of PACKET messages.
2012-07-30 16:36:59 +00:00
} else if(type == SPTPS_HANDSHAKE) {
Trivial: make sptps_receive_data_datagram() a little more readable. The new code updates variables as stuff is being consumed, so that the reader doesn't have to do that in his head.
2015-05-17 16:51:05 +00:00
if(!receive_handshake(s, data, len))
Don't abort() willy-nilly in SPTPS code. If receive_handshake() or the receive_record() user callback returns an error, sptps_receive_data_datagram() crashes the entire process. This is heavy-handed, makes tinc very brittle to certain failures (i.e. unexpected packets), and is inconsistent with the rest of SPTPS code.
2015-03-08 17:32:39 +00:00
return false;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
} else {
Modified some error messages in src/sptps.c.
2013-05-14 00:57:35 +00:00
return error(s, EIO, "Invalid record type %d", type);
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
}
return true;
}
Add Brandon Black's replay window code to SPTPS.
2012-07-31 18:39:15 +00:00
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Receive incoming data. Check if it contains a complete record, if so, handle it.
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
size_t sptps_receive_data(sptps_t *s, const void *data, size_t len) {
size_t total_read = 0;
Don't try to handle incoming data if sptps_start() has not been called yet.
2013-05-12 11:39:22 +00:00
if(!s->state)
Modified some error messages in src/sptps.c.
2013-05-14 00:57:35 +00:00
return error(s, EIO, "Invalid session state zero");
Don't try to handle incoming data if sptps_start() has not been called yet.
2013-05-12 11:39:22 +00:00
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(s->datagram)
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
return sptps_receive_data_datagram(s, data, len) ? len : false;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// First read the 2 length bytes.
if(s->buflen < 2) {
size_t toread = 2 - s->buflen;
if(toread > len)
toread = len;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
memcpy(s->inbuf + s->buflen, data, toread);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
total_read += toread;
s->buflen += toread;
len -= toread;
data += toread;
Fix whitespace.
2012-10-10 15:17:49 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Exit early if we don't have the full length.
if(s->buflen < 2)
return total_read;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Get the length bytes
Apply HMAC after encryption.
2012-02-25 14:18:15 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
memcpy(&s->reclen, s->inbuf, 2);
s->reclen = ntohs(s->reclen);
Apply HMAC after encryption.
2012-02-25 14:18:15 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// If we have the length bytes, ensure our buffer can hold the whole request.
s->inbuf = realloc(s->inbuf, s->reclen + 19UL);
if(!s->inbuf)
return error(s, errno, strerror(errno));
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Exit early if we have no more data to process.
if(!len)
return total_read;
}
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Read up to the end of the record.
size_t toread = s->reclen + (s->instate ? 19UL : 3UL) - s->buflen;
if(toread > len)
toread = len;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
memcpy(s->inbuf + s->buflen, data, toread);
total_read += toread;
s->buflen += toread;
len -= toread;
data += toread;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// If we don't have a whole record, exit.
if(s->buflen < s->reclen + (s->instate ? 19UL : 3UL))
return total_read;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Update sequence number.
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
uint32_t seqno = s->inseqno++;
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Check HMAC and decrypt.
if(s->instate) {
if(!chacha_poly1305_decrypt(s->incipher, seqno, s->inbuf + 2UL, s->reclen + 17UL, s->inbuf + 2UL, NULL))
return error(s, EINVAL, "Failed to decrypt and verify record");
}
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
// Append a NULL byte for safety.
s->inbuf[s->reclen + 3UL] = 0;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
uint8_t type = s->inbuf[2];
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
if(type < SPTPS_HANDSHAKE) {
if(!s->instate)
return error(s, EIO, "Application record received before handshake finished");
if(!s->receive_record(s->handle, type, s->inbuf + 3, s->reclen))
return false;
} else if(type == SPTPS_HANDSHAKE) {
if(!receive_handshake(s, s->inbuf + 3, s->reclen))
return false;
} else {
return error(s, EIO, "Invalid record type %d", type);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
Only read one record at a time in sptps_receive_data(). sptps_receive_data() always consumes the entire buffer passed to it, which is somewhat inflexible. This commit improves the interface so that sptps_receive_data() consumes at most one record. The goal is to allow non-SPTPS stuff to be interleaved with SPTPS records in a single TCP stream.
2015-05-10 18:28:11 +00:00
s->buflen = 0;
return total_read;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Start a SPTPS session.
Use void pointers for opaque data blobs in the SPTPS code.
2014-12-24 21:15:40 +00:00
bool sptps_start(sptps_t *s, void *handle, bool initiator, bool datagram, ecdsa_t *mykey, ecdsa_t *hiskey, const void *label, size_t labellen, send_data_t send_data, receive_record_t receive_record) {
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Initialise struct sptps
memset(s, 0, sizeof *s);
s->handle = handle;
s->initiator = initiator;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
s->datagram = datagram;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
s->mykey = mykey;
s->hiskey = hiskey;
Add Brandon Black's replay window code to SPTPS.
2012-07-31 18:39:15 +00:00
s->replaywin = sptps_replaywin;
if(s->replaywin) {
s->late = malloc(s->replaywin);
if(!s->late)
return error(s, errno, strerror(errno));
Fix the replay window in SPTPS.
2013-08-30 12:22:05 +00:00
memset(s->late, 0, s->replaywin);
Add Brandon Black's replay window code to SPTPS.
2012-07-31 18:39:15 +00:00
}
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
s->label = malloc(labellen);
if(!s->label)
return error(s, errno, strerror(errno));
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
if(!datagram) {
s->inbuf = malloc(7);
if(!s->inbuf)
return error(s, errno, strerror(errno));
Use AES-256-GCM for the SPTPS protocol. It is faster than AES-256-CTR + HMAC-SHA256, especially on Intel chips with AES and PCLMULQDQ instructions.
2013-10-12 23:02:52 +00:00
s->buflen = 0;
Add datagram mode to the SPTPS protocol. * Everything is identical except the headers of the records. * Instead of sending explicit message length and having an implicit sequence number, datagram mode has an implicit message length and an explicit sequence number. * The sequence number is used to set the most significant bytes of the counter.
2012-03-18 15:42:02 +00:00
}
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
memcpy(s->label, label, labellen);
s->labellen = labellen;
s->send_data = send_data;
s->receive_record = receive_record;
// Do first KEX immediately
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
s->state = SPTPS_KEX;
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return send_kex(s);
}
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
// Stop a SPTPS session.
Ensure all SPTPS functions are prefixed with sptps_.
2012-02-26 11:33:16 +00:00
bool sptps_stop(sptps_t *s) {
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
// Clean up any resources.
Use the ChaCha-Poly1305 cipher for the SPTPS protocol. The main reason to switch from AES-256-GCM to ChaCha-Poly1305 is to remove a dependency on OpenSSL, whose behaviour of the AES-256-GCM decryption function changes between versions. The source code for ChaCha-Pol1305 is small and in the public domain, and can therefore be easily included in tinc itself. Moreover, it is very fast even without using any optimized assembler, easily outperforming AES-256-GCM on platforms that don't have special AES instructions in hardware.
2014-04-14 19:43:45 +00:00
chacha_poly1305_exit(s->incipher);
chacha_poly1305_exit(s->outcipher);
Use conditional compilation for cryptographic functions. This gets rid of the rest of the symbolic links. However, as a consequence, the crypto header files have now moved to src/, and can no longer contain library-specific declarations. Therefore, cipher_t, digest_t, ecdh_t, ecdsa_t and rsa_t are now all opaque types, and only pointers to those types can be used.
2013-05-01 15:17:22 +00:00
ecdh_free(s->ecdh);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
free(s->inbuf);
Update SPTPS protocol. * Exchange nonce and ECDH public key first, calculate the ECDSA signature over the complete key exchange. * Make an explicit distinction between client and server in the signatures. * Add more comments and replace some magic numbers by #defines. Thanks to Erik Tews for very helpful hints and comments!
2011-10-05 20:00:51 +00:00
free(s->mykex);
free(s->hiskex);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
free(s->key);
free(s->label);
Add Brandon Black's replay window code to SPTPS.
2012-07-31 18:39:15 +00:00
free(s->late);
Fix memory leaks found by valgrind.
2012-10-09 14:27:28 +00:00
memset(s, 0, sizeof *s);
Start of "Simple Peer-To-Peer Security" protocol. Encryption and authentication of the meta connection is spread out over meta.c and protocol_auth.c. The new protocol was added there as well, leading to spaghetti code. To improve things, the new protocol will now be implemented in sptps.[ch]. The goal is to have a very simplified version of TLS. There is a record layer, and there are only two record types: application data and handshake messages. The handshake message contains a random nonce, an ephemeral ECDH public key, and an ECDSA signature over the former. After the ECDH public keys are exchanged, a shared secret is calculated, and a TLS style PRF is used to generate the key material for the cipher and HMAC algorithm, and further communication is encrypted and authenticated. A lot of the simplicity comes from the fact that both sides must have each other's public keys in advance, and there are no options to choose. There will be one fixed cipher suite, and both peers always authenticate each other. (Inspiration taken from Ian Grigg's hypotheses[0].) There might be some compromise in the future, to enable or disable encryption, authentication and compression, but there will be no choice of algorithms. This will allow SPTPS to be built with a few embedded crypto algorithms instead of linking with huge crypto libraries. The API is also kept simple. There is a start and a stop function. All data necessary to make the connection work is passed in the start function. Instead having both send- and receive-record functions, there is a send-record function and a receive-data function. The latter will pass protocol data received from the peer to the SPTPS implementation, which will in turn call a receive-record callback function when necessary. This hides all the handshaking from the application, and is completely independent from any event loop or socket characteristics. [0] http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html
2011-07-24 13:44:51 +00:00
return true;
}
Reference in a new issue Copy permalink