~mdw / tripe / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
server/admin.c: Remove spurious `ping' in usage message.
[tripe] / server / keyset.c
1 /* -*-c-*-
2 *
3 * Handling of symmetric keysets
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
8 /*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software: you can redistribute it and/or modify it under
13 * the terms of the GNU General Public License as published by the Free
14 * Software Foundation; either version 3 of the License, or (at your
15 * option) any later version.
16 *
17 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
18 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
24 */
25
26 /*----- Header files ------------------------------------------------------*/
27
28 #include "tripe.h"
29
30 /*----- Handy macros ------------------------------------------------------*/
31
32 #define KEYOK(ks, now) ((ks)->sz_exp > 0 && (ks)->t_exp > now)
33
34 /*----- Low-level packet encryption and decryption ------------------------*/
35
36 /* --- Encrypted data format --- *
37 *
38 * Let %$p_i$% be the %$i$%-th plaintext message, with type %$t$%. We first
39 * compute
40 *
41 * %$c_i = \mathcal{E}\textrm{-CBC}_{K_{\text{E}}}(p_i)$%
42 *
43 * as the CBC-ciphertext of %$p_i$%, and then
44 *
45 * %$\sigma_i = \mathcal{T}_{K_{\text{M}}}(t, i, c_i)$%
46 *
47 * as a MAC on the %%\emph{ciphertext}%%. The message sent is then the pair
48 * %$(\sigma_i, c_i)$%. This construction is provably secure in the NM-CCA
49 * sense (assuming that the cipher is IND-CPA, and the MAC is SUF-CMA)
50 * [Bellare and Namprempre].
51 *
52 * This also ensures that, assuming the key is good, we have a secure channel
53 * [Krawczyk]. Actually, [Krawczyk] shows that, if the cipher is either a
54 * simple stream cipher or a block cipher in CBC mode, we can use the MAC-
55 * then-encrypt scheme and still have a secure channel. However, I like the
56 * NM-CCA guarantee from [Bellare and Namprempre]. I'm less worried about
57 * the Horton Principle [Wagner and Schneier].
58 */
59
60 /* --- @doencrypt@ --- *
61 *
62 * Arguments: @keyset *ks@ = pointer to keyset to use
63 * @unsigned ty@ = type of message this is
64 * @buf *b@ = pointer to an input buffer
65 * @buf *bb@ = pointer to an output buffer
66 *
67 * Returns: Zero if OK; @KSERR_REGEN@ if it's time to generate new keys.
68 * Also returns zero if there was insufficient buffer space, but
69 * the buffer is broken in this case.
70 *
71 * Use: Encrypts a message with the given key. We assume that the
72 * keyset is OK to use.
73 */
74
75 static int doencrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
76 {
77 int rc;
78 size_t sz = BLEFT(b);
79 size_t osz, nsz;
80
81 /* --- Initial tracing --- */
82
83 IF_TRACING(T_KEYSET, {
84 trace(T_KEYSET,
85 "keyset: encrypting packet %lu (type 0x%02x) using keyset %u",
86 (unsigned long)ks->oseq, ty, ks->seq);
87 trace_block(T_CRYPTO, "crypto: plaintext packet", BCUR(b), sz);
88 })
89
90 /* --- Apply the bulk-crypto transformation --- */
91
92 rc = ks->bulk->ops->encrypt(ks->bulk, ty, b, bb, ks->oseq);
93 if (rc || !BOK(bb)) return (rc);
94 ks->oseq++;
95
96 /* --- Do the necessary accounting for data volume --- */
97
98 osz = ks->sz_exp;
99 nsz = osz > sz ? osz - sz : 0;
100 if (osz >= ks->sz_regen && ks->sz_regen > nsz) {
101 T( trace(T_KEYSET, "keyset: keyset %u data regen limit exceeded -- "
102 "forcing exchange", ks->seq); )
103 rc = KSERR_REGEN;
104 }
105 ks->sz_exp = nsz;
106
107 /* --- We're done --- */
108
109 return (rc);
110 }
111
112 /* --- @dodecrypt@ --- *
113 *
114 * Arguments: @keyset *ks@ = pointer to keyset to use
115 * @unsigned ty@ = expected type code
116 * @buf *b@ = pointer to an input buffer
117 * @buf *bb@ = pointer to an output buffer
118 * @uint32 *seq@ = where to store the sequence number
119 *
120 * Returns: Zero on success; @KSERR_DECRYPT@ on failure.
121 *
122 * Use: Attempts to decrypt a message with the given key. No other
123 * checking (e.g., sequence number checks) is performed. We
124 * assume that the keyset is OK to use, and that there is
125 * sufficient output buffer space reserved. If the decryption
126 * is successful, the buffer pointer is moved past the decrypted
127 * packet, and the packet's sequence number is stored in @*seq@.
128 */
129
130 static int dodecrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq)
131 {
132 const octet *q = BCUR(bb);
133 int rc;
134
135 IF_TRACING(T_KEYSET, {
136 trace(T_KEYSET,
137 "keyset: try decrypting packet (type 0x%02x) using keyset %u",
138 ty, ks->seq);
139 trace_block(T_CRYPTO, "crypto: ciphertext packet", BCUR(b), BLEFT(b));
140 })
141
142 rc = ks->bulk->ops->decrypt(ks->bulk, ty, b, bb, seq);
143 if (rc) return (rc);
144
145 IF_TRACING(T_KEYSET, {
146 trace(T_KEYSET, "keyset: decrypted OK (sequence = %lu)",
147 (unsigned long)*seq);
148 trace_block(T_CRYPTO, "crypto: decrypted packet", q, BCUR(bb) - q);
149 })
150 return (0);
151 }
152
153 /*----- Operations on a single keyset -------------------------------------*/
154
155 /* --- @ks_drop@ --- *
156 *
157 * Arguments: @keyset *ks@ = pointer to a keyset
158 *
159 * Returns: ---
160 *
161 * Use: Decrements a keyset's reference counter. If the counter hits
162 * zero, the keyset is freed.
163 */
164
165 void ks_drop(keyset *ks)
166 {
167 if (--ks->ref) return;
168 ks->bulk->ops->freectx(ks->bulk);
169 DESTROY(ks);
170 }
171
172 /* --- @ks_gen@ --- *
173 *
174 * Arguments: @deriveargs *a@ = key derivation parameters (modified)
175 * @peer *p@ = pointer to peer information
176 *
177 * Returns: A pointer to the new keyset.
178 *
179 * Use: Derives a new keyset from the given key material. This will
180 * set the @what@, @f@, and @hc@ members in @*a@; other members
181 * must be filled in by the caller.
182 *
183 * The new key is marked so that it won't be selected for output
184 * by @ksl_encrypt@. You can still encrypt data with it by
185 * calling @ks_encrypt@ directly.
186 */
187
188 keyset *ks_gen(deriveargs *a, peer *p)
189 {
190 keyset *ks = CREATE(keyset);
191 time_t now = time(0);
192 const algswitch *algs = &p->kx.kpriv->algs;
193 T( static unsigned seq = 0; )
194
195 T( trace(T_KEYSET, "keyset: adding new keyset %u", seq); )
196
197 a->what = "tripe-"; a->f = DF_IN | DF_OUT; a->hc = algs->h;
198 ks->bulk = algs->bulk->ops->genkeys(algs->bulk, a);
199 ks->bulk->ops = algs->bulk->ops;
200
201 T( ks->seq = seq++; )
202 ks->ref = 1;
203 ks->t_exp = now + T_EXP;
204 ks->sz_exp = algs->bulk->ops->expsz(algs->bulk);
205 ks->sz_regen = ks->sz_exp/2;
206 ks->oseq = 0;
207 seq_reset(&ks->iseq);
208 ks->next = 0;
209 ks->p = p;
210 ks->f = KSF_LISTEN;
211 return (ks);
212 }
213
214 /* --- @ks_activate@ --- *
215 *
216 * Arguments: @keyset *ks@ = pointer to a keyset
217 *
218 * Returns: ---
219 *
220 * Use: Activates a keyset, so that it can be used for encrypting
221 * outgoing messages.
222 */
223
224 void ks_activate(keyset *ks)
225 {
226 if (ks->f & KSF_LISTEN) {
227 T( trace(T_KEYSET, "keyset: activating keyset %u", ks->seq); )
228 ks->f &= ~KSF_LISTEN;
229 }
230 }
231
232 /* --- @ks_encrypt@ --- *
233 *
234 * Arguments: @keyset *ks@ = pointer to a keyset
235 * @unsigned ty@ = message type
236 * @buf *b@ = pointer to input buffer
237 * @buf *bb@ = pointer to output buffer
238 *
239 * Returns: Zero if successful; @KSERR_REGEN@ if we should negotiate a
240 * new key; @KSERR_NOKEYS@ if the key is not usable. Also
241 * returns zero if there was insufficient buffer (but the output
242 * buffer is broken in this case).
243 *
244 * Use: Encrypts a block of data using the key. Note that the `key
245 * ought to be replaced' notification is only ever given once
246 * for each key. Also note that this call forces a keyset to be
247 * used even if it's marked as not for data output.
248 *
249 * The encryption transform is permitted to corrupt @buf_u@ for
250 * its own purposes. Neither the source nor destination should
251 * be within @buf_u@; and callers mustn't expect anything stored
252 * in @buf_u@ to still
253 */
254
255 int ks_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
256 {
257 time_t now = time(0);
258
259 if (!KEYOK(ks, now)) {
260 buf_break(bb);
261 return (KSERR_NOKEYS);
262 }
263 return (doencrypt(ks, ty, b, bb));
264 }
265
266 /* --- @ks_decrypt@ --- *
267 *
268 * Arguments: @keyset *ks@ = pointer to a keyset
269 * @unsigned ty@ = expected type code
270 * @buf *b@ = pointer to an input buffer
271 * @buf *bb@ = pointer to an output buffer
272 *
273 * Returns: Zero on success; @KSERR_...@ on failure. Also returns
274 * zero if there was insufficient buffer (but the output buffer
275 * is broken in this case).
276 *
277 * Use: Attempts to decrypt a message using a given key. Note that
278 * requesting decryption with a key directly won't clear a
279 * marking that it's not for encryption.
280 *
281 * The decryption transform is permitted to corrupt @buf_u@ for
282 * its own purposes. Neither the source nor destination should
283 * be within @buf_u@; and callers mustn't expect anything stored
284 * in @buf_u@ to still
285 */
286
287 int ks_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb)
288 {
289 time_t now = time(0);
290 uint32 seq;
291 int err;
292
293 if (!KEYOK(ks, now)) return (KSERR_DECRYPT);
294 if (buf_ensure(bb, BLEN(b))) return (0);
295 if ((err = dodecrypt(ks, ty, b, bb, &seq)) != 0) return (err);
296 if (seq_check(&ks->iseq, seq, "SYMM")) return (KSERR_SEQ);
297 return (0);
298 }
299
300 /*----- Keyset list handling ----------------------------------------------*/
301
302 /* --- @ksl_free@ --- *
303 *
304 * Arguments: @keyset **ksroot@ = pointer to keyset list head
305 *
306 * Returns: ---
307 *
308 * Use: Frees (releases references to) all of the keys in a keyset.
309 */
310
311 void ksl_free(keyset **ksroot)
312 {
313 keyset *ks, *ksn;
314 for (ks = *ksroot; ks; ks = ksn) {
315 ksn = ks->next;
316 ks->f &= ~KSF_LINK;
317 ks_drop(ks);
318 }
319 }
320
321 /* --- @ksl_link@ --- *
322 *
323 * Arguments: @keyset **ksroot@ = pointer to keyset list head
324 * @keyset *ks@ = pointer to a keyset
325 *
326 * Returns: ---
327 *
328 * Use: Links a keyset into a list. A keyset can only be on one list
329 * at a time. Bad things happen otherwise.
330 */
331
332 void ksl_link(keyset **ksroot, keyset *ks)
333 {
334 assert(!(ks->f & KSF_LINK));
335 ks->next = *ksroot;
336 *ksroot = ks;
337 ks->f |= KSF_LINK;
338 ks->ref++;
339 }
340
341 /* --- @ksl_prune@ --- *
342 *
343 * Arguments: @keyset **ksroot@ = pointer to keyset list head
344 *
345 * Returns: ---
346 *
347 * Use: Prunes the keyset list by removing keys which mustn't be used
348 * any more.
349 */
350
351 void ksl_prune(keyset **ksroot)
352 {
353 time_t now = time(0);
354
355 while (*ksroot) {
356 keyset *ks = *ksroot;
357
358 if (ks->t_exp <= now) {
359 T( trace(T_KEYSET, "keyset: expiring keyset %u (time limit reached)",
360 ks->seq); )
361 goto kill;
362 } else if (ks->sz_exp == 0) {
363 T( trace(T_KEYSET, "keyset: expiring keyset %u (data limit reached)",
364 ks->seq); )
365 goto kill;
366 } else {
367 ksroot = &ks->next;
368 continue;
369 }
370
371 kill:
372 *ksroot = ks->next;
373 ks->f &= ~KSF_LINK;
374 ks_drop(ks);
375 }
376 }
377
378 /* --- @ksl_encrypt@ --- *
379 *
380 * Arguments: @keyset **ksroot@ = pointer to keyset list head
381 * @unsigned ty@ = message type
382 * @buf *b@ = pointer to input buffer
383 * @buf *bb@ = pointer to output buffer
384 *
385 * Returns: Zero if successful; @KSERR_REGEN@ if it's time to negotiate a
386 * new key; @KSERR_NOKEYS@ if there are no suitable keys
387 * available. Also returns zero if there was insufficient
388 * buffer space (but the output buffer is broken in this case).
389 *
390 * Use: Encrypts a packet.
391 */
392
393 int ksl_encrypt(keyset **ksroot, unsigned ty, buf *b, buf *bb)
394 {
395 time_t now = time(0);
396 keyset *ks = *ksroot;
397
398 for (;;) {
399 if (!ks) {
400 T( trace(T_KEYSET, "keyset: no suitable keysets found"); )
401 buf_break(bb);
402 return (KSERR_NOKEYS);
403 }
404 if (KEYOK(ks, now) && !(ks->f & KSF_LISTEN))
405 break;
406 ks = ks->next;
407 }
408
409 return (doencrypt(ks, ty, b, bb));
410 }
411
412 /* --- @ksl_decrypt@ --- *
413 *
414 * Arguments: @keyset **ksroot@ = pointer to keyset list head
415 * @unsigned ty@ = expected type code
416 * @buf *b@ = pointer to input buffer
417 * @buf *bb@ = pointer to output buffer
418 *
419 * Returns: Zero on success; @KSERR_DECRYPT@ on failure. Also returns
420 * zero if there was insufficient buffer (but the output buffer
421 * is broken in this case).
422 *
423 * Use: Decrypts a packet.
424 */
425
426 int ksl_decrypt(keyset **ksroot, unsigned ty, buf *b, buf *bb)
427 {
428 time_t now = time(0);
429 keyset *ks;
430 uint32 seq;
431 int err;
432
433 if (buf_ensure(bb, BLEN(b)))
434 return (0);
435
436 for (ks = *ksroot; ks; ks = ks->next) {
437 if (!KEYOK(ks, now))
438 continue;
439 if ((err = dodecrypt(ks, ty, b, bb, &seq)) == 0) {
440 if (ks->f & KSF_LISTEN) {
441 T( trace(T_KEYSET, "keyset: implicitly activating keyset %u",
442 ks->seq); )
443 ks->f &= ~KSF_LISTEN;
444 }
445 if (seq_check(&ks->iseq, seq, "SYMM"))
446 return (KSERR_SEQ);
447 else
448 return (0);
449 }
450 if (err != KSERR_DECRYPT) return (err);
451 }
452 T( trace(T_KEYSET, "keyset: no matching keys, or incorrect MAC"); )
453 return (KSERR_DECRYPT);
454 }
455
456 /*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN