1 /* dtls -- a very basic DTLS implementation
2  *
3  * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org>
4  * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de>
5  *
6  * Permission is hereby granted, free of charge, to any person
7  * obtaining a copy of this software and associated documentation
8  * files (the "Software"), to deal in the Software without
9  * restriction, including without limitation the rights to use, copy,
10  * modify, merge, publish, distribute, sublicense, and/or sell copies
11  * of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be
15  * included in all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
21  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
22  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
23  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24  * SOFTWARE.
25  */
26 
27 #ifndef _DTLS_CRYPTO_H_
28 #define _DTLS_CRYPTO_H_
29 
30 #include <stdlib.h>		/* for rand() and srand() */
31 #include <stdint.h>
32 
33 #include "t_list.h"
34 
35 #include "aes/rijndael.h"
36 
37 #include "global.h"
38 #include "state.h"
39 #include "numeric.h"
40 #include "hmac.h"
41 #include "ccm.h"
42 
43 /* TLS_PSK_WITH_AES_128_CCM_8 */
44 #define DTLS_MAC_KEY_LENGTH    0
45 #define DTLS_KEY_LENGTH        16 /* AES-128 */
46 #define DTLS_BLK_LENGTH        16 /* AES-128 */
47 #define DTLS_MAC_LENGTH        DTLS_HMAC_DIGEST_SIZE
48 #define DTLS_IV_LENGTH         4  /* length of nonce_explicit */
49 
50 /**
51  * Maximum size of the generated keyblock. Note that MAX_KEYBLOCK_LENGTH must
52  * be large enough to hold the pre_master_secret, i.e. twice the length of the
53  * pre-shared key + 1.
54  */
55 #define MAX_KEYBLOCK_LENGTH  \
56   (2 * DTLS_MAC_KEY_LENGTH + 2 * DTLS_KEY_LENGTH + 2 * DTLS_IV_LENGTH)
57 
58 /** Length of DTLS master_secret */
59 #define DTLS_MASTER_SECRET_LENGTH 48
60 #define DTLS_RANDOM_LENGTH 32
61 
62 typedef enum { AES128=0
63 } dtls_crypto_alg;
64 
65 typedef enum {
66   DTLS_ECDH_CURVE_SECP256R1
67 } dtls_ecdh_curve;
68 
69 /** Crypto context for TLS_PSK_WITH_AES_128_CCM_8 cipher suite. */
70 typedef struct {
71   rijndael_ctx ctx;		       /**< AES-128 encryption context */
72 } aes128_ccm_t;
73 
74 typedef struct dtls_cipher_context_t {
75   /** numeric identifier of this cipher suite in host byte order. */
76   aes128_ccm_t data;		/**< The crypto context */
77 } dtls_cipher_context_t;
78 
79 typedef struct {
80   uint8 own_eph_priv[32];
81   uint8 other_eph_pub_x[32];
82   uint8 other_eph_pub_y[32];
83   uint8 other_pub_x[32];
84   uint8 other_pub_y[32];
85 } dtls_handshake_parameters_ecdsa_t;
86 
87 /* This is the maximal supported length of the psk client identity and psk
88  * server identity hint */
89 #define DTLS_PSK_MAX_CLIENT_IDENTITY_LEN   32
90 
91 /* This is the maximal supported length of the pre-shared key. */
92 #define DTLS_PSK_MAX_KEY_LEN 32
93 
94 typedef struct {
95   uint16_t id_length;
96   unsigned char identity[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN];
97 } dtls_handshake_parameters_psk_t;
98 
99 typedef struct {
100   dtls_compression_t compression;	/**< compression method */
101 
102   dtls_cipher_t cipher;		/**< cipher type */
103   uint16_t epoch;	     /**< counter for cipher state changes*/
104   uint64_t rseq;	     /**< sequence number of last record sent */
105 
106   /**
107    * The key block generated from PRF applied to client and server
108    * random bytes. The actual size is given by the selected cipher and
109    * can be calculated using dtls_kb_size(). Use \c dtls_kb_ macros to
110    * access the components of the key block.
111    */
112   uint8 key_block[MAX_KEYBLOCK_LENGTH];
113 } dtls_security_parameters_t;
114 
115 typedef struct {
116   union {
117     struct random_t {
118       uint8 client[DTLS_RANDOM_LENGTH];	/**< client random gmt and bytes */
119       uint8 server[DTLS_RANDOM_LENGTH];	/**< server random gmt and bytes */
120     } random;
121     /** the session's master secret */
122     uint8 master_secret[DTLS_MASTER_SECRET_LENGTH];
123   } tmp;
124   LIST_STRUCT(reorder_queue);	/**< the packets to reorder */
125   dtls_hs_state_t hs_state;  /**< handshake protocol status */
126 
127   dtls_compression_t compression;		/**< compression method */
128   dtls_cipher_t cipher;		/**< cipher type */
129   unsigned int do_client_auth:1;
130   union {
131 #ifdef DTLS_ECC
132     dtls_handshake_parameters_ecdsa_t ecdsa;
133 #endif /* DTLS_ECC */
134 #ifdef DTLS_PSK
135     dtls_handshake_parameters_psk_t psk;
136 #endif /* DTLS_PSK */
137   } keyx;
138 } dtls_handshake_parameters_t;
139 
140 /* The following macros provide access to the components of the
141  * key_block in the security parameters. */
142 
143 #define dtls_kb_client_mac_secret(Param, Role) ((Param)->key_block)
144 #define dtls_kb_server_mac_secret(Param, Role)				\
145   (dtls_kb_client_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH)
146 #define dtls_kb_remote_mac_secret(Param, Role)				\
147   ((Role) == DTLS_SERVER						\
148    ? dtls_kb_client_mac_secret(Param, Role)				\
149    : dtls_kb_server_mac_secret(Param, Role))
150 #define dtls_kb_local_mac_secret(Param, Role)				\
151   ((Role) == DTLS_CLIENT						\
152    ? dtls_kb_client_mac_secret(Param, Role)				\
153    : dtls_kb_server_mac_secret(Param, Role))
154 #define dtls_kb_mac_secret_size(Param, Role) DTLS_MAC_KEY_LENGTH
155 #define dtls_kb_client_write_key(Param, Role)				\
156   (dtls_kb_server_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH)
157 #define dtls_kb_server_write_key(Param, Role)				\
158   (dtls_kb_client_write_key(Param, Role) + DTLS_KEY_LENGTH)
159 #define dtls_kb_remote_write_key(Param, Role)				\
160   ((Role) == DTLS_SERVER						\
161    ? dtls_kb_client_write_key(Param, Role)				\
162    : dtls_kb_server_write_key(Param, Role))
163 #define dtls_kb_local_write_key(Param, Role)				\
164   ((Role) == DTLS_CLIENT						\
165    ? dtls_kb_client_write_key(Param, Role)				\
166    : dtls_kb_server_write_key(Param, Role))
167 #define dtls_kb_key_size(Param, Role) DTLS_KEY_LENGTH
168 #define dtls_kb_client_iv(Param, Role)					\
169   (dtls_kb_server_write_key(Param, Role) + DTLS_KEY_LENGTH)
170 #define dtls_kb_server_iv(Param, Role)					\
171   (dtls_kb_client_iv(Param, Role) + DTLS_IV_LENGTH)
172 #define dtls_kb_remote_iv(Param, Role)					\
173   ((Role) == DTLS_SERVER						\
174    ? dtls_kb_client_iv(Param, Role)					\
175    : dtls_kb_server_iv(Param, Role))
176 #define dtls_kb_local_iv(Param, Role)					\
177   ((Role) == DTLS_CLIENT						\
178    ? dtls_kb_client_iv(Param, Role)					\
179    : dtls_kb_server_iv(Param, Role))
180 #define dtls_kb_iv_size(Param, Role) DTLS_IV_LENGTH
181 
182 #define dtls_kb_size(Param, Role)					\
183   (2 * (dtls_kb_mac_secret_size(Param, Role) +				\
184 	dtls_kb_key_size(Param, Role) + dtls_kb_iv_size(Param, Role)))
185 
186 /* just for consistency */
187 #define dtls_kb_digest_size(Param, Role) DTLS_MAC_LENGTH
188 
189 /**
190  * Expands the secret and key to a block of DTLS_HMAC_MAX
191  * size according to the algorithm specified in section 5 of
192  * RFC 4346.
193  *
194  * \param h       Identifier of the hash function to use.
195  * \param key     The secret.
196  * \param keylen  Length of \p key.
197  * \param seed    The seed.
198  * \param seedlen Length of \p seed.
199  * \param buf     Output buffer where the result is XORed into
200  *                The buffe must be capable to hold at least
201  *                \p buflen bytes.
202  * \return The actual number of bytes written to \p buf or 0
203  * on error.
204  */
205 size_t dtls_p_hash(dtls_hashfunc_t h,
206 		   const unsigned char *key, size_t keylen,
207 		   const unsigned char *label, size_t labellen,
208 		   const unsigned char *random1, size_t random1len,
209 		   const unsigned char *random2, size_t random2len,
210 		   unsigned char *buf, size_t buflen);
211 
212 /**
213  * This function implements the TLS PRF for DTLS_VERSION. For version
214  * 1.0, the PRF is P_MD5 ^ P_SHA1 while version 1.2 uses
215  * P_SHA256. Currently, the actual PRF is selected at compile time.
216  */
217 size_t dtls_prf(const unsigned char *key, size_t keylen,
218 		const unsigned char *label, size_t labellen,
219 		const unsigned char *random1, size_t random1len,
220 		const unsigned char *random2, size_t random2len,
221 		unsigned char *buf, size_t buflen);
222 
223 /**
224  * Calculates MAC for record + cleartext packet and places the result
225  * in \p buf. The given \p hmac_ctx must be initialized with the HMAC
226  * function to use and the proper secret. As the DTLS mac calculation
227  * requires data from the record header, \p record must point to a
228  * buffer of at least \c sizeof(dtls_record_header_t) bytes. Usually,
229  * the remaining packet will be encrypted, therefore, the cleartext
230  * is passed separately in \p packet.
231  *
232  * \param hmac_ctx  The HMAC context to use for MAC calculation.
233  * \param record    The record header.
234  * \param packet    Cleartext payload to apply the MAC to.
235  * \param length    Size of \p packet.
236  * \param buf       A result buffer that is large enough to hold
237  *                  the generated digest.
238  */
239 void dtls_mac(dtls_hmac_context_t *hmac_ctx,
240 	      const unsigned char *record,
241 	      const unsigned char *packet, size_t length,
242 	      unsigned char *buf);
243 
244 /**
245  * Encrypts the specified \p src of given \p length, writing the
246  * result to \p buf. The cipher implementation may add more data to
247  * the result buffer such as an initialization vector or padding
248  * (e.g. for block cipers in CBC mode). The caller therefore must
249  * ensure that \p buf provides sufficient storage to hold the result.
250  * Usually this means ( 2 + \p length / blocksize ) * blocksize.  The
251  * function returns a value less than zero on error or otherwise the
252  * number of bytes written.
253  *
254  * \param ctx    The cipher context to use.
255  * \param src    The data to encrypt.
256  * \param length The actual size of of \p src.
257  * \param buf    The result buffer. \p src and \p buf must not
258  *               overlap.
259  * \param aad    additional data for AEAD ciphers
260  * \param aad_length actual size of @p aad
261  * \return The number of encrypted bytes on success, less than zero
262  *         otherwise.
263  */
264 int dtls_encrypt(const unsigned char *src, size_t length,
265 		 unsigned char *buf,
266 		 unsigned char *nounce,
267 		 unsigned char *key, size_t keylen,
268 		 const unsigned char *aad, size_t aad_length);
269 
270 /**
271  * Decrypts the given buffer \p src of given \p length, writing the
272  * result to \p buf. The function returns \c -1 in case of an error,
273  * or the number of bytes written. Note that for block ciphers, \p
274  * length must be a multiple of the cipher's block size. A return
275  * value between \c 0 and the actual length indicates that only \c n-1
276  * block have been processed. Unlike dtls_encrypt(), the source
277  * and destination of dtls_decrypt() may overlap.
278  *
279  * \param ctx     The cipher context to use.
280  * \param src     The buffer to decrypt.
281  * \param length  The length of the input buffer.
282  * \param buf     The result buffer.
283  * \param aad     additional authentication data for AEAD ciphers
284  * \param aad_length actual size of @p aad
285  * \return Less than zero on error, the number of decrypted bytes
286  *         otherwise.
287  */
288 int dtls_decrypt(const unsigned char *src, size_t length,
289 		 unsigned char *buf,
290 		 unsigned char *nounce,
291 		 unsigned char *key, size_t keylen,
292 		 const unsigned char *a_data, size_t a_data_length);
293 
294 /* helper functions */
295 
296 /**
297  * Generates pre_master_sercet from given PSK and fills the result
298  * according to the "plain PSK" case in section 2 of RFC 4279.
299  * Diffie-Hellman and RSA key exchange are currently not supported.
300  *
301  * @param key    The shared key.
302  * @param keylen Length of @p key in bytes.
303  * @param result The derived pre master secret.
304  * @return The actual length of @p result.
305  */
306 int dtls_psk_pre_master_secret(unsigned char *key, size_t keylen,
307 			       unsigned char *result, size_t result_len);
308 
309 #define DTLS_EC_KEY_SIZE 32
310 
311 int dtls_ecdh_pre_master_secret(unsigned char *priv_key,
312 				unsigned char *pub_key_x,
313                                 unsigned char *pub_key_y,
314                                 size_t key_size,
315                                 unsigned char *result,
316                                 size_t result_len);
317 
318 void dtls_ecdsa_generate_key(unsigned char *priv_key,
319 			     unsigned char *pub_key_x,
320 			     unsigned char *pub_key_y,
321 			     size_t key_size);
322 
323 void dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size,
324 				const unsigned char *sign_hash, size_t sign_hash_size,
325 				uint32_t point_r[9], uint32_t point_s[9]);
326 
327 void dtls_ecdsa_create_sig(const unsigned char *priv_key, size_t key_size,
328 			   const unsigned char *client_random, size_t client_random_size,
329 			   const unsigned char *server_random, size_t server_random_size,
330 			   const unsigned char *keyx_params, size_t keyx_params_size,
331 			   uint32_t point_r[9], uint32_t point_s[9]);
332 
333 int dtls_ecdsa_verify_sig_hash(const unsigned char *pub_key_x,
334 			       const unsigned char *pub_key_y, size_t key_size,
335 			       const unsigned char *sign_hash, size_t sign_hash_size,
336 			       unsigned char *result_r, unsigned char *result_s);
337 
338 int dtls_ecdsa_verify_sig(const unsigned char *pub_key_x,
339 			  const unsigned char *pub_key_y, size_t key_size,
340 			  const unsigned char *client_random, size_t client_random_size,
341 			  const unsigned char *server_random, size_t server_random_size,
342 			  const unsigned char *keyx_params, size_t keyx_params_size,
343 			  unsigned char *result_r, unsigned char *result_s);
344 
345 int dtls_ec_key_from_uint32_asn1(const uint32_t *key, size_t key_size,
346 				 unsigned char *buf);
347 
348 
349 dtls_handshake_parameters_t *dtls_handshake_new();
350 
351 void dtls_handshake_free(dtls_handshake_parameters_t *handshake);
352 
353 dtls_security_parameters_t *dtls_security_new();
354 
355 void dtls_security_free(dtls_security_parameters_t *security);
356 void crypto_init();
357 
358 #endif /* _DTLS_CRYPTO_H_ */
359 
360