1 /* dtls -- a very basic DTLS implementation 2 * 3 * Copyright (C) 2011--2012 Olaf Bergmann <bergmann@tzi.org> 4 * Copyright (C) 2013 Hauke Mehrtens <hauke@hauke-m.de> 5 * 6 * Permission is hereby granted, free of charge, to any person 7 * obtaining a copy of this software and associated documentation 8 * files (the "Software"), to deal in the Software without 9 * restriction, including without limitation the rights to use, copy, 10 * modify, merge, publish, distribute, sublicense, and/or sell copies 11 * of the Software, and to permit persons to whom the Software is 12 * furnished to do so, subject to the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be 15 * included in all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 21 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 22 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 23 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 24 * SOFTWARE. 25 */ 26 27 #ifndef _DTLS_CRYPTO_H_ 28 #define _DTLS_CRYPTO_H_ 29 30 #include <stdlib.h> /* for rand() and srand() */ 31 #include <stdint.h> 32 33 #include "t_list.h" 34 35 #include "aes/rijndael.h" 36 37 #include "global.h" 38 #include "state.h" 39 #include "numeric.h" 40 #include "hmac.h" 41 #include "ccm.h" 42 43 /* TLS_PSK_WITH_AES_128_CCM_8 */ 44 #define DTLS_MAC_KEY_LENGTH 0 45 #define DTLS_KEY_LENGTH 16 /* AES-128 */ 46 #define DTLS_BLK_LENGTH 16 /* AES-128 */ 47 #define DTLS_MAC_LENGTH DTLS_HMAC_DIGEST_SIZE 48 #define DTLS_IV_LENGTH 4 /* length of nonce_explicit */ 49 50 /** 51 * Maximum size of the generated keyblock. Note that MAX_KEYBLOCK_LENGTH must 52 * be large enough to hold the pre_master_secret, i.e. twice the length of the 53 * pre-shared key + 1. 54 */ 55 #define MAX_KEYBLOCK_LENGTH \ 56 (2 * DTLS_MAC_KEY_LENGTH + 2 * DTLS_KEY_LENGTH + 2 * DTLS_IV_LENGTH) 57 58 /** Length of DTLS master_secret */ 59 #define DTLS_MASTER_SECRET_LENGTH 48 60 #define DTLS_RANDOM_LENGTH 32 61 62 typedef enum { AES128=0 63 } dtls_crypto_alg; 64 65 typedef enum { 66 DTLS_ECDH_CURVE_SECP256R1 67 } dtls_ecdh_curve; 68 69 /** Crypto context for TLS_PSK_WITH_AES_128_CCM_8 cipher suite. */ 70 typedef struct { 71 rijndael_ctx ctx; /**< AES-128 encryption context */ 72 } aes128_ccm_t; 73 74 typedef struct dtls_cipher_context_t { 75 /** numeric identifier of this cipher suite in host byte order. */ 76 aes128_ccm_t data; /**< The crypto context */ 77 } dtls_cipher_context_t; 78 79 typedef struct { 80 uint8 own_eph_priv[32]; 81 uint8 other_eph_pub_x[32]; 82 uint8 other_eph_pub_y[32]; 83 uint8 other_pub_x[32]; 84 uint8 other_pub_y[32]; 85 } dtls_handshake_parameters_ecdsa_t; 86 87 /* This is the maximal supported length of the psk client identity and psk 88 * server identity hint */ 89 #define DTLS_PSK_MAX_CLIENT_IDENTITY_LEN 32 90 91 /* This is the maximal supported length of the pre-shared key. */ 92 #define DTLS_PSK_MAX_KEY_LEN 32 93 94 typedef struct { 95 uint16_t id_length; 96 unsigned char identity[DTLS_PSK_MAX_CLIENT_IDENTITY_LEN]; 97 } dtls_handshake_parameters_psk_t; 98 99 typedef struct { 100 dtls_compression_t compression; /**< compression method */ 101 102 dtls_cipher_t cipher; /**< cipher type */ 103 uint16_t epoch; /**< counter for cipher state changes*/ 104 uint64_t rseq; /**< sequence number of last record sent */ 105 106 /** 107 * The key block generated from PRF applied to client and server 108 * random bytes. The actual size is given by the selected cipher and 109 * can be calculated using dtls_kb_size(). Use \c dtls_kb_ macros to 110 * access the components of the key block. 111 */ 112 uint8 key_block[MAX_KEYBLOCK_LENGTH]; 113 } dtls_security_parameters_t; 114 115 typedef struct { 116 union { 117 struct random_t { 118 uint8 client[DTLS_RANDOM_LENGTH]; /**< client random gmt and bytes */ 119 uint8 server[DTLS_RANDOM_LENGTH]; /**< server random gmt and bytes */ 120 } random; 121 /** the session's master secret */ 122 uint8 master_secret[DTLS_MASTER_SECRET_LENGTH]; 123 } tmp; 124 LIST_STRUCT(reorder_queue); /**< the packets to reorder */ 125 dtls_hs_state_t hs_state; /**< handshake protocol status */ 126 127 dtls_compression_t compression; /**< compression method */ 128 dtls_cipher_t cipher; /**< cipher type */ 129 unsigned int do_client_auth:1; 130 union { 131 #ifdef DTLS_ECC 132 dtls_handshake_parameters_ecdsa_t ecdsa; 133 #endif /* DTLS_ECC */ 134 #ifdef DTLS_PSK 135 dtls_handshake_parameters_psk_t psk; 136 #endif /* DTLS_PSK */ 137 } keyx; 138 } dtls_handshake_parameters_t; 139 140 /* The following macros provide access to the components of the 141 * key_block in the security parameters. */ 142 143 #define dtls_kb_client_mac_secret(Param, Role) ((Param)->key_block) 144 #define dtls_kb_server_mac_secret(Param, Role) \ 145 (dtls_kb_client_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH) 146 #define dtls_kb_remote_mac_secret(Param, Role) \ 147 ((Role) == DTLS_SERVER \ 148 ? dtls_kb_client_mac_secret(Param, Role) \ 149 : dtls_kb_server_mac_secret(Param, Role)) 150 #define dtls_kb_local_mac_secret(Param, Role) \ 151 ((Role) == DTLS_CLIENT \ 152 ? dtls_kb_client_mac_secret(Param, Role) \ 153 : dtls_kb_server_mac_secret(Param, Role)) 154 #define dtls_kb_mac_secret_size(Param, Role) DTLS_MAC_KEY_LENGTH 155 #define dtls_kb_client_write_key(Param, Role) \ 156 (dtls_kb_server_mac_secret(Param, Role) + DTLS_MAC_KEY_LENGTH) 157 #define dtls_kb_server_write_key(Param, Role) \ 158 (dtls_kb_client_write_key(Param, Role) + DTLS_KEY_LENGTH) 159 #define dtls_kb_remote_write_key(Param, Role) \ 160 ((Role) == DTLS_SERVER \ 161 ? dtls_kb_client_write_key(Param, Role) \ 162 : dtls_kb_server_write_key(Param, Role)) 163 #define dtls_kb_local_write_key(Param, Role) \ 164 ((Role) == DTLS_CLIENT \ 165 ? dtls_kb_client_write_key(Param, Role) \ 166 : dtls_kb_server_write_key(Param, Role)) 167 #define dtls_kb_key_size(Param, Role) DTLS_KEY_LENGTH 168 #define dtls_kb_client_iv(Param, Role) \ 169 (dtls_kb_server_write_key(Param, Role) + DTLS_KEY_LENGTH) 170 #define dtls_kb_server_iv(Param, Role) \ 171 (dtls_kb_client_iv(Param, Role) + DTLS_IV_LENGTH) 172 #define dtls_kb_remote_iv(Param, Role) \ 173 ((Role) == DTLS_SERVER \ 174 ? dtls_kb_client_iv(Param, Role) \ 175 : dtls_kb_server_iv(Param, Role)) 176 #define dtls_kb_local_iv(Param, Role) \ 177 ((Role) == DTLS_CLIENT \ 178 ? dtls_kb_client_iv(Param, Role) \ 179 : dtls_kb_server_iv(Param, Role)) 180 #define dtls_kb_iv_size(Param, Role) DTLS_IV_LENGTH 181 182 #define dtls_kb_size(Param, Role) \ 183 (2 * (dtls_kb_mac_secret_size(Param, Role) + \ 184 dtls_kb_key_size(Param, Role) + dtls_kb_iv_size(Param, Role))) 185 186 /* just for consistency */ 187 #define dtls_kb_digest_size(Param, Role) DTLS_MAC_LENGTH 188 189 /** 190 * Expands the secret and key to a block of DTLS_HMAC_MAX 191 * size according to the algorithm specified in section 5 of 192 * RFC 4346. 193 * 194 * \param h Identifier of the hash function to use. 195 * \param key The secret. 196 * \param keylen Length of \p key. 197 * \param seed The seed. 198 * \param seedlen Length of \p seed. 199 * \param buf Output buffer where the result is XORed into 200 * The buffe must be capable to hold at least 201 * \p buflen bytes. 202 * \return The actual number of bytes written to \p buf or 0 203 * on error. 204 */ 205 size_t dtls_p_hash(dtls_hashfunc_t h, 206 const unsigned char *key, size_t keylen, 207 const unsigned char *label, size_t labellen, 208 const unsigned char *random1, size_t random1len, 209 const unsigned char *random2, size_t random2len, 210 unsigned char *buf, size_t buflen); 211 212 /** 213 * This function implements the TLS PRF for DTLS_VERSION. For version 214 * 1.0, the PRF is P_MD5 ^ P_SHA1 while version 1.2 uses 215 * P_SHA256. Currently, the actual PRF is selected at compile time. 216 */ 217 size_t dtls_prf(const unsigned char *key, size_t keylen, 218 const unsigned char *label, size_t labellen, 219 const unsigned char *random1, size_t random1len, 220 const unsigned char *random2, size_t random2len, 221 unsigned char *buf, size_t buflen); 222 223 /** 224 * Calculates MAC for record + cleartext packet and places the result 225 * in \p buf. The given \p hmac_ctx must be initialized with the HMAC 226 * function to use and the proper secret. As the DTLS mac calculation 227 * requires data from the record header, \p record must point to a 228 * buffer of at least \c sizeof(dtls_record_header_t) bytes. Usually, 229 * the remaining packet will be encrypted, therefore, the cleartext 230 * is passed separately in \p packet. 231 * 232 * \param hmac_ctx The HMAC context to use for MAC calculation. 233 * \param record The record header. 234 * \param packet Cleartext payload to apply the MAC to. 235 * \param length Size of \p packet. 236 * \param buf A result buffer that is large enough to hold 237 * the generated digest. 238 */ 239 void dtls_mac(dtls_hmac_context_t *hmac_ctx, 240 const unsigned char *record, 241 const unsigned char *packet, size_t length, 242 unsigned char *buf); 243 244 /** 245 * Encrypts the specified \p src of given \p length, writing the 246 * result to \p buf. The cipher implementation may add more data to 247 * the result buffer such as an initialization vector or padding 248 * (e.g. for block cipers in CBC mode). The caller therefore must 249 * ensure that \p buf provides sufficient storage to hold the result. 250 * Usually this means ( 2 + \p length / blocksize ) * blocksize. The 251 * function returns a value less than zero on error or otherwise the 252 * number of bytes written. 253 * 254 * \param ctx The cipher context to use. 255 * \param src The data to encrypt. 256 * \param length The actual size of of \p src. 257 * \param buf The result buffer. \p src and \p buf must not 258 * overlap. 259 * \param aad additional data for AEAD ciphers 260 * \param aad_length actual size of @p aad 261 * \return The number of encrypted bytes on success, less than zero 262 * otherwise. 263 */ 264 int dtls_encrypt(const unsigned char *src, size_t length, 265 unsigned char *buf, 266 unsigned char *nounce, 267 unsigned char *key, size_t keylen, 268 const unsigned char *aad, size_t aad_length); 269 270 /** 271 * Decrypts the given buffer \p src of given \p length, writing the 272 * result to \p buf. The function returns \c -1 in case of an error, 273 * or the number of bytes written. Note that for block ciphers, \p 274 * length must be a multiple of the cipher's block size. A return 275 * value between \c 0 and the actual length indicates that only \c n-1 276 * block have been processed. Unlike dtls_encrypt(), the source 277 * and destination of dtls_decrypt() may overlap. 278 * 279 * \param ctx The cipher context to use. 280 * \param src The buffer to decrypt. 281 * \param length The length of the input buffer. 282 * \param buf The result buffer. 283 * \param aad additional authentication data for AEAD ciphers 284 * \param aad_length actual size of @p aad 285 * \return Less than zero on error, the number of decrypted bytes 286 * otherwise. 287 */ 288 int dtls_decrypt(const unsigned char *src, size_t length, 289 unsigned char *buf, 290 unsigned char *nounce, 291 unsigned char *key, size_t keylen, 292 const unsigned char *a_data, size_t a_data_length); 293 294 /* helper functions */ 295 296 /** 297 * Generates pre_master_sercet from given PSK and fills the result 298 * according to the "plain PSK" case in section 2 of RFC 4279. 299 * Diffie-Hellman and RSA key exchange are currently not supported. 300 * 301 * @param key The shared key. 302 * @param keylen Length of @p key in bytes. 303 * @param result The derived pre master secret. 304 * @return The actual length of @p result. 305 */ 306 int dtls_psk_pre_master_secret(unsigned char *key, size_t keylen, 307 unsigned char *result, size_t result_len); 308 309 #define DTLS_EC_KEY_SIZE 32 310 311 int dtls_ecdh_pre_master_secret(unsigned char *priv_key, 312 unsigned char *pub_key_x, 313 unsigned char *pub_key_y, 314 size_t key_size, 315 unsigned char *result, 316 size_t result_len); 317 318 void dtls_ecdsa_generate_key(unsigned char *priv_key, 319 unsigned char *pub_key_x, 320 unsigned char *pub_key_y, 321 size_t key_size); 322 323 void dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size, 324 const unsigned char *sign_hash, size_t sign_hash_size, 325 uint32_t point_r[9], uint32_t point_s[9]); 326 327 void dtls_ecdsa_create_sig(const unsigned char *priv_key, size_t key_size, 328 const unsigned char *client_random, size_t client_random_size, 329 const unsigned char *server_random, size_t server_random_size, 330 const unsigned char *keyx_params, size_t keyx_params_size, 331 uint32_t point_r[9], uint32_t point_s[9]); 332 333 int dtls_ecdsa_verify_sig_hash(const unsigned char *pub_key_x, 334 const unsigned char *pub_key_y, size_t key_size, 335 const unsigned char *sign_hash, size_t sign_hash_size, 336 unsigned char *result_r, unsigned char *result_s); 337 338 int dtls_ecdsa_verify_sig(const unsigned char *pub_key_x, 339 const unsigned char *pub_key_y, size_t key_size, 340 const unsigned char *client_random, size_t client_random_size, 341 const unsigned char *server_random, size_t server_random_size, 342 const unsigned char *keyx_params, size_t keyx_params_size, 343 unsigned char *result_r, unsigned char *result_s); 344 345 int dtls_ec_key_from_uint32_asn1(const uint32_t *key, size_t key_size, 346 unsigned char *buf); 347 348 349 dtls_handshake_parameters_t *dtls_handshake_new(); 350 351 void dtls_handshake_free(dtls_handshake_parameters_t *handshake); 352 353 dtls_security_parameters_t *dtls_security_new(); 354 355 void dtls_security_free(dtls_security_parameters_t *security); 356 void crypto_init(); 357 358 #endif /* _DTLS_CRYPTO_H_ */ 359 360
