X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/426c0bc6709a82bebb9e21e8dd7914d8091d6dfd..7631176f5c140b9c77fa865ef3b2287fd574e4d7:/keyset.c diff --git a/keyset.c b/keyset.c index cf041499..6aa68a95 100644 --- a/keyset.c +++ b/keyset.c @@ -1,6 +1,6 @@ /* -*-c-*- * - * $Id: keyset.c,v 1.3 2001/02/16 21:39:55 mdw Exp $ + * $Id: keyset.c,v 1.9 2003/10/15 09:29:38 mdw Exp $ * * Handling of symmetric keysets * @@ -29,6 +29,28 @@ /*----- Revision history --------------------------------------------------* * * $Log: keyset.c,v $ + * Revision 1.9 2003/10/15 09:29:38 mdw + * Cosmetic fix to changelog comment. + * + * Revision 1.8 2003/07/13 11:19:49 mdw + * Incompatible protocol fix! Include message type code under MAC tag to + * prevent cut-and-paste from key-exchange messages to general packet + * transport. + * + * Revision 1.7 2003/05/17 11:00:47 mdw + * Don't make scary messages just because one key didn't work on a message: + * only be frightened if they all fail. Set initial keyset refcount + * correctly. + * + * Revision 1.6 2003/04/06 10:26:35 mdw + * Report peer name on decrypt errors. + * + * Revision 1.5 2001/06/19 22:07:43 mdw + * Change the encrypted packet format to be non-malleable. + * + * Revision 1.4 2001/06/16 14:06:40 mdw + * Quantify collision probabilities for the stated data volume bounds. + * * Revision 1.3 2001/02/16 21:39:55 mdw * Major overhaul. Separate functions for manipulating keysets from * functions for manipulating keyset lists. Introduce a concept of @@ -48,6 +70,13 @@ /*----- Tunable parameters ------------------------------------------------*/ +/* --- Note on size limits --- * + * + * For a 64-bit block cipher (e.g., Blowfish), the probability of a collision + * occurring after 32 MB is less than %$2^{-21}$%, and the probability of a + * collision occurring after 64 MB is less than %$2^{-19}$%. + */ + #define T_EXP MIN(60) /* Expiry time for a key */ #define T_REGEN MIN(45) /* Regeneration time for a key */ #define SZ_EXP MEG(64) /* Expiry data size for a key */ @@ -59,9 +88,34 @@ /*----- Low-level packet encryption and decryption ------------------------*/ +/* --- Encrypted data format --- * + * + * Let %$p_i$% be the %$i$%-th plaintext message, with type %$t$%. We first + * compute + * + * %$c_i = \mathcal{E}\textrm{-CBC}_{K_{\text{E}}}(p_i)$% + * + * as the CBC-ciphertext of %$p_i$%, and then + * + * %$\sigma_i = \mathcal{T}_{K_{\text{M}}}(t, i, c_i)$% + * + * as a MAC on the %%\emph{ciphertext}%%. The message sent is then the pair + * %$(\sigma_i, c_i)$%. This construction is provably secure in the NM-CCA + * sense (assuming that the cipher is IND-CPA, and the MAC is SUF-CMA) + * [Bellare and Namprempre]. + * + * This also ensures that, assuming the key is good, we have a secure channel + * [Krawczyk]. Actually, [Krawczyk] shows that, if the cipher is either a + * simple stream cipher or a block cipher in CBC mode, we can use the MAC- + * then-encrypt scheme and still have a secure channel. However, I like the + * NM-CCA guarantee from [Bellare and Namprempre]. I'm less worried about + * the Horton Principle [Wagner and Schneier]. + */ + /* --- @doencrypt@ --- * * * Arguments: @keyset *ks@ = pointer to keyset to use + * @unsigned ty@ = type of message this is * @buf *b@ = pointer to an input buffer * @buf *bb@ = pointer to an output buffer * @@ -71,44 +125,48 @@ * keyset is OK to use. */ -static int doencrypt(keyset *ks, buf *b, buf *bb) +static int doencrypt(keyset *ks, unsigned ty, buf *b, buf *bb) { ghash *h; gcipher *c; - size_t ivsz; const octet *p = BCUR(b); size_t sz = BLEFT(b); - octet *qiv, *qseq, *qpk; + octet *qmac, *qseq, *qiv, *qpk; uint32 oseq; size_t osz, nsz; + octet t[4]; int rc = 0; /* --- Allocate the required buffer space --- */ c = ks->cout; - ivsz = c->ops->c->blksz; - if (buf_ensure(bb, ivsz + 4 + sz)) + if (buf_ensure(bb, MACSZ + SEQSZ + IVSZ + sz)) return (0); /* Caution! */ - qiv = BCUR(bb); qseq = qiv + ivsz; qpk = qseq + 4; - BSTEP(bb, ivsz + 4 + sz); + qmac = BCUR(bb); qseq = qmac + MACSZ; qiv = qseq + SEQSZ; qpk = qiv + IVSZ; + BSTEP(bb, MACSZ + SEQSZ + IVSZ + sz); + STORE32(t, ty); - /* --- MAC and encrypt the packet --- */ + /* --- Encrypt the packet --- */ oseq = ks->oseq++; STORE32(qseq, oseq); - h = ks->mout->ops->init(ks->mout); - h->ops->hash(h, qseq, 4); - h->ops->hash(h, p, sz); - memcpy(qiv, h->ops->done(h, 0), ivsz); - h->ops->destroy(h); + rand_get(RAND_GLOBAL, qiv, IVSZ); + c->ops->setiv(c, qiv); + c->ops->encrypt(c, p, qpk, sz); IF_TRACING(T_KEYSET, { trace(T_KEYSET, "keyset: encrypting packet %lu using keyset %u", (unsigned long)oseq, ks->seq); - trace_block(T_CRYPTO, "crypto: computed MAC", qiv, ivsz); + trace_block(T_CRYPTO, "crypto: encrypted packet", qpk, sz); }) - c->ops->setiv(c, qiv); - c->ops->encrypt(c, p, qpk, sz); + + /* --- Now compute the MAC --- */ + + h = ks->mout->ops->init(ks->mout); + h->ops->hash(h, t, sizeof(t)); + h->ops->hash(h, qseq, SEQSZ + IVSZ + sz); + memcpy(qmac, h->ops->done(h, 0), MACSZ); + h->ops->destroy(h); IF_TRACING(T_KEYSET, { - trace_block(T_CRYPTO, "crypto: encrypted packet", qpk, sz); + trace_block(T_CRYPTO, "crypto: computed MAC", qmac, MACSZ); }) /* --- Deduct the packet size from the key's data life --- */ @@ -130,6 +188,7 @@ static int doencrypt(keyset *ks, buf *b, buf *bb) /* --- @dodecrypt@ --- * * * Arguments: @keyset *ks@ = pointer to keyset to use + * @unsigned ty@ = expected type code * @buf *b@ = pointer to an input buffer * @buf *bb@ = pointer to an output buffer * @uint32 *seq@ = where to store the sequence number @@ -144,9 +203,9 @@ static int doencrypt(keyset *ks, buf *b, buf *bb) * packet, and the packet's sequence number is stored in @*seq@. */ -static int dodecrypt(keyset *ks, buf *b, buf *bb, uint32 *seq) +static int dodecrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) { - const octet *piv, *pseq, *ppk; + const octet *pmac, *piv, *pseq, *ppk; size_t psz = BLEFT(b); size_t sz; octet *q = BCUR(bb); @@ -155,6 +214,7 @@ static int dodecrypt(keyset *ks, buf *b, buf *bb, uint32 *seq) size_t ivsz = c->ops->c->blksz; octet *mac; int eq; + octet t[4]; /* --- Break up the packet into its components --- */ @@ -162,31 +222,34 @@ static int dodecrypt(keyset *ks, buf *b, buf *bb, uint32 *seq) T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); ) return (-1); } - sz = psz - ivsz - 4; - piv = BCUR(b); pseq = piv + ivsz; ppk = pseq + 4; + sz = psz - IVSZ - SEQSZ - MACSZ; + pmac = BCUR(b); pseq = pmac + MACSZ; piv = pseq + SEQSZ; ppk = piv + IVSZ; + STORE32(t, ty); - /* --- Attempt to decrypt the packet --- */ + /* --- Verify the MAC on the packet --- */ - c->ops->setiv(c, piv); - c->ops->decrypt(c, ppk, q, sz); h = ks->min->ops->init(ks->min); - h->ops->hash(h, pseq, 4); - h->ops->hash(h, q, sz); + h->ops->hash(h, t, sizeof(t)); + h->ops->hash(h, pseq, SEQSZ + IVSZ + sz); mac = h->ops->done(h, 0); - eq = !memcmp(mac, piv, ivsz); + eq = !memcmp(mac, pmac, MACSZ); IF_TRACING(T_KEYSET, { trace(T_KEYSET, "keyset: decrypting using keyset %u", ks->seq); - trace_block(T_CRYPTO, "crypto: computed MAC", mac, ivsz); + trace_block(T_CRYPTO, "crypto: computed MAC", mac, MACSZ); }) h->ops->destroy(h); if (!eq) { IF_TRACING(T_KEYSET, { - trace(T_KEYSET, "keyset: decryption failed"); - trace_block(T_CRYPTO, "crypto: expected MAC", piv, ivsz); - trace_block(T_CRYPTO, "crypto: invalid packet", q, sz); + trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); + trace_block(T_CRYPTO, "crypto: expected MAC", pmac, MACSZ); }) return (-1); } + + /* --- Decrypt the packet --- */ + + c->ops->setiv(c, piv); + c->ops->decrypt(c, ppk, q, sz); if (seq) *seq = LOAD32(pseq); IF_TRACING(T_KEYSET, { @@ -264,6 +327,7 @@ void ks_drop(keyset *ks) * * Arguments: @const void *k@ = pointer to key material * @size_t x, y, z@ = offsets into key material (see below) + * @peer *p@ = pointer to peer information * * Returns: A pointer to the new keyset. * @@ -282,13 +346,13 @@ void ks_drop(keyset *ks) * calling @ks_encrypt@ directly. */ -keyset *ks_gen(const void *k, size_t x, size_t y, size_t z) +keyset *ks_gen(const void *k, size_t x, size_t y, size_t z, peer *p) { HASH_CTX h; octet buf[HASHSZ]; keyset *ks = CREATE(keyset); time_t now = time(0); - const octet *p = k; + const octet *pp = k; T( static unsigned seq = 0; ) T( trace(T_KEYSET, "keyset: adding new keyset %u", seq); ) @@ -298,9 +362,9 @@ keyset *ks_gen(const void *k, size_t x, size_t y, size_t z) * This is done with macros, because it's quite tedious. */ -#define MINE HASH(&h, p, x) -#define YOURS HASH(&h, p + x, y - x) -#define OURS HASH(&h, p + y, z - y) +#define MINE HASH(&h, pp, x) +#define YOURS HASH(&h, pp + x, y - x) +#define OURS HASH(&h, pp + y, z - y) #define IN MINE; YOURS; OURS #define OUT YOURS; MINE; OURS @@ -333,11 +397,13 @@ keyset *ks_gen(const void *k, size_t x, size_t y, size_t z) #undef GETHASH T( ks->seq = seq++; ) + ks->ref = 1; ks->t_exp = now + T_EXP; ks->sz_exp = SZ_EXP; ks->oseq = ks->iseq = 0; ks->iwin = 0; ks->next = 0; + ks->p = p; ks->f = KSF_LISTEN; BURN(buf); return (ks); @@ -373,6 +439,7 @@ void ks_activate(keyset *ks) /* --- @ks_encrypt@ --- * * * Arguments: @keyset *ks@ = pointer to a keyset + * @unsigned ty@ = message type * @buf *b@ = pointer to input buffer * @buf *bb@ = pointer to output buffer * @@ -386,7 +453,7 @@ void ks_activate(keyset *ks) * used even if it's marked as not for data output. */ -int ks_encrypt(keyset *ks, buf *b, buf *bb) +int ks_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) { time_t now = time(0); @@ -394,12 +461,13 @@ int ks_encrypt(keyset *ks, buf *b, buf *bb) buf_break(bb); return (0); } - return (doencrypt(ks, b, bb)); + return (doencrypt(ks, ty, b, bb)); } /* --- @ks_decrypt@ --- * * * Arguments: @keyset *ks@ = pointer to a keyset + * @unsigned ty@ = expected type code * @buf *b@ = pointer to an input buffer * @buf *bb@ = pointer to an output buffer * @@ -410,14 +478,14 @@ int ks_encrypt(keyset *ks, buf *b, buf *bb) * marking that it's not for encryption. */ -int ks_decrypt(keyset *ks, buf *b, buf *bb) +int ks_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb) { time_t now = time(0); uint32 seq; if (!KEYOK(ks, now) || buf_ensure(bb, BLEN(b)) || - dodecrypt(ks, b, bb, &seq) || + dodecrypt(ks, ty, b, bb, &seq) || dosequence(ks, seq)) return (-1); return (0); @@ -504,6 +572,7 @@ void ksl_prune(keyset **ksroot) /* --- @ksl_encrypt@ --- * * * Arguments: @keyset **ksroot@ = pointer to keyset list head + * @unsigned ty@ = message type * @buf *b@ = pointer to input buffer * @buf *bb@ = pointer to output buffer * @@ -512,7 +581,7 @@ void ksl_prune(keyset **ksroot) * Use: Encrypts a packet. */ -int ksl_encrypt(keyset **ksroot, buf *b, buf *bb) +int ksl_encrypt(keyset **ksroot, unsigned ty, buf *b, buf *bb) { time_t now = time(0); keyset *ks = *ksroot; @@ -528,12 +597,13 @@ int ksl_encrypt(keyset **ksroot, buf *b, buf *bb) ks = ks->next; } - return (doencrypt(ks, b, bb)); + return (doencrypt(ks, ty, b, bb)); } /* --- @ksl_decrypt@ --- * * * Arguments: @keyset **ksroot@ = pointer to keyset list head + * @unsigned ty@ = expected type code * @buf *b@ = pointer to input buffer * @buf *bb@ = pointer to output buffer * @@ -542,7 +612,7 @@ int ksl_encrypt(keyset **ksroot, buf *b, buf *bb) * Use: Decrypts a packet. */ -int ksl_decrypt(keyset **ksroot, buf *b, buf *bb) +int ksl_decrypt(keyset **ksroot, unsigned ty, buf *b, buf *bb) { time_t now = time(0); keyset *ks; @@ -554,7 +624,7 @@ int ksl_decrypt(keyset **ksroot, buf *b, buf *bb) for (ks = *ksroot; ks; ks = ks->next) { if (!KEYOK(ks, now)) continue; - if (!dodecrypt(ks, b, bb, &seq)) { + if (!dodecrypt(ks, ty, b, bb, &seq)) { if (ks->f & KSF_LISTEN) { T( trace(T_KEYSET, "keyset: implicitly activating keyset %u", ks->seq); ) @@ -563,7 +633,7 @@ int ksl_decrypt(keyset **ksroot, buf *b, buf *bb) return (dosequence(ks, seq)); } } - T( trace(T_KEYSET, "keyset: no matching keys"); ) + T( trace(T_KEYSET, "keyset: no matching keys, or incorrect MAC"); ) return (-1); }