X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/tripe/blobdiff_plain/e6b06b6b61b4b877937d4a56ba704d3f18154dc2..786989941b7b4504f0234c4a318f929802e981ad:/server/keyset.c diff --git a/server/keyset.c b/server/keyset.c new file mode 100644 index 00000000..bb2397fc --- /dev/null +++ b/server/keyset.c @@ -0,0 +1,598 @@ +/* -*-c-*- + * + * $Id$ + * + * Handling of symmetric keysets + * + * (c) 2001 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Trivial IP Encryption (TrIPE). + * + * TrIPE is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * TrIPE is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with TrIPE; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/*----- Header files ------------------------------------------------------*/ + +#include "tripe.h" + +/*----- Tunable parameters ------------------------------------------------*/ + +/* --- Note on size limits --- * + * + * For a 64-bit block cipher (e.g., Blowfish), the probability of a collision + * occurring after 32 MB is less than %$2^{-21}$%, and the probability of a + * collision occurring after 64 MB is less than %$2^{-19}$%. These could be + * adjusted dependent on the encryption scheme, but it's too much pain. + */ + +#define T_EXP MIN(60) /* Expiry time for a key */ +#define T_REGEN MIN(45) /* Regeneration time for a key */ +#define SZ_EXP MEG(64) /* Expiry data size for a key */ +#define SZ_REGEN MEG(32) /* Data size threshold for regen */ + +/*----- Handy macros ------------------------------------------------------*/ + +#define KEYOK(ks, now) ((ks)->sz_exp > 0 && (ks)->t_exp > now) + +#define SEQSZ 4 /* Size of sequence number packet */ + +/*----- Low-level packet encryption and decryption ------------------------*/ + +/* --- Encrypted data format --- * + * + * Let %$p_i$% be the %$i$%-th plaintext message, with type %$t$%. We first + * compute + * + * %$c_i = \mathcal{E}\textrm{-CBC}_{K_{\text{E}}}(p_i)$% + * + * as the CBC-ciphertext of %$p_i$%, and then + * + * %$\sigma_i = \mathcal{T}_{K_{\text{M}}}(t, i, c_i)$% + * + * as a MAC on the %%\emph{ciphertext}%%. The message sent is then the pair + * %$(\sigma_i, c_i)$%. This construction is provably secure in the NM-CCA + * sense (assuming that the cipher is IND-CPA, and the MAC is SUF-CMA) + * [Bellare and Namprempre]. + * + * This also ensures that, assuming the key is good, we have a secure channel + * [Krawczyk]. Actually, [Krawczyk] shows that, if the cipher is either a + * simple stream cipher or a block cipher in CBC mode, we can use the MAC- + * then-encrypt scheme and still have a secure channel. However, I like the + * NM-CCA guarantee from [Bellare and Namprempre]. I'm less worried about + * the Horton Principle [Wagner and Schneier]. + */ + +/* --- @doencrypt@ --- * + * + * Arguments: @keyset *ks@ = pointer to keyset to use + * @unsigned ty@ = type of message this is + * @buf *b@ = pointer to an input buffer + * @buf *bb@ = pointer to an output buffer + * + * Returns: Zero if OK, nonzero if a new key is required. + * + * Use: Encrypts a message with the given key. We assume that the + * keyset is OK to use. + */ + +static int doencrypt(keyset *ks, unsigned ty, buf *b, buf *bb) +{ + ghash *h; + gcipher *c = ks->cout; + const octet *p = BCUR(b); + size_t sz = BLEFT(b); + octet *qmac, *qseq, *qiv, *qpk; + uint32 oseq; + size_t ivsz = GC_CLASS(c)->blksz; + size_t tagsz = ks->tagsz; + size_t osz, nsz; + octet t[4]; + int rc = 0; + + /* --- Allocate the required buffer space --- */ + + if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) + return (0); /* Caution! */ + qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz; + BSTEP(bb, tagsz + SEQSZ + ivsz + sz); + STORE32(t, ty); + + oseq = ks->oseq++; STORE32(qseq, oseq); + IF_TRACING(T_KEYSET, { + trace(T_KEYSET, "keyset: encrypting packet %lu using keyset %u", + (unsigned long)oseq, ks->seq); + trace_block(T_CRYPTO, "crypto: plaintext packet", p, sz); + }) + + /* --- Encrypt the packet --- */ + + if (ivsz) { + rand_get(RAND_GLOBAL, qiv, ivsz); + GC_SETIV(c, qiv); + IF_TRACING(T_KEYSET, { + trace_block(T_CRYPTO, "crypto: initialization vector", qiv, ivsz); + }) + } + GC_ENCRYPT(c, p, qpk, sz); + IF_TRACING(T_KEYSET, { + trace_block(T_CRYPTO, "crypto: encrypted packet", qpk, sz); + }) + + /* --- Now compute the MAC --- */ + + if (tagsz) { + h = GM_INIT(ks->mout); + GH_HASH(h, t, sizeof(t)); + GH_HASH(h, qseq, SEQSZ + ivsz + sz); + memcpy(qmac, GH_DONE(h, 0), tagsz); + GH_DESTROY(h); + IF_TRACING(T_KEYSET, { + trace_block(T_CRYPTO, "crypto: computed MAC", qmac, tagsz); + }) + } + + /* --- Deduct the packet size from the key's data life --- */ + + osz = ks->sz_exp; + if (osz > sz) + nsz = osz - sz; + else + nsz = 0; + if (osz >= SZ_REGEN && nsz < SZ_REGEN) { + T( trace(T_KEYSET, "keyset: keyset %u data regen limit exceeded -- " + "forcing exchange", ks->seq); ) + rc = -1; + } + ks->sz_exp = nsz; + return (rc); +} + +/* --- @dodecrypt@ --- * + * + * Arguments: @keyset *ks@ = pointer to keyset to use + * @unsigned ty@ = expected type code + * @buf *b@ = pointer to an input buffer + * @buf *bb@ = pointer to an output buffer + * @uint32 *seq@ = where to store the sequence number + * + * Returns: Zero if OK, nonzero if it failed. + * + * Use: Attempts to decrypt a message with the given key. No other + * checking (e.g., sequence number checks) is performed. We + * assume that the keyset is OK to use, and that there is + * sufficient output buffer space reserved. If the decryption + * is successful, the buffer pointer is moved past the decrypted + * packet, and the packet's sequence number is stored in @*seq@. + */ + +static int dodecrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) +{ + const octet *pmac, *piv, *pseq, *ppk; + size_t psz = BLEFT(b); + size_t sz; + octet *q = BCUR(bb); + ghash *h; + gcipher *c = ks->cin; + size_t ivsz = GC_CLASS(c)->blksz; + size_t tagsz = ks->tagsz; + octet *mac; + int eq; + octet t[4]; + + /* --- Break up the packet into its components --- */ + + if (psz < ivsz + SEQSZ + tagsz) { + T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); ) + return (-1); + } + sz = psz - ivsz - SEQSZ - tagsz; + pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz; + STORE32(t, ty); + + IF_TRACING(T_KEYSET, { + trace(T_KEYSET, "keyset: decrypting using keyset %u", ks->seq); + trace_block(T_CRYPTO, "crypto: ciphertext packet", ppk, sz); + }) + + /* --- Verify the MAC on the packet --- */ + + if (tagsz) { + h = GM_INIT(ks->min); + GH_HASH(h, t, sizeof(t)); + GH_HASH(h, pseq, SEQSZ + ivsz + sz); + mac = GH_DONE(h, 0); + eq = !memcmp(mac, pmac, tagsz); + IF_TRACING(T_KEYSET, { + trace_block(T_CRYPTO, "crypto: computed MAC", mac, tagsz); + }) + GH_DESTROY(h); + if (!eq) { + IF_TRACING(T_KEYSET, { + trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); + trace_block(T_CRYPTO, "crypto: expected MAC", pmac, tagsz); + }) + return (-1); + } + } + + /* --- Decrypt the packet --- */ + + if (ivsz) { + GC_SETIV(c, piv); + IF_TRACING(T_KEYSET, { + trace_block(T_CRYPTO, "crypto: initialization vector", piv, ivsz); + }) + } + GC_DECRYPT(c, ppk, q, sz); + if (seq) + *seq = LOAD32(pseq); + IF_TRACING(T_KEYSET, { + trace(T_KEYSET, "keyset: decrypted OK (sequence = %lu)", + (unsigned long)LOAD32(pseq)); + trace_block(T_CRYPTO, "crypto: decrypted packet", q, sz); + }) + BSTEP(bb, sz); + return (0); +} + +/*----- Operations on a single keyset -------------------------------------*/ + +/* --- @ks_drop@ --- * + * + * Arguments: @keyset *ks@ = pointer to a keyset + * + * Returns: --- + * + * Use: Decrements a keyset's reference counter. If the counter hits + * zero, the keyset is freed. + */ + +void ks_drop(keyset *ks) +{ + if (--ks->ref) + return; + GC_DESTROY(ks->cin); + GC_DESTROY(ks->cout); + GM_DESTROY(ks->min); + GM_DESTROY(ks->mout); + DESTROY(ks); +} + +/* --- @ks_gen@ --- * + * + * Arguments: @const void *k@ = pointer to key material + * @size_t x, y, z@ = offsets into key material (see below) + * @peer *p@ = pointer to peer information + * + * Returns: A pointer to the new keyset. + * + * Use: Derives a new keyset from the given key material. The + * offsets @x@, @y@ and @z@ separate the key material into three + * parts. Between the @k@ and @k + x@ is `my' contribution to + * the key material; between @k + x@ and @k + y@ is `your' + * contribution; and between @k + y@ and @k + z@ is a shared + * value we made together. These are used to construct two + * pairs of symmetric keys. Each pair consists of an encryption + * key and a message authentication key. One pair is used for + * outgoing messages, the other for incoming messages. + * + * The new key is marked so that it won't be selected for output + * by @ksl_encrypt@. You can still encrypt data with it by + * calling @ks_encrypt@ directly. + */ + +keyset *ks_gen(const void *k, size_t x, size_t y, size_t z, peer *p) +{ + ghash *h; + const octet *hh; + keyset *ks = CREATE(keyset); + time_t now = time(0); + const octet *pp = k; + T( static unsigned seq = 0; ) + + T( trace(T_KEYSET, "keyset: adding new keyset %u", seq); ) + + /* --- Construct the various keys --- * + * + * This is done with macros, because it's quite tedious. + */ + +#define MINE GH_HASH(h, pp, x) +#define YOURS GH_HASH(h, pp + x, y - x) +#define OURS GH_HASH(h, pp + y, z - y) + +#define HASH_in MINE; YOURS; OURS +#define HASH_out YOURS; MINE; OURS +#define INIT_c(k) GC_INIT(algs.c, (k), algs.cksz) +#define INIT_m(k) GM_KEY(algs.m, (k), algs.mksz) +#define STR_c "encryption" +#define STR_m "integrity" +#define STR_in "incoming" +#define STR_out "outgoing" + +#define SETKEY(a, dir) do { \ + h = GH_INIT(algs.h); \ + HASH_STRING(h, "tripe-" STR_##a); \ + HASH_##dir; \ + hh = GH_DONE(h, 0); \ + IF_TRACING(T_KEYSET, { \ + trace_block(T_CRYPTO, "crypto: " STR_##dir " key " STR_##a, \ + hh, algs.a##ksz); \ + }) \ + ks->a##dir = INIT_##a(hh); \ + GH_DESTROY(h); \ +} while (0) + + SETKEY(c, in); SETKEY(c, out); + SETKEY(m, in); SETKEY(m, out); + +#undef MINE +#undef YOURS +#undef OURS +#undef STR_c +#undef STR_m +#undef STR_in +#undef STR_out +#undef INIT_c +#undef INIT_m +#undef HASH_in +#undef HASH_out +#undef SETKEY + + T( ks->seq = seq++; ) + ks->ref = 1; + ks->t_exp = now + T_EXP; + ks->sz_exp = SZ_EXP; + ks->oseq = 0; + seq_reset(&ks->iseq); + ks->next = 0; + ks->p = p; + ks->f = KSF_LISTEN; + ks->tagsz = algs.tagsz; + return (ks); +} + +/* --- @ks_tregen@ --- * + * + * Arguments: @keyset *ks@ = pointer to a keyset + * + * Returns: The time at which moves ought to be made to replace this key. + */ + +time_t ks_tregen(keyset *ks) { return (ks->t_exp - T_EXP + T_REGEN); } + +/* --- @ks_activate@ --- * + * + * Arguments: @keyset *ks@ = pointer to a keyset + * + * Returns: --- + * + * Use: Activates a keyset, so that it can be used for encrypting + * outgoing messages. + */ + +void ks_activate(keyset *ks) +{ + if (ks->f & KSF_LISTEN) { + T( trace(T_KEYSET, "keyset: activating keyset %u", ks->seq); ) + ks->f &= ~KSF_LISTEN; + } +} + +/* --- @ks_encrypt@ --- * + * + * Arguments: @keyset *ks@ = pointer to a keyset + * @unsigned ty@ = message type + * @buf *b@ = pointer to input buffer + * @buf *bb@ = pointer to output buffer + * + * Returns: Zero if OK, nonzero if the key needs replacing. If the + * encryption failed, the output buffer is broken and zero is + * returned. + * + * Use: Encrypts a block of data using the key. Note that the `key + * ought to be replaced' notification is only ever given once + * for each key. Also note that this call forces a keyset to be + * used even if it's marked as not for data output. + */ + +int ks_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) +{ + time_t now = time(0); + + if (!KEYOK(ks, now)) { + buf_break(bb); + return (0); + } + return (doencrypt(ks, ty, b, bb)); +} + +/* --- @ks_decrypt@ --- * + * + * Arguments: @keyset *ks@ = pointer to a keyset + * @unsigned ty@ = expected type code + * @buf *b@ = pointer to an input buffer + * @buf *bb@ = pointer to an output buffer + * + * Returns: Zero on success, or nonzero if there was some problem. + * + * Use: Attempts to decrypt a message using a given key. Note that + * requesting decryption with a key directly won't clear a + * marking that it's not for encryption. + */ + +int ks_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb) +{ + time_t now = time(0); + uint32 seq; + + if (!KEYOK(ks, now) || + buf_ensure(bb, BLEN(b)) || + dodecrypt(ks, ty, b, bb, &seq) || + seq_check(&ks->iseq, seq, "SYMM")) + return (-1); + return (0); +} + +/*----- Keyset list handling ----------------------------------------------*/ + +/* --- @ksl_free@ --- * + * + * Arguments: @keyset **ksroot@ = pointer to keyset list head + * + * Returns: --- + * + * Use: Frees (releases references to) all of the keys in a keyset. + */ + +void ksl_free(keyset **ksroot) +{ + keyset *ks, *ksn; + for (ks = *ksroot; ks; ks = ksn) { + ksn = ks->next; + ks->f &= ~KSF_LINK; + ks_drop(ks); + } +} + +/* --- @ksl_link@ --- * + * + * Arguments: @keyset **ksroot@ = pointer to keyset list head + * @keyset *ks@ = pointer to a keyset + * + * Returns: --- + * + * Use: Links a keyset into a list. A keyset can only be on one list + * at a time. Bad things happen otherwise. + */ + +void ksl_link(keyset **ksroot, keyset *ks) +{ + assert(!(ks->f & KSF_LINK)); + ks->next = *ksroot; + *ksroot = ks; + ks->f |= KSF_LINK; + ks->ref++; +} + +/* --- @ksl_prune@ --- * + * + * Arguments: @keyset **ksroot@ = pointer to keyset list head + * + * Returns: --- + * + * Use: Prunes the keyset list by removing keys which mustn't be used + * any more. + */ + +void ksl_prune(keyset **ksroot) +{ + time_t now = time(0); + + while (*ksroot) { + keyset *ks = *ksroot; + + if (ks->t_exp <= now) { + T( trace(T_KEYSET, "keyset: expiring keyset %u (time limit reached)", + ks->seq); ) + goto kill; + } else if (ks->sz_exp == 0) { + T( trace(T_KEYSET, "keyset: expiring keyset %u (data limit reached)", + ks->seq); ) + goto kill; + } else { + ksroot = &ks->next; + continue; + } + + kill: + *ksroot = ks->next; + ks->f &= ~KSF_LINK; + ks_drop(ks); + } +} + +/* --- @ksl_encrypt@ --- * + * + * Arguments: @keyset **ksroot@ = pointer to keyset list head + * @unsigned ty@ = message type + * @buf *b@ = pointer to input buffer + * @buf *bb@ = pointer to output buffer + * + * Returns: Nonzero if a new key is needed. + * + * Use: Encrypts a packet. + */ + +int ksl_encrypt(keyset **ksroot, unsigned ty, buf *b, buf *bb) +{ + time_t now = time(0); + keyset *ks = *ksroot; + + for (;;) { + if (!ks) { + T( trace(T_KEYSET, "keyset: no suitable keysets found"); ) + buf_break(bb); + return (-1); + } + if (KEYOK(ks, now) && !(ks->f & KSF_LISTEN)) + break; + ks = ks->next; + } + + return (doencrypt(ks, ty, b, bb)); +} + +/* --- @ksl_decrypt@ --- * + * + * Arguments: @keyset **ksroot@ = pointer to keyset list head + * @unsigned ty@ = expected type code + * @buf *b@ = pointer to input buffer + * @buf *bb@ = pointer to output buffer + * + * Returns: Nonzero if the packet couldn't be decrypted. + * + * Use: Decrypts a packet. + */ + +int ksl_decrypt(keyset **ksroot, unsigned ty, buf *b, buf *bb) +{ + time_t now = time(0); + keyset *ks; + uint32 seq; + + if (buf_ensure(bb, BLEN(b))) + return (-1); + + for (ks = *ksroot; ks; ks = ks->next) { + if (!KEYOK(ks, now)) + continue; + if (!dodecrypt(ks, ty, b, bb, &seq)) { + if (ks->f & KSF_LISTEN) { + T( trace(T_KEYSET, "keyset: implicitly activating keyset %u", + ks->seq); ) + ks->f &= ~KSF_LISTEN; + } + return (seq_check(&ks->iseq, seq, "SYMM")); + } + } + T( trace(T_KEYSET, "keyset: no matching keys, or incorrect MAC"); ) + return (-1); +} + +/*----- That's all, folks -------------------------------------------------*/