4 * uAnytun is a tiny implementation of SATP. Unlike Anytun which is a full
5 * featured implementation uAnytun has no support for multiple connections
6 * or synchronisation. It is a small single threaded implementation intended
7 * to act as a client on small platforms.
8 * The secure anycast tunneling protocol (satp) defines a protocol used
9 * for communication between any combination of unicast and anycast
10 * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
11 * mode and allows tunneling of every ETHER TYPE protocol (e.g.
12 * ethernet, ip, arp ...). satp directly includes cryptography and
13 * message authentication based on the methods used by SRTP. It is
14 * intended to deliver a generic, scaleable and secure solution for
15 * tunneling and relaying of packets of any protocol.
18 * Copyright (C) 2007-2014 Christian Pointner <equinox@anytun.org>
20 * This file is part of uAnytun.
22 * uAnytun is free software: you can redistribute it and/or modify
23 * it under the terms of the GNU General Public License as published by
24 * the Free Software Foundation, either version 3 of the License, or
27 * uAnytun is distributed in the hope that it will be useful,
28 * but WITHOUT ANY WARRANTY; without even the implied warranty of
29 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
30 * GNU General Public License for more details.
32 * You should have received a copy of the GNU General Public License
33 * along with uAnytun. If not, see <http://www.gnu.org/licenses/>.
35 * In addition, as a special exception, the copyright holders give
36 * permission to link the code of portions of this program with the
37 * OpenSSL library under certain conditions as described in each
38 * individual source file, and distribute linked combinations
40 * You must obey the GNU General Public License in all respects
41 * for all of the code used other than OpenSSL. If you modify
42 * file(s) with this exception, you may extend this exception to your
43 * version of the file(s), but you are not obligated to do so. If you
44 * do not wish to do so, delete this exception statement from your
45 * version. If you delete this exception statement from all source
46 * files in the program, then also delete it here.
49 #include "datatypes.h"
51 #include "key_derivation.h"
53 #if defined(USE_SSL_CRYPTO)
54 #include <openssl/crypto.h>
55 #include <openssl/sha.h>
56 #include <openssl/modes.h>
57 #elif defined(USE_NETTLE)
58 #include <nettle/sha1.h>
59 #include <nettle/sha2.h>
60 #include <nettle/ctr.h>
68 int key_derivation_init(key_derivation_t* kd, const char* type, role_t role, const char* passphrase, u_int8_t* key, u_int32_t key_len, u_int8_t* salt, u_int32_t salt_len)
76 kd->type_ = kd_unknown;
77 if(!strcmp(type, "null"))
79 else if(!strncmp(type, "aes-ctr", 7)) {
80 kd->type_ = kd_aes_ctr;
82 kd->key_length_ = KD_AESCTR_DEFAULT_KEY_LENGTH;
84 else if(type[7] != '-')
87 const char* tmp = &type[8];
88 kd->key_length_ = atoi(tmp);
92 log_printf(ERROR, "unknown key derivation type");
97 case ROLE_LEFT: log_printf(NOTICE, "key derivation role: left"); break;
98 case ROLE_RIGHT: log_printf(NOTICE, "key derivation role: right"); break;
99 default: log_printf(NOTICE, "key derivation role: unknown"); break;
104 kd->master_key_.buf_ = NULL;
105 kd->master_key_.length_ = 0;
108 kd->master_key_.buf_ = malloc(key_len);
109 if(!kd->master_key_.buf_)
111 memcpy(kd->master_key_.buf_, key, key_len);
112 kd->master_key_.length_ = key_len;
116 kd->master_salt_.buf_ = NULL;
117 kd->master_salt_.length_ = 0;
120 kd->master_salt_.buf_ = malloc(salt_len);
121 if(!kd->master_salt_.buf_) {
122 if(kd->master_key_.buf_)
123 free(kd->master_key_.buf_);
126 memcpy(kd->master_salt_.buf_, salt, salt_len);
127 kd->master_salt_.length_ = salt_len;
131 if(kd->type_ == kd_aes_ctr)
132 ret = key_derivation_aesctr_init(kd, passphrase);
135 key_derivation_close(kd);
140 #ifndef NO_PASSPHRASE
141 int key_derivation_generate_master_key(key_derivation_t* kd, const char* passphrase, u_int16_t key_length)
143 if(!kd || !passphrase)
146 if(kd->master_key_.buf_) {
147 log_printf(WARNING, "master key and passphrase provided, ignoring passphrase");
150 log_printf(NOTICE, "using passphrase to generate master key");
152 if(!key_length || (key_length % 8)) {
153 log_printf(ERROR, "bad master key length");
157 #if defined(USE_SSL_CRYPTO)
158 if(key_length > (SHA256_DIGEST_LENGTH * 8)) {
159 #elif defined(USE_NETTLE)
160 if(key_length > (SHA256_DIGEST_SIZE * 8)) {
161 #else // USE_GCRYPT is the default
162 if(key_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA256) * 8)) {
164 log_printf(ERROR, "master key too long for passphrase algorithm");
169 #if defined(USE_SSL_CRYPTO)
170 digest.length_ = SHA256_DIGEST_LENGTH;
171 #elif defined(USE_NETTLE)
172 digest.length_ = SHA256_DIGEST_SIZE;
173 #else // USE_GCRYPT is the default
174 digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
176 digest.buf_ = malloc(digest.length_);
181 #if defined(USE_SSL_CRYPTO)
182 SHA256((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);
183 #elif defined(USE_NETTLE)
184 struct sha256_ctx ctx;
186 sha256_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase);
187 sha256_digest(&ctx, digest.length_, digest.buf_);
188 #else // USE_GCRYPT is the default
189 gcry_md_hash_buffer(GCRY_MD_SHA256, digest.buf_, passphrase, strlen(passphrase));
192 kd->master_key_.length_ = key_length/8;
193 kd->master_key_.buf_ = malloc(kd->master_key_.length_);
194 if(!kd->master_key_.buf_) {
195 kd->master_key_.length_ = 0;
200 memcpy(kd->master_key_.buf_, &digest.buf_[digest.length_ - kd->master_key_.length_], kd->master_key_.length_);
206 int key_derivation_generate_master_salt(key_derivation_t* kd, const char* passphrase, u_int16_t salt_length)
208 if(!kd || !passphrase)
211 if(kd->master_salt_.buf_) {
212 log_printf(WARNING, "master salt and passphrase provided, ignoring passphrase");
215 log_printf(NOTICE, "using passphrase to generate master salt");
217 if(!salt_length || (salt_length % 8)) {
218 log_printf(ERROR, "bad master salt length");
222 #if defined(USE_SSL_CRYPTO)
223 if(salt_length > (SHA_DIGEST_LENGTH * 8)) {
224 #elif defined(USE_NETTLE)
225 if(salt_length > (SHA1_DIGEST_SIZE * 8)) {
226 #else // USE_GCRYPT is the default
227 if(salt_length > (gcry_md_get_algo_dlen(GCRY_MD_SHA1) * 8)) {
229 log_printf(ERROR, "master salt too long for passphrase algorithm");
234 #if defined(USE_SSL_CRYPTO)
235 digest.length_ = SHA_DIGEST_LENGTH;
236 #elif defined(USE_NETTLE)
237 digest.length_ = SHA1_DIGEST_SIZE;
238 #else // USE_GCRYPT is the default
239 digest.length_ = gcry_md_get_algo_dlen(GCRY_MD_SHA1);
241 digest.buf_ = malloc(digest.length_);
245 #if defined(USE_SSL_CRYPTO)
246 SHA1((const u_int8_t*)passphrase, strlen(passphrase), digest.buf_);
247 #elif defined(USE_NETTLE)
250 sha1_update(&ctx, strlen(passphrase), (const u_int8_t*)passphrase);
251 sha1_digest(&ctx, digest.length_, digest.buf_);
252 #else // USE_GCRYPT is the default
253 gcry_md_hash_buffer(GCRY_MD_SHA1, digest.buf_, passphrase, strlen(passphrase));
256 kd->master_salt_.length_ = salt_length/8;
257 kd->master_salt_.buf_ = malloc(kd->master_salt_.length_);
258 if(!kd->master_salt_.buf_) {
259 kd->master_salt_.length_ = 0;
264 memcpy(kd->master_salt_.buf_, &digest.buf_[digest.length_ - kd->master_salt_.length_], kd->master_salt_.length_);
271 void key_derivation_close(key_derivation_t* kd)
276 if(kd->type_ == kd_aes_ctr)
277 key_derivation_aesctr_close(kd);
279 if(kd->master_key_.buf_)
280 free(kd->master_key_.buf_);
281 if(kd->master_salt_.buf_)
282 free(kd->master_salt_.buf_);
285 int key_derivation_generate(key_derivation_t* kd, key_derivation_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len)
290 if(label >= LABEL_NIL) {
291 log_printf(ERROR, "unknown label 0x%02X", label);
296 if(kd->type_ == kd_null)
297 ret = key_derivation_null_generate(key, len);
298 else if(kd->type_ == kd_aes_ctr)
299 ret = key_derivation_aesctr_generate(kd, dir, label, seq_nr, key, len);
301 log_printf(ERROR, "unknown key derivation type");
307 satp_prf_label_t convert_label(role_t role, key_derivation_dir_t dir, satp_prf_label_t label)
311 if(dir == kd_outbound) {
312 if(role == ROLE_LEFT) return LABEL_LEFT_ENC;
313 if(role == ROLE_RIGHT) return LABEL_RIGHT_ENC;
316 if(role == ROLE_LEFT) return LABEL_RIGHT_ENC;
317 if(role == ROLE_RIGHT) return LABEL_LEFT_ENC;
322 if(dir == kd_outbound) {
323 if(role == ROLE_LEFT) return LABEL_LEFT_SALT;
324 if(role == ROLE_RIGHT) return LABEL_RIGHT_SALT;
327 if(role == ROLE_LEFT) return LABEL_RIGHT_SALT;
328 if(role == ROLE_RIGHT) return LABEL_LEFT_SALT;
333 if(dir == kd_outbound) {
334 if(role == ROLE_LEFT) return LABEL_LEFT_AUTH;
335 if(role == ROLE_RIGHT) return LABEL_RIGHT_AUTH;
338 if(role == ROLE_LEFT) return LABEL_RIGHT_AUTH;
339 if(role == ROLE_RIGHT) return LABEL_LEFT_AUTH;
348 /* ---------------- NULL Key Derivation ---------------- */
350 int key_derivation_null_generate(u_int8_t* key, u_int32_t len)
356 /* ---------------- AES-Ctr Key Derivation ---------------- */
358 int key_derivation_aesctr_init(key_derivation_t* kd, const char* passphrase)
365 kd->params_ = malloc(sizeof(key_derivation_aesctr_param_t));
369 key_derivation_aesctr_param_t* params = kd->params_;
374 #ifndef NO_PASSPHRASE
376 int ret = key_derivation_generate_master_key(kd, passphrase, kd->key_length_);
379 ret = key_derivation_generate_master_salt(kd, passphrase, KD_AESCTR_SALT_LENGTH*8);
385 #if defined(USE_SSL_CRYPTO)
386 int ret = AES_set_encrypt_key(kd->master_key_.buf_, kd->master_key_.length_*8, ¶ms->aes_key_);
388 log_printf(ERROR, "failed to set key derivation ssl aes-key (code: %d)", ret);
391 #elif defined(USE_NETTLE)
392 aes_set_encrypt_key(¶ms->ctx_, kd->master_key_.length_, kd->master_key_.buf_);
393 #else // USE_GCRYPT is the default
395 switch(kd->key_length_) {
396 case 128: algo = GCRY_CIPHER_AES128; break;
397 case 192: algo = GCRY_CIPHER_AES192; break;
398 case 256: algo = GCRY_CIPHER_AES256; break;
400 log_printf(ERROR, "key derivation key length of %d Bits is not supported", kd->key_length_);
405 gcry_error_t err = gcry_cipher_open(¶ms->handle_, algo, GCRY_CIPHER_MODE_CTR, 0);
407 log_printf(ERROR, "failed to open key derivation cipher: %s", gcry_strerror(err));
411 err = gcry_cipher_setkey(params->handle_, kd->master_key_.buf_, kd->master_key_.length_);
413 log_printf(ERROR, "failed to set key derivation key: %s", gcry_strerror(err));
421 void key_derivation_aesctr_close(key_derivation_t* kd)
428 key_derivation_aesctr_param_t* params = kd->params_;
430 gcry_cipher_close(params->handle_);
437 int key_derivation_aesctr_calc_ctr(key_derivation_t* kd, key_derivation_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr)
439 if(!kd || !kd->params_)
442 key_derivation_aesctr_param_t* params = kd->params_;
444 if(kd->master_salt_.length_ != KD_AESCTR_SALT_LENGTH) {
445 log_printf(ERROR, "master salt has wrong length");
448 memcpy(params->ctr_.salt_.buf_, kd->master_salt_.buf_, KD_AESCTR_SALT_LENGTH);
449 params->ctr_.salt_.zero_ = 0;
450 params->ctr_.params_.label_ ^= SATP_PRF_LABEL_T_HTON(convert_label(kd->role_, dir, label));
451 params->ctr_.params_.seq_ ^= SEQ_NR_T_HTON(seq_nr);
456 int key_derivation_aesctr_generate(key_derivation_t* kd, key_derivation_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, u_int8_t* key, u_int32_t len)
458 if(!kd || !kd->params_ || !kd->master_key_.buf_ || !kd->master_salt_.buf_) {
459 log_printf(ERROR, "key derivation not initialized or no key or salt set");
463 key_derivation_aesctr_param_t* params = kd->params_;
465 if(key_derivation_aesctr_calc_ctr(kd, dir, label, seq_nr)) {
466 log_printf(ERROR, "failed to calculate key derivation CTR");
470 #if defined(USE_SSL_CRYPTO)
471 if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
472 log_printf(ERROR, "failed to set key derivation CTR: size doesn't fit");
477 memset(params->ecount_buf_, 0, AES_BLOCK_SIZE);
478 CRYPTO_ctr128_encrypt(key, key, len, ¶ms->aes_key_, params->ctr_.buf_, params->ecount_buf_, &num, (block128_f)AES_encrypt);
479 #elif defined(USE_NETTLE)
480 if(KD_AESCTR_CTR_LENGTH != AES_BLOCK_SIZE) {
481 log_printf(ERROR, "failed to set cipher CTR: size doesn't fit");
485 ctr_crypt(¶ms->ctx_, (nettle_crypt_func *)(aes_encrypt), AES_BLOCK_SIZE, params->ctr_.buf_, len, key, key);
486 #else // USE_GCRYPT is the default
487 gcry_error_t err = gcry_cipher_reset(params->handle_);
489 log_printf(ERROR, "failed to reset key derivation cipher: %s", gcry_strerror(err));
493 err = gcry_cipher_setctr(params->handle_, params->ctr_.buf_, KD_AESCTR_CTR_LENGTH);
495 log_printf(ERROR, "failed to set key derivation CTR: %s", gcry_strerror(err));
500 err = gcry_cipher_encrypt(params->handle_, key, len, NULL, 0);
502 log_printf(ERROR, "failed to generate key derivation bitstream: %s", gcry_strerror(err));