4 * The secure anycast tunneling protocol (satp) defines a protocol used
5 * for communication between any combination of unicast and anycast
6 * tunnel endpoints. It has less protocol overhead than IPSec in Tunnel
7 * mode and allows tunneling of every ETHER TYPE protocol (e.g.
8 * ethernet, ip, arp ...). satp directly includes cryptography and
9 * message authentication based on the methods used by SRTP. It is
10 * intended to deliver a generic, scaleable and secure solution for
11 * tunneling and relaying of packets of any protocol.
14 * Copyright (C) 2007-2014 Markus Grüneis, Othmar Gsenger, Erwin Nindl,
15 * Christian Pointner <satp@wirdorange.org>
17 * This file is part of Anytun.
19 * Anytun is free software: you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation, either version 3 of the License, or
24 * Anytun is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with Anytun. If not, see <http://www.gnu.org/licenses/>.
32 * In addition, as a special exception, the copyright holders give
33 * permission to link the code of portions of this program with the
34 * OpenSSL library under certain conditions as described in each
35 * individual source file, and distribute linked combinations
37 * You must obey the GNU General Public License in all respects
38 * for all of the code used other than OpenSSL. If you modify
39 * file(s) with this exception, you may extend this exception to your
40 * version of the file(s), but you are not obligated to do so. If you
41 * do not wish to do so, delete this exception statement from your
42 * version. If you delete this exception statement from all source
43 * files in the program, then also delete it here.
48 #include "anytunError.h"
49 #include "keyDerivation.h"
50 #include "threadUtils.hpp"
51 #include "datatypes.h"
63 #if defined(USE_SSL_CRYPTO)
64 #include <openssl/crypto.h>
65 #include <openssl/sha.h>
66 #include <openssl/modes.h>
67 #elif defined(USE_NETTLE)
68 #include <nettle/sha1.h>
69 #include <nettle/sha2.h>
70 #include <nettle/ctr.h>
76 void KeyDerivation::setRole(const role_t role)
78 WritersLock lock(mutex_);
80 cLog.msg(Log::PRIO_NOTICE) << "KeyDerivation: using role " << role_;
85 void KeyDerivation::calcMasterKey(std::string passphrase, uint16_t length)
87 cLog.msg(Log::PRIO_NOTICE) << "KeyDerivation: calculating master key from passphrase";
89 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation: bad master key length";
93 #if defined(USE_SSL_CRYPTO)
94 if(length > SHA256_DIGEST_LENGTH) {
95 #elif defined(USE_NETTLE)
96 if(length > SHA256_DIGEST_SIZE) {
97 #else // USE_GCRYPT is the default
98 if(length > gcry_md_get_algo_dlen(GCRY_MD_SHA256)) {
100 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation: master key too long for passphrase algorithm";
104 #if defined(USE_SSL_CRYPTO)
105 Buffer digest(uint32_t(SHA256_DIGEST_LENGTH));
106 SHA256(reinterpret_cast<const unsigned char*>(passphrase.c_str()), passphrase.length(), digest.getBuf());
107 #elif defined(USE_NETTLE)
108 Buffer digest(uint32_t(SHA256_DIGEST_SIZE));
109 struct sha256_ctx ctx;
111 sha256_update(&ctx, passphrase.length(), reinterpret_cast<const unsigned char*>(passphrase.c_str()));
112 sha256_digest(&ctx, digest.getLength(), digest.getBuf());
113 #else // USE_GCRYPT is the default
114 Buffer digest(static_cast<uint32_t>(gcry_md_get_algo_dlen(GCRY_MD_SHA256)));
115 gcry_md_hash_buffer(GCRY_MD_SHA256, digest.getBuf(), passphrase.c_str(), passphrase.length());
117 master_key_.setLength(length);
119 std::memcpy(master_key_.getBuf(), &digest.getBuf()[digest.getLength() - master_key_.getLength()], master_key_.getLength());
122 void KeyDerivation::calcMasterSalt(std::string passphrase, uint16_t length)
124 cLog.msg(Log::PRIO_NOTICE) << "KeyDerivation: calculating master salt from passphrase";
126 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation: bad master salt length";
130 #if defined(USE_SSL_CRYPTO)
131 if(length > SHA_DIGEST_LENGTH) {
132 #elif defined(USE_NETTLE)
133 if(length > SHA1_DIGEST_SIZE) {
134 #else // USE_GCRYPT is the default
135 if(length > gcry_md_get_algo_dlen(GCRY_MD_SHA1)) {
137 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation: master key too long for passphrase algorithm";
141 #if defined(USE_SSL_CRYPTO)
142 Buffer digest(uint32_t(SHA_DIGEST_LENGTH));
143 SHA1(reinterpret_cast<const unsigned char*>(passphrase.c_str()), passphrase.length(), digest.getBuf());
144 #elif defined(USE_NETTLE)
145 Buffer digest(uint32_t(SHA1_DIGEST_SIZE));
148 sha1_update(&ctx, passphrase.length(), reinterpret_cast<const unsigned char*>(passphrase.c_str()));
149 sha1_digest(&ctx, digest.getLength(), digest.getBuf());
150 #else // USE_GCRYPT is the default
151 Buffer digest(static_cast<uint32_t>(gcry_md_get_algo_dlen(GCRY_MD_SHA1)));
152 gcry_md_hash_buffer(GCRY_MD_SHA1, digest.getBuf(), passphrase.c_str(), passphrase.length());
154 master_salt_.setLength(length);
156 std::memcpy(master_salt_.getBuf(), &digest.getBuf()[digest.getLength() - master_salt_.getLength()], master_salt_.getLength());
161 satp_prf_label_t KeyDerivation::convertLabel(kd_dir_t dir, satp_prf_label_t label)
165 if(dir == KD_OUTBOUND) {
166 if(role_ == ROLE_LEFT) { return LABEL_LEFT_ENC; }
167 if(role_ == ROLE_RIGHT) { return LABEL_RIGHT_ENC; }
169 if(role_ == ROLE_LEFT) { return LABEL_RIGHT_ENC; }
170 if(role_ == ROLE_RIGHT) { return LABEL_LEFT_ENC; }
175 if(dir == KD_OUTBOUND) {
176 if(role_ == ROLE_LEFT) { return LABEL_LEFT_SALT; }
177 if(role_ == ROLE_RIGHT) { return LABEL_RIGHT_SALT; }
179 if(role_ == ROLE_LEFT) { return LABEL_RIGHT_SALT; }
180 if(role_ == ROLE_RIGHT) { return LABEL_LEFT_SALT; }
185 if(dir == KD_OUTBOUND) {
186 if(role_ == ROLE_LEFT) { return LABEL_LEFT_AUTH; }
187 if(role_ == ROLE_RIGHT) { return LABEL_RIGHT_AUTH; }
189 if(role_ == ROLE_LEFT) { return LABEL_RIGHT_AUTH; }
190 if(role_ == ROLE_RIGHT) { return LABEL_LEFT_AUTH; }
199 //****** NullKeyDerivation ******
201 bool NullKeyDerivation::generate(kd_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, Buffer& key)
203 std::memset(key.getBuf(), 0, key.getLength());
208 //****** AesIcmKeyDerivation ******
210 AesIcmKeyDerivation::AesIcmKeyDerivation() : KeyDerivation(DEFAULT_KEY_LENGTH)
212 #if defined(USE_GCRYPT)
213 for(int i=0; i<2; i++) {
219 AesIcmKeyDerivation::AesIcmKeyDerivation(uint16_t key_length) : KeyDerivation(key_length)
221 #if defined(USE_GCRYPT)
222 for(int i=0; i<2; i++) {
228 AesIcmKeyDerivation::~AesIcmKeyDerivation()
230 WritersLock lock(mutex_);
231 #if defined(USE_GCRYPT)
232 for(int i=0; i<2; i++)
234 gcry_cipher_close(handle_[i]);
239 void AesIcmKeyDerivation::init(Buffer key, Buffer salt, std::string passphrase)
241 WritersLock lock(mutex_);
243 is_initialized_ = false;
244 #ifndef NO_PASSPHRASE
245 if(passphrase != "" && !key.getLength()) {
246 calcMasterKey(passphrase, key_length_/8);
248 master_key_ = SyncBuffer(key);
251 if(passphrase != "" && !salt.getLength()) {
252 calcMasterSalt(passphrase, SALT_LENGTH);
254 master_salt_ = SyncBuffer(salt);
257 master_key_ = SyncBuffer(key);
258 master_salt_ = SyncBuffer(salt);
264 void AesIcmKeyDerivation::updateMasterKey()
266 if(master_key_.getLength()*8 != key_length_) {
267 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::updateMasterKey: key lengths don't match";
271 if(master_salt_.getLength() != SALT_LENGTH) {
272 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::updateMasterKey: salt lengths don't match";
276 #if defined(USE_SSL_CRYPTO)
277 for(int i=0; i<2; i++) {
278 int ret = AES_set_encrypt_key(master_key_.getBuf(), master_key_.getLength()*8, &aes_key_[i]);
280 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::updateMasterKey: Failed to set ssl key (code: " << ret << ")";
284 #elif defined(USE_NETTLE)
285 for(int i=0; i<2; i++) {
286 aes_set_encrypt_key(&(ctx_[i]), master_key_.getLength(), master_key_.getBuf());
288 #else // USE_GCRYPT is the default
290 switch(key_length_) {
292 algo = GCRY_CIPHER_AES128;
295 algo = GCRY_CIPHER_AES192;
298 algo = GCRY_CIPHER_AES256;
301 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::updateMasterKey: cipher key length of " << key_length_ << " Bits is not supported";
306 for(int i=0; i<2; i++) {
308 gcry_cipher_close(handle_[i]);
311 gcry_error_t err = gcry_cipher_open(&handle_[i], algo, GCRY_CIPHER_MODE_CTR, 0);
313 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::updateMasterKey: Failed to open cipher: " << AnytunGpgError(err);
317 err = gcry_cipher_setkey(handle_[i], master_key_.getBuf(), master_key_.getLength());
319 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::updateMasterKey: Failed to set cipher key: " << AnytunGpgError(err);
324 is_initialized_ = true;
327 std::string AesIcmKeyDerivation::printType()
329 ReadersLock lock(mutex_);
331 std::stringstream sstr;
332 sstr << "AesIcm" << key_length_ << "KeyDerivation";
336 bool AesIcmKeyDerivation::calcCtr(kd_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr)
338 if(master_salt_.getLength() != SALT_LENGTH) {
339 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::calcCtr: salt lengths don't match";
342 std::memcpy(ctr_[dir].salt_.buf_, master_salt_.getBuf(), SALT_LENGTH);
343 ctr_[dir].salt_.zero_ = 0;
344 ctr_[dir].params_.label_ ^= SATP_PRF_LABEL_T_HTON(convertLabel(dir, label));
345 ctr_[dir].params_.seq_ ^= SEQ_NR_T_HTON(seq_nr);
350 bool AesIcmKeyDerivation::generate(kd_dir_t dir, satp_prf_label_t label, seq_nr_t seq_nr, Buffer& key)
352 ReadersLock lock(mutex_);
354 if(!is_initialized_) {
358 if(!calcCtr(dir, label, seq_nr)) {
362 #if defined(USE_SSL_CRYPTO)
363 if(CTR_LENGTH != AES_BLOCK_SIZE) {
364 cLog.msg(Log::PRIO_ERROR) << "AesIcmCipher: Failed to set cipher CTR: size doesn't fit";
367 unsigned int num = 0;
368 std::memset(key.getBuf(), 0, key.getLength());
369 std::memset(ecount_buf_[dir], 0, AES_BLOCK_SIZE);
370 CRYPTO_ctr128_encrypt(key.getBuf(), key.getBuf(), key.getLength(), &aes_key_[dir], ctr_[dir].buf_, ecount_buf_[dir], &num, (block128_f)AES_encrypt);
371 #elif defined(USE_NETTLE)
372 if(CTR_LENGTH != AES_BLOCK_SIZE) {
373 cLog.msg(Log::PRIO_ERROR) << "AesIcmCipher: Failed to set cipher CTR: size doesn't fit";
376 std::memset(key.getBuf(), 0, key.getLength());
377 ctr_crypt(&(ctx_[dir]), (nettle_crypt_func *)(aes_encrypt), AES_BLOCK_SIZE, ctr_[dir].buf_, key.getLength(), key.getBuf(), key.getBuf());
378 #else // USE_GCRYPT is the default
379 gcry_error_t err = gcry_cipher_reset(handle_[dir]);
381 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::generate: Failed to reset cipher: " << AnytunGpgError(err);
384 err = gcry_cipher_setctr(handle_[dir], ctr_[dir].buf_, CTR_LENGTH);
386 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::generate: Failed to set CTR: " << AnytunGpgError(err);
390 std::memset(key.getBuf(), 0, key.getLength());
391 err = gcry_cipher_encrypt(handle_[dir], key, key.getLength(), NULL, 0);
393 cLog.msg(Log::PRIO_ERROR) << "KeyDerivation::generate: Failed to generate cipher bitstream: " << AnytunGpgError(err);