src/keyDerivation.cpp

   1 /*
   2  *  anytun
   3  *
   4  *  The secure anycast tunneling protocol (satp) defines a protocol used
   5  *  for communication between any combination of unicast and anycast
   6  *  tunnel endpoints.  It has less protocol overhead than IPSec in Tunnel
   7  *  mode and allows tunneling of every ETHER TYPE protocol (e.g.
   8  *  ethernet, ip, arp ...). satp directly includes cryptography and
   9  *  message authentication based on the methodes used by SRTP.  It is
  10  *  intended to deliver a generic, scaleable and secure solution for
  11  *  tunneling and relaying of packets of any protocol.
  12  *
  13  *
  14  *  Copyright (C) 2007-2008 Othmar Gsenger, Erwin Nindl,
  15  *                          Christian Pointner <satp@wirdorange.org>
  16  *
  17  *  This file is part of Anytun.
  18  *
  19  *  Anytun is free software: you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License version 3 as
  21  *  published by the Free Software Foundation.
  22  *
  23  *  Anytun is distributed in the hope that it will be useful,
  24  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  25  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  26  *  GNU General Public License for more details.
  27  *
  28  *  You should have received a copy of the GNU General Public License
  29  *  along with anytun.  If not, see <http://www.gnu.org/licenses/>.
  30  */
  31
  32
  33 #include "log.h"
  34 #include "keyDerivation.h"
  35 #include "threadUtils.hpp"
  36 #include "datatypes.h"
  37
  38 #include <stdexcept>
  39 #include <iostream>
  40 #include <string>
  41
  42 #ifndef NOCRYPT
  43 #include <gcrypt.h>
  44 #include "mpi.h"
  45 #endif
  46
  47 void KeyDerivation::setLogKDRate(const u_int8_t log_rate)
  48 {
  49   Lock lock(mutex_);
  50   if( log_rate < 49 )
  51     ld_kdr_ = log_rate;
  52 }
  53
  54 //****** NullKeyDerivation ******
  55
  56 void NullKeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key)
  57 {
  58   for(u_int32_t i=0; i < key.getLength(); ++i) key[i] = 0;
  59 }
  60
  61 #ifndef NOCRYPT
  62 //****** AesIcmKeyDerivation ******
  63
  64 AesIcmKeyDerivation::~AesIcmKeyDerivation()
  65 {
  66   Lock lock(mutex_);
  67   if(cipher_)
  68     gcry_cipher_close( cipher_ );
  69 }
  70
  71 void AesIcmKeyDerivation::updateMasterKey()
  72 {
  73   if(!cipher_)
  74     return;
  75
  76   gcry_error_t err = gcry_cipher_setkey( cipher_, master_key_.getBuf(), master_key_.getLength() );
  77   if( err ) {
  78     char buf[STERROR_TEXT_MAX];
  79     buf[0] = 0;
  80     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::updateMasterKey: Failed to set cipher key: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
  81   }
  82 }
  83
  84 void AesIcmKeyDerivation::init(Buffer key, Buffer salt)
  85 {
  86   Lock lock(mutex_);
  87   if(cipher_)
  88     gcry_cipher_close( cipher_ );
  89
  90   // TODO: hardcoded size
  91   gcry_error_t err = gcry_cipher_open( &cipher_, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0 );
  92   if( err ) {
  93     char buf[STERROR_TEXT_MAX];
  94     buf[0] = 0;
  95     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to open cipher: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
  96     return;
  97   }
  98
  99   master_salt_ = SyncBuffer(salt);
 100   master_key_ = SyncBuffer(key);
 101
 102   updateMasterKey();
 103 }
 104
 105 void AesIcmKeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key)
 106 {
 107   Lock lock(mutex_);
 108   if(!cipher_)
 109   {
 110     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: cipher not opened";
 111     return;
 112   }
 113
 114   gcry_error_t err = gcry_cipher_reset( cipher_ );
 115   if( err ) {
 116     char buf[STERROR_TEXT_MAX];
 117     buf[0] = 0;
 118     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to reset cipher: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
 119   }
 120
 121   // see at: http://tools.ietf.org/html/rfc3711#section-4.3
 122   // *  Let r = index DIV key_derivation_rate (with DIV as defined above).
 123   // *  Let key_id = <label> || r.
 124   // *  Let x = key_id XOR master_salt, where key_id and master_salt are
 125   //    aligned so that their least significant bits agree (right-
 126   //    alignment).
 127   //
 128
 129   Mpi r(48); // ld(kdr) <= 48
 130   if( ld_kdr_ == -1 )    // means key_derivation_rate = 0
 131     r = 0;  // TODO: no new key should be generated if r == 0, except it is the first time
 132   else
 133   {
 134     Mpi seq(32);
 135     seq = seq_nr;
 136     Mpi rate(48);
 137     rate = 1;
 138     rate = rate.mul2exp(ld_kdr_);
 139     r = seq / rate;
 140   }
 141       // TODO: generate key only if index % r == 0, except it is the first time
 142
 143   Mpi key_id(128);                                                   // TODO: hardcoded size
 144   Mpi l(128);                                                 // TODO: hardcoded size
 145   l = label;
 146   key_id = l.mul2exp(48) + r;
 147
 148   Mpi salt(master_salt_.getBuf(), master_salt_.getLength());
 149   Mpi x(128);                                                        // TODO: hardcoded size
 150   x = key_id ^ salt;
 151
 152   size_t written;
 153   u_int8_t *ctr_buf = x.mul2exp(16).getNewBuf(&written);         // TODO: hardcoded size
 154   err = gcry_cipher_setctr( cipher_ , ctr_buf, written );
 155   delete[] ctr_buf;
 156
 157   if( err ) {
 158     char buf[STERROR_TEXT_MAX];
 159     buf[0] = 0;
 160     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to set CTR: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
 161   }
 162
 163   for(u_int32_t i=0; i < key.getLength(); ++i) key[i] = 0;
 164   err = gcry_cipher_encrypt( cipher_, key, key.getLength(), NULL, 0);
 165   if( err ) {
 166     char buf[STERROR_TEXT_MAX];
 167     buf[0] = 0;
 168     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to generate cipher bitstream: " << gpg_strerror_r(err, buf, STERROR_TEXT_MAX);
 169   }
 170 }
 171 #endif
 172