keyDerivation.cpp

   1 /*
   2  *  anytun
   3  *
   4  *  The secure anycast tunneling protocol (satp) defines a protocol used
   5  *  for communication between any combination of unicast and anycast
   6  *  tunnel endpoints.  It has less protocol overhead than IPSec in Tunnel
   7  *  mode and allows tunneling of every ETHER TYPE protocol (e.g.
   8  *  ethernet, ip, arp ...). satp directly includes cryptography and
   9  *  message authentication based on the methodes used by SRTP.  It is
  10  *  intended to deliver a generic, scaleable and secure solution for
  11  *  tunneling and relaying of packets of any protocol.
  12  *
  13  *
  14  *  Copyright (C) 2007 anytun.org <satp@wirdorange.org>
  15  *
  16  *  This program is free software; you can redistribute it and/or modify
  17  *  it under the terms of the GNU General Public License version 2
  18  *  as published by the Free Software Foundation.
  19  *
  20  *  This program is distributed in the hope that it will be useful,
  21  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  22  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  23  *  GNU General Public License for more details.
  24  *
  25  *  You should have received a copy of the GNU General Public License
  26  *  along with this program (see the file COPYING included with this
  27  *  distribution); if not, write to the Free Software Foundation, Inc.,
  28  *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  29  */
  30
  31
  32 #include "log.h"
  33 #include "keyDerivation.h"
  34 #include "mpi.h"
  35 #include "threadUtils.hpp"
  36
  37 #include <stdexcept>
  38 #include <iostream>
  39 #include <string>
  40
  41 #include <gcrypt.h>
  42
  43
  44 void KeyDerivation::setLogKDRate(const uint8_t log_rate)
  45 {
  46   Lock lock(mutex_);
  47   if( log_rate < 49 )
  48     ld_kdr_ = log_rate;
  49 }
  50
  51 //****** NullKeyDerivation ******
  52
  53 void NullKeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key)
  54 {
  55   for(u_int32_t i=0; i < key.getLength(); ++i) key[i] = 0;
  56 }
  57
  58 //****** AesIcmKeyDerivation ******
  59
  60 AesIcmKeyDerivation::~AesIcmKeyDerivation()
  61 {
  62   Lock lock(mutex_);
  63   if(cipher_)
  64     gcry_cipher_close( cipher_ );
  65 }
  66
  67 void AesIcmKeyDerivation::updateMasterKey()
  68 {
  69   if(!cipher_)
  70     return;
  71
  72   gcry_error_t err = gcry_cipher_setkey( cipher_, master_key_.getBuf(), master_key_.getLength() );
  73   if( err )
  74     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::updateMasterKey: Failed to set cipher key: " << gpg_strerror( err );
  75 }
  76
  77 void AesIcmKeyDerivation::init(Buffer key, Buffer salt)
  78 {
  79   Lock lock(mutex_);
  80   if(cipher_)
  81     gcry_cipher_close( cipher_ );
  82
  83   // TODO: hardcoded size
  84   gcry_error_t err = gcry_cipher_open( &cipher_, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0 );
  85   if( err ) {
  86     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::init: Failed to open cipher: " << gpg_strerror( err );
  87     return;
  88   }
  89
  90   master_salt_ = SyncBuffer(salt);
  91   master_key_ = SyncBuffer(key);
  92
  93   updateMasterKey();
  94 }
  95
  96 void AesIcmKeyDerivation::generate(satp_prf_label label, seq_nr_t seq_nr, Buffer& key)
  97 {
  98   Lock lock(mutex_);
  99   if(!cipher_)
 100   {
 101     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: cipher not opened";
 102     return;
 103   }
 104
 105   gcry_error_t err = gcry_cipher_reset( cipher_ );
 106   if( err )
 107     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to reset cipher: " << gpg_strerror( err );
 108
 109   // see at: http://tools.ietf.org/html/rfc3711#section-4.3
 110   // *  Let r = index DIV key_derivation_rate (with DIV as defined above).
 111   // *  Let key_id = <label> || r.
 112   // *  Let x = key_id XOR master_salt, where key_id and master_salt are
 113   //    aligned so that their least significant bits agree (right-
 114   //    alignment).
 115   //
 116
 117   Mpi r(48); // ld(kdr) <= 48
 118   if( ld_kdr_ == -1 )    // means key_derivation_rate = 0
 119     r = 0;  // TODO: no new key should be generated if r == 0, except it is the first time
 120   else
 121   {
 122     Mpi seq(32);
 123     seq = seq_nr;
 124     Mpi rate(48);
 125     rate = 1;
 126     rate = rate.mul2exp(ld_kdr_);
 127     r = seq / rate;
 128   }
 129       // TODO: generate key only if index % r == 0, except it is the first time
 130
 131   Mpi key_id(128);                                                   // TODO: hardcoded size
 132   Mpi l(128);                                                 // TODO: hardcoded size
 133   l = label;
 134   key_id = l.mul2exp(48) + r;
 135
 136   Mpi salt(master_salt_.getBuf(), master_salt_.getLength());
 137   Mpi x(128);                                                        // TODO: hardcoded size
 138   x = key_id ^ salt;
 139
 140   u_int32_t written;
 141   u_int8_t *ctr_buf = x.mul2exp(16).getNewBuf(&written);         // TODO: hardcoded size
 142   err = gcry_cipher_setctr( cipher_ , ctr_buf, written );
 143   delete[] ctr_buf;
 144
 145   if( err )
 146     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to set CTR: " << gpg_strerror( err );
 147
 148   for(u_int32_t i=0; i < key.getLength(); ++i) key[i] = 0;
 149   err = gcry_cipher_encrypt( cipher_, key, key.getLength(), NULL, 0);
 150   if( err )
 151     cLog.msg(Log::PRIO_ERR) << "KeyDerivation::generate: Failed to generate cipher bitstream: " << gpg_strerror( err );
 152 }
 153