jmg
/
lora-irrigation
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
25 Commits
4 Branches
18 MiB
 
 
 
 
 
 
Tree: df2aac27e6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'df2aac27e6'
${ noResults }
lora-irrigation/strobe/strobe.c

472 lines
13 KiB
Raw Blame History 

  1. /**

  2.  * @cond internal

  3.  * @file strobe.c

  4.  * @copyright

  5.  *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n

  6.  *   Released under the MIT License.  See LICENSE.txt for license information.

  7.  * @author Mike Hamburg

  8.  * @brief Strobe protocol code.

  9.  */

  10. 

  11. #define __STDC_WANT_LIB_EXT1__ 1 /* for memset_s */

  12. #include <assert.h>

  13. #include <stdint.h>

  14. #include <string.h>

  15. #include <limits.h> /* for INT_MAX */

  16. 

  17. #include "strobe.h"

  18. #if X25519_SUPPORT_SIGN || X25519_SUPPORT_VERIFY || STROBE_CONVENIENCE_ECDH

  19. #include "x25519.h"

  20. #endif

  21. 

  22. /* Sets the security level at 128 bits (but this holds even

  23.  * when the attacker has lots of data).

  24.  */

  25. #define CAPACITY_BITS (2*STROBE_INTEROP_SECURITY_BITS)

  26. 

  27. /* Internal rate is 2 bytes less than sponge's "rate" */

  28. #define PAD_BYTES 2

  29. #define RATE_INNER ((25*sizeof(kword_t)-CAPACITY_BITS/8))

  30. #define RATE (RATE_INNER-PAD_BYTES)

  31. 

  32. /* Pull in a Keccak-F implementation.  Use the target-specific

  33.  * asm one if available.

  34.  */

  35. #include "keccak_f.c.inc"

  36. 

  37. /* These padding bytes are applied before F.  They are

  38.  * required for parseability.  Their values are chosen

  39.  * for compatibilty with cSHAKE.

  40.  */

  41. #define SHAKE_XOR_RATE 0x80

  42. #define SHAKE_XOR_MARK 0x04

  43. 

  44. #ifndef MIN

  45. #define MIN(x,y) (((x)<(y)) ? (x) : (y))

  46. #endif

  47. 

  48. /* Mark current position and state, and run F.

  49.  * Should be compatible with CSHAKE.

  50.  */

  51. static void

  52. _run_f (strobe_s *strobe, unsigned int p) {

  53.     strobe->state.b[p] ^= strobe->pos_begin;

  54.     strobe->pos_begin = 0;

  55.     strobe->state.b[p+1] ^= SHAKE_XOR_MARK;

  56.     strobe->state.b[RATE+1] ^= SHAKE_XOR_RATE;

  57.     keccak_f(&strobe->state);

  58. }

  59. 

  60. /* Place a "mark" in the hash, which is distinct from the effect of writing any byte

  61.  * into the hash.  Then write the new mode into the hash.

  62.  */

  63. static inline void

  64. _strobe_mark(strobe_s *strobe, unsigned int * pptr, uint8_t flags) {

  65.     unsigned int p = *pptr;

  66. 

  67.     /* This flag (in the param flags byte) indicates that the

  68.      * object's role (as initiator or responder) has already

  69.      * been determined.

  70.      */

  71.     const uint8_t FLAG_HAVE_ROLE = 1<<2;

  72. 

  73.     /* Mark the state */

  74.     strobe->state.b[p++] ^= strobe->pos_begin;

  75.     strobe->pos_begin = p;

  76.     if (p >= RATE) { _run_f(strobe,p); p = 0; }

  77. 

  78.     /* Adjust the direction based on transport */

  79.     if (flags & FLAG_T) {

  80.         if (!(strobe->flags & FLAG_HAVE_ROLE)) {

  81.             /* Set who is initiator and who is responder */

  82.             strobe->flags |= FLAG_HAVE_ROLE | (flags & FLAG_I);

  83.         }

  84.         strobe->state.b[p] ^= strobe->flags & FLAG_I;

  85.     }

  86. 

  87.     /* Absorb the rest of the mode marker */

  88.     strobe->state.b[p++] ^= flags;

  89.     uint8_t flags_that_cause_runf = FLAG_C;

  90.     if (p >= RATE || (flags & flags_that_cause_runf)) { _run_f(strobe,p); p = 0; }

  91.     *pptr = p;

  92. }

  93. 

  94. /* The core duplex mode */

  95. ssize_t strobe_duplex (

  96.     strobe_s *strobe,

  97.     control_word_t flags,

  98.     uint8_t *inside,

  99.     ssize_t len

  100. ) { 

  101.     /* Sanity check */

  102.     assert(strobe->position < RATE);

  103. 

  104.     if (len < 0) {

  105.         assert(0);

  106.         /* In production mode, no assert, but at least signal an error */

  107.         return -1;

  108.     }

  109. 

  110. #if STROBE_SANITY_CHECK_FLAGS

  111.     /* Sanity check flags against what flags we know and are implementing. */

  112.     control_word_t known_flags = FLAG_I|FLAG_A|FLAG_C|FLAG_T|FLAG_M;

  113.     known_flags|= FLAG_META_I|FLAG_META_A|FLAG_META_C|FLAG_META_T|FLAG_META_M;

  114.     known_flags|= CW_LENGTH_BYTES(0xF);

  115.     known_flags|= 0xFF00;

  116.     known_flags|= FLAG_MORE|FLAG_NO_DATA;

  117. #if STROBE_SUPPORT_FLAG_POST

  118.     known_flags|= FLAG_POST_RATCHET|FLAG_POST_MAC;

  119. #endif

  120.     if (flags &~ known_flags) {

  121.         assert(0);

  122.         /* In production mode, no assert, but at least signal an error */

  123.         return -1;

  124.     }

  125. #endif

  126. 

  127.     ssize_t len2 = len, ret = 0;

  128.     uint8_t cumul = 0;

  129.     uint8_t s2s = -1;

  130.     uint8_t s2o = (flags & FLAG_C) ? -1 : 0;

  131.     if ((flags & FLAG_I) || !(flags & FLAG_T)) s2s ^= s2o; // duplex <-> unduplex

  132. 

  133.     unsigned int p = strobe->position;

  134.     assert (p < RATE);

  135.     if (!(flags & FLAG_MORE))

  136.     {

  137.         /* Mark the beginning of the operation in the strobe state */

  138.         _strobe_mark(strobe, &p, flags);

  139.     }

  140. 

  141.     /* Figure out where to write input and output */

  142.     const uint8_t *in = NULL;

  143.     uint8_t *out = NULL;

  144.     ssize_t avail = 0;

  145. 

  146.     if (!(flags & FLAG_A)) {

  147.         inside = NULL;

  148.     }

  149. 

  150.     if (flags & FLAG_I) {

  151.         out = inside;

  152.     } else {

  153.         in = inside;

  154.     }

  155. 

  156.     while (len > 0) {

  157.         /* First iteration will just skip to read section ... */

  158.         len -= avail;

  159. 

  160.         for (; avail; avail--) {

  161.             assert (p < RATE);    

  162.             uint8_t s = strobe->state.b[p], i = in ? *in++ : 0, o;

  163. 

  164.             o = i ^ (s&s2o);

  165.             strobe->state.b[p++] = i ^ (s & s2s);

  166.             cumul |= o;

  167.             if (out) *out++ = o;

  168. 

  169.             if (p >= RATE) {

  170.                 _run_f(strobe,p);

  171.                 p = 0;

  172.             }

  173.         }

  174. 

  175.         /* Get more data */

  176.         if (strobe->io == NULL || !(flags & FLAG_T)) {

  177.             /* Nothing to write; leave output as NULL */

  178.             avail = len;

  179.         } else if ((flags & FLAG_I) && len > 0) {

  180.             /* Read from wire */

  181.             avail = strobe->io->read(&strobe->io_ctx, &in, len);

  182.         } else {

  183.             /* Write to wire.  On the last iteration, len=0. */

  184.             avail = strobe->io->write(&strobe->io_ctx, &out, len);

  185.         }

  186. 

  187.         if (avail < 0) {

  188.             /* IO fail! */

  189.             strobe->position = p;

  190.             return -1;

  191.         } else if (avail > len) {

  192.             avail = len;

  193.         }

  194.     }

  195. 

  196.     if ((flags & (0xF | FLAG_I)) == (TYPE_MAC | FLAG_I)) {

  197.         /* Check MAC */

  198.         ret = cumul ? -1 : len2;

  199.     } else {

  200.         ret = len2;

  201.     }

  202. 

  203.     strobe->position = p;

  204.     return ret;

  205. }

  206. 

  207. /* Outer duplex mode: this one handles control words and reading/writing lengths. */

  208. static ssize_t strobe_operate_0 (

  209.     strobe_s *__restrict__ strobe,

  210.     uint32_t flags,

  211.     uint8_t *inside,

  212.     ssize_t len

  213. ) {

  214.     unsigned int length_bytes = STROBE_CW_GET_LENGTH_BYTES(flags);

  215.     control_word_t cwf = GET_META_FLAGS(flags);

  216. 

  217.     int more = flags & FLAG_MORE;

  218. 

  219.     int receiving_the_length = (cwf & FLAG_I) && length_bytes > 0 && !more;

  220. 

  221.     if (len < 0 && !receiving_the_length) {

  222.         assert(((void)"strobe_operate length < 0, but not receiving the length",0));

  223.         /* In case assertions are off... */

  224.         return -1;

  225.     }

  226. 

  227.     /* Read/write the control word */

  228.     strobe_serialized_control_t str = {

  229.         GET_CONTROL_TAG(flags),

  230.         receiving_the_length ? 0 : eswap_htole_sl(len)

  231.     };

  232.     if (!more) {

  233.         TRY(strobe_duplex(strobe, cwf, (uint8_t *)&str, sizeof(str.control) + length_bytes));

  234.     }

  235.     str.len = eswap_letoh_sl(str.len);

  236. 

  237.     // Check received control word and length

  238.     if (  str.control != GET_CONTROL_TAG(flags)

  239.        || str.len > INT_MAX

  240.        || ((ssize_t)(len + str.len) > 0 && (ssize_t)str.len != len)

  241.     ) {

  242.         return -1;

  243.     }

  244.     len = str.len;

  245. 

  246.     if (flags & FLAG_NO_DATA) return 0;

  247. 

  248.     return strobe_duplex(strobe, flags, inside, len);

  249. }

  250. 

  251. ssize_t __attribute__((noinline)) strobe_operate (

  252.     strobe_s *__restrict__ strobe,

  253.     uint32_t flags,

  254.     uint8_t *inside,

  255.     ssize_t len

  256. ) {

  257. #if STROBE_SUPPORT_FLAG_POST

  258.     int ret;

  259.     TRY(( ret = strobe_operate_0(strobe, flags, inside, len) ));

  260.     if (flags & FLAG_POST_RATCHET) {

  261.         assert(!(flags & FLAG_MORE));

  262.         strobe_operate_0(strobe, RATCHET, NULL, STROBE_INTEROP_RATCHET_BYTES);

  263.     }

  264.     if (flags & FLAG_POST_MAC) {

  265.         assert(!(flags & FLAG_MORE));

  266.         control_word_t cwmac = MAC | (flags & (FLAG_I | FLAG_META_I | FLAG_META_T));

  267.         TRY( strobe_operate_0(strobe, cwmac, NULL, STROBE_INTEROP_MAC_BYTES) );

  268.     }

  269.     return ret;

  270. #else

  271.     /* Not supporting FLAG_POST_RATCHET or FLAG_POST_MAC */

  272.     return strobe_operate_0(strobe, flags, inside, len);

  273. #endif

  274. }

  275. 

  276. static ssize_t cb_buffer_write(strobe_io_ctx_s *ctx, uint8_t **buffer, ssize_t size) {

  277.     uint8_t *a = ctx->a, *b = ctx->b;

  278.     ssize_t avail = b-a;

  279.     if (size < 0 || size > avail) return -1;

  280.     ctx->a = a+size;

  281.     *buffer = a;

  282.     return avail;

  283. }

  284. 

  285. static ssize_t cb_buffer_dont_write(strobe_io_ctx_s *ctx, uint8_t **buffer, ssize_t size) {

  286.     (void)ctx;

  287.     *buffer = NULL;

  288.     if (size) return -1;

  289.     return 0;

  290. }

  291. 

  292. const strobe_io_callbacks_s strobe_io_cb_buffer = {

  293.     (ssize_t (*)(strobe_io_ctx_s *, const uint8_t **, ssize_t))cb_buffer_write, cb_buffer_write

  294. }, strobe_io_cb_const_buffer = {

  295.     (ssize_t (*)(strobe_io_ctx_s *, const uint8_t **, ssize_t))cb_buffer_write, cb_buffer_dont_write

  296. };

  297. 

  298. void strobe_init (

  299.     struct strobe_s *__restrict__ strobe,

  300.     const uint8_t *description,

  301.     size_t desclen

  302. ) {

  303.     const uint8_t proto[18] = {

  304.         1,RATE+PAD_BYTES,

  305.         1,0, /* Empty NIST perso string */

  306.         1,12*8, /* 12 = strlen("STROBEvX.Y.Z") */

  307.         'S','T','R','O','B','E',

  308.         'v',

  309.         '0'+STROBE_INTEROP_V_MAJOR,'.',

  310.         '0'+STROBE_INTEROP_V_MINOR,'.',

  311.         '0'+STROBE_INTEROP_V_PATCH,

  312.         /* Rest is 0s, which is already there because we memset it */

  313.     };

  314.     memset(strobe,0,sizeof(*strobe));

  315.     memcpy(strobe,proto,sizeof(proto));

  316.     keccak_f(&strobe->state);

  317. 

  318.     strobe_duplex(strobe,FLAG_A|FLAG_M,(uint8_t*)description,desclen);

  319. }

  320. 

  321. #if STROBE_SUPPORT_PRNG

  322. #if STROBE_SINGLE_THREAD

  323. static strobe_t tl_prng = {{{{0}},0,0,0,NULL,{NULL,NULL

  324. #if STROBE_IO_CTX_HAS_FD

  325.     ,0

  326. #endif

  327. }}};

  328. #else

  329. static _Thread_local strobe_t tl_prng = {{{{0}},0,0,0,NULL,{NULL,NULL

  330. #if STROBE_IO_CTX_HAS_FD

  331.     ,0

  332. #endif

  333. }}};

  334. #endif

  335. 

  336. #define FLAG_PRNG_INITED (1<<4)

  337. #define FLAG_PRNG_SEEDED (1<<5)

  338. int strobe_randomize(uint8_t *data, ssize_t len) {

  339.     if (!(tl_prng->flags & FLAG_PRNG_SEEDED)) {

  340.         return -1;

  341.     }

  342. #if STROBE_SUPPORT_POST_FLAGS

  343.     strobe_get(tl_prng,HASH|FLAG_POST_RATCHET,data,len);

  344. #else

  345.     strobe_get(tl_prng,HASH,data,len);

  346.     strobe_operate(tl_prng, RATCHET, NULL, STROBE_INTEROP_RATCHET_BYTES);

  347. #endif

  348.     return 0;

  349. }

  350. 

  351. void strobe_seed_prng(const uint8_t *data, ssize_t len) {

  352.     if (!(tl_prng->flags & FLAG_PRNG_INITED)) {

  353.         strobe_init(tl_prng,(const uint8_t *)"prng",4);

  354.     }

  355. #if STROBE_SUPPORT_POST_FLAGS

  356.     strobe_put(tl_prng,SYM_KEY|FLAG_POST_RATCHET,data,len);

  357. #else

  358.     strobe_put(tl_prng,SYM_KEY,data,len);

  359.     strobe_operate(tl_prng, RATCHET, NULL, STROBE_INTEROP_RATCHET_BYTES);

  360. #endif

  361.     tl_prng->flags |= (FLAG_PRNG_INITED | FLAG_PRNG_SEEDED);

  362. }

  363. #endif

  364. 

  365. #if X25519_SUPPORT_VERIFY

  366. int strobe_session_verify (

  367.     strobe_t strobe,

  368.     const uint8_t their_pubkey[EC_PUBLIC_BYTES]

  369. ) {

  370.     uint8_t nonce[EC_PUBLIC_BYTES], chal[EC_CHALLENGE_BYTES], resp[EC_PRIVATE_BYTES];

  371. 

  372.     /* TODO: use SIG_SCHEME to identify the signature scheme */

  373.     strobe_put(strobe, MAKE_IMPLICIT(PUBLIC_KEY), their_pubkey, EC_PUBLIC_BYTES);

  374.     TRY( strobe_get(strobe, SIG_EPH, nonce, EC_PUBLIC_BYTES) );

  375.     strobe_get(strobe, SIG_CHALLENGE, chal, EC_CHALLENGE_BYTES);

  376.     TRY( strobe_get(strobe, SIG_RESPONSE, resp, EC_PRIVATE_BYTES) );

  377.     return x25519_verify_p2(resp, chal, nonce, their_pubkey);

  378. }

  379. 

  380. #if STROBE_SUPPORT_CERT_VERIFY

  381. int strobe_session_dont_verify (

  382.     strobe_t strobe,

  383.     const uint8_t their_pubkey[EC_PUBLIC_BYTES]

  384. ) {

  385.     strobe_put(strobe, MAKE_IMPLICIT(PUBLIC_KEY), their_pubkey, EC_PUBLIC_BYTES);

  386.     TRY( strobe_get(strobe, SIG_EPH, NULL, EC_PUBLIC_BYTES) );

  387.     strobe_get(strobe, SIG_CHALLENGE, NULL, EC_CHALLENGE_BYTES);

  388.     return strobe_get(strobe, SIG_RESPONSE, NULL, EC_PRIVATE_BYTES);

  389. }

  390. #endif

  391. #endif

  392. 

  393. #if X25519_SUPPORT_SIGN

  394. int strobe_session_sign (

  395.     strobe_t strobe,

  396.     const uint8_t my_seckey[EC_PRIVATE_BYTES],

  397.     const uint8_t my_pubkey[EC_PUBLIC_BYTES]

  398. ) { 

  399.     uint8_t nonce[EC_PUBLIC_BYTES], chal[EC_CHALLENGE_BYTES], resp[EC_UNIFORM_BYTES];

  400. 

  401.     uint8_t *const eph_secret = resp;

  402.     /* The eph secret is put into resp; responding to it conveniently overwrites that. */

  403. 

  404.     /* FUTURE: an option not to put in public key, eg if it's already known to be

  405.      * in the session log

  406.      */

  407.     strobe_put(strobe, MAKE_IMPLICIT(PUBLIC_KEY), my_pubkey, EC_PUBLIC_BYTES);

  408. 

  409.     /* OK, sample the randomness */

  410. #if X25519_DETERMINISTIC_SIGS

  411.     {

  412.         strobe_t too;

  413.         memcpy(too,strobe,sizeof(too));

  414.         strobe_put(too,SYM_KEY,my_seckey,EC_PRIVATE_BYTES);

  415.         strobe_get(too,HASH,eph_secret,EC_UNIFORM_BYTES);

  416.         strobe_destroy(too);

  417.     }

  418. #else

  419.     TRY( strobe_randomize(eph_secret,EC_PRIVATE_BYTES) );

  420. #endif

  421. 

  422.     /* Nonce = g^eph */

  423.     x25519_base_uniform(nonce,resp);

  424.     TRY( strobe_put(strobe, SIG_EPH, nonce, EC_PUBLIC_BYTES) );

  425. 

  426.     /* Get the challenge */

  427.     strobe_get(strobe, SIG_CHALLENGE, chal, EC_CHALLENGE_BYTES);

  428. 

  429.     /* Respond */

  430.     x25519_sign_p2 (resp, chal, eph_secret, my_seckey);

  431.     TRY( strobe_put(strobe, SIG_RESPONSE, resp, EC_PRIVATE_BYTES) );

  432. 

  433. #if EC_UNIFORM_BYTES > EC_PRIVATE_BYTES

  434.     /* Doesn't happen for Curve25519, but clear the high bytes of the nonce

  435.      * if they're not overwritten. */

  436.     memset(resp,0,sizeof(resp));

  437. #endif

  438. 

  439.     return 0;

  440. }

  441. #endif

  442. 

  443. #if STROBE_CONVENIENCE_ECDH

  444. int strobe_eph_ecdh (

  445.     strobe_t strobe,

  446.     int i_go_first

  447. ) {

  448.     uint8_t e_pub[EC_PUBLIC_BYTES], e_sec[EC_PRIVATE_BYTES], e_oth[EC_PUBLIC_BYTES];

  449. 

  450.     /* SEND EPH */

  451.     TRY( strobe_randomize(e_sec,sizeof(e_sec)) );

  452.     x25519_base(e_pub,e_sec,1);

  453.     if (i_go_first)

  454.         TRY( strobe_put(strobe, KEM_EPH, e_pub, sizeof(e_pub)) );

  455. 

  456.     /* RECV EPH */

  457.     TRY( strobe_get(strobe, KEM_EPH, e_oth, sizeof(e_oth)) );

  458. 

  459.     /* SEND EPH */

  460.     if (!i_go_first)

  461.         TRY( strobe_put(strobe, KEM_EPH, e_pub, sizeof(e_pub)) );

  462. 

  463.     /* ECDH */

  464.     TRY( x25519(e_pub, e_sec, e_oth, 1) );

  465.     strobe_operate(strobe, KEM_RESULT, e_pub, sizeof(e_pub));

  466. 

  467.     return 0;

  468. }

  469. 

  470. #endif // STROBE_CONVENIENCE_ECDH