jmg
/
lora-irrigation
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Implement a secure ICS protocol targeting LoRa Node151 microcontroller for controlling irrigation.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
163 Commits
4 Branches
18 MiB
 
 
 
 
 
 
Tree: e7e742150d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e7e742150d'
${ noResults }
lora-irrigation/strobe/strobe.h

421 lines
15 KiB
Raw Blame History 

  1. /**

  2.  * @file strobe.h

  3.  * @copyright

  4.  *   Copyright (c) 2015-2016 Cryptography Research, Inc.  \n

  5.  *   Released under the MIT License.  See LICENSE.txt for license information.

  6.  * @author Mike Hamburg

  7.  * @brief Strobe lite protocol instances.

  8.  */

  9. #ifndef __STROBE_H__

  10. #define __STROBE_H__

  11. 

  12. /* TODO: Implement state compaction, particularly for PRNG state */

  13. /* TODO: Test this against the Python reference. */

  14. 

  15. #include <stdint.h>

  16. #include <stdlib.h>

  17. #include <assert.h>

  18. #include <string.h>

  19. #include <sys/types.h>

  20. 

  21. #include "strobe_config.h"

  22. 

  23. /**

  24.  * A control word holds flags and other information that control a STROBE operation.

  25.  * Defined below.

  26.  */

  27. typedef uint32_t control_word_t;

  28. 

  29. /* Strobe object, below */

  30. struct strobe_s;

  31. 

  32. /** Initialize a STROBE object, using the description as a domain separator. */

  33. void strobe_init (

  34.     struct strobe_s *__restrict__ strobe,

  35.     const uint8_t *description,

  36.     size_t desclen

  37. );

  38. 

  39. /** Underlying duplex primitive. */

  40. ssize_t strobe_duplex (

  41.    struct strobe_s *__restrict__ strobe,

  42.    control_word_t flags,

  43.    uint8_t *inside,

  44.    ssize_t len

  45. );

  46. 

  47. /**

  48.  * More complex duplex primitive.

  49.  * First reads/writes metadata based on control_flags, then data.  Can pass

  50.  * -len instead of len when reading.  This means any length up to len.

  51.  * Returns the number of data bytes read, or <0 on error.

  52.  */

  53. ssize_t strobe_operate (

  54.     struct strobe_s *__restrict__ strobe,

  55.     control_word_t control_flags,

  56.     uint8_t *inside,

  57.     ssize_t len

  58. );

  59. 

  60. #if STROBE_SUPPORT_PRNG

  61. /** Seed the generator with len bytes of randomness. */

  62. void strobe_seed_prng(const uint8_t *data, ssize_t len);

  63. 

  64. /**

  65.  * Fill *data with len bytes of randomness.

  66.  * Return <0 if the generator is not seeded.

  67.  */

  68. int __attribute__((warn_unused_result))

  69.     strobe_randomize(uint8_t *data, ssize_t len);

  70. #endif /* STROBE_SUPPORT_PRNG */

  71. 

  72. /* Flags as defined in the paper */

  73. #define FLAG_I (1<<0) /**< Inbound */

  74. #define FLAG_A (1<<1) /**< Has application-side data (eg, not a MAC) */

  75. #define FLAG_C (1<<2) /**< Uses encryption or rekeying. */

  76. #define FLAG_T (1<<3) /**< Send or receive data via transport */

  77. #define FLAG_M (1<<4) /**< Operation carries metadata. */

  78. 

  79. #define FLAG_META_I (1<<20) /**< Metadata has I */

  80. #define FLAG_META_A (1<<21) /**< Metadata has A (always set) */

  81. #define FLAG_META_C (1<<22) /**< Metadata has C */

  82. #define FLAG_META_T (1<<23) /**< Metadata has T */

  83. #define FLAG_META_M (1<<24) /**< Metadata has M (always set) */

  84. #define GET_META_FLAGS(cw) (((cw) >> 20) & 0x3F)

  85. 

  86. #define FLAG_MORE     (1<<28) /**< Continue a streaming operation. */

  87. #define FLAG_NO_DATA  (1<<29) /**< Just send/recv the metadata, not the data. */

  88. 

  89. #if STROBE_SUPPORT_FLAG_POST

  90. /**

  91.  * Post-op ratchet and/or MAC.

  92.  *

  93.  * TODO: I might want to remove these, because some details of how this is

  94.  * done might be application-specific.  In particular, some applications will

  95.  * want to frame their MACs on the wire, and some will not.

  96.  */

  97. #define FLAG_POST_RATCHET (1<<30) /**< Ratchet state after */

  98. #define FLAG_POST_MAC     (1<<31) /**< Send/receive MAC after */

  99. #endif

  100. 

  101. /* Operation types as defined in the paper */

  102. #define TYPE_AD FLAG_A /**< Context data, not sent to trensport */

  103. #define TYPE_KEY (FLAG_A | FLAG_C) /**< Symmetric key, not sent to transport */

  104. #define TYPE_CLR (FLAG_T | FLAG_A) /**< Data to be sent in the clear */

  105. #define TYPE_ENC (FLAG_T | FLAG_A | FLAG_C) /**< Data sent encrypted */

  106. #define TYPE_MAC (FLAG_T | FLAG_C) /**< Message authentication code */

  107. #define TYPE_RATCHET FLAG_C    /**< Erase data to prevent rollback */

  108. #define TYPE_PRF (FLAG_I | FLAG_A | FLAG_C) /**< Return pseudorandom hash */

  109. 

  110. /** For operate, have (n)-byte little-endian length field. */

  111. #define CW_LENGTH_BYTES(n) ((uint32_t)(n)<<16)

  112. 

  113. #define STROBE_CW_GET_LENGTH_BYTES(cw) ((cw)>>16 & 0xF)

  114. 

  115. #define MAKE_IMPLICIT(cw) ((cw) &~ (FLAG_T | FLAG_META_T))

  116. #define MAKE_LENGTHLESS(cw) ((cw) &~ CW_LENGTH_BYTES(0x0F))

  117. 

  118. #define GET_CONTROL_TAG(cw) (((cw)>>8)&0xFF)

  119. #define CONTROL_WORD(w,value,flags) enum { w=value<<8|flags|FLAG_META_A|FLAG_META_M }

  120. 

  121. /* Recommended control words */

  122. /* 0x00-0x0F: symmetric cryptography */

  123. CONTROL_WORD(SYM_SCHEME     , 0x00, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  124. CONTROL_WORD(SYM_KEY        , 0x01, TYPE_KEY );

  125. CONTROL_WORD(APP_PLAINTEXT  , 0x02, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  126. CONTROL_WORD(APP_CIPHERTEXT , 0x03, TYPE_ENC | CW_LENGTH_BYTES(2) | FLAG_META_T );

  127. CONTROL_WORD(NONCE          , 0x04, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  128. CONTROL_WORD(AUTH_DATA      , 0x05, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  129. CONTROL_WORD(MAC            , 0x06, TYPE_MAC | CW_LENGTH_BYTES(2) );

  130. CONTROL_WORD(HASH           , 0x07, TYPE_PRF | CW_LENGTH_BYTES(2) );

  131. CONTROL_WORD(DERIVE_KEY     , 0x08, TYPE_PRF | CW_LENGTH_BYTES(2) );

  132. CONTROL_WORD(BE_SLOW        , 0x0C, TYPE_RATCHET | CW_LENGTH_BYTES(4) );

  133. CONTROL_WORD(SIV_PT_INNER   , 0x0D, TYPE_CLR ); /* FUTURE: implement SIV */

  134. CONTROL_WORD(SIV_MAC_OUTER  , 0x0E, TYPE_CLR );

  135. CONTROL_WORD(RATCHET        , 0x0F, TYPE_RATCHET );

  136. 

  137. /* 0x10-0x1F: Asymmetric key exchange and encryption */

  138. CONTROL_WORD(KEM_SCHEME     , 0x10, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  139. CONTROL_WORD(PUBLIC_KEY     , 0x11, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  140. CONTROL_WORD(KEM_EPH        , 0x12, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  141. CONTROL_WORD(KEM_RESULT     , 0x13, TYPE_KEY );

  142. 

  143. /* 0x18-0x1F: Signatures */

  144. CONTROL_WORD(SIG_SCHEME     , 0x18, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  145. CONTROL_WORD(SIG_EPH        , 0x19, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  146. CONTROL_WORD(SIG_CHALLENGE  , 0x1A, TYPE_PRF | CW_LENGTH_BYTES(2) );

  147. CONTROL_WORD(SIG_RESPONSE   , 0x1B, TYPE_ENC | CW_LENGTH_BYTES(2) | FLAG_META_T );

  148. CONTROL_WORD(SIG_DETERM     , 0x1C, TYPE_PRF | CW_LENGTH_BYTES(2) );

  149. 

  150. /* 0x20-0x2F: header and other metadata */

  151. CONTROL_WORD(HANDSHAKE      , 0x20, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  152. CONTROL_WORD(VERSION        , 0x21, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  153. CONTROL_WORD(CIPHERSUITE    , 0x22, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  154. CONTROL_WORD(META_PLAINTEXT , 0x24, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  155. CONTROL_WORD(META_CIPHERTEXT, 0x25, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  156. CONTROL_WORD(CERTIFICATE    , 0x26, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  157. CONTROL_WORD(ENCRYPTED_CERT , 0x27, TYPE_ENC | CW_LENGTH_BYTES(2) | FLAG_META_T );

  158. CONTROL_WORD(OVER           , 0x2E, TYPE_MAC | CW_LENGTH_BYTES(2) | FLAG_META_T );

  159. CONTROL_WORD(CLOSE          , 0x2F, TYPE_MAC | CW_LENGTH_BYTES(2) | FLAG_META_T );

  160. 

  161. /* 0x30-0x3F: Certificates.

  162.  *

  163.  * These are still experimental and unimplemented, and will probably change.

  164.  * The intention is that certs should look something like this:

  165.  *

  166.  * CERT_VERSION 1

  167.  * CERT_SERIAL .{0,32} ? # for revocation, else omitted

  168.  * CERT_VALIDITY? # omitted if your devices aren't tracking time or can't update

  169.  * CERT_PURPOSE .*? # if your application makes such a distinction

  170.  * ((CERT_REC_PRE .* CERT_REC_POST .*) | (CERT_NAME .*))

  171.  *      ^ if the cert is an intermediate      ^ if it isn't an intermediate

  172.  * (CERT_PK_SCHEME PUBLIC_KEY)+ # Limited to 1? Could have multiple?  Dunno.

  173.  *

  174.  * CERT_COMMENT *

  175.  * (SIG_SCHEME SIG_CHAL SIG_EPH SIG_RESPONSE)+ # or similar depending on sig scheme

  176.  *    ^ Possibly this should be limited to 1.

  177.  *

  178.  * If your application uses cert chains, they would be given in separate CERTIFICATE

  179.  * (or ENCRYPTED_CERT) messages, in order from CA to leaf.  At any time, the client

  180.  * could track "what's the most recent trusted intermediate which has authority over

  181.  * the name I'm trying to contact."  Then if there are multiple certifying chains, the

  182.  * untrusted ones would be ignored.

  183.  */

  184. CONTROL_WORD(CERT_VERSION   , 0x30, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  185. CONTROL_WORD(CERT_SERIAL    , 0x31, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  186. CONTROL_WORD(CERT_VALIDITY  , 0x32, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  187. CONTROL_WORD(CERT_PURPOSE   , 0x33, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  188. CONTROL_WORD(CERT_REC_PRE   , 0x34, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  189. CONTROL_WORD(CERT_REC_POST  , 0x35, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  190. CONTROL_WORD(CERT_NAME      , 0x36, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  191. CONTROL_WORD(CERT_PK_SCHEME , 0x37, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  192. CONTROL_WORD(CERT_COMMENT   , 0x3F, TYPE_CLR | CW_LENGTH_BYTES(2) | FLAG_META_T );

  193. 

  194. #if STROBE_INTEROP_F_BITS == 1600

  195. #define kword_t uint64_t

  196. #elif STROBE_INTEROP_F_BITS == 800

  197. #define kword_t uint32_t

  198. #elif STROBE_INTEROP_F_BITS == 400

  199. #define kword_t uint16_t

  200. #else

  201. #error "Strobe supports only Keccak-F{400,800,1600}"

  202. #endif

  203. 

  204. /* IO callback context.  Opaque to STROBE. */

  205. typedef struct {

  206.     void *a, *b; /**< Two pointers for use by the callback context. */

  207. #if STROBE_IO_CTX_HAS_FD

  208.     int fd; /**< A file descriptor, or whatever. */

  209. #endif

  210. } strobe_io_ctx_s;

  211. 

  212. /** Callback context */

  213. typedef struct {

  214.     // FUTURE: make these return two values?

  215.     /**

  216.      * Read up to [size] bytes of data.  Set the buffer to where it

  217.      * points, and return how many bytes were actually read.

  218.      */

  219.     ssize_t (*read)  (strobe_io_ctx_s *ctx, const uint8_t **buffer, ssize_t size);

  220. 

  221.     /**

  222.      * The write callback is trickier.

  223.      *

  224.      * The first call returns a buffer to write the data to.

  225.      *

  226.      * The next call writes that data out, and returns a new (or more likely,

  227.      * the same) buffer.

  228.      */

  229.     ssize_t (*write) (strobe_io_ctx_s *ctx, uint8_t **buffer,       ssize_t size);

  230. } strobe_io_callbacks_s;

  231. extern const strobe_io_callbacks_s strobe_io_cb_buffer, strobe_io_cb_const_buffer;

  232. 

  233. /** Keccak's domain: 25 words of size b/25, or b/8 bytes. */

  234. typedef union {

  235.     kword_t w[25]; uint8_t b[25*sizeof(kword_t)/sizeof(uint8_t)];

  236. } kdomain_s;

  237. 

  238. /** The main strobe state object. */

  239. typedef struct strobe_s {

  240.     kdomain_s state;

  241.     uint8_t position, pos_begin, flags;

  242. 

  243.     const strobe_io_callbacks_s *io;

  244.     strobe_io_ctx_s io_ctx;

  245. } strobe_s, strobe_t[1];

  246. 

  247. #if STROBE_CW_MAX_LENGTH_BYTES <= 1

  248. typedef uint8_t strobe_length_t;

  249. #elif STROBE_CW_MAX_LENGTH_BYTES <= 2

  250. typedef uint16_t strobe_length_t;

  251. #elif STROBE_CW_MAX_LENGTH_BYTES <= 4

  252. typedef uint32_t strobe_length_t;

  253. #elif STROBE_CW_MAX_LENGTH_BYTES <= 8

  254. typedef uint64_t strobe_length_t;

  255. #elif STROBE_CW_MAX_LENGTH_BYTES <= 16

  256. typedef uint128_t strobe_length_t;

  257. #else

  258. #error "Can't deal with >128-bit length fields'"

  259. #endif

  260. 

  261. typedef struct {

  262.     uint8_t control;

  263.     strobe_length_t len; 

  264. } __attribute__((packed)) strobe_serialized_control_t;

  265. 

  266. /* Protocol building blocks */

  267. #define TRY(foo) do { ssize_t _ret = (foo); if (_ret < 0) return _ret; } while(0)

  268. 

  269. /**

  270.  * Destroy a STROBE object by writing zeros over it.

  271.  * NB: if you don't have C11's memset_s, the compiler might optimize this call

  272.  * away!

  273.  */

  274. static inline void strobe_destroy(strobe_t strobe) {

  275. #ifdef __STDC_LIB_EXT1__

  276.     memset_s(strobe,sizeof(*strobe),0,sizeof(*strobe));

  277. #else

  278.     memset(strobe,0,sizeof(*strobe));

  279. #endif

  280. }

  281. 

  282. /**

  283.  * Detach the I/O from a STROBE object.

  284.  */

  285. static inline void strobe_detach(strobe_t strobe) {

  286.     strobe->io = NULL;

  287.     /* Not really relevant: */

  288.     // strobe->io_ctx.a = strobe->io_ctx.b = NULL;

  289. }

  290. 

  291. /** Reverse the role of a STROBE object (i.e. to emulate the other guy). */

  292. static inline void strobe_reverse(strobe_t strobe) {

  293.     strobe->flags ^= FLAG_I;

  294. }

  295. 

  296. /** Attach a buffer to a strobe object. */

  297. static inline void strobe_attach_buffer(strobe_t strobe, uint8_t *start, size_t length) {

  298.     strobe->io = &strobe_io_cb_buffer;

  299.     strobe->io_ctx.a = start;

  300.     strobe->io_ctx.b = start+length;

  301. }

  302. 

  303. /** Attach a buffer to a strobe object. */

  304. static inline void strobe_attach_const_buffer(strobe_t strobe, uint8_t *start, size_t length) {

  305.     strobe->io = &strobe_io_cb_const_buffer;

  306.     strobe->io_ctx.a = start;

  307.     strobe->io_ctx.b = start+length;

  308. }

  309. 

  310. /** Same as operate, but only for sending data or putting it into the sponge. */

  311. static inline ssize_t strobe_put (

  312.     strobe_s *__restrict__ strobe,

  313.     control_word_t control_flags,

  314.     const uint8_t *inside,

  315.     ssize_t len

  316. ) {

  317.     assert(!(control_flags & (FLAG_M|FLAG_I|FLAG_META_I)));

  318.     return strobe_operate(strobe,control_flags,(uint8_t *)inside,len);

  319. }

  320. 

  321. /** Receive data or extract it from the sponge. */

  322. static inline ssize_t strobe_get (

  323.     strobe_s *__restrict__ strobe,

  324.     control_word_t control_flags,

  325.     uint8_t *inside,

  326.     ssize_t len

  327. ) {

  328.     assert(!(control_flags & FLAG_M));

  329.     assert((control_flags & (FLAG_T|FLAG_C)) != 0);

  330.     control_flags |= FLAG_I;

  331.     if (control_flags & FLAG_META_T) control_flags |= FLAG_META_I;

  332.     return strobe_operate(strobe,control_flags,(uint8_t *)inside,len);

  333. }

  334. 

  335. /* Endian swaps */

  336. #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__

  337. static inline kword_t eswap_letoh(kword_t w) { return w; }

  338. static inline kword_t eswap_htole(kword_t w) { return w; }

  339. static inline uint16_t eswap_letoh_16(uint16_t w) { return w; }

  340. static inline uint16_t eswap_htole_16(uint16_t w) { return w; }

  341. static inline uint32_t eswap_letoh_32(uint32_t w) { return w; }

  342. static inline uint32_t eswap_htole_32(uint32_t w) { return w; }

  343. static inline uint64_t eswap_letoh_64(uint64_t w) { return w; }

  344. static inline uint64_t eswap_htole_64(uint64_t w) { return w; }

  345. static inline strobe_length_t eswap_letoh_sl(strobe_length_t w) { return w; }

  346. static inline strobe_length_t eswap_htole_sl(strobe_length_t w) { return w; }

  347. #else

  348. #error "Fix eswap() on non-little-endian machine"

  349. #endif

  350. 

  351. /**

  352.  * Receive just control/metadata from the other party.

  353.  * This is for complex protocols where you may not know what will come next.

  354.  */

  355. static inline ssize_t strobe_get_control (

  356.     strobe_s *__restrict__ strobe,

  357.     strobe_serialized_control_t *cw,

  358.     uint32_t flags

  359. ) {

  360.     unsigned int length_bytes = STROBE_CW_GET_LENGTH_BYTES(flags);

  361.     control_word_t cwf = GET_META_FLAGS(flags) | FLAG_I | FLAG_T;

  362. 

  363.     cw->len = 0;

  364.     ssize_t ret = strobe_duplex(strobe, cwf, (uint8_t *)cw, sizeof(cw->control) + length_bytes);

  365. 

  366.     /* Probably a nop, allowing tailcall, except we're inline anyway */

  367.     cw->len = eswap_letoh_sl(cw->len);

  368.     return ret;

  369. }

  370. 

  371. static inline ssize_t strobe_put_mac( strobe_t strobe ) {

  372.     return strobe_operate(strobe, MAC, NULL, STROBE_INTEROP_MAC_BYTES);

  373. }

  374. 

  375. static inline ssize_t strobe_get_mac(strobe_t strobe ) {

  376.     return strobe_operate(strobe, MAC|FLAG_I, NULL, STROBE_INTEROP_MAC_BYTES);

  377. }

  378. 

  379. static inline ssize_t strobe_key (

  380.     strobe_t strobe,

  381.     control_word_t cw,

  382.     const uint8_t *data,

  383.     uint16_t len

  384. ) {

  385.     assert(!(cw & FLAG_T));

  386.     return strobe_put(strobe, cw, data, len);

  387. }

  388. 

  389. #if STROBE_CONVENIENCE_ECDH

  390. int strobe_eph_ecdh (

  391.     strobe_t strobe,

  392.     int i_go_first

  393. );

  394. #endif

  395. 

  396. #if X25519_SUPPORT_SIGN

  397. int strobe_session_sign (

  398.     strobe_t strobe,

  399.     const uint8_t my_seckey[32],

  400.     const uint8_t my_pubkey[32]

  401. );

  402. #endif

  403. 

  404. #if X25519_SUPPORT_VERIFY

  405. int strobe_session_verify (

  406.     strobe_t strobe,

  407.     const uint8_t their_pubkey[32]

  408. );

  409. #if STROBE_SUPPORT_CERT_VERIFY

  410. /* Parse a signature but don't verify it.

  411.  * Useful for intermediate certs we don't trust.

  412.  */

  413. int strobe_session_dont_verify (

  414.     strobe_t strobe,

  415.     const uint8_t their_pubkey[32]

  416. );

  417. #endif

  418. #endif

  419. 

  420. #endif /* __STROBE_H__ */