symmetricstate.c

Go to the documentation of this file.

/*
 * Copyright (C) 2016 Southern Storm Software, Pty Ltd.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included
 * in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */

#include "internal.h"
#include <string.h>

static int noise_symmetricstate_new
    (NoiseSymmetricState **state, const char *name, const NoiseProtocolId *id)
{
    NoiseSymmetricState *new_state;
    size_t name_len;
    size_t hash_len;
    int err;

    /* Construct a state object and initialize it */
    new_state = noise_new(NoiseSymmetricState);
    if (!new_state)
        return NOISE_ERROR_NO_MEMORY;
    new_state->id = *id;
    err = noise_cipherstate_new_by_id(&(new_state->cipher), id->cipher_id);
    if (err != NOISE_ERROR_NONE) {
        noise_symmetricstate_free(new_state);
        return err;
    }
    err = noise_hashstate_new_by_id(&(new_state->hash), id->hash_id);
    if (err != NOISE_ERROR_NONE) {
        noise_symmetricstate_free(new_state);
        return err;
    }

    /* Check the hash length against the maximum, just in case someone
       adds a new hash algorithm in the future with longer output.
       If this happens, modify NOISE_MAX_HASHLEN in internal.h accordingly */
    hash_len = noise_hashstate_get_hash_length(new_state->hash);
    if (hash_len > NOISE_MAX_HASHLEN) {
        noise_symmetricstate_free(new_state);
        return NOISE_ERROR_NOT_APPLICABLE;
    }

    /* The key length must also be less than or equal to the hash length */
    if (noise_cipherstate_get_key_length(new_state->cipher) > hash_len) {
        noise_symmetricstate_free(new_state);
        return NOISE_ERROR_NOT_APPLICABLE;
    }

    /* Initialize the chaining key "ck" and the handshake hash "h" from
       the protocol name.  If the name is too long, hash it down first */
    name_len = strlen(name);
    if (name_len <= hash_len) {
        memcpy(new_state->h, name, name_len);
        memset(new_state->h + name_len, 0, hash_len - name_len);
    } else {
        noise_hashstate_hash_one
            (new_state->hash, (const uint8_t *)name, name_len,
             new_state->h, hash_len);
    }
    memcpy(new_state->ck, new_state->h, hash_len);

    /* Ready to go */
    *state = new_state;
    return NOISE_ERROR_NONE;
}

int noise_symmetricstate_new_by_id
    (NoiseSymmetricState **state, const NoiseProtocolId *id)
{
    char name[NOISE_MAX_PROTOCOL_NAME];
    int err;

    /* Validate the parameters */
    if (!state)
        return NOISE_ERROR_INVALID_PARAM;
    *state = 0;
    if (!id)
        return NOISE_ERROR_INVALID_PARAM;

    /* Format the full protocol name from the identifiers.  We need the
       full name because the handshake hash is initialized from the name */
    err = noise_protocol_id_to_name(name, sizeof(name), id);
    if (err != NOISE_ERROR_NONE)
        return err;

    /* Create the SymmetricState object */
    return noise_symmetricstate_new(state, name, id);
}

int noise_symmetricstate_new_by_name
    (NoiseSymmetricState **state, const char *name)
{
    NoiseProtocolId id;
    size_t name_len;
    int err;

    /* Validate the parameters */
    if (!state)
        return NOISE_ERROR_INVALID_PARAM;
    *state = 0;
    if (!name)
        return NOISE_ERROR_INVALID_PARAM;

    /* Parse the protocol identifier and validate the names */
    name_len = strlen(name);
    err = noise_protocol_name_to_id(&id, name, name_len);
    if (err != NOISE_ERROR_NONE)
        return err;

    /* Create the SymmetricState object */
    return noise_symmetricstate_new(state, name, &id);
}

int noise_symmetricstate_free(NoiseSymmetricState *state)
{
    /* Bail out if no symmetric state */
    if (!state)
        return NOISE_ERROR_INVALID_PARAM;

    /* Free the sub objects that are hanging off the symmetricstate */
    if (state->cipher)
        noise_cipherstate_free(state->cipher);
    if (state->hash)
        noise_hashstate_free(state->hash);

    /* Clean and free the memory for "state" */
    noise_free(state, state->size);
    return NOISE_ERROR_NONE;
}

int noise_symmetricstate_get_protocol_id
    (const NoiseSymmetricState *state, NoiseProtocolId *id)
{
    /* Validate the parameters */
    if (!state || !id)
        return NOISE_ERROR_INVALID_PARAM;

    /* Copy the internal id block to the parameter */
    *id = state->id;
    return NOISE_ERROR_NONE;
}

int noise_symmetricstate_mix_key
    (NoiseSymmetricState *state, const uint8_t *input, size_t size)
{
    uint8_t temp_k[NOISE_MAX_HASHLEN];
    size_t hash_len;
    size_t key_len;

    /* Validate the parameters */
    if (!state || !input)
        return NOISE_ERROR_INVALID_PARAM;

    /* If the state has been split, then we cannot do this */
    if (!state->cipher)
        return NOISE_ERROR_INVALID_STATE;

    /* Mix the input data in using HKDF */
    hash_len = noise_hashstate_get_hash_length(state->hash);
    key_len = noise_cipherstate_get_key_length(state->cipher);
    noise_hashstate_hkdf
        (state->hash, state->ck, hash_len, input, size,
         state->ck, hash_len, temp_k, key_len);

    /* Change the cipher key, or set it for the first time */
    noise_cipherstate_init_key(state->cipher, temp_k, key_len);
    noise_clean(temp_k, sizeof(temp_k));
    return NOISE_ERROR_NONE;
}

int noise_symmetricstate_mix_hash
    (NoiseSymmetricState *state, const uint8_t *input, size_t size)
{
    size_t hash_len;

    /* Validate the parameters */
    if (!state || !input)
        return NOISE_ERROR_INVALID_PARAM;

    /* If the state has been split, then we cannot do this */
    if (!state->cipher)
        return NOISE_ERROR_INVALID_STATE;

    /* Mix the input data into "h" */
    hash_len = noise_hashstate_get_hash_length(state->hash);
    noise_hashstate_hash_two
        (state->hash, state->h, hash_len, input, size, state->h, hash_len);
    return NOISE_ERROR_NONE;
}

int noise_symmetricstate_encrypt_and_hash
    (NoiseSymmetricState *state, NoiseBuffer *buffer)
{
    size_t hash_len;
    int err;

    /* Validate the parameters */
    if (!state || !buffer || !(buffer->data))
        return NOISE_ERROR_INVALID_PARAM;

    /* If the state has been split, then we cannot do this */
    if (!state->cipher)
        return NOISE_ERROR_INVALID_STATE;

    /* Encrypt the plaintext using the underlying cipher */
    hash_len = noise_hashstate_get_hash_length(state->hash);
    err = noise_cipherstate_encrypt_with_ad
        (state->cipher, state->h, hash_len, buffer);
    if (err != NOISE_ERROR_NONE)
        return err;

    /* Feed the ciphertext into the handshake hash */
    noise_symmetricstate_mix_hash(state, buffer->data, buffer->size);
    return NOISE_ERROR_NONE;
}

int noise_symmetricstate_decrypt_and_hash
    (NoiseSymmetricState *state, NoiseBuffer *buffer)
{
    uint8_t temp[NOISE_MAX_HASHLEN];
    size_t hash_len;
    int err;

    /* Validate the parameters */
    if (!state || !buffer || !(buffer->data))
        return NOISE_ERROR_INVALID_PARAM;

    /* If the state has been split, then we cannot do this */
    if (!state->cipher)
        return NOISE_ERROR_INVALID_STATE;

    /* Validate the input data length before we hash the data */
    if (buffer->size > NOISE_MAX_PAYLOAD_LEN)
        return NOISE_ERROR_INVALID_LENGTH;
    if (noise_cipherstate_has_key(state->cipher)) {
        if (buffer->size < noise_cipherstate_get_mac_length(state->cipher))
            return NOISE_ERROR_INVALID_LENGTH;
    }

    /* Feed the ciphertext into the handshake hash first.  We make a
       temporary copy of the hash.  If the decryption fails below,
       then we don't update the handshake hash with the bogus data */
    hash_len = noise_hashstate_get_hash_length(state->hash);
    noise_hashstate_hash_two
        (state->hash, state->h, hash_len,
         buffer->data, buffer->size, temp, hash_len);

    /* Decrypt the ciphertext using the underlying cipher */
    err = noise_cipherstate_decrypt_with_ad
        (state->cipher, state->h, hash_len, buffer);
    if (err != NOISE_ERROR_NONE) {
        noise_clean(temp, sizeof(temp));
        return err;
    }

    /* Update the handshake hash */
    memcpy(state->h, temp, hash_len);
    noise_clean(temp, sizeof(temp));
    return NOISE_ERROR_NONE;
}

size_t noise_symmetricstate_get_mac_length(const NoiseSymmetricState *state)
{
    /* Validate the parameter */
    if (!state)
        return 0;

    /* If the state has been split or the key has not been set, then zero */
    if (!state->cipher)
        return 0;
    if (!noise_cipherstate_has_key(state->cipher))
        return 0;

    /* Return the MAC length for the cipher */
    return noise_cipherstate_get_mac_length(state->cipher);
}

int noise_symmetricstate_split
    (NoiseSymmetricState *state, NoiseCipherState **c1, NoiseCipherState **c2)
{
    uint8_t temp_k1[NOISE_MAX_HASHLEN];
    uint8_t temp_k2[NOISE_MAX_HASHLEN];
    size_t hash_len;
    size_t key_len;

    /* Validate the parameters */
    if (!state)
        return NOISE_ERROR_INVALID_PARAM;
    if (!c1 && !c2)
        return NOISE_ERROR_INVALID_PARAM;
    if (c1)
        *c1 = 0;
    if (c2)
        *c2 = 0;

    /* If the state has already been split, then we cannot split again */
    if (!state->cipher)
        return NOISE_ERROR_INVALID_STATE;

    /* Generate the two encryption keys with HKDF */
    hash_len = noise_hashstate_get_hash_length(state->hash);
    key_len = noise_cipherstate_get_key_length(state->cipher);
    noise_hashstate_hkdf
        (state->hash, state->ck, hash_len, state->ck, 0,
         temp_k1, key_len, temp_k2, key_len);

    /* If we only need c2, then re-initialize the key in the internal
       cipher and copy it to c2 */
    if (!c1 && c2) {
        noise_cipherstate_init_key(state->cipher, temp_k2, key_len);
        *c2 = state->cipher;
        state->cipher = 0;
        noise_clean(temp_k1, sizeof(temp_k1));
        noise_clean(temp_k2, sizeof(temp_k2));
        return NOISE_ERROR_NONE;
    }

    /* Split a copy out of the cipher and give it the second key.
       We don't need to do this if the second CipherSuite is not required */
    if (c2) {
        *c2 = (*(state->cipher->create))();
        if (!(*c2)) {
            noise_clean(temp_k1, sizeof(temp_k1));
            noise_clean(temp_k2, sizeof(temp_k2));
            return NOISE_ERROR_NO_MEMORY;
        }
        noise_cipherstate_init_key(*c2, temp_k2, key_len);
    }

    /* Re-initialize the key in the internal cipher and copy it to c1 */
    noise_cipherstate_init_key(state->cipher, temp_k1, key_len);
    *c1 = state->cipher;
    state->cipher = 0;
    noise_clean(temp_k1, sizeof(temp_k1));
    noise_clean(temp_k2, sizeof(temp_k2));
    return NOISE_ERROR_NONE;
}