diff --git a/briar-api/src/org/briarproject/api/transport/TransportConstants.java b/briar-api/src/org/briarproject/api/transport/TransportConstants.java index ae3a6c3daf9af55555e07023020a8a3ac0932629..defd1649820341c6b784ec77e3cfaaf2f90d139f 100644 --- a/briar-api/src/org/briarproject/api/transport/TransportConstants.java +++ b/briar-api/src/org/briarproject/api/transport/TransportConstants.java @@ -8,12 +8,12 @@ public interface TransportConstants { /** The length of the pseudo-random tag in bytes. */ int TAG_LENGTH = 16; - /** The length of the stream header IV in bytes. */ - int STREAM_HEADER_IV_LENGTH = 24; - /** The length of the message authentication code (MAC) in bytes. */ int MAC_LENGTH = 16; + /** The length of the stream header initialisation vector (IV) in bytes. */ + int STREAM_HEADER_IV_LENGTH = 24; + /** The length of the stream header in bytes. */ int STREAM_HEADER_LENGTH = STREAM_HEADER_IV_LENGTH + SecretKey.LENGTH + MAC_LENGTH; @@ -21,8 +21,11 @@ public interface TransportConstants { /** The length of the frame initalisation vector (IV) in bytes. */ int FRAME_IV_LENGTH = 24; + /** The length of the frame header payload in bytes. */ + int FRAME_HEADER_PAYLOAD_LENGTH = 4; + /** The length of the frame header in bytes. */ - int FRAME_HEADER_LENGTH = 4 + MAC_LENGTH; + int FRAME_HEADER_LENGTH = FRAME_HEADER_PAYLOAD_LENGTH + MAC_LENGTH; /** The maximum length of a frame in bytes, including the header and MAC. */ int MAX_FRAME_LENGTH = 1024; diff --git a/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java b/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java index 97350169935db0e25b560f5ea9c79c27ce7bcef9..c4cde4aea314511e1a5ce4a63b7ad526f6921c30 100644 --- a/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java +++ b/briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java @@ -17,12 +17,10 @@ import org.briarproject.api.transport.TransportKeys; import org.briarproject.util.ByteUtils; import org.briarproject.util.StringUtils; import org.spongycastle.crypto.AsymmetricCipherKeyPair; -import org.spongycastle.crypto.BlockCipher; import org.spongycastle.crypto.CipherParameters; import org.spongycastle.crypto.Digest; import org.spongycastle.crypto.agreement.ECDHCBasicAgreement; import org.spongycastle.crypto.digests.SHA256Digest; -import org.spongycastle.crypto.engines.AESLightEngine; import org.spongycastle.crypto.generators.ECKeyPairGenerator; import org.spongycastle.crypto.generators.PKCS5S2ParametersGenerator; import org.spongycastle.crypto.params.ECKeyGenerationParameters; @@ -30,6 +28,7 @@ import org.spongycastle.crypto.params.ECPrivateKeyParameters; import org.spongycastle.crypto.params.ECPublicKeyParameters; import org.spongycastle.crypto.params.KeyParameter; +import java.nio.charset.Charset; import java.security.GeneralSecurityException; import java.security.SecureRandom; import java.util.ArrayList; @@ -57,33 +56,31 @@ class CryptoComponentImpl implements CryptoComponent { private static final int PBKDF_TARGET_MILLIS = 500; private static final int PBKDF_SAMPLES = 30; + private static byte[] ascii(String s) { + return s.getBytes(Charset.forName("US-ASCII")); + } + // KDF label for master key derivation - private static final byte[] MASTER = { 'M', 'A', 'S', 'T', 'E', 'R' }; + private static final byte[] MASTER = ascii("MASTER"); // KDF labels for confirmation code derivation - private static final byte[] A_CONFIRM = - { 'A', '_', 'C', 'O', 'N', 'F', 'I', 'R', 'M' }; - private static final byte[] B_CONFIRM = - { 'B', '_', 'C', 'O', 'N', 'F', 'I', 'R', 'M' }; + private static final byte[] A_CONFIRM = ascii("ALICE_CONFIRMATION_CODE"); + private static final byte[] B_CONFIRM = ascii("BOB_CONFIRMATION_CODE"); // KDF labels for invitation stream header key derivation - private static final byte[] A_INVITE = - { 'A', '_', 'I', 'N', 'V', 'I', 'T', 'E' }; - private static final byte[] B_INVITE = - { 'B', '_', 'I', 'N', 'V', 'I', 'T', 'E' }; + private static final byte[] A_INVITE = ascii("ALICE_INVITATION_KEY"); + private static final byte[] B_INVITE = ascii("BOB_INVITATION_KEY"); // KDF labels for signature nonce derivation - private static final byte[] A_NONCE = { 'A', '_', 'N', 'O', 'N', 'C', 'E' }; - private static final byte[] B_NONCE = { 'B', '_', 'N', 'O', 'N', 'C', 'E' }; + private static final byte[] A_NONCE = ascii("ALICE_SIGNATURE_NONCE"); + private static final byte[] B_NONCE = ascii("BOB_SIGNATURE_NONCE"); // KDF label for group salt derivation - private static final byte[] SALT = { 'S', 'A', 'L', 'T' }; + private static final byte[] SALT = ascii("SALT"); // KDF labels for tag key derivation - private static final byte[] A_TAG = { 'A', '_', 'T', 'A', 'G' }; - private static final byte[] B_TAG = { 'B', '_', 'T', 'A', 'G' }; + private static final byte[] A_TAG = ascii("ALICE_TAG_KEY"); + private static final byte[] B_TAG = ascii("BOB_TAG_KEY"); // KDF labels for header key derivation - private static final byte[] A_HEADER = - { 'A', '_', 'H', 'E', 'A', 'D', 'E', 'R' }; - private static final byte[] B_HEADER = - { 'B', '_', 'H', 'E', 'A', 'D', 'E', 'R' }; + private static final byte[] A_HEADER = ascii("ALICE_HEADER_KEY"); + private static final byte[] B_HEADER = ascii("BOB_HEADER_KEY"); // KDF label for key rotation - private static final byte[] ROTATE = { 'R', 'O', 'T', 'A', 'T', 'E' }; + private static final byte[] ROTATE = ascii("ROTATE"); private final SecureRandom secureRandom; private final ECKeyPairGenerator agreementKeyPairGenerator; @@ -290,8 +287,8 @@ class CryptoComponentImpl implements CryptoComponent { } private SecretKey rotateKey(SecretKey k, long rotationPeriod) { - byte[] period = new byte[4]; - ByteUtils.writeUint32(rotationPeriod, period, 0); + byte[] period = new byte[8]; + ByteUtils.writeUint64(rotationPeriod, period, 0); return new SecretKey(macKdf(k, ROTATE, period)); } @@ -311,14 +308,19 @@ class CryptoComponentImpl implements CryptoComponent { if (tag.length < TAG_LENGTH) throw new IllegalArgumentException(); if (streamNumber < 0 || streamNumber > MAX_32_BIT_UNSIGNED) throw new IllegalArgumentException(); - for (int i = 0; i < TAG_LENGTH; i++) tag[i] = 0; - ByteUtils.writeUint32(streamNumber, tag, 0); - BlockCipher cipher = new AESLightEngine(); - if (cipher.getBlockSize() != TAG_LENGTH) - throw new IllegalStateException(); - KeyParameter k = new KeyParameter(tagKey.getBytes()); - cipher.init(true, k); - cipher.processBlock(tag, 0, tag, 0); + // Initialise the PRF + Digest prf = new Blake2sDigest(tagKey.getBytes()); + // The output of the PRF must be long enough to use as a key + int macLength = prf.getDigestSize(); + if (macLength < TAG_LENGTH) throw new IllegalStateException(); + // The input is the stream number as a 64-bit integer + byte[] input = new byte[8]; + ByteUtils.writeUint64(streamNumber, input, 0); + prf.update(input, 0, input.length); + byte[] mac = new byte[macLength]; + prf.doFinal(mac, 0); + // The output is the first TAG_LENGTH bytes of the MAC + System.arraycopy(mac, 0, tag, 0, TAG_LENGTH); } public byte[] encryptWithPassword(byte[] input, String password) { diff --git a/briar-core/src/org/briarproject/crypto/FrameEncoder.java b/briar-core/src/org/briarproject/crypto/FrameEncoder.java index efd03ed49bad9c530eb7851571f78fae0f5509a0..c2fb78f848800724c9354c6403e46a91b496cf49 100644 --- a/briar-core/src/org/briarproject/crypto/FrameEncoder.java +++ b/briar-core/src/org/briarproject/crypto/FrameEncoder.java @@ -2,26 +2,23 @@ package org.briarproject.crypto; import org.briarproject.util.ByteUtils; -import static org.briarproject.api.transport.TransportConstants.FRAME_HEADER_LENGTH; +import static org.briarproject.api.transport.TransportConstants.FRAME_HEADER_PAYLOAD_LENGTH; import static org.briarproject.api.transport.TransportConstants.FRAME_IV_LENGTH; import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH; -import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED; class FrameEncoder { static void encodeIv(byte[] iv, long frameNumber, boolean header) { if (iv.length < FRAME_IV_LENGTH) throw new IllegalArgumentException(); - if (frameNumber < 0 || frameNumber > MAX_32_BIT_UNSIGNED) - throw new IllegalArgumentException(); - ByteUtils.writeUint32(frameNumber, iv, 0); - if (header) iv[4] = 1; - else iv[4] = 0; - for (int i = 5; i < FRAME_IV_LENGTH; i++) iv[i] = 0; + if (frameNumber < 0) throw new IllegalArgumentException(); + ByteUtils.writeUint64(frameNumber, iv, 0); + if (header) iv[0] |= 0x80; + for (int i = 8; i < FRAME_IV_LENGTH; i++) iv[i] = 0; } static void encodeHeader(byte[] header, boolean finalFrame, int payloadLength, int paddingLength) { - if (header.length < FRAME_HEADER_LENGTH) + if (header.length < FRAME_HEADER_PAYLOAD_LENGTH) throw new IllegalArgumentException(); if (payloadLength < 0) throw new IllegalArgumentException(); if (paddingLength < 0) throw new IllegalArgumentException(); @@ -33,19 +30,19 @@ class FrameEncoder { } static boolean isFinalFrame(byte[] header) { - if (header.length < FRAME_HEADER_LENGTH) + if (header.length < FRAME_HEADER_PAYLOAD_LENGTH) throw new IllegalArgumentException(); return (header[0] & 0x80) == 0x80; } static int getPayloadLength(byte[] header) { - if (header.length < FRAME_HEADER_LENGTH) + if (header.length < FRAME_HEADER_PAYLOAD_LENGTH) throw new IllegalArgumentException(); return ByteUtils.readUint16(header, 0) & 0x7FFF; } static int getPaddingLength(byte[] header) { - if (header.length < FRAME_HEADER_LENGTH) + if (header.length < FRAME_HEADER_PAYLOAD_LENGTH) throw new IllegalArgumentException(); return ByteUtils.readUint16(header, 2); } diff --git a/briar-core/src/org/briarproject/crypto/StreamDecrypterImpl.java b/briar-core/src/org/briarproject/crypto/StreamDecrypterImpl.java index 89e18bee6119fea1b02809d6f582a9f2696d93e5..5c041ba4d67c0027a29830e8c637a3f83071e85c 100644 --- a/briar-core/src/org/briarproject/crypto/StreamDecrypterImpl.java +++ b/briar-core/src/org/briarproject/crypto/StreamDecrypterImpl.java @@ -10,6 +10,7 @@ import java.io.InputStream; import java.security.GeneralSecurityException; import static org.briarproject.api.transport.TransportConstants.FRAME_HEADER_LENGTH; +import static org.briarproject.api.transport.TransportConstants.FRAME_HEADER_PAYLOAD_LENGTH; import static org.briarproject.api.transport.TransportConstants.FRAME_IV_LENGTH; import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH; import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH; @@ -34,7 +35,7 @@ class StreamDecrypterImpl implements StreamDecrypter { this.cipher = cipher; this.streamHeaderKey = streamHeaderKey; frameIv = new byte[FRAME_IV_LENGTH]; - frameHeader = new byte[FRAME_HEADER_LENGTH]; + frameHeader = new byte[FRAME_HEADER_PAYLOAD_LENGTH]; frameCiphertext = new byte[MAX_FRAME_LENGTH]; frameKey = null; frameNumber = 0; @@ -46,6 +47,8 @@ class StreamDecrypterImpl implements StreamDecrypter { if (payload.length < MAX_PAYLOAD_LENGTH) throw new IllegalArgumentException(); if (finalFrame) return -1; + // Don't allow the frame counter to wrap + if (frameNumber < 0) throw new IOException(); // Read the stream header if required if (frameKey == null) readStreamHeader(); // Read the frame header @@ -62,7 +65,7 @@ class StreamDecrypterImpl implements StreamDecrypter { cipher.init(false, frameKey, frameIv); int decrypted = cipher.process(frameCiphertext, 0, FRAME_HEADER_LENGTH, frameHeader, 0); - if (decrypted != FRAME_HEADER_LENGTH - MAC_LENGTH) + if (decrypted != FRAME_HEADER_PAYLOAD_LENGTH) throw new RuntimeException(); } catch (GeneralSecurityException e) { throw new FormatException(); diff --git a/briar-core/src/org/briarproject/crypto/StreamEncrypterImpl.java b/briar-core/src/org/briarproject/crypto/StreamEncrypterImpl.java index 988be7e0293c9b91e0833af20fdff5543bbebdd8..0dbd8a17664af60ed948265b57ba6fd61d0d555b 100644 --- a/briar-core/src/org/briarproject/crypto/StreamEncrypterImpl.java +++ b/briar-core/src/org/briarproject/crypto/StreamEncrypterImpl.java @@ -8,13 +8,13 @@ import java.io.OutputStream; import java.security.GeneralSecurityException; import static org.briarproject.api.transport.TransportConstants.FRAME_HEADER_LENGTH; +import static org.briarproject.api.transport.TransportConstants.FRAME_HEADER_PAYLOAD_LENGTH; import static org.briarproject.api.transport.TransportConstants.FRAME_IV_LENGTH; import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH; import static org.briarproject.api.transport.TransportConstants.MAX_FRAME_LENGTH; import static org.briarproject.api.transport.TransportConstants.MAX_PAYLOAD_LENGTH; import static org.briarproject.api.transport.TransportConstants.STREAM_HEADER_IV_LENGTH; import static org.briarproject.api.transport.TransportConstants.STREAM_HEADER_LENGTH; -import static org.briarproject.util.ByteUtils.MAX_32_BIT_UNSIGNED; class StreamEncrypterImpl implements StreamEncrypter { @@ -22,7 +22,7 @@ class StreamEncrypterImpl implements StreamEncrypter { private final AuthenticatedCipher cipher; private final SecretKey streamHeaderKey, frameKey; private final byte[] tag, streamHeaderIv; - private final byte[] frameIv, framePlaintext, frameCiphertext; + private final byte[] frameIv, frameHeader, framePlaintext, frameCiphertext; private long frameNumber; private boolean writeTag, writeStreamHeader; @@ -37,7 +37,8 @@ class StreamEncrypterImpl implements StreamEncrypter { this.streamHeaderKey = streamHeaderKey; this.frameKey = frameKey; frameIv = new byte[FRAME_IV_LENGTH]; - framePlaintext = new byte[FRAME_HEADER_LENGTH + MAX_PAYLOAD_LENGTH]; + frameHeader = new byte[FRAME_HEADER_PAYLOAD_LENGTH]; + framePlaintext = new byte[MAX_PAYLOAD_LENGTH]; frameCiphertext = new byte[MAX_FRAME_LENGTH]; frameNumber = 0; writeTag = (tag != null); @@ -49,34 +50,33 @@ class StreamEncrypterImpl implements StreamEncrypter { if (payloadLength + paddingLength > MAX_PAYLOAD_LENGTH) throw new IllegalArgumentException(); // Don't allow the frame counter to wrap - if (frameNumber > MAX_32_BIT_UNSIGNED) throw new IOException(); + if (frameNumber < 0) throw new IOException(); // Write the tag if required if (writeTag) writeTag(); // Write the stream header if required if (writeStreamHeader) writeStreamHeader(); // Encode the frame header - FrameEncoder.encodeHeader(framePlaintext, finalFrame, payloadLength, + FrameEncoder.encodeHeader(frameHeader, finalFrame, payloadLength, paddingLength); // Encrypt and authenticate the frame header FrameEncoder.encodeIv(frameIv, frameNumber, true); try { cipher.init(true, frameKey, frameIv); - int encrypted = cipher.process(framePlaintext, 0, - FRAME_HEADER_LENGTH - MAC_LENGTH, frameCiphertext, 0); + int encrypted = cipher.process(frameHeader, 0, + FRAME_HEADER_PAYLOAD_LENGTH, frameCiphertext, 0); if (encrypted != FRAME_HEADER_LENGTH) throw new RuntimeException(); } catch (GeneralSecurityException badCipher) { throw new RuntimeException(badCipher); } // Combine the payload and padding - System.arraycopy(payload, 0, framePlaintext, FRAME_HEADER_LENGTH, - payloadLength); + System.arraycopy(payload, 0, framePlaintext, 0, payloadLength); for (int i = 0; i < paddingLength; i++) - framePlaintext[FRAME_HEADER_LENGTH + payloadLength + i] = 0; + framePlaintext[payloadLength + i] = 0; // Encrypt and authenticate the payload and padding FrameEncoder.encodeIv(frameIv, frameNumber, false); try { cipher.init(true, frameKey, frameIv); - int encrypted = cipher.process(framePlaintext, FRAME_HEADER_LENGTH, + int encrypted = cipher.process(framePlaintext, 0, payloadLength + paddingLength, frameCiphertext, FRAME_HEADER_LENGTH); if (encrypted != payloadLength + paddingLength + MAC_LENGTH) diff --git a/briar-core/src/org/briarproject/util/ByteUtils.java b/briar-core/src/org/briarproject/util/ByteUtils.java index 777d8231899011ac506db8052e22617a7d4dfcae..6f47e001461e3ebae29cbdc606db0bf3c21b5821 100644 --- a/briar-core/src/org/briarproject/util/ByteUtils.java +++ b/briar-core/src/org/briarproject/util/ByteUtils.java @@ -37,6 +37,19 @@ public class ByteUtils { b[offset + 3] = (byte) (i & 0xFF); } + public static void writeUint64(long i, byte[] b, int offset) { + if (i < 0) throw new IllegalArgumentException(); + if (b.length < offset + 8) throw new IllegalArgumentException(); + b[offset] = (byte) (i >> 56); + b[offset + 1] = (byte) (i >> 48 & 0xFF); + b[offset + 2] = (byte) (i >> 40 & 0xFF); + b[offset + 3] = (byte) (i >> 32 & 0xFF); + b[offset + 4] = (byte) (i >> 24 & 0xFF); + b[offset + 5] = (byte) (i >> 16 & 0xFF); + b[offset + 6] = (byte) (i >> 8 & 0xFF); + b[offset + 7] = (byte) (i & 0xFF); + } + public static int readUint16(byte[] b, int offset) { if (b.length < offset + 2) throw new IllegalArgumentException(); return ((b[offset] & 0xFF) << 8) | (b[offset + 1] & 0xFF); diff --git a/briar-tests/src/org/briarproject/util/ByteUtilsTest.java b/briar-tests/src/org/briarproject/util/ByteUtilsTest.java index 0df6548bd6c60dff8304b0cacd1748c77a5a9a07..67ad3fe1a767df527b993b2fb3b5873c90264926 100644 --- a/briar-tests/src/org/briarproject/util/ByteUtilsTest.java +++ b/briar-tests/src/org/briarproject/util/ByteUtilsTest.java @@ -30,24 +30,39 @@ public class ByteUtilsTest extends BriarTestCase { @Test public void testWriteUint16() { - byte[] b = new byte[3]; + byte[] b = new byte[4]; ByteUtils.writeUint16(0, b, 1); - assertEquals("000000", StringUtils.toHexString(b)); + assertEquals("00000000", StringUtils.toHexString(b)); ByteUtils.writeUint16(1, b, 1); - assertEquals("000001", StringUtils.toHexString(b)); - ByteUtils.writeUint16(65535, b, 1); - assertEquals("00FFFF", StringUtils.toHexString(b)); + assertEquals("00000100", StringUtils.toHexString(b)); + ByteUtils.writeUint16(Short.MAX_VALUE, b, 1); + assertEquals("007FFF00", StringUtils.toHexString(b)); + ByteUtils.writeUint16(ByteUtils.MAX_16_BIT_UNSIGNED, b, 1); + assertEquals("00FFFF00", StringUtils.toHexString(b)); } @Test public void testWriteUint32() { - byte[] b = new byte[5]; + byte[] b = new byte[6]; ByteUtils.writeUint32(0, b, 1); - assertEquals("0000000000", StringUtils.toHexString(b)); + assertEquals("000000000000", StringUtils.toHexString(b)); ByteUtils.writeUint32(1, b, 1); - assertEquals("0000000001", StringUtils.toHexString(b)); - ByteUtils.writeUint32(4294967295L, b, 1); - assertEquals("00FFFFFFFF", StringUtils.toHexString(b)); + assertEquals("000000000100", StringUtils.toHexString(b)); + ByteUtils.writeUint32(Integer.MAX_VALUE, b, 1); + assertEquals("007FFFFFFF00", StringUtils.toHexString(b)); + ByteUtils.writeUint32(ByteUtils.MAX_32_BIT_UNSIGNED, b, 1); + assertEquals("00FFFFFFFF00", StringUtils.toHexString(b)); + } + + @Test + public void testWriteUint64() { + byte[] b = new byte[10]; + ByteUtils.writeUint64(0, b, 1); + assertEquals("00000000000000000000", StringUtils.toHexString(b)); + ByteUtils.writeUint64(1, b, 1); + assertEquals("00000000000000000100", StringUtils.toHexString(b)); + ByteUtils.writeUint64(Long.MAX_VALUE, b, 1); + assertEquals("007FFFFFFFFFFFFFFF00", StringUtils.toHexString(b)); } @Test