libcoap 4.3.5-develop-24d146d
Loading...
Searching...
No Matches
oscore.c
Go to the documentation of this file.
1/* -*- Mode: C; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
2
3/*
4 * Copyright (c) 2018, SICS, RISE AB
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the Institute nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 *
31 */
32
47#include "coap3/coap_libcoap_build.h"
48
49#if COAP_OSCORE_SUPPORT
50
51/* oscore_cs_params
52 * returns cbor array [[param_type], [paramtype, param]]
53 */
54uint8_t *
55oscore_cs_params(int8_t param, int8_t param_type, size_t *len) {
56 uint8_t buf[50];
57 size_t rem_size = sizeof(buf);
58 uint8_t *pt = buf;
59
60 *len = 0;
61 *len += oscore_cbor_put_array(&pt, &rem_size, 2);
62 *len += oscore_cbor_put_array(&pt, &rem_size, 1);
63 *len += oscore_cbor_put_number(&pt, &rem_size, param_type);
64 *len += oscore_cbor_put_array(&pt, &rem_size, 2);
65 *len += oscore_cbor_put_number(&pt, &rem_size, param_type);
66 *len += oscore_cbor_put_number(&pt, &rem_size, param);
67 uint8_t *result = coap_malloc_type(COAP_STRING, *len);
68 memcpy(result, buf, *len);
69 return result;
70}
71
72/* oscore_cs_key_params
73 * returns cbor array [paramtype, param]
74 */
75uint8_t *
76oscore_cs_key_params(cose_curve_t param, int8_t param_type, size_t *len) {
77 uint8_t buf[50];
78 size_t rem_size = sizeof(buf);
79 uint8_t *pt = buf;
80
81 *len = 0;
82 *len += oscore_cbor_put_array(&pt, &rem_size, 2);
83 *len += oscore_cbor_put_number(&pt, &rem_size, param_type);
84 *len += oscore_cbor_put_number(&pt, &rem_size, param);
85 uint8_t *result = coap_malloc_type(COAP_STRING, *len);
86 memcpy(result, buf, *len);
87 return result;
88}
89
90/*
91 * Build the CBOR for external_aad
92 *
93 * external_aad = bstr .cbor aad_array
94 *
95 * No group mode
96 * aad_array = [
97 * oscore_version : uint,
98 * algorithms : [ alg_aead : int / tstr ],
99 * request_kid : bstr,
100 * request_piv : bstr,
101 * options : bstr,
102 * ]
103 *
104 * Group mode
105 * aad_array = [
106 * oscore_version : uint,
107 * algorithms : [alg_aead : int / tstr / null,
108 * alg_signature_enc : int / tstr / null,
109 * alg_signature : int / tstr / null,
110 * alg_pairwise_key_agreement : int / tstr / null],
111 * request_kid : bstr,
112 * request_piv : bstr,
113 * options : bstr,
114 * request_kid_context : bstr,
115 * OSCORE_option: bstr,
116 * sender_public_key: bstr, (initiator's key)
117 * gm_public_key: bstr / null
118 * ]
119 */
120size_t
121oscore_prepare_e_aad(oscore_ctx_t *ctx,
122 cose_encrypt0_t *cose,
123 const uint8_t *oscore_option,
124 size_t oscore_option_len,
125 coap_bin_const_t *sender_public_key,
126 uint8_t *external_aad_ptr,
127 size_t external_aad_size) {
128 size_t external_aad_len = 0;
129 size_t rem_size = external_aad_size;
130
131 (void)oscore_option;
132 (void)oscore_option_len;
133 (void)sender_public_key;
134
135 external_aad_len += oscore_cbor_put_array(&external_aad_ptr, &rem_size, 5);
136
137 /* oscore_version, always "1" */
138 external_aad_len += oscore_cbor_put_unsigned(&external_aad_ptr, &rem_size, 1);
139
140 /* Algoritms array with one item*/
141 external_aad_len += oscore_cbor_put_array(&external_aad_ptr, &rem_size, 1);
142 /* Encryption Algorithm */
143 external_aad_len +=
144 oscore_cbor_put_number(&external_aad_ptr, &rem_size, ctx->aead_alg);
145 /* request_kid */
146 external_aad_len += oscore_cbor_put_bytes(&external_aad_ptr,
147 &rem_size,
148 cose->key_id.s,
149 cose->key_id.length);
150 /* request_piv */
151 external_aad_len += oscore_cbor_put_bytes(&external_aad_ptr,
152 &rem_size,
153 cose->partial_iv.s,
154 cose->partial_iv.length);
155 /* options */
156 /* Put integrity protected options, at present there are none. */
157 external_aad_len +=
158 oscore_cbor_put_bytes(&external_aad_ptr, &rem_size, NULL, 0);
159
160 return external_aad_len;
161}
162
163/*
164 * oscore_encode_option_value
165 */
166size_t
167oscore_encode_option_value(uint8_t *option_buffer,
168 size_t option_buf_len,
169 cose_encrypt0_t *cose,
170 uint8_t group_flag,
171 uint8_t appendix_b_2) {
172 size_t offset = 1;
173 size_t rem_space = option_buf_len;
174
175 (void)group_flag;
176 if (cose->partial_iv.length > 5) {
177 return 0;
178 }
179 option_buffer[0] = 0;
180
181 if (cose->partial_iv.length > 0 && cose->partial_iv.length <= 5 &&
182 cose->partial_iv.s != NULL) {
183 option_buffer[0] |= (0x07 & cose->partial_iv.length);
184 memcpy(&(option_buffer[offset]),
185 cose->partial_iv.s,
186 cose->partial_iv.length);
187 offset += cose->partial_iv.length;
188 assert(rem_space > cose->partial_iv.length);
189 rem_space -= cose->partial_iv.length;
190 }
191
192 if (cose->kid_context.length > 0 && cose->kid_context.s != NULL) {
193 if (appendix_b_2) {
194 /* Need to CBOR wrap kid_context - yuk! */
195 uint8_t *ptr = &option_buffer[offset+1];
196
197 option_buffer[0] |= 0x10;
198 option_buffer[offset] = (uint8_t)oscore_cbor_put_bytes(&ptr, &rem_space,
199 cose->kid_context.s,
200 cose->kid_context.length);
201 offset += option_buffer[offset] + 1;
202 } else {
203 option_buffer[0] |= 0x10;
204 option_buffer[offset] = (uint8_t)cose->kid_context.length;
205 offset++;
206 memcpy(&(option_buffer[offset]),
207 cose->kid_context.s,
208 (uint8_t)cose->kid_context.length);
209 offset += cose->kid_context.length;
210 assert(rem_space > cose->kid_context.length);
211 rem_space -= cose->kid_context.length;
212 }
213 }
214
215 if (cose->key_id.s != NULL) {
216 option_buffer[0] |= 0x08;
217 if (cose->key_id.length) {
218 memcpy(&(option_buffer[offset]), cose->key_id.s, cose->key_id.length);
219 offset += cose->key_id.length;
220 assert(rem_space > cose->key_id.length);
221 rem_space -= cose->key_id.length;
222 }
223 }
224
225 if (offset == 1 && option_buffer[0] == 0) {
226 /* If option_value is 0x00 it should be empty. */
227 offset = 0;
228 }
229 assert(offset <= option_buf_len);
230 cose->oscore_option.s = option_buffer;
231 cose->oscore_option.length = offset;
232 return offset;
233}
234
235/*
236 * oscore_decode_option_value
237 * error: return 0
238 * OK: return 1
239 *
240 * Basic assupmption is that all is preset to 0 or NULL on entry
241 */
242int
243oscore_decode_option_value(const uint8_t *opt_value,
244 size_t option_len,
245 cose_encrypt0_t *cose) {
246 uint8_t partial_iv_len = (opt_value[0] & 0x07);
247 size_t offset = 1;
248
249 cose->oscore_option.s = opt_value;
250 cose->oscore_option.length = option_len;
251
252 if (option_len == 0)
253 return 1; /* empty option */
254
255 if (option_len > 255 || partial_iv_len == 6 || partial_iv_len == 7 ||
256 (opt_value[0] & 0xC0) != 0) {
257 return 0;
258 }
259
260 if ((opt_value[0] & 0x20) != 0) {
261 return 0;
262 }
263
264 if (partial_iv_len != 0) {
265 coap_bin_const_t partial_iv;
266 if (offset + partial_iv_len > option_len) {
267 return 0;
268 }
269 partial_iv.s = &(opt_value[offset]);
270 partial_iv.length = partial_iv_len;
271 cose_encrypt0_set_partial_iv(cose, &partial_iv);
272 offset += partial_iv_len;
273 }
274
275 if ((opt_value[0] & 0x10) != 0) {
276 coap_bin_const_t kid_context;
277
278 if (offset >= option_len)
279 return 0;
280 kid_context.length = opt_value[offset];
281 offset++;
282 if (offset + kid_context.length > option_len) {
283 return 0;
284 }
285 kid_context.s = &(opt_value[offset]);
286 cose_encrypt0_set_kid_context(cose, &kid_context);
287 offset = offset + kid_context.length;
288 }
289
290 if ((opt_value[0] & 0x08) != 0) {
291 coap_bin_const_t key_id;
292
293 key_id.length = option_len - offset;
294 if ((int)key_id.length < 0) {
295 return 0;
296 }
297 key_id.s = &(opt_value[offset]);
298 cose_encrypt0_set_key_id(cose, &key_id);
299 }
300 return 1;
301}
302
303/*
304 * oscore_prepare_aad
305 *
306 * Creates and sets External AAD for encryption
307 */
308size_t
309oscore_prepare_aad(const uint8_t *external_aad_buffer,
310 size_t external_aad_len,
311 uint8_t *aad_buffer,
312 size_t aad_size) {
313 size_t ret = 0;
314 size_t rem_size = aad_size;
315 char encrypt0[] = "Encrypt0";
316
317 (void)aad_size; /* TODO */
318 /* Creating the AAD */
319 ret += oscore_cbor_put_array(&aad_buffer, &rem_size, 3);
320 /* 1. "Encrypt0" */
321 ret +=
322 oscore_cbor_put_text(&aad_buffer, &rem_size, encrypt0, strlen(encrypt0));
323 /* 2. Empty h'' entry */
324 ret += oscore_cbor_put_bytes(&aad_buffer, &rem_size, NULL, 0);
325 /* 3. External AAD */
326 ret += oscore_cbor_put_bytes(&aad_buffer,
327 &rem_size,
328 external_aad_buffer,
329 external_aad_len);
330
331 return ret;
332}
333
334/*
335 * oscore_generate_nonce
336 *
337 * Creates Nonce
338 * See https://datatracker.ietf.org/doc/html/rfc8613#section-5.2 and Figure 8.
339 */
340void
341oscore_generate_nonce(cose_encrypt0_t *ptr,
342 oscore_ctx_t *ctx,
343 uint8_t *buffer,
344 uint8_t size) {
345 size_t tmp_len;
346
347 memset(buffer, 0, size);
348 /* ID_PIV */
349 if (ptr->key_id.length > size - 6UL) {
350 tmp_len = size - 6;
351 } else {
352 tmp_len = ptr->key_id.length;
353 }
354 if (ptr->key_id.s)
355 memcpy(&(buffer[((size - 5) - tmp_len)]),
356 ptr->key_id.s,
357 tmp_len);
358 /* S */
359 buffer[0] = (uint8_t)tmp_len;
360 /* PIV */
361 if (ptr->partial_iv.length > size) {
362 tmp_len = size;
363 } else {
364 tmp_len = ptr->partial_iv.length;
365 }
366 if (tmp_len > 5) {
367 tmp_len = 5;
368 }
369 if (tmp_len) {
370 memcpy(&(buffer[size - tmp_len]),
371 ptr->partial_iv.s,
372 tmp_len);
373 }
374 /* XOR */
375 for (int i = 0; i < size; i++) {
376 buffer[i] = buffer[i] ^ (uint8_t)ctx->common_iv->s[i];
377 }
378}
379
380/*
381 * oscore_validate_sender_seq
382 *
383 * Return 1 if OK, 0 otherwise
384 */
385uint8_t
386oscore_validate_sender_seq(oscore_recipient_ctx_t *ctx, cose_encrypt0_t *cose) {
387 uint64_t incoming_seq =
388 coap_decode_var_bytes8(cose->partial_iv.s, cose->partial_iv.length);
389
390 if (incoming_seq >= OSCORE_SEQ_MAX) {
391 coap_log_warn("OSCORE Replay protection, SEQ larger than SEQ_MAX.\n");
392 return 0;
393 }
394
395 ctx->rollback_last_seq = ctx->last_seq;
396 ctx->rollback_sliding_window = ctx->sliding_window;
397
398 /* Special case since we do not use unsigned int for seq */
399 if (ctx->initial_state == 1) {
400 ctx->initial_state = 0;
401 /* bitfield. B0 biggest seq seen. B1 seq-1 seen, B2 seq-2 seen etc. */
402 ctx->sliding_window = 1;
403 ctx->last_seq = incoming_seq;
404 } else if (incoming_seq > ctx->last_seq) {
405 /* Update the replay window */
406 uint64_t shift = incoming_seq - ctx->last_seq;
407 /* bitfield. B0 biggest seq seen. B1 seq-1 seen, B2 seq-2 seen etc. */
408 if (shift >= ctx->osc_ctx->replay_window_size || shift >= 64) {
409 ctx->sliding_window = 0;
410 } else {
411 ctx->sliding_window <<= shift;
412 }
413 ctx->sliding_window |= 1;
414 ctx->last_seq = incoming_seq;
415 } else if (incoming_seq == ctx->last_seq) {
416 coap_log_warn("OSCORE: Replay protection, replayed SEQ (%" PRIu64 ")\n",
417 incoming_seq);
418 return 0;
419 } else { /* incoming_seq < last_seq */
420 uint64_t shift = ctx->last_seq - incoming_seq;
421 uint64_t pattern;
422
423 if (shift >= ctx->osc_ctx->replay_window_size || shift >= 64) {
424 coap_log_warn(
425 "OSCORE: Replay protection, SEQ outside of replay window (%" PRIu64
426 " %" PRIu64 ")\n",
427 ctx->last_seq, incoming_seq);
428 return 0;
429 }
430 /* seq + replay_window_size > last_seq */
431 pattern = 1ULL << shift;
432 if (ctx->sliding_window & pattern) {
433 coap_log_warn("OSCORE: Replay protection, replayed SEQ (%" PRIu64 ")\n",
434 incoming_seq);
435 return 0;
436 }
437 /* bitfield. B0 biggest seq seen. B1 seq-1 seen, B2 seq-2 seen etc. */
438 ctx->sliding_window |= pattern;
439 }
440 coap_log_oscore("OSCORE: window 0x%" PRIx64 " seq-B0 %" PRIu64 " SEQ %"
441 PRIu64 "\n",
442 ctx->sliding_window,
443 ctx->last_seq,
444 incoming_seq);
445 return 1;
446}
447
448/*
449 * oscore_increment_sender_seq
450 *
451 * Return 0 if SEQ MAX, return 1 if OK
452 */
453uint8_t
454oscore_increment_sender_seq(oscore_ctx_t *ctx) {
455 ctx->sender_context->seq++;
456
457 if (ctx->sender_context->seq >= OSCORE_SEQ_MAX) {
458 return 0;
459 } else {
460 return 1;
461 }
462}
463
464/*
465 * oscore_roll_back_seq
466 *
467 * Restore the sequence number and replay-window to the previous state. This
468 * is to be used when decryption fail.
469 */
470void
471oscore_roll_back_seq(oscore_recipient_ctx_t *ctx) {
472
473 if (ctx->rollback_sliding_window != 0) {
474 ctx->sliding_window = ctx->rollback_sliding_window;
475 ctx->rollback_sliding_window = 0;
476 }
477 if (ctx->rollback_last_seq != 0) {
478 ctx->last_seq = ctx->rollback_last_seq;
479 ctx->rollback_last_seq = 0;
480 }
481}
482
483#else /* ! COAP_OSCORE_SUPPORT */
484
485#ifdef __clang__
486/* Make compilers happy that do not like empty modules. As this function is
487 * never used, we ignore -Wunused-function at the end of compiling this file
488 */
489#pragma GCC diagnostic ignored "-Wunused-function"
490#endif
491static inline void
492dummy(void) {
493}
494
495#endif /* ! COAP_OSCORE_SUPPORT */
PRIx64
#define PRIx64
Definition coap_internal.h:56
PRIu64
#define PRIu64
Definition coap_internal.h:59
coap_libcoap_build.h
Library specific build wrapper for coap_internal.h.
COAP_STRING
@ COAP_STRING
Definition coap_mem.h:33
coap_malloc_type
void * coap_malloc_type(coap_memory_tag_t type, size_t size)
Allocates a chunk of size bytes and returns a pointer to the newly allocated memory.
NULL
#define NULL
Definition coap_option.h:30
coap_decode_var_bytes8
uint64_t coap_decode_var_bytes8(const uint8_t *buf, size_t len)
Decodes multiple-length byte sequences.
Definition coap_encode.c:71
coap_log_oscore
#define coap_log_oscore(...)
Definition coap_debug.h:132
coap_log_warn
#define coap_log_warn(...)
Definition coap_debug.h:108
oscore_cbor_put_text
size_t oscore_cbor_put_text(uint8_t **buffer, size_t *buf_size, const char *text, size_t text_len)
oscore_cbor_put_number
size_t oscore_cbor_put_number(uint8_t **buffer, size_t *buf_size, int64_t value)
oscore_cbor_put_unsigned
size_t oscore_cbor_put_unsigned(uint8_t **buffer, size_t *buf_size, uint64_t value)
oscore_cbor_put_bytes
size_t oscore_cbor_put_bytes(uint8_t **buffer, size_t *buf_size, const uint8_t *bytes, size_t bytes_len)
oscore_cbor_put_array
size_t oscore_cbor_put_array(uint8_t **buffer, size_t *buf_size, size_t elements)
cose_encrypt0_set_kid_context
void cose_encrypt0_set_kid_context(cose_encrypt0_t *ptr, coap_bin_const_t *kid_context)
cose_curve_t
cose_curve_t
Definition oscore_cose.h:62
cose_encrypt0_set_partial_iv
void cose_encrypt0_set_partial_iv(cose_encrypt0_t *ptr, coap_bin_const_t *partial_iv)
cose_encrypt0_set_key_id
void cose_encrypt0_set_key_id(cose_encrypt0_t *ptr, coap_bin_const_t *key_id)
oscore_prepare_aad
size_t oscore_prepare_aad(const uint8_t *external_aad_buffer, size_t external_aad_len, uint8_t *aad_buffer, size_t aad_size)
oscore_encode_option_value
size_t oscore_encode_option_value(uint8_t *option_buffer, size_t option_buf_len, cose_encrypt0_t *cose, uint8_t group, uint8_t appendix_b_2)
oscore_validate_sender_seq
uint8_t oscore_validate_sender_seq(oscore_recipient_ctx_t *ctx, cose_encrypt0_t *cose)
OSCORE_SEQ_MAX
#define OSCORE_SEQ_MAX
Definition oscore_context.h:74
oscore_decode_option_value
int oscore_decode_option_value(const uint8_t *option_value, size_t option_len, cose_encrypt0_t *cose)
oscore_increment_sender_seq
uint8_t oscore_increment_sender_seq(oscore_ctx_t *ctx)
oscore_roll_back_seq
void oscore_roll_back_seq(oscore_recipient_ctx_t *ctx)
oscore_prepare_e_aad
size_t oscore_prepare_e_aad(oscore_ctx_t *ctx, cose_encrypt0_t *cose, const uint8_t *oscore_option, size_t oscore_option_len, coap_bin_const_t *sender_public_key, uint8_t *external_aad_ptr, size_t external_aad_size)
oscore_cs_key_params
uint8_t * oscore_cs_key_params(cose_curve_t param, int8_t param_type, size_t *len)
oscore_generate_nonce
void oscore_generate_nonce(cose_encrypt0_t *ptr, oscore_ctx_t *ctx, uint8_t *buffer, uint8_t size)
oscore_cs_params
uint8_t * oscore_cs_params(int8_t param, int8_t param_type, size_t *len)
dummy
static void dummy(void)
Definition oscore.c:492
coap_bin_const_t
CoAP binary data definition with const data.
Definition coap_str.h:65
coap_bin_const_t::length
size_t length
length of binary data
Definition coap_str.h:66
coap_bin_const_t::s
const uint8_t * s
read-only binary data
Definition coap_str.h:67
cose_encrypt0_t
Definition oscore_cose.h:199
cose_encrypt0_t::partial_iv
coap_bin_const_t partial_iv
Definition oscore_cose.h:204
cose_encrypt0_t::kid_context
coap_bin_const_t kid_context
Definition oscore_cose.h:206
cose_encrypt0_t::key_id
coap_bin_const_t key_id
Definition oscore_cose.h:205
cose_encrypt0_t::oscore_option
coap_bin_const_t oscore_option
Definition oscore_cose.h:207
oscore_ctx_t
Definition oscore_context.h:86
oscore_ctx_t::replay_window_size
uint32_t replay_window_size
Definition oscore_context.h:102
oscore_ctx_t::common_iv
coap_bin_const_t * common_iv
Derived from Master Secret, Master Salt, and ID Context.
Definition oscore_context.h:94
oscore_ctx_t::sender_context
oscore_sender_ctx_t * sender_context
Definition oscore_context.h:96
oscore_ctx_t::aead_alg
cose_alg_t aead_alg
Set to one of COSE_ALGORITHM_AES*.
Definition oscore_context.h:88
oscore_recipient_ctx_t
Definition oscore_context.h:119
oscore_recipient_ctx_t::rollback_sliding_window
uint64_t rollback_sliding_window
Definition oscore_context.h:129
oscore_recipient_ctx_t::sliding_window
uint64_t sliding_window
Definition oscore_context.h:128
oscore_recipient_ctx_t::last_seq
uint64_t last_seq
Definition oscore_context.h:126
oscore_recipient_ctx_t::initial_state
uint8_t initial_state
Definition oscore_context.h:132
oscore_recipient_ctx_t::osc_ctx
oscore_ctx_t * osc_ctx
Definition oscore_context.h:122
oscore_recipient_ctx_t::rollback_last_seq
uint64_t rollback_last_seq
Definition oscore_context.h:130
oscore_sender_ctx_t::seq
uint64_t seq
Sender Sequence Number.
Definition oscore_context.h:114