// Receive a SIGnature record, verify it, if it passed, compute the shared secret and calculate the session keys. static bool receive_sig(sptps_t *s, const char *data, uint16_t len) { size_t keylen = ECDH_SIZE; size_t siglen = ecdsa_size(s->hiskey); // Verify length of KEX record. if(len != siglen) return error(s, EIO, "Invalid KEX record length"); // Concatenate both KEX messages, plus tag indicating if it is from the connection originator char msg[(1 + 32 + keylen) * 2 + 1 + s->labellen]; msg[0] = !s->initiator; memcpy(msg + 1, s->hiskex, 1 + 32 + keylen); memcpy(msg + 1 + 33 + keylen, s->mykex, 1 + 32 + keylen); memcpy(msg + 1 + 2 * (33 + keylen), s->label, s->labellen); // Verify signature. if(!ecdsa_verify(s->hiskey, msg, sizeof msg, data)) return error(s, EIO, "Failed to verify SIG record"); // Compute shared secret. char shared[ECDH_SHARED_SIZE]; if(!ecdh_compute_shared(s->ecdh, s->hiskex + 1 + 32, shared)) return error(s, EINVAL, "Failed to compute ECDH shared secret"); s->ecdh = NULL; // Generate key material from shared secret. if(!generate_key_material(s, shared, sizeof shared)) return false; free(s->mykex); free(s->hiskex); s->mykex = NULL; s->hiskex = NULL; // Send cipher change record if(s->outstate && !send_ack(s)) return false; // TODO: only set new keys after ACK has been set/received if(s->initiator) { if(!chacha_poly1305_set_key(s->outcipher, s->key + CHACHA_POLY1305_KEYLEN)) return error(s, EINVAL, "Failed to set key"); } else { if(!chacha_poly1305_set_key(s->outcipher, s->key)) return error(s, EINVAL, "Failed to set key"); } return true; }
/* * Derive and export the shared secret */ int ecdh_calc_secret( ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ) { int ret; if( ctx == NULL ) return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); if( ( ret = ecdh_compute_shared( &ctx->grp, &ctx->z, &ctx->Qp, &ctx->d, f_rng, p_rng ) ) != 0 ) { return( ret ); } if( mpi_size( &ctx->z ) > blen ) return( POLARSSL_ERR_ECP_BAD_INPUT_DATA ); *olen = ctx->grp.pbits / 8 + ( ( ctx->grp.pbits % 8 ) != 0 ); return mpi_write_binary( &ctx->z, buf, *olen ); }
int main(int argc, char *argv[]) { ecdsa_t *key1, *key2; ecdh_t *ecdh1, *ecdh2; sptps_t sptps1, sptps2; char buf1[4096], buf2[4096], buf3[4096]; double duration = argc > 1 ? atof(argv[1]) : 10; crypto_init(); randomize(buf1, sizeof buf1); randomize(buf2, sizeof buf2); randomize(buf3, sizeof buf3); // Key generation fprintf(stderr, "Generating keys for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) ecdsa_free(ecdsa_generate()); fprintf(stderr, "%17.2lf op/s\n", rate); key1 = ecdsa_generate(); key2 = ecdsa_generate(); // Ed25519 signatures fprintf(stderr, "Ed25519 sign for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) if(!ecdsa_sign(key1, buf1, 256, buf2)) return 1; fprintf(stderr, "%20.2lf op/s\n", rate); fprintf(stderr, "Ed25519 verify for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) if(!ecdsa_verify(key1, buf1, 256, buf2)) { fprintf(stderr, "Signature verification failed\n"); return 1; } fprintf(stderr, "%18.2lf op/s\n", rate); ecdh1 = ecdh_generate_public(buf1); fprintf(stderr, "ECDH for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) { ecdh2 = ecdh_generate_public(buf2); if(!ecdh2) return 1; if(!ecdh_compute_shared(ecdh2, buf1, buf3)) return 1; } fprintf(stderr, "%28.2lf op/s\n", rate); ecdh_free(ecdh1); // SPTPS authentication phase int fd[2]; if(socketpair(AF_UNIX, SOCK_STREAM, 0, fd)) { fprintf(stderr, "Could not create a UNIX socket pair: %s\n", sockstrerror(sockerrno)); return 1; } struct pollfd pfd[2] = {{fd[0], POLLIN}, {fd[1], POLLIN}}; fprintf(stderr, "SPTPS/TCP authenticate for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) { sptps_start(&sptps1, fd + 0, true, false, key1, key2, "sptps_speed", 11, send_data, receive_record); sptps_start(&sptps2, fd + 1, false, false, key2, key1, "sptps_speed", 11, send_data, receive_record); while(poll(pfd, 2, 0)) { if(pfd[0].revents) receive_data(&sptps1); if(pfd[1].revents) receive_data(&sptps2); } sptps_stop(&sptps1); sptps_stop(&sptps2); } fprintf(stderr, "%10.2lf op/s\n", rate * 2); // SPTPS data sptps_start(&sptps1, fd + 0, true, false, key1, key2, "sptps_speed", 11, send_data, receive_record); sptps_start(&sptps2, fd + 1, false, false, key2, key1, "sptps_speed", 11, send_data, receive_record); while(poll(pfd, 2, 0)) { if(pfd[0].revents) receive_data(&sptps1); if(pfd[1].revents) receive_data(&sptps2); } fprintf(stderr, "SPTPS/TCP transmit for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) { if(!sptps_send_record(&sptps1, 0, buf1, 1451)) abort(); receive_data(&sptps2); } rate *= 2 * 1451 * 8; if(rate > 1e9) fprintf(stderr, "%14.2lf Gbit/s\n", rate / 1e9); else if(rate > 1e6) fprintf(stderr, "%14.2lf Mbit/s\n", rate / 1e6); else if(rate > 1e3) fprintf(stderr, "%14.2lf kbit/s\n", rate / 1e3); sptps_stop(&sptps1); sptps_stop(&sptps2); // SPTPS datagram authentication phase close(fd[0]); close(fd[1]); if(socketpair(AF_UNIX, SOCK_DGRAM, 0, fd)) { fprintf(stderr, "Could not create a UNIX socket pair: %s\n", sockstrerror(sockerrno)); return 1; } fprintf(stderr, "SPTPS/UDP authenticate for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) { sptps_start(&sptps1, fd + 0, true, true, key1, key2, "sptps_speed", 11, send_data, receive_record); sptps_start(&sptps2, fd + 1, false, true, key2, key1, "sptps_speed", 11, send_data, receive_record); while(poll(pfd, 2, 0)) { if(pfd[0].revents) receive_data(&sptps1); if(pfd[1].revents) receive_data(&sptps2); } sptps_stop(&sptps1); sptps_stop(&sptps2); } fprintf(stderr, "%10.2lf op/s\n", rate * 2); // SPTPS datagram data sptps_start(&sptps1, fd + 0, true, true, key1, key2, "sptps_speed", 11, send_data, receive_record); sptps_start(&sptps2, fd + 1, false, true, key2, key1, "sptps_speed", 11, send_data, receive_record); while(poll(pfd, 2, 0)) { if(pfd[0].revents) receive_data(&sptps1); if(pfd[1].revents) receive_data(&sptps2); } fprintf(stderr, "SPTPS/UDP transmit for %lg seconds: ", duration); for(clock_start(); clock_countto(duration);) { if(!sptps_send_record(&sptps1, 0, buf1, 1451)) abort(); receive_data(&sptps2); } rate *= 2 * 1451 * 8; if(rate > 1e9) fprintf(stderr, "%14.2lf Gbit/s\n", rate / 1e9); else if(rate > 1e6) fprintf(stderr, "%14.2lf Mbit/s\n", rate / 1e6); else if(rate > 1e3) fprintf(stderr, "%14.2lf kbit/s\n", rate / 1e3); sptps_stop(&sptps1); sptps_stop(&sptps2); // Clean up close(fd[0]); close(fd[1]); ecdsa_free(key1); ecdsa_free(key2); crypto_exit(); return 0; }