network_crypto.cpp

Go to the documentation of this file.

/*
 * This file is part of OpenTTD.
 * OpenTTD is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 2.
 * OpenTTD is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with OpenTTD. If not, see <http://www.gnu.org/licenses/>.
 */
 
#include "../stdafx.h"
 
#include "network_crypto_internal.h"
#include "core/packet.h"
 
#include "../3rdparty/monocypher/monocypher.h"
#include "../core/random_func.hpp"
#include "../debug.h"
#include "../string_func.h"
 
#include "../safeguards.h"
 
static void crypto_wipe(std::span<uint8_t> span)
{
  crypto_wipe(span.data(), span.size());
}
 
X25519DerivedKeys::~X25519DerivedKeys()
{
  crypto_wipe(keys);
}
 
std::span<const uint8_t> X25519DerivedKeys::ClientToServer() const
{
  return std::span(this->keys.data(), X25519_KEY_SIZE);
}
 
std::span<const uint8_t> X25519DerivedKeys::ServerToClient() const
{
  return std::span(this->keys.data() + X25519_KEY_SIZE, X25519_KEY_SIZE);
}
 
bool X25519DerivedKeys::Exchange(const X25519PublicKey &peer_public_key, X25519KeyExchangeSide side,
    const X25519SecretKey &our_secret_key, const X25519PublicKey &our_public_key, std::string_view extra_payload)
{
  X25519Key shared_secret;
  crypto_x25519(shared_secret.data(), our_secret_key.data(), peer_public_key.data());
  if (std::all_of(shared_secret.begin(), shared_secret.end(), [](auto v) { return v == 0; })) {
    /* A shared secret of all zeros means that the peer tried to force the shared secret to a known constant. */
    return false;
  }
 
  crypto_blake2b_ctx ctx;
  crypto_blake2b_init(&ctx, this->keys.size());
  crypto_blake2b_update(&ctx, shared_secret.data(), shared_secret.size());
  switch (side) {
    case X25519KeyExchangeSide::SERVER:
      crypto_blake2b_update(&ctx, our_public_key.data(), our_public_key.size());
      crypto_blake2b_update(&ctx, peer_public_key.data(), peer_public_key.size());
      break;
    case X25519KeyExchangeSide::CLIENT:
      crypto_blake2b_update(&ctx, peer_public_key.data(), peer_public_key.size());
      crypto_blake2b_update(&ctx, our_public_key.data(), our_public_key.size());
      break;
    default:
      NOT_REACHED();
  }
  crypto_blake2b_update(&ctx, reinterpret_cast<const uint8_t *>(extra_payload.data()), extra_payload.size());
  crypto_blake2b_final(&ctx, this->keys.data());
  return true;
}
 
class X25519EncryptionHandler : public NetworkEncryptionHandler {
private:
  crypto_aead_ctx context; 
 
public:
  X25519EncryptionHandler(const std::span<const uint8_t> key, const X25519Nonce &nonce)
  {
    assert(key.size() == X25519_KEY_SIZE);
    crypto_aead_init_x(&this->context, key.data(), nonce.data());
  }
 
  ~X25519EncryptionHandler()
  {
    crypto_wipe(&this->context, sizeof(this->context));
  }
 
  size_t MACSize() const override
  {
    return X25519_MAC_SIZE;
  }
 
  bool Decrypt(std::span<std::uint8_t> mac, std::span<std::uint8_t> message) override
  {
    return crypto_aead_read(&this->context, message.data(), mac.data(), nullptr, 0, message.data(), message.size()) == 0;
  }
 
  void Encrypt(std::span<std::uint8_t> mac, std::span<std::uint8_t> message) override
  {
    crypto_aead_write(&this->context, message.data(), mac.data(), nullptr, 0, message.data(), message.size());
  }
};
 
X25519Key::~X25519Key()
{
  crypto_wipe(*this);
}
 
/* static */ X25519SecretKey X25519SecretKey::CreateRandom()
{
  X25519SecretKey secret_key;
  RandomBytesWithFallback(secret_key);
  return secret_key;
}
 
X25519PublicKey X25519SecretKey::CreatePublicKey() const
{
  X25519PublicKey public_key;
  crypto_x25519_public_key(public_key.data(), this->data());
  return public_key;
}
 
/* static */ X25519Nonce X25519Nonce::CreateRandom()
{
  X25519Nonce nonce;
  RandomBytesWithFallback(nonce);
  return nonce;
}
 
X25519Nonce::~X25519Nonce()
{
  crypto_wipe(*this);
}
 
X25519AuthenticationHandler::X25519AuthenticationHandler(const X25519SecretKey &secret_key) :
  our_secret_key(secret_key), our_public_key(secret_key.CreatePublicKey()),
  key_exchange_nonce(X25519Nonce::CreateRandom()), encryption_nonce(X25519Nonce::CreateRandom())
{
}
 
/* virtual */ void X25519AuthenticationHandler::SendRequest(Packet &p)
{
  p.Send_bytes(this->our_public_key);
  p.Send_bytes(this->key_exchange_nonce);
}
 
bool X25519AuthenticationHandler::ReceiveRequest(Packet &p)
{
  if (p.RemainingBytesToTransfer() != X25519_KEY_SIZE + X25519_NONCE_SIZE) {
    Debug(net, 1, "[crypto] Received auth response of illegal size; authentication aborted.");
    return false;
  }
 
  p.Recv_bytes(this->peer_public_key);
  p.Recv_bytes(this->key_exchange_nonce);
  return true;
}
 
bool X25519AuthenticationHandler::SendResponse(Packet &p, std::string_view derived_key_extra_payload)
{
  if (!this->derived_keys.Exchange(this->peer_public_key, X25519KeyExchangeSide::CLIENT,
      this->our_secret_key, this->our_public_key, derived_key_extra_payload)) {
    Debug(net, 0, "[crypto] Peer sent an illegal public key; authentication aborted.");
    return false;
  }
 
  X25519KeyExchangeMessage message;
  RandomBytesWithFallback(message);
  X25519Mac mac;
 
  crypto_aead_lock(message.data(), mac.data(), this->derived_keys.ClientToServer().data(), this->key_exchange_nonce.data(),
      this->our_public_key.data(), this->our_public_key.size(), message.data(), message.size());
 
  p.Send_bytes(this->our_public_key);
  p.Send_bytes(mac);
  p.Send_bytes(message);
  return true;
}
 
std::string X25519AuthenticationHandler::GetPeerPublicKey() const
{
  return FormatArrayAsHex(this->peer_public_key);
}
 
void X25519AuthenticationHandler::SendEnableEncryption(struct Packet &p) const
{
  p.Send_bytes(this->encryption_nonce);
}
 
bool X25519AuthenticationHandler::ReceiveEnableEncryption(struct Packet &p)
{
  return p.Recv_bytes(this->encryption_nonce) == this->encryption_nonce.size();
}
 
std::unique_ptr<NetworkEncryptionHandler> X25519AuthenticationHandler::CreateClientToServerEncryptionHandler() const
{
  return std::make_unique<X25519EncryptionHandler>(this->derived_keys.ClientToServer(), this->encryption_nonce);
}
 
std::unique_ptr<NetworkEncryptionHandler> X25519AuthenticationHandler::CreateServerToClientEncryptionHandler() const
{
  return std::make_unique<X25519EncryptionHandler>(this->derived_keys.ServerToClient(), this->encryption_nonce);
}
 
NetworkAuthenticationServerHandler::ResponseResult X25519AuthenticationHandler::ReceiveResponse(Packet &p, std::string_view derived_key_extra_payload)
{
  if (p.RemainingBytesToTransfer() != X25519_KEY_SIZE + X25519_MAC_SIZE + X25519_KEY_EXCHANGE_MESSAGE_SIZE) {
    Debug(net, 1, "[crypto] Received auth response of illegal size; authentication aborted.");
    return NetworkAuthenticationServerHandler::NOT_AUTHENTICATED;
  }
 
  X25519KeyExchangeMessage message{};
  X25519Mac mac;
 
  p.Recv_bytes(this->peer_public_key);
  p.Recv_bytes(mac);
  p.Recv_bytes(message);
 
  if (!this->derived_keys.Exchange(this->peer_public_key, X25519KeyExchangeSide::SERVER,
      this->our_secret_key, this->our_public_key, derived_key_extra_payload)) {
    Debug(net, 0, "[crypto] Peer sent an illegal public key; authentication aborted.");
    return NetworkAuthenticationServerHandler::NOT_AUTHENTICATED;
  }
 
  if (crypto_aead_unlock(message.data(), mac.data(), this->derived_keys.ClientToServer().data(), this->key_exchange_nonce.data(),
      this->peer_public_key.data(), this->peer_public_key.size(), message.data(), message.size()) != 0) {
    /*
     * The ciphertext and the message authentication code do not match with the encryption key.
     * This is most likely an invalid password, or possibly a bug in the client.
     */
    return NetworkAuthenticationServerHandler::NOT_AUTHENTICATED;
  }
 
  return NetworkAuthenticationServerHandler::AUTHENTICATED;
}
 
 
/* virtual */ NetworkAuthenticationClientHandler::RequestResult X25519PAKEClientHandler::ReceiveRequest(struct Packet &p)
{
  bool success = this->X25519AuthenticationHandler::ReceiveRequest(p);
  if (!success) return NetworkAuthenticationClientHandler::INVALID;
 
  this->handler->AskUserForPassword(this->handler);
  return NetworkAuthenticationClientHandler::AWAIT_USER_INPUT;
}
 
/* static */ X25519SecretKey X25519AuthorizedKeyClientHandler::GetValidSecretKeyAndUpdatePublicKey(std::string &secret_key, std::string &public_key)
{
  X25519SecretKey key{};
  if (!ConvertHexToBytes(secret_key, key)) {
    if (secret_key.empty()) {
      Debug(net, 3, "[crypto] Creating a new random key");
    } else {
      Debug(net, 0, "[crypto] Found invalid secret key, creating a new random key");
    }
    key = X25519SecretKey::CreateRandom();
    secret_key = FormatArrayAsHex(key);
  }
 
  public_key = FormatArrayAsHex(key.CreatePublicKey());
  return key;
}
 
/* virtual */ NetworkAuthenticationServerHandler::ResponseResult X25519AuthorizedKeyServerHandler::ReceiveResponse(Packet &p)
{
  ResponseResult result = this->X25519AuthenticationHandler::ReceiveResponse(p, {});
  if (result != AUTHENTICATED) return result;
 
  std::string peer_public_key = this->GetPeerPublicKey();
  return this->authorized_key_handler->IsAllowed(peer_public_key) ? AUTHENTICATED : NOT_AUTHENTICATED;
}
 
 
/* virtual */ NetworkAuthenticationClientHandler::RequestResult CombinedAuthenticationClientHandler::ReceiveRequest(struct Packet &p)
{
  NetworkAuthenticationMethod method = static_cast<NetworkAuthenticationMethod>(p.Recv_uint8());
 
  auto is_of_method = [method](Handler &handler) { return handler->GetAuthenticationMethod() == method; };
  auto it = std::find_if(handlers.begin(), handlers.end(), is_of_method);
  if (it == handlers.end()) return INVALID;
 
  this->current_handler = it->get();
 
  Debug(net, 9, "Received {} authentication request", this->GetName());
  return this->current_handler->ReceiveRequest(p);
}
 
/* virtual */ bool CombinedAuthenticationClientHandler::SendResponse(struct Packet &p)
{
  Debug(net, 9, "Sending {} authentication response", this->GetName());
 
  return this->current_handler->SendResponse(p);
}
 
/* virtual */ std::string_view CombinedAuthenticationClientHandler::GetName() const
{
  return this->current_handler != nullptr ? this->current_handler->GetName() : "Unknown";
}
 
/* virtual */ NetworkAuthenticationMethod CombinedAuthenticationClientHandler::GetAuthenticationMethod() const
{
  return this->current_handler != nullptr ? this->current_handler->GetAuthenticationMethod() : NETWORK_AUTH_METHOD_END;
}
 
 
void CombinedAuthenticationServerHandler::Add(CombinedAuthenticationServerHandler::Handler &&handler)
{
  /* Is the handler configured correctly, e.g. does it have a password? */
  if (!handler->CanBeUsed()) return;
 
  this->handlers.push_back(std::move(handler));
}
 
/* virtual */ void CombinedAuthenticationServerHandler::SendRequest(struct Packet &p)
{
  Debug(net, 9, "Sending {} authentication request", this->GetName());
 
  p.Send_uint8(this->handlers.back()->GetAuthenticationMethod());
  this->handlers.back()->SendRequest(p);
}
 
/* virtual */ NetworkAuthenticationServerHandler::ResponseResult CombinedAuthenticationServerHandler::ReceiveResponse(struct Packet &p)
{
  Debug(net, 9, "Receiving {} authentication response", this->GetName());
 
  ResponseResult result = this->handlers.back()->ReceiveResponse(p);
  if (result != NOT_AUTHENTICATED) return result;
 
  this->handlers.pop_back();
  return this->CanBeUsed() ? RETRY_NEXT_METHOD : NOT_AUTHENTICATED;
}
 
/* virtual */ std::string_view CombinedAuthenticationServerHandler::GetName() const
{
  return this->CanBeUsed() ? this->handlers.back()->GetName() : "Unknown";
}
 
/* virtual */ NetworkAuthenticationMethod CombinedAuthenticationServerHandler::GetAuthenticationMethod() const
{
  return this->CanBeUsed() ? this->handlers.back()->GetAuthenticationMethod() : NETWORK_AUTH_METHOD_END;
}
 
/* virtual */ bool CombinedAuthenticationServerHandler::CanBeUsed() const
{
  return !this->handlers.empty();
}
 
 
/* virtual */ void NetworkAuthenticationPasswordRequestHandler::Reply(const std::string &password)
{
  this->password = password;
  this->SendResponse();
}
 
/* static */ void NetworkAuthenticationClientHandler::EnsureValidSecretKeyAndUpdatePublicKey(std::string &secret_key, std::string &public_key)
{
  X25519AuthorizedKeyClientHandler::GetValidSecretKeyAndUpdatePublicKey(secret_key, public_key);
}
 
/* static */ std::unique_ptr<NetworkAuthenticationClientHandler> NetworkAuthenticationClientHandler::Create(std::shared_ptr<NetworkAuthenticationPasswordRequestHandler> password_handler, std::string &secret_key, std::string &public_key)
{
  auto secret = X25519AuthorizedKeyClientHandler::GetValidSecretKeyAndUpdatePublicKey(secret_key, public_key);
  auto handler = std::make_unique<CombinedAuthenticationClientHandler>();
  handler->Add(std::make_unique<X25519KeyExchangeOnlyClientHandler>(secret));
  handler->Add(std::make_unique<X25519PAKEClientHandler>(secret, std::move(password_handler)));
  handler->Add(std::make_unique<X25519AuthorizedKeyClientHandler>(secret));
  return handler;
}
 
std::unique_ptr<NetworkAuthenticationServerHandler> NetworkAuthenticationServerHandler::Create(const NetworkAuthenticationPasswordProvider *password_provider, const NetworkAuthenticationAuthorizedKeyHandler *authorized_key_handler, NetworkAuthenticationMethodMask client_supported_method_mask)
{
  auto secret = X25519SecretKey::CreateRandom();
  auto handler = std::make_unique<CombinedAuthenticationServerHandler>();
  if (password_provider != nullptr && HasBit(client_supported_method_mask, NETWORK_AUTH_METHOD_X25519_PAKE)) {
    handler->Add(std::make_unique<X25519PAKEServerHandler>(secret, password_provider));
  }
 
  if (authorized_key_handler != nullptr && HasBit(client_supported_method_mask, NETWORK_AUTH_METHOD_X25519_AUTHORIZED_KEY)) {
    handler->Add(std::make_unique<X25519AuthorizedKeyServerHandler>(secret, authorized_key_handler));
  }
 
  if (!handler->CanBeUsed() && HasBit(client_supported_method_mask, NETWORK_AUTH_METHOD_X25519_KEY_EXCHANGE_ONLY)) {
    /* Fall back to the plain handler when neither password, nor authorized keys are configured. */
    handler->Add(std::make_unique<X25519KeyExchangeOnlyServerHandler>(secret));
  }
  return handler;
}