// Copyright 2020 ETH Zurich
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// +gobra
// @ dup pkgInvariant acc(postInitInvariant(), _)
package epic
import (
"crypto/aes"
"crypto/cipher"
"crypto/subtle"
"encoding/binary"
"math"
"time"
"github.com/scionproto/scion/pkg/addr"
"github.com/scionproto/scion/pkg/private/serrors"
"github.com/scionproto/scion/pkg/slayers"
"github.com/scionproto/scion/pkg/slayers/path/epic"
// @ . "github.com/scionproto/scion/verification/utils/definitions"
// @ sl "github.com/scionproto/scion/verification/utils/slices"
)
const (
	// AuthLen denotes the size of the authenticator in bytes. VerifyHVF rejects
	// any auth slice whose length differs from this value.
	AuthLen = 16
	// MaxPacketLifetime denotes the maximal lifetime of a packet. VerifyTimestamp
	// uses it to bound how old the sender timestamp may be.
	MaxPacketLifetime time.Duration = 2 * time.Second
	// MaxClockSkew denotes the maximal clock skew. VerifyTimestamp applies it on
	// both sides of the freshness window.
	MaxClockSkew time.Duration = time.Second
	// TimestampResolution denotes the resolution of the epic timestamp: one unit
	// of the 32-bit EPIC timestamp stands for this duration.
	TimestampResolution = 21 * time.Microsecond
	// MACBufferSize denotes the buffer size of the CBC input and output. It is
	// three 16-byte blocks: the 23 fixed input bytes plus a source address of up
	// to 16 bytes, rounded up to a whole block.
	MACBufferSize = 48
)

// zeroInitVector is an all-zero 16-byte block. initEpicMac uses it as the CBC
// initialization vector and prepareMacInput uses it as the source of the zero
// padding. The code in this file only reads it; it must stay all zero.
var zeroInitVector /*@@@*/ [16]byte

// ghost init
// @ func init() {
// @ fold acc(sl.Bytes(zeroInitVector[:], 0, len(zeroInitVector[:])), _)
// @ fold acc(postInitInvariant(), _)
// @ }
// CreateTimestamp computes the EPIC timestamp for the current time (now),
// expressed in units of TimestampResolution relative to the input timestamp.
// An input timestamp that lies after now is rejected with an error. An error is
// also returned when the offset no longer fits into 32 bits, which happens once
// now is more than 1 day and 63 minutes after the input timestamp.
// @ ensures err != nil ==> err.ErrorMem()
// @ decreases
func CreateTimestamp(input time.Time, now time.Time) (res uint32, err error) {
	if now.Before(input) {
		return 0, serrors.New("provided input timestamp is in the future",
			"input", input, "now", now)
	}
	elapsed := now.Sub(input)
	// The encoding stores the number of resolution steps minus one.
	epicTS := elapsed/TimestampResolution - 1
	switch {
	case epicTS < 0:
		// Less than one resolution step has elapsed; clamp to the smallest value.
		epicTS = 0
	case epicTS >= (1 << 32):
		return 0, serrors.New("diff between input and now >1d63min", "epicTS", epicTS)
	}
	return uint32(epicTS), nil
}
// VerifyTimestamp checks whether an EPIC packet is fresh. The send time is
// reconstructed from timestamp plus (epicTS+1) steps of TimestampResolution.
// The packet is accepted when that send time is no more than MaxClockSkew ahead
// of now and now is no more than MaxPacketLifetime plus MaxClockSkew past it.
// Otherwise an error carrying the size of the violation ("delta") is returned.
// @ ensures err != nil ==> err.ErrorMem()
// @ decreases
func VerifyTimestamp(timestamp time.Time, epicTS uint32, now time.Time) (err error) {
	offset := (time.Duration(epicTS) + 1) * TimestampResolution
	sentAt := timestamp.Add(offset)

	// Upper bound: the sender's clock may run ahead of ours by MaxClockSkew.
	latestAllowed := now.Add(MaxClockSkew)
	if sentAt.After(latestAllowed) {
		return serrors.New("epic timestamp is in the future",
			"delta", sentAt.Sub(latestAllowed))
	}

	// Lower bound: packet lifetime plus the tolerated clock skew.
	expiresAt := sentAt.Add(MaxPacketLifetime).Add(MaxClockSkew)
	if now.After(expiresAt) {
		return serrors.New("epic timestamp expired",
			"delta", now.Sub(expiresAt))
	}
	return nil
}
// CalcMac derives the EPIC MAC (PHVF/LHVF) given the full 16 bytes of the SCION path type
// MAC (auth), the EPIC packet ID (pktID), the timestamp in the Info Field (timestamp),
// and the SCION common/address header (s).
// If the same buffer is provided in subsequent calls to this function, the previously returned
// EPIC MAC may get overwritten. Only the most recently returned EPIC MAC is guaranteed to be
// valid.
//
// The returned slice is a 4-byte window into the working buffer: the caller's
// buffer when it holds at least MACBufferSize bytes, otherwise a buffer
// allocated here. Callers that keep the MAC across calls must copy it.
//
// auth is handed unchanged to initEpicMac, which uses it as the AES key. The
// 16-byte length is stated below only as a verification precondition; this
// function does not check it at runtime, and aes.NewCipher also accepts 24- and
// 32-byte keys. Callers other than VerifyHVF have to check len(auth) == AuthLen
// themselves.
// @ requires len(auth) == 16
// @ requires sl.Bytes(buffer, 0, len(buffer))
// @ preserves acc(s.Mem(ub), R20)
// @ preserves acc(sl.Bytes(ub, 0, len(ub)), R20)
// @ preserves acc(sl.Bytes(auth, 0, len(auth)), R30)
// @ ensures reserr == nil ==> sl.Bytes(res, 0, len(res))
// @ ensures reserr == nil ==> (sl.Bytes(res, 0, len(res)) --* sl.Bytes(buffer, 0, len(buffer)))
// @ ensures reserr != nil ==> reserr.ErrorMem()
// @ ensures reserr != nil ==> sl.Bytes(buffer, 0, len(buffer))
// @ decreases
func CalcMac(auth []byte, pktID epic.PktID, s *slayers.SCION,
	timestamp uint32, buffer []byte /*@ , ghost ub []byte @*/) (res []byte, reserr error) {

	// @ ghost oldBuffer := buffer
	// @ ghost allocatesNewBuffer := len(buffer) < MACBufferSize
	// A buffer that is too small is replaced by a fresh one; the caller's buffer
	// is then left untouched.
	if len(buffer) < MACBufferSize {
		buffer = make([]byte, MACBufferSize)
		// @ fold sl.Bytes(buffer, 0, len(buffer))
	}

	// Initialize cryptographic MAC function
	f, err := initEpicMac(auth)
	if err != nil {
		return nil, err
	}
	// Prepare the input for the MAC function
	// prepareMacInput also rejects a nil s, so no separate nil check is needed here.
	inputLength, err := prepareMacInput(pktID, s, timestamp, buffer /*@, ub @*/)
	if err != nil {
		return nil, err
	}
	// @ assert 16 <= inputLength
	// @ assert f.BlockSize() == 16
	// Calculate Epic MAC = first 4 bytes of the last CBC block
	// @ sl.SplitRange_Bytes(buffer, 0, inputLength, writePerm)
	input := buffer[:inputLength]
	// Encrypt in place: the serialized input in buffer is overwritten by the
	// CBC ciphertext.
	f.CryptBlocks(input, input)
	// @ ghost start := len(input)-f.BlockSize()
	// @ ghost end := start + 4
	// Truncate the last ciphertext block to its first 4 bytes.
	result := input[len(input)-f.BlockSize() : len(input)-f.BlockSize()+4]
	// @ sl.SplitRange_Bytes(input, start, end, writePerm)
	// @ package (sl.Bytes(result, 0, len(result)) --* sl.Bytes(oldBuffer, 0, len(oldBuffer))) {
	// @ 	ghost if !allocatesNewBuffer {
	// @ 		assert oldBuffer === buffer
	// @ 		sl.CombineRange_Bytes(input, start, end, writePerm)
	// @ 		sl.CombineRange_Bytes(oldBuffer, 0, inputLength, writePerm)
	// @ 	}
	// @ }
	// @ assert (sl.Bytes(result, 0, len(result)) --* sl.Bytes(oldBuffer, 0, len(oldBuffer)))
	return result, nil
}
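// VerifyHVF verifies the correctness of the HVF (PHVF or the LHVF) field in the EPIC packet by
// recalculating and comparing it. If the EPIC authenticator (auth), which denotes the full 16
// bytes of the SCION path type MAC, has invalid length, or if the MAC calculation gives an error,
// also VerifyHVF returns an error. The verification was successful if and only if VerifyHVF
// returns nil.
//
// The comparison uses subtle.ConstantTimeCompare, which reports a mismatch when
// the lengths differ, so an hvf that is not exactly as long as the 4-byte MAC
// returned by CalcMac never verifies. buffer is the scratch space passed to
// CalcMac and is overwritten.
//
// The error returned on a mismatch carries only the HVF taken from the packet.
// It deliberately contains neither auth nor the recomputed MAC.
// @ preserves sl.Bytes(buffer, 0, len(buffer))
// @ preserves acc(s.Mem(ub), R20)
// @ preserves acc(sl.Bytes(hvf, 0, len(hvf)), R50)
// @ preserves acc(sl.Bytes(ub, 0, len(ub)), R20)
// @ preserves acc(sl.Bytes(auth, 0, len(auth)), R30)
// @ ensures reserr != nil ==> reserr.ErrorMem()
// @ decreases
func VerifyHVF(auth []byte, pktID epic.PktID, s *slayers.SCION,
	timestamp uint32, hvf []byte, buffer []byte /*@ , ghost ub []byte @*/) (reserr error) {

	// CalcMac does not check the key length at runtime, so enforce it here.
	if s == nil || len(auth) != AuthLen {
		return serrors.New("invalid input")
	}

	mac, err := CalcMac(auth, pktID, s, timestamp, buffer /*@ , ub @*/)
	if err != nil {
		return err
	}

	if subtle.ConstantTimeCompare(hvf, mac) == 0 {
		// @ apply sl.Bytes(mac, 0, len(mac)) --* sl.Bytes(buffer, 0, len(buffer))
		// Keep key material out of the error context: auth is the AES key of this
		// MAC and the recomputed MAC is the value a valid packet must carry. Error
		// context may be logged or passed on, so only the packet-supplied HVF is
		// attached.
		return serrors.New("epic hop validation field verification failed",
			"hvf in packet", hvf)
	}
	// @ apply sl.Bytes(mac, 0, len(mac)) --* sl.Bytes(buffer, 0, len(buffer))
	return nil
}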
// PktCounterFromCore packs a core ID and a per-core counter into the 32-bit
// counter of a packet identifier. The core ID fills the top 8 bits and the low
// 24 bits of coreCounter fill the rest. Bits of coreCounter above the low 24
// are dropped, so the per-core counter wraps at 2^24.
func PktCounterFromCore(coreID uint8, coreCounter uint32) uint32 {
	const counterMask = 0x00FFFFFF
	high := uint32(coreID) << 24
	low := coreCounter & counterMask
	return high | low
}
// CoreFromPktCounter splits the 32-bit counter of a packet identifier into its
// two parts: the core ID from the top 8 bits and the core counter from the low
// 24 bits, returned in that order.
func CoreFromPktCounter(counter uint32) (uint8, uint32) {
	return uint8(counter >> 24), counter & 0x00FFFFFF
}
// initEpicMac builds the block mode used to compute the EPIC MAC: AES keyed
// with key, run as a CBC encrypter that starts from the all-zero IV. When
// aes.NewCipher fails, a fixed error message is returned and the underlying
// error is not included.
// @ requires len(key) == 16
// @ preserves acc(sl.Bytes(key, 0, len(key)), R50)
// @ ensures reserr == nil ==>
// @ res != nil && res.Mem() && res.BlockSize() == 16
// @ ensures reserr != nil ==> reserr.ErrorMem()
// @ decreases
func initEpicMac(key []byte) (res cipher.BlockMode, reserr error) {
	aesBlock, cipherErr := aes.NewCipher(key)
	if cipherErr != nil {
		return nil, serrors.New("Unable to initialize AES cipher")
	}
	// @ establishPostInitInvariant()
	// @ unfold acc(postInitInvariant(), _)
	// CBC-MAC is CBC encryption started from the zero initialization vector.
	return cipher.NewCBCEncrypter(aesBlock, zeroInitVector[:]), nil
}
// prepareMacInput serializes the fields covered by the EPIC MAC into
// inputBuffer and zero-pads them to a whole number of 16-byte blocks. It
// returns the padded length in bytes. The only error it returns is for a nil s.
//
// The caller must supply at least MACBufferSize bytes. That is a verification
// precondition and is not re-checked at runtime here; CalcMac ensures it before
// calling.
// NOTE(review): the sizes assume len(s.RawSrcAddr) is at most 16 (see the layout
// below), which keeps the padded length within MACBufferSize. Nothing in this
// function enforces that bound at runtime; confirm it is guaranteed where s is
// populated.
// @ requires MACBufferSize <= len(inputBuffer)
// @ preserves acc(s.Mem(ub), R20)
// @ preserves acc(sl.Bytes(ub, 0, len(ub)), R20)
// @ preserves sl.Bytes(inputBuffer, 0, len(inputBuffer))
// @ ensures reserr == nil ==> 16 <= res && res <= len(inputBuffer)
// @ ensures reserr != nil ==> reserr.ErrorMem()
// @ decreases
func prepareMacInput(pktID epic.PktID, s *slayers.SCION, timestamp uint32,
	inputBuffer []byte /*@ , ghost ub []byte @*/) (res int, reserr error) {
	// @ share pktID
	// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	// | flags (1B) | timestamp (4B) | packet ID (8B) |
	// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	// | srcIA (8B) | srcAddr (4/8/12/16B) | payloadLen (2B) |
	// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	// | zero padding (0-15B) |
	// +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	// The "flags" field only encodes the length of the source address.
	// NOTE(review): because the source address length sits in the first byte,
	// the total input length is fixed by the first block. Presumably this is what
	// makes plain CBC-MAC acceptable for this variable-length input; confirm
	// against the EPIC specification.

	if s == nil {
		return 0, serrors.New("SCION common+address header must not be nil")
	}
	// @ unfold acc(s.Mem(ub), R20/2)
	// @ defer fold acc(s.Mem(ub), R20/2)
	// @ unfold acc(s.HeaderMem(ub[slayers.CmnHdrLen:]), R20/2)
	// @ defer fold acc(s.HeaderMem(ub[slayers.CmnHdrLen:]), R20/2)
	srcAddr := s.RawSrcAddr
	// @ ghost start := slayers.CmnHdrLen+2*addr.IABytes+s.DstAddrType.Length()
	// @ ghost end := slayers.CmnHdrLen+2*addr.IABytes+s.DstAddrType.Length()+s.SrcAddrType.Length()
	// @ assert srcAddr === ub[start:end]
	l := len(srcAddr)

	// Calculate a multiple of 16 such that the input fits in
	// 23 is the number of bytes taken by every field other than the source
	// address; the block count is rounded up with floating-point Ceil.
	nrBlocks := int(math.Ceil((float64(23) + float64(l)) / float64(16)))
	// (VerifiedSCION) The following assumptions cannot be currently proven due to Gobra's incomplete
	// support for floats.
	// @ assume 23 + l <= nrBlocks * 16
	// @ assume nrBlocks * 16 <= 23 + l + 16
	inputLength := 16 * nrBlocks

	// Fill input
	// offset tracks the next write position in inputBuffer.
	// @ unfold sl.Bytes(inputBuffer, 0, len(inputBuffer))
	offset := 0
	inputBuffer[0] = uint8(s.SrcAddrType & 0x3) // extract length bits
	offset += 1
	// @ assert forall i int :: { &inputBuffer[offset:][i] } 0 <= i && i < len(inputBuffer[offset:]) ==>
	// @ &inputBuffer[offset:][i] == &inputBuffer[offset+i]
	binary.BigEndian.PutUint32(inputBuffer[offset:], timestamp)
	offset += 4
	// @ fold sl.Bytes(inputBuffer, 0, len(inputBuffer))
	// @ sl.SplitRange_Bytes(inputBuffer, offset, len(inputBuffer), writePerm)
	pktID.SerializeTo(inputBuffer[offset:])
	// @ sl.CombineRange_Bytes(inputBuffer, offset, len(inputBuffer), writePerm)
	offset += epic.PktIDLen
	// @ unfold sl.Bytes(inputBuffer, 0, len(inputBuffer))
	// @ assert forall i int :: { &inputBuffer[offset:][i] } 0 <= i && i < len(inputBuffer[offset:]) ==>
	// @ &inputBuffer[offset:][i] == &inputBuffer[offset+i]
	binary.BigEndian.PutUint64(inputBuffer[offset:], uint64(s.SrcIA))
	offset += addr.IABytes
	// @ assert forall i int :: { &inputBuffer[offset:][i] } 0 <= i && i < len(inputBuffer[offset:]) ==>
	// @ &inputBuffer[offset:][i] == &inputBuffer[offset+i]
	// @ sl.SplitRange_Bytes(ub, start, end, R20)
	// @ unfold acc(sl.Bytes(srcAddr, 0, len(srcAddr)), R20)
	// copy writes at most the bytes that fit into the destination; offset is
	// advanced by the full source address length regardless.
	copy(inputBuffer[offset:], srcAddr /*@ , R20 @*/)
	// @ fold acc(sl.Bytes(srcAddr, 0, len(srcAddr)), R20)
	// @ sl.CombineRange_Bytes(ub, start, end, R20)
	offset += l
	// @ assert forall i int :: { &inputBuffer[offset:][i] } 0 <= i && i < len(inputBuffer[offset:]) ==>
	// @ &inputBuffer[offset:][i] == &inputBuffer[offset+i]
	binary.BigEndian.PutUint16(inputBuffer[offset:], s.PayloadLen)
	offset += 2
	// @ assert offset == 23 + l
	// @ assert offset <= inputLength
	// @ assert inputLength <= len(inputBuffer)
	// @ assert forall i int :: { &inputBuffer[offset:inputLength][i] } 0 <= i && i < len(inputBuffer[offset:inputLength]) ==>
	// @ &inputBuffer[offset:inputLength][i] == &inputBuffer[offset+i]
	// @ assert forall i int :: { &inputBuffer[offset:inputLength][i] } 0 <= i && i < len(inputBuffer[offset:inputLength]) ==>
	// @ acc(&inputBuffer[offset:inputLength][i])
	// @ establishPostInitInvariant()
	// @ unfold acc(postInitInvariant(), _)
	// @ assert acc(sl.Bytes(zeroInitVector[:], 0, 16), _)
	// (VerifiedSCION) From the package invariant, we learn that we have a wildcard access to zeroInitVector.
	// Unfortunately, it is not possible to call `copy` with a wildcard amount, even though
	// that would be perfectly fine. The spec of `copy` would need to be adapted to allow for that case.
	// @ inhale acc(sl.Bytes(zeroInitVector[:], 0, len(zeroInitVector[:])), R55)
	// @ unfold acc(sl.Bytes(zeroInitVector[:], 0, len(zeroInitVector[:])), R55)
	// @ assert forall i int :: { &zeroInitVector[:][i] } 0 <= i && i < len(zeroInitVector[:]) ==>
	// @ &zeroInitVector[:][i] == &zeroInitVector[i]
	// Zero the padding explicitly: the rest of the last block is overwritten
	// from the all-zero vector rather than left with whatever inputBuffer held
	// before this call.
	copy(inputBuffer[offset:inputLength], zeroInitVector[:] /*@ , R55 @*/)
	// @ fold sl.Bytes(inputBuffer, 0, len(inputBuffer))
	return inputLength, nil
}