Skip to content

Commit

Permalink
init from 1.3.1
Browse files Browse the repository at this point in the history
  • Loading branch information
@polvi
polvi committed Dec 15, 2013
0 parents commit f71a2d5
Show file tree
Hide file tree
Showing 80 changed files with 9,548 additions and 0 deletions.
36 changes: 36 additions & 0 deletions BUILDING
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
To build and install spiped, run:
# make BINDIR=/path/to/target/directory install

To install man pages, add MAN1DIR=/path/to/man.1/directory to the command
line (e.g., MAN1DIR=/usr/local/man/man1 on FreeBSD).

Spiped should build and run on any IEEE Std 1003.1 (POSIX) compliant
system which
1. Includes the Software Development Utilities option,
2. Has OpenSSL available via -lcrypto and #include <openssl/foo>, and
3. Provides /dev/urandom.

On some platforms (Solaris, maybe others), additional compiler and/or linker
options are required to find OpenSSL or system libraries; these can be
provided by adding e.g., CFLAGS="-I/path/to/openssl/headers" (compiler option)
or LDADD_EXTRA="-L/usr/sfw/lib -lsocket -lnsl" (linker option) to the make
command line.

On some platforms (OpenBSD prior to 5.4, and possibly others) you will need to
add #include <sys/types.h> at the start of
lib/dnsthread/dnsthread.c
lib/util/sock_util.c
proto/proto_conn.c
spipe/main.c
spipe/pushbits.c
due to a POSIX-compliance bug on those platforms.

On some platforms (mostly Linuxes) it is possible to install OpenSSL libaries
wihout the associated header files; the header files are usually in packages
named "openssl-devel", "libssl-dev", or similar.

If your OS provides random bytes via some mechanism other than /dev/urandom,
please make local changes to lib/util/entropy.c and notify the author.

If spiped fails to build or run for other reasons, please notify the
author.
34 changes: 34 additions & 0 deletions CHANGELOG
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
spiped-1.3.1
* Fix build by adding missing <stdint.h> #include.
* Minor code cleanups.
spiped-1.3.0
* Bug fix: spiped now correctly closes connections which have been reset;
in earlier versions spiped could erronously hold "dead" connections open
as long as they remained idle.
* Man pages added.
* Protocol-layer keep-alives are now enabled by default.
* New option -j (spipe/spiped): Disable protocol-layer keep-alives.
* In spiped the target address is now re-resolved every 60 seconds by default.
* New option -R (spiped): Do not re-resolve target address.
* New option -r <rtime> (spiped): Re-resolve target address every <rtime>
seconds.
spiped-1.2.2
* Build fixes for some strictly POSIX-conforming platforms.
* Detect and work around compilers which are POSIX-noncompliant in their
handling of -rt and -lxnet options.
* Minor documentation and typo fixes.
spiped-1.2.1
* Fix build by adding missing <stdint.h> #include.
spiped-1.2.0
* New utility "spipe": A client for the spiped protocol, handling a single
connection with standard input/output as one end.
* Code rearrangement with no functional consequences.
* Minor bug and documentation fixes.
spiped-1.1.0
* New option -D: Wait until DNS lookups succeed.
* New option -F: Don't daemonize.
* Use SO_REUSEADDR to avoid 'socket address already in use' error (most
importantly, if spiped is killed and restarted).
* Minor bug and style fixes.
spiped-1.0.0
* Initial release
32 changes: 32 additions & 0 deletions COPYRIGHT
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
The included code and documentation ("spiped") is distributed under the
following terms:

Copyright 2005-2013 Colin Percival. All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.

In addition to the above, some files are:

Copyright 2012 Andreas Olsson

and distributed under the same terms. Such files contain individual
copyright statements and licenses.
34 changes: 34 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
.POSIX:

PROGS= spiped spipe
BINDIR_DEFAULT= /usr/local/bin
CFLAGS_DEFAULT= -O2

all:
if [ -z "${CFLAGS}" ]; then \
CFLAGS=${CFLAGS_DEFAULT}; \
else \
CFLAGS="${CFLAGS}"; \
fi; \
LDADD_POSIX=`export CC=${CC}; cd POSIX && command -p sh posix-l.sh`; \
for D in ${PROGS}; do \
( cd $${D} && \
make CFLAGS="$${CFLAGS}" \
LDADD_POSIX="$${LDADD_POSIX}" all ) || \
exit 2; \
done

install: all
if [ -z "${BINDIR}" ]; then \
BINDIR=${BINDIR_DEFAULT}; \
else \
BINDIR="${BINDIR}"; \
fi; \
for D in ${PROGS}; do \
( cd $${D} && make BINDIR="$${BINDIR}" install ) || exit 2; \
done

clean:
for D in ${PROGS}; do \
( cd $${D} && make clean ) || exit 2; \
done
10 changes: 10 additions & 0 deletions POSIX/README
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
POSIX compatibility code
------------------------

This code exists to work around some common POSIX compatibility issues.

POSIX specifies that if the first line of a Makefile is ".POSIX:" then the
Makefile should be processed according to POSIX rules, including with CC=c99.
Further, c99 is required to understand the -lrt and -lxnet options (and ignore
them if the routines they specify linkage for are already in the standard C
library). Unfortunately some systems fail or one or both of these accounts.
1 change: 1 addition & 0 deletions POSIX/posix-l.c
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
int main() {return 0;}
14 changes: 14 additions & 0 deletions POSIX/posix-l.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# Should be sourced by `command -p sh posix-l.sh` from within a Makefile.
FIRST=YES
for LIB in rt xnet; do
if ${CC} -l${LIB} posix-l.c 2>/dev/null; then
if [ ${FIRST} = "NO" ]; then
printf " ";
fi
printf "%s" "-l${LIB}";
FIRST=NO;
else
echo "WARNING: POSIX violation: make's CC doesn't understand -l${LIB}" >/dev/stderr
fi
rm -f a.out
done
198 changes: 198 additions & 0 deletions README
Original file line number Diff line number Diff line change
@@ -0,0 +1,198 @@
spiped design
=============

Introduction
------------

spiped (pronounced "ess-pipe-dee") is a utility for creating symmetrically
encrypted and authenticated pipes between socket addresses, so that one may
connect to one address (e.g., a UNIX socket on localhost) and transparently
have a connection established to another address (e.g., a UNIX socket on a
different system). This is similar to 'ssh -L' functionality, but does not
use SSH and requires a pre-shared symmetric key.

spipe (pronounced "ess-pipe") is a utility which acts as an spiped protocol
client (i.e., connects to an spiped daemon), taking input from the standard
input and writing data read back to the standard output.

Note that spiped:
1. Requires a strong key file: The file specified via the -k option should
have at least 256 bits of entropy. ('dd if=/dev/urandom bs=32 count=1' is
your friend.)
2. Requires strong entropy from /dev/urandom. (Make sure your kernel's
random number generator is seeded at boot time!)
3. Does not provide any protection against information leakage via packet
timing: Running telnet over spiped will protect a password from being directly
read from the network, but will not obscure the typing rhythm.
4. Can significantly increase bandwidth usage for interactive sessions: It
sends data in packets of 1024 bytes, and pads smaller messages up to this
length, so a 1 byte write could be expanded to 1024 bytes if it cannot be
coalesced with adjacent bytes.
5. Uses a symmetric key -- so anyone who can connect to an spiped "server" is
also able to impersonate it.

Example usage
-------------

To set up an encrypted and authenticated pipe for sending email between two
systems (in the author's case, from many systems around the internet to his
central SMTP server, which then relays email to the rest of the world), one
might run

# dd if=/dev/urandom bs=32 count=1 of=keyfile
# spiped -d -s '[0.0.0.0]:8025' -t '[127.0.0.1]:25' -k keyfile

on a server and after copying keyfile to the local system, run

# spiped -e -s '[127.0.0.1]:25' -t $SERVERNAME:8025 -k keyfile

at which point mail delivered via localhost:25 on the local system will be
securely transmitted to port 25 on the server.

You can also use spiped to protect SSH servers from attackers: Since data is
authenticated before being forwarded to the target, this can allow you to SSH
to a host while protecting you in the event that someone finds an exploitable
bug in the SSH daemon -- this serves the same purpose as port knocking or a
firewall which restricts source IP addresses which can connect to SSH. On the
SSH server, run

# dd if=/dev/urandom bs=32 count=1 of=/etc/ssh/spiped.key
# spiped -d -s '[0.0.0.0]:8022' -t '[127.0.0.1]:22' -k /etc/ssh/spiped.key

then copy the server's /etc/ssh/spiped.key to ~/.ssh/spiped_HOSTNAME_key on
your local system and add the lines

Host HOSTNAME
ProxyCommand spipe -t %h:8022 -k ~/.ssh/spiped_%h_key

to the ~/.ssh/config file. This will cause "ssh HOSTNAME" to automatically
connect using the spipe client via the spiped daemon; you can then firewall
off all incoming traffic on port tcp/22.

For a detailed list of the command-line options to spiped and spipe, see the
README files in the respective subdirectories.

Security requirements
---------------------

The user is responsible for ensuring that:
1. The key file contains 256 or more bits of entropy.
2. The same key file is not used for more than 2^64 connections.
3. Any individual connection does not transmit more than 2^64 bytes.

Encrypted protocol
------------------

The client and server share a key file with 256 or more bits of entropy. On
launch, they read the key file and compute
K = SHA256(key file).

When a connection is established:
C1. The client generates a 256-bit random value nonce_C and sends it.
S1. The server generates a 256-bit random value nonce_S and sends it.

C2. The client receives a 256-bit value nonce_S.
S2. The server receives a 256-bit value nonce_C.

C3/S3. Both parties now compute the 512-bit value
dk_1 = PBKDF2-SHA256(K, nonce_C || nonce_S, 1)
and parse it as a pair of 256-bit values
dhmac_C || dhmac_S = dk_1.

C4. The client picks* a value x_C and computes** y_C = 2^x_C mod p, where p is
the Diffie-Hellman "group #14" modulus, and h_C = HMAC-SHA256(dhmac_C, y_C).
The client sends y_C || h_C to the server.
S4. The server receives a 2304-bit value which it parses as y_C || h_C, where
y_C is 2048 bits and h_C is 256 bits; and drops the connection if h_C is not
equal to HMAC-SHA256(dhmac_C, y_C) or y_C >= p.

S5. The server picks* a value x_S and computes** y_S = 2^x_S mod p and
h_S = HMAC-SHA256(dhmac_S, y_S). The server sends y_S || h_S to the client.
C5. The client receives a 2304-bit value which it parses as y_S || h_S, where
y_S is 2048 bits and h_S is 256 bits; and drops the connection if h_S is not
equal to HMAC-SHA256(dhmac_S, y_S) or y_S >= p.

C6. The client computes** y_SC = y_S^x_C mod p.
S6. The server computes** y_SC = y_C^x_S mod p.
(Note that these two compute values are identical.)

C7/S7. Both parties now compute the 1024-bit value
dk_2 = PBKDF2-SHA256(K, nonce_C || nonce_S || y_SC, 1)
and parse it as a 4-tuple of 256-bit values
E_C || H_C || E_S || H_S.

Thereafter, the client and server exchange 1060-byte packets P generated from
plaintext messages M of 1--1024 bytes
msg_padded = M || ( 0x00 x (1024 - length(M))) || bigendian32(length(M))
msg_encrypted = AES256-CTR(E, msg_padded, packet#)
P = msg_encrypted || HMAC-SHA256(H, msg_encrypted || bigendian64(packet#))
where E and H are E_C and H_C or E_S and H_S depending on whether the packet
is being sent by the client or the server, and AES256-CTR is computed with
nonce equal to the packet #, which starts at zero and increments for each
packet sent in the same direction.

* The values x_C, x_S picked must either be 0 (if forward perfect secrecy
is not desired) or have 256 bits of entropy (if forward perfect secrecy is
desired).

** The values y_C, y_S, and y_SC are 2048 bits and big-endian.

Security proof
--------------
1. Under the random oracle model, K has at least 255 bits of entropy (it's a
256-bit hash computed from a value with at least 256 bits of entropy).

2. Provided that at least one party is following the protocol and the key
file has been used for fewer than 2^64 connections, the probability of the
tuple (K, nonce_C, nonce_S) being non-unique is less than 2^(-192).

3. Under the random oracle model, the probability of an attacker without
access to K guessing either of dhmac_C and dhmac_S is less than
P(attacker guesses K) +
P(the tuple has been input to the oracle before) +
P(the attacker directly guesses),
which is less than
2^(-255) + 2^(-192) + 2^(-255) = 2^(-192) + 2^(-254).

4. Consequently, in order for an attacker to convince a protocol-obeying
party that a tuple (y, h) is legitimate, the attacker must do at least 2^190
expected work (which we consider to be computationally infeasible and do not
consider any further).

5. If one of the parties opts to not have perfect forward secrecy, then the
value y_SC will be equal to 1 and dk_2 will have the same security properties
as dk_1, i.e., it will be computationally infeasible for an attacker without
access to K to compute dk_2.

6. If both parties opt for perfect forward secrecy, an attacker who can
compute y_SC has solved a Diffie-Hellman problem over the 2048-bit group #14,
which is (under the CDH assumption) computationally infeasible.

7. Consequently, if both parties opt for perfect forward secrecy, an attacker
who obtains access to K after the handshake has completed will continue to be
unable to compute dk_2 from information exchanged during the handshake.

8. Under the random oracle model, the packets P are indistinguishable from
random 1060-byte packets; thus no information about the keys used or the
plaintext being transmitted is revealed by post-key-exchange communications.

9. Because the values (msg_encrypted || bigendian(packet#)) are distinct for
each packet, under the random oracle model it is infeasible for an attacker
without access to the value H to generate a packet which will be accepted as
valid.

Code layout
-----------

spiped/* -- Code specific to the spiped utility.
main.c -- Command-line parsing, initialization, and event loop.
dispatch.c -- Accepts connections and hands them off to protocol code.
spipe/* -- Code specific to the spipe utility.
main.c -- Command-line parsing, initialization, and event loop.
pushbits.c -- Copies data between standard input/output and a socket.
proto/* -- Implements the spiped protocol.
_conn.c -- Manages the lifecycle of a connection.
_handshake.c -- Performs the handshaking portion of the protocol.
_pipe.c -- Performs the data-shuttling portion of the protocol.
_crypt.c -- Does the cryptographic bits needed by _handshake and _pipe.
lib/* -- Library code (mostly originating from tarsnap and kivaloo).
Loading

0 comments on commit f71a2d5

Please sign in to comment.