]> git.ipfire.org Git - people/ms/strongswan.git/blob - src/charon-tkm/src/tkm/tkm_keymat.c
projects / people / ms / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tkm: Implement hash algorithm storage methods of keymat_v2_t interface
[people/ms/strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
1 /*
2 * Copyright (C) 2015 Tobias Brunner
3 * Copyrigth (C) 2012 Reto Buerki
4 * Copyright (C) 2012 Adrian-Ken Rueegsegger
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <daemon.h>
19 #include <tkm/constants.h>
20 #include <tkm/client.h>
21 #include <crypto/hashers/hash_algorithm_set.h>
22
23 #include "tkm.h"
24 #include "tkm_types.h"
25 #include "tkm_utils.h"
26 #include "tkm_diffie_hellman.h"
27 #include "tkm_keymat.h"
28
29 typedef struct private_tkm_keymat_t private_tkm_keymat_t;
30
31 /**
32 * Private data of a keymat_t object.
33 */
34 struct private_tkm_keymat_t {
35
36 /**
37 * Public tkm_keymat_t interface.
38 */
39 tkm_keymat_t public;
40
41 /**
42 * IKE_SA Role, initiator or responder.
43 */
44 bool initiator;
45
46 /**
47 * Inbound AEAD.
48 */
49 aead_t *aead_in;
50
51 /**
52 * Outbound AEAD.
53 */
54 aead_t *aead_out;
55
56 /**
57 * ISA context id.
58 */
59 isa_id_type isa_ctx_id;
60
61 /**
62 * AE context id.
63 */
64 ae_id_type ae_ctx_id;
65
66 /**
67 * AUTH payload chunk.
68 */
69 chunk_t auth_payload;
70
71 /**
72 * Peer init message chunk.
73 */
74 chunk_t other_init_msg;
75
76 /**
77 * Set of hash algorithms supported by peer for signature authentication
78 */
79 hash_algorithm_set_t *hash_algorithms;
80 };
81
82 /**
83 * Create AEAD transforms from given key chunks.
84 *
85 * @param in inbound AEAD transform to allocate, NULL if failed
86 * @param out outbound AEAD transform to allocate, NULL if failed
87 * @param sk_ai SK_ai key chunk
88 * @param sk_ar SK_ar key chunk
89 * @param sk_ei SK_ei key chunk
90 * @param sk_er SK_er key chunk
91 * @param enc_alg encryption algorithm to use
92 * @param int_alg integrity algorithm to use
93 * @param key_size encryption key size in bytes
94 * @param initiator TRUE if initiator
95 */
96 static void aead_create_from_keys(aead_t **in, aead_t **out,
97 const chunk_t * const sk_ai, const chunk_t * const sk_ar,
98 const chunk_t * const sk_ei, const chunk_t * const sk_er,
99 const u_int16_t enc_alg, const u_int16_t int_alg,
100 const u_int16_t key_size, bool initiator)
101 {
102 *in = *out = NULL;
103 signer_t *signer_i, *signer_r;
104 crypter_t *crypter_i, *crypter_r;
105
106 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
107 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
108 if (signer_i == NULL || signer_r == NULL)
109 {
110 DBG1(DBG_IKE, "%N %N not supported!",
111 transform_type_names, INTEGRITY_ALGORITHM,
112 integrity_algorithm_names, int_alg);
113 return;
114 }
115 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
116 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
117 if (crypter_i == NULL || crypter_r == NULL)
118 {
119 signer_i->destroy(signer_i);
120 signer_r->destroy(signer_r);
121 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
122 transform_type_names, ENCRYPTION_ALGORITHM,
123 encryption_algorithm_names, enc_alg, key_size);
124 return;
125 }
126
127 DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
128 if (!signer_i->set_key(signer_i, *sk_ai))
129 {
130 return;
131 }
132 DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
133 if (!signer_r->set_key(signer_r, *sk_ar))
134 {
135 return;
136 }
137 DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
138 if (!crypter_i->set_key(crypter_i, *sk_ei))
139 {
140 return;
141 }
142 DBG4(DBG_IKE, "Sk_er %B", sk_er);
143 if (!crypter_r->set_key(crypter_r, *sk_er))
144 {
145 return;
146 }
147
148 if (initiator)
149 {
150 *in = aead_create(crypter_r, signer_r);
151 *out = aead_create(crypter_i, signer_i);
152 }
153 else
154 {
155 *in = aead_create(crypter_i, signer_i);
156 *out = aead_create(crypter_r, signer_r);
157 }
158 }
159
160 METHOD(keymat_t, get_version, ike_version_t,
161 private_tkm_keymat_t *this)
162 {
163 return IKEV2;
164 }
165
166 METHOD(keymat_t, create_dh, diffie_hellman_t*,
167 private_tkm_keymat_t *this, diffie_hellman_group_t group)
168 {
169 return lib->crypto->create_dh(lib->crypto, group);
170 }
171
172 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
173 private_tkm_keymat_t *this)
174 {
175 return lib->crypto->create_nonce_gen(lib->crypto);
176 }
177
178 METHOD(keymat_v2_t, derive_ike_keys, bool,
179 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
180 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
181 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
182 {
183 u_int16_t enc_alg, int_alg, key_size;
184 u_int64_t nc_id, spi_loc, spi_rem;
185 chunk_t *nonce, c_ai, c_ar, c_ei, c_er;
186 tkm_diffie_hellman_t *tkm_dh;
187 dh_id_type dh_id;
188 nonce_type nonce_rem;
189 result_type res;
190 key_type sk_ai, sk_ar, sk_ei, sk_er;
191
192 /* Check encryption and integrity algorithms */
193 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
194 &key_size))
195 {
196 DBG1(DBG_IKE, "no %N selected", transform_type_names,
197 ENCRYPTION_ALGORITHM);
198 return FALSE;
199 }
200 if (encryption_algorithm_is_aead(enc_alg))
201 {
202 DBG1(DBG_IKE, "AEAD algorithm %N not supported",
203 encryption_algorithm_names, enc_alg);
204 return FALSE;
205 }
206 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
207 {
208 DBG1(DBG_IKE, "no %N selected", transform_type_names,
209 INTEGRITY_ALGORITHM);
210 return FALSE;
211 }
212 if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
213 int_alg == AUTH_HMAC_SHA2_512_256))
214 {
215 DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, "
216 "please update your configuration");
217 return FALSE;
218 }
219
220 DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
221 encryption_algorithm_names, enc_alg, integrity_algorithm_names,
222 int_alg);
223
224 /* Acquire nonce context id */
225 nonce = this->initiator ? &nonce_i : &nonce_r;
226 nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
227 if (!nc_id)
228 {
229 DBG1(DBG_IKE, "unable to acquire context id for nonce");
230 return FALSE;
231 }
232
233 /* Get DH context id */
234 tkm_dh = (tkm_diffie_hellman_t *)dh;
235 dh_id = tkm_dh->get_id(tkm_dh);
236
237 if (this->initiator)
238 {
239 chunk_to_sequence(&nonce_r, &nonce_rem, sizeof(nonce_type));
240 spi_loc = id->get_initiator_spi(id);
241 spi_rem = id->get_responder_spi(id);
242 }
243 else
244 {
245 chunk_to_sequence(&nonce_i, &nonce_rem, sizeof(nonce_type));
246 spi_loc = id->get_responder_spi(id);
247 spi_rem = id->get_initiator_spi(id);
248 }
249
250 if (rekey_function == PRF_UNDEFINED)
251 {
252 this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE);
253 if (!this->ae_ctx_id)
254 {
255 DBG1(DBG_IKE, "unable to acquire ae context id");
256 return FALSE;
257 }
258 DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
259 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
260 res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
261 nonce_rem, this->initiator, spi_loc, spi_rem,
262 &sk_ai, &sk_ar, &sk_ei, &sk_er);
263 }
264 else
265 {
266 isa_info_t isa_info;
267
268 if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t))
269 {
270 DBG1(DBG_IKE, "unable to retrieve parent isa info");
271 return FALSE;
272 }
273 isa_info = *((isa_info_t *)(rekey_skd.ptr));
274 DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
275 "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id,
276 isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem);
277 this->ae_ctx_id = isa_info.ae_id;
278 res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1,
279 dh_id, nc_id, nonce_rem, this->initiator,
280 spi_loc, spi_rem, &sk_ai, &sk_ar, &sk_ei,
281 &sk_er);
282 chunk_free(&rekey_skd);
283 }
284
285 if (res != TKM_OK)
286 {
287 DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
288 return FALSE;
289 }
290
291 sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
292 sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
293 sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
294 sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
295
296 aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei,
297 &c_er, enc_alg, int_alg, key_size / 8,
298 this->initiator);
299
300 chunk_clear(&c_ai);
301 chunk_clear(&c_ar);
302 chunk_clear(&c_ei);
303 chunk_clear(&c_er);
304
305 if (!this->aead_in || !this->aead_out)
306 {
307 DBG1(DBG_IKE, "could not initialize AEAD transforms");
308 return FALSE;
309 }
310
311 /* TODO: Add failure handler (see keymat_v2.c) */
312
313 tkm->chunk_map->remove(tkm->chunk_map, nonce);
314 if (ike_nc_reset(nc_id) != TKM_OK)
315 {
316 DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
317 }
318 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
319
320 return TRUE;
321 }
322
323 METHOD(keymat_v2_t, derive_child_keys, bool,
324 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
325 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
326 chunk_t *encr_r, chunk_t *integ_r)
327 {
328 esa_info_t *esa_info_i, *esa_info_r;
329 dh_id_type dh_id = 0;
330
331 if (dh)
332 {
333 dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
334 }
335
336 INIT(esa_info_i,
337 .isa_id = this->isa_ctx_id,
338 .spi_r = proposal->get_spi(proposal),
339 .nonce_i = chunk_clone(nonce_i),
340 .nonce_r = chunk_clone(nonce_r),
341 .is_encr_r = FALSE,
342 .dh_id = dh_id,
343 );
344
345 INIT(esa_info_r,
346 .isa_id = this->isa_ctx_id,
347 .spi_r = proposal->get_spi(proposal),
348 .nonce_i = chunk_clone(nonce_i),
349 .nonce_r = chunk_clone(nonce_r),
350 .is_encr_r = TRUE,
351 .dh_id = dh_id,
352 );
353
354 DBG1(DBG_CHD, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
355 esa_info_i->isa_id, ntohl(esa_info_i->spi_r), esa_info_i->dh_id);
356
357 /* store ESA info in encr_i/r, which is passed to add_sa */
358 *encr_i = chunk_create((u_char *)esa_info_i, sizeof(esa_info_t));
359 *encr_r = chunk_create((u_char *)esa_info_r, sizeof(esa_info_t));
360 *integ_i = chunk_empty;
361 *integ_r = chunk_empty;
362
363 return TRUE;
364 }
365
366 METHOD(keymat_t, get_aead, aead_t*,
367 private_tkm_keymat_t *this, bool in)
368 {
369 return in ? this->aead_in : this->aead_out;
370 }
371
372 METHOD(keymat_v2_t, get_auth_octets, bool,
373 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
374 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
375 {
376 sign_info_t *sign;
377
378 if (verify)
379 {
380 /* store peer init message for authentication step */
381 this->other_init_msg = chunk_clone(ike_sa_init);
382 *octets = chunk_empty;
383 return TRUE;
384 }
385
386 INIT(sign,
387 .isa_id = this->isa_ctx_id,
388 .init_message = chunk_clone(ike_sa_init),
389 );
390
391 /*
392 * store signature info in AUTH octets, which is passed to the private key
393 * sign() operation
394 */
395 *octets = chunk_create((u_char *)sign, sizeof(sign_info_t));
396 return TRUE;
397 }
398
399 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
400 private_tkm_keymat_t *this, chunk_t *skd)
401 {
402 isa_info_t *isa_info;
403
404 INIT(isa_info,
405 .parent_isa_id = this->isa_ctx_id,
406 .ae_id = this->ae_ctx_id,
407 );
408
409 *skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t));
410
411 /*
412 * remove ae context id, since control has now been handed over to the new
413 * IKE SA keymat
414 */
415 this->ae_ctx_id = 0;
416 return PRF_HMAC_SHA2_512;
417 }
418
419 METHOD(keymat_v2_t, get_psk_sig, bool,
420 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
421 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
422 {
423 return FALSE;
424 }
425
426 METHOD(keymat_v2_t, hash_algorithm_supported, bool,
427 private_tkm_keymat_t *this, hash_algorithm_t hash)
428 {
429 if (!this->hash_algorithms)
430 {
431 return FALSE;
432 }
433 return this->hash_algorithms->contains(this->hash_algorithms, hash);
434 }
435
436 METHOD(keymat_v2_t, add_hash_algorithm, void,
437 private_tkm_keymat_t *this, hash_algorithm_t hash)
438 {
439 if (!this->hash_algorithms)
440 {
441 this->hash_algorithms = hash_algorithm_set_create();
442 }
443 this->hash_algorithms->add(this->hash_algorithms, hash);
444 }
445
446 METHOD(keymat_t, destroy, void,
447 private_tkm_keymat_t *this)
448 {
449 if (ike_isa_reset(this->isa_ctx_id) != TKM_OK)
450 {
451 DBG1(DBG_IKE, "failed to reset ISA context %d", this->isa_ctx_id);
452 }
453 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ISA, this->isa_ctx_id);
454 /* only reset ae context if set */
455 if (this->ae_ctx_id != 0)
456 {
457 if (ike_ae_reset(this->ae_ctx_id) != TKM_OK)
458 {
459 DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id);
460 }
461 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
462 }
463
464 DESTROY_IF(this->hash_algorithms);
465 DESTROY_IF(this->aead_in);
466 DESTROY_IF(this->aead_out);
467 chunk_free(&this->auth_payload);
468 chunk_free(&this->other_init_msg);
469 free(this);
470 }
471
472 METHOD(tkm_keymat_t, get_isa_id, isa_id_type,
473 private_tkm_keymat_t *this)
474 {
475 return this->isa_ctx_id;
476 }
477
478 METHOD(tkm_keymat_t, set_auth_payload, void,
479 private_tkm_keymat_t *this, const chunk_t * const payload)
480 {
481 this->auth_payload = chunk_clone(*payload);
482 }
483
484 METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
485 private_tkm_keymat_t *this)
486 {
487 return &this->auth_payload;
488 }
489
490 METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
491 private_tkm_keymat_t *this)
492 {
493 return &this->other_init_msg;
494 }
495
496 /**
497 * See header.
498 */
499 tkm_keymat_t *tkm_keymat_create(bool initiator)
500 {
501 private_tkm_keymat_t *this;
502
503 INIT(this,
504 .public = {
505 .keymat_v2 = {
506 .keymat = {
507 .get_version = _get_version,
508 .create_dh = _create_dh,
509 .create_nonce_gen = _create_nonce_gen,
510 .get_aead = _get_aead,
511 .destroy = _destroy,
512 },
513 .derive_ike_keys = _derive_ike_keys,
514 .derive_child_keys = _derive_child_keys,
515 .get_skd = _get_skd,
516 .get_auth_octets = _get_auth_octets,
517 .get_psk_sig = _get_psk_sig,
518 .add_hash_algorithm = _add_hash_algorithm,
519 .hash_algorithm_supported = _hash_algorithm_supported,
520 },
521 .get_isa_id = _get_isa_id,
522 .set_auth_payload = _set_auth_payload,
523 .get_auth_payload = _get_auth_payload,
524 .get_peer_init_msg = _get_peer_init_msg,
525 },
526 .initiator = initiator,
527 .isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
528 .ae_ctx_id = 0,
529 .auth_payload = chunk_empty,
530 .other_init_msg = chunk_empty,
531 );
532
533 if (!this->isa_ctx_id)
534 {
535 free(this);
536 return NULL;
537 }
538
539 return &this->public;
540 }
Michael's strongswan development tree