2 * Copyright (C) 2015 Tobias Brunner
3 * Copyrigth (C) 2012 Reto Buerki
4 * Copyright (C) 2012 Adrian-Ken Rueegsegger
5 * Hochschule fuer Technik Rapperswil
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 #include <tkm/constants.h>
20 #include <tkm/client.h>
21 #include <crypto/hashers/hash_algorithm_set.h>
24 #include "tkm_types.h"
25 #include "tkm_utils.h"
26 #include "tkm_diffie_hellman.h"
27 #include "tkm_keymat.h"
29 typedef struct private_tkm_keymat_t private_tkm_keymat_t
;
32 * Private data of a keymat_t object.
34 struct private_tkm_keymat_t
{
37 * Public tkm_keymat_t interface.
42 * IKE_SA Role, initiator or responder.
59 isa_id_type isa_ctx_id
;
72 * Peer init message chunk.
74 chunk_t other_init_msg
;
77 * Set of hash algorithms supported by peer for signature authentication
79 hash_algorithm_set_t
*hash_algorithms
;
83 * Create AEAD transforms from given key chunks.
85 * @param in inbound AEAD transform to allocate, NULL if failed
86 * @param out outbound AEAD transform to allocate, NULL if failed
87 * @param sk_ai SK_ai key chunk
88 * @param sk_ar SK_ar key chunk
89 * @param sk_ei SK_ei key chunk
90 * @param sk_er SK_er key chunk
91 * @param enc_alg encryption algorithm to use
92 * @param int_alg integrity algorithm to use
93 * @param key_size encryption key size in bytes
94 * @param initiator TRUE if initiator
96 static void aead_create_from_keys(aead_t
**in
, aead_t
**out
,
97 const chunk_t
* const sk_ai
, const chunk_t
* const sk_ar
,
98 const chunk_t
* const sk_ei
, const chunk_t
* const sk_er
,
99 const uint16_t enc_alg
, const uint16_t int_alg
,
100 const uint16_t key_size
, bool initiator
)
103 signer_t
*signer_i
, *signer_r
;
104 crypter_t
*crypter_i
, *crypter_r
;
105 iv_gen_t
*ivg_i
, *ivg_r
;
107 signer_i
= lib
->crypto
->create_signer(lib
->crypto
, int_alg
);
108 signer_r
= lib
->crypto
->create_signer(lib
->crypto
, int_alg
);
109 if (signer_i
== NULL
|| signer_r
== NULL
)
111 DBG1(DBG_IKE
, "%N %N not supported!",
112 transform_type_names
, INTEGRITY_ALGORITHM
,
113 integrity_algorithm_names
, int_alg
);
116 crypter_i
= lib
->crypto
->create_crypter(lib
->crypto
, enc_alg
, key_size
);
117 crypter_r
= lib
->crypto
->create_crypter(lib
->crypto
, enc_alg
, key_size
);
118 if (crypter_i
== NULL
|| crypter_r
== NULL
)
120 signer_i
->destroy(signer_i
);
121 signer_r
->destroy(signer_r
);
122 DBG1(DBG_IKE
, "%N %N (key size %d) not supported!",
123 transform_type_names
, ENCRYPTION_ALGORITHM
,
124 encryption_algorithm_names
, enc_alg
, key_size
);
128 DBG4(DBG_IKE
, "Sk_ai %B", sk_ai
);
129 if (!signer_i
->set_key(signer_i
, *sk_ai
))
133 DBG4(DBG_IKE
, "Sk_ar %B", sk_ar
);
134 if (!signer_r
->set_key(signer_r
, *sk_ar
))
138 DBG4(DBG_IKE
, "Sk_ei %B", sk_ei
);
139 if (!crypter_i
->set_key(crypter_i
, *sk_ei
))
143 DBG4(DBG_IKE
, "Sk_er %B", sk_er
);
144 if (!crypter_r
->set_key(crypter_r
, *sk_er
))
149 ivg_i
= iv_gen_create_for_alg(enc_alg
);
150 ivg_r
= iv_gen_create_for_alg(enc_alg
);
151 if (!ivg_i
|| !ivg_r
)
157 *in
= aead_create(crypter_r
, signer_r
, ivg_r
);
158 *out
= aead_create(crypter_i
, signer_i
, ivg_i
);
162 *in
= aead_create(crypter_i
, signer_i
, ivg_i
);
163 *out
= aead_create(crypter_r
, signer_r
, ivg_r
);
167 METHOD(keymat_t
, get_version
, ike_version_t
,
168 private_tkm_keymat_t
*this)
173 METHOD(keymat_t
, create_dh
, diffie_hellman_t
*,
174 private_tkm_keymat_t
*this, diffie_hellman_group_t group
)
176 return lib
->crypto
->create_dh(lib
->crypto
, group
);
179 METHOD(keymat_t
, create_nonce_gen
, nonce_gen_t
*,
180 private_tkm_keymat_t
*this)
182 return lib
->crypto
->create_nonce_gen(lib
->crypto
);
185 METHOD(keymat_v2_t
, derive_ike_keys
, bool,
186 private_tkm_keymat_t
*this, proposal_t
*proposal
, diffie_hellman_t
*dh
,
187 chunk_t nonce_i
, chunk_t nonce_r
, ike_sa_id_t
*id
,
188 pseudo_random_function_t rekey_function
, chunk_t rekey_skd
)
190 uint16_t enc_alg
, int_alg
, key_size
;
191 uint64_t nc_id
, spi_loc
, spi_rem
;
192 chunk_t
*nonce
, c_ai
, c_ar
, c_ei
, c_er
;
193 tkm_diffie_hellman_t
*tkm_dh
;
195 nonce_type nonce_rem
;
197 key_type sk_ai
, sk_ar
, sk_ei
, sk_er
;
199 /* Check encryption and integrity algorithms */
200 if (!proposal
->get_algorithm(proposal
, ENCRYPTION_ALGORITHM
, &enc_alg
,
203 DBG1(DBG_IKE
, "no %N selected", transform_type_names
,
204 ENCRYPTION_ALGORITHM
);
207 if (encryption_algorithm_is_aead(enc_alg
))
209 DBG1(DBG_IKE
, "AEAD algorithm %N not supported",
210 encryption_algorithm_names
, enc_alg
);
213 if (!proposal
->get_algorithm(proposal
, INTEGRITY_ALGORITHM
, &int_alg
, NULL
))
215 DBG1(DBG_IKE
, "no %N selected", transform_type_names
,
216 INTEGRITY_ALGORITHM
);
219 if (!(enc_alg
== ENCR_AES_CBC
&& key_size
== 256 &&
220 int_alg
== AUTH_HMAC_SHA2_512_256
))
222 DBG1(DBG_IKE
, "the TKM only supports aes256-sha512 at the moment, "
223 "please update your configuration");
227 DBG2(DBG_IKE
, "using %N for encryption, %N for integrity",
228 encryption_algorithm_names
, enc_alg
, integrity_algorithm_names
,
231 /* Acquire nonce context id */
232 nonce
= this->initiator
? &nonce_i
: &nonce_r
;
233 nc_id
= tkm
->chunk_map
->get_id(tkm
->chunk_map
, nonce
);
236 DBG1(DBG_IKE
, "unable to acquire context id for nonce");
240 /* Get DH context id */
241 tkm_dh
= (tkm_diffie_hellman_t
*)dh
;
242 dh_id
= tkm_dh
->get_id(tkm_dh
);
246 chunk_to_sequence(&nonce_r
, &nonce_rem
, sizeof(nonce_type
));
247 spi_loc
= id
->get_initiator_spi(id
);
248 spi_rem
= id
->get_responder_spi(id
);
252 chunk_to_sequence(&nonce_i
, &nonce_rem
, sizeof(nonce_type
));
253 spi_loc
= id
->get_responder_spi(id
);
254 spi_rem
= id
->get_initiator_spi(id
);
257 if (rekey_function
== PRF_UNDEFINED
)
259 this->ae_ctx_id
= tkm
->idmgr
->acquire_id(tkm
->idmgr
, TKM_CTX_AE
);
260 if (!this->ae_ctx_id
)
262 DBG1(DBG_IKE
, "unable to acquire ae context id");
265 DBG1(DBG_IKE
, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
266 "spi_rem: %llx)", nc_id
, dh_id
, spi_loc
, spi_rem
);
267 res
= ike_isa_create(this->isa_ctx_id
, this->ae_ctx_id
, 1, dh_id
, nc_id
,
268 nonce_rem
, this->initiator
, spi_loc
, spi_rem
,
269 &sk_ai
, &sk_ar
, &sk_ei
, &sk_er
);
275 if (rekey_skd
.ptr
== NULL
|| rekey_skd
.len
!= sizeof(isa_info_t
))
277 DBG1(DBG_IKE
, "unable to retrieve parent isa info");
280 isa_info
= *((isa_info_t
*)(rekey_skd
.ptr
));
281 DBG1(DBG_IKE
, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
282 " dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info
.parent_isa_id
,
283 isa_info
.ae_id
, nc_id
, dh_id
, spi_loc
, spi_rem
);
285 if (!tkm
->idmgr
->acquire_ref(tkm
->idmgr
, TKM_CTX_AE
, isa_info
.ae_id
))
287 DBG1(DBG_IKE
, "unable to acquire reference for ae: %llu",
291 this->ae_ctx_id
= isa_info
.ae_id
;
292 res
= ike_isa_create_child(this->isa_ctx_id
, isa_info
.parent_isa_id
, 1,
293 dh_id
, nc_id
, nonce_rem
, this->initiator
,
294 spi_loc
, spi_rem
, &sk_ai
, &sk_ar
, &sk_ei
,
296 chunk_free(&rekey_skd
);
301 DBG1(DBG_IKE
, "key derivation failed (isa: %llu)", this->isa_ctx_id
);
305 sequence_to_chunk(sk_ai
.data
, sk_ai
.size
, &c_ai
);
306 sequence_to_chunk(sk_ar
.data
, sk_ar
.size
, &c_ar
);
307 sequence_to_chunk(sk_ei
.data
, sk_ei
.size
, &c_ei
);
308 sequence_to_chunk(sk_er
.data
, sk_er
.size
, &c_er
);
310 aead_create_from_keys(&this->aead_in
, &this->aead_out
, &c_ai
, &c_ar
, &c_ei
,
311 &c_er
, enc_alg
, int_alg
, key_size
/ 8,
319 if (!this->aead_in
|| !this->aead_out
)
321 DBG1(DBG_IKE
, "could not initialize AEAD transforms");
325 /* TODO: Add failure handler (see keymat_v2.c) */
327 tkm
->chunk_map
->remove(tkm
->chunk_map
, nonce
);
328 if (ike_nc_reset(nc_id
) != TKM_OK
)
330 DBG1(DBG_IKE
, "failed to reset nonce context %llu", nc_id
);
332 tkm
->idmgr
->release_id(tkm
->idmgr
, TKM_CTX_NONCE
, nc_id
);
337 METHOD(keymat_v2_t
, derive_child_keys
, bool,
338 private_tkm_keymat_t
*this, proposal_t
*proposal
, diffie_hellman_t
*dh
,
339 chunk_t nonce_i
, chunk_t nonce_r
, chunk_t
*encr_i
, chunk_t
*integ_i
,
340 chunk_t
*encr_r
, chunk_t
*integ_r
)
342 esa_info_t
*esa_info_i
, *esa_info_r
;
343 dh_id_type dh_id
= 0;
347 dh_id
= ((tkm_diffie_hellman_t
*)dh
)->get_id((tkm_diffie_hellman_t
*)dh
);
351 .isa_id
= this->isa_ctx_id
,
352 .spi_r
= proposal
->get_spi(proposal
),
353 .nonce_i
= chunk_clone(nonce_i
),
354 .nonce_r
= chunk_clone(nonce_r
),
360 .isa_id
= this->isa_ctx_id
,
361 .spi_r
= proposal
->get_spi(proposal
),
362 .nonce_i
= chunk_clone(nonce_i
),
363 .nonce_r
= chunk_clone(nonce_r
),
368 DBG1(DBG_CHD
, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
369 esa_info_i
->isa_id
, ntohl(esa_info_i
->spi_r
), esa_info_i
->dh_id
);
371 /* store ESA info in encr_i/r, which is passed to add_sa */
372 *encr_i
= chunk_create((u_char
*)esa_info_i
, sizeof(esa_info_t
));
373 *encr_r
= chunk_create((u_char
*)esa_info_r
, sizeof(esa_info_t
));
374 *integ_i
= chunk_empty
;
375 *integ_r
= chunk_empty
;
380 METHOD(keymat_t
, get_aead
, aead_t
*,
381 private_tkm_keymat_t
*this, bool in
)
383 return in
? this->aead_in
: this->aead_out
;
386 METHOD(keymat_v2_t
, get_auth_octets
, bool,
387 private_tkm_keymat_t
*this, bool verify
, chunk_t ike_sa_init
,
388 chunk_t nonce
, identification_t
*id
, char reserved
[3], chunk_t
*octets
,
395 /* store peer init message for authentication step */
396 this->other_init_msg
= chunk_clone(ike_sa_init
);
397 *octets
= chunk_empty
;
402 .isa_id
= this->isa_ctx_id
,
403 .init_message
= chunk_clone(ike_sa_init
),
407 * store signature info in AUTH octets, which is passed to the private key
410 *octets
= chunk_create((u_char
*)sign
, sizeof(sign_info_t
));
414 METHOD(keymat_v2_t
, get_skd
, pseudo_random_function_t
,
415 private_tkm_keymat_t
*this, chunk_t
*skd
)
417 isa_info_t
*isa_info
;
420 .parent_isa_id
= this->isa_ctx_id
,
421 .ae_id
= this->ae_ctx_id
,
424 *skd
= chunk_create((u_char
*)isa_info
, sizeof(isa_info_t
));
426 return PRF_HMAC_SHA2_512
;
429 METHOD(keymat_v2_t
, get_psk_sig
, bool,
430 private_tkm_keymat_t
*this, bool verify
, chunk_t ike_sa_init
, chunk_t nonce
,
431 chunk_t secret
, identification_t
*id
, char reserved
[3], chunk_t
*sig
)
436 METHOD(keymat_v2_t
, hash_algorithm_supported
, bool,
437 private_tkm_keymat_t
*this, hash_algorithm_t hash
)
439 if (!this->hash_algorithms
)
443 return this->hash_algorithms
->contains(this->hash_algorithms
, hash
);
446 METHOD(keymat_v2_t
, add_hash_algorithm
, void,
447 private_tkm_keymat_t
*this, hash_algorithm_t hash
)
449 if (!this->hash_algorithms
)
451 this->hash_algorithms
= hash_algorithm_set_create();
453 this->hash_algorithms
->add(this->hash_algorithms
, hash
);
456 METHOD(keymat_t
, destroy
, void,
457 private_tkm_keymat_t
*this)
459 if (ike_isa_reset(this->isa_ctx_id
) != TKM_OK
)
461 DBG1(DBG_IKE
, "failed to reset ISA context %d", this->isa_ctx_id
);
463 tkm
->idmgr
->release_id(tkm
->idmgr
, TKM_CTX_ISA
, this->isa_ctx_id
);
464 /* only reset ae context if set */
465 if (this->ae_ctx_id
!= 0)
468 count
= tkm
->idmgr
->release_id(tkm
->idmgr
, TKM_CTX_AE
, this->ae_ctx_id
);
469 if (count
== 0 && ike_ae_reset(this->ae_ctx_id
) != TKM_OK
)
471 DBG1(DBG_IKE
, "failed to reset AE context %d", this->ae_ctx_id
);
475 DESTROY_IF(this->hash_algorithms
);
476 DESTROY_IF(this->aead_in
);
477 DESTROY_IF(this->aead_out
);
478 chunk_free(&this->auth_payload
);
479 chunk_free(&this->other_init_msg
);
483 METHOD(tkm_keymat_t
, get_isa_id
, isa_id_type
,
484 private_tkm_keymat_t
*this)
486 return this->isa_ctx_id
;
489 METHOD(tkm_keymat_t
, set_auth_payload
, void,
490 private_tkm_keymat_t
*this, const chunk_t
* const payload
)
492 this->auth_payload
= chunk_clone(*payload
);
495 METHOD(tkm_keymat_t
, get_auth_payload
, chunk_t
*,
496 private_tkm_keymat_t
*this)
498 return &this->auth_payload
;
501 METHOD(tkm_keymat_t
, get_peer_init_msg
, chunk_t
*,
502 private_tkm_keymat_t
*this)
504 return &this->other_init_msg
;
510 tkm_keymat_t
*tkm_keymat_create(bool initiator
)
512 private_tkm_keymat_t
*this;
518 .get_version
= _get_version
,
519 .create_dh
= _create_dh
,
520 .create_nonce_gen
= _create_nonce_gen
,
521 .get_aead
= _get_aead
,
524 .derive_ike_keys
= _derive_ike_keys
,
525 .derive_child_keys
= _derive_child_keys
,
527 .get_auth_octets
= _get_auth_octets
,
528 .get_psk_sig
= _get_psk_sig
,
529 .add_hash_algorithm
= _add_hash_algorithm
,
530 .hash_algorithm_supported
= _hash_algorithm_supported
,
532 .get_isa_id
= _get_isa_id
,
533 .set_auth_payload
= _set_auth_payload
,
534 .get_auth_payload
= _get_auth_payload
,
535 .get_peer_init_msg
= _get_peer_init_msg
,
537 .initiator
= initiator
,
538 .isa_ctx_id
= tkm
->idmgr
->acquire_id(tkm
->idmgr
, TKM_CTX_ISA
),
540 .auth_payload
= chunk_empty
,
541 .other_init_msg
= chunk_empty
,
544 if (!this->isa_ctx_id
)
550 return &this->public;