]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/charon-tkm/src/tkm/tkm_keymat.c
projects / thirdparty / strongswan.git / blob
? search:


ed5366c2c341ace67fe64470b033c1693e7d0ce0
[thirdparty/strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
1 /*
2 * Copyright (C) 2015 Tobias Brunner
3 * Copyrigth (C) 2012 Reto Buerki
4 * Copyright (C) 2012 Adrian-Ken Rueegsegger
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <daemon.h>
19 #include <tkm/constants.h>
20 #include <tkm/client.h>
21 #include <crypto/hashers/hash_algorithm_set.h>
22
23 #include "tkm.h"
24 #include "tkm_types.h"
25 #include "tkm_utils.h"
26 #include "tkm_diffie_hellman.h"
27 #include "tkm_keymat.h"
28
29 typedef struct private_tkm_keymat_t private_tkm_keymat_t;
30
31 /**
32 * Private data of a keymat_t object.
33 */
34 struct private_tkm_keymat_t {
35
36 /**
37 * Public tkm_keymat_t interface.
38 */
39 tkm_keymat_t public;
40
41 /**
42 * IKE_SA Role, initiator or responder.
43 */
44 bool initiator;
45
46 /**
47 * Inbound AEAD.
48 */
49 aead_t *aead_in;
50
51 /**
52 * Outbound AEAD.
53 */
54 aead_t *aead_out;
55
56 /**
57 * ISA context id.
58 */
59 isa_id_type isa_ctx_id;
60
61 /**
62 * AE context id.
63 */
64 ae_id_type ae_ctx_id;
65
66 /**
67 * AUTH payload chunk.
68 */
69 chunk_t auth_payload;
70
71 /**
72 * Peer init message chunk.
73 */
74 chunk_t other_init_msg;
75
76 /**
77 * Set of hash algorithms supported by peer for signature authentication
78 */
79 hash_algorithm_set_t *hash_algorithms;
80 };
81
82 /**
83 * Create AEAD transforms from given key chunks.
84 *
85 * @param in inbound AEAD transform to allocate, NULL if failed
86 * @param out outbound AEAD transform to allocate, NULL if failed
87 * @param sk_ai SK_ai key chunk
88 * @param sk_ar SK_ar key chunk
89 * @param sk_ei SK_ei key chunk
90 * @param sk_er SK_er key chunk
91 * @param enc_alg encryption algorithm to use
92 * @param int_alg integrity algorithm to use
93 * @param key_size encryption key size in bytes
94 * @param initiator TRUE if initiator
95 */
96 static void aead_create_from_keys(aead_t **in, aead_t **out,
97 const chunk_t * const sk_ai, const chunk_t * const sk_ar,
98 const chunk_t * const sk_ei, const chunk_t * const sk_er,
99 const uint16_t enc_alg, const uint16_t int_alg,
100 const uint16_t key_size, bool initiator)
101 {
102 *in = *out = NULL;
103 signer_t *signer_i, *signer_r;
104 crypter_t *crypter_i, *crypter_r;
105 iv_gen_t *ivg_i, *ivg_r;
106
107 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
108 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
109 if (signer_i == NULL || signer_r == NULL)
110 {
111 DBG1(DBG_IKE, "%N %N not supported!",
112 transform_type_names, INTEGRITY_ALGORITHM,
113 integrity_algorithm_names, int_alg);
114 return;
115 }
116 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
117 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
118 if (crypter_i == NULL || crypter_r == NULL)
119 {
120 signer_i->destroy(signer_i);
121 signer_r->destroy(signer_r);
122 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
123 transform_type_names, ENCRYPTION_ALGORITHM,
124 encryption_algorithm_names, enc_alg, key_size);
125 return;
126 }
127
128 DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
129 if (!signer_i->set_key(signer_i, *sk_ai))
130 {
131 return;
132 }
133 DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
134 if (!signer_r->set_key(signer_r, *sk_ar))
135 {
136 return;
137 }
138 DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
139 if (!crypter_i->set_key(crypter_i, *sk_ei))
140 {
141 return;
142 }
143 DBG4(DBG_IKE, "Sk_er %B", sk_er);
144 if (!crypter_r->set_key(crypter_r, *sk_er))
145 {
146 return;
147 }
148
149 ivg_i = iv_gen_create_for_alg(enc_alg);
150 ivg_r = iv_gen_create_for_alg(enc_alg);
151 if (!ivg_i || !ivg_r)
152 {
153 return;
154 }
155 if (initiator)
156 {
157 *in = aead_create(crypter_r, signer_r, ivg_r);
158 *out = aead_create(crypter_i, signer_i, ivg_i);
159 }
160 else
161 {
162 *in = aead_create(crypter_i, signer_i, ivg_i);
163 *out = aead_create(crypter_r, signer_r, ivg_r);
164 }
165 }
166
167 METHOD(keymat_t, get_version, ike_version_t,
168 private_tkm_keymat_t *this)
169 {
170 return IKEV2;
171 }
172
173 METHOD(keymat_t, create_dh, diffie_hellman_t*,
174 private_tkm_keymat_t *this, diffie_hellman_group_t group)
175 {
176 return lib->crypto->create_dh(lib->crypto, group);
177 }
178
179 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
180 private_tkm_keymat_t *this)
181 {
182 return lib->crypto->create_nonce_gen(lib->crypto);
183 }
184
185 METHOD(keymat_v2_t, derive_ike_keys, bool,
186 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
187 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
188 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
189 {
190 uint16_t enc_alg, int_alg, key_size;
191 uint64_t nc_id, spi_loc, spi_rem;
192 chunk_t *nonce, c_ai, c_ar, c_ei, c_er;
193 tkm_diffie_hellman_t *tkm_dh;
194 dh_id_type dh_id;
195 nonce_type nonce_rem;
196 result_type res;
197 key_type sk_ai, sk_ar, sk_ei, sk_er;
198
199 /* Check encryption and integrity algorithms */
200 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
201 &key_size))
202 {
203 DBG1(DBG_IKE, "no %N selected", transform_type_names,
204 ENCRYPTION_ALGORITHM);
205 return FALSE;
206 }
207 if (encryption_algorithm_is_aead(enc_alg))
208 {
209 DBG1(DBG_IKE, "AEAD algorithm %N not supported",
210 encryption_algorithm_names, enc_alg);
211 return FALSE;
212 }
213 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
214 {
215 DBG1(DBG_IKE, "no %N selected", transform_type_names,
216 INTEGRITY_ALGORITHM);
217 return FALSE;
218 }
219 if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
220 int_alg == AUTH_HMAC_SHA2_512_256))
221 {
222 DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, "
223 "please update your configuration");
224 return FALSE;
225 }
226
227 DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
228 encryption_algorithm_names, enc_alg, integrity_algorithm_names,
229 int_alg);
230
231 /* Acquire nonce context id */
232 nonce = this->initiator ? &nonce_i : &nonce_r;
233 nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
234 if (!nc_id)
235 {
236 DBG1(DBG_IKE, "unable to acquire context id for nonce");
237 return FALSE;
238 }
239
240 /* Get DH context id */
241 tkm_dh = (tkm_diffie_hellman_t *)dh;
242 dh_id = tkm_dh->get_id(tkm_dh);
243
244 if (this->initiator)
245 {
246 chunk_to_sequence(&nonce_r, &nonce_rem, sizeof(nonce_type));
247 spi_loc = id->get_initiator_spi(id);
248 spi_rem = id->get_responder_spi(id);
249 }
250 else
251 {
252 chunk_to_sequence(&nonce_i, &nonce_rem, sizeof(nonce_type));
253 spi_loc = id->get_responder_spi(id);
254 spi_rem = id->get_initiator_spi(id);
255 }
256
257 if (rekey_function == PRF_UNDEFINED)
258 {
259 this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE);
260 if (!this->ae_ctx_id)
261 {
262 DBG1(DBG_IKE, "unable to acquire ae context id");
263 return FALSE;
264 }
265 DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
266 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
267 res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
268 nonce_rem, this->initiator, spi_loc, spi_rem,
269 &sk_ai, &sk_ar, &sk_ei, &sk_er);
270 }
271 else
272 {
273 isa_info_t isa_info;
274
275 if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t))
276 {
277 DBG1(DBG_IKE, "unable to retrieve parent isa info");
278 return FALSE;
279 }
280 isa_info = *((isa_info_t *)(rekey_skd.ptr));
281 DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
282 " dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id,
283 isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem);
284
285 if (!tkm->idmgr->acquire_ref(tkm->idmgr, TKM_CTX_AE, isa_info.ae_id))
286 {
287 DBG1(DBG_IKE, "unable to acquire reference for ae: %llu",
288 isa_info.ae_id);
289 return FALSE;
290 }
291 this->ae_ctx_id = isa_info.ae_id;
292 res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1,
293 dh_id, nc_id, nonce_rem, this->initiator,
294 spi_loc, spi_rem, &sk_ai, &sk_ar, &sk_ei,
295 &sk_er);
296 chunk_free(&rekey_skd);
297 }
298
299 if (res != TKM_OK)
300 {
301 DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
302 return FALSE;
303 }
304
305 sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
306 sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
307 sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
308 sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
309
310 aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei,
311 &c_er, enc_alg, int_alg, key_size / 8,
312 this->initiator);
313
314 chunk_clear(&c_ai);
315 chunk_clear(&c_ar);
316 chunk_clear(&c_ei);
317 chunk_clear(&c_er);
318
319 if (!this->aead_in || !this->aead_out)
320 {
321 DBG1(DBG_IKE, "could not initialize AEAD transforms");
322 return FALSE;
323 }
324
325 /* TODO: Add failure handler (see keymat_v2.c) */
326
327 tkm->chunk_map->remove(tkm->chunk_map, nonce);
328 if (ike_nc_reset(nc_id) != TKM_OK)
329 {
330 DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
331 }
332 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
333
334 return TRUE;
335 }
336
337 METHOD(keymat_v2_t, derive_child_keys, bool,
338 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
339 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
340 chunk_t *encr_r, chunk_t *integ_r)
341 {
342 esa_info_t *esa_info_i, *esa_info_r;
343 dh_id_type dh_id = 0;
344
345 if (dh)
346 {
347 dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
348 }
349
350 INIT(esa_info_i,
351 .isa_id = this->isa_ctx_id,
352 .spi_r = proposal->get_spi(proposal),
353 .nonce_i = chunk_clone(nonce_i),
354 .nonce_r = chunk_clone(nonce_r),
355 .is_encr_r = FALSE,
356 .dh_id = dh_id,
357 );
358
359 INIT(esa_info_r,
360 .isa_id = this->isa_ctx_id,
361 .spi_r = proposal->get_spi(proposal),
362 .nonce_i = chunk_clone(nonce_i),
363 .nonce_r = chunk_clone(nonce_r),
364 .is_encr_r = TRUE,
365 .dh_id = dh_id,
366 );
367
368 DBG1(DBG_CHD, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
369 esa_info_i->isa_id, ntohl(esa_info_i->spi_r), esa_info_i->dh_id);
370
371 /* store ESA info in encr_i/r, which is passed to add_sa */
372 *encr_i = chunk_create((u_char *)esa_info_i, sizeof(esa_info_t));
373 *encr_r = chunk_create((u_char *)esa_info_r, sizeof(esa_info_t));
374 *integ_i = chunk_empty;
375 *integ_r = chunk_empty;
376
377 return TRUE;
378 }
379
380 METHOD(keymat_t, get_aead, aead_t*,
381 private_tkm_keymat_t *this, bool in)
382 {
383 return in ? this->aead_in : this->aead_out;
384 }
385
386 METHOD(keymat_v2_t, get_auth_octets, bool,
387 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
388 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets,
389 array_t *schemes)
390 {
391 sign_info_t *sign;
392
393 if (verify)
394 {
395 /* store peer init message for authentication step */
396 this->other_init_msg = chunk_clone(ike_sa_init);
397 *octets = chunk_empty;
398 return TRUE;
399 }
400
401 INIT(sign,
402 .isa_id = this->isa_ctx_id,
403 .init_message = chunk_clone(ike_sa_init),
404 );
405
406 /*
407 * store signature info in AUTH octets, which is passed to the private key
408 * sign() operation
409 */
410 *octets = chunk_create((u_char *)sign, sizeof(sign_info_t));
411 return TRUE;
412 }
413
414 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
415 private_tkm_keymat_t *this, chunk_t *skd)
416 {
417 isa_info_t *isa_info;
418
419 INIT(isa_info,
420 .parent_isa_id = this->isa_ctx_id,
421 .ae_id = this->ae_ctx_id,
422 );
423
424 *skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t));
425
426 return PRF_HMAC_SHA2_512;
427 }
428
429 METHOD(keymat_v2_t, get_psk_sig, bool,
430 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
431 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
432 {
433 return FALSE;
434 }
435
436 METHOD(keymat_v2_t, hash_algorithm_supported, bool,
437 private_tkm_keymat_t *this, hash_algorithm_t hash)
438 {
439 if (!this->hash_algorithms)
440 {
441 return FALSE;
442 }
443 return this->hash_algorithms->contains(this->hash_algorithms, hash);
444 }
445
446 METHOD(keymat_v2_t, add_hash_algorithm, void,
447 private_tkm_keymat_t *this, hash_algorithm_t hash)
448 {
449 if (!this->hash_algorithms)
450 {
451 this->hash_algorithms = hash_algorithm_set_create();
452 }
453 this->hash_algorithms->add(this->hash_algorithms, hash);
454 }
455
456 METHOD(keymat_t, destroy, void,
457 private_tkm_keymat_t *this)
458 {
459 if (ike_isa_reset(this->isa_ctx_id) != TKM_OK)
460 {
461 DBG1(DBG_IKE, "failed to reset ISA context %d", this->isa_ctx_id);
462 }
463 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ISA, this->isa_ctx_id);
464 /* only reset ae context if set */
465 if (this->ae_ctx_id != 0)
466 {
467 int count;
468 count = tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
469 if (count == 0 && ike_ae_reset(this->ae_ctx_id) != TKM_OK)
470 {
471 DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id);
472 }
473 }
474
475 DESTROY_IF(this->hash_algorithms);
476 DESTROY_IF(this->aead_in);
477 DESTROY_IF(this->aead_out);
478 chunk_free(&this->auth_payload);
479 chunk_free(&this->other_init_msg);
480 free(this);
481 }
482
483 METHOD(tkm_keymat_t, get_isa_id, isa_id_type,
484 private_tkm_keymat_t *this)
485 {
486 return this->isa_ctx_id;
487 }
488
489 METHOD(tkm_keymat_t, set_auth_payload, void,
490 private_tkm_keymat_t *this, const chunk_t * const payload)
491 {
492 this->auth_payload = chunk_clone(*payload);
493 }
494
495 METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
496 private_tkm_keymat_t *this)
497 {
498 return &this->auth_payload;
499 }
500
501 METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
502 private_tkm_keymat_t *this)
503 {
504 return &this->other_init_msg;
505 }
506
507 /**
508 * See header.
509 */
510 tkm_keymat_t *tkm_keymat_create(bool initiator)
511 {
512 private_tkm_keymat_t *this;
513
514 INIT(this,
515 .public = {
516 .keymat_v2 = {
517 .keymat = {
518 .get_version = _get_version,
519 .create_dh = _create_dh,
520 .create_nonce_gen = _create_nonce_gen,
521 .get_aead = _get_aead,
522 .destroy = _destroy,
523 },
524 .derive_ike_keys = _derive_ike_keys,
525 .derive_child_keys = _derive_child_keys,
526 .get_skd = _get_skd,
527 .get_auth_octets = _get_auth_octets,
528 .get_psk_sig = _get_psk_sig,
529 .add_hash_algorithm = _add_hash_algorithm,
530 .hash_algorithm_supported = _hash_algorithm_supported,
531 },
532 .get_isa_id = _get_isa_id,
533 .set_auth_payload = _set_auth_payload,
534 .get_auth_payload = _get_auth_payload,
535 .get_peer_init_msg = _get_peer_init_msg,
536 },
537 .initiator = initiator,
538 .isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
539 .ae_ctx_id = 0,
540 .auth_payload = chunk_empty,
541 .other_init_msg = chunk_empty,
542 );
543
544 if (!this->isa_ctx_id)
545 {
546 free(this);
547 return NULL;
548 }
549
550 return &this->public;
551 }
Unnamed repository; edit this file 'description' to name the repository.