]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/ikev1/keymat_v1.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright headers after acquisition by secunet
[thirdparty/strongswan.git] / src / libcharon / sa / ikev1 / keymat_v1.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 *
4 * Copyright (C) secunet Security Networks AG
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "keymat_v1.h"
18
19 #include <daemon.h>
20 #include <sa/ikev1/iv_manager.h>
21 #include <encoding/generator.h>
22 #include <encoding/payloads/nonce_payload.h>
23
24 typedef struct private_keymat_v1_t private_keymat_v1_t;
25
26 /**
27 * Private data of an keymat_t object.
28 */
29 struct private_keymat_v1_t {
30
31 /**
32 * Public keymat_v1_t interface.
33 */
34 keymat_v1_t public;
35
36 /**
37 * IKE_SA Role, initiator or responder
38 */
39 bool initiator;
40
41 /**
42 * General purpose PRF
43 */
44 prf_t *prf;
45
46 /**
47 * PRF to create Phase 1 HASH payloads
48 */
49 prf_t *prf_auth;
50
51 /**
52 * Crypter wrapped in an aead_t interface
53 */
54 aead_t *aead;
55
56 /**
57 * Hasher used for IV generation (and other things like e.g. NAT-T)
58 */
59 hasher_t *hasher;
60
61 /**
62 * Key to derive key material from for non-ISAKMP SAs, rekeying
63 */
64 chunk_t skeyid_d;
65
66 /**
67 * Key used for authentication after main mode
68 */
69 chunk_t skeyid_a;
70
71 /**
72 * IV and QM manager
73 */
74 iv_manager_t *iv_manager;
75 };
76
77 /**
78 * Constants used in key derivation.
79 */
80 static const chunk_t octet_0 = chunk_from_chars(0x00);
81 static const chunk_t octet_1 = chunk_from_chars(0x01);
82 static const chunk_t octet_2 = chunk_from_chars(0x02);
83
84 /**
85 * Simple aead_t implementation without support for authentication.
86 */
87 typedef struct {
88 /** implements aead_t interface */
89 aead_t aead;
90 /** crypter to be used */
91 crypter_t *crypter;
92 } private_aead_t;
93
94
95 METHOD(aead_t, encrypt, bool,
96 private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
97 chunk_t *encrypted)
98 {
99 return this->crypter->encrypt(this->crypter, plain, iv, encrypted);
100 }
101
102 METHOD(aead_t, decrypt, bool,
103 private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
104 chunk_t *plain)
105 {
106 return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
107 }
108
109 METHOD(aead_t, get_block_size, size_t,
110 private_aead_t *this)
111 {
112 return this->crypter->get_block_size(this->crypter);
113 }
114
115 METHOD(aead_t, get_icv_size, size_t,
116 private_aead_t *this)
117 {
118 return 0;
119 }
120
121 METHOD(aead_t, get_iv_size, size_t,
122 private_aead_t *this)
123 {
124 /* in order to create the messages properly we return 0 here */
125 return 0;
126 }
127
128 METHOD(aead_t, get_iv_gen, iv_gen_t*,
129 private_aead_t *this)
130 {
131 /* IVs are retrieved via keymat_v1.get_iv() */
132 return NULL;
133 }
134
135 METHOD(aead_t, get_key_size, size_t,
136 private_aead_t *this)
137 {
138 return this->crypter->get_key_size(this->crypter);
139 }
140
141 METHOD(aead_t, set_key, bool,
142 private_aead_t *this, chunk_t key)
143 {
144 return this->crypter->set_key(this->crypter, key);
145 }
146
147 METHOD(aead_t, aead_destroy, void,
148 private_aead_t *this)
149 {
150 this->crypter->destroy(this->crypter);
151 free(this);
152 }
153
154 /**
155 * Expand SKEYID_e according to Appendix B in RFC 2409.
156 * TODO-IKEv1: verify keys (e.g. for weak keys, see Appendix B)
157 */
158 static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
159 chunk_t *ka)
160 {
161 size_t block_size;
162 chunk_t seed;
163 int i;
164
165 if (skeyid_e.len >= key_size)
166 { /* no expansion required, reduce to key_size */
167 skeyid_e.len = key_size;
168 *ka = skeyid_e;
169 return TRUE;
170 }
171 block_size = prf->get_block_size(prf);
172 *ka = chunk_alloc((key_size / block_size + 1) * block_size);
173 ka->len = key_size;
174
175 /* Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1) ... */
176 if (!prf->set_key(prf, skeyid_e))
177 {
178 chunk_clear(ka);
179 chunk_clear(&skeyid_e);
180 return FALSE;
181 }
182 seed = octet_0;
183 for (i = 0; i < key_size; i += block_size)
184 {
185 if (!prf->get_bytes(prf, seed, ka->ptr + i))
186 {
187 chunk_clear(ka);
188 chunk_clear(&skeyid_e);
189 return FALSE;
190 }
191 seed = chunk_create(ka->ptr + i, block_size);
192 }
193 chunk_clear(&skeyid_e);
194 return TRUE;
195 }
196
197 /**
198 * Create a simple implementation of the aead_t interface which only encrypts
199 * or decrypts data.
200 */
201 static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e,
202 chunk_t *ka)
203 {
204 private_aead_t *this;
205 uint16_t alg, key_size;
206 crypter_t *crypter;
207
208 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg,
209 &key_size))
210 {
211 DBG1(DBG_IKE, "no %N selected",
212 transform_type_names, ENCRYPTION_ALGORITHM);
213 return NULL;
214 }
215 crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
216 if (!crypter)
217 {
218 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
219 transform_type_names, ENCRYPTION_ALGORITHM,
220 encryption_algorithm_names, alg, key_size);
221 return NULL;
222 }
223 if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka))
224 {
225 return NULL;
226 }
227 DBG4(DBG_IKE, "encryption key Ka %B", ka);
228 if (!crypter->set_key(crypter, *ka))
229 {
230 chunk_clear(ka);
231 return NULL;
232 }
233
234 INIT(this,
235 .aead = {
236 .encrypt = _encrypt,
237 .decrypt = _decrypt,
238 .get_block_size = _get_block_size,
239 .get_icv_size = _get_icv_size,
240 .get_iv_size = _get_iv_size,
241 .get_iv_gen = _get_iv_gen,
242 .get_key_size = _get_key_size,
243 .set_key = _set_key,
244 .destroy = _aead_destroy,
245 },
246 .crypter = crypter,
247 );
248 return &this->aead;
249 }
250
251 /**
252 * Converts integrity algorithm to PRF algorithm
253 */
254 static uint16_t auth_to_prf(uint16_t alg)
255 {
256 switch (alg)
257 {
258 case AUTH_HMAC_SHA1_96:
259 return PRF_HMAC_SHA1;
260 case AUTH_HMAC_SHA2_256_128:
261 return PRF_HMAC_SHA2_256;
262 case AUTH_HMAC_SHA2_384_192:
263 return PRF_HMAC_SHA2_384;
264 case AUTH_HMAC_SHA2_512_256:
265 return PRF_HMAC_SHA2_512;
266 case AUTH_HMAC_MD5_96:
267 return PRF_HMAC_MD5;
268 case AUTH_AES_XCBC_96:
269 return PRF_AES128_XCBC;
270 default:
271 return PRF_UNDEFINED;
272 }
273 }
274
275 /**
276 * Converts integrity algorithm to hash algorithm
277 */
278 static uint16_t auth_to_hash(uint16_t alg)
279 {
280 switch (alg)
281 {
282 case AUTH_HMAC_SHA1_96:
283 return HASH_SHA1;
284 case AUTH_HMAC_SHA2_256_128:
285 return HASH_SHA256;
286 case AUTH_HMAC_SHA2_384_192:
287 return HASH_SHA384;
288 case AUTH_HMAC_SHA2_512_256:
289 return HASH_SHA512;
290 case AUTH_HMAC_MD5_96:
291 return HASH_MD5;
292 default:
293 return HASH_UNKNOWN;
294 }
295 }
296
297 /**
298 * Adjust the key length for PRF algorithms that expect a fixed key length.
299 */
300 static void adjust_keylen(uint16_t alg, chunk_t *key)
301 {
302 switch (alg)
303 {
304 case PRF_AES128_XCBC:
305 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
306 * not and therefore fixed key semantics apply to XCBC for key
307 * derivation. */
308 key->len = min(key->len, 16);
309 break;
310 default:
311 /* all other algorithms use variable key length */
312 break;
313 }
314 }
315
316 METHOD(keymat_v1_t, derive_ike_keys, bool,
317 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
318 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
319 auth_method_t auth, shared_key_t *shared_key)
320 {
321 chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
322 chunk_t skeyid, ka;
323 uint16_t alg;
324
325 spi_i = chunk_alloca(sizeof(uint64_t));
326 spi_r = chunk_alloca(sizeof(uint64_t));
327
328 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
329 { /* no PRF negotiated, use HMAC version of integrity algorithm instead */
330 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)
331 || (alg = auth_to_prf(alg)) == PRF_UNDEFINED)
332 {
333 DBG1(DBG_IKE, "no %N selected",
334 transform_type_names, PSEUDO_RANDOM_FUNCTION);
335 return FALSE;
336 }
337 }
338 this->prf = lib->crypto->create_prf(lib->crypto, alg);
339 if (!this->prf)
340 {
341 DBG1(DBG_IKE, "%N %N not supported!",
342 transform_type_names, PSEUDO_RANDOM_FUNCTION,
343 pseudo_random_function_names, alg);
344 return FALSE;
345 }
346 if (this->prf->get_block_size(this->prf) <
347 this->prf->get_key_size(this->prf))
348 { /* TODO-IKEv1: support PRF output expansion (RFC 2409, Appendix B) */
349 DBG1(DBG_IKE, "expansion of %N %N output not supported!",
350 transform_type_names, PSEUDO_RANDOM_FUNCTION,
351 pseudo_random_function_names, alg);
352 return FALSE;
353 }
354
355 if (!dh->get_shared_secret(dh, &g_xy))
356 {
357 return FALSE;
358 }
359 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy);
360
361 *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id);
362 *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id);
363 nonces = chunk_cata("cc", nonce_i, nonce_r);
364
365 switch (auth)
366 {
367 case AUTH_PSK:
368 case AUTH_XAUTH_INIT_PSK:
369 case AUTH_XAUTH_RESP_PSK:
370 { /* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */
371 chunk_t psk;
372 if (!shared_key)
373 {
374 chunk_clear(&g_xy);
375 return FALSE;
376 }
377 psk = shared_key->get_key(shared_key);
378 adjust_keylen(alg, &psk);
379 if (!this->prf->set_key(this->prf, psk) ||
380 !this->prf->allocate_bytes(this->prf, nonces, &skeyid))
381 {
382 chunk_clear(&g_xy);
383 return FALSE;
384 }
385 break;
386 }
387 case AUTH_RSA:
388 case AUTH_ECDSA_256:
389 case AUTH_ECDSA_384:
390 case AUTH_ECDSA_521:
391 case AUTH_XAUTH_INIT_RSA:
392 case AUTH_XAUTH_RESP_RSA:
393 case AUTH_HYBRID_INIT_RSA:
394 case AUTH_HYBRID_RESP_RSA:
395 {
396 if (!this->prf->set_key(this->prf, nonces) ||
397 !this->prf->allocate_bytes(this->prf, g_xy, &skeyid))
398 {
399 chunk_clear(&g_xy);
400 return FALSE;
401 }
402 break;
403 }
404 default:
405 /* TODO-IKEv1: implement key derivation for other schemes */
406 /* authentication class not supported */
407 chunk_clear(&g_xy);
408 return FALSE;
409 }
410 adjust_keylen(alg, &skeyid);
411 DBG4(DBG_IKE, "SKEYID %B", &skeyid);
412
413 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
414 data = chunk_cat("cccc", g_xy, spi_i, spi_r, octet_0);
415 if (!this->prf->set_key(this->prf, skeyid) ||
416 !this->prf->allocate_bytes(this->prf, data, &this->skeyid_d))
417 {
418 chunk_clear(&g_xy);
419 chunk_clear(&data);
420 chunk_clear(&skeyid);
421 return FALSE;
422 }
423 chunk_clear(&data);
424 DBG4(DBG_IKE, "SKEYID_d %B", &this->skeyid_d);
425
426 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
427 data = chunk_cat("ccccc", this->skeyid_d, g_xy, spi_i, spi_r, octet_1);
428 if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_a))
429 {
430 chunk_clear(&g_xy);
431 chunk_clear(&data);
432 chunk_clear(&skeyid);
433 return FALSE;
434 }
435 chunk_clear(&data);
436 DBG4(DBG_IKE, "SKEYID_a %B", &this->skeyid_a);
437
438 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
439 data = chunk_cat("ccccc", this->skeyid_a, g_xy, spi_i, spi_r, octet_2);
440 if (!this->prf->allocate_bytes(this->prf, data, &skeyid_e))
441 {
442 chunk_clear(&g_xy);
443 chunk_clear(&data);
444 chunk_clear(&skeyid);
445 return FALSE;
446 }
447 chunk_clear(&data);
448 DBG4(DBG_IKE, "SKEYID_e %B", &skeyid_e);
449
450 chunk_clear(&g_xy);
451
452 switch (auth)
453 {
454 case AUTH_ECDSA_256:
455 alg = PRF_HMAC_SHA2_256;
456 break;
457 case AUTH_ECDSA_384:
458 alg = PRF_HMAC_SHA2_384;
459 break;
460 case AUTH_ECDSA_521:
461 alg = PRF_HMAC_SHA2_512;
462 break;
463 default:
464 /* use proposal algorithm */
465 break;
466 }
467 this->prf_auth = lib->crypto->create_prf(lib->crypto, alg);
468 if (!this->prf_auth)
469 {
470 DBG1(DBG_IKE, "%N %N not supported!",
471 transform_type_names, PSEUDO_RANDOM_FUNCTION,
472 pseudo_random_function_names, alg);
473 chunk_clear(&skeyid);
474 return FALSE;
475 }
476 if (!this->prf_auth->set_key(this->prf_auth, skeyid))
477 {
478 chunk_clear(&skeyid);
479 return FALSE;
480 }
481 chunk_clear(&skeyid);
482
483 this->aead = create_aead(proposal, this->prf, skeyid_e, &ka);
484 if (!this->aead)
485 {
486 return FALSE;
487 }
488 charon->bus->ike_derived_keys(charon->bus, this->skeyid_d, this->skeyid_a,
489 chunk_empty, ka, chunk_empty, chunk_empty,
490 chunk_empty);
491 chunk_clear(&ka);
492 if (!this->hasher && !this->public.create_hasher(&this->public, proposal))
493 {
494 return FALSE;
495 }
496
497 if (!dh->get_my_public_value(dh, &dh_me))
498 {
499 return FALSE;
500 }
501 g_xi = this->initiator ? dh_me : dh_other;
502 g_xr = this->initiator ? dh_other : dh_me;
503
504 /* initial IV = hash(g^xi | g^xr) */
505 data = chunk_cata("cc", g_xi, g_xr);
506 chunk_free(&dh_me);
507 return this->iv_manager->init_iv_chain(this->iv_manager, data, this->hasher,
508 this->aead->get_block_size(this->aead));
509 }
510
511 /**
512 * Derive key material for CHILD_SAs according to section 5.5. in RFC 2409.
513 */
514 static bool derive_child_keymat(private_keymat_v1_t *this, chunk_t seed,
515 uint16_t enc_size, chunk_t *encr,
516 uint16_t int_size, chunk_t *integ)
517 {
518 size_t block_size, i;
519 chunk_t keymat, prev = chunk_empty;
520
521 block_size = this->prf->get_block_size(this->prf);
522 keymat = chunk_alloc(round_up(enc_size + int_size, block_size));
523 keymat.len = enc_size + int_size;
524
525 for (i = 0; i < keymat.len; i += block_size)
526 {
527 if (!this->prf->get_bytes(this->prf, prev, NULL) ||
528 !this->prf->get_bytes(this->prf, seed, keymat.ptr + i))
529 {
530 chunk_clear(&keymat);
531 return FALSE;
532 }
533 prev = chunk_create(keymat.ptr + i, block_size);
534 }
535
536 chunk_split(keymat, "aa", enc_size, encr, int_size, integ);
537 chunk_clear(&keymat);
538 return TRUE;
539 }
540
541 METHOD(keymat_v1_t, derive_child_keys, bool,
542 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
543 uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
544 chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r)
545 {
546 uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
547 uint8_t protocol;
548 chunk_t seed = chunk_empty, secret = chunk_empty;
549 bool success = FALSE;
550
551 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
552 &enc_alg, &enc_size))
553 {
554 DBG2(DBG_CHD, " using %N for encryption",
555 encryption_algorithm_names, enc_alg);
556
557 if (!enc_size)
558 {
559 enc_size = keymat_get_keylen_encr(enc_alg);
560 }
561 if (enc_alg != ENCR_NULL && !enc_size)
562 {
563 DBG1(DBG_CHD, "no keylength defined for %N",
564 encryption_algorithm_names, enc_alg);
565 return FALSE;
566 }
567 /* to bytes */
568 enc_size /= 8;
569
570 /* CCM/GCM/CTR/GMAC needs additional bytes */
571 switch (enc_alg)
572 {
573 case ENCR_AES_CCM_ICV8:
574 case ENCR_AES_CCM_ICV12:
575 case ENCR_AES_CCM_ICV16:
576 case ENCR_CAMELLIA_CCM_ICV8:
577 case ENCR_CAMELLIA_CCM_ICV12:
578 case ENCR_CAMELLIA_CCM_ICV16:
579 enc_size += 3;
580 break;
581 case ENCR_AES_GCM_ICV8:
582 case ENCR_AES_GCM_ICV12:
583 case ENCR_AES_GCM_ICV16:
584 case ENCR_AES_CTR:
585 case ENCR_NULL_AUTH_AES_GMAC:
586 enc_size += 4;
587 break;
588 default:
589 break;
590 }
591 }
592
593 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
594 &int_alg, &int_size))
595 {
596 DBG2(DBG_CHD, " using %N for integrity",
597 integrity_algorithm_names, int_alg);
598
599 if (!int_size)
600 {
601 int_size = keymat_get_keylen_integ(int_alg);
602 }
603 if (!int_size)
604 {
605 DBG1(DBG_CHD, "no keylength defined for %N",
606 integrity_algorithm_names, int_alg);
607 return FALSE;
608 }
609 /* to bytes */
610 int_size /= 8;
611 }
612
613 /* KEYMAT = prf+(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b) */
614 if (!this->prf->set_key(this->prf, this->skeyid_d))
615 {
616 return FALSE;
617 }
618 protocol = proposal->get_protocol(proposal);
619 if (dh)
620 {
621 if (!dh->get_shared_secret(dh, &secret))
622 {
623 return FALSE;
624 }
625 DBG4(DBG_CHD, "DH secret %B", &secret);
626 }
627
628 *encr_r = *integ_r = *encr_i = *integ_i = chunk_empty;
629 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
630 chunk_from_thing(spi_r), nonce_i, nonce_r);
631 DBG4(DBG_CHD, "initiator SA seed %B", &seed);
632 if (!derive_child_keymat(this, seed, enc_size, encr_i, int_size, integ_i))
633 {
634 goto failure;
635 }
636
637 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
638 chunk_from_thing(spi_i), nonce_i, nonce_r);
639 DBG4(DBG_CHD, "responder SA seed %B", &seed);
640 if (!derive_child_keymat(this, seed, enc_size, encr_r, int_size, integ_r))
641 {
642 goto failure;
643 }
644
645 if (enc_size)
646 {
647 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
648 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
649 }
650 if (int_size)
651 {
652 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
653 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
654 }
655 success = TRUE;
656
657 failure:
658 if (!success)
659 {
660 chunk_clear(encr_i);
661 chunk_clear(integ_i);
662 chunk_clear(encr_r);
663 chunk_clear(integ_r);
664 }
665 memwipe(seed.ptr, seed.len);
666 chunk_clear(&secret);
667
668 return success;
669 }
670
671 METHOD(keymat_v1_t, create_hasher, bool,
672 private_keymat_v1_t *this, proposal_t *proposal)
673 {
674 uint16_t alg;
675 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) ||
676 (alg = auth_to_hash(alg)) == HASH_UNKNOWN)
677 {
678 DBG1(DBG_IKE, "no %N selected", transform_type_names, HASH_ALGORITHM);
679 return FALSE;
680 }
681 this->hasher = lib->crypto->create_hasher(lib->crypto, alg);
682 if (!this->hasher)
683 {
684 DBG1(DBG_IKE, "%N %N not supported!",
685 transform_type_names, HASH_ALGORITHM,
686 hash_algorithm_names, alg);
687 return FALSE;
688 }
689 return TRUE;
690 }
691
692 METHOD(keymat_v1_t, get_hasher, hasher_t*,
693 private_keymat_v1_t *this)
694 {
695 return this->hasher;
696 }
697
698 METHOD(keymat_v1_t, get_hash, bool,
699 private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
700 ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash,
701 signature_scheme_t *scheme)
702 {
703 chunk_t data;
704 uint64_t spi, spi_other;
705
706 /* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
707 * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
708 */
709 if (initiator)
710 {
711 spi = ike_sa_id->get_initiator_spi(ike_sa_id);
712 spi_other = ike_sa_id->get_responder_spi(ike_sa_id);
713 }
714 else
715 {
716 spi_other = ike_sa_id->get_initiator_spi(ike_sa_id);
717 spi = ike_sa_id->get_responder_spi(ike_sa_id);
718 }
719 data = chunk_cat("cccccc", dh, dh_other,
720 chunk_from_thing(spi), chunk_from_thing(spi_other),
721 sa_i, id);
722
723 DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data);
724
725 if (!this->prf_auth->allocate_bytes(this->prf_auth, data, hash))
726 {
727 free(data.ptr);
728 return FALSE;
729 }
730
731 DBG3(DBG_IKE, "HASH_%c %B", initiator ? 'I' : 'R', hash);
732
733 free(data.ptr);
734 return TRUE;
735 }
736
737 /**
738 * Get the nonce value found in the given message.
739 * Returns FALSE if none is found.
740 */
741 static bool get_nonce(message_t *message, chunk_t *n)
742 {
743 nonce_payload_t *nonce;
744 nonce = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
745 if (nonce)
746 {
747 *n = nonce->get_nonce(nonce);
748 return TRUE;
749 }
750 return FALSE;
751 }
752
753 /**
754 * Generate the message data in order to generate the hashes.
755 */
756 static chunk_t get_message_data(message_t *message, generator_t *generator)
757 {
758 payload_t *payload, *next;
759 enumerator_t *enumerator;
760 uint32_t *lenpos;
761
762 if (message->is_encoded(message))
763 { /* inbound, although the message is generated, we cannot access the
764 * cleartext message data, so generate it anyway */
765 enumerator = message->create_payload_enumerator(message);
766 while (enumerator->enumerate(enumerator, &payload))
767 {
768 if (payload->get_type(payload) == PLV1_HASH)
769 {
770 continue;
771 }
772 generator->generate_payload(generator, payload);
773 }
774 enumerator->destroy(enumerator);
775 }
776 else
777 {
778 /* outbound, generate the payloads (there is no HASH payload yet) */
779 enumerator = message->create_payload_enumerator(message);
780 if (enumerator->enumerate(enumerator, &payload))
781 {
782 while (enumerator->enumerate(enumerator, &next))
783 {
784 payload->set_next_type(payload, next->get_type(next));
785 generator->generate_payload(generator, payload);
786 payload = next;
787 }
788 payload->set_next_type(payload, PL_NONE);
789 generator->generate_payload(generator, payload);
790 }
791 enumerator->destroy(enumerator);
792 }
793 return generator->get_chunk(generator, &lenpos);
794 }
795
796 METHOD(keymat_v1_t, get_hash_phase2, bool,
797 private_keymat_v1_t *this, message_t *message, chunk_t *hash)
798 {
799 uint32_t mid, mid_n;
800 chunk_t data = chunk_empty, *n_i, *n_r;
801 bool add_message = TRUE;
802 char *name = "Hash";
803
804 if (!this->prf)
805 { /* no keys derived yet */
806 return FALSE;
807 }
808
809 mid = message->get_message_id(message);
810 mid_n = htonl(mid);
811
812 /* Hashes are simple for most exchanges in Phase 2:
813 * Hash = prf(SKEYID_a, M-ID | Complete message after HASH payload)
814 * For Quick Mode there are three hashes:
815 * Hash(1) = same as above
816 * Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH payload)
817 * Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
818 * So, for Quick Mode we keep track of the nonce values.
819 */
820 switch (message->get_exchange_type(message))
821 {
822 case QUICK_MODE:
823 {
824 this->iv_manager->lookup_quick_mode(this->iv_manager, mid, &n_i,
825 &n_r);
826 if (!n_i->ptr)
827 { /* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
828 name = "Hash(1)";
829 if (!get_nonce(message, n_i))
830 {
831 return FALSE;
832 }
833 data = chunk_from_thing(mid_n);
834 }
835 else if (!n_r->ptr)
836 { /* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
837 name = "Hash(2)";
838 if (!get_nonce(message, n_r))
839 {
840 return FALSE;
841 }
842 data = chunk_cata("cc", chunk_from_thing(mid_n), *n_i);
843 }
844 else
845 { /* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
846 name = "Hash(3)";
847 data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
848 *n_i, *n_r);
849 add_message = FALSE;
850 /* we don't need the state anymore */
851 this->iv_manager->remove_quick_mode(this->iv_manager, mid);
852 }
853 break;
854 }
855 case TRANSACTION:
856 case INFORMATIONAL_V1:
857 /* Hash = prf(SKEYID_a, M-ID | Message after HASH payload) */
858 data = chunk_from_thing(mid_n);
859 break;
860 default:
861 return FALSE;
862 }
863 if (!this->prf->set_key(this->prf, this->skeyid_a))
864 {
865 return FALSE;
866 }
867 if (add_message)
868 {
869 generator_t *generator;
870 chunk_t msg;
871
872 generator = generator_create_no_dbg();
873 msg = get_message_data(message, generator);
874 if (!this->prf->allocate_bytes(this->prf, data, NULL) ||
875 !this->prf->allocate_bytes(this->prf, msg, hash))
876 {
877 generator->destroy(generator);
878 return FALSE;
879 }
880 generator->destroy(generator);
881 }
882 else
883 {
884 if (!this->prf->allocate_bytes(this->prf, data, hash))
885 {
886 return FALSE;
887 }
888 }
889 DBG3(DBG_IKE, "%s %B", name, hash);
890 return TRUE;
891 }
892
893 METHOD(keymat_v1_t, get_iv, bool,
894 private_keymat_v1_t *this, uint32_t mid, chunk_t *out)
895 {
896 return this->iv_manager->get_iv(this->iv_manager, mid, out);
897 }
898
899 METHOD(keymat_v1_t, update_iv, bool,
900 private_keymat_v1_t *this, uint32_t mid, chunk_t last_block)
901 {
902 return this->iv_manager->update_iv(this->iv_manager, mid, last_block);
903 }
904
905 METHOD(keymat_v1_t, confirm_iv, bool,
906 private_keymat_v1_t *this, uint32_t mid)
907 {
908 return this->iv_manager->confirm_iv(this->iv_manager, mid);
909 }
910
911 METHOD(keymat_t, get_version, ike_version_t,
912 private_keymat_v1_t *this)
913 {
914 return IKEV1;
915 }
916
917 METHOD(keymat_t, create_dh, diffie_hellman_t*,
918 private_keymat_v1_t *this, diffie_hellman_group_t group)
919 {
920 return lib->crypto->create_dh(lib->crypto, group);
921 }
922
923 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
924 private_keymat_v1_t *this)
925 {
926 return lib->crypto->create_nonce_gen(lib->crypto);
927 }
928
929 METHOD(keymat_t, get_aead, aead_t*,
930 private_keymat_v1_t *this, bool in)
931 {
932 return this->aead;
933 }
934
935 METHOD(keymat_t, destroy, void,
936 private_keymat_v1_t *this)
937 {
938 DESTROY_IF(this->prf);
939 DESTROY_IF(this->prf_auth);
940 DESTROY_IF(this->aead);
941 DESTROY_IF(this->hasher);
942 chunk_clear(&this->skeyid_d);
943 chunk_clear(&this->skeyid_a);
944 this->iv_manager->destroy(this->iv_manager);
945 free(this);
946 }
947
948 /**
949 * See header
950 */
951 keymat_v1_t *keymat_v1_create(bool initiator)
952 {
953 private_keymat_v1_t *this;
954
955 INIT(this,
956 .public = {
957 .keymat = {
958 .get_version = _get_version,
959 .create_dh = _create_dh,
960 .create_nonce_gen = _create_nonce_gen,
961 .get_aead = _get_aead,
962 .destroy = _destroy,
963 },
964 .derive_ike_keys = _derive_ike_keys,
965 .derive_child_keys = _derive_child_keys,
966 .create_hasher = _create_hasher,
967 .get_hasher = _get_hasher,
968 .get_hash = _get_hash,
969 .get_hash_phase2 = _get_hash_phase2,
970 .get_iv = _get_iv,
971 .update_iv = _update_iv,
972 .confirm_iv = _confirm_iv,
973 },
974 .initiator = initiator,
975 .iv_manager = iv_manager_create(0),
976 );
977 return &this->public;
978 }
Unnamed repository; edit this file 'description' to name the repository.