From 4e29d6fac129dff25fc8761910a70e98e27ddc7c Mon Sep 17 00:00:00 2001 From: Thomas Egerer Date: Tue, 1 Jun 2021 14:36:21 +0200 Subject: [PATCH] bus: Extend and reorder arguments of ike_derived_keys() hook This now includes all key material derived for IKE_SAs in the order defined in the RFC: {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr} = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) Signed-off-by: Thomas Egerer --- src/libcharon/bus/bus.c | 9 +- src/libcharon/bus/bus.h | 12 ++- src/libcharon/bus/listeners/listener.h | 12 ++- .../plugins/save_keys/save_keys_listener.c | 5 +- src/libcharon/sa/ikev1/keymat_v1.c | 3 +- src/libcharon/sa/ikev2/keymat_v2.c | 87 +++++++++---------- 6 files changed, 69 insertions(+), 59 deletions(-) diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index f5b0651f75..80501ce6c3 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -604,8 +604,8 @@ METHOD(bus_t, ike_keys, void, } METHOD(bus_t, ike_derived_keys, void, - private_bus_t *this, chunk_t sk_ei, chunk_t sk_er, chunk_t sk_ai, - chunk_t sk_ar) + private_bus_t *this, chunk_t sk_d, chunk_t sk_ai, chunk_t sk_ar, + chunk_t sk_ei, chunk_t sk_er, chunk_t sk_pi, chunk_t sk_pr) { enumerator_t *enumerator; ike_sa_t *ike_sa; @@ -623,8 +623,9 @@ METHOD(bus_t, ike_derived_keys, void, continue; } entry->calling++; - keep = entry->listener->ike_derived_keys(entry->listener, ike_sa, sk_ei, - sk_er, sk_ai, sk_ar); + keep = entry->listener->ike_derived_keys(entry->listener, ike_sa, sk_d, + sk_ai, sk_ar, sk_ei, sk_er, + sk_pi, sk_pr); entry->calling--; if (!keep) { diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index 22248f7a07..1256f407ed 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -363,13 +363,17 @@ struct bus_t { /** * IKE_SA derived keys hook. * - * @param sk_ei SK_ei, or Ka for IKEv1 - * @param sk_er SK_er + * @param sk_d SK_d, or SKEYID_d for IKEv1 * @param sk_ai SK_ai, or SKEYID_a for IKEv1 * @param sk_ar SK_ar + * @param sk_ei SK_ei, or Ka for IKEv1 + * @param sk_er SK_er + * @param sk_pi SK_pi + * @param sk_pr SK_pr */ - void (*ike_derived_keys)(bus_t *this, chunk_t sk_ei, chunk_t sk_er, - chunk_t sk_ai, chunk_t sk_ar); + void (*ike_derived_keys)(bus_t *this, chunk_t sk_d, chunk_t sk_ai, + chunk_t sk_ar, chunk_t sk_ei, chunk_t sk_er, + chunk_t sk_pi, chunk_t sk_pr); /** * CHILD_SA keymat hook. diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index b24785a626..e857f16794 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -100,13 +100,17 @@ struct listener_t { * Hook called with derived IKE_SA keys. * * @param ike_sa IKE_SA these keys belong to - * @param sk_ei SK_ei, or Ka for IKEv1 - * @param sk_er SK_er + * @param sk_d SK_d, or SKEYID_d for IKEv1 * @param sk_ai SK_ai, or SKEYID_a for IKEv1 * @param sk_ar SK_ar + * @param sk_ei SK_ei, or Ka for IKEv1 + * @param sk_er SK_er + * @param sk_pi SK_pi + * @param sk_pr SK_pr */ - bool (*ike_derived_keys)(listener_t *this, ike_sa_t *ike_sa, chunk_t sk_ei, - chunk_t sk_er, chunk_t sk_ai, chunk_t sk_ar); + bool (*ike_derived_keys)(listener_t *this, ike_sa_t *ike_sa, chunk_t sk_d, + chunk_t sk_ai, chunk_t sk_ar, chunk_t sk_ei, + chunk_t sk_er, chunk_t sk_pi, chunk_t sk_pr); /** * Hook called with CHILD_SA key material. diff --git a/src/libcharon/plugins/save_keys/save_keys_listener.c b/src/libcharon/plugins/save_keys/save_keys_listener.c index 1c949b6b1d..d8f6abebdf 100644 --- a/src/libcharon/plugins/save_keys/save_keys_listener.c +++ b/src/libcharon/plugins/save_keys/save_keys_listener.c @@ -276,8 +276,9 @@ static inline void esp_names(proposal_t *proposal, const char **enc, } METHOD(listener_t, ike_derived_keys, bool, - private_save_keys_listener_t *this, ike_sa_t *ike_sa, chunk_t sk_ei, - chunk_t sk_er, chunk_t sk_ai, chunk_t sk_ar) + private_save_keys_listener_t *this, ike_sa_t *ike_sa, chunk_t sk_d, + chunk_t sk_ai, chunk_t sk_ar, chunk_t sk_ei, chunk_t sk_er, chunk_t sk_pi, + chunk_t sk_pr) { ike_version_t version; ike_sa_id_t *id; diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c index 34bae4391c..efceba51c2 100644 --- a/src/libcharon/sa/ikev1/keymat_v1.c +++ b/src/libcharon/sa/ikev1/keymat_v1.c @@ -484,7 +484,8 @@ METHOD(keymat_v1_t, derive_ike_keys, bool, { return FALSE; } - charon->bus->ike_derived_keys(charon->bus, ka, chunk_empty, this->skeyid_a, + charon->bus->ike_derived_keys(charon->bus, this->skeyid_d, this->skeyid_a, + chunk_empty, ka, chunk_empty, chunk_empty, chunk_empty); chunk_clear(&ka); if (!this->hasher && !this->public.create_hasher(&this->public, proposal)) diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 98cba066da..00900a4269 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -100,10 +100,10 @@ METHOD(keymat_t, create_nonce_gen, nonce_gen_t*, * Derive IKE keys for a combined AEAD algorithm */ static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg, - uint16_t key_size, prf_plus_t *prf_plus) + uint16_t key_size, prf_plus_t *prf_plus, + chunk_t *sk_ei, chunk_t *sk_er) { aead_t *aead_i, *aead_r; - chunk_t sk_ei = chunk_empty, sk_er = chunk_empty; u_int salt_size; switch (alg) @@ -146,22 +146,22 @@ static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg, { goto failure; } - if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ei)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ei)) { goto failure; } - DBG4(DBG_IKE, "Sk_ei secret %B", &sk_ei); - if (!aead_i->set_key(aead_i, sk_ei)) + DBG4(DBG_IKE, "Sk_ei secret %B", sk_ei); + if (!aead_i->set_key(aead_i, *sk_ei)) { goto failure; } - if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_er)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_er)) { goto failure; } - DBG4(DBG_IKE, "Sk_er secret %B", &sk_er); - if (!aead_r->set_key(aead_r, sk_er)) + DBG4(DBG_IKE, "Sk_er secret %B", sk_er); + if (!aead_r->set_key(aead_r, *sk_er)) { goto failure; } @@ -177,14 +177,10 @@ static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg, this->aead_out = aead_r; } aead_i = aead_r = NULL; - charon->bus->ike_derived_keys(charon->bus, sk_ei, sk_er, chunk_empty, - chunk_empty); failure: DESTROY_IF(aead_i); DESTROY_IF(aead_r); - chunk_clear(&sk_ei); - chunk_clear(&sk_er); return this->aead_in && this->aead_out; } @@ -192,14 +188,14 @@ failure: * Derive IKE keys for traditional encryption and MAC algorithms */ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg, - uint16_t enc_size, uint16_t int_alg, prf_plus_t *prf_plus) + uint16_t enc_size, uint16_t int_alg, prf_plus_t *prf_plus, + chunk_t *sk_ai, chunk_t *sk_ar, chunk_t *sk_ei, + chunk_t *sk_er) { crypter_t *crypter_i = NULL, *crypter_r = NULL; signer_t *signer_i, *signer_r; iv_gen_t *ivg_i, *ivg_r; size_t key_size; - chunk_t sk_ei = chunk_empty, sk_er = chunk_empty, - sk_ai = chunk_empty, sk_ar = chunk_empty; signer_i = lib->crypto->create_signer(lib->crypto, int_alg); signer_r = lib->crypto->create_signer(lib->crypto, int_alg); @@ -223,22 +219,22 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg, /* SK_ai/SK_ar used for integrity protection */ key_size = signer_i->get_key_size(signer_i); - if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ai)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ai)) { goto failure; } - DBG4(DBG_IKE, "Sk_ai secret %B", &sk_ai); - if (!signer_i->set_key(signer_i, sk_ai)) + DBG4(DBG_IKE, "Sk_ai secret %B", sk_ai); + if (!signer_i->set_key(signer_i, *sk_ai)) { goto failure; } - if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ar)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ar)) { goto failure; } - DBG4(DBG_IKE, "Sk_ar secret %B", &sk_ar); - if (!signer_r->set_key(signer_r, sk_ar)) + DBG4(DBG_IKE, "Sk_ar secret %B", sk_ar); + if (!signer_r->set_key(signer_r, *sk_ar)) { goto failure; } @@ -246,22 +242,22 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg, /* SK_ei/SK_er used for encryption */ key_size = crypter_i->get_key_size(crypter_i); - if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_ei)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ei)) { goto failure; } - DBG4(DBG_IKE, "Sk_ei secret %B", &sk_ei); - if (!crypter_i->set_key(crypter_i, sk_ei)) + DBG4(DBG_IKE, "Sk_ei secret %B", sk_ei); + if (!crypter_i->set_key(crypter_i, *sk_ei)) { goto failure; } - if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_er)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_er)) { goto failure; } - DBG4(DBG_IKE, "Sk_er secret %B", &sk_er); - if (!crypter_r->set_key(crypter_r, sk_er)) + DBG4(DBG_IKE, "Sk_er secret %B", sk_er); + if (!crypter_r->set_key(crypter_r, *sk_er)) { goto failure; } @@ -284,13 +280,8 @@ static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg, } signer_i = signer_r = NULL; crypter_i = crypter_r = NULL; - charon->bus->ike_derived_keys(charon->bus, sk_ei, sk_er, sk_ai, sk_ar); failure: - chunk_clear(&sk_ai); - chunk_clear(&sk_ar); - chunk_clear(&sk_ei); - chunk_clear(&sk_er); DESTROY_IF(signer_i); DESTROY_IF(signer_r); DESTROY_IF(crypter_i); @@ -303,8 +294,10 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t rekey_function, chunk_t rekey_skd) { - chunk_t skeyseed = chunk_empty, key, secret, full_nonce, fixed_nonce; + chunk_t skeyseed = chunk_empty, secret, full_nonce, fixed_nonce; chunk_t prf_plus_seed, spi_i, spi_r; + chunk_t sk_ei = chunk_empty, sk_er = chunk_empty; + chunk_t sk_ai = chunk_empty, sk_ar = chunk_empty, sk_pi, sk_pr; prf_plus_t *prf_plus = NULL; uint16_t alg, key_size, int_alg; prf_t *rekey_prf = NULL; @@ -434,7 +427,7 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, if (encryption_algorithm_is_aead(alg)) { - if (!derive_ike_aead(this, alg, key_size, prf_plus)) + if (!derive_ike_aead(this, alg, key_size, prf_plus, &sk_ei, &sk_er)) { goto failure; } @@ -448,7 +441,8 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, transform_type_names, INTEGRITY_ALGORITHM); goto failure; } - if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus)) + if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus, + &sk_ai, &sk_ar, &sk_ei, &sk_er)) { goto failure; } @@ -456,35 +450,40 @@ METHOD(keymat_v2_t, derive_ike_keys, bool, /* SK_pi/SK_pr used for authentication => stored for later */ key_size = this->prf->get_key_size(this->prf); - if (!prf_plus->allocate_bytes(prf_plus, key_size, &key)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_pi)) { goto failure; } - DBG4(DBG_IKE, "Sk_pi secret %B", &key); + DBG4(DBG_IKE, "Sk_pi secret %B", &sk_pi); if (this->initiator) { - this->skp_build = key; + this->skp_build = sk_pi; } else { - this->skp_verify = key; + this->skp_verify = sk_pi; } - if (!prf_plus->allocate_bytes(prf_plus, key_size, &key)) + if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_pr)) { goto failure; } - DBG4(DBG_IKE, "Sk_pr secret %B", &key); + DBG4(DBG_IKE, "Sk_pr secret %B", &sk_pr); if (this->initiator) { - this->skp_verify = key; + this->skp_verify = sk_pr; } else { - this->skp_build = key; + this->skp_build = sk_pr; } + charon->bus->ike_derived_keys(charon->bus,this->skd, sk_ai, sk_ar, sk_ei, + sk_er, sk_pi, sk_pr); - /* all done, prf_plus not needed anymore */ failure: + chunk_clear(&sk_ai); + chunk_clear(&sk_ar); + chunk_clear(&sk_ei); + chunk_clear(&sk_er); DESTROY_IF(prf_plus); DESTROY_IF(rekey_prf); -- 2.47.2