Use remote PSK signature computed by TKM
[strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
1 /*
2 * Copyrigth (C) 2012 Reto Buerki
3 * Copyright (C) 2012 Adrian-Ken Rueegsegger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <daemon.h>
18 #include <sa/ikev2/keymat_v2.h>
19 #include <tkm/constants.h>
20 #include <tkm/client.h>
21
22 #include "tkm.h"
23 #include "tkm_utils.h"
24 #include "tkm_diffie_hellman.h"
25 #include "tkm_keymat.h"
26
27 typedef struct private_tkm_keymat_t private_tkm_keymat_t;
28
29 /**
30 * Private data of a keymat_t object.
31 */
32 struct private_tkm_keymat_t {
33
34 /**
35 * Public tkm_keymat_t interface.
36 */
37 tkm_keymat_t public;
38
39 /**
40 * IKEv2 keymat proxy (will be removed).
41 */
42 keymat_v2_t *proxy;
43
44 /**
45 * IKE_SA Role, initiator or responder.
46 */
47 bool initiator;
48
49 /**
50 * Inbound AEAD.
51 */
52 aead_t *aead_in;
53
54 /**
55 * Outbound AEAD.
56 */
57 aead_t *aead_out;
58
59 };
60
61 /**
62 * Create AEAD transforms from given key chunks.
63 *
64 * @param in inbound AEAD transform to allocate, NULL if failed
65 * @param out outbound AEAD transform to allocate, NULL if failed
66 * @param sk_ai SK_ai key chunk
67 * @param sk_ar SK_ar key chunk
68 * @param sk_ei SK_ei key chunk
69 * @param sk_er SK_er key chunk
70 * @param enc_alg encryption algorithm to use
71 * @param int_alg integrity algorithm to use
72 * @param key_size encryption key size in bytes
73 * @param initiator TRUE if initiator
74 */
75 static void aead_create_from_keys(aead_t **in, aead_t **out,
76 const chunk_t * const sk_ai, const chunk_t * const sk_ar,
77 const chunk_t * const sk_ei, const chunk_t * const sk_er,
78 const u_int16_t enc_alg, const u_int16_t int_alg,
79 const u_int16_t key_size, bool initiator)
80 {
81 *in = *out = NULL;
82
83 signer_t * const signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
84 signer_t * const signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
85 if (signer_i == NULL || signer_r == NULL)
86 {
87 DBG1(DBG_IKE, "%N %N not supported!",
88 transform_type_names, INTEGRITY_ALGORITHM,
89 integrity_algorithm_names, int_alg);
90 return;
91 }
92 crypter_t * const crypter_i = lib->crypto->create_crypter(lib->crypto,
93 enc_alg, key_size);
94 crypter_t * const crypter_r = lib->crypto->create_crypter(lib->crypto,
95 enc_alg, key_size);
96 if (crypter_i == NULL || crypter_r == NULL)
97 {
98 signer_i->destroy(signer_i);
99 signer_r->destroy(signer_r);
100 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
101 transform_type_names, ENCRYPTION_ALGORITHM,
102 encryption_algorithm_names, enc_alg, key_size);
103 return;
104 }
105
106 DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
107 if (!signer_i->set_key(signer_i, *sk_ai))
108 {
109 return;
110 }
111 DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
112 if (!signer_r->set_key(signer_r, *sk_ar))
113 {
114 return;
115 }
116 DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
117 if (!crypter_i->set_key(crypter_i, *sk_ei))
118 {
119 return;
120 }
121 DBG4(DBG_IKE, "Sk_er %B", sk_er);
122 if (!crypter_r->set_key(crypter_r, *sk_er))
123 {
124 return;
125 }
126
127 if (initiator)
128 {
129 *in = aead_create(crypter_r, signer_r);
130 *out = aead_create(crypter_i, signer_i);
131 }
132 else
133 {
134 *in = aead_create(crypter_i, signer_i);
135 *out = aead_create(crypter_r, signer_r);
136 }
137 }
138
139 METHOD(keymat_t, get_version, ike_version_t,
140 private_tkm_keymat_t *this)
141 {
142 return IKEV2;
143 }
144
145 METHOD(keymat_t, create_dh, diffie_hellman_t*,
146 private_tkm_keymat_t *this, diffie_hellman_group_t group)
147 {
148 return lib->crypto->create_dh(lib->crypto, group);
149 }
150
151 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
152 private_tkm_keymat_t *this)
153 {
154 return lib->crypto->create_nonce_gen(lib->crypto);
155 }
156
157 METHOD(tkm_keymat_t, derive_ike_keys, bool,
158 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
159 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
160 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
161 {
162 /* Check encryption and integrity algorithms */
163 u_int16_t enc_alg, int_alg, key_size;
164 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, &key_size))
165 {
166 DBG1(DBG_IKE, "no %N selected", transform_type_names,
167 ENCRYPTION_ALGORITHM);
168 return FALSE;
169 }
170 if (encryption_algorithm_is_aead(enc_alg))
171 {
172 DBG1(DBG_IKE, "AEAD algorithm %N not supported",
173 encryption_algorithm_names, enc_alg);
174 return FALSE;
175 }
176 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
177 {
178 DBG1(DBG_IKE, "no %N selected", transform_type_names,
179 INTEGRITY_ALGORITHM);
180 return FALSE;
181 }
182 if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
183 int_alg == AUTH_HMAC_SHA2_512_256))
184 {
185 DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
186 " update your configuration");
187 return FALSE;
188 }
189
190 DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
191 encryption_algorithm_names, enc_alg,
192 integrity_algorithm_names, int_alg);
193
194 /* Acquire nonce context id */
195 chunk_t * const nonce = this->initiator ? &nonce_i : &nonce_r;
196 const uint64_t nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
197 if (!nc_id)
198 {
199 DBG1(DBG_IKE, "unable to acquire context id for nonce");
200 return FALSE;
201 }
202
203 /* Get DH context id */
204 tkm_diffie_hellman_t * const tkm_dh = (tkm_diffie_hellman_t *)dh;
205 const dh_id_type dh_id = tkm_dh->get_id(tkm_dh);
206
207 nonce_type nonce_rem;
208 u_int64_t spi_loc, spi_rem;
209
210 if (this->initiator)
211 {
212 chunk_to_sequence(&nonce_r, &nonce_rem);
213 spi_loc = id->get_initiator_spi(id);
214 spi_rem = id->get_responder_spi(id);
215 }
216 else
217 {
218 chunk_to_sequence(&nonce_i, &nonce_rem);
219 spi_loc = id->get_responder_spi(id);
220 spi_rem = id->get_initiator_spi(id);
221 }
222
223 key_type sk_ai, sk_ar, sk_ei, sk_er;
224 DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
225 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
226 /* Fake some data for now */
227 if (ike_isa_create(1, 1, 1, dh_id, nc_id, nonce_rem, 1, spi_loc, spi_rem,
228 &sk_ai, &sk_ar, &sk_ei, &sk_er) != TKM_OK)
229 {
230 DBG1(DBG_IKE, "key derivation failed");
231 return FALSE;
232 }
233
234 chunk_t c_ai, c_ar, c_ei, c_er;
235 sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
236 sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
237 sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
238 sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
239
240 aead_create_from_keys(&this->aead_in, &this->aead_out,
241 &c_ai, &c_ar, &c_ei, &c_er,
242 enc_alg, int_alg, key_size / 8, this->initiator);
243
244 chunk_clear(&c_ai);
245 chunk_clear(&c_ar);
246 chunk_clear(&c_ei);
247 chunk_clear(&c_er);
248
249 if (!this->aead_in || !this->aead_out)
250 {
251 DBG1(DBG_IKE, "could not initialize AEAD transforms");
252 return FALSE;
253 }
254
255 /* TODO: Add failure handler (see keymat_v2.c) */
256
257 if (this->proxy->derive_ike_keys(this->proxy, proposal, dh, nonce_i,
258 nonce_r, id, rekey_function, rekey_skd))
259 {
260 tkm->chunk_map->remove(tkm->chunk_map, nonce);
261 if (ike_nc_reset(nc_id) != TKM_OK)
262 {
263 DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
264 }
265 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
266
267 return TRUE;
268 }
269 return FALSE;
270 }
271
272 METHOD(tkm_keymat_t, derive_child_keys, bool,
273 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
274 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
275 chunk_t *encr_r, chunk_t *integ_r)
276 {
277 DBG1(DBG_CHD, "deriving child keys");
278 return this->proxy->derive_child_keys(this->proxy, proposal, dh, nonce_i,
279 nonce_r, encr_i, integ_i, encr_r, integ_r);
280 }
281
282 METHOD(keymat_t, get_aead, aead_t*,
283 private_tkm_keymat_t *this, bool in)
284 {
285 return in ? this->aead_in : this->aead_out;
286 }
287
288 METHOD(tkm_keymat_t, get_auth_octets, bool,
289 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
290 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
291 {
292 DBG1(DBG_IKE, "returning auth octets");
293 return this->proxy->get_auth_octets(this->proxy, verify, ike_sa_init, nonce,
294 id, reserved, octets);
295 }
296
297 METHOD(tkm_keymat_t, get_skd, pseudo_random_function_t,
298 private_tkm_keymat_t *this, chunk_t *skd)
299 {
300 DBG1(DBG_IKE, "returning skd");
301 return this->proxy->get_skd(this->proxy, skd);
302 }
303
304 METHOD(tkm_keymat_t, get_psk_sig, bool,
305 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
306 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
307 {
308 DBG1(DBG_IKE, "returning %s PSK signature", verify ? "remote" : "local");
309
310 signature_type signature;
311 init_message_type msg;
312 chunk_to_sequence(&ike_sa_init, &msg);
313
314 chunk_t idx_chunk, chunk = chunk_alloca(4);
315 chunk.ptr[0] = id->get_type(id);
316 memcpy(chunk.ptr + 1, reserved, 3);
317 idx_chunk = chunk_cata("cc", chunk, id->get_encoding(id));
318 idx_type idx;
319 chunk_to_sequence(&idx_chunk, &idx);
320
321 if (ike_isa_sign_psk(1, msg, idx, verify == TRUE, &signature) != TKM_OK)
322 {
323 DBG1(DBG_IKE, "get %s PSK signature failed", verify ?
324 "remote" : "local");
325 return FALSE;
326 }
327
328 sequence_to_chunk(&signature.data[0], signature.size, sig);
329 return TRUE;
330 }
331
332 METHOD(keymat_t, destroy, void,
333 private_tkm_keymat_t *this)
334 {
335 DESTROY_IF(this->aead_in);
336 DESTROY_IF(this->aead_out);
337 this->proxy->keymat.destroy(&this->proxy->keymat);
338 free(this);
339 }
340
341 /**
342 * See header.
343 */
344 tkm_keymat_t *tkm_keymat_create(bool initiator)
345 {
346 private_tkm_keymat_t *this;
347
348 INIT(this,
349 .public = {
350 .keymat = {
351 .get_version = _get_version,
352 .create_dh = _create_dh,
353 .create_nonce_gen = _create_nonce_gen,
354 .get_aead = _get_aead,
355 .destroy = _destroy,
356 },
357 .derive_ike_keys = _derive_ike_keys,
358 .derive_child_keys = _derive_child_keys,
359 .get_skd = _get_skd,
360 .get_auth_octets = _get_auth_octets,
361 .get_psk_sig = _get_psk_sig,
362 },
363 .initiator = initiator,
364 .proxy = keymat_v2_create(initiator),
365 );
366
367 return &this->public;
368 }