Various stylistic fixes
[strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
1 /*
2 * Copyrigth (C) 2012 Reto Buerki
3 * Copyright (C) 2012 Adrian-Ken Rueegsegger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <daemon.h>
18 #include <tkm/constants.h>
19 #include <tkm/client.h>
20
21 #include "tkm.h"
22 #include "tkm_types.h"
23 #include "tkm_utils.h"
24 #include "tkm_diffie_hellman.h"
25 #include "tkm_keymat.h"
26
27 typedef struct private_tkm_keymat_t private_tkm_keymat_t;
28
29 /**
30 * Private data of a keymat_t object.
31 */
32 struct private_tkm_keymat_t {
33
34 /**
35 * Public tkm_keymat_t interface.
36 */
37 tkm_keymat_t public;
38
39 /**
40 * IKE_SA Role, initiator or responder.
41 */
42 bool initiator;
43
44 /**
45 * Inbound AEAD.
46 */
47 aead_t *aead_in;
48
49 /**
50 * Outbound AEAD.
51 */
52 aead_t *aead_out;
53
54 /**
55 * ISA context id.
56 */
57 isa_id_type isa_ctx_id;
58
59 /**
60 * AE context id.
61 */
62 ae_id_type ae_ctx_id;
63
64 /**
65 * AUTH payload chunk.
66 */
67 chunk_t auth_payload;
68
69 /**
70 * Peer init message chunk.
71 */
72 chunk_t other_init_msg;
73
74 };
75
76 /**
77 * Create AEAD transforms from given key chunks.
78 *
79 * @param in inbound AEAD transform to allocate, NULL if failed
80 * @param out outbound AEAD transform to allocate, NULL if failed
81 * @param sk_ai SK_ai key chunk
82 * @param sk_ar SK_ar key chunk
83 * @param sk_ei SK_ei key chunk
84 * @param sk_er SK_er key chunk
85 * @param enc_alg encryption algorithm to use
86 * @param int_alg integrity algorithm to use
87 * @param key_size encryption key size in bytes
88 * @param initiator TRUE if initiator
89 */
90 static void aead_create_from_keys(aead_t **in, aead_t **out,
91 const chunk_t * const sk_ai, const chunk_t * const sk_ar,
92 const chunk_t * const sk_ei, const chunk_t * const sk_er,
93 const u_int16_t enc_alg, const u_int16_t int_alg,
94 const u_int16_t key_size, bool initiator)
95 {
96 *in = *out = NULL;
97 signer_t *signer_i, *signer_r;
98 crypter_t *crypter_i, *crypter_r;
99
100 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
101 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
102 if (signer_i == NULL || signer_r == NULL)
103 {
104 DBG1(DBG_IKE, "%N %N not supported!",
105 transform_type_names, INTEGRITY_ALGORITHM,
106 integrity_algorithm_names, int_alg);
107 return;
108 }
109 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
110 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, key_size);
111 if (crypter_i == NULL || crypter_r == NULL)
112 {
113 signer_i->destroy(signer_i);
114 signer_r->destroy(signer_r);
115 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
116 transform_type_names, ENCRYPTION_ALGORITHM,
117 encryption_algorithm_names, enc_alg, key_size);
118 return;
119 }
120
121 DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
122 if (!signer_i->set_key(signer_i, *sk_ai))
123 {
124 return;
125 }
126 DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
127 if (!signer_r->set_key(signer_r, *sk_ar))
128 {
129 return;
130 }
131 DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
132 if (!crypter_i->set_key(crypter_i, *sk_ei))
133 {
134 return;
135 }
136 DBG4(DBG_IKE, "Sk_er %B", sk_er);
137 if (!crypter_r->set_key(crypter_r, *sk_er))
138 {
139 return;
140 }
141
142 if (initiator)
143 {
144 *in = aead_create(crypter_r, signer_r);
145 *out = aead_create(crypter_i, signer_i);
146 }
147 else
148 {
149 *in = aead_create(crypter_i, signer_i);
150 *out = aead_create(crypter_r, signer_r);
151 }
152 }
153
154 METHOD(keymat_t, get_version, ike_version_t,
155 private_tkm_keymat_t *this)
156 {
157 return IKEV2;
158 }
159
160 METHOD(keymat_t, create_dh, diffie_hellman_t*,
161 private_tkm_keymat_t *this, diffie_hellman_group_t group)
162 {
163 return lib->crypto->create_dh(lib->crypto, group);
164 }
165
166 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
167 private_tkm_keymat_t *this)
168 {
169 return lib->crypto->create_nonce_gen(lib->crypto);
170 }
171
172 METHOD(keymat_v2_t, derive_ike_keys, bool,
173 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
174 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
175 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
176 {
177 u_int16_t enc_alg, int_alg, key_size;
178 u_int64_t nc_id, spi_loc, spi_rem;
179 chunk_t *nonce, c_ai, c_ar, c_ei, c_er;
180 tkm_diffie_hellman_t *tkm_dh;
181 dh_id_type dh_id;
182 nonce_type nonce_rem;
183 result_type res;
184 key_type sk_ai, sk_ar, sk_ei, sk_er;
185
186 /* Check encryption and integrity algorithms */
187 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg,
188 &key_size))
189 {
190 DBG1(DBG_IKE, "no %N selected", transform_type_names,
191 ENCRYPTION_ALGORITHM);
192 return FALSE;
193 }
194 if (encryption_algorithm_is_aead(enc_alg))
195 {
196 DBG1(DBG_IKE, "AEAD algorithm %N not supported",
197 encryption_algorithm_names, enc_alg);
198 return FALSE;
199 }
200 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
201 {
202 DBG1(DBG_IKE, "no %N selected", transform_type_names,
203 INTEGRITY_ALGORITHM);
204 return FALSE;
205 }
206 if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
207 int_alg == AUTH_HMAC_SHA2_512_256))
208 {
209 DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, "
210 "please update your configuration");
211 return FALSE;
212 }
213
214 DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
215 encryption_algorithm_names, enc_alg, integrity_algorithm_names,
216 int_alg);
217
218 /* Acquire nonce context id */
219 nonce = this->initiator ? &nonce_i : &nonce_r;
220 nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
221 if (!nc_id)
222 {
223 DBG1(DBG_IKE, "unable to acquire context id for nonce");
224 return FALSE;
225 }
226
227 /* Get DH context id */
228 tkm_dh = (tkm_diffie_hellman_t *)dh;
229 dh_id = tkm_dh->get_id(tkm_dh);
230
231 if (this->initiator)
232 {
233 chunk_to_sequence(&nonce_r, &nonce_rem, sizeof(nonce_type));
234 spi_loc = id->get_initiator_spi(id);
235 spi_rem = id->get_responder_spi(id);
236 }
237 else
238 {
239 chunk_to_sequence(&nonce_i, &nonce_rem, sizeof(nonce_type));
240 spi_loc = id->get_responder_spi(id);
241 spi_rem = id->get_initiator_spi(id);
242 }
243
244 if (rekey_function == PRF_UNDEFINED)
245 {
246 this->ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE);
247 if (!this->ae_ctx_id)
248 {
249 DBG1(DBG_IKE, "unable to acquire ae context id");
250 return FALSE;
251 }
252 DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
253 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
254 res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
255 nonce_rem, this->initiator, spi_loc, spi_rem,
256 &sk_ai, &sk_ar, &sk_ei, &sk_er);
257 }
258 else
259 {
260 isa_info_t isa_info;
261
262 if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_info_t))
263 {
264 DBG1(DBG_IKE, "unable to retrieve parent isa info");
265 return FALSE;
266 }
267 isa_info = *((isa_info_t *)(rekey_skd.ptr));
268 DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, ae: %llu, nc: %llu,"
269 "dh: %llu, spi_loc: %llx, spi_rem: %llx)", isa_info.parent_isa_id,
270 isa_info.ae_id, nc_id, dh_id, spi_loc, spi_rem);
271 this->ae_ctx_id = isa_info.ae_id;
272 res = ike_isa_create_child(this->isa_ctx_id, isa_info.parent_isa_id, 1,
273 dh_id, nc_id, nonce_rem, this->initiator,
274 spi_loc, spi_rem, &sk_ai, &sk_ar, &sk_ei,
275 &sk_er);
276 chunk_free(&rekey_skd);
277 }
278
279 if (res != TKM_OK)
280 {
281 DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
282 return FALSE;
283 }
284
285 sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
286 sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
287 sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
288 sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
289
290 aead_create_from_keys(&this->aead_in, &this->aead_out, &c_ai, &c_ar, &c_ei,
291 &c_er, enc_alg, int_alg, key_size / 8,
292 this->initiator);
293
294 chunk_clear(&c_ai);
295 chunk_clear(&c_ar);
296 chunk_clear(&c_ei);
297 chunk_clear(&c_er);
298
299 if (!this->aead_in || !this->aead_out)
300 {
301 DBG1(DBG_IKE, "could not initialize AEAD transforms");
302 return FALSE;
303 }
304
305 /* TODO: Add failure handler (see keymat_v2.c) */
306
307 tkm->chunk_map->remove(tkm->chunk_map, nonce);
308 if (ike_nc_reset(nc_id) != TKM_OK)
309 {
310 DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
311 }
312 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
313
314 return TRUE;
315 }
316
317 METHOD(keymat_v2_t, derive_child_keys, bool,
318 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
319 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
320 chunk_t *encr_r, chunk_t *integ_r)
321 {
322 esa_info_t *esa_info_i, *esa_info_r;
323 dh_id_type dh_id = 0;
324
325 if (dh)
326 {
327 dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
328 }
329
330 INIT(esa_info_i,
331 .isa_id = this->isa_ctx_id,
332 .spi_r = proposal->get_spi(proposal),
333 .nonce_i = chunk_clone(nonce_i),
334 .nonce_r = chunk_clone(nonce_r),
335 .is_encr_r = FALSE,
336 .dh_id = dh_id,
337 );
338
339 INIT(esa_info_r,
340 .isa_id = this->isa_ctx_id,
341 .spi_r = proposal->get_spi(proposal),
342 .nonce_i = chunk_clone(nonce_i),
343 .nonce_r = chunk_clone(nonce_r),
344 .is_encr_r = TRUE,
345 .dh_id = dh_id,
346 );
347
348 DBG1(DBG_CHD, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
349 esa_info_i->isa_id, ntohl(esa_info_i->spi_r), esa_info_i->dh_id);
350
351 /* store ESA info in encr_i/r, which is passed to add_sa */
352 *encr_i = chunk_create((u_char *)esa_info_i, sizeof(esa_info_t));
353 *encr_r = chunk_create((u_char *)esa_info_r, sizeof(esa_info_t));
354 *integ_i = chunk_empty;
355 *integ_r = chunk_empty;
356
357 return TRUE;
358 }
359
360 METHOD(keymat_t, get_aead, aead_t*,
361 private_tkm_keymat_t *this, bool in)
362 {
363 return in ? this->aead_in : this->aead_out;
364 }
365
366 METHOD(keymat_v2_t, get_auth_octets, bool,
367 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
368 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
369 {
370 sign_info_t *sign;
371
372 if (verify)
373 {
374 /* store peer init message for authentication step */
375 this->other_init_msg = chunk_clone(ike_sa_init);
376 *octets = chunk_empty;
377 return TRUE;
378 }
379
380 INIT(sign,
381 .isa_id = this->isa_ctx_id,
382 .init_message = chunk_clone(ike_sa_init),
383 );
384
385 /*
386 * store signature info in AUTH octets, which is passed to the private key
387 * sign() operation
388 */
389 *octets = chunk_create((u_char *)sign, sizeof(sign_info_t));
390 return TRUE;
391 }
392
393 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
394 private_tkm_keymat_t *this, chunk_t *skd)
395 {
396 isa_info_t *isa_info;
397
398 INIT(isa_info,
399 .parent_isa_id = this->isa_ctx_id,
400 .ae_id = this->ae_ctx_id,
401 );
402
403 *skd = chunk_create((u_char *)isa_info, sizeof(isa_info_t));
404
405 /*
406 * remove ae context id, since control has now been handed over to the new
407 * IKE SA keymat
408 */
409 this->ae_ctx_id = 0;
410 return PRF_HMAC_SHA2_512;
411 }
412
413 METHOD(keymat_v2_t, get_psk_sig, bool,
414 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
415 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
416 {
417 return FALSE;
418 }
419
420 METHOD(keymat_t, destroy, void,
421 private_tkm_keymat_t *this)
422 {
423 if (ike_isa_reset(this->isa_ctx_id) != TKM_OK)
424 {
425 DBG1(DBG_IKE, "failed to reset ISA context %d", this->isa_ctx_id);
426 }
427 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ISA, this->isa_ctx_id);
428 /* only reset ae context if set */
429 if (this->ae_ctx_id != 0)
430 {
431 if (ike_ae_reset(this->ae_ctx_id) != TKM_OK)
432 {
433 DBG1(DBG_IKE, "failed to reset AE context %d", this->ae_ctx_id);
434 }
435 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_AE, this->ae_ctx_id);
436 }
437
438 DESTROY_IF(this->aead_in);
439 DESTROY_IF(this->aead_out);
440 chunk_free(&this->auth_payload);
441 chunk_free(&this->other_init_msg);
442 free(this);
443 }
444
445 METHOD(tkm_keymat_t, get_isa_id, isa_id_type,
446 private_tkm_keymat_t *this)
447 {
448 return this->isa_ctx_id;
449 }
450
451 METHOD(tkm_keymat_t, set_auth_payload, void,
452 private_tkm_keymat_t *this, const chunk_t * const payload)
453 {
454 this->auth_payload = chunk_clone(*payload);
455 }
456
457 METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
458 private_tkm_keymat_t *this)
459 {
460 return &this->auth_payload;
461 }
462
463 METHOD(tkm_keymat_t, get_peer_init_msg, chunk_t*,
464 private_tkm_keymat_t *this)
465 {
466 return &this->other_init_msg;
467 }
468
469 /**
470 * See header.
471 */
472 tkm_keymat_t *tkm_keymat_create(bool initiator)
473 {
474 private_tkm_keymat_t *this;
475
476 INIT(this,
477 .public = {
478 .keymat_v2 = {
479 .keymat = {
480 .get_version = _get_version,
481 .create_dh = _create_dh,
482 .create_nonce_gen = _create_nonce_gen,
483 .get_aead = _get_aead,
484 .destroy = _destroy,
485 },
486 .derive_ike_keys = _derive_ike_keys,
487 .derive_child_keys = _derive_child_keys,
488 .get_skd = _get_skd,
489 .get_auth_octets = _get_auth_octets,
490 .get_psk_sig = _get_psk_sig,
491 },
492 .get_isa_id = _get_isa_id,
493 .set_auth_payload = _set_auth_payload,
494 .get_auth_payload = _get_auth_payload,
495 .get_peer_init_msg = _get_peer_init_msg,
496 },
497 .initiator = initiator,
498 .isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
499 .ae_ctx_id = 0,
500 .auth_payload = chunk_empty,
501 .other_init_msg = chunk_empty,
502 );
503
504 if (!this->isa_ctx_id)
505 {
506 free(this);
507 return NULL;
508 }
509
510 return &this->public;
511 }