Let tkm_keymat_t extend keymat_v2_t
[strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
1 /*
2 * Copyrigth (C) 2012 Reto Buerki
3 * Copyright (C) 2012 Adrian-Ken Rueegsegger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <daemon.h>
18 #include <tkm/constants.h>
19 #include <tkm/client.h>
20
21 #include "tkm.h"
22 #include "tkm_types.h"
23 #include "tkm_utils.h"
24 #include "tkm_diffie_hellman.h"
25 #include "tkm_keymat.h"
26
27 typedef struct private_tkm_keymat_t private_tkm_keymat_t;
28
29 /**
30 * Private data of a keymat_t object.
31 */
32 struct private_tkm_keymat_t {
33
34 /**
35 * Public tkm_keymat_t interface.
36 */
37 tkm_keymat_t public;
38
39 /**
40 * IKE_SA Role, initiator or responder.
41 */
42 bool initiator;
43
44 /**
45 * Inbound AEAD.
46 */
47 aead_t *aead_in;
48
49 /**
50 * Outbound AEAD.
51 */
52 aead_t *aead_out;
53
54 /**
55 * ISA context id.
56 */
57 isa_id_type isa_ctx_id;
58
59 /**
60 * AE context id.
61 */
62 ae_id_type ae_ctx_id;
63
64 /**
65 * AUTH payload chunk.
66 */
67 chunk_t auth_payload;
68
69 };
70
71 /**
72 * Create AEAD transforms from given key chunks.
73 *
74 * @param in inbound AEAD transform to allocate, NULL if failed
75 * @param out outbound AEAD transform to allocate, NULL if failed
76 * @param sk_ai SK_ai key chunk
77 * @param sk_ar SK_ar key chunk
78 * @param sk_ei SK_ei key chunk
79 * @param sk_er SK_er key chunk
80 * @param enc_alg encryption algorithm to use
81 * @param int_alg integrity algorithm to use
82 * @param key_size encryption key size in bytes
83 * @param initiator TRUE if initiator
84 */
85 static void aead_create_from_keys(aead_t **in, aead_t **out,
86 const chunk_t * const sk_ai, const chunk_t * const sk_ar,
87 const chunk_t * const sk_ei, const chunk_t * const sk_er,
88 const u_int16_t enc_alg, const u_int16_t int_alg,
89 const u_int16_t key_size, bool initiator)
90 {
91 *in = *out = NULL;
92
93 signer_t * const signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
94 signer_t * const signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
95 if (signer_i == NULL || signer_r == NULL)
96 {
97 DBG1(DBG_IKE, "%N %N not supported!",
98 transform_type_names, INTEGRITY_ALGORITHM,
99 integrity_algorithm_names, int_alg);
100 return;
101 }
102 crypter_t * const crypter_i = lib->crypto->create_crypter(lib->crypto,
103 enc_alg, key_size);
104 crypter_t * const crypter_r = lib->crypto->create_crypter(lib->crypto,
105 enc_alg, key_size);
106 if (crypter_i == NULL || crypter_r == NULL)
107 {
108 signer_i->destroy(signer_i);
109 signer_r->destroy(signer_r);
110 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
111 transform_type_names, ENCRYPTION_ALGORITHM,
112 encryption_algorithm_names, enc_alg, key_size);
113 return;
114 }
115
116 DBG4(DBG_IKE, "Sk_ai %B", sk_ai);
117 if (!signer_i->set_key(signer_i, *sk_ai))
118 {
119 return;
120 }
121 DBG4(DBG_IKE, "Sk_ar %B", sk_ar);
122 if (!signer_r->set_key(signer_r, *sk_ar))
123 {
124 return;
125 }
126 DBG4(DBG_IKE, "Sk_ei %B", sk_ei);
127 if (!crypter_i->set_key(crypter_i, *sk_ei))
128 {
129 return;
130 }
131 DBG4(DBG_IKE, "Sk_er %B", sk_er);
132 if (!crypter_r->set_key(crypter_r, *sk_er))
133 {
134 return;
135 }
136
137 if (initiator)
138 {
139 *in = aead_create(crypter_r, signer_r);
140 *out = aead_create(crypter_i, signer_i);
141 }
142 else
143 {
144 *in = aead_create(crypter_i, signer_i);
145 *out = aead_create(crypter_r, signer_r);
146 }
147 }
148
149 METHOD(keymat_t, get_version, ike_version_t,
150 private_tkm_keymat_t *this)
151 {
152 return IKEV2;
153 }
154
155 METHOD(keymat_t, create_dh, diffie_hellman_t*,
156 private_tkm_keymat_t *this, diffie_hellman_group_t group)
157 {
158 return lib->crypto->create_dh(lib->crypto, group);
159 }
160
161 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
162 private_tkm_keymat_t *this)
163 {
164 return lib->crypto->create_nonce_gen(lib->crypto);
165 }
166
167 METHOD(keymat_v2_t, derive_ike_keys, bool,
168 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
169 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
170 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
171 {
172 /* Check encryption and integrity algorithms */
173 u_int16_t enc_alg, int_alg, key_size;
174 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &enc_alg, &key_size))
175 {
176 DBG1(DBG_IKE, "no %N selected", transform_type_names,
177 ENCRYPTION_ALGORITHM);
178 return FALSE;
179 }
180 if (encryption_algorithm_is_aead(enc_alg))
181 {
182 DBG1(DBG_IKE, "AEAD algorithm %N not supported",
183 encryption_algorithm_names, enc_alg);
184 return FALSE;
185 }
186 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &int_alg, NULL))
187 {
188 DBG1(DBG_IKE, "no %N selected", transform_type_names,
189 INTEGRITY_ALGORITHM);
190 return FALSE;
191 }
192 if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
193 int_alg == AUTH_HMAC_SHA2_512_256))
194 {
195 DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
196 " update your configuration");
197 return FALSE;
198 }
199
200 DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
201 encryption_algorithm_names, enc_alg,
202 integrity_algorithm_names, int_alg);
203
204 /* Acquire nonce context id */
205 chunk_t * const nonce = this->initiator ? &nonce_i : &nonce_r;
206 const uint64_t nc_id = tkm->chunk_map->get_id(tkm->chunk_map, nonce);
207 if (!nc_id)
208 {
209 DBG1(DBG_IKE, "unable to acquire context id for nonce");
210 return FALSE;
211 }
212
213 /* Get DH context id */
214 tkm_diffie_hellman_t * const tkm_dh = (tkm_diffie_hellman_t *)dh;
215 const dh_id_type dh_id = tkm_dh->get_id(tkm_dh);
216
217 nonce_type nonce_rem;
218 u_int64_t spi_loc, spi_rem;
219
220 if (this->initiator)
221 {
222 chunk_to_sequence(&nonce_r, &nonce_rem);
223 spi_loc = id->get_initiator_spi(id);
224 spi_rem = id->get_responder_spi(id);
225 }
226 else
227 {
228 chunk_to_sequence(&nonce_i, &nonce_rem);
229 spi_loc = id->get_responder_spi(id);
230 spi_rem = id->get_initiator_spi(id);
231 }
232
233 result_type res;
234 key_type sk_ai, sk_ar, sk_ei, sk_er;
235 if (rekey_function == PRF_UNDEFINED)
236 {
237 DBG1(DBG_IKE, "deriving IKE keys (nc: %llu, dh: %llu, spi_loc: %llx, "
238 "spi_rem: %llx)", nc_id, dh_id, spi_loc, spi_rem);
239 res = ike_isa_create(this->isa_ctx_id, this->ae_ctx_id, 1, dh_id, nc_id,
240 nonce_rem, this->initiator, spi_loc, spi_rem,
241 &sk_ai, &sk_ar, &sk_ei, &sk_er);
242 }
243 else
244 {
245 if (rekey_skd.ptr == NULL || rekey_skd.len != sizeof(isa_id_type))
246 {
247 DBG1(DBG_IKE, "unable to retrieve parent isa context id");
248 return FALSE;
249 }
250 const isa_id_type parent_isa_id = *((isa_id_type *)(rekey_skd.ptr));
251 DBG1(DBG_IKE, "deriving IKE keys (parent_isa: %llu, nc: %llu, dh: %llu,"
252 "spi_loc: %llx, spi_rem: %llx)", parent_isa_id, nc_id, dh_id,
253 spi_loc, spi_rem);
254 res = ike_isa_create_child(this->isa_ctx_id, parent_isa_id, 1, dh_id,
255 nc_id, nonce_rem, this->initiator, spi_loc,
256 spi_rem, &sk_ai, &sk_ar, &sk_ei, &sk_er);
257 chunk_free(&rekey_skd);
258 }
259
260 if (res != TKM_OK)
261 {
262 DBG1(DBG_IKE, "key derivation failed (isa: %llu)", this->isa_ctx_id);
263 return FALSE;
264 }
265
266 chunk_t c_ai, c_ar, c_ei, c_er;
267 sequence_to_chunk(sk_ai.data, sk_ai.size, &c_ai);
268 sequence_to_chunk(sk_ar.data, sk_ar.size, &c_ar);
269 sequence_to_chunk(sk_ei.data, sk_ei.size, &c_ei);
270 sequence_to_chunk(sk_er.data, sk_er.size, &c_er);
271
272 aead_create_from_keys(&this->aead_in, &this->aead_out,
273 &c_ai, &c_ar, &c_ei, &c_er,
274 enc_alg, int_alg, key_size / 8, this->initiator);
275
276 chunk_clear(&c_ai);
277 chunk_clear(&c_ar);
278 chunk_clear(&c_ei);
279 chunk_clear(&c_er);
280
281 if (!this->aead_in || !this->aead_out)
282 {
283 DBG1(DBG_IKE, "could not initialize AEAD transforms");
284 return FALSE;
285 }
286
287 /* TODO: Add failure handler (see keymat_v2.c) */
288
289 tkm->chunk_map->remove(tkm->chunk_map, nonce);
290 if (ike_nc_reset(nc_id) != TKM_OK)
291 {
292 DBG1(DBG_IKE, "failed to reset nonce context %llu", nc_id);
293 }
294 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_NONCE, nc_id);
295
296 return TRUE;
297 }
298
299 METHOD(keymat_v2_t, derive_child_keys, bool,
300 private_tkm_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh,
301 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
302 chunk_t *encr_r, chunk_t *integ_r)
303 {
304 esa_info_t *esa_info_i, *esa_info_r;
305
306 dh_id_type dh_id = 0;
307 if (dh)
308 {
309 dh_id = ((tkm_diffie_hellman_t *)dh)->get_id((tkm_diffie_hellman_t *)dh);
310 }
311
312 INIT(esa_info_i,
313 .isa_id = this->isa_ctx_id,
314 .spi_r = proposal->get_spi(proposal),
315 .nonce_i = chunk_clone(nonce_i),
316 .nonce_r = chunk_clone(nonce_r),
317 .is_encr_r = FALSE,
318 .dh_id = dh_id,
319 );
320
321 INIT(esa_info_r,
322 .isa_id = this->isa_ctx_id,
323 .spi_r = proposal->get_spi(proposal),
324 .nonce_i = chunk_clone(nonce_i),
325 .nonce_r = chunk_clone(nonce_r),
326 .is_encr_r = TRUE,
327 .dh_id = dh_id,
328 );
329
330 DBG1(DBG_CHD, "passing on esa info (isa: %llu, spi_r: %x, dh_id: %llu)",
331 esa_info_i->isa_id, ntohl(esa_info_i->spi_r), esa_info_i->dh_id);
332
333 /* store ESA info in encr_i/r, which is passed to add_sa */
334 *encr_i = chunk_create((u_char *)esa_info_i, sizeof(esa_info_t));
335 *encr_r = chunk_create((u_char *)esa_info_r, sizeof(esa_info_t));
336 *integ_i = chunk_empty;
337 *integ_r = chunk_empty;
338
339 return TRUE;
340 }
341
342 METHOD(keymat_t, get_aead, aead_t*,
343 private_tkm_keymat_t *this, bool in)
344 {
345 return in ? this->aead_in : this->aead_out;
346 }
347
348 METHOD(keymat_v2_t, get_auth_octets, bool,
349 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
350 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
351 {
352 DBG1(DBG_IKE, "returning auth octets");
353 *octets = chunk_empty;
354 return TRUE;
355 }
356
357 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
358 private_tkm_keymat_t *this, chunk_t *skd)
359 {
360 *skd = chunk_clone(chunk_from_thing(this->isa_ctx_id));
361 return PRF_HMAC_SHA2_512;
362 }
363
364 METHOD(keymat_v2_t, get_psk_sig, bool,
365 private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
366 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
367 {
368 DBG1(DBG_IKE, "returning %s PSK signature", verify ? "remote" : "local");
369
370 signature_type signature;
371 init_message_type msg;
372 chunk_to_sequence(&ike_sa_init, &msg);
373
374 chunk_t idx_chunk, chunk = chunk_alloca(4);
375 chunk.ptr[0] = id->get_type(id);
376 memcpy(chunk.ptr + 1, reserved, 3);
377 idx_chunk = chunk_cata("cc", chunk, id->get_encoding(id));
378 idx_type idx;
379 chunk_to_sequence(&idx_chunk, &idx);
380
381 if (ike_isa_sign_psk(this->isa_ctx_id, msg, idx, verify == TRUE, &signature)
382 != TKM_OK)
383 {
384 DBG1(DBG_IKE, "get %s PSK signature failed", verify ?
385 "remote" : "local");
386 return FALSE;
387 }
388
389 sequence_to_chunk(&signature.data[0], signature.size, sig);
390 return TRUE;
391 }
392
393 METHOD(keymat_t, destroy, void,
394 private_tkm_keymat_t *this)
395 {
396 if (ike_isa_reset(this->isa_ctx_id) != TKM_OK)
397 {
398 DBG1(DBG_IKE, "failed to reset ISA context %d", this->isa_ctx_id);
399 }
400 tkm->idmgr->release_id(tkm->idmgr, TKM_CTX_ISA, this->isa_ctx_id);
401
402 DESTROY_IF(this->aead_in);
403 DESTROY_IF(this->aead_out);
404 chunk_free(&this->auth_payload);
405 free(this);
406 }
407
408 METHOD(tkm_keymat_t, get_isa_id, isa_id_type,
409 private_tkm_keymat_t *this)
410 {
411 return this->isa_ctx_id;
412 }
413
414 METHOD(tkm_keymat_t, set_auth_payload, void,
415 private_tkm_keymat_t *this, const chunk_t * const payload)
416 {
417 this->auth_payload = chunk_clone(*payload);
418 }
419
420 METHOD(tkm_keymat_t, get_auth_payload, chunk_t*,
421 private_tkm_keymat_t *this)
422 {
423 return &this->auth_payload;
424 }
425
426 /**
427 * See header.
428 */
429 tkm_keymat_t *tkm_keymat_create(bool initiator)
430 {
431 private_tkm_keymat_t *this;
432
433 INIT(this,
434 .public = {
435 .keymat_v2 = {
436 .keymat = {
437 .get_version = _get_version,
438 .create_dh = _create_dh,
439 .create_nonce_gen = _create_nonce_gen,
440 .get_aead = _get_aead,
441 .destroy = _destroy,
442 },
443 .derive_ike_keys = _derive_ike_keys,
444 .derive_child_keys = _derive_child_keys,
445 .get_skd = _get_skd,
446 .get_auth_octets = _get_auth_octets,
447 .get_psk_sig = _get_psk_sig,
448 },
449 .get_isa_id = _get_isa_id,
450 .set_auth_payload = _set_auth_payload,
451 .get_auth_payload = _get_auth_payload,
452 },
453 .initiator = initiator,
454 .isa_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_ISA),
455 .ae_ctx_id = tkm->idmgr->acquire_id(tkm->idmgr, TKM_CTX_AE),
456 .auth_payload = chunk_empty,
457 );
458
459 if (!this->isa_ctx_id || !this->ae_ctx_id)
460 {
461 free(this);
462 return NULL;
463 }
464
465 return &this->public;
466 }