fixing keylength bug at the right place:
[strongswan.git] / src / charon / sa / keymat.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 *
15 * $Id$
16 */
17
18 #include "keymat.h"
19
20 #include <daemon.h>
21 #include <crypto/prf_plus.h>
22
23 typedef struct private_keymat_t private_keymat_t;
24
25 /**
26 * Private data of an keymat_t object.
27 */
28 struct private_keymat_t {
29
30 /**
31 * Public keymat_t interface.
32 */
33 keymat_t public;
34
35 /**
36 * IKE_SA Role, initiator or responder
37 */
38 bool initiator;
39
40 /**
41 * inbound signer (verify)
42 */
43 signer_t *signer_in;
44
45 /**
46 * outbound signer (sign)
47 */
48 signer_t *signer_out;
49
50 /**
51 * inbound crypter (decrypt)
52 */
53 crypter_t *crypter_in;
54
55 /**
56 * outbound crypter (encrypt)
57 */
58 crypter_t *crypter_out;
59
60 /**
61 * General purpose PRF
62 */
63 prf_t *prf;
64
65 /**
66 * Key to derive key material from for CHILD_SAs, rekeying
67 */
68 chunk_t skd;
69
70 /**
71 * Key to build outging authentication data (SKp)
72 */
73 chunk_t skp_build;
74
75 /**
76 * Key to verify incoming authentication data (SKp)
77 */
78 chunk_t skp_verify;
79 };
80
81 typedef struct keylen_entry_t keylen_entry_t;
82
83 /**
84 * Implicit key length for an algorithm
85 */
86 struct keylen_entry_t {
87 /** IKEv2 algorithm identifier */
88 int algo;
89 /** key length in bits */
90 int len;
91 };
92
93 #define END_OF_LIST -1
94
95 /**
96 * Keylen for encryption algos
97 */
98 keylen_entry_t keylen_enc[] = {
99 {ENCR_DES, 64},
100 {ENCR_3DES, 192},
101 {END_OF_LIST, 0}
102 };
103
104 /**
105 * Keylen for integrity algos
106 */
107 keylen_entry_t keylen_int[] = {
108 {AUTH_HMAC_MD5_96, 128},
109 {AUTH_HMAC_SHA1_96, 160},
110 {AUTH_HMAC_SHA2_256_128, 256},
111 {AUTH_HMAC_SHA2_384_192, 384},
112 {AUTH_HMAC_SHA2_512_256, 512},
113 {AUTH_AES_XCBC_96, 128},
114 {END_OF_LIST, 0}
115 };
116
117 /**
118 * Lookup key length of an algorithm
119 */
120 static int lookup_keylen(keylen_entry_t *list, int algo)
121 {
122 while (list->algo != END_OF_LIST)
123 {
124 if (algo == list->algo)
125 {
126 return list->len;
127 }
128 list++;
129 }
130 return 0;
131 }
132
133 /**
134 * Implementation of keymat_t.create_dh
135 */
136 static diffie_hellman_t* create_dh(private_keymat_t *this,
137 diffie_hellman_group_t group)
138 {
139 return lib->crypto->create_dh(lib->crypto, group);;
140 }
141
142 /**
143 * Implementation of keymat_t.derive_keys
144 */
145 static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
146 diffie_hellman_t *dh, chunk_t nonce_i,
147 chunk_t nonce_r, ike_sa_id_t *id,
148 private_keymat_t *rekey)
149 {
150 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
151 chunk_t spi_i, spi_r;
152 crypter_t *crypter_i, *crypter_r;
153 signer_t *signer_i, *signer_r;
154 prf_plus_t *prf_plus;
155 u_int16_t alg, key_size;
156
157 spi_i = chunk_alloca(sizeof(u_int64_t));
158 spi_r = chunk_alloca(sizeof(u_int64_t));
159
160 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
161 {
162 return FALSE;
163 }
164
165 /* Create SAs general purpose PRF first, we may use it here */
166 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
167 {
168 DBG1(DBG_IKE, "no %N selected",
169 transform_type_names, PSEUDO_RANDOM_FUNCTION);
170 return FALSE;
171 }
172 this->prf = lib->crypto->create_prf(lib->crypto, alg);
173 if (this->prf == NULL)
174 {
175 DBG1(DBG_IKE, "%N %N not supported!",
176 transform_type_names, PSEUDO_RANDOM_FUNCTION,
177 pseudo_random_function_names, alg);
178 return FALSE;
179 }
180 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
181 /* full nonce is used as seed for PRF+ ... */
182 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
183 /* but the PRF may need a fixed key which only uses the first bytes of
184 * the nonces. */
185 switch (alg)
186 {
187 case PRF_AES128_XCBC:
188 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
189 * not and therefore fixed key semantics apply to XCBC for key
190 * derivation. */
191 key_size = this->prf->get_key_size(this->prf)/2;
192 nonce_i.len = min(nonce_i.len, key_size);
193 nonce_r.len = min(nonce_r.len, key_size);
194 break;
195 default:
196 /* all other algorithms use variable key length, full nonce */
197 break;
198 }
199 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
200 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
201 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
202 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
203
204 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
205 *
206 * if we are rekeying, SKEYSEED is built on another way
207 */
208 if (rekey == NULL) /* not rekeying */
209 {
210 /* SKEYSEED = prf(Ni | Nr, g^ir) */
211 this->prf->set_key(this->prf, fixed_nonce);
212 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
213 this->prf->set_key(this->prf, skeyseed);
214 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
215 }
216 else
217 {
218 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
219 * use OLD SAs PRF functions for both prf_plus and prf */
220 secret = chunk_cat("mc", secret, full_nonce);
221 rekey->prf->set_key(rekey->prf, rekey->skd);
222 rekey->prf->allocate_bytes(rekey->prf, secret, &skeyseed);
223 rekey->prf->set_key(rekey->prf, skeyseed);
224 prf_plus = prf_plus_create(rekey->prf, prf_plus_seed);
225 }
226 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
227
228 chunk_clear(&skeyseed);
229 chunk_clear(&secret);
230 chunk_free(&full_nonce);
231 chunk_free(&fixed_nonce);
232 chunk_clear(&prf_plus_seed);
233
234 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
235
236 /* SK_d is used for generating CHILD_SA key mat => store for later use */
237 key_size = this->prf->get_key_size(this->prf);
238 prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
239 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
240
241 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
242 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
243 {
244 DBG1(DBG_IKE, "no %N selected",
245 transform_type_names, INTEGRITY_ALGORITHM);
246 return FALSE;
247 }
248 signer_i = lib->crypto->create_signer(lib->crypto, alg);
249 signer_r = lib->crypto->create_signer(lib->crypto, alg);
250 if (signer_i == NULL || signer_r == NULL)
251 {
252 DBG1(DBG_IKE, "%N %N not supported!",
253 transform_type_names, INTEGRITY_ALGORITHM,
254 integrity_algorithm_names ,alg);
255 prf_plus->destroy(prf_plus);
256 return FALSE;
257 }
258 key_size = signer_i->get_key_size(signer_i);
259
260 prf_plus->allocate_bytes(prf_plus, key_size, &key);
261 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
262 signer_i->set_key(signer_i, key);
263 chunk_clear(&key);
264
265 prf_plus->allocate_bytes(prf_plus, key_size, &key);
266 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
267 signer_r->set_key(signer_r, key);
268 chunk_clear(&key);
269
270 if (this->initiator)
271 {
272 this->signer_in = signer_r;
273 this->signer_out = signer_i;
274 }
275 else
276 {
277 this->signer_in = signer_i;
278 this->signer_out = signer_r;
279 }
280
281 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
282 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
283 {
284 DBG1(DBG_IKE, "no %N selected",
285 transform_type_names, ENCRYPTION_ALGORITHM);
286 prf_plus->destroy(prf_plus);
287 return FALSE;
288 }
289 crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
290 crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
291 if (crypter_i == NULL || crypter_r == NULL)
292 {
293 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
294 transform_type_names, ENCRYPTION_ALGORITHM,
295 encryption_algorithm_names, alg, key_size);
296 prf_plus->destroy(prf_plus);
297 return FALSE;
298 }
299 key_size = crypter_i->get_key_size(crypter_i);
300
301 prf_plus->allocate_bytes(prf_plus, key_size, &key);
302 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
303 crypter_i->set_key(crypter_i, key);
304 chunk_clear(&key);
305
306 prf_plus->allocate_bytes(prf_plus, key_size, &key);
307 DBG4(DBG_IKE, "Sk_er secret %B", &key);
308 crypter_r->set_key(crypter_r, key);
309 chunk_clear(&key);
310
311 if (this->initiator)
312 {
313 this->crypter_in = crypter_r;
314 this->crypter_out = crypter_i;
315 }
316 else
317 {
318 this->crypter_in = crypter_i;
319 this->crypter_out = crypter_r;
320 }
321
322 /* SK_pi/SK_pr used for authentication => stored for later */
323 key_size = this->prf->get_key_size(this->prf);
324 prf_plus->allocate_bytes(prf_plus, key_size, &key);
325 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
326 if (this->initiator)
327 {
328 this->skp_build = key;
329 }
330 else
331 {
332 this->skp_verify = key;
333 }
334 prf_plus->allocate_bytes(prf_plus, key_size, &key);
335 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
336 if (this->initiator)
337 {
338 this->skp_verify = key;
339 }
340 else
341 {
342 this->skp_build = key;
343 }
344
345 /* all done, prf_plus not needed anymore */
346 prf_plus->destroy(prf_plus);
347
348 return TRUE;
349 }
350
351 /**
352 * Implementation of keymat_t.derive_child_keys
353 */
354 static bool derive_child_keys(private_keymat_t *this,
355 proposal_t *proposal, diffie_hellman_t *dh,
356 chunk_t nonce_i, chunk_t nonce_r,
357 chunk_t *encr_i, chunk_t *integ_i,
358 chunk_t *encr_r, chunk_t *integ_r)
359 {
360 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
361 chunk_t seed, secret = chunk_empty;
362 prf_plus_t *prf_plus;
363
364 if (dh)
365 {
366 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
367 {
368 return FALSE;
369 }
370 DBG4(DBG_CHD, "DH secret %B", &secret);
371 }
372 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
373 DBG4(DBG_CHD, "seed %B", &seed);
374
375 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
376 &enc_alg, &enc_size))
377 {
378 DBG2(DBG_CHD, " using %N for encryption",
379 encryption_algorithm_names, enc_alg);
380
381 if (!enc_size)
382 {
383 enc_size = lookup_keylen(keylen_enc, enc_alg);
384 }
385 if (!enc_size)
386 {
387 DBG1(DBG_CHD, "no keylenth defined for %N",
388 encryption_algorithm_names, enc_alg);
389 return FALSE;
390 }
391 /* to bytes */
392 enc_size /= 8;
393
394 /* CCM/GCM needs additional bytes */
395 switch (enc_alg)
396 {
397 case ENCR_AES_CCM_ICV8:
398 case ENCR_AES_CCM_ICV12:
399 case ENCR_AES_CCM_ICV16:
400 enc_size += 3;
401 break;
402 case ENCR_AES_GCM_ICV8:
403 case ENCR_AES_GCM_ICV12:
404 case ENCR_AES_GCM_ICV16:
405 enc_size += 4;
406 break;
407 default:
408 break;
409 }
410 }
411
412 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
413 &int_alg, &int_size))
414 {
415 DBG2(DBG_CHD, " using %N for integrity",
416 integrity_algorithm_names, int_alg);
417
418 if (!int_size)
419 {
420 int_size = lookup_keylen(keylen_int, int_alg);
421 }
422 if (!int_size)
423 {
424 DBG1(DBG_CHD, "no keylenth defined for %N",
425 integrity_algorithm_names, int_alg);
426 return FALSE;
427 }
428 /* to bytes */
429 int_size /= 8;
430 }
431
432 this->prf->set_key(this->prf, this->skd);
433 prf_plus = prf_plus_create(this->prf, seed);
434
435 prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
436 prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
437 prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
438 prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
439
440 prf_plus->destroy(prf_plus);
441
442 return TRUE;
443 }
444
445 /**
446 * Implementation of keymat_t.get_signer
447 */
448 static signer_t* get_signer(private_keymat_t *this, bool in)
449 {
450 return in ? this->signer_in : this->signer_out;
451 }
452
453 /**
454 * Implementation of keymat_t.get_crypter
455 */
456 static crypter_t* get_crypter(private_keymat_t *this, bool in)
457 {
458 return in ? this->crypter_in : this->crypter_out;
459 }
460
461 /**
462 * Implementation of keymat_t.get_auth_octets
463 */
464 static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
465 chunk_t ike_sa_init, chunk_t nonce,
466 identification_t *id)
467 {
468 chunk_t chunk, idx, octets;
469 chunk_t skp;
470
471 skp = verify ? this->skp_verify : this->skp_build;
472
473 chunk = chunk_alloca(4);
474 memset(chunk.ptr, 0, chunk.len);
475 chunk.ptr[0] = id->get_type(id);
476 idx = chunk_cata("cc", chunk, id->get_encoding(id));
477
478 DBG3(DBG_IKE, "IDx' %B", &idx);
479 DBG3(DBG_IKE, "SK_p %B", &skp);
480 this->prf->set_key(this->prf, skp);
481 this->prf->allocate_bytes(this->prf, idx, &chunk);
482
483 octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
484 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
485 return octets;
486 }
487
488 /**
489 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
490 */
491 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
492 #define IKEV2_KEY_PAD_LENGTH 17
493
494 /**
495 * Implementation of keymat_t.get_psk_sig
496 */
497 static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
498 chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
499 identification_t *id)
500 {
501 chunk_t key_pad, key, sig, octets;
502
503 if (!secret.len)
504 { /* EAP uses SK_p if no MSK has been established */
505 secret = verify ? this->skp_verify : this->skp_build;
506 }
507 octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
508 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
509 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
510 this->prf->set_key(this->prf, secret);
511 this->prf->allocate_bytes(this->prf, key_pad, &key);
512 this->prf->set_key(this->prf, key);
513 this->prf->allocate_bytes(this->prf, octets, &sig);
514 DBG4(DBG_IKE, "secret %B", &secret);
515 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
516 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
517 chunk_free(&octets);
518 chunk_free(&key);
519
520 return sig;
521 }
522
523 /**
524 * Implementation of keymat_t.destroy.
525 */
526 static void destroy(private_keymat_t *this)
527 {
528 DESTROY_IF(this->signer_in);
529 DESTROY_IF(this->signer_out);
530 DESTROY_IF(this->crypter_in);
531 DESTROY_IF(this->crypter_out);
532 DESTROY_IF(this->prf);
533 chunk_clear(&this->skd);
534 chunk_clear(&this->skp_verify);
535 chunk_clear(&this->skp_build);
536 free(this);
537 }
538
539 /**
540 * See header
541 */
542 keymat_t *keymat_create(bool initiator)
543 {
544 private_keymat_t *this = malloc_thing(private_keymat_t);
545
546 this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
547 this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey))derive_ike_keys;
548 this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
549 this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
550 this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
551 this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
552 this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
553 this->public.destroy = (void(*)(keymat_t*))destroy;
554
555 this->initiator = initiator;
556
557 this->signer_in = NULL;
558 this->signer_out = NULL;
559 this->crypter_in = NULL;
560 this->crypter_out = NULL;
561 this->prf = NULL;
562 this->skd = chunk_empty;
563 this->skp_verify = chunk_empty;
564 this->skp_build = chunk_empty;
565
566 return &this->public;
567 }
568