payload: Use common prefixes for all payload type identifiers
[strongswan.git] / src / libcharon / sa / ikev1 / keymat_v1.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v1.h"
17
18 #include <daemon.h>
19 #include <encoding/generator.h>
20 #include <encoding/payloads/nonce_payload.h>
21 #include <collections/linked_list.h>
22
23 typedef struct private_keymat_v1_t private_keymat_v1_t;
24
25 /**
26 * Max. number of IVs to track.
27 */
28 #define MAX_IV 3
29
30 /**
31 * Max. number of Quick Modes to track.
32 */
33 #define MAX_QM 2
34
35 /**
36 * Data stored for IVs
37 */
38 typedef struct {
39 /** message ID */
40 u_int32_t mid;
41 /** current IV */
42 chunk_t iv;
43 /** last block of encrypted message */
44 chunk_t last_block;
45 } iv_data_t;
46
47 /**
48 * Private data of an keymat_t object.
49 */
50 struct private_keymat_v1_t {
51
52 /**
53 * Public keymat_v1_t interface.
54 */
55 keymat_v1_t public;
56
57 /**
58 * IKE_SA Role, initiator or responder
59 */
60 bool initiator;
61
62 /**
63 * General purpose PRF
64 */
65 prf_t *prf;
66
67 /**
68 * PRF to create Phase 1 HASH payloads
69 */
70 prf_t *prf_auth;
71
72 /**
73 * Crypter wrapped in an aead_t interface
74 */
75 aead_t *aead;
76
77 /**
78 * Hasher used for IV generation (and other things like e.g. NAT-T)
79 */
80 hasher_t *hasher;
81
82 /**
83 * Key used for authentication during main mode
84 */
85 chunk_t skeyid;
86
87 /**
88 * Key to derive key material from for non-ISAKMP SAs, rekeying
89 */
90 chunk_t skeyid_d;
91
92 /**
93 * Key used for authentication after main mode
94 */
95 chunk_t skeyid_a;
96
97 /**
98 * Phase 1 IV
99 */
100 iv_data_t phase1_iv;
101
102 /**
103 * Keep track of IVs for exchanges after phase 1. We store only a limited
104 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
105 */
106 linked_list_t *ivs;
107
108 /**
109 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
110 * of QMs are tracked at the same time. Stores qm_data_t objects.
111 */
112 linked_list_t *qms;
113 };
114
115
116 /**
117 * Destroy an iv_data_t object.
118 */
119 static void iv_data_destroy(iv_data_t *this)
120 {
121 chunk_free(&this->last_block);
122 chunk_free(&this->iv);
123 free(this);
124 }
125
126 /**
127 * Data stored for Quick Mode exchanges
128 */
129 typedef struct {
130 /** message ID */
131 u_int32_t mid;
132 /** Ni_b (Nonce from first message) */
133 chunk_t n_i;
134 /** Nr_b (Nonce from second message) */
135 chunk_t n_r;
136 } qm_data_t;
137
138 /**
139 * Destroy a qm_data_t object.
140 */
141 static void qm_data_destroy(qm_data_t *this)
142 {
143 chunk_free(&this->n_i);
144 chunk_free(&this->n_r);
145 free(this);
146 }
147
148 /**
149 * Constants used in key derivation.
150 */
151 static const chunk_t octet_0 = chunk_from_chars(0x00);
152 static const chunk_t octet_1 = chunk_from_chars(0x01);
153 static const chunk_t octet_2 = chunk_from_chars(0x02);
154
155 /**
156 * Simple aead_t implementation without support for authentication.
157 */
158 typedef struct {
159 /** implements aead_t interface */
160 aead_t aead;
161 /** crypter to be used */
162 crypter_t *crypter;
163 } private_aead_t;
164
165
166 METHOD(aead_t, encrypt, bool,
167 private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
168 chunk_t *encrypted)
169 {
170 return this->crypter->encrypt(this->crypter, plain, iv, encrypted);
171 }
172
173 METHOD(aead_t, decrypt, bool,
174 private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
175 chunk_t *plain)
176 {
177 return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
178 }
179
180 METHOD(aead_t, get_block_size, size_t,
181 private_aead_t *this)
182 {
183 return this->crypter->get_block_size(this->crypter);
184 }
185
186 METHOD(aead_t, get_icv_size, size_t,
187 private_aead_t *this)
188 {
189 return 0;
190 }
191
192 METHOD(aead_t, get_iv_size, size_t,
193 private_aead_t *this)
194 {
195 /* in order to create the messages properly we return 0 here */
196 return 0;
197 }
198
199 METHOD(aead_t, get_iv_gen, iv_gen_t*,
200 private_aead_t *this)
201 {
202 /* IVs are retrieved via keymat_v1.get_iv() */
203 return NULL;
204 }
205
206 METHOD(aead_t, get_key_size, size_t,
207 private_aead_t *this)
208 {
209 return this->crypter->get_key_size(this->crypter);
210 }
211
212 METHOD(aead_t, set_key, bool,
213 private_aead_t *this, chunk_t key)
214 {
215 return this->crypter->set_key(this->crypter, key);
216 }
217
218 METHOD(aead_t, aead_destroy, void,
219 private_aead_t *this)
220 {
221 this->crypter->destroy(this->crypter);
222 free(this);
223 }
224
225 /**
226 * Expand SKEYID_e according to Appendix B in RFC 2409.
227 * TODO-IKEv1: verify keys (e.g. for weak keys, see Appendix B)
228 */
229 static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
230 chunk_t *ka)
231 {
232 size_t block_size;
233 chunk_t seed;
234 int i;
235
236 if (skeyid_e.len >= key_size)
237 { /* no expansion required, reduce to key_size */
238 skeyid_e.len = key_size;
239 *ka = skeyid_e;
240 return TRUE;
241 }
242 block_size = prf->get_block_size(prf);
243 *ka = chunk_alloc((key_size / block_size + 1) * block_size);
244 ka->len = key_size;
245
246 /* Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1) ... */
247 if (!prf->set_key(prf, skeyid_e))
248 {
249 chunk_clear(ka);
250 chunk_clear(&skeyid_e);
251 return FALSE;
252 }
253 seed = octet_0;
254 for (i = 0; i < key_size; i += block_size)
255 {
256 if (!prf->get_bytes(prf, seed, ka->ptr + i))
257 {
258 chunk_clear(ka);
259 chunk_clear(&skeyid_e);
260 return FALSE;
261 }
262 seed = chunk_create(ka->ptr + i, block_size);
263 }
264 chunk_clear(&skeyid_e);
265 return TRUE;
266 }
267
268 /**
269 * Create a simple implementation of the aead_t interface which only encrypts
270 * or decrypts data.
271 */
272 static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
273 {
274 private_aead_t *this;
275 u_int16_t alg, key_size;
276 crypter_t *crypter;
277 chunk_t ka;
278
279 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg,
280 &key_size))
281 {
282 DBG1(DBG_IKE, "no %N selected",
283 transform_type_names, ENCRYPTION_ALGORITHM);
284 return NULL;
285 }
286 crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
287 if (!crypter)
288 {
289 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
290 transform_type_names, ENCRYPTION_ALGORITHM,
291 encryption_algorithm_names, alg, key_size);
292 return NULL;
293 }
294 key_size = crypter->get_key_size(crypter);
295 if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, &ka))
296 {
297 return NULL;
298 }
299 DBG4(DBG_IKE, "encryption key Ka %B", &ka);
300 if (!crypter->set_key(crypter, ka))
301 {
302 chunk_clear(&ka);
303 return NULL;
304 }
305 chunk_clear(&ka);
306
307 INIT(this,
308 .aead = {
309 .encrypt = _encrypt,
310 .decrypt = _decrypt,
311 .get_block_size = _get_block_size,
312 .get_icv_size = _get_icv_size,
313 .get_iv_size = _get_iv_size,
314 .get_iv_gen = _get_iv_gen,
315 .get_key_size = _get_key_size,
316 .set_key = _set_key,
317 .destroy = _aead_destroy,
318 },
319 .crypter = crypter,
320 );
321 return &this->aead;
322 }
323
324 /**
325 * Converts integrity algorithm to PRF algorithm
326 */
327 static u_int16_t auth_to_prf(u_int16_t alg)
328 {
329 switch (alg)
330 {
331 case AUTH_HMAC_SHA1_96:
332 return PRF_HMAC_SHA1;
333 case AUTH_HMAC_SHA2_256_128:
334 return PRF_HMAC_SHA2_256;
335 case AUTH_HMAC_SHA2_384_192:
336 return PRF_HMAC_SHA2_384;
337 case AUTH_HMAC_SHA2_512_256:
338 return PRF_HMAC_SHA2_512;
339 case AUTH_HMAC_MD5_96:
340 return PRF_HMAC_MD5;
341 case AUTH_AES_XCBC_96:
342 return PRF_AES128_XCBC;
343 default:
344 return PRF_UNDEFINED;
345 }
346 }
347
348 /**
349 * Converts integrity algorithm to hash algorithm
350 */
351 static u_int16_t auth_to_hash(u_int16_t alg)
352 {
353 switch (alg)
354 {
355 case AUTH_HMAC_SHA1_96:
356 return HASH_SHA1;
357 case AUTH_HMAC_SHA2_256_128:
358 return HASH_SHA256;
359 case AUTH_HMAC_SHA2_384_192:
360 return HASH_SHA384;
361 case AUTH_HMAC_SHA2_512_256:
362 return HASH_SHA512;
363 case AUTH_HMAC_MD5_96:
364 return HASH_MD5;
365 default:
366 return HASH_UNKNOWN;
367 }
368 }
369
370 /**
371 * Adjust the key length for PRF algorithms that expect a fixed key length.
372 */
373 static void adjust_keylen(u_int16_t alg, chunk_t *key)
374 {
375 switch (alg)
376 {
377 case PRF_AES128_XCBC:
378 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
379 * not and therefore fixed key semantics apply to XCBC for key
380 * derivation. */
381 key->len = min(key->len, 16);
382 break;
383 default:
384 /* all other algorithms use variable key length */
385 break;
386 }
387 }
388
389 METHOD(keymat_v1_t, derive_ike_keys, bool,
390 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
391 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
392 auth_method_t auth, shared_key_t *shared_key)
393 {
394 chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
395 chunk_t skeyid;
396 u_int16_t alg;
397
398 spi_i = chunk_alloca(sizeof(u_int64_t));
399 spi_r = chunk_alloca(sizeof(u_int64_t));
400
401 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
402 { /* no PRF negotiated, use HMAC version of integrity algorithm instead */
403 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)
404 || (alg = auth_to_prf(alg)) == PRF_UNDEFINED)
405 {
406 DBG1(DBG_IKE, "no %N selected",
407 transform_type_names, PSEUDO_RANDOM_FUNCTION);
408 return FALSE;
409 }
410 }
411 this->prf = lib->crypto->create_prf(lib->crypto, alg);
412 if (!this->prf)
413 {
414 DBG1(DBG_IKE, "%N %N not supported!",
415 transform_type_names, PSEUDO_RANDOM_FUNCTION,
416 pseudo_random_function_names, alg);
417 return FALSE;
418 }
419 if (this->prf->get_block_size(this->prf) <
420 this->prf->get_key_size(this->prf))
421 { /* TODO-IKEv1: support PRF output expansion (RFC 2409, Appendix B) */
422 DBG1(DBG_IKE, "expansion of %N %N output not supported!",
423 transform_type_names, PSEUDO_RANDOM_FUNCTION,
424 pseudo_random_function_names, alg);
425 return FALSE;
426 }
427
428 if (dh->get_shared_secret(dh, &g_xy) != SUCCESS)
429 {
430 return FALSE;
431 }
432 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy);
433
434 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
435 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
436 nonces = chunk_cata("cc", nonce_i, nonce_r);
437
438 switch (auth)
439 {
440 case AUTH_PSK:
441 case AUTH_XAUTH_INIT_PSK:
442 case AUTH_XAUTH_RESP_PSK:
443 { /* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */
444 chunk_t psk;
445 if (!shared_key)
446 {
447 chunk_clear(&g_xy);
448 return FALSE;
449 }
450 psk = shared_key->get_key(shared_key);
451 adjust_keylen(alg, &psk);
452 if (!this->prf->set_key(this->prf, psk) ||
453 !this->prf->allocate_bytes(this->prf, nonces, &skeyid))
454 {
455 chunk_clear(&g_xy);
456 return FALSE;
457 }
458 break;
459 }
460 case AUTH_RSA:
461 case AUTH_ECDSA_256:
462 case AUTH_ECDSA_384:
463 case AUTH_ECDSA_521:
464 case AUTH_XAUTH_INIT_RSA:
465 case AUTH_XAUTH_RESP_RSA:
466 case AUTH_HYBRID_INIT_RSA:
467 case AUTH_HYBRID_RESP_RSA:
468 {
469 if (!this->prf->set_key(this->prf, nonces) ||
470 !this->prf->allocate_bytes(this->prf, g_xy, &skeyid))
471 {
472 chunk_clear(&g_xy);
473 return FALSE;
474 }
475 break;
476 }
477 default:
478 /* TODO-IKEv1: implement key derivation for other schemes */
479 /* authentication class not supported */
480 chunk_clear(&g_xy);
481 return FALSE;
482 }
483 adjust_keylen(alg, &skeyid);
484 DBG4(DBG_IKE, "SKEYID %B", &skeyid);
485
486 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
487 data = chunk_cat("cccc", g_xy, spi_i, spi_r, octet_0);
488 if (!this->prf->set_key(this->prf, skeyid) ||
489 !this->prf->allocate_bytes(this->prf, data, &this->skeyid_d))
490 {
491 chunk_clear(&g_xy);
492 chunk_clear(&data);
493 return FALSE;
494 }
495 chunk_clear(&data);
496 DBG4(DBG_IKE, "SKEYID_d %B", &this->skeyid_d);
497
498 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
499 data = chunk_cat("ccccc", this->skeyid_d, g_xy, spi_i, spi_r, octet_1);
500 if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_a))
501 {
502 chunk_clear(&g_xy);
503 chunk_clear(&data);
504 return FALSE;
505 }
506 chunk_clear(&data);
507 DBG4(DBG_IKE, "SKEYID_a %B", &this->skeyid_a);
508
509 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
510 data = chunk_cat("ccccc", this->skeyid_a, g_xy, spi_i, spi_r, octet_2);
511 if (!this->prf->allocate_bytes(this->prf, data, &skeyid_e))
512 {
513 chunk_clear(&g_xy);
514 chunk_clear(&data);
515 return FALSE;
516 }
517 chunk_clear(&data);
518 DBG4(DBG_IKE, "SKEYID_e %B", &skeyid_e);
519
520 chunk_clear(&g_xy);
521
522 switch (auth)
523 {
524 case AUTH_ECDSA_256:
525 alg = PRF_HMAC_SHA2_256;
526 break;
527 case AUTH_ECDSA_384:
528 alg = PRF_HMAC_SHA2_384;
529 break;
530 case AUTH_ECDSA_521:
531 alg = PRF_HMAC_SHA2_512;
532 break;
533 default:
534 /* use proposal algorithm */
535 break;
536 }
537 this->prf_auth = lib->crypto->create_prf(lib->crypto, alg);
538 if (!this->prf_auth)
539 {
540 DBG1(DBG_IKE, "%N %N not supported!",
541 transform_type_names, PSEUDO_RANDOM_FUNCTION,
542 pseudo_random_function_names, alg);
543 chunk_clear(&skeyid);
544 return FALSE;
545 }
546 if (!this->prf_auth->set_key(this->prf_auth, skeyid))
547 {
548 chunk_clear(&skeyid);
549 return FALSE;
550 }
551 chunk_clear(&skeyid);
552
553 this->aead = create_aead(proposal, this->prf, skeyid_e);
554 if (!this->aead)
555 {
556 return FALSE;
557 }
558 if (!this->hasher && !this->public.create_hasher(&this->public, proposal))
559 {
560 return FALSE;
561 }
562
563 dh->get_my_public_value(dh, &dh_me);
564 g_xi = this->initiator ? dh_me : dh_other;
565 g_xr = this->initiator ? dh_other : dh_me;
566
567 /* initial IV = hash(g^xi | g^xr) */
568 data = chunk_cata("cc", g_xi, g_xr);
569 chunk_free(&dh_me);
570 if (!this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv))
571 {
572 return FALSE;
573 }
574 if (this->phase1_iv.iv.len > this->aead->get_block_size(this->aead))
575 {
576 this->phase1_iv.iv.len = this->aead->get_block_size(this->aead);
577 }
578 DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
579
580 return TRUE;
581 }
582
583 METHOD(keymat_v1_t, derive_child_keys, bool,
584 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
585 u_int32_t spi_i, u_int32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
586 chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r)
587 {
588 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
589 u_int8_t protocol;
590 prf_plus_t *prf_plus;
591 chunk_t seed, secret = chunk_empty;
592 bool success = FALSE;
593
594 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
595 &enc_alg, &enc_size))
596 {
597 DBG2(DBG_CHD, " using %N for encryption",
598 encryption_algorithm_names, enc_alg);
599
600 if (!enc_size)
601 {
602 enc_size = keymat_get_keylen_encr(enc_alg);
603 }
604 if (enc_alg != ENCR_NULL && !enc_size)
605 {
606 DBG1(DBG_CHD, "no keylength defined for %N",
607 encryption_algorithm_names, enc_alg);
608 return FALSE;
609 }
610 /* to bytes */
611 enc_size /= 8;
612
613 /* CCM/GCM/CTR/GMAC needs additional bytes */
614 switch (enc_alg)
615 {
616 case ENCR_AES_CCM_ICV8:
617 case ENCR_AES_CCM_ICV12:
618 case ENCR_AES_CCM_ICV16:
619 case ENCR_CAMELLIA_CCM_ICV8:
620 case ENCR_CAMELLIA_CCM_ICV12:
621 case ENCR_CAMELLIA_CCM_ICV16:
622 enc_size += 3;
623 break;
624 case ENCR_AES_GCM_ICV8:
625 case ENCR_AES_GCM_ICV12:
626 case ENCR_AES_GCM_ICV16:
627 case ENCR_AES_CTR:
628 case ENCR_NULL_AUTH_AES_GMAC:
629 enc_size += 4;
630 break;
631 default:
632 break;
633 }
634 }
635
636 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
637 &int_alg, &int_size))
638 {
639 DBG2(DBG_CHD, " using %N for integrity",
640 integrity_algorithm_names, int_alg);
641
642 if (!int_size)
643 {
644 int_size = keymat_get_keylen_integ(int_alg);
645 }
646 if (!int_size)
647 {
648 DBG1(DBG_CHD, "no keylength defined for %N",
649 integrity_algorithm_names, int_alg);
650 return FALSE;
651 }
652 /* to bytes */
653 int_size /= 8;
654 }
655
656 /* KEYMAT = prf+(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b) */
657 if (!this->prf->set_key(this->prf, this->skeyid_d))
658 {
659 return FALSE;
660 }
661 protocol = proposal->get_protocol(proposal);
662 if (dh)
663 {
664 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
665 {
666 return FALSE;
667 }
668 DBG4(DBG_CHD, "DH secret %B", &secret);
669 }
670
671 *encr_r = *integ_r = *encr_i = *integ_i = chunk_empty;
672 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
673 chunk_from_thing(spi_r), nonce_i, nonce_r);
674 DBG4(DBG_CHD, "initiator SA seed %B", &seed);
675
676 prf_plus = prf_plus_create(this->prf, FALSE, seed);
677 if (!prf_plus ||
678 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
679 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i))
680 {
681 goto failure;
682 }
683
684 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
685 chunk_from_thing(spi_i), nonce_i, nonce_r);
686 DBG4(DBG_CHD, "responder SA seed %B", &seed);
687 prf_plus->destroy(prf_plus);
688 prf_plus = prf_plus_create(this->prf, FALSE, seed);
689 if (!prf_plus ||
690 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
691 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
692 {
693 goto failure;
694 }
695
696 if (enc_size)
697 {
698 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
699 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
700 }
701 if (int_size)
702 {
703 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
704 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
705 }
706 success = TRUE;
707
708 failure:
709 if (!success)
710 {
711 chunk_clear(encr_i);
712 chunk_clear(integ_i);
713 chunk_clear(encr_r);
714 chunk_clear(integ_r);
715 }
716 DESTROY_IF(prf_plus);
717 chunk_clear(&secret);
718
719 return success;
720 }
721
722 METHOD(keymat_v1_t, create_hasher, bool,
723 private_keymat_v1_t *this, proposal_t *proposal)
724 {
725 u_int16_t alg;
726 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) ||
727 (alg = auth_to_hash(alg)) == HASH_UNKNOWN)
728 {
729 DBG1(DBG_IKE, "no %N selected", transform_type_names, HASH_ALGORITHM);
730 return FALSE;
731 }
732 this->hasher = lib->crypto->create_hasher(lib->crypto, alg);
733 if (!this->hasher)
734 {
735 DBG1(DBG_IKE, "%N %N not supported!",
736 transform_type_names, HASH_ALGORITHM,
737 hash_algorithm_names, alg);
738 return FALSE;
739 }
740 return TRUE;
741 }
742
743 METHOD(keymat_v1_t, get_hasher, hasher_t*,
744 private_keymat_v1_t *this)
745 {
746 return this->hasher;
747 }
748
749 METHOD(keymat_v1_t, get_hash, bool,
750 private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
751 ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash)
752 {
753 chunk_t data;
754 u_int64_t spi, spi_other;
755
756 /* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
757 * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
758 */
759 if (initiator)
760 {
761 spi = ike_sa_id->get_initiator_spi(ike_sa_id);
762 spi_other = ike_sa_id->get_responder_spi(ike_sa_id);
763 }
764 else
765 {
766 spi_other = ike_sa_id->get_initiator_spi(ike_sa_id);
767 spi = ike_sa_id->get_responder_spi(ike_sa_id);
768 }
769 data = chunk_cat("cccccc", dh, dh_other,
770 chunk_from_thing(spi), chunk_from_thing(spi_other),
771 sa_i, id);
772
773 DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data);
774
775 if (!this->prf_auth->allocate_bytes(this->prf_auth, data, hash))
776 {
777 free(data.ptr);
778 return FALSE;
779 }
780
781 DBG3(DBG_IKE, "HASH_%c %B", initiator ? 'I' : 'R', hash);
782
783 free(data.ptr);
784 return TRUE;
785 }
786
787 /**
788 * Get the nonce value found in the given message.
789 * Returns FALSE if none is found.
790 */
791 static bool get_nonce(message_t *message, chunk_t *n)
792 {
793 nonce_payload_t *nonce;
794 nonce = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
795 if (nonce)
796 {
797 *n = nonce->get_nonce(nonce);
798 return TRUE;
799 }
800 return FALSE;
801 }
802
803 /**
804 * Generate the message data in order to generate the hashes.
805 */
806 static chunk_t get_message_data(message_t *message, generator_t *generator)
807 {
808 payload_t *payload, *next;
809 enumerator_t *enumerator;
810 u_int32_t *lenpos;
811
812 if (message->is_encoded(message))
813 { /* inbound, although the message is generated, we cannot access the
814 * cleartext message data, so generate it anyway */
815 enumerator = message->create_payload_enumerator(message);
816 while (enumerator->enumerate(enumerator, &payload))
817 {
818 if (payload->get_type(payload) == PLV1_HASH)
819 {
820 continue;
821 }
822 generator->generate_payload(generator, payload);
823 }
824 enumerator->destroy(enumerator);
825 }
826 else
827 {
828 /* outbound, generate the payloads (there is no HASH payload yet) */
829 enumerator = message->create_payload_enumerator(message);
830 if (enumerator->enumerate(enumerator, &payload))
831 {
832 while (enumerator->enumerate(enumerator, &next))
833 {
834 payload->set_next_type(payload, next->get_type(next));
835 generator->generate_payload(generator, payload);
836 payload = next;
837 }
838 payload->set_next_type(payload, PL_NONE);
839 generator->generate_payload(generator, payload);
840 }
841 enumerator->destroy(enumerator);
842 }
843 return generator->get_chunk(generator, &lenpos);
844 }
845
846 /**
847 * Try to find data about a Quick Mode with the given message ID,
848 * if none is found, state is generated.
849 */
850 static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid)
851 {
852 enumerator_t *enumerator;
853 qm_data_t *qm, *found = NULL;
854
855 enumerator = this->qms->create_enumerator(this->qms);
856 while (enumerator->enumerate(enumerator, &qm))
857 {
858 if (qm->mid == mid)
859 { /* state gets moved to the front of the list */
860 this->qms->remove_at(this->qms, enumerator);
861 found = qm;
862 break;
863 }
864 }
865 enumerator->destroy(enumerator);
866 if (!found)
867 {
868 INIT(found,
869 .mid = mid,
870 );
871 }
872 this->qms->insert_first(this->qms, found);
873 /* remove least recently used state if maximum reached */
874 if (this->qms->get_count(this->qms) > MAX_QM &&
875 this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
876 {
877 qm_data_destroy(qm);
878 }
879 return found;
880 }
881
882 METHOD(keymat_v1_t, get_hash_phase2, bool,
883 private_keymat_v1_t *this, message_t *message, chunk_t *hash)
884 {
885 u_int32_t mid, mid_n;
886 chunk_t data = chunk_empty;
887 bool add_message = TRUE;
888 char *name = "Hash";
889
890 if (!this->prf)
891 { /* no keys derived yet */
892 return FALSE;
893 }
894
895 mid = message->get_message_id(message);
896 mid_n = htonl(mid);
897
898 /* Hashes are simple for most exchanges in Phase 2:
899 * Hash = prf(SKEYID_a, M-ID | Complete message after HASH payload)
900 * For Quick Mode there are three hashes:
901 * Hash(1) = same as above
902 * Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH payload)
903 * Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
904 * So, for Quick Mode we keep track of the nonce values.
905 */
906 switch (message->get_exchange_type(message))
907 {
908 case QUICK_MODE:
909 {
910 qm_data_t *qm = lookup_quick_mode(this, mid);
911 if (!qm->n_i.ptr)
912 { /* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
913 name = "Hash(1)";
914 if (!get_nonce(message, &qm->n_i))
915 {
916 return FALSE;
917 }
918 data = chunk_from_thing(mid_n);
919 }
920 else if (!qm->n_r.ptr)
921 { /* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
922 name = "Hash(2)";
923 if (!get_nonce(message, &qm->n_r))
924 {
925 return FALSE;
926 }
927 data = chunk_cata("cc", chunk_from_thing(mid_n), qm->n_i);
928 }
929 else
930 { /* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
931 name = "Hash(3)";
932 data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
933 qm->n_i, qm->n_r);
934 add_message = FALSE;
935 /* we don't need the state anymore */
936 this->qms->remove(this->qms, qm, NULL);
937 qm_data_destroy(qm);
938 }
939 break;
940 }
941 case TRANSACTION:
942 case INFORMATIONAL_V1:
943 /* Hash = prf(SKEYID_a, M-ID | Message after HASH payload) */
944 data = chunk_from_thing(mid_n);
945 break;
946 default:
947 return FALSE;
948 }
949 if (!this->prf->set_key(this->prf, this->skeyid_a))
950 {
951 return FALSE;
952 }
953 if (add_message)
954 {
955 generator_t *generator;
956 chunk_t msg;
957
958 generator = generator_create_no_dbg();
959 msg = get_message_data(message, generator);
960 if (!this->prf->allocate_bytes(this->prf, data, NULL) ||
961 !this->prf->allocate_bytes(this->prf, msg, hash))
962 {
963 generator->destroy(generator);
964 return FALSE;
965 }
966 generator->destroy(generator);
967 }
968 else
969 {
970 if (!this->prf->allocate_bytes(this->prf, data, hash))
971 {
972 return FALSE;
973 }
974 }
975 DBG3(DBG_IKE, "%s %B", name, hash);
976 return TRUE;
977 }
978
979 /**
980 * Generate an IV
981 */
982 static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
983 {
984 if (iv->mid == 0 || iv->iv.ptr)
985 { /* use last block of previous encrypted message */
986 chunk_free(&iv->iv);
987 iv->iv = iv->last_block;
988 iv->last_block = chunk_empty;
989 }
990 else
991 {
992 /* initial phase 2 IV = hash(last_phase1_block | mid) */
993 u_int32_t net;;
994 chunk_t data;
995
996 net = htonl(iv->mid);
997 data = chunk_cata("cc", this->phase1_iv.iv, chunk_from_thing(net));
998 if (!this->hasher->allocate_hash(this->hasher, data, &iv->iv))
999 {
1000 return FALSE;
1001 }
1002 if (iv->iv.len > this->aead->get_block_size(this->aead))
1003 {
1004 iv->iv.len = this->aead->get_block_size(this->aead);
1005 }
1006 }
1007 DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
1008 return TRUE;
1009 }
1010
1011 /**
1012 * Try to find an IV for the given message ID, if not found, generate it.
1013 */
1014 static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid)
1015 {
1016 enumerator_t *enumerator;
1017 iv_data_t *iv, *found = NULL;
1018
1019 if (mid == 0)
1020 {
1021 return &this->phase1_iv;
1022 }
1023
1024 enumerator = this->ivs->create_enumerator(this->ivs);
1025 while (enumerator->enumerate(enumerator, &iv))
1026 {
1027 if (iv->mid == mid)
1028 { /* IV gets moved to the front of the list */
1029 this->ivs->remove_at(this->ivs, enumerator);
1030 found = iv;
1031 break;
1032 }
1033 }
1034 enumerator->destroy(enumerator);
1035 if (!found)
1036 {
1037 INIT(found,
1038 .mid = mid,
1039 );
1040 if (!generate_iv(this, found))
1041 {
1042 iv_data_destroy(found);
1043 return NULL;
1044 }
1045 }
1046 this->ivs->insert_first(this->ivs, found);
1047 /* remove least recently used IV if maximum reached */
1048 if (this->ivs->get_count(this->ivs) > MAX_IV &&
1049 this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
1050 {
1051 iv_data_destroy(iv);
1052 }
1053 return found;
1054 }
1055
1056 METHOD(keymat_v1_t, get_iv, bool,
1057 private_keymat_v1_t *this, u_int32_t mid, chunk_t *out)
1058 {
1059 iv_data_t *iv;
1060
1061 iv = lookup_iv(this, mid);
1062 if (iv)
1063 {
1064 *out = iv->iv;
1065 return TRUE;
1066 }
1067 return FALSE;
1068 }
1069
1070 METHOD(keymat_v1_t, update_iv, bool,
1071 private_keymat_v1_t *this, u_int32_t mid, chunk_t last_block)
1072 {
1073 iv_data_t *iv = lookup_iv(this, mid);
1074 if (iv)
1075 { /* update last block */
1076 chunk_free(&iv->last_block);
1077 iv->last_block = chunk_clone(last_block);
1078 return TRUE;
1079 }
1080 return FALSE;
1081 }
1082
1083 METHOD(keymat_v1_t, confirm_iv, bool,
1084 private_keymat_v1_t *this, u_int32_t mid)
1085 {
1086 iv_data_t *iv = lookup_iv(this, mid);
1087 if (iv)
1088 {
1089 return generate_iv(this, iv);
1090 }
1091 return FALSE;
1092 }
1093
1094 METHOD(keymat_t, get_version, ike_version_t,
1095 private_keymat_v1_t *this)
1096 {
1097 return IKEV1;
1098 }
1099
1100 METHOD(keymat_t, create_dh, diffie_hellman_t*,
1101 private_keymat_v1_t *this, diffie_hellman_group_t group)
1102 {
1103 return lib->crypto->create_dh(lib->crypto, group);
1104 }
1105
1106 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
1107 private_keymat_v1_t *this)
1108 {
1109 return lib->crypto->create_nonce_gen(lib->crypto);
1110 }
1111
1112 METHOD(keymat_t, get_aead, aead_t*,
1113 private_keymat_v1_t *this, bool in)
1114 {
1115 return this->aead;
1116 }
1117
1118 METHOD(keymat_t, destroy, void,
1119 private_keymat_v1_t *this)
1120 {
1121 DESTROY_IF(this->prf);
1122 DESTROY_IF(this->prf_auth);
1123 DESTROY_IF(this->aead);
1124 DESTROY_IF(this->hasher);
1125 chunk_clear(&this->skeyid_d);
1126 chunk_clear(&this->skeyid_a);
1127 chunk_free(&this->phase1_iv.iv);
1128 chunk_free(&this->phase1_iv.last_block);
1129 this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
1130 this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
1131 free(this);
1132 }
1133
1134 /**
1135 * See header
1136 */
1137 keymat_v1_t *keymat_v1_create(bool initiator)
1138 {
1139 private_keymat_v1_t *this;
1140
1141 INIT(this,
1142 .public = {
1143 .keymat = {
1144 .get_version = _get_version,
1145 .create_dh = _create_dh,
1146 .create_nonce_gen = _create_nonce_gen,
1147 .get_aead = _get_aead,
1148 .destroy = _destroy,
1149 },
1150 .derive_ike_keys = _derive_ike_keys,
1151 .derive_child_keys = _derive_child_keys,
1152 .create_hasher = _create_hasher,
1153 .get_hasher = _get_hasher,
1154 .get_hash = _get_hash,
1155 .get_hash_phase2 = _get_hash_phase2,
1156 .get_iv = _get_iv,
1157 .update_iv = _update_iv,
1158 .confirm_iv = _confirm_iv,
1159 },
1160 .ivs = linked_list_create(),
1161 .qms = linked_list_create(),
1162 .initiator = initiator,
1163 );
1164
1165 return &this->public;
1166 }