Merge branch 'build-certs'
[strongswan.git] / src / libcharon / sa / ikev1 / keymat_v1.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v1.h"
17
18 #include <daemon.h>
19 #include <sa/ikev1/iv_manager.h>
20 #include <encoding/generator.h>
21 #include <encoding/payloads/nonce_payload.h>
22
23 typedef struct private_keymat_v1_t private_keymat_v1_t;
24
25 /**
26 * Private data of an keymat_t object.
27 */
28 struct private_keymat_v1_t {
29
30 /**
31 * Public keymat_v1_t interface.
32 */
33 keymat_v1_t public;
34
35 /**
36 * IKE_SA Role, initiator or responder
37 */
38 bool initiator;
39
40 /**
41 * General purpose PRF
42 */
43 prf_t *prf;
44
45 /**
46 * PRF to create Phase 1 HASH payloads
47 */
48 prf_t *prf_auth;
49
50 /**
51 * Crypter wrapped in an aead_t interface
52 */
53 aead_t *aead;
54
55 /**
56 * Hasher used for IV generation (and other things like e.g. NAT-T)
57 */
58 hasher_t *hasher;
59
60 /**
61 * Key to derive key material from for non-ISAKMP SAs, rekeying
62 */
63 chunk_t skeyid_d;
64
65 /**
66 * Key used for authentication after main mode
67 */
68 chunk_t skeyid_a;
69
70 /**
71 * IV and QM manager
72 */
73 iv_manager_t *iv_manager;
74 };
75
76 /**
77 * Constants used in key derivation.
78 */
79 static const chunk_t octet_0 = chunk_from_chars(0x00);
80 static const chunk_t octet_1 = chunk_from_chars(0x01);
81 static const chunk_t octet_2 = chunk_from_chars(0x02);
82
83 /**
84 * Simple aead_t implementation without support for authentication.
85 */
86 typedef struct {
87 /** implements aead_t interface */
88 aead_t aead;
89 /** crypter to be used */
90 crypter_t *crypter;
91 } private_aead_t;
92
93
94 METHOD(aead_t, encrypt, bool,
95 private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
96 chunk_t *encrypted)
97 {
98 return this->crypter->encrypt(this->crypter, plain, iv, encrypted);
99 }
100
101 METHOD(aead_t, decrypt, bool,
102 private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
103 chunk_t *plain)
104 {
105 return this->crypter->decrypt(this->crypter, encrypted, iv, plain);
106 }
107
108 METHOD(aead_t, get_block_size, size_t,
109 private_aead_t *this)
110 {
111 return this->crypter->get_block_size(this->crypter);
112 }
113
114 METHOD(aead_t, get_icv_size, size_t,
115 private_aead_t *this)
116 {
117 return 0;
118 }
119
120 METHOD(aead_t, get_iv_size, size_t,
121 private_aead_t *this)
122 {
123 /* in order to create the messages properly we return 0 here */
124 return 0;
125 }
126
127 METHOD(aead_t, get_iv_gen, iv_gen_t*,
128 private_aead_t *this)
129 {
130 /* IVs are retrieved via keymat_v1.get_iv() */
131 return NULL;
132 }
133
134 METHOD(aead_t, get_key_size, size_t,
135 private_aead_t *this)
136 {
137 return this->crypter->get_key_size(this->crypter);
138 }
139
140 METHOD(aead_t, set_key, bool,
141 private_aead_t *this, chunk_t key)
142 {
143 return this->crypter->set_key(this->crypter, key);
144 }
145
146 METHOD(aead_t, aead_destroy, void,
147 private_aead_t *this)
148 {
149 this->crypter->destroy(this->crypter);
150 free(this);
151 }
152
153 /**
154 * Expand SKEYID_e according to Appendix B in RFC 2409.
155 * TODO-IKEv1: verify keys (e.g. for weak keys, see Appendix B)
156 */
157 static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
158 chunk_t *ka)
159 {
160 size_t block_size;
161 chunk_t seed;
162 int i;
163
164 if (skeyid_e.len >= key_size)
165 { /* no expansion required, reduce to key_size */
166 skeyid_e.len = key_size;
167 *ka = skeyid_e;
168 return TRUE;
169 }
170 block_size = prf->get_block_size(prf);
171 *ka = chunk_alloc((key_size / block_size + 1) * block_size);
172 ka->len = key_size;
173
174 /* Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1) ... */
175 if (!prf->set_key(prf, skeyid_e))
176 {
177 chunk_clear(ka);
178 chunk_clear(&skeyid_e);
179 return FALSE;
180 }
181 seed = octet_0;
182 for (i = 0; i < key_size; i += block_size)
183 {
184 if (!prf->get_bytes(prf, seed, ka->ptr + i))
185 {
186 chunk_clear(ka);
187 chunk_clear(&skeyid_e);
188 return FALSE;
189 }
190 seed = chunk_create(ka->ptr + i, block_size);
191 }
192 chunk_clear(&skeyid_e);
193 return TRUE;
194 }
195
196 /**
197 * Create a simple implementation of the aead_t interface which only encrypts
198 * or decrypts data.
199 */
200 static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e,
201 chunk_t *ka)
202 {
203 private_aead_t *this;
204 uint16_t alg, key_size;
205 crypter_t *crypter;
206
207 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg,
208 &key_size))
209 {
210 DBG1(DBG_IKE, "no %N selected",
211 transform_type_names, ENCRYPTION_ALGORITHM);
212 return NULL;
213 }
214 crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
215 if (!crypter)
216 {
217 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
218 transform_type_names, ENCRYPTION_ALGORITHM,
219 encryption_algorithm_names, alg, key_size);
220 return NULL;
221 }
222 if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka))
223 {
224 return NULL;
225 }
226 DBG4(DBG_IKE, "encryption key Ka %B", ka);
227 if (!crypter->set_key(crypter, *ka))
228 {
229 chunk_clear(ka);
230 return NULL;
231 }
232
233 INIT(this,
234 .aead = {
235 .encrypt = _encrypt,
236 .decrypt = _decrypt,
237 .get_block_size = _get_block_size,
238 .get_icv_size = _get_icv_size,
239 .get_iv_size = _get_iv_size,
240 .get_iv_gen = _get_iv_gen,
241 .get_key_size = _get_key_size,
242 .set_key = _set_key,
243 .destroy = _aead_destroy,
244 },
245 .crypter = crypter,
246 );
247 return &this->aead;
248 }
249
250 /**
251 * Converts integrity algorithm to PRF algorithm
252 */
253 static uint16_t auth_to_prf(uint16_t alg)
254 {
255 switch (alg)
256 {
257 case AUTH_HMAC_SHA1_96:
258 return PRF_HMAC_SHA1;
259 case AUTH_HMAC_SHA2_256_128:
260 return PRF_HMAC_SHA2_256;
261 case AUTH_HMAC_SHA2_384_192:
262 return PRF_HMAC_SHA2_384;
263 case AUTH_HMAC_SHA2_512_256:
264 return PRF_HMAC_SHA2_512;
265 case AUTH_HMAC_MD5_96:
266 return PRF_HMAC_MD5;
267 case AUTH_AES_XCBC_96:
268 return PRF_AES128_XCBC;
269 default:
270 return PRF_UNDEFINED;
271 }
272 }
273
274 /**
275 * Converts integrity algorithm to hash algorithm
276 */
277 static uint16_t auth_to_hash(uint16_t alg)
278 {
279 switch (alg)
280 {
281 case AUTH_HMAC_SHA1_96:
282 return HASH_SHA1;
283 case AUTH_HMAC_SHA2_256_128:
284 return HASH_SHA256;
285 case AUTH_HMAC_SHA2_384_192:
286 return HASH_SHA384;
287 case AUTH_HMAC_SHA2_512_256:
288 return HASH_SHA512;
289 case AUTH_HMAC_MD5_96:
290 return HASH_MD5;
291 default:
292 return HASH_UNKNOWN;
293 }
294 }
295
296 /**
297 * Adjust the key length for PRF algorithms that expect a fixed key length.
298 */
299 static void adjust_keylen(uint16_t alg, chunk_t *key)
300 {
301 switch (alg)
302 {
303 case PRF_AES128_XCBC:
304 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
305 * not and therefore fixed key semantics apply to XCBC for key
306 * derivation. */
307 key->len = min(key->len, 16);
308 break;
309 default:
310 /* all other algorithms use variable key length */
311 break;
312 }
313 }
314
315 METHOD(keymat_v1_t, derive_ike_keys, bool,
316 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
317 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
318 auth_method_t auth, shared_key_t *shared_key)
319 {
320 chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
321 chunk_t skeyid, ka;
322 uint16_t alg;
323
324 spi_i = chunk_alloca(sizeof(uint64_t));
325 spi_r = chunk_alloca(sizeof(uint64_t));
326
327 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
328 { /* no PRF negotiated, use HMAC version of integrity algorithm instead */
329 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)
330 || (alg = auth_to_prf(alg)) == PRF_UNDEFINED)
331 {
332 DBG1(DBG_IKE, "no %N selected",
333 transform_type_names, PSEUDO_RANDOM_FUNCTION);
334 return FALSE;
335 }
336 }
337 this->prf = lib->crypto->create_prf(lib->crypto, alg);
338 if (!this->prf)
339 {
340 DBG1(DBG_IKE, "%N %N not supported!",
341 transform_type_names, PSEUDO_RANDOM_FUNCTION,
342 pseudo_random_function_names, alg);
343 return FALSE;
344 }
345 if (this->prf->get_block_size(this->prf) <
346 this->prf->get_key_size(this->prf))
347 { /* TODO-IKEv1: support PRF output expansion (RFC 2409, Appendix B) */
348 DBG1(DBG_IKE, "expansion of %N %N output not supported!",
349 transform_type_names, PSEUDO_RANDOM_FUNCTION,
350 pseudo_random_function_names, alg);
351 return FALSE;
352 }
353
354 if (!dh->get_shared_secret(dh, &g_xy))
355 {
356 return FALSE;
357 }
358 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy);
359
360 *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id);
361 *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id);
362 nonces = chunk_cata("cc", nonce_i, nonce_r);
363
364 switch (auth)
365 {
366 case AUTH_PSK:
367 case AUTH_XAUTH_INIT_PSK:
368 case AUTH_XAUTH_RESP_PSK:
369 { /* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */
370 chunk_t psk;
371 if (!shared_key)
372 {
373 chunk_clear(&g_xy);
374 return FALSE;
375 }
376 psk = shared_key->get_key(shared_key);
377 adjust_keylen(alg, &psk);
378 if (!this->prf->set_key(this->prf, psk) ||
379 !this->prf->allocate_bytes(this->prf, nonces, &skeyid))
380 {
381 chunk_clear(&g_xy);
382 return FALSE;
383 }
384 break;
385 }
386 case AUTH_RSA:
387 case AUTH_ECDSA_256:
388 case AUTH_ECDSA_384:
389 case AUTH_ECDSA_521:
390 case AUTH_XAUTH_INIT_RSA:
391 case AUTH_XAUTH_RESP_RSA:
392 case AUTH_HYBRID_INIT_RSA:
393 case AUTH_HYBRID_RESP_RSA:
394 {
395 if (!this->prf->set_key(this->prf, nonces) ||
396 !this->prf->allocate_bytes(this->prf, g_xy, &skeyid))
397 {
398 chunk_clear(&g_xy);
399 return FALSE;
400 }
401 break;
402 }
403 default:
404 /* TODO-IKEv1: implement key derivation for other schemes */
405 /* authentication class not supported */
406 chunk_clear(&g_xy);
407 return FALSE;
408 }
409 adjust_keylen(alg, &skeyid);
410 DBG4(DBG_IKE, "SKEYID %B", &skeyid);
411
412 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
413 data = chunk_cat("cccc", g_xy, spi_i, spi_r, octet_0);
414 if (!this->prf->set_key(this->prf, skeyid) ||
415 !this->prf->allocate_bytes(this->prf, data, &this->skeyid_d))
416 {
417 chunk_clear(&g_xy);
418 chunk_clear(&data);
419 return FALSE;
420 }
421 chunk_clear(&data);
422 DBG4(DBG_IKE, "SKEYID_d %B", &this->skeyid_d);
423
424 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
425 data = chunk_cat("ccccc", this->skeyid_d, g_xy, spi_i, spi_r, octet_1);
426 if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_a))
427 {
428 chunk_clear(&g_xy);
429 chunk_clear(&data);
430 return FALSE;
431 }
432 chunk_clear(&data);
433 DBG4(DBG_IKE, "SKEYID_a %B", &this->skeyid_a);
434
435 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
436 data = chunk_cat("ccccc", this->skeyid_a, g_xy, spi_i, spi_r, octet_2);
437 if (!this->prf->allocate_bytes(this->prf, data, &skeyid_e))
438 {
439 chunk_clear(&g_xy);
440 chunk_clear(&data);
441 return FALSE;
442 }
443 chunk_clear(&data);
444 DBG4(DBG_IKE, "SKEYID_e %B", &skeyid_e);
445
446 chunk_clear(&g_xy);
447
448 switch (auth)
449 {
450 case AUTH_ECDSA_256:
451 alg = PRF_HMAC_SHA2_256;
452 break;
453 case AUTH_ECDSA_384:
454 alg = PRF_HMAC_SHA2_384;
455 break;
456 case AUTH_ECDSA_521:
457 alg = PRF_HMAC_SHA2_512;
458 break;
459 default:
460 /* use proposal algorithm */
461 break;
462 }
463 this->prf_auth = lib->crypto->create_prf(lib->crypto, alg);
464 if (!this->prf_auth)
465 {
466 DBG1(DBG_IKE, "%N %N not supported!",
467 transform_type_names, PSEUDO_RANDOM_FUNCTION,
468 pseudo_random_function_names, alg);
469 chunk_clear(&skeyid);
470 return FALSE;
471 }
472 if (!this->prf_auth->set_key(this->prf_auth, skeyid))
473 {
474 chunk_clear(&skeyid);
475 return FALSE;
476 }
477 chunk_clear(&skeyid);
478
479 this->aead = create_aead(proposal, this->prf, skeyid_e, &ka);
480 if (!this->aead)
481 {
482 return FALSE;
483 }
484 charon->bus->ike_derived_keys(charon->bus, ka, chunk_empty, this->skeyid_a,
485 chunk_empty);
486 chunk_clear(&ka);
487 if (!this->hasher && !this->public.create_hasher(&this->public, proposal))
488 {
489 return FALSE;
490 }
491
492 if (!dh->get_my_public_value(dh, &dh_me))
493 {
494 return FALSE;
495 }
496 g_xi = this->initiator ? dh_me : dh_other;
497 g_xr = this->initiator ? dh_other : dh_me;
498
499 /* initial IV = hash(g^xi | g^xr) */
500 data = chunk_cata("cc", g_xi, g_xr);
501 chunk_free(&dh_me);
502 return this->iv_manager->init_iv_chain(this->iv_manager, data, this->hasher,
503 this->aead->get_block_size(this->aead));
504 }
505
506 METHOD(keymat_v1_t, derive_child_keys, bool,
507 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
508 uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
509 chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r)
510 {
511 uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
512 uint8_t protocol;
513 prf_plus_t *prf_plus;
514 chunk_t seed, secret = chunk_empty;
515 bool success = FALSE;
516
517 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
518 &enc_alg, &enc_size))
519 {
520 DBG2(DBG_CHD, " using %N for encryption",
521 encryption_algorithm_names, enc_alg);
522
523 if (!enc_size)
524 {
525 enc_size = keymat_get_keylen_encr(enc_alg);
526 }
527 if (enc_alg != ENCR_NULL && !enc_size)
528 {
529 DBG1(DBG_CHD, "no keylength defined for %N",
530 encryption_algorithm_names, enc_alg);
531 return FALSE;
532 }
533 /* to bytes */
534 enc_size /= 8;
535
536 /* CCM/GCM/CTR/GMAC needs additional bytes */
537 switch (enc_alg)
538 {
539 case ENCR_AES_CCM_ICV8:
540 case ENCR_AES_CCM_ICV12:
541 case ENCR_AES_CCM_ICV16:
542 case ENCR_CAMELLIA_CCM_ICV8:
543 case ENCR_CAMELLIA_CCM_ICV12:
544 case ENCR_CAMELLIA_CCM_ICV16:
545 enc_size += 3;
546 break;
547 case ENCR_AES_GCM_ICV8:
548 case ENCR_AES_GCM_ICV12:
549 case ENCR_AES_GCM_ICV16:
550 case ENCR_AES_CTR:
551 case ENCR_NULL_AUTH_AES_GMAC:
552 enc_size += 4;
553 break;
554 default:
555 break;
556 }
557 }
558
559 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
560 &int_alg, &int_size))
561 {
562 DBG2(DBG_CHD, " using %N for integrity",
563 integrity_algorithm_names, int_alg);
564
565 if (!int_size)
566 {
567 int_size = keymat_get_keylen_integ(int_alg);
568 }
569 if (!int_size)
570 {
571 DBG1(DBG_CHD, "no keylength defined for %N",
572 integrity_algorithm_names, int_alg);
573 return FALSE;
574 }
575 /* to bytes */
576 int_size /= 8;
577 }
578
579 /* KEYMAT = prf+(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b) */
580 if (!this->prf->set_key(this->prf, this->skeyid_d))
581 {
582 return FALSE;
583 }
584 protocol = proposal->get_protocol(proposal);
585 if (dh)
586 {
587 if (!dh->get_shared_secret(dh, &secret))
588 {
589 return FALSE;
590 }
591 DBG4(DBG_CHD, "DH secret %B", &secret);
592 }
593
594 *encr_r = *integ_r = *encr_i = *integ_i = chunk_empty;
595 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
596 chunk_from_thing(spi_r), nonce_i, nonce_r);
597 DBG4(DBG_CHD, "initiator SA seed %B", &seed);
598
599 prf_plus = prf_plus_create(this->prf, FALSE, seed);
600 if (!prf_plus ||
601 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
602 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i))
603 {
604 goto failure;
605 }
606
607 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
608 chunk_from_thing(spi_i), nonce_i, nonce_r);
609 DBG4(DBG_CHD, "responder SA seed %B", &seed);
610 prf_plus->destroy(prf_plus);
611 prf_plus = prf_plus_create(this->prf, FALSE, seed);
612 if (!prf_plus ||
613 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
614 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
615 {
616 goto failure;
617 }
618
619 if (enc_size)
620 {
621 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
622 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
623 }
624 if (int_size)
625 {
626 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
627 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
628 }
629 success = TRUE;
630
631 failure:
632 if (!success)
633 {
634 chunk_clear(encr_i);
635 chunk_clear(integ_i);
636 chunk_clear(encr_r);
637 chunk_clear(integ_r);
638 }
639 DESTROY_IF(prf_plus);
640 chunk_clear(&secret);
641
642 return success;
643 }
644
645 METHOD(keymat_v1_t, create_hasher, bool,
646 private_keymat_v1_t *this, proposal_t *proposal)
647 {
648 uint16_t alg;
649 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) ||
650 (alg = auth_to_hash(alg)) == HASH_UNKNOWN)
651 {
652 DBG1(DBG_IKE, "no %N selected", transform_type_names, HASH_ALGORITHM);
653 return FALSE;
654 }
655 this->hasher = lib->crypto->create_hasher(lib->crypto, alg);
656 if (!this->hasher)
657 {
658 DBG1(DBG_IKE, "%N %N not supported!",
659 transform_type_names, HASH_ALGORITHM,
660 hash_algorithm_names, alg);
661 return FALSE;
662 }
663 return TRUE;
664 }
665
666 METHOD(keymat_v1_t, get_hasher, hasher_t*,
667 private_keymat_v1_t *this)
668 {
669 return this->hasher;
670 }
671
672 METHOD(keymat_v1_t, get_hash, bool,
673 private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
674 ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash,
675 signature_scheme_t *scheme)
676 {
677 chunk_t data;
678 uint64_t spi, spi_other;
679
680 /* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
681 * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
682 */
683 if (initiator)
684 {
685 spi = ike_sa_id->get_initiator_spi(ike_sa_id);
686 spi_other = ike_sa_id->get_responder_spi(ike_sa_id);
687 }
688 else
689 {
690 spi_other = ike_sa_id->get_initiator_spi(ike_sa_id);
691 spi = ike_sa_id->get_responder_spi(ike_sa_id);
692 }
693 data = chunk_cat("cccccc", dh, dh_other,
694 chunk_from_thing(spi), chunk_from_thing(spi_other),
695 sa_i, id);
696
697 DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data);
698
699 if (!this->prf_auth->allocate_bytes(this->prf_auth, data, hash))
700 {
701 free(data.ptr);
702 return FALSE;
703 }
704
705 DBG3(DBG_IKE, "HASH_%c %B", initiator ? 'I' : 'R', hash);
706
707 free(data.ptr);
708 return TRUE;
709 }
710
711 /**
712 * Get the nonce value found in the given message.
713 * Returns FALSE if none is found.
714 */
715 static bool get_nonce(message_t *message, chunk_t *n)
716 {
717 nonce_payload_t *nonce;
718 nonce = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
719 if (nonce)
720 {
721 *n = nonce->get_nonce(nonce);
722 return TRUE;
723 }
724 return FALSE;
725 }
726
727 /**
728 * Generate the message data in order to generate the hashes.
729 */
730 static chunk_t get_message_data(message_t *message, generator_t *generator)
731 {
732 payload_t *payload, *next;
733 enumerator_t *enumerator;
734 uint32_t *lenpos;
735
736 if (message->is_encoded(message))
737 { /* inbound, although the message is generated, we cannot access the
738 * cleartext message data, so generate it anyway */
739 enumerator = message->create_payload_enumerator(message);
740 while (enumerator->enumerate(enumerator, &payload))
741 {
742 if (payload->get_type(payload) == PLV1_HASH)
743 {
744 continue;
745 }
746 generator->generate_payload(generator, payload);
747 }
748 enumerator->destroy(enumerator);
749 }
750 else
751 {
752 /* outbound, generate the payloads (there is no HASH payload yet) */
753 enumerator = message->create_payload_enumerator(message);
754 if (enumerator->enumerate(enumerator, &payload))
755 {
756 while (enumerator->enumerate(enumerator, &next))
757 {
758 payload->set_next_type(payload, next->get_type(next));
759 generator->generate_payload(generator, payload);
760 payload = next;
761 }
762 payload->set_next_type(payload, PL_NONE);
763 generator->generate_payload(generator, payload);
764 }
765 enumerator->destroy(enumerator);
766 }
767 return generator->get_chunk(generator, &lenpos);
768 }
769
770 METHOD(keymat_v1_t, get_hash_phase2, bool,
771 private_keymat_v1_t *this, message_t *message, chunk_t *hash)
772 {
773 uint32_t mid, mid_n;
774 chunk_t data = chunk_empty, *n_i, *n_r;
775 bool add_message = TRUE;
776 char *name = "Hash";
777
778 if (!this->prf)
779 { /* no keys derived yet */
780 return FALSE;
781 }
782
783 mid = message->get_message_id(message);
784 mid_n = htonl(mid);
785
786 /* Hashes are simple for most exchanges in Phase 2:
787 * Hash = prf(SKEYID_a, M-ID | Complete message after HASH payload)
788 * For Quick Mode there are three hashes:
789 * Hash(1) = same as above
790 * Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH payload)
791 * Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
792 * So, for Quick Mode we keep track of the nonce values.
793 */
794 switch (message->get_exchange_type(message))
795 {
796 case QUICK_MODE:
797 {
798 this->iv_manager->lookup_quick_mode(this->iv_manager, mid, &n_i,
799 &n_r);
800 if (!n_i->ptr)
801 { /* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
802 name = "Hash(1)";
803 if (!get_nonce(message, n_i))
804 {
805 return FALSE;
806 }
807 data = chunk_from_thing(mid_n);
808 }
809 else if (!n_r->ptr)
810 { /* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
811 name = "Hash(2)";
812 if (!get_nonce(message, n_r))
813 {
814 return FALSE;
815 }
816 data = chunk_cata("cc", chunk_from_thing(mid_n), *n_i);
817 }
818 else
819 { /* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
820 name = "Hash(3)";
821 data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
822 *n_i, *n_r);
823 add_message = FALSE;
824 /* we don't need the state anymore */
825 this->iv_manager->remove_quick_mode(this->iv_manager, mid);
826 }
827 break;
828 }
829 case TRANSACTION:
830 case INFORMATIONAL_V1:
831 /* Hash = prf(SKEYID_a, M-ID | Message after HASH payload) */
832 data = chunk_from_thing(mid_n);
833 break;
834 default:
835 return FALSE;
836 }
837 if (!this->prf->set_key(this->prf, this->skeyid_a))
838 {
839 return FALSE;
840 }
841 if (add_message)
842 {
843 generator_t *generator;
844 chunk_t msg;
845
846 generator = generator_create_no_dbg();
847 msg = get_message_data(message, generator);
848 if (!this->prf->allocate_bytes(this->prf, data, NULL) ||
849 !this->prf->allocate_bytes(this->prf, msg, hash))
850 {
851 generator->destroy(generator);
852 return FALSE;
853 }
854 generator->destroy(generator);
855 }
856 else
857 {
858 if (!this->prf->allocate_bytes(this->prf, data, hash))
859 {
860 return FALSE;
861 }
862 }
863 DBG3(DBG_IKE, "%s %B", name, hash);
864 return TRUE;
865 }
866
867 METHOD(keymat_v1_t, get_iv, bool,
868 private_keymat_v1_t *this, uint32_t mid, chunk_t *out)
869 {
870 return this->iv_manager->get_iv(this->iv_manager, mid, out);
871 }
872
873 METHOD(keymat_v1_t, update_iv, bool,
874 private_keymat_v1_t *this, uint32_t mid, chunk_t last_block)
875 {
876 return this->iv_manager->update_iv(this->iv_manager, mid, last_block);
877 }
878
879 METHOD(keymat_v1_t, confirm_iv, bool,
880 private_keymat_v1_t *this, uint32_t mid)
881 {
882 return this->iv_manager->confirm_iv(this->iv_manager, mid);
883 }
884
885 METHOD(keymat_t, get_version, ike_version_t,
886 private_keymat_v1_t *this)
887 {
888 return IKEV1;
889 }
890
891 METHOD(keymat_t, create_dh, diffie_hellman_t*,
892 private_keymat_v1_t *this, diffie_hellman_group_t group)
893 {
894 return lib->crypto->create_dh(lib->crypto, group);
895 }
896
897 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
898 private_keymat_v1_t *this)
899 {
900 return lib->crypto->create_nonce_gen(lib->crypto);
901 }
902
903 METHOD(keymat_t, get_aead, aead_t*,
904 private_keymat_v1_t *this, bool in)
905 {
906 return this->aead;
907 }
908
909 METHOD(keymat_t, destroy, void,
910 private_keymat_v1_t *this)
911 {
912 DESTROY_IF(this->prf);
913 DESTROY_IF(this->prf_auth);
914 DESTROY_IF(this->aead);
915 DESTROY_IF(this->hasher);
916 chunk_clear(&this->skeyid_d);
917 chunk_clear(&this->skeyid_a);
918 this->iv_manager->destroy(this->iv_manager);
919 free(this);
920 }
921
922 /**
923 * See header
924 */
925 keymat_v1_t *keymat_v1_create(bool initiator)
926 {
927 private_keymat_v1_t *this;
928
929 INIT(this,
930 .public = {
931 .keymat = {
932 .get_version = _get_version,
933 .create_dh = _create_dh,
934 .create_nonce_gen = _create_nonce_gen,
935 .get_aead = _get_aead,
936 .destroy = _destroy,
937 },
938 .derive_ike_keys = _derive_ike_keys,
939 .derive_child_keys = _derive_child_keys,
940 .create_hasher = _create_hasher,
941 .get_hasher = _get_hasher,
942 .get_hash = _get_hash,
943 .get_hash_phase2 = _get_hash_phase2,
944 .get_iv = _get_iv,
945 .update_iv = _update_iv,
946 .confirm_iv = _confirm_iv,
947 },
948 .initiator = initiator,
949 .iv_manager = iv_manager_create(0),
950 );
951 return &this->public;
952 }