Add a return value to prf_t.allocate_bytes()
[strongswan.git] / src / libcharon / sa / ikev1 / keymat_v1.c
1 /*
2 * Copyright (C) 2011 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v1.h"
17
18 #include <daemon.h>
19 #include <encoding/generator.h>
20 #include <encoding/payloads/nonce_payload.h>
21 #include <utils/linked_list.h>
22
23 typedef struct private_keymat_v1_t private_keymat_v1_t;
24
25 /**
26 * Max. number of IVs to track.
27 */
28 #define MAX_IV 3
29
30 /**
31 * Max. number of Quick Modes to track.
32 */
33 #define MAX_QM 2
34
35 /**
36 * Data stored for IVs
37 */
38 typedef struct {
39 /** message ID */
40 u_int32_t mid;
41 /** current IV */
42 chunk_t iv;
43 /** last block of encrypted message */
44 chunk_t last_block;
45 } iv_data_t;
46
47 /**
48 * Private data of an keymat_t object.
49 */
50 struct private_keymat_v1_t {
51
52 /**
53 * Public keymat_v1_t interface.
54 */
55 keymat_v1_t public;
56
57 /**
58 * IKE_SA Role, initiator or responder
59 */
60 bool initiator;
61
62 /**
63 * General purpose PRF
64 */
65 prf_t *prf;
66
67 /**
68 * PRF to create Phase 1 HASH payloads
69 */
70 prf_t *prf_auth;
71
72 /**
73 * Crypter wrapped in an aead_t interface
74 */
75 aead_t *aead;
76
77 /**
78 * Hasher used for IV generation (and other things like e.g. NAT-T)
79 */
80 hasher_t *hasher;
81
82 /**
83 * Key used for authentication during main mode
84 */
85 chunk_t skeyid;
86
87 /**
88 * Key to derive key material from for non-ISAKMP SAs, rekeying
89 */
90 chunk_t skeyid_d;
91
92 /**
93 * Key used for authentication after main mode
94 */
95 chunk_t skeyid_a;
96
97 /**
98 * Phase 1 IV
99 */
100 iv_data_t phase1_iv;
101
102 /**
103 * Keep track of IVs for exchanges after phase 1. We store only a limited
104 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
105 */
106 linked_list_t *ivs;
107
108 /**
109 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
110 * of QMs are tracked at the same time. Stores qm_data_t objects.
111 */
112 linked_list_t *qms;
113 };
114
115
116 /**
117 * Destroy an iv_data_t object.
118 */
119 static void iv_data_destroy(iv_data_t *this)
120 {
121 chunk_free(&this->last_block);
122 chunk_free(&this->iv);
123 free(this);
124 }
125
126 /**
127 * Data stored for Quick Mode exchanges
128 */
129 typedef struct {
130 /** message ID */
131 u_int32_t mid;
132 /** Ni_b (Nonce from first message) */
133 chunk_t n_i;
134 /** Nr_b (Nonce from second message) */
135 chunk_t n_r;
136 } qm_data_t;
137
138 /**
139 * Destroy a qm_data_t object.
140 */
141 static void qm_data_destroy(qm_data_t *this)
142 {
143 chunk_free(&this->n_i);
144 chunk_free(&this->n_r);
145 free(this);
146 }
147
148 /**
149 * Constants used in key derivation.
150 */
151 static const chunk_t octet_0 = chunk_from_chars(0x00);
152 static const chunk_t octet_1 = chunk_from_chars(0x01);
153 static const chunk_t octet_2 = chunk_from_chars(0x02);
154
155 /**
156 * Simple aead_t implementation without support for authentication.
157 */
158 typedef struct {
159 /** implements aead_t interface */
160 aead_t aead;
161 /** crypter to be used */
162 crypter_t *crypter;
163 } private_aead_t;
164
165
166 METHOD(aead_t, encrypt, bool,
167 private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv,
168 chunk_t *encrypted)
169 {
170 this->crypter->encrypt(this->crypter, plain, iv, encrypted);
171 return TRUE;
172 }
173
174 METHOD(aead_t, decrypt, bool,
175 private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv,
176 chunk_t *plain)
177 {
178 this->crypter->decrypt(this->crypter, encrypted, iv, plain);
179 return TRUE;
180 }
181
182 METHOD(aead_t, get_block_size, size_t,
183 private_aead_t *this)
184 {
185 return this->crypter->get_block_size(this->crypter);
186 }
187
188 METHOD(aead_t, get_icv_size, size_t,
189 private_aead_t *this)
190 {
191 return 0;
192 }
193
194 METHOD(aead_t, get_iv_size, size_t,
195 private_aead_t *this)
196 {
197 /* in order to create the messages properly we return 0 here */
198 return 0;
199 }
200
201 METHOD(aead_t, get_key_size, size_t,
202 private_aead_t *this)
203 {
204 return this->crypter->get_key_size(this->crypter);
205 }
206
207 METHOD(aead_t, set_key, bool,
208 private_aead_t *this, chunk_t key)
209 {
210 this->crypter->set_key(this->crypter, key);
211 return TRUE;
212 }
213
214 METHOD(aead_t, aead_destroy, void,
215 private_aead_t *this)
216 {
217 this->crypter->destroy(this->crypter);
218 free(this);
219 }
220
221 /**
222 * Expand SKEYID_e according to Appendix B in RFC 2409.
223 * TODO-IKEv1: verify keys (e.g. for weak keys, see Appendix B)
224 */
225 static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf,
226 chunk_t *ka)
227 {
228 size_t block_size;
229 chunk_t seed;
230 int i;
231
232 if (skeyid_e.len >= key_size)
233 { /* no expansion required, reduce to key_size */
234 skeyid_e.len = key_size;
235 *ka = skeyid_e;
236 return TRUE;
237 }
238 block_size = prf->get_block_size(prf);
239 *ka = chunk_alloc((key_size / block_size + 1) * block_size);
240 ka->len = key_size;
241
242 /* Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1) ... */
243 prf->set_key(prf, skeyid_e);
244 seed = octet_0;
245 for (i = 0; i < key_size; i += block_size)
246 {
247 if (!prf->get_bytes(prf, seed, ka->ptr + i))
248 {
249 chunk_clear(ka);
250 chunk_clear(&skeyid_e);
251 return FALSE;
252 }
253 seed = chunk_create(ka->ptr + i, block_size);
254 }
255 chunk_clear(&skeyid_e);
256 return TRUE;
257 }
258
259 /**
260 * Create a simple implementation of the aead_t interface which only encrypts
261 * or decrypts data.
262 */
263 static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e)
264 {
265 private_aead_t *this;
266 u_int16_t alg, key_size;
267 crypter_t *crypter;
268 chunk_t ka;
269
270 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg,
271 &key_size))
272 {
273 DBG1(DBG_IKE, "no %N selected",
274 transform_type_names, ENCRYPTION_ALGORITHM);
275 return NULL;
276 }
277 crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
278 if (!crypter)
279 {
280 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
281 transform_type_names, ENCRYPTION_ALGORITHM,
282 encryption_algorithm_names, alg, key_size);
283 return NULL;
284 }
285 key_size = crypter->get_key_size(crypter);
286 if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, &ka))
287 {
288 return NULL;
289 }
290 DBG4(DBG_IKE, "encryption key Ka %B", &ka);
291 crypter->set_key(crypter, ka);
292 chunk_clear(&ka);
293
294 INIT(this,
295 .aead = {
296 .encrypt = _encrypt,
297 .decrypt = _decrypt,
298 .get_block_size = _get_block_size,
299 .get_icv_size = _get_icv_size,
300 .get_iv_size = _get_iv_size,
301 .get_key_size = _get_key_size,
302 .set_key = _set_key,
303 .destroy = _aead_destroy,
304 },
305 .crypter = crypter,
306 );
307 return &this->aead;
308 }
309
310 /**
311 * Converts integrity algorithm to PRF algorithm
312 */
313 static u_int16_t auth_to_prf(u_int16_t alg)
314 {
315 switch (alg)
316 {
317 case AUTH_HMAC_SHA1_96:
318 return PRF_HMAC_SHA1;
319 case AUTH_HMAC_SHA2_256_128:
320 return PRF_HMAC_SHA2_256;
321 case AUTH_HMAC_SHA2_384_192:
322 return PRF_HMAC_SHA2_384;
323 case AUTH_HMAC_SHA2_512_256:
324 return PRF_HMAC_SHA2_512;
325 case AUTH_HMAC_MD5_96:
326 return PRF_HMAC_MD5;
327 case AUTH_AES_XCBC_96:
328 return PRF_AES128_XCBC;
329 default:
330 return PRF_UNDEFINED;
331 }
332 }
333
334 /**
335 * Converts integrity algorithm to hash algorithm
336 */
337 static u_int16_t auth_to_hash(u_int16_t alg)
338 {
339 switch (alg)
340 {
341 case AUTH_HMAC_SHA1_96:
342 return HASH_SHA1;
343 case AUTH_HMAC_SHA2_256_128:
344 return HASH_SHA256;
345 case AUTH_HMAC_SHA2_384_192:
346 return HASH_SHA384;
347 case AUTH_HMAC_SHA2_512_256:
348 return HASH_SHA512;
349 case AUTH_HMAC_MD5_96:
350 return HASH_MD5;
351 default:
352 return HASH_UNKNOWN;
353 }
354 }
355
356 /**
357 * Adjust the key length for PRF algorithms that expect a fixed key length.
358 */
359 static void adjust_keylen(u_int16_t alg, chunk_t *key)
360 {
361 switch (alg)
362 {
363 case PRF_AES128_XCBC:
364 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
365 * not and therefore fixed key semantics apply to XCBC for key
366 * derivation. */
367 key->len = min(key->len, 16);
368 break;
369 default:
370 /* all other algorithms use variable key length */
371 break;
372 }
373 }
374
375 METHOD(keymat_v1_t, derive_ike_keys, bool,
376 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
377 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
378 auth_method_t auth, shared_key_t *shared_key)
379 {
380 chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e;
381 chunk_t skeyid;
382 u_int16_t alg;
383
384 spi_i = chunk_alloca(sizeof(u_int64_t));
385 spi_r = chunk_alloca(sizeof(u_int64_t));
386
387 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
388 { /* no PRF negotiated, use HMAC version of integrity algorithm instead */
389 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)
390 || (alg = auth_to_prf(alg)) == PRF_UNDEFINED)
391 {
392 DBG1(DBG_IKE, "no %N selected",
393 transform_type_names, PSEUDO_RANDOM_FUNCTION);
394 return FALSE;
395 }
396 }
397 this->prf = lib->crypto->create_prf(lib->crypto, alg);
398 if (!this->prf)
399 {
400 DBG1(DBG_IKE, "%N %N not supported!",
401 transform_type_names, PSEUDO_RANDOM_FUNCTION,
402 pseudo_random_function_names, alg);
403 return FALSE;
404 }
405 if (this->prf->get_block_size(this->prf) <
406 this->prf->get_key_size(this->prf))
407 { /* TODO-IKEv1: support PRF output expansion (RFC 2409, Appendix B) */
408 DBG1(DBG_IKE, "expansion of %N %N output not supported!",
409 transform_type_names, PSEUDO_RANDOM_FUNCTION,
410 pseudo_random_function_names, alg);
411 return FALSE;
412 }
413
414 if (dh->get_shared_secret(dh, &g_xy) != SUCCESS)
415 {
416 return FALSE;
417 }
418 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy);
419
420 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
421 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
422 nonces = chunk_cata("cc", nonce_i, nonce_r);
423
424 switch (auth)
425 {
426 case AUTH_PSK:
427 case AUTH_XAUTH_INIT_PSK:
428 { /* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */
429 chunk_t psk;
430 if (!shared_key)
431 {
432 chunk_clear(&g_xy);
433 return FALSE;
434 }
435 psk = shared_key->get_key(shared_key);
436 adjust_keylen(alg, &psk);
437 this->prf->set_key(this->prf, psk);
438 if (!this->prf->allocate_bytes(this->prf, nonces, &skeyid))
439 {
440 chunk_clear(&g_xy);
441 return FALSE;
442 }
443 break;
444 }
445 case AUTH_RSA:
446 case AUTH_ECDSA_256:
447 case AUTH_ECDSA_384:
448 case AUTH_ECDSA_521:
449 case AUTH_XAUTH_INIT_RSA:
450 case AUTH_XAUTH_RESP_RSA:
451 case AUTH_HYBRID_INIT_RSA:
452 case AUTH_HYBRID_RESP_RSA:
453 {
454 this->prf->set_key(this->prf, nonces);
455 if (!this->prf->allocate_bytes(this->prf, g_xy, &skeyid))
456 {
457 chunk_clear(&g_xy);
458 return FALSE;
459 }
460 break;
461 }
462 default:
463 /* TODO-IKEv1: implement key derivation for other schemes */
464 /* authentication class not supported */
465 chunk_clear(&g_xy);
466 return FALSE;
467 }
468 adjust_keylen(alg, &skeyid);
469 DBG4(DBG_IKE, "SKEYID %B", &skeyid);
470 this->prf->set_key(this->prf, skeyid);
471
472 /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */
473 data = chunk_cat("cccc", g_xy, spi_i, spi_r, octet_0);
474 if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_d))
475 {
476 chunk_clear(&g_xy);
477 chunk_clear(&data);
478 }
479 chunk_clear(&data);
480 DBG4(DBG_IKE, "SKEYID_d %B", &this->skeyid_d);
481
482 /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */
483 data = chunk_cat("ccccc", this->skeyid_d, g_xy, spi_i, spi_r, octet_1);
484 if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_a))
485 {
486 chunk_clear(&g_xy);
487 chunk_clear(&data);
488 }
489 chunk_clear(&data);
490 DBG4(DBG_IKE, "SKEYID_a %B", &this->skeyid_a);
491
492 /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */
493 data = chunk_cat("ccccc", this->skeyid_a, g_xy, spi_i, spi_r, octet_2);
494 if (!this->prf->allocate_bytes(this->prf, data, &skeyid_e))
495 {
496 chunk_clear(&g_xy);
497 chunk_clear(&data);
498 }
499 chunk_clear(&data);
500 DBG4(DBG_IKE, "SKEYID_e %B", &skeyid_e);
501
502 chunk_clear(&g_xy);
503
504 switch (auth)
505 {
506 case AUTH_ECDSA_256:
507 alg = PRF_HMAC_SHA2_256;
508 break;
509 case AUTH_ECDSA_384:
510 alg = PRF_HMAC_SHA2_384;
511 break;
512 case AUTH_ECDSA_521:
513 alg = PRF_HMAC_SHA2_512;
514 break;
515 default:
516 /* use proposal algorithm */
517 break;
518 }
519 this->prf_auth = lib->crypto->create_prf(lib->crypto, alg);
520 if (!this->prf_auth)
521 {
522 DBG1(DBG_IKE, "%N %N not supported!",
523 transform_type_names, PSEUDO_RANDOM_FUNCTION,
524 pseudo_random_function_names, alg);
525 chunk_clear(&skeyid);
526 return FALSE;
527 }
528 this->prf_auth->set_key(this->prf_auth, skeyid);
529 chunk_clear(&skeyid);
530
531 this->aead = create_aead(proposal, this->prf, skeyid_e);
532 if (!this->aead)
533 {
534 return FALSE;
535 }
536 if (!this->hasher && !this->public.create_hasher(&this->public, proposal))
537 {
538 return FALSE;
539 }
540
541 dh->get_my_public_value(dh, &dh_me);
542 g_xi = this->initiator ? dh_me : dh_other;
543 g_xr = this->initiator ? dh_other : dh_me;
544
545 /* initial IV = hash(g^xi | g^xr) */
546 data = chunk_cata("cc", g_xi, g_xr);
547 this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv);
548 if (this->phase1_iv.iv.len > this->aead->get_block_size(this->aead))
549 {
550 this->phase1_iv.iv.len = this->aead->get_block_size(this->aead);
551 }
552 chunk_free(&dh_me);
553 DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
554
555 return TRUE;
556 }
557
558 METHOD(keymat_v1_t, derive_child_keys, bool,
559 private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh,
560 u_int32_t spi_i, u_int32_t spi_r, chunk_t nonce_i, chunk_t nonce_r,
561 chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r)
562 {
563 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
564 u_int8_t protocol;
565 prf_plus_t *prf_plus;
566 chunk_t seed, secret = chunk_empty;
567
568 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
569 &enc_alg, &enc_size))
570 {
571 DBG2(DBG_CHD, " using %N for encryption",
572 encryption_algorithm_names, enc_alg);
573
574 if (!enc_size)
575 {
576 enc_size = keymat_get_keylen_encr(enc_alg);
577 }
578 if (enc_alg != ENCR_NULL && !enc_size)
579 {
580 DBG1(DBG_CHD, "no keylength defined for %N",
581 encryption_algorithm_names, enc_alg);
582 return FALSE;
583 }
584 /* to bytes */
585 enc_size /= 8;
586
587 /* CCM/GCM/CTR/GMAC needs additional bytes */
588 switch (enc_alg)
589 {
590 case ENCR_AES_CCM_ICV8:
591 case ENCR_AES_CCM_ICV12:
592 case ENCR_AES_CCM_ICV16:
593 case ENCR_CAMELLIA_CCM_ICV8:
594 case ENCR_CAMELLIA_CCM_ICV12:
595 case ENCR_CAMELLIA_CCM_ICV16:
596 enc_size += 3;
597 break;
598 case ENCR_AES_GCM_ICV8:
599 case ENCR_AES_GCM_ICV12:
600 case ENCR_AES_GCM_ICV16:
601 case ENCR_AES_CTR:
602 case ENCR_NULL_AUTH_AES_GMAC:
603 enc_size += 4;
604 break;
605 default:
606 break;
607 }
608 }
609
610 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
611 &int_alg, &int_size))
612 {
613 DBG2(DBG_CHD, " using %N for integrity",
614 integrity_algorithm_names, int_alg);
615
616 if (!int_size)
617 {
618 int_size = keymat_get_keylen_integ(int_alg);
619 }
620 if (!int_size)
621 {
622 DBG1(DBG_CHD, "no keylength defined for %N",
623 integrity_algorithm_names, int_alg);
624 return FALSE;
625 }
626 /* to bytes */
627 int_size /= 8;
628 }
629
630 /* KEYMAT = prf+(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b) */
631 this->prf->set_key(this->prf, this->skeyid_d);
632 protocol = proposal->get_protocol(proposal);
633 if (dh)
634 {
635 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
636 {
637 return FALSE;
638 }
639 DBG4(DBG_CHD, "DH secret %B", &secret);
640 }
641
642 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
643 chunk_from_thing(spi_r), nonce_i, nonce_r);
644 DBG4(DBG_CHD, "initiator SA seed %B", &seed);
645
646 prf_plus = prf_plus_create(this->prf, FALSE, seed);
647 if (!prf_plus)
648 {
649 chunk_clear(&secret);
650 return FALSE;
651 }
652 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
653 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i))
654 {
655 prf_plus->destroy(prf_plus);
656 chunk_clear(&secret);
657 return FALSE;
658 }
659 prf_plus->destroy(prf_plus);
660
661 seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol),
662 chunk_from_thing(spi_i), nonce_i, nonce_r);
663 DBG4(DBG_CHD, "responder SA seed %B", &seed);
664 prf_plus = prf_plus_create(this->prf, FALSE, seed);
665 if (!prf_plus)
666 {
667 chunk_clear(&secret);
668 return FALSE;
669 }
670 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
671 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
672 {
673 prf_plus->destroy(prf_plus);
674 chunk_clear(&secret);
675 return FALSE;
676 }
677 prf_plus->destroy(prf_plus);
678
679 chunk_clear(&secret);
680
681 if (enc_size)
682 {
683 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
684 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
685 }
686 if (int_size)
687 {
688 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
689 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
690 }
691 return TRUE;
692 }
693
694 METHOD(keymat_v1_t, create_hasher, bool,
695 private_keymat_v1_t *this, proposal_t *proposal)
696 {
697 u_int16_t alg;
698 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) ||
699 (alg = auth_to_hash(alg)) == HASH_UNKNOWN)
700 {
701 DBG1(DBG_IKE, "no %N selected", transform_type_names, HASH_ALGORITHM);
702 return FALSE;
703 }
704 this->hasher = lib->crypto->create_hasher(lib->crypto, alg);
705 if (!this->hasher)
706 {
707 DBG1(DBG_IKE, "%N %N not supported!",
708 transform_type_names, HASH_ALGORITHM,
709 hash_algorithm_names, alg);
710 return FALSE;
711 }
712 return TRUE;
713 }
714
715 METHOD(keymat_v1_t, get_hasher, hasher_t*,
716 private_keymat_v1_t *this)
717 {
718 return this->hasher;
719 }
720
721 METHOD(keymat_v1_t, get_hash, bool,
722 private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
723 ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash)
724 {
725 chunk_t data;
726 u_int64_t spi, spi_other;
727
728 /* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )
729 * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )
730 */
731 if (initiator)
732 {
733 spi = ike_sa_id->get_initiator_spi(ike_sa_id);
734 spi_other = ike_sa_id->get_responder_spi(ike_sa_id);
735 }
736 else
737 {
738 spi_other = ike_sa_id->get_initiator_spi(ike_sa_id);
739 spi = ike_sa_id->get_responder_spi(ike_sa_id);
740 }
741 data = chunk_cat("cccccc", dh, dh_other,
742 chunk_from_thing(spi), chunk_from_thing(spi_other),
743 sa_i, id);
744
745 DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data);
746
747 if (!this->prf_auth->allocate_bytes(this->prf_auth, data, hash))
748 {
749 free(data.ptr);
750 return FALSE;
751 }
752
753 DBG3(DBG_IKE, "HASH_%c %B", initiator ? 'I' : 'R', hash);
754
755 free(data.ptr);
756 return TRUE;
757 }
758
759 /**
760 * Get the nonce value found in the given message.
761 * Returns FALSE if none is found.
762 */
763 static bool get_nonce(message_t *message, chunk_t *n)
764 {
765 nonce_payload_t *nonce;
766 nonce = (nonce_payload_t*)message->get_payload(message, NONCE_V1);
767 if (nonce)
768 {
769 *n = nonce->get_nonce(nonce);
770 return TRUE;
771 }
772 return FALSE;
773 }
774
775 /**
776 * Generate the message data in order to generate the hashes.
777 */
778 static chunk_t get_message_data(message_t *message, generator_t *generator)
779 {
780 payload_t *payload, *next;
781 enumerator_t *enumerator;
782 u_int32_t *lenpos;
783
784 if (message->is_encoded(message))
785 { /* inbound, although the message is generated, we cannot access the
786 * cleartext message data, so generate it anyway */
787 enumerator = message->create_payload_enumerator(message);
788 while (enumerator->enumerate(enumerator, &payload))
789 {
790 if (payload->get_type(payload) == HASH_V1)
791 {
792 continue;
793 }
794 generator->generate_payload(generator, payload);
795 }
796 enumerator->destroy(enumerator);
797 }
798 else
799 {
800 /* outbound, generate the payloads (there is no HASH payload yet) */
801 enumerator = message->create_payload_enumerator(message);
802 if (enumerator->enumerate(enumerator, &payload))
803 {
804 while (enumerator->enumerate(enumerator, &next))
805 {
806 payload->set_next_type(payload, next->get_type(next));
807 generator->generate_payload(generator, payload);
808 payload = next;
809 }
810 payload->set_next_type(payload, NO_PAYLOAD);
811 generator->generate_payload(generator, payload);
812 }
813 enumerator->destroy(enumerator);
814 }
815 return generator->get_chunk(generator, &lenpos);
816 }
817
818 /**
819 * Try to find data about a Quick Mode with the given message ID,
820 * if none is found, state is generated.
821 */
822 static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, u_int32_t mid)
823 {
824 enumerator_t *enumerator;
825 qm_data_t *qm, *found = NULL;
826
827 enumerator = this->qms->create_enumerator(this->qms);
828 while (enumerator->enumerate(enumerator, &qm))
829 {
830 if (qm->mid == mid)
831 { /* state gets moved to the front of the list */
832 this->qms->remove_at(this->qms, enumerator);
833 found = qm;
834 break;
835 }
836 }
837 enumerator->destroy(enumerator);
838 if (!found)
839 {
840 INIT(found,
841 .mid = mid,
842 );
843 }
844 this->qms->insert_first(this->qms, found);
845 /* remove least recently used state if maximum reached */
846 if (this->qms->get_count(this->qms) > MAX_QM &&
847 this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
848 {
849 qm_data_destroy(qm);
850 }
851 return found;
852 }
853
854 METHOD(keymat_v1_t, get_hash_phase2, bool,
855 private_keymat_v1_t *this, message_t *message, chunk_t *hash)
856 {
857 u_int32_t mid, mid_n;
858 chunk_t data = chunk_empty;
859 bool add_message = TRUE;
860 char *name = "Hash";
861
862 if (!this->prf)
863 { /* no keys derived yet */
864 return FALSE;
865 }
866
867 mid = message->get_message_id(message);
868 mid_n = htonl(mid);
869
870 /* Hashes are simple for most exchanges in Phase 2:
871 * Hash = prf(SKEYID_a, M-ID | Complete message after HASH payload)
872 * For Quick Mode there are three hashes:
873 * Hash(1) = same as above
874 * Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH payload)
875 * Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b)
876 * So, for Quick Mode we keep track of the nonce values.
877 */
878 switch (message->get_exchange_type(message))
879 {
880 case QUICK_MODE:
881 {
882 qm_data_t *qm = lookup_quick_mode(this, mid);
883 if (!qm->n_i.ptr)
884 { /* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
885 name = "Hash(1)";
886 if (!get_nonce(message, &qm->n_i))
887 {
888 return FALSE;
889 }
890 data = chunk_from_thing(mid_n);
891 }
892 else if (!qm->n_r.ptr)
893 { /* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
894 name = "Hash(2)";
895 if (!get_nonce(message, &qm->n_r))
896 {
897 return FALSE;
898 }
899 data = chunk_cata("cc", chunk_from_thing(mid_n), qm->n_i);
900 }
901 else
902 { /* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
903 name = "Hash(3)";
904 data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
905 qm->n_i, qm->n_r);
906 add_message = FALSE;
907 /* we don't need the state anymore */
908 this->qms->remove(this->qms, qm, NULL);
909 qm_data_destroy(qm);
910 }
911 break;
912 }
913 case TRANSACTION:
914 case INFORMATIONAL_V1:
915 /* Hash = prf(SKEYID_a, M-ID | Message after HASH payload) */
916 data = chunk_from_thing(mid_n);
917 break;
918 default:
919 return FALSE;
920 }
921 this->prf->set_key(this->prf, this->skeyid_a);
922 if (add_message)
923 {
924 generator_t *generator;
925 chunk_t msg;
926
927 generator = generator_create_no_dbg();
928 msg = get_message_data(message, generator);
929 if (!this->prf->allocate_bytes(this->prf, data, NULL) ||
930 !this->prf->allocate_bytes(this->prf, msg, hash))
931 {
932 generator->destroy(generator);
933 return FALSE;
934 }
935 generator->destroy(generator);
936 }
937 else
938 {
939 if (!this->prf->allocate_bytes(this->prf, data, hash))
940 {
941 return FALSE;
942 }
943 }
944 DBG3(DBG_IKE, "%s %B", name, hash);
945 return TRUE;
946 }
947
948 /**
949 * Generate an IV
950 */
951 static void generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
952 {
953 if (iv->mid == 0 || iv->iv.ptr)
954 { /* use last block of previous encrypted message */
955 chunk_free(&iv->iv);
956 iv->iv = iv->last_block;
957 iv->last_block = chunk_empty;
958 }
959 else
960 {
961 /* initial phase 2 IV = hash(last_phase1_block | mid) */
962 u_int32_t net = htonl(iv->mid);
963 chunk_t data = chunk_cata("cc", this->phase1_iv.iv,
964 chunk_from_thing(net));
965 this->hasher->allocate_hash(this->hasher, data, &iv->iv);
966 if (iv->iv.len > this->aead->get_block_size(this->aead))
967 {
968 iv->iv.len = this->aead->get_block_size(this->aead);
969 }
970 }
971 DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
972 }
973
974 /**
975 * Try to find an IV for the given message ID, if not found, generate it.
976 */
977 static iv_data_t *lookup_iv(private_keymat_v1_t *this, u_int32_t mid)
978 {
979 enumerator_t *enumerator;
980 iv_data_t *iv, *found = NULL;
981
982 if (mid == 0)
983 {
984 return &this->phase1_iv;
985 }
986
987 enumerator = this->ivs->create_enumerator(this->ivs);
988 while (enumerator->enumerate(enumerator, &iv))
989 {
990 if (iv->mid == mid)
991 { /* IV gets moved to the front of the list */
992 this->ivs->remove_at(this->ivs, enumerator);
993 found = iv;
994 break;
995 }
996 }
997 enumerator->destroy(enumerator);
998 if (!found)
999 {
1000 INIT(found,
1001 .mid = mid,
1002 );
1003 generate_iv(this, found);
1004 }
1005 this->ivs->insert_first(this->ivs, found);
1006 /* remove least recently used IV if maximum reached */
1007 if (this->ivs->get_count(this->ivs) > MAX_IV &&
1008 this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
1009 {
1010 iv_data_destroy(iv);
1011 }
1012 return found;
1013 }
1014
1015 METHOD(keymat_v1_t, get_iv, chunk_t,
1016 private_keymat_v1_t *this, u_int32_t mid)
1017 {
1018 return chunk_clone(lookup_iv(this, mid)->iv);
1019 }
1020
1021 METHOD(keymat_v1_t, update_iv, void,
1022 private_keymat_v1_t *this, u_int32_t mid, chunk_t last_block)
1023 {
1024 iv_data_t *iv = lookup_iv(this, mid);
1025 if (iv)
1026 { /* update last block */
1027 chunk_free(&iv->last_block);
1028 iv->last_block = chunk_clone(last_block);
1029 }
1030 }
1031
1032 METHOD(keymat_v1_t, confirm_iv, void,
1033 private_keymat_v1_t *this, u_int32_t mid)
1034 {
1035 iv_data_t *iv = lookup_iv(this, mid);
1036 if (iv)
1037 {
1038 generate_iv(this, iv);
1039 }
1040 }
1041
1042 METHOD(keymat_t, get_version, ike_version_t,
1043 private_keymat_v1_t *this)
1044 {
1045 return IKEV1;
1046 }
1047
1048 METHOD(keymat_t, create_dh, diffie_hellman_t*,
1049 private_keymat_v1_t *this, diffie_hellman_group_t group)
1050 {
1051 return lib->crypto->create_dh(lib->crypto, group);
1052 }
1053
1054 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
1055 private_keymat_v1_t *this)
1056 {
1057 return lib->crypto->create_nonce_gen(lib->crypto);
1058 }
1059
1060 METHOD(keymat_t, get_aead, aead_t*,
1061 private_keymat_v1_t *this, bool in)
1062 {
1063 return this->aead;
1064 }
1065
1066 METHOD(keymat_t, destroy, void,
1067 private_keymat_v1_t *this)
1068 {
1069 DESTROY_IF(this->prf);
1070 DESTROY_IF(this->prf_auth);
1071 DESTROY_IF(this->aead);
1072 DESTROY_IF(this->hasher);
1073 chunk_clear(&this->skeyid_d);
1074 chunk_clear(&this->skeyid_a);
1075 chunk_free(&this->phase1_iv.iv);
1076 chunk_free(&this->phase1_iv.last_block);
1077 this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
1078 this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
1079 free(this);
1080 }
1081
1082 /**
1083 * See header
1084 */
1085 keymat_v1_t *keymat_v1_create(bool initiator)
1086 {
1087 private_keymat_v1_t *this;
1088
1089 INIT(this,
1090 .public = {
1091 .keymat = {
1092 .get_version = _get_version,
1093 .create_dh = _create_dh,
1094 .create_nonce_gen = _create_nonce_gen,
1095 .get_aead = _get_aead,
1096 .destroy = _destroy,
1097 },
1098 .derive_ike_keys = _derive_ike_keys,
1099 .derive_child_keys = _derive_child_keys,
1100 .create_hasher = _create_hasher,
1101 .get_hasher = _get_hasher,
1102 .get_hash = _get_hash,
1103 .get_hash_phase2 = _get_hash_phase2,
1104 .get_iv = _get_iv,
1105 .update_iv = _update_iv,
1106 .confirm_iv = _confirm_iv,
1107 },
1108 .ivs = linked_list_create(),
1109 .qms = linked_list_create(),
1110 .initiator = initiator,
1111 );
1112
1113 return &this->public;
1114 }