Added a keymat_t version to cast it safely
[strongswan.git] / src / libcharon / sa / ikev2 / keymat_v2.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v2.h"
17
18 #include <daemon.h>
19 #include <crypto/prf_plus.h>
20
21 typedef struct private_keymat_v2_t private_keymat_v2_t;
22
23 /**
24 * Private data of an keymat_t object.
25 */
26 struct private_keymat_v2_t {
27
28 /**
29 * Public keymat_v2_t interface.
30 */
31 keymat_v2_t public;
32
33 /**
34 * IKE_SA Role, initiator or responder
35 */
36 bool initiator;
37
38 /**
39 * inbound AEAD
40 */
41 aead_t *aead_in;
42
43 /**
44 * outbound AEAD
45 */
46 aead_t *aead_out;
47
48 /**
49 * General purpose PRF
50 */
51 prf_t *prf;
52
53 /**
54 * Negotiated PRF algorithm
55 */
56 pseudo_random_function_t prf_alg;
57
58 /**
59 * Key to derive key material from for CHILD_SAs, rekeying
60 */
61 chunk_t skd;
62
63 /**
64 * Key to build outging authentication data (SKp)
65 */
66 chunk_t skp_build;
67
68 /**
69 * Key to verify incoming authentication data (SKp)
70 */
71 chunk_t skp_verify;
72 };
73
74 METHOD(keymat_t, get_version, ike_version_t,
75 private_keymat_v2_t *this)
76 {
77 return IKEV2;
78 }
79
80 METHOD(keymat_t, create_dh, diffie_hellman_t*,
81 private_keymat_v2_t *this, diffie_hellman_group_t group)
82 {
83 return lib->crypto->create_dh(lib->crypto, group);
84 }
85
86 /**
87 * Derive IKE keys for a combined AEAD algorithm
88 */
89 static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
90 u_int16_t key_size, prf_plus_t *prf_plus)
91 {
92 aead_t *aead_i, *aead_r;
93 chunk_t key;
94
95 /* SK_ei/SK_er used for encryption */
96 aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
97 aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
98 if (aead_i == NULL || aead_r == NULL)
99 {
100 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
101 transform_type_names, ENCRYPTION_ALGORITHM,
102 encryption_algorithm_names, alg, key_size);
103 return FALSE;
104 }
105 key_size = aead_i->get_key_size(aead_i);
106
107 prf_plus->allocate_bytes(prf_plus, key_size, &key);
108 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
109 aead_i->set_key(aead_i, key);
110 chunk_clear(&key);
111
112 prf_plus->allocate_bytes(prf_plus, key_size, &key);
113 DBG4(DBG_IKE, "Sk_er secret %B", &key);
114 aead_r->set_key(aead_r, key);
115 chunk_clear(&key);
116
117 if (this->initiator)
118 {
119 this->aead_in = aead_r;
120 this->aead_out = aead_i;
121 }
122 else
123 {
124 this->aead_in = aead_i;
125 this->aead_out = aead_r;
126 }
127 return TRUE;
128 }
129
130 /**
131 * Derive IKE keys for traditional encryption and MAC algorithms
132 */
133 static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
134 u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
135 {
136 crypter_t *crypter_i, *crypter_r;
137 signer_t *signer_i, *signer_r;
138 size_t key_size;
139 chunk_t key;
140
141 /* SK_ai/SK_ar used for integrity protection */
142 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
143 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
144 if (signer_i == NULL || signer_r == NULL)
145 {
146 DBG1(DBG_IKE, "%N %N not supported!",
147 transform_type_names, INTEGRITY_ALGORITHM,
148 integrity_algorithm_names, int_alg);
149 return FALSE;
150 }
151 key_size = signer_i->get_key_size(signer_i);
152
153 prf_plus->allocate_bytes(prf_plus, key_size, &key);
154 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
155 signer_i->set_key(signer_i, key);
156 chunk_clear(&key);
157
158 prf_plus->allocate_bytes(prf_plus, key_size, &key);
159 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
160 signer_r->set_key(signer_r, key);
161 chunk_clear(&key);
162
163 /* SK_ei/SK_er used for encryption */
164 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
165 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
166 if (crypter_i == NULL || crypter_r == NULL)
167 {
168 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
169 transform_type_names, ENCRYPTION_ALGORITHM,
170 encryption_algorithm_names, enc_alg, enc_size);
171 signer_i->destroy(signer_i);
172 signer_r->destroy(signer_r);
173 return FALSE;
174 }
175 key_size = crypter_i->get_key_size(crypter_i);
176
177 prf_plus->allocate_bytes(prf_plus, key_size, &key);
178 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
179 crypter_i->set_key(crypter_i, key);
180 chunk_clear(&key);
181
182 prf_plus->allocate_bytes(prf_plus, key_size, &key);
183 DBG4(DBG_IKE, "Sk_er secret %B", &key);
184 crypter_r->set_key(crypter_r, key);
185 chunk_clear(&key);
186
187 if (this->initiator)
188 {
189 this->aead_in = aead_create(crypter_r, signer_r);
190 this->aead_out = aead_create(crypter_i, signer_i);
191 }
192 else
193 {
194 this->aead_in = aead_create(crypter_i, signer_i);
195 this->aead_out = aead_create(crypter_r, signer_r);
196 }
197 return TRUE;
198 }
199
200 METHOD(keymat_v2_t, derive_ike_keys, bool,
201 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
202 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
203 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
204 {
205 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
206 chunk_t spi_i, spi_r;
207 prf_plus_t *prf_plus;
208 u_int16_t alg, key_size, int_alg;
209 prf_t *rekey_prf = NULL;
210
211 spi_i = chunk_alloca(sizeof(u_int64_t));
212 spi_r = chunk_alloca(sizeof(u_int64_t));
213
214 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
215 {
216 return FALSE;
217 }
218
219 /* Create SAs general purpose PRF first, we may use it here */
220 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
221 {
222 DBG1(DBG_IKE, "no %N selected",
223 transform_type_names, PSEUDO_RANDOM_FUNCTION);
224 return FALSE;
225 }
226 this->prf_alg = alg;
227 this->prf = lib->crypto->create_prf(lib->crypto, alg);
228 if (this->prf == NULL)
229 {
230 DBG1(DBG_IKE, "%N %N not supported!",
231 transform_type_names, PSEUDO_RANDOM_FUNCTION,
232 pseudo_random_function_names, alg);
233 return FALSE;
234 }
235 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
236 /* full nonce is used as seed for PRF+ ... */
237 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
238 /* but the PRF may need a fixed key which only uses the first bytes of
239 * the nonces. */
240 switch (alg)
241 {
242 case PRF_AES128_XCBC:
243 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
244 * not and therefore fixed key semantics apply to XCBC for key
245 * derivation. */
246 case PRF_CAMELLIA128_XCBC:
247 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
248 * assume fixed key length. */
249 key_size = this->prf->get_key_size(this->prf)/2;
250 nonce_i.len = min(nonce_i.len, key_size);
251 nonce_r.len = min(nonce_r.len, key_size);
252 break;
253 default:
254 /* all other algorithms use variable key length, full nonce */
255 break;
256 }
257 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
258 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
259 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
260 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
261
262 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
263 *
264 * if we are rekeying, SKEYSEED is built on another way
265 */
266 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
267 {
268 /* SKEYSEED = prf(Ni | Nr, g^ir) */
269 this->prf->set_key(this->prf, fixed_nonce);
270 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
271 this->prf->set_key(this->prf, skeyseed);
272 prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
273 }
274 else
275 {
276 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
277 * use OLD SAs PRF functions for both prf_plus and prf */
278 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
279 if (!rekey_prf)
280 {
281 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
282 pseudo_random_function_names, rekey_function);
283 chunk_free(&full_nonce);
284 chunk_free(&fixed_nonce);
285 chunk_clear(&prf_plus_seed);
286 return FALSE;
287 }
288 secret = chunk_cat("mc", secret, full_nonce);
289 rekey_prf->set_key(rekey_prf, rekey_skd);
290 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
291 rekey_prf->set_key(rekey_prf, skeyseed);
292 prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
293 }
294 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
295
296 chunk_clear(&skeyseed);
297 chunk_clear(&secret);
298 chunk_free(&full_nonce);
299 chunk_free(&fixed_nonce);
300 chunk_clear(&prf_plus_seed);
301
302 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
303
304 /* SK_d is used for generating CHILD_SA key mat => store for later use */
305 key_size = this->prf->get_key_size(this->prf);
306 prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
307 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
308
309 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
310 {
311 DBG1(DBG_IKE, "no %N selected",
312 transform_type_names, ENCRYPTION_ALGORITHM);
313 prf_plus->destroy(prf_plus);
314 DESTROY_IF(rekey_prf);
315 return FALSE;
316 }
317
318 if (encryption_algorithm_is_aead(alg))
319 {
320 if (!derive_ike_aead(this, alg, key_size, prf_plus))
321 {
322 prf_plus->destroy(prf_plus);
323 DESTROY_IF(rekey_prf);
324 return FALSE;
325 }
326 }
327 else
328 {
329 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
330 &int_alg, NULL))
331 {
332 DBG1(DBG_IKE, "no %N selected",
333 transform_type_names, INTEGRITY_ALGORITHM);
334 prf_plus->destroy(prf_plus);
335 DESTROY_IF(rekey_prf);
336 return FALSE;
337 }
338 if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
339 {
340 prf_plus->destroy(prf_plus);
341 DESTROY_IF(rekey_prf);
342 return FALSE;
343 }
344 }
345
346 /* SK_pi/SK_pr used for authentication => stored for later */
347 key_size = this->prf->get_key_size(this->prf);
348 prf_plus->allocate_bytes(prf_plus, key_size, &key);
349 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
350 if (this->initiator)
351 {
352 this->skp_build = key;
353 }
354 else
355 {
356 this->skp_verify = key;
357 }
358 prf_plus->allocate_bytes(prf_plus, key_size, &key);
359 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
360 if (this->initiator)
361 {
362 this->skp_verify = key;
363 }
364 else
365 {
366 this->skp_build = key;
367 }
368
369 /* all done, prf_plus not needed anymore */
370 prf_plus->destroy(prf_plus);
371 DESTROY_IF(rekey_prf);
372
373 return TRUE;
374 }
375
376 METHOD(keymat_v2_t, derive_child_keys, bool,
377 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
378 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
379 chunk_t *encr_r, chunk_t *integ_r)
380 {
381 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
382 chunk_t seed, secret = chunk_empty;
383 prf_plus_t *prf_plus;
384
385 if (dh)
386 {
387 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
388 {
389 return FALSE;
390 }
391 DBG4(DBG_CHD, "DH secret %B", &secret);
392 }
393 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
394 DBG4(DBG_CHD, "seed %B", &seed);
395
396 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
397 &enc_alg, &enc_size))
398 {
399 DBG2(DBG_CHD, " using %N for encryption",
400 encryption_algorithm_names, enc_alg);
401
402 if (!enc_size)
403 {
404 enc_size = keymat_get_keylen_encr(enc_alg);
405 }
406 if (enc_alg != ENCR_NULL && !enc_size)
407 {
408 DBG1(DBG_CHD, "no keylength defined for %N",
409 encryption_algorithm_names, enc_alg);
410 return FALSE;
411 }
412 /* to bytes */
413 enc_size /= 8;
414
415 /* CCM/GCM/CTR/GMAC needs additional bytes */
416 switch (enc_alg)
417 {
418 case ENCR_AES_CCM_ICV8:
419 case ENCR_AES_CCM_ICV12:
420 case ENCR_AES_CCM_ICV16:
421 case ENCR_CAMELLIA_CCM_ICV8:
422 case ENCR_CAMELLIA_CCM_ICV12:
423 case ENCR_CAMELLIA_CCM_ICV16:
424 enc_size += 3;
425 break;
426 case ENCR_AES_GCM_ICV8:
427 case ENCR_AES_GCM_ICV12:
428 case ENCR_AES_GCM_ICV16:
429 case ENCR_AES_CTR:
430 case ENCR_NULL_AUTH_AES_GMAC:
431 enc_size += 4;
432 break;
433 default:
434 break;
435 }
436 }
437
438 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
439 &int_alg, &int_size))
440 {
441 DBG2(DBG_CHD, " using %N for integrity",
442 integrity_algorithm_names, int_alg);
443
444 if (!int_size)
445 {
446 int_size = keymat_get_keylen_integ(int_alg);
447 }
448 if (!int_size)
449 {
450 DBG1(DBG_CHD, "no keylength defined for %N",
451 integrity_algorithm_names, int_alg);
452 return FALSE;
453 }
454 /* to bytes */
455 int_size /= 8;
456 }
457
458 this->prf->set_key(this->prf, this->skd);
459 prf_plus = prf_plus_create(this->prf, TRUE, seed);
460
461 prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
462 prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
463 prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
464 prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
465
466 prf_plus->destroy(prf_plus);
467
468 if (enc_size)
469 {
470 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
471 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
472 }
473 if (int_size)
474 {
475 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
476 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
477 }
478 return TRUE;
479 }
480
481 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
482 private_keymat_v2_t *this, chunk_t *skd)
483 {
484 *skd = this->skd;
485 return this->prf_alg;
486 }
487
488 METHOD(keymat_t, get_aead, aead_t*,
489 private_keymat_v2_t *this, bool in)
490 {
491 return in ? this->aead_in : this->aead_out;
492 }
493
494 METHOD(keymat_v2_t, get_auth_octets, chunk_t,
495 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
496 chunk_t nonce, identification_t *id, char reserved[3])
497 {
498 chunk_t chunk, idx, octets;
499 chunk_t skp;
500
501 skp = verify ? this->skp_verify : this->skp_build;
502
503 chunk = chunk_alloca(4);
504 chunk.ptr[0] = id->get_type(id);
505 memcpy(chunk.ptr + 1, reserved, 3);
506 idx = chunk_cata("cc", chunk, id->get_encoding(id));
507
508 DBG3(DBG_IKE, "IDx' %B", &idx);
509 DBG3(DBG_IKE, "SK_p %B", &skp);
510 this->prf->set_key(this->prf, skp);
511 this->prf->allocate_bytes(this->prf, idx, &chunk);
512
513 octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
514 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
515 return octets;
516 }
517
518 /**
519 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
520 */
521 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
522 #define IKEV2_KEY_PAD_LENGTH 17
523
524 METHOD(keymat_v2_t, get_psk_sig, chunk_t,
525 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
526 chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
527 {
528 chunk_t key_pad, key, sig, octets;
529
530 if (!secret.len)
531 { /* EAP uses SK_p if no MSK has been established */
532 secret = verify ? this->skp_verify : this->skp_build;
533 }
534 octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
535 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
536 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
537 this->prf->set_key(this->prf, secret);
538 this->prf->allocate_bytes(this->prf, key_pad, &key);
539 this->prf->set_key(this->prf, key);
540 this->prf->allocate_bytes(this->prf, octets, &sig);
541 DBG4(DBG_IKE, "secret %B", &secret);
542 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
543 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
544 chunk_free(&octets);
545 chunk_free(&key);
546
547 return sig;
548 }
549
550 METHOD(keymat_t, destroy, void,
551 private_keymat_v2_t *this)
552 {
553 DESTROY_IF(this->aead_in);
554 DESTROY_IF(this->aead_out);
555 DESTROY_IF(this->prf);
556 chunk_clear(&this->skd);
557 chunk_clear(&this->skp_verify);
558 chunk_clear(&this->skp_build);
559 free(this);
560 }
561
562 /**
563 * See header
564 */
565 keymat_v2_t *keymat_v2_create(bool initiator)
566 {
567 private_keymat_v2_t *this;
568
569 INIT(this,
570 .public = {
571 .keymat = {
572 .get_version = _get_version,
573 .create_dh = _create_dh,
574 .get_aead = _get_aead,
575 .destroy = _destroy,
576 },
577 .derive_ike_keys = _derive_ike_keys,
578 .derive_child_keys = _derive_child_keys,
579 .get_skd = _get_skd,
580 .get_auth_octets = _get_auth_octets,
581 .get_psk_sig = _get_psk_sig,
582 },
583 .initiator = initiator,
584 .prf_alg = PRF_UNDEFINED,
585 );
586
587 return &this->public;
588 }