Version bump to 5.9.5dr1
[strongswan.git] / src / libcharon / sa / ikev2 / keymat_v2.c
1 /*
2 * Copyright (C) 2015 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "keymat_v2.h"
18
19 #include <daemon.h>
20 #include <crypto/prf_plus.h>
21 #include <crypto/hashers/hash_algorithm_set.h>
22
23 typedef struct private_keymat_v2_t private_keymat_v2_t;
24
25 /**
26 * Private data of an keymat_t object.
27 */
28 struct private_keymat_v2_t {
29
30 /**
31 * Public keymat_v2_t interface.
32 */
33 keymat_v2_t public;
34
35 /**
36 * IKE_SA Role, initiator or responder
37 */
38 bool initiator;
39
40 /**
41 * inbound AEAD
42 */
43 aead_t *aead_in;
44
45 /**
46 * outbound AEAD
47 */
48 aead_t *aead_out;
49
50 /**
51 * General purpose PRF
52 */
53 prf_t *prf;
54
55 /**
56 * Negotiated PRF algorithm
57 */
58 pseudo_random_function_t prf_alg;
59
60 /**
61 * Key to derive key material from for CHILD_SAs, rekeying
62 */
63 chunk_t skd;
64
65 /**
66 * Key to build outgoing authentication data (SKp)
67 */
68 chunk_t skp_build;
69
70 /**
71 * Key to verify incoming authentication data (SKp)
72 */
73 chunk_t skp_verify;
74
75 /**
76 * Set of hash algorithms supported by peer for signature authentication
77 */
78 hash_algorithm_set_t *hash_algorithms;
79 };
80
81 METHOD(keymat_t, get_version, ike_version_t,
82 private_keymat_v2_t *this)
83 {
84 return IKEV2;
85 }
86
87 METHOD(keymat_t, create_dh, diffie_hellman_t*,
88 private_keymat_v2_t *this, diffie_hellman_group_t group)
89 {
90 return lib->crypto->create_dh(lib->crypto, group);
91 }
92
93 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
94 private_keymat_v2_t *this)
95 {
96 return lib->crypto->create_nonce_gen(lib->crypto);
97 }
98
99 /**
100 * Derive IKE keys for a combined AEAD algorithm
101 */
102 static bool derive_ike_aead(private_keymat_v2_t *this, uint16_t alg,
103 uint16_t key_size, prf_plus_t *prf_plus,
104 chunk_t *sk_ei, chunk_t *sk_er)
105 {
106 aead_t *aead_i, *aead_r;
107 u_int salt_size;
108
109 switch (alg)
110 {
111 case ENCR_AES_GCM_ICV8:
112 case ENCR_AES_GCM_ICV12:
113 case ENCR_AES_GCM_ICV16:
114 /* RFC 4106 */
115 case ENCR_CHACHA20_POLY1305:
116 salt_size = 4;
117 break;
118 case ENCR_AES_CCM_ICV8:
119 case ENCR_AES_CCM_ICV12:
120 case ENCR_AES_CCM_ICV16:
121 /* RFC 4309 */
122 case ENCR_CAMELLIA_CCM_ICV8:
123 case ENCR_CAMELLIA_CCM_ICV12:
124 case ENCR_CAMELLIA_CCM_ICV16:
125 /* RFC 5529 */
126 salt_size = 3;
127 break;
128 default:
129 DBG1(DBG_IKE, "nonce size for %N unknown!",
130 encryption_algorithm_names, alg);
131 return FALSE;
132 }
133
134 /* SK_ei/SK_er used for encryption */
135 aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
136 aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
137 if (aead_i == NULL || aead_r == NULL)
138 {
139 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
140 transform_type_names, ENCRYPTION_ALGORITHM,
141 encryption_algorithm_names, alg, key_size);
142 goto failure;
143 }
144 key_size = aead_i->get_key_size(aead_i);
145 if (key_size != aead_r->get_key_size(aead_r))
146 {
147 goto failure;
148 }
149 if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ei))
150 {
151 goto failure;
152 }
153 DBG4(DBG_IKE, "Sk_ei secret %B", sk_ei);
154 if (!aead_i->set_key(aead_i, *sk_ei))
155 {
156 goto failure;
157 }
158
159 if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_er))
160 {
161 goto failure;
162 }
163 DBG4(DBG_IKE, "Sk_er secret %B", sk_er);
164 if (!aead_r->set_key(aead_r, *sk_er))
165 {
166 goto failure;
167 }
168
169 if (this->initiator)
170 {
171 this->aead_in = aead_r;
172 this->aead_out = aead_i;
173 }
174 else
175 {
176 this->aead_in = aead_i;
177 this->aead_out = aead_r;
178 }
179 aead_i = aead_r = NULL;
180
181 failure:
182 DESTROY_IF(aead_i);
183 DESTROY_IF(aead_r);
184 return this->aead_in && this->aead_out;
185 }
186
187 /**
188 * Derive IKE keys for traditional encryption and MAC algorithms
189 */
190 static bool derive_ike_traditional(private_keymat_v2_t *this, uint16_t enc_alg,
191 uint16_t enc_size, uint16_t int_alg, prf_plus_t *prf_plus,
192 chunk_t *sk_ai, chunk_t *sk_ar, chunk_t *sk_ei,
193 chunk_t *sk_er)
194 {
195 crypter_t *crypter_i = NULL, *crypter_r = NULL;
196 signer_t *signer_i, *signer_r;
197 iv_gen_t *ivg_i, *ivg_r;
198 size_t key_size;
199
200 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
201 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
202 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
203 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
204 if (signer_i == NULL || signer_r == NULL)
205 {
206 DBG1(DBG_IKE, "%N %N not supported!",
207 transform_type_names, INTEGRITY_ALGORITHM,
208 integrity_algorithm_names, int_alg);
209 goto failure;
210 }
211 if (crypter_i == NULL || crypter_r == NULL)
212 {
213 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
214 transform_type_names, ENCRYPTION_ALGORITHM,
215 encryption_algorithm_names, enc_alg, enc_size);
216 goto failure;
217 }
218
219 /* SK_ai/SK_ar used for integrity protection */
220 key_size = signer_i->get_key_size(signer_i);
221
222 if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ai))
223 {
224 goto failure;
225 }
226 DBG4(DBG_IKE, "Sk_ai secret %B", sk_ai);
227 if (!signer_i->set_key(signer_i, *sk_ai))
228 {
229 goto failure;
230 }
231
232 if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ar))
233 {
234 goto failure;
235 }
236 DBG4(DBG_IKE, "Sk_ar secret %B", sk_ar);
237 if (!signer_r->set_key(signer_r, *sk_ar))
238 {
239 goto failure;
240 }
241
242 /* SK_ei/SK_er used for encryption */
243 key_size = crypter_i->get_key_size(crypter_i);
244
245 if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_ei))
246 {
247 goto failure;
248 }
249 DBG4(DBG_IKE, "Sk_ei secret %B", sk_ei);
250 if (!crypter_i->set_key(crypter_i, *sk_ei))
251 {
252 goto failure;
253 }
254
255 if (!prf_plus->allocate_bytes(prf_plus, key_size, sk_er))
256 {
257 goto failure;
258 }
259 DBG4(DBG_IKE, "Sk_er secret %B", sk_er);
260 if (!crypter_r->set_key(crypter_r, *sk_er))
261 {
262 goto failure;
263 }
264
265 ivg_i = iv_gen_create_for_alg(enc_alg);
266 ivg_r = iv_gen_create_for_alg(enc_alg);
267 if (!ivg_i || !ivg_r)
268 {
269 goto failure;
270 }
271 if (this->initiator)
272 {
273 this->aead_in = aead_create(crypter_r, signer_r, ivg_r);
274 this->aead_out = aead_create(crypter_i, signer_i, ivg_i);
275 }
276 else
277 {
278 this->aead_in = aead_create(crypter_i, signer_i, ivg_i);
279 this->aead_out = aead_create(crypter_r, signer_r, ivg_r);
280 }
281 signer_i = signer_r = NULL;
282 crypter_i = crypter_r = NULL;
283
284 failure:
285 DESTROY_IF(signer_i);
286 DESTROY_IF(signer_r);
287 DESTROY_IF(crypter_i);
288 DESTROY_IF(crypter_r);
289 return this->aead_in && this->aead_out;
290 }
291
292 METHOD(keymat_v2_t, derive_ike_keys, bool,
293 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
294 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
295 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
296 {
297 chunk_t skeyseed = chunk_empty, secret, full_nonce, fixed_nonce;
298 chunk_t prf_plus_seed, spi_i, spi_r;
299 chunk_t sk_ei = chunk_empty, sk_er = chunk_empty;
300 chunk_t sk_ai = chunk_empty, sk_ar = chunk_empty, sk_pi, sk_pr;
301 prf_plus_t *prf_plus = NULL;
302 uint16_t alg, key_size, int_alg;
303 prf_t *rekey_prf = NULL;
304
305 spi_i = chunk_alloca(sizeof(uint64_t));
306 spi_r = chunk_alloca(sizeof(uint64_t));
307
308 if (!dh->get_shared_secret(dh, &secret))
309 {
310 return FALSE;
311 }
312
313 /* Create SAs general purpose PRF first, we may use it here */
314 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
315 {
316 DBG1(DBG_IKE, "no %N selected",
317 transform_type_names, PSEUDO_RANDOM_FUNCTION);
318 chunk_clear(&secret);
319 return FALSE;
320 }
321 this->prf_alg = alg;
322 this->prf = lib->crypto->create_prf(lib->crypto, alg);
323 if (this->prf == NULL)
324 {
325 DBG1(DBG_IKE, "%N %N not supported!",
326 transform_type_names, PSEUDO_RANDOM_FUNCTION,
327 pseudo_random_function_names, alg);
328 chunk_clear(&secret);
329 return FALSE;
330 }
331 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
332 /* full nonce is used as seed for PRF+ ... */
333 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
334 /* but the PRF may need a fixed key which only uses the first bytes of
335 * the nonces. */
336 switch (alg)
337 {
338 case PRF_AES128_CMAC:
339 /* while variable keys may be used according to RFC 4615, RFC 7296
340 * explicitly limits the key size to 128 bit for this application */
341 case PRF_AES128_XCBC:
342 /* while RFC 4434 defines variable keys for AES-XCBC, RFC 3664 does
343 * not and therefore fixed key semantics apply to XCBC for key
344 * derivation, which is also reinforced by RFC 7296 */
345 case PRF_CAMELLIA128_XCBC:
346 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
347 * assume fixed key length. */
348 key_size = this->prf->get_key_size(this->prf)/2;
349 nonce_i.len = min(nonce_i.len, key_size);
350 nonce_r.len = min(nonce_r.len, key_size);
351 break;
352 default:
353 /* all other algorithms use variable key length, full nonce */
354 break;
355 }
356 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
357 *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id);
358 *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id);
359 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
360
361 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
362 *
363 * if we are rekeying, SKEYSEED is built on another way
364 */
365 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
366 {
367 /* SKEYSEED = prf(Ni | Nr, g^ir) */
368 if (this->prf->set_key(this->prf, fixed_nonce) &&
369 this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
370 this->prf->set_key(this->prf, skeyseed))
371 {
372 prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
373 }
374 }
375 else
376 {
377 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
378 * use OLD SAs PRF functions for both prf_plus and prf */
379 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
380 if (!rekey_prf)
381 {
382 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
383 pseudo_random_function_names, rekey_function);
384 chunk_clear(&secret);
385 chunk_free(&full_nonce);
386 chunk_free(&fixed_nonce);
387 chunk_clear(&prf_plus_seed);
388 return FALSE;
389 }
390 secret = chunk_cat("sc", secret, full_nonce);
391 if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
392 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
393 rekey_prf->set_key(rekey_prf, skeyseed))
394 {
395 prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
396 }
397 }
398 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
399
400 chunk_clear(&skeyseed);
401 chunk_clear(&secret);
402 chunk_free(&full_nonce);
403 chunk_free(&fixed_nonce);
404 chunk_clear(&prf_plus_seed);
405
406 if (!prf_plus)
407 {
408 goto failure;
409 }
410
411 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
412
413 /* SK_d is used for generating CHILD_SA key mat => store for later use */
414 key_size = this->prf->get_key_size(this->prf);
415 if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
416 {
417 goto failure;
418 }
419 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
420
421 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
422 {
423 DBG1(DBG_IKE, "no %N selected",
424 transform_type_names, ENCRYPTION_ALGORITHM);
425 goto failure;
426 }
427
428 if (encryption_algorithm_is_aead(alg))
429 {
430 if (!derive_ike_aead(this, alg, key_size, prf_plus, &sk_ei, &sk_er))
431 {
432 goto failure;
433 }
434 }
435 else
436 {
437 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
438 &int_alg, NULL))
439 {
440 DBG1(DBG_IKE, "no %N selected",
441 transform_type_names, INTEGRITY_ALGORITHM);
442 goto failure;
443 }
444 if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus,
445 &sk_ai, &sk_ar, &sk_ei, &sk_er))
446 {
447 goto failure;
448 }
449 }
450
451 /* SK_pi/SK_pr used for authentication => stored for later */
452 key_size = this->prf->get_key_size(this->prf);
453 if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_pi))
454 {
455 goto failure;
456 }
457 DBG4(DBG_IKE, "Sk_pi secret %B", &sk_pi);
458 if (this->initiator)
459 {
460 this->skp_build = sk_pi;
461 }
462 else
463 {
464 this->skp_verify = sk_pi;
465 }
466 if (!prf_plus->allocate_bytes(prf_plus, key_size, &sk_pr))
467 {
468 goto failure;
469 }
470 DBG4(DBG_IKE, "Sk_pr secret %B", &sk_pr);
471 if (this->initiator)
472 {
473 this->skp_verify = sk_pr;
474 }
475 else
476 {
477 this->skp_build = sk_pr;
478 }
479 charon->bus->ike_derived_keys(charon->bus,this->skd, sk_ai, sk_ar, sk_ei,
480 sk_er, sk_pi, sk_pr);
481
482 failure:
483 chunk_clear(&sk_ai);
484 chunk_clear(&sk_ar);
485 chunk_clear(&sk_ei);
486 chunk_clear(&sk_er);
487 DESTROY_IF(prf_plus);
488 DESTROY_IF(rekey_prf);
489
490 return this->skp_build.len && this->skp_verify.len;
491 }
492
493 /**
494 * Derives a key from the given key and a PRF that was initialized with a PPK
495 */
496 static bool derive_ppk_key(prf_t *prf, char *name, chunk_t key,
497 chunk_t *new_key)
498 {
499 prf_plus_t *prf_plus;
500
501 prf_plus = prf_plus_create(prf, TRUE, key);
502 if (!prf_plus ||
503 !prf_plus->allocate_bytes(prf_plus, key.len, new_key))
504 {
505 DBG1(DBG_IKE, "unable to derive %s with PPK", name);
506 DESTROY_IF(prf_plus);
507 return FALSE;
508 }
509 prf_plus->destroy(prf_plus);
510 return TRUE;
511 }
512
513 /**
514 * Use the given PPK to derive a new SK_pi/r
515 */
516 static bool derive_skp_ppk(private_keymat_v2_t *this, chunk_t ppk, chunk_t skp,
517 chunk_t *new_skp)
518 {
519 if (!this->prf->set_key(this->prf, ppk))
520 {
521 DBG1(DBG_IKE, "unable to set PPK in PRF");
522 return FALSE;
523 }
524 return derive_ppk_key(this->prf, "SK_p", skp, new_skp);
525 }
526
527 METHOD(keymat_v2_t, derive_ike_keys_ppk, bool,
528 private_keymat_v2_t *this, chunk_t ppk)
529 {
530 chunk_t skd = chunk_empty, new_skpi = chunk_empty, new_skpr = chunk_empty;
531 chunk_t *skpi, *skpr;
532
533 if (!this->skd.ptr)
534 {
535 return FALSE;
536 }
537
538 if (this->initiator)
539 {
540 skpi = &this->skp_build;
541 skpr = &this->skp_verify;
542 }
543 else
544 {
545 skpi = &this->skp_verify;
546 skpr = &this->skp_build;
547 }
548
549 DBG4(DBG_IKE, "derive keys using PPK %B", &ppk);
550
551 if (!this->prf->set_key(this->prf, ppk))
552 {
553 DBG1(DBG_IKE, "unable to set PPK in PRF");
554 return FALSE;
555 }
556 if (!derive_ppk_key(this->prf, "Sk_d", this->skd, &skd) ||
557 !derive_ppk_key(this->prf, "Sk_pi", *skpi, &new_skpi) ||
558 !derive_ppk_key(this->prf, "Sk_pr", *skpr, &new_skpr))
559 {
560 chunk_clear(&skd);
561 chunk_clear(&new_skpi);
562 chunk_clear(&new_skpr);
563 return FALSE;
564 }
565
566 DBG4(DBG_IKE, "Sk_d secret %B", &skd);
567 chunk_clear(&this->skd);
568 this->skd = skd;
569
570 DBG4(DBG_IKE, "Sk_pi secret %B", &new_skpi);
571 chunk_clear(skpi);
572 *skpi = new_skpi;
573
574 DBG4(DBG_IKE, "Sk_pr secret %B", &new_skpr);
575 chunk_clear(skpr);
576 *skpr = new_skpr;
577 return TRUE;
578 }
579
580 METHOD(keymat_v2_t, derive_child_keys, bool,
581 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
582 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
583 chunk_t *encr_r, chunk_t *integ_r)
584 {
585 uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
586 chunk_t seed, secret = chunk_empty;
587 prf_plus_t *prf_plus;
588
589 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
590 &enc_alg, &enc_size))
591 {
592 DBG2(DBG_CHD, " using %N for encryption",
593 encryption_algorithm_names, enc_alg);
594
595 if (!enc_size)
596 {
597 enc_size = keymat_get_keylen_encr(enc_alg);
598 }
599 if (enc_alg != ENCR_NULL && !enc_size)
600 {
601 DBG1(DBG_CHD, "no keylength defined for %N",
602 encryption_algorithm_names, enc_alg);
603 return FALSE;
604 }
605 /* to bytes */
606 enc_size /= 8;
607
608 /* CCM/GCM/CTR/GMAC needs additional bytes */
609 switch (enc_alg)
610 {
611 case ENCR_AES_CCM_ICV8:
612 case ENCR_AES_CCM_ICV12:
613 case ENCR_AES_CCM_ICV16:
614 case ENCR_CAMELLIA_CCM_ICV8:
615 case ENCR_CAMELLIA_CCM_ICV12:
616 case ENCR_CAMELLIA_CCM_ICV16:
617 enc_size += 3;
618 break;
619 case ENCR_AES_GCM_ICV8:
620 case ENCR_AES_GCM_ICV12:
621 case ENCR_AES_GCM_ICV16:
622 case ENCR_AES_CTR:
623 case ENCR_CAMELLIA_CTR:
624 case ENCR_NULL_AUTH_AES_GMAC:
625 case ENCR_CHACHA20_POLY1305:
626 enc_size += 4;
627 break;
628 default:
629 break;
630 }
631 }
632
633 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
634 &int_alg, &int_size))
635 {
636 DBG2(DBG_CHD, " using %N for integrity",
637 integrity_algorithm_names, int_alg);
638
639 if (!int_size)
640 {
641 int_size = keymat_get_keylen_integ(int_alg);
642 }
643 if (!int_size)
644 {
645 DBG1(DBG_CHD, "no keylength defined for %N",
646 integrity_algorithm_names, int_alg);
647 return FALSE;
648 }
649 /* to bytes */
650 int_size /= 8;
651 }
652
653 if (!this->prf->set_key(this->prf, this->skd))
654 {
655 return FALSE;
656 }
657
658 if (dh)
659 {
660 if (!dh->get_shared_secret(dh, &secret))
661 {
662 return FALSE;
663 }
664 DBG4(DBG_CHD, "DH secret %B", &secret);
665 }
666 seed = chunk_cata("scc", secret, nonce_i, nonce_r);
667 DBG4(DBG_CHD, "seed %B", &seed);
668
669 prf_plus = prf_plus_create(this->prf, TRUE, seed);
670 memwipe(seed.ptr, seed.len);
671
672 if (!prf_plus)
673 {
674 return FALSE;
675 }
676
677 *encr_i = *integ_i = *encr_r = *integ_r = chunk_empty;
678 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
679 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
680 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
681 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
682 {
683 chunk_free(encr_i);
684 chunk_free(integ_i);
685 chunk_free(encr_r);
686 chunk_free(integ_r);
687 prf_plus->destroy(prf_plus);
688 return FALSE;
689 }
690
691 prf_plus->destroy(prf_plus);
692
693 if (enc_size)
694 {
695 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
696 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
697 }
698 if (int_size)
699 {
700 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
701 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
702 }
703 return TRUE;
704 }
705
706 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
707 private_keymat_v2_t *this, chunk_t *skd)
708 {
709 *skd = this->skd;
710 return this->prf_alg;
711 }
712
713 METHOD(keymat_t, get_aead, aead_t*,
714 private_keymat_v2_t *this, bool in)
715 {
716 return in ? this->aead_in : this->aead_out;
717 }
718
719 METHOD(keymat_v2_t, get_auth_octets, bool,
720 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
721 chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
722 chunk_t *octets, array_t *schemes)
723 {
724 chunk_t chunk, idx;
725 chunk_t skp_ppk = chunk_empty;
726 chunk_t skp;
727
728 skp = verify ? this->skp_verify : this->skp_build;
729 if (ppk.ptr)
730 {
731 DBG4(DBG_IKE, "PPK %B", &ppk);
732 if (!derive_skp_ppk(this, ppk, skp, &skp_ppk))
733 {
734 return FALSE;
735 }
736 skp = skp_ppk;
737 }
738
739 chunk = chunk_alloca(4);
740 chunk.ptr[0] = id->get_type(id);
741 memcpy(chunk.ptr + 1, reserved, 3);
742 idx = chunk_cata("cc", chunk, id->get_encoding(id));
743
744 DBG3(DBG_IKE, "IDx' %B", &idx);
745 DBG4(DBG_IKE, "SK_p %B", &skp);
746 if (!this->prf->set_key(this->prf, skp) ||
747 !this->prf->allocate_bytes(this->prf, idx, &chunk))
748 {
749 chunk_clear(&skp_ppk);
750 return FALSE;
751 }
752 chunk_clear(&skp_ppk);
753 *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
754 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
755 return TRUE;
756 }
757
758 /**
759 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
760 */
761 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
762 #define IKEV2_KEY_PAD_LENGTH 17
763
764 METHOD(keymat_v2_t, get_psk_sig, bool,
765 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
766 chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3],
767 chunk_t *sig)
768 {
769 chunk_t skp_ppk = chunk_empty, key = chunk_empty, octets = chunk_empty;
770 chunk_t key_pad;
771 bool success = FALSE;
772
773 if (!secret.len)
774 { /* EAP uses SK_p if no MSK has been established */
775 secret = verify ? this->skp_verify : this->skp_build;
776 if (ppk.ptr)
777 {
778 if (!derive_skp_ppk(this, ppk, secret, &skp_ppk))
779 {
780 return FALSE;
781 }
782 secret = skp_ppk;
783 }
784 }
785 if (!get_auth_octets(this, verify, ike_sa_init, nonce, ppk, id, reserved,
786 &octets, NULL))
787 {
788 goto failure;
789 }
790 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
791 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
792 if (!this->prf->set_key(this->prf, secret) ||
793 !this->prf->allocate_bytes(this->prf, key_pad, &key))
794 {
795 goto failure;
796 }
797 if (!this->prf->set_key(this->prf, key) ||
798 !this->prf->allocate_bytes(this->prf, octets, sig))
799 {
800 goto failure;
801 }
802 DBG4(DBG_IKE, "secret %B", &secret);
803 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
804 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
805 success = TRUE;
806
807 failure:
808 chunk_clear(&skp_ppk);
809 chunk_free(&octets);
810 chunk_free(&key);
811 return success;
812
813 }
814
815 METHOD(keymat_v2_t, hash_algorithm_supported, bool,
816 private_keymat_v2_t *this, hash_algorithm_t hash)
817 {
818 if (!this->hash_algorithms)
819 {
820 return FALSE;
821 }
822 return this->hash_algorithms->contains(this->hash_algorithms, hash);
823 }
824
825 METHOD(keymat_v2_t, add_hash_algorithm, void,
826 private_keymat_v2_t *this, hash_algorithm_t hash)
827 {
828 if (!this->hash_algorithms)
829 {
830 this->hash_algorithms = hash_algorithm_set_create();
831 }
832 this->hash_algorithms->add(this->hash_algorithms, hash);
833 }
834
835 METHOD(keymat_t, destroy, void,
836 private_keymat_v2_t *this)
837 {
838 DESTROY_IF(this->aead_in);
839 DESTROY_IF(this->aead_out);
840 DESTROY_IF(this->prf);
841 chunk_clear(&this->skd);
842 chunk_clear(&this->skp_verify);
843 chunk_clear(&this->skp_build);
844 DESTROY_IF(this->hash_algorithms);
845 free(this);
846 }
847
848 /**
849 * See header
850 */
851 keymat_v2_t *keymat_v2_create(bool initiator)
852 {
853 private_keymat_v2_t *this;
854
855 INIT(this,
856 .public = {
857 .keymat = {
858 .get_version = _get_version,
859 .create_dh = _create_dh,
860 .create_nonce_gen = _create_nonce_gen,
861 .get_aead = _get_aead,
862 .destroy = _destroy,
863 },
864 .derive_ike_keys = _derive_ike_keys,
865 .derive_ike_keys_ppk = _derive_ike_keys_ppk,
866 .derive_child_keys = _derive_child_keys,
867 .get_skd = _get_skd,
868 .get_auth_octets = _get_auth_octets,
869 .get_psk_sig = _get_psk_sig,
870 .add_hash_algorithm = _add_hash_algorithm,
871 .hash_algorithm_supported = _hash_algorithm_supported,
872
873 },
874 .initiator = initiator,
875 .prf_alg = PRF_UNDEFINED,
876 );
877
878 return &this->public;
879 }