payload: Use common prefixes for all payload type identifiers
[strongswan.git] / src / libcharon / sa / ikev2 / keymat_v2.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v2.h"
17
18 #include <daemon.h>
19 #include <crypto/prf_plus.h>
20
21 typedef struct private_keymat_v2_t private_keymat_v2_t;
22
23 /**
24 * Private data of an keymat_t object.
25 */
26 struct private_keymat_v2_t {
27
28 /**
29 * Public keymat_v2_t interface.
30 */
31 keymat_v2_t public;
32
33 /**
34 * IKE_SA Role, initiator or responder
35 */
36 bool initiator;
37
38 /**
39 * inbound AEAD
40 */
41 aead_t *aead_in;
42
43 /**
44 * outbound AEAD
45 */
46 aead_t *aead_out;
47
48 /**
49 * General purpose PRF
50 */
51 prf_t *prf;
52
53 /**
54 * Negotiated PRF algorithm
55 */
56 pseudo_random_function_t prf_alg;
57
58 /**
59 * Key to derive key material from for CHILD_SAs, rekeying
60 */
61 chunk_t skd;
62
63 /**
64 * Key to build outging authentication data (SKp)
65 */
66 chunk_t skp_build;
67
68 /**
69 * Key to verify incoming authentication data (SKp)
70 */
71 chunk_t skp_verify;
72 };
73
74 METHOD(keymat_t, get_version, ike_version_t,
75 private_keymat_v2_t *this)
76 {
77 return IKEV2;
78 }
79
80 METHOD(keymat_t, create_dh, diffie_hellman_t*,
81 private_keymat_v2_t *this, diffie_hellman_group_t group)
82 {
83 return lib->crypto->create_dh(lib->crypto, group);
84 }
85
86 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
87 private_keymat_v2_t *this)
88 {
89 return lib->crypto->create_nonce_gen(lib->crypto);
90 }
91
92 /**
93 * Derive IKE keys for a combined AEAD algorithm
94 */
95 static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
96 u_int16_t key_size, prf_plus_t *prf_plus)
97 {
98 aead_t *aead_i, *aead_r;
99 chunk_t key = chunk_empty;
100 u_int salt_size;
101
102 switch (alg)
103 {
104 case ENCR_AES_GCM_ICV8:
105 case ENCR_AES_GCM_ICV12:
106 case ENCR_AES_GCM_ICV16:
107 /* RFC 4106 */
108 salt_size = 4;
109 break;
110 case ENCR_AES_CCM_ICV8:
111 case ENCR_AES_CCM_ICV12:
112 case ENCR_AES_CCM_ICV16:
113 /* RFC 4309 */
114 case ENCR_CAMELLIA_CCM_ICV8:
115 case ENCR_CAMELLIA_CCM_ICV12:
116 case ENCR_CAMELLIA_CCM_ICV16:
117 /* RFC 5529 */
118 salt_size = 3;
119 break;
120 default:
121 DBG1(DBG_IKE, "nonce size for %N unknown!",
122 encryption_algorithm_names, alg);
123 return FALSE;
124 }
125
126 /* SK_ei/SK_er used for encryption */
127 aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
128 aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
129 if (aead_i == NULL || aead_r == NULL)
130 {
131 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
132 transform_type_names, ENCRYPTION_ALGORITHM,
133 encryption_algorithm_names, alg, key_size);
134 goto failure;
135 }
136 key_size = aead_i->get_key_size(aead_i);
137 if (key_size != aead_r->get_key_size(aead_r))
138 {
139 goto failure;
140 }
141 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
142 {
143 goto failure;
144 }
145 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
146 if (!aead_i->set_key(aead_i, key))
147 {
148 goto failure;
149 }
150 chunk_clear(&key);
151
152 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
153 {
154 goto failure;
155 }
156 DBG4(DBG_IKE, "Sk_er secret %B", &key);
157 if (!aead_r->set_key(aead_r, key))
158 {
159 goto failure;
160 }
161
162 if (this->initiator)
163 {
164 this->aead_in = aead_r;
165 this->aead_out = aead_i;
166 }
167 else
168 {
169 this->aead_in = aead_i;
170 this->aead_out = aead_r;
171 }
172 aead_i = aead_r = NULL;
173
174 failure:
175 DESTROY_IF(aead_i);
176 DESTROY_IF(aead_r);
177 chunk_clear(&key);
178 return this->aead_in && this->aead_out;
179 }
180
181 /**
182 * Derive IKE keys for traditional encryption and MAC algorithms
183 */
184 static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
185 u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
186 {
187 crypter_t *crypter_i = NULL, *crypter_r = NULL;
188 signer_t *signer_i, *signer_r;
189 size_t key_size;
190 chunk_t key = chunk_empty;
191
192 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
193 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
194 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
195 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
196 if (signer_i == NULL || signer_r == NULL)
197 {
198 DBG1(DBG_IKE, "%N %N not supported!",
199 transform_type_names, INTEGRITY_ALGORITHM,
200 integrity_algorithm_names, int_alg);
201 goto failure;
202 }
203 if (crypter_i == NULL || crypter_r == NULL)
204 {
205 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
206 transform_type_names, ENCRYPTION_ALGORITHM,
207 encryption_algorithm_names, enc_alg, enc_size);
208 goto failure;
209 }
210
211 /* SK_ai/SK_ar used for integrity protection */
212 key_size = signer_i->get_key_size(signer_i);
213
214 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
215 {
216 goto failure;
217 }
218 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
219 if (!signer_i->set_key(signer_i, key))
220 {
221 goto failure;
222 }
223 chunk_clear(&key);
224
225 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
226 {
227 goto failure;
228 }
229 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
230 if (!signer_r->set_key(signer_r, key))
231 {
232 goto failure;
233 }
234 chunk_clear(&key);
235
236 /* SK_ei/SK_er used for encryption */
237 key_size = crypter_i->get_key_size(crypter_i);
238
239 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
240 {
241 goto failure;
242 }
243 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
244 if (!crypter_i->set_key(crypter_i, key))
245 {
246 goto failure;
247 }
248 chunk_clear(&key);
249
250 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
251 {
252 goto failure;
253 }
254 DBG4(DBG_IKE, "Sk_er secret %B", &key);
255 if (!crypter_r->set_key(crypter_r, key))
256 {
257 goto failure;
258 }
259
260 if (this->initiator)
261 {
262 this->aead_in = aead_create(crypter_r, signer_r);
263 this->aead_out = aead_create(crypter_i, signer_i);
264 }
265 else
266 {
267 this->aead_in = aead_create(crypter_i, signer_i);
268 this->aead_out = aead_create(crypter_r, signer_r);
269 }
270 signer_i = signer_r = NULL;
271 crypter_i = crypter_r = NULL;
272
273 failure:
274 chunk_clear(&key);
275 DESTROY_IF(signer_i);
276 DESTROY_IF(signer_r);
277 DESTROY_IF(crypter_i);
278 DESTROY_IF(crypter_r);
279 return this->aead_in && this->aead_out;
280 }
281
282 METHOD(keymat_v2_t, derive_ike_keys, bool,
283 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
284 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
285 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
286 {
287 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
288 chunk_t spi_i, spi_r;
289 prf_plus_t *prf_plus = NULL;
290 u_int16_t alg, key_size, int_alg;
291 prf_t *rekey_prf = NULL;
292
293 spi_i = chunk_alloca(sizeof(u_int64_t));
294 spi_r = chunk_alloca(sizeof(u_int64_t));
295
296 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
297 {
298 return FALSE;
299 }
300
301 /* Create SAs general purpose PRF first, we may use it here */
302 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
303 {
304 DBG1(DBG_IKE, "no %N selected",
305 transform_type_names, PSEUDO_RANDOM_FUNCTION);
306 chunk_clear(&secret);
307 return FALSE;
308 }
309 this->prf_alg = alg;
310 this->prf = lib->crypto->create_prf(lib->crypto, alg);
311 if (this->prf == NULL)
312 {
313 DBG1(DBG_IKE, "%N %N not supported!",
314 transform_type_names, PSEUDO_RANDOM_FUNCTION,
315 pseudo_random_function_names, alg);
316 chunk_clear(&secret);
317 return FALSE;
318 }
319 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
320 /* full nonce is used as seed for PRF+ ... */
321 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
322 /* but the PRF may need a fixed key which only uses the first bytes of
323 * the nonces. */
324 switch (alg)
325 {
326 case PRF_AES128_XCBC:
327 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
328 * not and therefore fixed key semantics apply to XCBC for key
329 * derivation. */
330 case PRF_CAMELLIA128_XCBC:
331 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
332 * assume fixed key length. */
333 key_size = this->prf->get_key_size(this->prf)/2;
334 nonce_i.len = min(nonce_i.len, key_size);
335 nonce_r.len = min(nonce_r.len, key_size);
336 break;
337 default:
338 /* all other algorithms use variable key length, full nonce */
339 break;
340 }
341 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
342 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
343 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
344 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
345
346 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
347 *
348 * if we are rekeying, SKEYSEED is built on another way
349 */
350 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
351 {
352 /* SKEYSEED = prf(Ni | Nr, g^ir) */
353 if (this->prf->set_key(this->prf, fixed_nonce) &&
354 this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
355 this->prf->set_key(this->prf, skeyseed))
356 {
357 prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
358 }
359 }
360 else
361 {
362 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
363 * use OLD SAs PRF functions for both prf_plus and prf */
364 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
365 if (!rekey_prf)
366 {
367 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
368 pseudo_random_function_names, rekey_function);
369 chunk_clear(&secret);
370 chunk_free(&full_nonce);
371 chunk_free(&fixed_nonce);
372 chunk_clear(&prf_plus_seed);
373 return FALSE;
374 }
375 secret = chunk_cat("mc", secret, full_nonce);
376 if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
377 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
378 rekey_prf->set_key(rekey_prf, skeyseed))
379 {
380 prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
381 }
382 }
383 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
384
385 chunk_clear(&skeyseed);
386 chunk_clear(&secret);
387 chunk_free(&full_nonce);
388 chunk_free(&fixed_nonce);
389 chunk_clear(&prf_plus_seed);
390
391 if (!prf_plus)
392 {
393 goto failure;
394 }
395
396 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
397
398 /* SK_d is used for generating CHILD_SA key mat => store for later use */
399 key_size = this->prf->get_key_size(this->prf);
400 if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
401 {
402 goto failure;
403 }
404 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
405
406 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
407 {
408 DBG1(DBG_IKE, "no %N selected",
409 transform_type_names, ENCRYPTION_ALGORITHM);
410 goto failure;
411 }
412
413 if (encryption_algorithm_is_aead(alg))
414 {
415 if (!derive_ike_aead(this, alg, key_size, prf_plus))
416 {
417 goto failure;
418 }
419 }
420 else
421 {
422 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
423 &int_alg, NULL))
424 {
425 DBG1(DBG_IKE, "no %N selected",
426 transform_type_names, INTEGRITY_ALGORITHM);
427 goto failure;
428 }
429 if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
430 {
431 goto failure;
432 }
433 }
434
435 /* SK_pi/SK_pr used for authentication => stored for later */
436 key_size = this->prf->get_key_size(this->prf);
437 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
438 {
439 goto failure;
440 }
441 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
442 if (this->initiator)
443 {
444 this->skp_build = key;
445 }
446 else
447 {
448 this->skp_verify = key;
449 }
450 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
451 {
452 goto failure;
453 }
454 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
455 if (this->initiator)
456 {
457 this->skp_verify = key;
458 }
459 else
460 {
461 this->skp_build = key;
462 }
463
464 /* all done, prf_plus not needed anymore */
465 failure:
466 DESTROY_IF(prf_plus);
467 DESTROY_IF(rekey_prf);
468
469 return this->skp_build.len && this->skp_verify.len;
470 }
471
472 METHOD(keymat_v2_t, derive_child_keys, bool,
473 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
474 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
475 chunk_t *encr_r, chunk_t *integ_r)
476 {
477 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
478 chunk_t seed, secret = chunk_empty;
479 prf_plus_t *prf_plus;
480
481 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
482 &enc_alg, &enc_size))
483 {
484 DBG2(DBG_CHD, " using %N for encryption",
485 encryption_algorithm_names, enc_alg);
486
487 if (!enc_size)
488 {
489 enc_size = keymat_get_keylen_encr(enc_alg);
490 }
491 if (enc_alg != ENCR_NULL && !enc_size)
492 {
493 DBG1(DBG_CHD, "no keylength defined for %N",
494 encryption_algorithm_names, enc_alg);
495 return FALSE;
496 }
497 /* to bytes */
498 enc_size /= 8;
499
500 /* CCM/GCM/CTR/GMAC needs additional bytes */
501 switch (enc_alg)
502 {
503 case ENCR_AES_CCM_ICV8:
504 case ENCR_AES_CCM_ICV12:
505 case ENCR_AES_CCM_ICV16:
506 case ENCR_CAMELLIA_CCM_ICV8:
507 case ENCR_CAMELLIA_CCM_ICV12:
508 case ENCR_CAMELLIA_CCM_ICV16:
509 enc_size += 3;
510 break;
511 case ENCR_AES_GCM_ICV8:
512 case ENCR_AES_GCM_ICV12:
513 case ENCR_AES_GCM_ICV16:
514 case ENCR_AES_CTR:
515 case ENCR_NULL_AUTH_AES_GMAC:
516 enc_size += 4;
517 break;
518 default:
519 break;
520 }
521 }
522
523 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
524 &int_alg, &int_size))
525 {
526 DBG2(DBG_CHD, " using %N for integrity",
527 integrity_algorithm_names, int_alg);
528
529 if (!int_size)
530 {
531 int_size = keymat_get_keylen_integ(int_alg);
532 }
533 if (!int_size)
534 {
535 DBG1(DBG_CHD, "no keylength defined for %N",
536 integrity_algorithm_names, int_alg);
537 return FALSE;
538 }
539 /* to bytes */
540 int_size /= 8;
541 }
542
543 if (!this->prf->set_key(this->prf, this->skd))
544 {
545 return FALSE;
546 }
547
548 if (dh)
549 {
550 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
551 {
552 return FALSE;
553 }
554 DBG4(DBG_CHD, "DH secret %B", &secret);
555 }
556 seed = chunk_cata("scc", secret, nonce_i, nonce_r);
557 DBG4(DBG_CHD, "seed %B", &seed);
558
559 prf_plus = prf_plus_create(this->prf, TRUE, seed);
560 memwipe(seed.ptr, seed.len);
561
562 if (!prf_plus)
563 {
564 return FALSE;
565 }
566
567 *encr_i = *integ_i = *encr_r = *integ_r = chunk_empty;
568 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
569 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
570 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
571 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
572 {
573 chunk_free(encr_i);
574 chunk_free(integ_i);
575 chunk_free(encr_r);
576 chunk_free(integ_r);
577 prf_plus->destroy(prf_plus);
578 return FALSE;
579 }
580
581 prf_plus->destroy(prf_plus);
582
583 if (enc_size)
584 {
585 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
586 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
587 }
588 if (int_size)
589 {
590 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
591 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
592 }
593 return TRUE;
594 }
595
596 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
597 private_keymat_v2_t *this, chunk_t *skd)
598 {
599 *skd = this->skd;
600 return this->prf_alg;
601 }
602
603 METHOD(keymat_t, get_aead, aead_t*,
604 private_keymat_v2_t *this, bool in)
605 {
606 return in ? this->aead_in : this->aead_out;
607 }
608
609 METHOD(keymat_v2_t, get_auth_octets, bool,
610 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
611 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
612 {
613 chunk_t chunk, idx;
614 chunk_t skp;
615
616 skp = verify ? this->skp_verify : this->skp_build;
617
618 chunk = chunk_alloca(4);
619 chunk.ptr[0] = id->get_type(id);
620 memcpy(chunk.ptr + 1, reserved, 3);
621 idx = chunk_cata("cc", chunk, id->get_encoding(id));
622
623 DBG3(DBG_IKE, "IDx' %B", &idx);
624 DBG4(DBG_IKE, "SK_p %B", &skp);
625 if (!this->prf->set_key(this->prf, skp) ||
626 !this->prf->allocate_bytes(this->prf, idx, &chunk))
627 {
628 return FALSE;
629 }
630 *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
631 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
632 return TRUE;
633 }
634
635 /**
636 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
637 */
638 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
639 #define IKEV2_KEY_PAD_LENGTH 17
640
641 METHOD(keymat_v2_t, get_psk_sig, bool,
642 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
643 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
644 {
645 chunk_t key_pad, key, octets;
646
647 if (!secret.len)
648 { /* EAP uses SK_p if no MSK has been established */
649 secret = verify ? this->skp_verify : this->skp_build;
650 }
651 if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
652 {
653 return FALSE;
654 }
655 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
656 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
657 if (!this->prf->set_key(this->prf, secret) ||
658 !this->prf->allocate_bytes(this->prf, key_pad, &key))
659 {
660 chunk_free(&octets);
661 return FALSE;
662 }
663 if (!this->prf->set_key(this->prf, key) ||
664 !this->prf->allocate_bytes(this->prf, octets, sig))
665 {
666 chunk_free(&key);
667 chunk_free(&octets);
668 return FALSE;
669 }
670 DBG4(DBG_IKE, "secret %B", &secret);
671 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
672 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
673 chunk_free(&octets);
674 chunk_free(&key);
675
676 return TRUE;
677 }
678
679 METHOD(keymat_t, destroy, void,
680 private_keymat_v2_t *this)
681 {
682 DESTROY_IF(this->aead_in);
683 DESTROY_IF(this->aead_out);
684 DESTROY_IF(this->prf);
685 chunk_clear(&this->skd);
686 chunk_clear(&this->skp_verify);
687 chunk_clear(&this->skp_build);
688 free(this);
689 }
690
691 /**
692 * See header
693 */
694 keymat_v2_t *keymat_v2_create(bool initiator)
695 {
696 private_keymat_v2_t *this;
697
698 INIT(this,
699 .public = {
700 .keymat = {
701 .get_version = _get_version,
702 .create_dh = _create_dh,
703 .create_nonce_gen = _create_nonce_gen,
704 .get_aead = _get_aead,
705 .destroy = _destroy,
706 },
707 .derive_ike_keys = _derive_ike_keys,
708 .derive_child_keys = _derive_child_keys,
709 .get_skd = _get_skd,
710 .get_auth_octets = _get_auth_octets,
711 .get_psk_sig = _get_psk_sig,
712 },
713 .initiator = initiator,
714 .prf_alg = PRF_UNDEFINED,
715 );
716
717 return &this->public;
718 }