91f001bdb91b53d1f9e61d101e80c8af5e61912f
[strongswan.git] / src / libcharon / sa / ikev2 / keymat_v2.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat_v2.h"
17
18 #include <daemon.h>
19 #include <crypto/prf_plus.h>
20
21 typedef struct private_keymat_v2_t private_keymat_v2_t;
22
23 /**
24 * Private data of an keymat_t object.
25 */
26 struct private_keymat_v2_t {
27
28 /**
29 * Public keymat_v2_t interface.
30 */
31 keymat_v2_t public;
32
33 /**
34 * IKE_SA Role, initiator or responder
35 */
36 bool initiator;
37
38 /**
39 * inbound AEAD
40 */
41 aead_t *aead_in;
42
43 /**
44 * outbound AEAD
45 */
46 aead_t *aead_out;
47
48 /**
49 * General purpose PRF
50 */
51 prf_t *prf;
52
53 /**
54 * Negotiated PRF algorithm
55 */
56 pseudo_random_function_t prf_alg;
57
58 /**
59 * Key to derive key material from for CHILD_SAs, rekeying
60 */
61 chunk_t skd;
62
63 /**
64 * Key to build outging authentication data (SKp)
65 */
66 chunk_t skp_build;
67
68 /**
69 * Key to verify incoming authentication data (SKp)
70 */
71 chunk_t skp_verify;
72 };
73
74 METHOD(keymat_t, get_version, ike_version_t,
75 private_keymat_v2_t *this)
76 {
77 return IKEV2;
78 }
79
80 METHOD(keymat_t, create_dh, diffie_hellman_t*,
81 private_keymat_v2_t *this, diffie_hellman_group_t group)
82 {
83 return lib->crypto->create_dh(lib->crypto, group);
84 }
85
86 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
87 private_keymat_v2_t *this)
88 {
89 return lib->crypto->create_nonce_gen(lib->crypto);
90 }
91
92 /**
93 * Derive IKE keys for a combined AEAD algorithm
94 */
95 static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
96 u_int16_t key_size, prf_plus_t *prf_plus)
97 {
98 aead_t *aead_i, *aead_r;
99 chunk_t key;
100
101 /* SK_ei/SK_er used for encryption */
102 aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
103 aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8);
104 if (aead_i == NULL || aead_r == NULL)
105 {
106 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
107 transform_type_names, ENCRYPTION_ALGORITHM,
108 encryption_algorithm_names, alg, key_size);
109 return FALSE;
110 }
111 key_size = aead_i->get_key_size(aead_i);
112
113 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
114 {
115 return FALSE;
116 }
117 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
118 if (!aead_i->set_key(aead_i, key))
119 {
120 chunk_clear(&key);
121 return FALSE;
122 }
123 chunk_clear(&key);
124
125 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
126 {
127 return FALSE;
128 }
129 DBG4(DBG_IKE, "Sk_er secret %B", &key);
130 if (!aead_r->set_key(aead_r, key))
131 {
132 chunk_clear(&key);
133 return FALSE;
134 }
135 chunk_clear(&key);
136
137 if (this->initiator)
138 {
139 this->aead_in = aead_r;
140 this->aead_out = aead_i;
141 }
142 else
143 {
144 this->aead_in = aead_i;
145 this->aead_out = aead_r;
146 }
147 return TRUE;
148 }
149
150 /**
151 * Derive IKE keys for traditional encryption and MAC algorithms
152 */
153 static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
154 u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
155 {
156 crypter_t *crypter_i, *crypter_r;
157 signer_t *signer_i, *signer_r;
158 size_t key_size;
159 chunk_t key;
160
161 /* SK_ai/SK_ar used for integrity protection */
162 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
163 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
164 if (signer_i == NULL || signer_r == NULL)
165 {
166 DBG1(DBG_IKE, "%N %N not supported!",
167 transform_type_names, INTEGRITY_ALGORITHM,
168 integrity_algorithm_names, int_alg);
169 return FALSE;
170 }
171 key_size = signer_i->get_key_size(signer_i);
172
173 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
174 {
175 signer_i->destroy(signer_i);
176 signer_r->destroy(signer_r);
177 return FALSE;
178 }
179 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
180 if (!signer_i->set_key(signer_i, key))
181 {
182 signer_i->destroy(signer_i);
183 signer_r->destroy(signer_r);
184 chunk_clear(&key);
185 return FALSE;
186 }
187 chunk_clear(&key);
188
189 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
190 {
191 signer_i->destroy(signer_i);
192 signer_r->destroy(signer_r);
193 return FALSE;
194 }
195 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
196 if (!signer_r->set_key(signer_r, key))
197 {
198 signer_i->destroy(signer_i);
199 signer_r->destroy(signer_r);
200 chunk_clear(&key);
201 return FALSE;
202 }
203 chunk_clear(&key);
204
205 /* SK_ei/SK_er used for encryption */
206 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
207 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
208 if (crypter_i == NULL || crypter_r == NULL)
209 {
210 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
211 transform_type_names, ENCRYPTION_ALGORITHM,
212 encryption_algorithm_names, enc_alg, enc_size);
213 signer_i->destroy(signer_i);
214 signer_r->destroy(signer_r);
215 return FALSE;
216 }
217 key_size = crypter_i->get_key_size(crypter_i);
218
219 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
220 {
221 crypter_i->destroy(crypter_i);
222 crypter_r->destroy(crypter_r);
223 signer_i->destroy(signer_i);
224 signer_r->destroy(signer_r);
225 return FALSE;
226 }
227 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
228 if (!crypter_i->set_key(crypter_i, key))
229 {
230 crypter_i->destroy(crypter_i);
231 crypter_r->destroy(crypter_r);
232 signer_i->destroy(signer_i);
233 signer_r->destroy(signer_r);
234 return FALSE;
235 }
236 chunk_clear(&key);
237
238 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
239 {
240 crypter_i->destroy(crypter_i);
241 crypter_r->destroy(crypter_r);
242 signer_i->destroy(signer_i);
243 signer_r->destroy(signer_r);
244 return FALSE;
245 }
246 DBG4(DBG_IKE, "Sk_er secret %B", &key);
247 if (!crypter_r->set_key(crypter_r, key))
248 {
249 crypter_i->destroy(crypter_i);
250 crypter_r->destroy(crypter_r);
251 signer_i->destroy(signer_i);
252 signer_r->destroy(signer_r);
253 return FALSE;
254 }
255 chunk_clear(&key);
256
257 if (this->initiator)
258 {
259 this->aead_in = aead_create(crypter_r, signer_r);
260 this->aead_out = aead_create(crypter_i, signer_i);
261 }
262 else
263 {
264 this->aead_in = aead_create(crypter_i, signer_i);
265 this->aead_out = aead_create(crypter_r, signer_r);
266 }
267 return TRUE;
268 }
269
270 METHOD(keymat_v2_t, derive_ike_keys, bool,
271 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
272 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
273 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
274 {
275 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
276 chunk_t spi_i, spi_r;
277 prf_plus_t *prf_plus = NULL;
278 u_int16_t alg, key_size, int_alg;
279 prf_t *rekey_prf = NULL;
280
281 spi_i = chunk_alloca(sizeof(u_int64_t));
282 spi_r = chunk_alloca(sizeof(u_int64_t));
283
284 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
285 {
286 return FALSE;
287 }
288
289 /* Create SAs general purpose PRF first, we may use it here */
290 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
291 {
292 DBG1(DBG_IKE, "no %N selected",
293 transform_type_names, PSEUDO_RANDOM_FUNCTION);
294 return FALSE;
295 }
296 this->prf_alg = alg;
297 this->prf = lib->crypto->create_prf(lib->crypto, alg);
298 if (this->prf == NULL)
299 {
300 DBG1(DBG_IKE, "%N %N not supported!",
301 transform_type_names, PSEUDO_RANDOM_FUNCTION,
302 pseudo_random_function_names, alg);
303 return FALSE;
304 }
305 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
306 /* full nonce is used as seed for PRF+ ... */
307 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
308 /* but the PRF may need a fixed key which only uses the first bytes of
309 * the nonces. */
310 switch (alg)
311 {
312 case PRF_AES128_XCBC:
313 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
314 * not and therefore fixed key semantics apply to XCBC for key
315 * derivation. */
316 case PRF_CAMELLIA128_XCBC:
317 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
318 * assume fixed key length. */
319 key_size = this->prf->get_key_size(this->prf)/2;
320 nonce_i.len = min(nonce_i.len, key_size);
321 nonce_r.len = min(nonce_r.len, key_size);
322 break;
323 default:
324 /* all other algorithms use variable key length, full nonce */
325 break;
326 }
327 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
328 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
329 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
330 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
331
332 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
333 *
334 * if we are rekeying, SKEYSEED is built on another way
335 */
336 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
337 {
338 /* SKEYSEED = prf(Ni | Nr, g^ir) */
339 if (this->prf->set_key(this->prf, fixed_nonce) &&
340 this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
341 this->prf->set_key(this->prf, skeyseed))
342 {
343 prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
344 }
345 }
346 else
347 {
348 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
349 * use OLD SAs PRF functions for both prf_plus and prf */
350 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
351 if (!rekey_prf)
352 {
353 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
354 pseudo_random_function_names, rekey_function);
355 chunk_free(&full_nonce);
356 chunk_free(&fixed_nonce);
357 chunk_clear(&prf_plus_seed);
358 return FALSE;
359 }
360 secret = chunk_cat("mc", secret, full_nonce);
361 if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
362 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
363 rekey_prf->set_key(rekey_prf, skeyseed))
364 {
365 prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
366 }
367 }
368 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
369
370 chunk_clear(&skeyseed);
371 chunk_clear(&secret);
372 chunk_free(&full_nonce);
373 chunk_free(&fixed_nonce);
374 chunk_clear(&prf_plus_seed);
375
376 if (!prf_plus)
377 {
378 DESTROY_IF(rekey_prf);
379 return FALSE;
380 }
381
382 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
383
384 /* SK_d is used for generating CHILD_SA key mat => store for later use */
385 key_size = this->prf->get_key_size(this->prf);
386 if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
387 {
388 prf_plus->destroy(prf_plus);
389 DESTROY_IF(rekey_prf);
390 return FALSE;
391 }
392 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
393
394 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
395 {
396 DBG1(DBG_IKE, "no %N selected",
397 transform_type_names, ENCRYPTION_ALGORITHM);
398 prf_plus->destroy(prf_plus);
399 DESTROY_IF(rekey_prf);
400 return FALSE;
401 }
402
403 if (encryption_algorithm_is_aead(alg))
404 {
405 if (!derive_ike_aead(this, alg, key_size, prf_plus))
406 {
407 prf_plus->destroy(prf_plus);
408 DESTROY_IF(rekey_prf);
409 return FALSE;
410 }
411 }
412 else
413 {
414 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
415 &int_alg, NULL))
416 {
417 DBG1(DBG_IKE, "no %N selected",
418 transform_type_names, INTEGRITY_ALGORITHM);
419 prf_plus->destroy(prf_plus);
420 DESTROY_IF(rekey_prf);
421 return FALSE;
422 }
423 if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
424 {
425 prf_plus->destroy(prf_plus);
426 DESTROY_IF(rekey_prf);
427 return FALSE;
428 }
429 }
430
431 /* SK_pi/SK_pr used for authentication => stored for later */
432 key_size = this->prf->get_key_size(this->prf);
433 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
434 {
435 prf_plus->destroy(prf_plus);
436 DESTROY_IF(rekey_prf);
437 return FALSE;
438 }
439 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
440 if (this->initiator)
441 {
442 this->skp_build = key;
443 }
444 else
445 {
446 this->skp_verify = key;
447 }
448 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
449 {
450 prf_plus->destroy(prf_plus);
451 DESTROY_IF(rekey_prf);
452 return FALSE;
453 }
454 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
455 if (this->initiator)
456 {
457 this->skp_verify = key;
458 }
459 else
460 {
461 this->skp_build = key;
462 }
463
464 /* all done, prf_plus not needed anymore */
465 prf_plus->destroy(prf_plus);
466 DESTROY_IF(rekey_prf);
467
468 return TRUE;
469 }
470
471 METHOD(keymat_v2_t, derive_child_keys, bool,
472 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
473 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
474 chunk_t *encr_r, chunk_t *integ_r)
475 {
476 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
477 chunk_t seed, secret = chunk_empty;
478 prf_plus_t *prf_plus;
479
480 if (dh)
481 {
482 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
483 {
484 return FALSE;
485 }
486 DBG4(DBG_CHD, "DH secret %B", &secret);
487 }
488 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
489 DBG4(DBG_CHD, "seed %B", &seed);
490
491 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
492 &enc_alg, &enc_size))
493 {
494 DBG2(DBG_CHD, " using %N for encryption",
495 encryption_algorithm_names, enc_alg);
496
497 if (!enc_size)
498 {
499 enc_size = keymat_get_keylen_encr(enc_alg);
500 }
501 if (enc_alg != ENCR_NULL && !enc_size)
502 {
503 DBG1(DBG_CHD, "no keylength defined for %N",
504 encryption_algorithm_names, enc_alg);
505 return FALSE;
506 }
507 /* to bytes */
508 enc_size /= 8;
509
510 /* CCM/GCM/CTR/GMAC needs additional bytes */
511 switch (enc_alg)
512 {
513 case ENCR_AES_CCM_ICV8:
514 case ENCR_AES_CCM_ICV12:
515 case ENCR_AES_CCM_ICV16:
516 case ENCR_CAMELLIA_CCM_ICV8:
517 case ENCR_CAMELLIA_CCM_ICV12:
518 case ENCR_CAMELLIA_CCM_ICV16:
519 enc_size += 3;
520 break;
521 case ENCR_AES_GCM_ICV8:
522 case ENCR_AES_GCM_ICV12:
523 case ENCR_AES_GCM_ICV16:
524 case ENCR_AES_CTR:
525 case ENCR_NULL_AUTH_AES_GMAC:
526 enc_size += 4;
527 break;
528 default:
529 break;
530 }
531 }
532
533 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
534 &int_alg, &int_size))
535 {
536 DBG2(DBG_CHD, " using %N for integrity",
537 integrity_algorithm_names, int_alg);
538
539 if (!int_size)
540 {
541 int_size = keymat_get_keylen_integ(int_alg);
542 }
543 if (!int_size)
544 {
545 DBG1(DBG_CHD, "no keylength defined for %N",
546 integrity_algorithm_names, int_alg);
547 return FALSE;
548 }
549 /* to bytes */
550 int_size /= 8;
551 }
552
553 if (!this->prf->set_key(this->prf, this->skd))
554 {
555 return FALSE;
556 }
557 prf_plus = prf_plus_create(this->prf, TRUE, seed);
558 if (!prf_plus)
559 {
560 return FALSE;
561 }
562
563 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
564 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
565 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
566 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
567 {
568 prf_plus->destroy(prf_plus);
569 return FALSE;
570 }
571
572 prf_plus->destroy(prf_plus);
573
574 if (enc_size)
575 {
576 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
577 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
578 }
579 if (int_size)
580 {
581 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
582 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
583 }
584 return TRUE;
585 }
586
587 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
588 private_keymat_v2_t *this, chunk_t *skd)
589 {
590 *skd = this->skd;
591 return this->prf_alg;
592 }
593
594 METHOD(keymat_t, get_aead, aead_t*,
595 private_keymat_v2_t *this, bool in)
596 {
597 return in ? this->aead_in : this->aead_out;
598 }
599
600 METHOD(keymat_v2_t, get_auth_octets, bool,
601 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
602 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
603 {
604 chunk_t chunk, idx;
605 chunk_t skp;
606
607 skp = verify ? this->skp_verify : this->skp_build;
608
609 chunk = chunk_alloca(4);
610 chunk.ptr[0] = id->get_type(id);
611 memcpy(chunk.ptr + 1, reserved, 3);
612 idx = chunk_cata("cc", chunk, id->get_encoding(id));
613
614 DBG3(DBG_IKE, "IDx' %B", &idx);
615 DBG3(DBG_IKE, "SK_p %B", &skp);
616 if (!this->prf->set_key(this->prf, skp) ||
617 !this->prf->allocate_bytes(this->prf, idx, &chunk))
618 {
619 return FALSE;
620 }
621 *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
622 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
623 return TRUE;
624 }
625
626 /**
627 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
628 */
629 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
630 #define IKEV2_KEY_PAD_LENGTH 17
631
632 METHOD(keymat_v2_t, get_psk_sig, bool,
633 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
634 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
635 {
636 chunk_t key_pad, key, octets;
637
638 if (!secret.len)
639 { /* EAP uses SK_p if no MSK has been established */
640 secret = verify ? this->skp_verify : this->skp_build;
641 }
642 if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
643 {
644 return FALSE;
645 }
646 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
647 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
648 if (!this->prf->set_key(this->prf, secret) ||
649 !this->prf->allocate_bytes(this->prf, key_pad, &key))
650 {
651 chunk_free(&octets);
652 return FALSE;
653 }
654 if (!this->prf->set_key(this->prf, key) ||
655 !this->prf->allocate_bytes(this->prf, octets, sig))
656 {
657 chunk_free(&key);
658 chunk_free(&octets);
659 return FALSE;
660 }
661 DBG4(DBG_IKE, "secret %B", &secret);
662 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
663 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
664 chunk_free(&octets);
665 chunk_free(&key);
666
667 return TRUE;
668 }
669
670 METHOD(keymat_t, destroy, void,
671 private_keymat_v2_t *this)
672 {
673 DESTROY_IF(this->aead_in);
674 DESTROY_IF(this->aead_out);
675 DESTROY_IF(this->prf);
676 chunk_clear(&this->skd);
677 chunk_clear(&this->skp_verify);
678 chunk_clear(&this->skp_build);
679 free(this);
680 }
681
682 /**
683 * See header
684 */
685 keymat_v2_t *keymat_v2_create(bool initiator)
686 {
687 private_keymat_v2_t *this;
688
689 INIT(this,
690 .public = {
691 .keymat = {
692 .get_version = _get_version,
693 .create_dh = _create_dh,
694 .create_nonce_gen = _create_nonce_gen,
695 .get_aead = _get_aead,
696 .destroy = _destroy,
697 },
698 .derive_ike_keys = _derive_ike_keys,
699 .derive_child_keys = _derive_child_keys,
700 .get_skd = _get_skd,
701 .get_auth_octets = _get_auth_octets,
702 .get_psk_sig = _get_psk_sig,
703 },
704 .initiator = initiator,
705 .prf_alg = PRF_UNDEFINED,
706 );
707
708 return &this->public;
709 }