f237f7059240914b4bffe6dcc3e50acd1e263b89
[strongswan.git] / src / libcharon / sa / ikev2 / keymat_v2.c
1 /*
2 * Copyright (C) 2015 Tobias Brunner
3 * Copyright (C) 2008 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "keymat_v2.h"
18
19 #include <daemon.h>
20 #include <crypto/prf_plus.h>
21 #include <crypto/hashers/hash_algorithm_set.h>
22
23 typedef struct private_keymat_v2_t private_keymat_v2_t;
24
25 /**
26 * Private data of an keymat_t object.
27 */
28 struct private_keymat_v2_t {
29
30 /**
31 * Public keymat_v2_t interface.
32 */
33 keymat_v2_t public;
34
35 /**
36 * IKE_SA Role, initiator or responder
37 */
38 bool initiator;
39
40 /**
41 * inbound AEAD
42 */
43 aead_t *aead_in;
44
45 /**
46 * outbound AEAD
47 */
48 aead_t *aead_out;
49
50 /**
51 * General purpose PRF
52 */
53 prf_t *prf;
54
55 /**
56 * Negotiated PRF algorithm
57 */
58 pseudo_random_function_t prf_alg;
59
60 /**
61 * Key to derive key material from for CHILD_SAs, rekeying
62 */
63 chunk_t skd;
64
65 /**
66 * Key to build outging authentication data (SKp)
67 */
68 chunk_t skp_build;
69
70 /**
71 * Key to verify incoming authentication data (SKp)
72 */
73 chunk_t skp_verify;
74
75 /**
76 * Set of hash algorithms supported by peer for signature authentication
77 */
78 hash_algorithm_set_t *hash_algorithms;
79 };
80
81 METHOD(keymat_t, get_version, ike_version_t,
82 private_keymat_v2_t *this)
83 {
84 return IKEV2;
85 }
86
87 METHOD(keymat_t, create_dh, diffie_hellman_t*,
88 private_keymat_v2_t *this, diffie_hellman_group_t group)
89 {
90 return lib->crypto->create_dh(lib->crypto, group);
91 }
92
93 METHOD(keymat_t, create_nonce_gen, nonce_gen_t*,
94 private_keymat_v2_t *this)
95 {
96 return lib->crypto->create_nonce_gen(lib->crypto);
97 }
98
99 /**
100 * Derive IKE keys for a combined AEAD algorithm
101 */
102 static bool derive_ike_aead(private_keymat_v2_t *this, u_int16_t alg,
103 u_int16_t key_size, prf_plus_t *prf_plus)
104 {
105 aead_t *aead_i, *aead_r;
106 chunk_t key = chunk_empty;
107 u_int salt_size;
108
109 switch (alg)
110 {
111 case ENCR_AES_GCM_ICV8:
112 case ENCR_AES_GCM_ICV12:
113 case ENCR_AES_GCM_ICV16:
114 /* RFC 4106 */
115 salt_size = 4;
116 break;
117 case ENCR_AES_CCM_ICV8:
118 case ENCR_AES_CCM_ICV12:
119 case ENCR_AES_CCM_ICV16:
120 /* RFC 4309 */
121 case ENCR_CAMELLIA_CCM_ICV8:
122 case ENCR_CAMELLIA_CCM_ICV12:
123 case ENCR_CAMELLIA_CCM_ICV16:
124 /* RFC 5529 */
125 salt_size = 3;
126 break;
127 default:
128 DBG1(DBG_IKE, "nonce size for %N unknown!",
129 encryption_algorithm_names, alg);
130 return FALSE;
131 }
132
133 /* SK_ei/SK_er used for encryption */
134 aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
135 aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8, salt_size);
136 if (aead_i == NULL || aead_r == NULL)
137 {
138 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
139 transform_type_names, ENCRYPTION_ALGORITHM,
140 encryption_algorithm_names, alg, key_size);
141 goto failure;
142 }
143 key_size = aead_i->get_key_size(aead_i);
144 if (key_size != aead_r->get_key_size(aead_r))
145 {
146 goto failure;
147 }
148 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
149 {
150 goto failure;
151 }
152 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
153 if (!aead_i->set_key(aead_i, key))
154 {
155 goto failure;
156 }
157 chunk_clear(&key);
158
159 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
160 {
161 goto failure;
162 }
163 DBG4(DBG_IKE, "Sk_er secret %B", &key);
164 if (!aead_r->set_key(aead_r, key))
165 {
166 goto failure;
167 }
168
169 if (this->initiator)
170 {
171 this->aead_in = aead_r;
172 this->aead_out = aead_i;
173 }
174 else
175 {
176 this->aead_in = aead_i;
177 this->aead_out = aead_r;
178 }
179 aead_i = aead_r = NULL;
180
181 failure:
182 DESTROY_IF(aead_i);
183 DESTROY_IF(aead_r);
184 chunk_clear(&key);
185 return this->aead_in && this->aead_out;
186 }
187
188 /**
189 * Derive IKE keys for traditional encryption and MAC algorithms
190 */
191 static bool derive_ike_traditional(private_keymat_v2_t *this, u_int16_t enc_alg,
192 u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus)
193 {
194 crypter_t *crypter_i = NULL, *crypter_r = NULL;
195 signer_t *signer_i, *signer_r;
196 size_t key_size;
197 chunk_t key = chunk_empty;
198
199 signer_i = lib->crypto->create_signer(lib->crypto, int_alg);
200 signer_r = lib->crypto->create_signer(lib->crypto, int_alg);
201 crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
202 crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8);
203 if (signer_i == NULL || signer_r == NULL)
204 {
205 DBG1(DBG_IKE, "%N %N not supported!",
206 transform_type_names, INTEGRITY_ALGORITHM,
207 integrity_algorithm_names, int_alg);
208 goto failure;
209 }
210 if (crypter_i == NULL || crypter_r == NULL)
211 {
212 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
213 transform_type_names, ENCRYPTION_ALGORITHM,
214 encryption_algorithm_names, enc_alg, enc_size);
215 goto failure;
216 }
217
218 /* SK_ai/SK_ar used for integrity protection */
219 key_size = signer_i->get_key_size(signer_i);
220
221 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
222 {
223 goto failure;
224 }
225 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
226 if (!signer_i->set_key(signer_i, key))
227 {
228 goto failure;
229 }
230 chunk_clear(&key);
231
232 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
233 {
234 goto failure;
235 }
236 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
237 if (!signer_r->set_key(signer_r, key))
238 {
239 goto failure;
240 }
241 chunk_clear(&key);
242
243 /* SK_ei/SK_er used for encryption */
244 key_size = crypter_i->get_key_size(crypter_i);
245
246 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
247 {
248 goto failure;
249 }
250 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
251 if (!crypter_i->set_key(crypter_i, key))
252 {
253 goto failure;
254 }
255 chunk_clear(&key);
256
257 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
258 {
259 goto failure;
260 }
261 DBG4(DBG_IKE, "Sk_er secret %B", &key);
262 if (!crypter_r->set_key(crypter_r, key))
263 {
264 goto failure;
265 }
266
267 if (this->initiator)
268 {
269 this->aead_in = aead_create(crypter_r, signer_r);
270 this->aead_out = aead_create(crypter_i, signer_i);
271 }
272 else
273 {
274 this->aead_in = aead_create(crypter_i, signer_i);
275 this->aead_out = aead_create(crypter_r, signer_r);
276 }
277 signer_i = signer_r = NULL;
278 crypter_i = crypter_r = NULL;
279
280 failure:
281 chunk_clear(&key);
282 DESTROY_IF(signer_i);
283 DESTROY_IF(signer_r);
284 DESTROY_IF(crypter_i);
285 DESTROY_IF(crypter_r);
286 return this->aead_in && this->aead_out;
287 }
288
289 METHOD(keymat_v2_t, derive_ike_keys, bool,
290 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
291 chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id,
292 pseudo_random_function_t rekey_function, chunk_t rekey_skd)
293 {
294 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
295 chunk_t spi_i, spi_r;
296 prf_plus_t *prf_plus = NULL;
297 u_int16_t alg, key_size, int_alg;
298 prf_t *rekey_prf = NULL;
299
300 spi_i = chunk_alloca(sizeof(u_int64_t));
301 spi_r = chunk_alloca(sizeof(u_int64_t));
302
303 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
304 {
305 return FALSE;
306 }
307
308 /* Create SAs general purpose PRF first, we may use it here */
309 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
310 {
311 DBG1(DBG_IKE, "no %N selected",
312 transform_type_names, PSEUDO_RANDOM_FUNCTION);
313 chunk_clear(&secret);
314 return FALSE;
315 }
316 this->prf_alg = alg;
317 this->prf = lib->crypto->create_prf(lib->crypto, alg);
318 if (this->prf == NULL)
319 {
320 DBG1(DBG_IKE, "%N %N not supported!",
321 transform_type_names, PSEUDO_RANDOM_FUNCTION,
322 pseudo_random_function_names, alg);
323 chunk_clear(&secret);
324 return FALSE;
325 }
326 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
327 /* full nonce is used as seed for PRF+ ... */
328 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
329 /* but the PRF may need a fixed key which only uses the first bytes of
330 * the nonces. */
331 switch (alg)
332 {
333 case PRF_AES128_XCBC:
334 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
335 * not and therefore fixed key semantics apply to XCBC for key
336 * derivation. */
337 case PRF_CAMELLIA128_XCBC:
338 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
339 * assume fixed key length. */
340 key_size = this->prf->get_key_size(this->prf)/2;
341 nonce_i.len = min(nonce_i.len, key_size);
342 nonce_r.len = min(nonce_r.len, key_size);
343 break;
344 default:
345 /* all other algorithms use variable key length, full nonce */
346 break;
347 }
348 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
349 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
350 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
351 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
352
353 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
354 *
355 * if we are rekeying, SKEYSEED is built on another way
356 */
357 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
358 {
359 /* SKEYSEED = prf(Ni | Nr, g^ir) */
360 if (this->prf->set_key(this->prf, fixed_nonce) &&
361 this->prf->allocate_bytes(this->prf, secret, &skeyseed) &&
362 this->prf->set_key(this->prf, skeyseed))
363 {
364 prf_plus = prf_plus_create(this->prf, TRUE, prf_plus_seed);
365 }
366 }
367 else
368 {
369 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
370 * use OLD SAs PRF functions for both prf_plus and prf */
371 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
372 if (!rekey_prf)
373 {
374 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
375 pseudo_random_function_names, rekey_function);
376 chunk_clear(&secret);
377 chunk_free(&full_nonce);
378 chunk_free(&fixed_nonce);
379 chunk_clear(&prf_plus_seed);
380 return FALSE;
381 }
382 secret = chunk_cat("mc", secret, full_nonce);
383 if (rekey_prf->set_key(rekey_prf, rekey_skd) &&
384 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed) &&
385 rekey_prf->set_key(rekey_prf, skeyseed))
386 {
387 prf_plus = prf_plus_create(rekey_prf, TRUE, prf_plus_seed);
388 }
389 }
390 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
391
392 chunk_clear(&skeyseed);
393 chunk_clear(&secret);
394 chunk_free(&full_nonce);
395 chunk_free(&fixed_nonce);
396 chunk_clear(&prf_plus_seed);
397
398 if (!prf_plus)
399 {
400 goto failure;
401 }
402
403 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
404
405 /* SK_d is used for generating CHILD_SA key mat => store for later use */
406 key_size = this->prf->get_key_size(this->prf);
407 if (!prf_plus->allocate_bytes(prf_plus, key_size, &this->skd))
408 {
409 goto failure;
410 }
411 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
412
413 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
414 {
415 DBG1(DBG_IKE, "no %N selected",
416 transform_type_names, ENCRYPTION_ALGORITHM);
417 goto failure;
418 }
419
420 if (encryption_algorithm_is_aead(alg))
421 {
422 if (!derive_ike_aead(this, alg, key_size, prf_plus))
423 {
424 goto failure;
425 }
426 }
427 else
428 {
429 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
430 &int_alg, NULL))
431 {
432 DBG1(DBG_IKE, "no %N selected",
433 transform_type_names, INTEGRITY_ALGORITHM);
434 goto failure;
435 }
436 if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus))
437 {
438 goto failure;
439 }
440 }
441
442 /* SK_pi/SK_pr used for authentication => stored for later */
443 key_size = this->prf->get_key_size(this->prf);
444 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
445 {
446 goto failure;
447 }
448 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
449 if (this->initiator)
450 {
451 this->skp_build = key;
452 }
453 else
454 {
455 this->skp_verify = key;
456 }
457 if (!prf_plus->allocate_bytes(prf_plus, key_size, &key))
458 {
459 goto failure;
460 }
461 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
462 if (this->initiator)
463 {
464 this->skp_verify = key;
465 }
466 else
467 {
468 this->skp_build = key;
469 }
470
471 /* all done, prf_plus not needed anymore */
472 failure:
473 DESTROY_IF(prf_plus);
474 DESTROY_IF(rekey_prf);
475
476 return this->skp_build.len && this->skp_verify.len;
477 }
478
479 METHOD(keymat_v2_t, derive_child_keys, bool,
480 private_keymat_v2_t *this, proposal_t *proposal, diffie_hellman_t *dh,
481 chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i,
482 chunk_t *encr_r, chunk_t *integ_r)
483 {
484 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
485 chunk_t seed, secret = chunk_empty;
486 prf_plus_t *prf_plus;
487
488 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
489 &enc_alg, &enc_size))
490 {
491 DBG2(DBG_CHD, " using %N for encryption",
492 encryption_algorithm_names, enc_alg);
493
494 if (!enc_size)
495 {
496 enc_size = keymat_get_keylen_encr(enc_alg);
497 }
498 if (enc_alg != ENCR_NULL && !enc_size)
499 {
500 DBG1(DBG_CHD, "no keylength defined for %N",
501 encryption_algorithm_names, enc_alg);
502 return FALSE;
503 }
504 /* to bytes */
505 enc_size /= 8;
506
507 /* CCM/GCM/CTR/GMAC needs additional bytes */
508 switch (enc_alg)
509 {
510 case ENCR_AES_CCM_ICV8:
511 case ENCR_AES_CCM_ICV12:
512 case ENCR_AES_CCM_ICV16:
513 case ENCR_CAMELLIA_CCM_ICV8:
514 case ENCR_CAMELLIA_CCM_ICV12:
515 case ENCR_CAMELLIA_CCM_ICV16:
516 enc_size += 3;
517 break;
518 case ENCR_AES_GCM_ICV8:
519 case ENCR_AES_GCM_ICV12:
520 case ENCR_AES_GCM_ICV16:
521 case ENCR_AES_CTR:
522 case ENCR_NULL_AUTH_AES_GMAC:
523 enc_size += 4;
524 break;
525 default:
526 break;
527 }
528 }
529
530 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
531 &int_alg, &int_size))
532 {
533 DBG2(DBG_CHD, " using %N for integrity",
534 integrity_algorithm_names, int_alg);
535
536 if (!int_size)
537 {
538 int_size = keymat_get_keylen_integ(int_alg);
539 }
540 if (!int_size)
541 {
542 DBG1(DBG_CHD, "no keylength defined for %N",
543 integrity_algorithm_names, int_alg);
544 return FALSE;
545 }
546 /* to bytes */
547 int_size /= 8;
548 }
549
550 if (!this->prf->set_key(this->prf, this->skd))
551 {
552 return FALSE;
553 }
554
555 if (dh)
556 {
557 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
558 {
559 return FALSE;
560 }
561 DBG4(DBG_CHD, "DH secret %B", &secret);
562 }
563 seed = chunk_cata("scc", secret, nonce_i, nonce_r);
564 DBG4(DBG_CHD, "seed %B", &seed);
565
566 prf_plus = prf_plus_create(this->prf, TRUE, seed);
567 memwipe(seed.ptr, seed.len);
568
569 if (!prf_plus)
570 {
571 return FALSE;
572 }
573
574 *encr_i = *integ_i = *encr_r = *integ_r = chunk_empty;
575 if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
576 !prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
577 !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
578 !prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
579 {
580 chunk_free(encr_i);
581 chunk_free(integ_i);
582 chunk_free(encr_r);
583 chunk_free(integ_r);
584 prf_plus->destroy(prf_plus);
585 return FALSE;
586 }
587
588 prf_plus->destroy(prf_plus);
589
590 if (enc_size)
591 {
592 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
593 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
594 }
595 if (int_size)
596 {
597 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
598 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
599 }
600 return TRUE;
601 }
602
603 METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
604 private_keymat_v2_t *this, chunk_t *skd)
605 {
606 *skd = this->skd;
607 return this->prf_alg;
608 }
609
610 METHOD(keymat_t, get_aead, aead_t*,
611 private_keymat_v2_t *this, bool in)
612 {
613 return in ? this->aead_in : this->aead_out;
614 }
615
616 METHOD(keymat_v2_t, get_auth_octets, bool,
617 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
618 chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
619 {
620 chunk_t chunk, idx;
621 chunk_t skp;
622
623 skp = verify ? this->skp_verify : this->skp_build;
624
625 chunk = chunk_alloca(4);
626 chunk.ptr[0] = id->get_type(id);
627 memcpy(chunk.ptr + 1, reserved, 3);
628 idx = chunk_cata("cc", chunk, id->get_encoding(id));
629
630 DBG3(DBG_IKE, "IDx' %B", &idx);
631 DBG4(DBG_IKE, "SK_p %B", &skp);
632 if (!this->prf->set_key(this->prf, skp) ||
633 !this->prf->allocate_bytes(this->prf, idx, &chunk))
634 {
635 return FALSE;
636 }
637 *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
638 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
639 return TRUE;
640 }
641
642 /**
643 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
644 */
645 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
646 #define IKEV2_KEY_PAD_LENGTH 17
647
648 METHOD(keymat_v2_t, get_psk_sig, bool,
649 private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
650 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
651 {
652 chunk_t key_pad, key, octets;
653
654 if (!secret.len)
655 { /* EAP uses SK_p if no MSK has been established */
656 secret = verify ? this->skp_verify : this->skp_build;
657 }
658 if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
659 {
660 return FALSE;
661 }
662 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
663 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
664 if (!this->prf->set_key(this->prf, secret) ||
665 !this->prf->allocate_bytes(this->prf, key_pad, &key))
666 {
667 chunk_free(&octets);
668 return FALSE;
669 }
670 if (!this->prf->set_key(this->prf, key) ||
671 !this->prf->allocate_bytes(this->prf, octets, sig))
672 {
673 chunk_free(&key);
674 chunk_free(&octets);
675 return FALSE;
676 }
677 DBG4(DBG_IKE, "secret %B", &secret);
678 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
679 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
680 chunk_free(&octets);
681 chunk_free(&key);
682
683 return TRUE;
684 }
685
686 METHOD(keymat_v2_t, hash_algorithm_supported, bool,
687 private_keymat_v2_t *this, hash_algorithm_t hash)
688 {
689 if (!this->hash_algorithms)
690 {
691 return FALSE;
692 }
693 return this->hash_algorithms->contains(this->hash_algorithms, hash);
694 }
695
696 METHOD(keymat_v2_t, add_hash_algorithm, void,
697 private_keymat_v2_t *this, hash_algorithm_t hash)
698 {
699 if (!this->hash_algorithms)
700 {
701 this->hash_algorithms = hash_algorithm_set_create();
702 }
703 this->hash_algorithms->add(this->hash_algorithms, hash);
704 }
705
706 METHOD(keymat_t, destroy, void,
707 private_keymat_v2_t *this)
708 {
709 DESTROY_IF(this->aead_in);
710 DESTROY_IF(this->aead_out);
711 DESTROY_IF(this->prf);
712 chunk_clear(&this->skd);
713 chunk_clear(&this->skp_verify);
714 chunk_clear(&this->skp_build);
715 DESTROY_IF(this->hash_algorithms);
716 free(this);
717 }
718
719 /**
720 * See header
721 */
722 keymat_v2_t *keymat_v2_create(bool initiator)
723 {
724 private_keymat_v2_t *this;
725
726 INIT(this,
727 .public = {
728 .keymat = {
729 .get_version = _get_version,
730 .create_dh = _create_dh,
731 .create_nonce_gen = _create_nonce_gen,
732 .get_aead = _get_aead,
733 .destroy = _destroy,
734 },
735 .derive_ike_keys = _derive_ike_keys,
736 .derive_child_keys = _derive_child_keys,
737 .get_skd = _get_skd,
738 .get_auth_octets = _get_auth_octets,
739 .get_psk_sig = _get_psk_sig,
740 .add_hash_algorithm = _add_hash_algorithm,
741 .hash_algorithm_supported = _hash_algorithm_supported,
742
743 },
744 .initiator = initiator,
745 .prf_alg = PRF_UNDEFINED,
746 );
747
748 return &this->public;
749 }