Added support for Camellia cipher to xcbc
[strongswan.git] / src / libcharon / sa / keymat.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "keymat.h"
17
18 #include <daemon.h>
19 #include <crypto/prf_plus.h>
20
21 typedef struct private_keymat_t private_keymat_t;
22
23 /**
24 * Private data of an keymat_t object.
25 */
26 struct private_keymat_t {
27
28 /**
29 * Public keymat_t interface.
30 */
31 keymat_t public;
32
33 /**
34 * IKE_SA Role, initiator or responder
35 */
36 bool initiator;
37
38 /**
39 * inbound signer (verify)
40 */
41 signer_t *signer_in;
42
43 /**
44 * outbound signer (sign)
45 */
46 signer_t *signer_out;
47
48 /**
49 * inbound crypter (decrypt)
50 */
51 crypter_t *crypter_in;
52
53 /**
54 * outbound crypter (encrypt)
55 */
56 crypter_t *crypter_out;
57
58 /**
59 * General purpose PRF
60 */
61 prf_t *prf;
62
63 /**
64 * Negotiated PRF algorithm
65 */
66 pseudo_random_function_t prf_alg;
67
68 /**
69 * Key to derive key material from for CHILD_SAs, rekeying
70 */
71 chunk_t skd;
72
73 /**
74 * Key to build outging authentication data (SKp)
75 */
76 chunk_t skp_build;
77
78 /**
79 * Key to verify incoming authentication data (SKp)
80 */
81 chunk_t skp_verify;
82 };
83
84 typedef struct keylen_entry_t keylen_entry_t;
85
86 /**
87 * Implicit key length for an algorithm
88 */
89 struct keylen_entry_t {
90 /** IKEv2 algorithm identifier */
91 int algo;
92 /** key length in bits */
93 int len;
94 };
95
96 #define END_OF_LIST -1
97
98 /**
99 * Keylen for encryption algos
100 */
101 keylen_entry_t keylen_enc[] = {
102 {ENCR_DES, 64},
103 {ENCR_3DES, 192},
104 {END_OF_LIST, 0}
105 };
106
107 /**
108 * Keylen for integrity algos
109 */
110 keylen_entry_t keylen_int[] = {
111 {AUTH_HMAC_MD5_96, 128},
112 {AUTH_HMAC_SHA1_96, 160},
113 {AUTH_HMAC_SHA2_256_96, 256},
114 {AUTH_HMAC_SHA2_256_128, 256},
115 {AUTH_HMAC_SHA2_384_192, 384},
116 {AUTH_HMAC_SHA2_512_256, 512},
117 {AUTH_AES_XCBC_96, 128},
118 {END_OF_LIST, 0}
119 };
120
121 /**
122 * Lookup key length of an algorithm
123 */
124 static int lookup_keylen(keylen_entry_t *list, int algo)
125 {
126 while (list->algo != END_OF_LIST)
127 {
128 if (algo == list->algo)
129 {
130 return list->len;
131 }
132 list++;
133 }
134 return 0;
135 }
136
137 /**
138 * Implementation of keymat_t.create_dh
139 */
140 static diffie_hellman_t* create_dh(private_keymat_t *this,
141 diffie_hellman_group_t group)
142 {
143 return lib->crypto->create_dh(lib->crypto, group);;
144 }
145
146 /**
147 * Implementation of keymat_t.derive_keys
148 */
149 static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
150 diffie_hellman_t *dh, chunk_t nonce_i,
151 chunk_t nonce_r, ike_sa_id_t *id,
152 pseudo_random_function_t rekey_function,
153 chunk_t rekey_skd)
154 {
155 chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
156 chunk_t spi_i, spi_r;
157 crypter_t *crypter_i, *crypter_r;
158 signer_t *signer_i, *signer_r;
159 prf_plus_t *prf_plus;
160 u_int16_t alg, key_size;
161 prf_t *rekey_prf = NULL;
162
163 spi_i = chunk_alloca(sizeof(u_int64_t));
164 spi_r = chunk_alloca(sizeof(u_int64_t));
165
166 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
167 {
168 return FALSE;
169 }
170
171 /* Create SAs general purpose PRF first, we may use it here */
172 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
173 {
174 DBG1(DBG_IKE, "no %N selected",
175 transform_type_names, PSEUDO_RANDOM_FUNCTION);
176 return FALSE;
177 }
178 this->prf_alg = alg;
179 this->prf = lib->crypto->create_prf(lib->crypto, alg);
180 if (this->prf == NULL)
181 {
182 DBG1(DBG_IKE, "%N %N not supported!",
183 transform_type_names, PSEUDO_RANDOM_FUNCTION,
184 pseudo_random_function_names, alg);
185 return FALSE;
186 }
187 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
188 /* full nonce is used as seed for PRF+ ... */
189 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
190 /* but the PRF may need a fixed key which only uses the first bytes of
191 * the nonces. */
192 switch (alg)
193 {
194 case PRF_AES128_XCBC:
195 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
196 * not and therefore fixed key semantics apply to XCBC for key
197 * derivation. */
198 case PRF_CAMELLIA128_XCBC:
199 /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we
200 * assume fixed key length. */
201 key_size = this->prf->get_key_size(this->prf)/2;
202 nonce_i.len = min(nonce_i.len, key_size);
203 nonce_r.len = min(nonce_r.len, key_size);
204 break;
205 default:
206 /* all other algorithms use variable key length, full nonce */
207 break;
208 }
209 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
210 *((u_int64_t*)spi_i.ptr) = id->get_initiator_spi(id);
211 *((u_int64_t*)spi_r.ptr) = id->get_responder_spi(id);
212 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
213
214 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
215 *
216 * if we are rekeying, SKEYSEED is built on another way
217 */
218 if (rekey_function == PRF_UNDEFINED) /* not rekeying */
219 {
220 /* SKEYSEED = prf(Ni | Nr, g^ir) */
221 this->prf->set_key(this->prf, fixed_nonce);
222 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
223 this->prf->set_key(this->prf, skeyseed);
224 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
225 }
226 else
227 {
228 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
229 * use OLD SAs PRF functions for both prf_plus and prf */
230 rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
231 if (!rekey_prf)
232 {
233 DBG1(DBG_IKE, "PRF of old SA %N not supported!",
234 pseudo_random_function_names, rekey_function);
235 chunk_free(&full_nonce);
236 chunk_free(&fixed_nonce);
237 chunk_clear(&prf_plus_seed);
238 return FALSE;
239 }
240 secret = chunk_cat("mc", secret, full_nonce);
241 rekey_prf->set_key(rekey_prf, rekey_skd);
242 rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
243 rekey_prf->set_key(rekey_prf, skeyseed);
244 prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
245 }
246 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
247
248 chunk_clear(&skeyseed);
249 chunk_clear(&secret);
250 chunk_free(&full_nonce);
251 chunk_free(&fixed_nonce);
252 chunk_clear(&prf_plus_seed);
253
254 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
255
256 /* SK_d is used for generating CHILD_SA key mat => store for later use */
257 key_size = this->prf->get_key_size(this->prf);
258 prf_plus->allocate_bytes(prf_plus, key_size, &this->skd);
259 DBG4(DBG_IKE, "Sk_d secret %B", &this->skd);
260
261 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
262 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
263 {
264 DBG1(DBG_IKE, "no %N selected",
265 transform_type_names, INTEGRITY_ALGORITHM);
266 prf_plus->destroy(prf_plus);
267 DESTROY_IF(rekey_prf);
268 return FALSE;
269 }
270 signer_i = lib->crypto->create_signer(lib->crypto, alg);
271 signer_r = lib->crypto->create_signer(lib->crypto, alg);
272 if (signer_i == NULL || signer_r == NULL)
273 {
274 DBG1(DBG_IKE, "%N %N not supported!",
275 transform_type_names, INTEGRITY_ALGORITHM,
276 integrity_algorithm_names ,alg);
277 prf_plus->destroy(prf_plus);
278 DESTROY_IF(rekey_prf);
279 return FALSE;
280 }
281 key_size = signer_i->get_key_size(signer_i);
282
283 prf_plus->allocate_bytes(prf_plus, key_size, &key);
284 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
285 signer_i->set_key(signer_i, key);
286 chunk_clear(&key);
287
288 prf_plus->allocate_bytes(prf_plus, key_size, &key);
289 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
290 signer_r->set_key(signer_r, key);
291 chunk_clear(&key);
292
293 if (this->initiator)
294 {
295 this->signer_in = signer_r;
296 this->signer_out = signer_i;
297 }
298 else
299 {
300 this->signer_in = signer_i;
301 this->signer_out = signer_r;
302 }
303
304 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
305 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
306 {
307 DBG1(DBG_IKE, "no %N selected",
308 transform_type_names, ENCRYPTION_ALGORITHM);
309 prf_plus->destroy(prf_plus);
310 DESTROY_IF(rekey_prf);
311 return FALSE;
312 }
313 crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
314 crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
315 if (crypter_i == NULL || crypter_r == NULL)
316 {
317 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
318 transform_type_names, ENCRYPTION_ALGORITHM,
319 encryption_algorithm_names, alg, key_size);
320 prf_plus->destroy(prf_plus);
321 DESTROY_IF(rekey_prf);
322 return FALSE;
323 }
324 key_size = crypter_i->get_key_size(crypter_i);
325
326 prf_plus->allocate_bytes(prf_plus, key_size, &key);
327 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
328 crypter_i->set_key(crypter_i, key);
329 chunk_clear(&key);
330
331 prf_plus->allocate_bytes(prf_plus, key_size, &key);
332 DBG4(DBG_IKE, "Sk_er secret %B", &key);
333 crypter_r->set_key(crypter_r, key);
334 chunk_clear(&key);
335
336 if (this->initiator)
337 {
338 this->crypter_in = crypter_r;
339 this->crypter_out = crypter_i;
340 }
341 else
342 {
343 this->crypter_in = crypter_i;
344 this->crypter_out = crypter_r;
345 }
346
347 /* SK_pi/SK_pr used for authentication => stored for later */
348 key_size = this->prf->get_key_size(this->prf);
349 prf_plus->allocate_bytes(prf_plus, key_size, &key);
350 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
351 if (this->initiator)
352 {
353 this->skp_build = key;
354 }
355 else
356 {
357 this->skp_verify = key;
358 }
359 prf_plus->allocate_bytes(prf_plus, key_size, &key);
360 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
361 if (this->initiator)
362 {
363 this->skp_verify = key;
364 }
365 else
366 {
367 this->skp_build = key;
368 }
369
370 /* all done, prf_plus not needed anymore */
371 prf_plus->destroy(prf_plus);
372 DESTROY_IF(rekey_prf);
373
374 return TRUE;
375 }
376
377 /**
378 * Implementation of keymat_t.derive_child_keys
379 */
380 static bool derive_child_keys(private_keymat_t *this,
381 proposal_t *proposal, diffie_hellman_t *dh,
382 chunk_t nonce_i, chunk_t nonce_r,
383 chunk_t *encr_i, chunk_t *integ_i,
384 chunk_t *encr_r, chunk_t *integ_r)
385 {
386 u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0;
387 chunk_t seed, secret = chunk_empty;
388 prf_plus_t *prf_plus;
389
390 if (dh)
391 {
392 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
393 {
394 return FALSE;
395 }
396 DBG4(DBG_CHD, "DH secret %B", &secret);
397 }
398 seed = chunk_cata("mcc", secret, nonce_i, nonce_r);
399 DBG4(DBG_CHD, "seed %B", &seed);
400
401 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM,
402 &enc_alg, &enc_size))
403 {
404 DBG2(DBG_CHD, " using %N for encryption",
405 encryption_algorithm_names, enc_alg);
406
407 if (!enc_size)
408 {
409 enc_size = lookup_keylen(keylen_enc, enc_alg);
410 }
411 if (enc_alg != ENCR_NULL && !enc_size)
412 {
413 DBG1(DBG_CHD, "no keylength defined for %N",
414 encryption_algorithm_names, enc_alg);
415 return FALSE;
416 }
417 /* to bytes */
418 enc_size /= 8;
419
420 /* CCM/GCM/CTR/GMAC needs additional bytes */
421 switch (enc_alg)
422 {
423 case ENCR_AES_CCM_ICV8:
424 case ENCR_AES_CCM_ICV12:
425 case ENCR_AES_CCM_ICV16:
426 case ENCR_CAMELLIA_CCM_ICV8:
427 case ENCR_CAMELLIA_CCM_ICV12:
428 case ENCR_CAMELLIA_CCM_ICV16:
429 enc_size += 3;
430 break;
431 case ENCR_AES_GCM_ICV8:
432 case ENCR_AES_GCM_ICV12:
433 case ENCR_AES_GCM_ICV16:
434 case ENCR_AES_CTR:
435 case ENCR_NULL_AUTH_AES_GMAC:
436 enc_size += 4;
437 break;
438 default:
439 break;
440 }
441 }
442
443 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM,
444 &int_alg, &int_size))
445 {
446 DBG2(DBG_CHD, " using %N for integrity",
447 integrity_algorithm_names, int_alg);
448
449 if (!int_size)
450 {
451 int_size = lookup_keylen(keylen_int, int_alg);
452 }
453 if (!int_size)
454 {
455 DBG1(DBG_CHD, "no keylength defined for %N",
456 integrity_algorithm_names, int_alg);
457 return FALSE;
458 }
459 /* to bytes */
460 int_size /= 8;
461 }
462
463 this->prf->set_key(this->prf, this->skd);
464 prf_plus = prf_plus_create(this->prf, seed);
465
466 prf_plus->allocate_bytes(prf_plus, enc_size, encr_i);
467 prf_plus->allocate_bytes(prf_plus, int_size, integ_i);
468 prf_plus->allocate_bytes(prf_plus, enc_size, encr_r);
469 prf_plus->allocate_bytes(prf_plus, int_size, integ_r);
470
471 prf_plus->destroy(prf_plus);
472
473 if (enc_size)
474 {
475 DBG4(DBG_CHD, "encryption initiator key %B", encr_i);
476 DBG4(DBG_CHD, "encryption responder key %B", encr_r);
477 }
478 if (int_size)
479 {
480 DBG4(DBG_CHD, "integrity initiator key %B", integ_i);
481 DBG4(DBG_CHD, "integrity responder key %B", integ_r);
482 }
483 return TRUE;
484 }
485
486 /**
487 * Implementation of keymat_t.get_skd
488 */
489 static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
490 {
491 *skd = this->skd;
492 return this->prf_alg;
493 }
494
495 /**
496 * Implementation of keymat_t.get_signer
497 */
498 static signer_t* get_signer(private_keymat_t *this, bool in)
499 {
500 return in ? this->signer_in : this->signer_out;
501 }
502
503 /**
504 * Implementation of keymat_t.get_crypter
505 */
506 static crypter_t* get_crypter(private_keymat_t *this, bool in)
507 {
508 return in ? this->crypter_in : this->crypter_out;
509 }
510
511 /**
512 * Implementation of keymat_t.get_auth_octets
513 */
514 static chunk_t get_auth_octets(private_keymat_t *this, bool verify,
515 chunk_t ike_sa_init, chunk_t nonce,
516 identification_t *id)
517 {
518 chunk_t chunk, idx, octets;
519 chunk_t skp;
520
521 skp = verify ? this->skp_verify : this->skp_build;
522
523 chunk = chunk_alloca(4);
524 memset(chunk.ptr, 0, chunk.len);
525 chunk.ptr[0] = id->get_type(id);
526 idx = chunk_cata("cc", chunk, id->get_encoding(id));
527
528 DBG3(DBG_IKE, "IDx' %B", &idx);
529 DBG3(DBG_IKE, "SK_p %B", &skp);
530 this->prf->set_key(this->prf, skp);
531 this->prf->allocate_bytes(this->prf, idx, &chunk);
532
533 octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
534 DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
535 return octets;
536 }
537
538 /**
539 * Key pad for the AUTH method SHARED_KEY_MESSAGE_INTEGRITY_CODE.
540 */
541 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
542 #define IKEV2_KEY_PAD_LENGTH 17
543
544 /**
545 * Implementation of keymat_t.get_psk_sig
546 */
547 static chunk_t get_psk_sig(private_keymat_t *this, bool verify,
548 chunk_t ike_sa_init, chunk_t nonce, chunk_t secret,
549 identification_t *id)
550 {
551 chunk_t key_pad, key, sig, octets;
552
553 if (!secret.len)
554 { /* EAP uses SK_p if no MSK has been established */
555 secret = verify ? this->skp_verify : this->skp_build;
556 }
557 octets = get_auth_octets(this, verify, ike_sa_init, nonce, id);
558 /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
559 key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
560 this->prf->set_key(this->prf, secret);
561 this->prf->allocate_bytes(this->prf, key_pad, &key);
562 this->prf->set_key(this->prf, key);
563 this->prf->allocate_bytes(this->prf, octets, &sig);
564 DBG4(DBG_IKE, "secret %B", &secret);
565 DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
566 DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
567 chunk_free(&octets);
568 chunk_free(&key);
569
570 return sig;
571 }
572
573 /**
574 * Implementation of keymat_t.destroy.
575 */
576 static void destroy(private_keymat_t *this)
577 {
578 DESTROY_IF(this->signer_in);
579 DESTROY_IF(this->signer_out);
580 DESTROY_IF(this->crypter_in);
581 DESTROY_IF(this->crypter_out);
582 DESTROY_IF(this->prf);
583 chunk_clear(&this->skd);
584 chunk_clear(&this->skp_verify);
585 chunk_clear(&this->skp_build);
586 free(this);
587 }
588
589 /**
590 * See header
591 */
592 keymat_t *keymat_create(bool initiator)
593 {
594 private_keymat_t *this = malloc_thing(private_keymat_t);
595
596 this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
597 this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
598 this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
599 this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
600 this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
601 this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
602 this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
603 this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig;
604 this->public.destroy = (void(*)(keymat_t*))destroy;
605
606 this->initiator = initiator;
607
608 this->signer_in = NULL;
609 this->signer_out = NULL;
610 this->crypter_in = NULL;
611 this->crypter_out = NULL;
612 this->prf = NULL;
613 this->prf_alg = PRF_UNDEFINED;
614 this->skd = chunk_empty;
615 this->skp_verify = chunk_empty;
616 this->skp_build = chunk_empty;
617
618 return &this->public;
619 }
620