Add a return value to crypter_t.decrypt()
[strongswan.git] / src / libsimaka / simaka_crypto.c
1 /*
2 * Copyright (C) 2009-2011 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "simaka_crypto.h"
17
18 #include "simaka_manager.h"
19
20 #include <debug.h>
21
22 /** length of the k_encr key */
23 #define KENCR_LEN 16
24 /** length of the k_auth key */
25 #define KAUTH_LEN 16
26 /** length of the MSK */
27 #define MSK_LEN 64
28 /** length of the EMSK */
29 #define EMSK_LEN 64
30
31 typedef struct private_simaka_crypto_t private_simaka_crypto_t;
32
33 /**
34 * Private data of an simaka_crypto_t object.
35 */
36 struct private_simaka_crypto_t {
37
38 /**
39 * Public simaka_crypto_t interface.
40 */
41 simaka_crypto_t public;
42
43 /**
44 * EAP type this crypto is used, SIM or AKA
45 */
46 eap_type_t type;
47
48 /**
49 * signer to create/verify AT_MAC
50 */
51 signer_t *signer;
52
53 /**
54 * crypter to encrypt/decrypt AT_ENCR_DATA
55 */
56 crypter_t *crypter;
57
58 /**
59 * hasher used in key derivation
60 */
61 hasher_t *hasher;
62
63 /**
64 * PRF function used in key derivation
65 */
66 prf_t *prf;
67
68 /**
69 * Random number generator to generate nonces
70 */
71 rng_t *rng;
72
73 /**
74 * Have k_encr/k_auth been derived?
75 */
76 bool derived;
77 };
78
79 METHOD(simaka_crypto_t, get_signer, signer_t*,
80 private_simaka_crypto_t *this)
81 {
82 return this->derived ? this->signer : NULL;
83 }
84
85 METHOD(simaka_crypto_t, get_crypter, crypter_t*,
86 private_simaka_crypto_t *this)
87 {
88 return this->derived ? this->crypter : NULL;
89 }
90
91 METHOD(simaka_crypto_t, get_rng, rng_t*,
92 private_simaka_crypto_t *this)
93 {
94 return this->rng;
95 }
96
97 /**
98 * Call SIM/AKA key hook
99 */
100 static void call_hook(private_simaka_crypto_t *this, chunk_t encr, chunk_t auth)
101 {
102 simaka_manager_t *mgr;
103
104 switch (this->type)
105 {
106 case EAP_SIM:
107 mgr = lib->get(lib, "sim-manager");
108 break;
109 case EAP_AKA:
110 mgr = lib->get(lib, "aka-manager");
111 break;
112 default:
113 return;
114 }
115 mgr->key_hook(mgr, encr, auth);
116 }
117
118 METHOD(simaka_crypto_t, derive_keys_full, bool,
119 private_simaka_crypto_t *this, identification_t *id,
120 chunk_t data, chunk_t *mk, chunk_t *msk)
121 {
122 chunk_t str, k_encr, k_auth;
123 int i;
124
125 /* For SIM: MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version)
126 * For AKA: MK = SHA1(Identity|IK|CK) */
127 this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
128 this->hasher->allocate_hash(this->hasher, data, mk);
129 DBG3(DBG_LIB, "MK %B", mk);
130
131 /* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() */
132 if (this->prf->set_key(this->prf, *mk))
133 {
134 return FALSE;
135 }
136 str = chunk_alloca(this->prf->get_block_size(this->prf) * 3);
137 for (i = 0; i < 3; i++)
138 {
139 if (!this->prf->get_bytes(this->prf, chunk_empty,
140 str.ptr + str.len / 3 * i))
141 {
142 chunk_clear(mk);
143 return FALSE;
144 }
145 }
146
147 k_encr = chunk_create(str.ptr, KENCR_LEN);
148 k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
149 DBG3(DBG_LIB, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
150
151 if (!this->signer->set_key(this->signer, k_auth))
152 {
153 chunk_clear(mk);
154 return FALSE;
155 }
156 this->crypter->set_key(this->crypter, k_encr);
157
158 *msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN);
159
160 call_hook(this, k_encr, k_auth);
161
162 this->derived = TRUE;
163 return TRUE;
164 }
165
166 METHOD(simaka_crypto_t, derive_keys_reauth, bool,
167 private_simaka_crypto_t *this, chunk_t mk)
168 {
169 chunk_t str, k_encr, k_auth;
170 int i;
171
172 /* K_encr | K_auth = prf() | prf() */
173 if (!this->prf->set_key(this->prf, mk))
174 {
175 return FALSE;
176 }
177 str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
178 for (i = 0; i < 2; i++)
179 {
180 if (!this->prf->get_bytes(this->prf, chunk_empty,
181 str.ptr + str.len / 2 * i))
182 {
183 return FALSE;
184 }
185 }
186 k_encr = chunk_create(str.ptr, KENCR_LEN);
187 k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
188 DBG3(DBG_LIB, "K_encr %B\nK_auth %B", &k_encr, &k_auth);
189
190 if (!this->signer->set_key(this->signer, k_auth))
191 {
192 return FALSE;
193 }
194 this->crypter->set_key(this->crypter, k_encr);
195
196 call_hook(this, k_encr, k_auth);
197
198 this->derived = TRUE;
199 return TRUE;
200 }
201
202 METHOD(simaka_crypto_t, derive_keys_reauth_msk, bool,
203 private_simaka_crypto_t *this, identification_t *id, chunk_t counter,
204 chunk_t nonce_s, chunk_t mk, chunk_t *msk)
205 {
206 char xkey[HASH_SIZE_SHA1];
207 chunk_t str;
208 int i;
209
210 this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
211 this->hasher->get_hash(this->hasher, counter, NULL);
212 this->hasher->get_hash(this->hasher, nonce_s, NULL);
213 this->hasher->get_hash(this->hasher, mk, xkey);
214
215 /* MSK | EMSK = prf() | prf() | prf() | prf() */
216 if (!this->prf->set_key(this->prf, chunk_create(xkey, sizeof(xkey))))
217 {
218 return FALSE;
219 }
220 str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
221 for (i = 0; i < 2; i++)
222 {
223 if (!this->prf->get_bytes(this->prf, chunk_empty,
224 str.ptr + str.len / 2 * i))
225 {
226 return FALSE;
227 }
228 }
229 *msk = chunk_create(str.ptr, MSK_LEN);
230 DBG3(DBG_LIB, "MSK %B", msk);
231
232 return TRUE;
233 }
234
235 METHOD(simaka_crypto_t, clear_keys, void,
236 private_simaka_crypto_t *this)
237 {
238 this->derived = FALSE;
239 }
240
241 METHOD(simaka_crypto_t, destroy, void,
242 private_simaka_crypto_t *this)
243 {
244 DESTROY_IF(this->rng);
245 DESTROY_IF(this->hasher);
246 DESTROY_IF(this->prf);
247 DESTROY_IF(this->signer);
248 DESTROY_IF(this->crypter);
249 free(this);
250 }
251
252 /**
253 * See header
254 */
255 simaka_crypto_t *simaka_crypto_create(eap_type_t type)
256 {
257 private_simaka_crypto_t *this;
258
259 INIT(this,
260 .public = {
261 .get_signer = _get_signer,
262 .get_crypter = _get_crypter,
263 .get_rng = _get_rng,
264 .derive_keys_full = _derive_keys_full,
265 .derive_keys_reauth = _derive_keys_reauth,
266 .derive_keys_reauth_msk = _derive_keys_reauth_msk,
267 .clear_keys = _clear_keys,
268 .destroy = _destroy,
269 },
270 .type = type,
271 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
272 .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
273 .prf = lib->crypto->create_prf(lib->crypto, PRF_FIPS_SHA1_160),
274 .signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_SHA1_128),
275 .crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16),
276 );
277 if (!this->rng || !this->hasher || !this->prf ||
278 !this->signer || !this->crypter)
279 {
280 DBG1(DBG_LIB, "unable to use %N, missing algorithms",
281 eap_type_names, type);
282 destroy(this);
283 return NULL;
284 }
285 return &this->public;
286 }