Added support for DH groups 22, 23 and 24, patch contributed by Joy Latten
[strongswan.git] / src / pluto / crypto.c
1 /* crypto interfaces
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 * Copyright (C) 2007-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include <freeswan.h>
17
18 #include "constants.h"
19 #include "defs.h"
20 #include "crypto.h"
21 #include "log.h"
22
23 static struct encrypt_desc encrypt_desc_3des =
24 {
25 algo_type: IKE_ALG_ENCRYPT,
26 algo_id: OAKLEY_3DES_CBC,
27 algo_next: NULL,
28
29 enc_blocksize: DES_BLOCK_SIZE,
30 keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
31 keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
32 keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE,
33 };
34
35 #define AES_KEY_MIN_LEN 128
36 #define AES_KEY_DEF_LEN 128
37 #define AES_KEY_MAX_LEN 256
38
39 static struct encrypt_desc encrypt_desc_aes =
40 {
41 algo_type: IKE_ALG_ENCRYPT,
42 algo_id: OAKLEY_AES_CBC,
43 algo_next: NULL,
44
45 enc_blocksize: AES_BLOCK_SIZE,
46 keyminlen: AES_KEY_MIN_LEN,
47 keydeflen: AES_KEY_DEF_LEN,
48 keymaxlen: AES_KEY_MAX_LEN,
49 };
50
51 #define CAMELLIA_KEY_MIN_LEN 128
52 #define CAMELLIA_KEY_DEF_LEN 128
53 #define CAMELLIA_KEY_MAX_LEN 256
54
55 static struct encrypt_desc encrypt_desc_camellia =
56 {
57 algo_type: IKE_ALG_ENCRYPT,
58 algo_id: OAKLEY_CAMELLIA_CBC,
59 algo_next: NULL,
60
61 enc_blocksize: CAMELLIA_BLOCK_SIZE,
62 keyminlen: CAMELLIA_KEY_MIN_LEN,
63 keydeflen: CAMELLIA_KEY_DEF_LEN,
64 keymaxlen: CAMELLIA_KEY_MAX_LEN,
65 };
66
67 #define BLOWFISH_KEY_MIN_LEN 128
68 #define BLOWFISH_KEY_MAX_LEN 448
69
70 static struct encrypt_desc encrypt_desc_blowfish =
71 {
72 algo_type: IKE_ALG_ENCRYPT,
73 algo_id: OAKLEY_BLOWFISH_CBC,
74 algo_next: NULL,
75
76 enc_blocksize: BLOWFISH_BLOCK_SIZE,
77 keyminlen: BLOWFISH_KEY_MIN_LEN,
78 keydeflen: BLOWFISH_KEY_MIN_LEN,
79 keymaxlen: BLOWFISH_KEY_MAX_LEN,
80 };
81
82 #define SERPENT_KEY_MIN_LEN 128
83 #define SERPENT_KEY_DEF_LEN 128
84 #define SERPENT_KEY_MAX_LEN 256
85
86 static struct encrypt_desc encrypt_desc_serpent =
87 {
88 algo_type: IKE_ALG_ENCRYPT,
89 algo_id: OAKLEY_SERPENT_CBC,
90 algo_next: NULL,
91
92 enc_blocksize: SERPENT_BLOCK_SIZE,
93 keyminlen: SERPENT_KEY_MIN_LEN,
94 keydeflen: SERPENT_KEY_DEF_LEN,
95 keymaxlen: SERPENT_KEY_MAX_LEN,
96 };
97
98 #define TWOFISH_KEY_MIN_LEN 128
99 #define TWOFISH_KEY_DEF_LEN 128
100 #define TWOFISH_KEY_MAX_LEN 256
101
102 static struct encrypt_desc encrypt_desc_twofish =
103 {
104 algo_type: IKE_ALG_ENCRYPT,
105 algo_id: OAKLEY_TWOFISH_CBC,
106 algo_next: NULL,
107
108 enc_blocksize: TWOFISH_BLOCK_SIZE,
109 keydeflen: TWOFISH_KEY_MIN_LEN,
110 keyminlen: TWOFISH_KEY_DEF_LEN,
111 keymaxlen: TWOFISH_KEY_MAX_LEN,
112 };
113
114 static struct encrypt_desc encrypt_desc_twofish_ssh =
115 {
116 algo_type: IKE_ALG_ENCRYPT,
117 algo_id: OAKLEY_TWOFISH_CBC_SSH,
118 algo_next: NULL,
119
120 enc_blocksize: TWOFISH_BLOCK_SIZE,
121 keydeflen: TWOFISH_KEY_MIN_LEN,
122 keyminlen: TWOFISH_KEY_DEF_LEN,
123 keymaxlen: TWOFISH_KEY_MAX_LEN,
124 };
125
126 static struct hash_desc hash_desc_md5 =
127 {
128 algo_type: IKE_ALG_HASH,
129 algo_id: OAKLEY_MD5,
130 algo_next: NULL,
131 hash_digest_size: HASH_SIZE_MD5,
132 };
133
134 static struct hash_desc hash_desc_sha1 =
135 {
136 algo_type: IKE_ALG_HASH,
137 algo_id: OAKLEY_SHA,
138 algo_next: NULL,
139 hash_digest_size: HASH_SIZE_SHA1,
140 };
141
142 static struct hash_desc hash_desc_sha2_256 = {
143 algo_type: IKE_ALG_HASH,
144 algo_id: OAKLEY_SHA2_256,
145 algo_next: NULL,
146 hash_digest_size: HASH_SIZE_SHA256,
147 };
148
149 static struct hash_desc hash_desc_sha2_384 = {
150 algo_type: IKE_ALG_HASH,
151 algo_id: OAKLEY_SHA2_384,
152 algo_next: NULL,
153 hash_digest_size: HASH_SIZE_SHA384,
154 };
155
156 static struct hash_desc hash_desc_sha2_512 = {
157 algo_type: IKE_ALG_HASH,
158 algo_id: OAKLEY_SHA2_512,
159 algo_next: NULL,
160 hash_digest_size: HASH_SIZE_SHA512,
161 };
162
163 const struct dh_desc unset_group = {
164 algo_type: IKE_ALG_DH_GROUP,
165 algo_id: MODP_NONE,
166 algo_next: NULL,
167 ke_size: 0
168 };
169
170 static struct dh_desc dh_desc_modp_1024 = {
171 algo_type: IKE_ALG_DH_GROUP,
172 algo_id: MODP_1024_BIT,
173 algo_next: NULL,
174 ke_size: 1024 / BITS_PER_BYTE
175 };
176
177 static struct dh_desc dh_desc_modp_1536 = {
178 algo_type: IKE_ALG_DH_GROUP,
179 algo_id: MODP_1536_BIT,
180 algo_next: NULL,
181 ke_size: 1536 / BITS_PER_BYTE
182 };
183
184 static struct dh_desc dh_desc_modp_2048 = {
185 algo_type: IKE_ALG_DH_GROUP,
186 algo_id: MODP_2048_BIT,
187 algo_next: NULL,
188 ke_size: 2048 / BITS_PER_BYTE
189 };
190
191 static struct dh_desc dh_desc_modp_3072 = {
192 algo_type: IKE_ALG_DH_GROUP,
193 algo_id: MODP_3072_BIT,
194 algo_next: NULL,
195 ke_size: 3072 / BITS_PER_BYTE
196 };
197
198 static struct dh_desc dh_desc_modp_4096 = {
199 algo_type: IKE_ALG_DH_GROUP,
200 algo_id: MODP_4096_BIT,
201 algo_next: NULL,
202 ke_size: 4096 / BITS_PER_BYTE
203 };
204
205 static struct dh_desc dh_desc_modp_6144 = {
206 algo_type: IKE_ALG_DH_GROUP,
207 algo_id: MODP_6144_BIT,
208 algo_next: NULL,
209 ke_size: 6144 / BITS_PER_BYTE
210 };
211
212 static struct dh_desc dh_desc_modp_8192 = {
213 algo_type: IKE_ALG_DH_GROUP,
214 algo_id: MODP_8192_BIT,
215 algo_next: NULL,
216 ke_size: 8192 / BITS_PER_BYTE
217 };
218
219 static struct dh_desc dh_desc_ecp_256 = {
220 algo_type: IKE_ALG_DH_GROUP,
221 algo_id: ECP_256_BIT,
222 algo_next: NULL,
223 ke_size: 2*256 / BITS_PER_BYTE
224 };
225
226 static struct dh_desc dh_desc_ecp_384 = {
227 algo_type: IKE_ALG_DH_GROUP,
228 algo_id: ECP_384_BIT,
229 algo_next: NULL,
230 ke_size: 2*384 / BITS_PER_BYTE
231 };
232
233 static struct dh_desc dh_desc_ecp_521 = {
234 algo_type: IKE_ALG_DH_GROUP,
235 algo_id: ECP_521_BIT,
236 algo_next: NULL,
237 ke_size: 2*528 / BITS_PER_BYTE
238 };
239
240 static struct dh_desc dh_desc_modp_1024_160 = {
241 algo_type: IKE_ALG_DH_GROUP,
242 algo_id: MODP_1024_160,
243 algo_next: NULL,
244 ke_size: 1024 / BITS_PER_BYTE
245 };
246
247 static struct dh_desc dh_desc_modp_2048_224 = {
248 algo_type: IKE_ALG_DH_GROUP,
249 algo_id: MODP_2048_224,
250 algo_next: NULL,
251 ke_size: 2048 / BITS_PER_BYTE
252 };
253
254 static struct dh_desc dh_desc_modp_2048_256 = {
255 algo_type: IKE_ALG_DH_GROUP,
256 algo_id: MODP_2048_256,
257 algo_next: NULL,
258 ke_size: 2048 / BITS_PER_BYTE
259 };
260
261 static struct dh_desc dh_desc_ecp_192 = {
262 algo_type: IKE_ALG_DH_GROUP,
263 algo_id: ECP_192_BIT,
264 algo_next: NULL,
265 ke_size: 2*192 / BITS_PER_BYTE
266 };
267
268 static struct dh_desc dh_desc_ecp_224 = {
269 algo_type: IKE_ALG_DH_GROUP,
270 algo_id: ECP_224_BIT,
271 algo_next: NULL,
272 ke_size: 2*224 / BITS_PER_BYTE
273 };
274
275 bool init_crypto(void)
276 {
277 enumerator_t *enumerator;
278 encryption_algorithm_t encryption_alg;
279 hash_algorithm_t hash_alg;
280 diffie_hellman_group_t dh_group;
281 bool no_md5 = TRUE;
282 bool no_sha1 = TRUE;
283
284 enumerator = lib->crypto->create_hasher_enumerator(lib->crypto);
285 while (enumerator->enumerate(enumerator, &hash_alg))
286 {
287 const struct hash_desc *desc;
288
289 switch (hash_alg)
290 {
291 case HASH_SHA1:
292 desc = &hash_desc_sha1;
293 no_sha1 = FALSE;
294 break;
295 case HASH_SHA256:
296 desc = &hash_desc_sha2_256;
297 break;
298 case HASH_SHA384:
299 desc = &hash_desc_sha2_384;
300 break;
301 case HASH_SHA512:
302 desc = &hash_desc_sha2_512;
303 break;
304 case HASH_MD5:
305 desc = &hash_desc_md5;
306 no_md5 = FALSE;
307 break;
308 default:
309 continue;
310 }
311 ike_alg_add((struct ike_alg *)desc);
312 }
313 enumerator->destroy(enumerator);
314
315 if (no_sha1 || no_md5)
316 {
317 plog("pluto cannot run without a %s%s%s hasher",
318 (no_sha1) ? "SHA-1" : "",
319 (no_sha1 && no_md5) ? " and " : "",
320 (no_md5) ? "MD5" : "");
321 return FALSE;
322 }
323
324 enumerator = lib->crypto->create_crypter_enumerator(lib->crypto);
325 while (enumerator->enumerate(enumerator, &encryption_alg))
326 {
327 const struct encrypt_desc *desc;
328
329 switch (encryption_alg)
330 {
331 case ENCR_3DES:
332 desc = &encrypt_desc_3des;
333 break;
334 case ENCR_BLOWFISH:
335 desc = &encrypt_desc_blowfish;
336 break;
337 case ENCR_AES_CBC:
338 desc = &encrypt_desc_aes;
339 break;
340 case ENCR_CAMELLIA_CBC:
341 desc = &encrypt_desc_camellia;
342 break;
343 case ENCR_TWOFISH_CBC:
344 desc = &encrypt_desc_twofish;
345 ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh);
346 break;
347 case ENCR_SERPENT_CBC:
348 desc = &encrypt_desc_serpent;
349 break;
350 default:
351 continue;
352 }
353 ike_alg_add((struct ike_alg *)desc);
354 }
355 enumerator->destroy(enumerator);
356
357 enumerator = lib->crypto->create_dh_enumerator(lib->crypto);
358 while (enumerator->enumerate(enumerator, &dh_group))
359 {
360 const struct dh_desc *desc;
361
362 switch (dh_group)
363 {
364 case MODP_1024_BIT:
365 desc = &dh_desc_modp_1024;
366 break;
367 case MODP_1536_BIT:
368 desc = &dh_desc_modp_1536;
369 break;
370 case MODP_2048_BIT:
371 desc = &dh_desc_modp_2048;
372 break;
373 case MODP_3072_BIT:
374 desc = &dh_desc_modp_3072;
375 break;
376 case MODP_4096_BIT:
377 desc = &dh_desc_modp_4096;
378 break;
379 case MODP_6144_BIT:
380 desc = &dh_desc_modp_6144;
381 break;
382 case MODP_8192_BIT:
383 desc = &dh_desc_modp_8192;
384 break;
385 case ECP_256_BIT:
386 desc = &dh_desc_ecp_256;
387 break;
388 case ECP_384_BIT:
389 desc = &dh_desc_ecp_384;
390 break;
391 case ECP_521_BIT:
392 desc = &dh_desc_ecp_521;
393 break;
394 case MODP_1024_160:
395 desc = &dh_desc_modp_1024_160;
396 break;
397 case MODP_2048_224:
398 desc = &dh_desc_modp_2048_224;
399 break;
400 case MODP_2048_256:
401 desc = &dh_desc_modp_2048_256;
402 break;
403 case ECP_192_BIT:
404 desc = &dh_desc_ecp_192;
405 break;
406 case ECP_224_BIT:
407 desc = &dh_desc_ecp_224;
408 break;
409 default:
410 continue;
411 }
412 ike_alg_add((struct ike_alg *)desc);
413 }
414 enumerator->destroy(enumerator);
415 return TRUE;
416 }
417
418 void free_crypto(void)
419 {
420 /* currently nothing to do */
421 }
422
423 /**
424 * Converts IKEv1 encryption algorithm name to crypter name
425 */
426 encryption_algorithm_t oakley_to_encryption_algorithm(int alg)
427 {
428 switch (alg)
429 {
430 case OAKLEY_DES_CBC:
431 return ENCR_DES;
432 case OAKLEY_IDEA_CBC:
433 return ENCR_IDEA;
434 case OAKLEY_BLOWFISH_CBC:
435 return ENCR_BLOWFISH;
436 case OAKLEY_RC5_R16_B64_CBC:
437 return ENCR_RC5;
438 case OAKLEY_3DES_CBC:
439 return ENCR_3DES;
440 case OAKLEY_CAST_CBC:
441 return ENCR_CAST;
442 case OAKLEY_AES_CBC:
443 return ENCR_AES_CBC;
444 case OAKLEY_CAMELLIA_CBC:
445 return ENCR_CAMELLIA_CBC;
446 case OAKLEY_SERPENT_CBC:
447 return ENCR_SERPENT_CBC;
448 case OAKLEY_TWOFISH_CBC:
449 case OAKLEY_TWOFISH_CBC_SSH:
450 return ENCR_TWOFISH_CBC;
451 default:
452 return ENCR_UNDEFINED;
453 }
454 }
455
456 /**
457 * Converts IKEv1 hash algorithm name to hasher name
458 */
459 hash_algorithm_t oakley_to_hash_algorithm(int alg)
460 {
461 switch (alg)
462 {
463 case OAKLEY_MD5:
464 return HASH_MD5;
465 case OAKLEY_SHA:
466 return HASH_SHA1;
467 case OAKLEY_SHA2_256:
468 return HASH_SHA256;
469 case OAKLEY_SHA2_384:
470 return HASH_SHA384;
471 case OAKLEY_SHA2_512:
472 return HASH_SHA512;
473 default:
474 return HASH_UNKNOWN;
475 }
476 }
477
478 /**
479 * Converts IKEv1 hash algorithm name to IKEv2 prf name
480 */
481 pseudo_random_function_t oakley_to_prf(int alg)
482 {
483 switch (alg)
484 {
485 case OAKLEY_MD5:
486 return PRF_HMAC_MD5;
487 case OAKLEY_SHA:
488 return PRF_HMAC_SHA1;
489 case OAKLEY_SHA2_256:
490 return PRF_HMAC_SHA2_256;
491 case OAKLEY_SHA2_384:
492 return PRF_HMAC_SHA2_384;
493 case OAKLEY_SHA2_512:
494 return PRF_HMAC_SHA2_512;
495 default:
496 return PRF_UNDEFINED;
497 }
498 }
499
500 /**
501 * Maps IKEv1 authentication method to IKEv2 signature scheme
502 */
503 signature_scheme_t oakley_to_signature_scheme(int method)
504 {
505 switch (method)
506 {
507 case OAKLEY_RSA_SIG:
508 case XAUTHInitRSA:
509 case XAUTHRespRSA:
510 return SIGN_RSA_EMSA_PKCS1_NULL;
511 case OAKLEY_ECDSA_256:
512 case OAKLEY_ECDSA_384:
513 case OAKLEY_ECDSA_521:
514 return SIGN_ECDSA_WITH_NULL;
515 default:
516 return SIGN_UNKNOWN;
517 }
518 }
519
520 /**
521 * Converts IKEv2 encryption to IKEv1 encryption algorithm
522 */
523 int oakley_from_encryption_algorithm(encryption_algorithm_t alg)
524 {
525 switch (alg)
526 {
527 case ENCR_DES:
528 return OAKLEY_DES_CBC;
529 case ENCR_3DES:
530 return OAKLEY_3DES_CBC;
531 case ENCR_RC5:
532 return OAKLEY_RC5_R16_B64_CBC;
533 case ENCR_IDEA:
534 return OAKLEY_IDEA_CBC;
535 case ENCR_CAST:
536 return OAKLEY_CAST_CBC;
537 case ENCR_BLOWFISH:
538 return OAKLEY_BLOWFISH_CBC;
539 case ENCR_AES_CBC:
540 return OAKLEY_AES_CBC;
541 case ENCR_CAMELLIA_CBC:
542 return OAKLEY_CAMELLIA_CBC;
543 case ENCR_SERPENT_CBC:
544 return OAKLEY_SERPENT_CBC;
545 case ENCR_TWOFISH_CBC:
546 return OAKLEY_TWOFISH_CBC;
547 default:
548 return 0;
549 }
550 }
551
552 /**
553 * Converts IKEv2 integrity to IKEv1 hash algorithm
554 */
555 int oakley_from_integrity_algorithm(integrity_algorithm_t alg)
556 {
557 switch (alg)
558 {
559 case AUTH_HMAC_MD5_96:
560 return OAKLEY_MD5;
561 case AUTH_HMAC_SHA1_96:
562 return OAKLEY_SHA;
563 case AUTH_HMAC_SHA2_256_128:
564 return OAKLEY_SHA2_256;
565 case AUTH_HMAC_SHA2_384_192:
566 return OAKLEY_SHA2_384;
567 case AUTH_HMAC_SHA2_512_256:
568 return OAKLEY_SHA2_512;
569 default:
570 return 0;
571 }
572 }
573
574 /**
575 * Converts IKEv2 encryption to IKEv1 ESP encryption algorithm
576 */
577 int esp_from_encryption_algorithm(encryption_algorithm_t alg)
578 {
579 switch (alg)
580 {
581 case ENCR_DES:
582 return ESP_DES;
583 case ENCR_3DES:
584 return ESP_3DES;
585 case ENCR_RC5:
586 return ESP_RC5;
587 case ENCR_IDEA:
588 return ESP_IDEA;
589 case ENCR_CAST:
590 return ESP_CAST;
591 case ENCR_BLOWFISH:
592 return ESP_BLOWFISH;
593 case ENCR_NULL:
594 return ESP_NULL;
595 case ENCR_AES_CBC:
596 return ESP_AES;
597 case ENCR_AES_CTR:
598 return ESP_AES_CTR;
599 case ENCR_AES_CCM_ICV8:
600 return ESP_AES_CCM_8;
601 case ENCR_AES_CCM_ICV12:
602 return ESP_AES_CCM_12;
603 case ENCR_AES_CCM_ICV16:
604 return ESP_AES_CCM_16;
605 case ENCR_AES_GCM_ICV8:
606 return ESP_AES_GCM_8;
607 case ENCR_AES_GCM_ICV12:
608 return ESP_AES_GCM_12;
609 case ENCR_AES_GCM_ICV16:
610 return ESP_AES_GCM_16;
611 case ENCR_CAMELLIA_CBC:
612 return ESP_CAMELLIA;
613 case ENCR_NULL_AUTH_AES_GMAC:
614 return ESP_AES_GMAC;
615 case ENCR_SERPENT_CBC:
616 return ESP_SERPENT;
617 case ENCR_TWOFISH_CBC:
618 return ESP_TWOFISH;
619 default:
620 return 0;
621 }
622 }
623
624 /**
625 * Converts IKEv2 integrity to IKEv1 ESP authentication algorithm
626 */
627 int esp_from_integrity_algorithm(integrity_algorithm_t alg)
628 {
629 switch (alg)
630 {
631 case AUTH_HMAC_MD5_96:
632 return AUTH_ALGORITHM_HMAC_MD5;
633 case AUTH_HMAC_SHA1_96:
634 return AUTH_ALGORITHM_HMAC_SHA1;
635 case AUTH_AES_XCBC_96:
636 return AUTH_ALGORITHM_AES_XCBC_MAC;
637 case AUTH_HMAC_SHA2_256_96:
638 return AUTH_ALGORITHM_HMAC_SHA2_256_96;
639 case AUTH_HMAC_SHA2_256_128:
640 return AUTH_ALGORITHM_HMAC_SHA2_256;
641 case AUTH_HMAC_SHA2_384_192:
642 return AUTH_ALGORITHM_HMAC_SHA2_384;
643 case AUTH_HMAC_SHA2_512_256:
644 return AUTH_ALGORITHM_HMAC_SHA2_512;
645 case AUTH_AES_128_GMAC:
646 return AUTH_ALGORITHM_AES_128_GMAC;
647 case AUTH_AES_192_GMAC:
648 return AUTH_ALGORITHM_AES_192_GMAC;
649 case AUTH_AES_256_GMAC:
650 return AUTH_ALGORITHM_AES_256_GMAC;
651 default:
652 return 0;
653 }
654 }