introduced encryption test vectors
[strongswan.git] / src / pluto / ike_alg.c
1 /* IKE modular algorithm handling interface
2 * Author: JuanJo Ciarlante <jjo-ipsec@mendoza.gov.ar>
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #include <stdio.h>
16 #include <string.h>
17 #include <stdlib.h>
18 #include <errno.h>
19 #include <sys/queue.h>
20
21 #include <freeswan.h>
22 #include <ipsec_policy.h>
23
24 #include <library.h>
25 #include <debug.h>
26 #include <crypto/hashers/hasher.h>
27 #include <crypto/crypters/crypter.h>
28 #include <crypto/prfs/prf.h>
29
30 #include "constants.h"
31 #include "defs.h"
32 #include "crypto.h"
33
34 #include "state.h"
35 #include "packet.h"
36 #include "log.h"
37 #include "whack.h"
38 #include "spdb.h"
39 #include "alg_info.h"
40 #include "ike_alg.h"
41 #include "db_ops.h"
42 #include "connections.h"
43 #include "kernel.h"
44
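/*
 * Store val in var and jump to the enclosing function's return_out label.
 *
 * The do { } while (0) wrapper deliberately carries no trailing semicolon:
 * the caller supplies it, so the macro expands to exactly one statement and
 * stays safe inside an unbraced if/else.
 */
#define return_on(var, val) do { (var) = (val); goto return_out; } while (0)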
46
47 /**
48 * IKE algorithm list handling - registration and lookup
49 */
50
/*
 * Modular IKE algorithm storage: one singly linked list head per algorithm
 * type, indexed by algo_type (0..IKE_ALG_MAX). ike_alg_add() keeps each list
 * in ascending algo_id order.
 */
static struct ike_alg *ike_alg_base[IKE_ALG_MAX + 1] = { NULL, NULL };
54
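/**
 * Return the ike_alg object registered for {type, id}.
 *
 * @param algo_type		index into ike_alg_base (e.g. IKE_ALG_ENCRYPT, IKE_ALG_HASH)
 * @param algo_id		algorithm identifier to look up
 * @param keysize		unused
 * @return				the matching entry, or NULL if there is none or
 *						algo_type lies outside the table
 */
static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id,
									u_int keysize __attribute__((unused)))
{
	struct ike_alg *e;

	/* ike_alg_base has IKE_ALG_MAX+1 slots; never index past the table */
	if (algo_type > IKE_ALG_MAX)
	{
		return NULL;
	}

	/* lists are sorted ascending by algo_id, so stop at the first id that
	 * is not smaller than the one searched for
	 */
	e = ike_alg_base[algo_type];
	while (e != NULL && algo_id > e->algo_id)
	{
		e = e->algo_next;
	}
	return (e != NULL && e->algo_id == algo_id) ? e : NULL;
}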
69
/**
 * "raw" ike_alg list adding function
 *
 * Links the descriptor itself into the list for its algo_type (no copy is
 * made, so the object must stay valid while it is registered), keeping the
 * list in ascending algo_id order.
 *
 * @param a		descriptor to register
 * @return		0 on success, -EINVAL for an algo_type beyond IKE_ALG_MAX,
 *				-EEXIST if {algo_type, algo_id} is already registered
 */
int ike_alg_add(struct ike_alg* a)
{
	struct ike_alg **link;

	if (a->algo_type > IKE_ALG_MAX)
	{
		plog("ike_alg: Not added, invalid algorithm type");
		return -EINVAL;
	}

	if (ike_alg_find(a->algo_type, a->algo_id, 0) != NULL)
	{
		plog("ike_alg: Not added, algorithm already exists");
		return -EEXIST;
	}

	/* advance to the link that points at the first entry with an id that
	 * is not smaller than the new one (or at the terminating NULL)
	 */
	link = &ike_alg_base[a->algo_type];
	while (*link != NULL && a->algo_id > (*link)->algo_id)
	{
		link = &(*link)->algo_next;
	}

	/* splice the new entry in front of that successor */
	a->algo_next = *link;
	*link = a;
	return 0;
}
101
/**
 * Get IKE hash algorithm
 *
 * @param alg	hash algorithm identifier
 * @return		registered descriptor, or NULL if alg is not registered
 */
struct hash_desc *ike_alg_get_hasher(u_int alg)
{
	struct ike_alg *entry = ike_alg_find(IKE_ALG_HASH, alg, 0);

	/* NOTE(review): the cast presumably relies on struct hash_desc starting
	 * with the same leading members as struct ike_alg - confirm in ike_alg.h
	 */
	return (struct hash_desc *) entry;
}
109
/**
 * Get IKE encryption algorithm
 *
 * @param alg	encryption algorithm identifier
 * @return		registered descriptor, or NULL if alg is not registered
 */
struct encrypt_desc *ike_alg_get_encrypter(u_int alg)
{
	struct ike_alg *entry = ike_alg_find(IKE_ALG_ENCRYPT, alg, 0);

	/* NOTE(review): the cast presumably relies on struct encrypt_desc starting
	 * with the same leading members as struct ike_alg - confirm in ike_alg.h
	 */
	return (struct encrypt_desc *) entry;
}
117
/**
 * Check if IKE hash algorithm is present
 *
 * @param halg	hash algorithm identifier
 * @return		TRUE if a descriptor is registered for halg
 */
bool ike_alg_hash_present(u_int halg)
{
	struct hash_desc *desc = ike_alg_get_hasher(halg);

	return desc != NULL;
}
125
/**
 * Check if IKE encryption algorithm is present
 *
 * @param ealg	encryption algorithm identifier
 * @return		TRUE if a descriptor is registered for ealg
 */
bool ike_alg_enc_present(u_int ealg)
{
	struct encrypt_desc *desc = ike_alg_get_encrypter(ealg);

	return desc != NULL;
}
133
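/**
 * Validate and register IKE hash algorithm object
 *
 * The only validation is the range check of algo_id against OAKLEY_HASH_MAX.
 * An id that has no entry in oakley_hash_names is logged but still
 * registered.
 *
 * @param hash_desc		descriptor to register
 * @return				0 on success, -EINVAL if algo_id exceeds
 *						OAKLEY_HASH_MAX, otherwise the ike_alg_add() result
 */
int ike_alg_register_hash(struct hash_desc *hash_desc)
{
	/* start with a printable placeholder so that the final log line never
	 * hands a NULL pointer to a %s conversion, including on the early
	 * rejection path where no name lookup takes place
	 */
	const char *alg_name = "<NULL>";
	int ret = -EINVAL;

	if (hash_desc->algo_id > OAKLEY_HASH_MAX)
	{
		plog ("ike_alg: hash alg=%d > max=%d"
			 , hash_desc->algo_id, OAKLEY_HASH_MAX);
	}
	else
	{
		const char *known = enum_name(&oakley_hash_names, hash_desc->algo_id);

		if (known != NULL)
		{
			alg_name = known;
		}
		else
		{
			plog ("ike_alg: hash alg=%d not found in constants.c:oakley_hash_names"
				 , hash_desc->algo_id);
		}
		ret = ike_alg_add((struct ike_alg *)hash_desc);
	}

	plog("ike_alg: Activating %s hash: %s"
		,alg_name, ret == 0 ? "Ok" : "FAILED");

	return ret;
}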
166
/**
 * Register IKE encryption algorithm object
 *
 * The descriptor is handed straight to ike_alg_add(); this function itself
 * does not inspect key lengths, block size or test vectors.
 *
 * @param enc_desc	descriptor to register
 * @return			result of ike_alg_add(): 0 on success, negative errno
 *					value otherwise
 */
int ike_alg_register_enc(struct encrypt_desc *enc_desc)
{
	char numeric_name[20];
	const char *status;
	const char *label;
	int rc;

	rc = ike_alg_add((struct ike_alg *)enc_desc);
	label = enum_name(&oakley_enc_names, enc_desc->algo_id);

	if (label == NULL)
	{
		/* not listed in oakley_enc_names: log the numeric id instead */
		snprintf(numeric_name, sizeof(numeric_name), "OAKLEY_ID_%d"
				, enc_desc->algo_id);
		label = numeric_name;
	}

	status = (rc == 0) ? "Ok" : "FAILED";
	plog("ike_alg: Activating %s encryption: %s"
		, label, status);

	return rc;
}
191
/**
 * Get pfsgroup for this connection
 *
 * @param c			connection whose ESP algorithm info is consulted
 * @param policy	policy bits; only POLICY_PFS is examined
 * @return			group descriptor from lookup_group(), or NULL when PFS is
 *					not requested or no esp_pfsgroup is configured
 */
const struct oakley_group_desc *ike_alg_pfsgroup(struct connection *c, lset_t policy)
{
	if (!(policy & POLICY_PFS))
	{
		return NULL;
	}
	if (!c->alg_info_esp || !c->alg_info_esp->esp_pfsgroup)
	{
		return NULL;
	}
	return lookup_group(c->alg_info_esp->esp_pfsgroup);
}
205
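/**
 * Append one ISAKMP transform with the given algorithm attributes to the
 * proposal under construction; the key length attribute is only emitted
 * when eklen is non-zero.
 */
static void ike_alg_db_add_transform(struct db_context *db_ctx, u_int ealg,
									 u_int halg, u_int eklen,
									 u_int auth_method, u_int modp)
{
	db_trans_add(db_ctx, KEY_IKE);
	db_attr_add_values(db_ctx, OAKLEY_ENCRYPTION_ALGORITHM, ealg);
	db_attr_add_values(db_ctx, OAKLEY_HASH_ALGORITHM, halg);
	if (eklen)
	{
		db_attr_add_values(db_ctx, OAKLEY_KEY_LENGTH, eklen);
	}
	db_attr_add_values(db_ctx, OAKLEY_AUTHENTICATION_METHOD, auth_method);
	db_attr_add_values(db_ctx, OAKLEY_GROUP_DESCRIPTION, modp);
}

/**
 * Create an OAKLEY proposal based on alg_info and policy
 *
 * For every {encryption, hash, group} entry of ai whose algorithms are
 * registered and whose key length (if given) lies within the cipher's
 * keyminlen..keymaxlen range, one transform is added per authentication
 * method enabled in policy (RSA signature, pre-shared key and their XAUTH
 * variants). Entries that fail a check are skipped, so the returned
 * proposal can contain no transform at all.
 *
 * @param ai		IKE algorithm info of the connection, may be NULL
 * @param policy	connection policy; POLICY_XAUTH_SERVER selects the
 *					responder flavour of the XAUTH methods
 * @return			new proposal context, or NULL if ai is NULL
 */
struct db_context *ike_alg_db_new(struct alg_info_ike *ai , lset_t policy)
{
	struct db_context *db_ctx;
	struct ike_info *ike_info;
	int i;

	/* sampled before policy is masked down to the authentication bits */
	bool is_xauth_server = (policy & POLICY_XAUTH_SERVER) != LEMPTY;

	if (!ai)
	{
		whack_log(RC_LOG_SERIOUS, "no IKE algorithms "
								  "for this connection "
								  "(check ike algorithm string)");
		return NULL;
	}
	policy &= POLICY_ID_AUTH_MASK;
	db_ctx = db_prop_new(PROTO_ISAKMP, 8, 8 * 5);

	/* for each group */
	ALG_INFO_IKE_FOREACH(ai, ike_info, i)
	{
		u_int ealg = ike_info->ike_ealg;
		u_int halg = ike_info->ike_halg;
		u_int modp = ike_info->ike_modp;
		u_int eklen = ike_info->ike_eklen;
		struct encrypt_desc *enc_desc;

		/* a single lookup both answers "is it registered" and yields the
		 * descriptor needed for the key length check below
		 */
		enc_desc = ike_alg_get_encrypter(ealg);
		if (enc_desc == NULL)
		{
			DBG_log("ike_alg: ike enc ealg=%d not present"
					, ealg);
			continue;
		}

		if (!ike_alg_hash_present(halg))
		{
			DBG_log("ike_alg: ike hash halg=%d not present"
					, halg);
			continue;
		}

		/* eklen == 0 means "no key length specified" and is not checked */
		if (eklen
		&& (eklen < enc_desc->keyminlen || eklen > enc_desc->keymaxlen))
		{
			DBG_log("ike_alg: ealg=%d (specified) keylen:%d, not valid min=%d, max=%d"
					, ealg
					, eklen
					, enc_desc->keyminlen
					, enc_desc->keymaxlen
				);
			continue;
		}

		if (policy & POLICY_RSASIG)
		{
			ike_alg_db_add_transform(db_ctx, ealg, halg, eklen,
									 OAKLEY_RSA_SIG, modp);
		}

		if (policy & POLICY_PSK)
		{
			ike_alg_db_add_transform(db_ctx, ealg, halg, eklen,
									 OAKLEY_PRESHARED_KEY, modp);
		}

		if (policy & POLICY_XAUTH_RSASIG)
		{
			ike_alg_db_add_transform(db_ctx, ealg, halg, eklen,
					is_xauth_server ? XAUTHRespRSA : XAUTHInitRSA, modp);
		}

		if (policy & POLICY_XAUTH_PSK)
		{
			ike_alg_db_add_transform(db_ctx, ealg, halg, eklen,
					is_xauth_server ? XAUTHRespPreShared : XAUTHInitPreShared,
					modp);
		}
	}
	return db_ctx;
}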
315
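/**
 * Return name if it is set, otherwise format the numeric id into buf and
 * return buf, so that a %s conversion never receives a NULL pointer.
 */
static const char *ike_alg_list_name(const char *name, u_int id,
									 char *buf, size_t buflen)
{
	if (name != NULL)
	{
		return name;
	}
	snprintf(buf, buflen, "OAKLEY_ID_%u", id);
	return buf;
}

/**
 * Show registered IKE algorithms
 *
 * Writes the registered encryption algorithms, the registered hash
 * algorithms and the oakley_group table to the whack log. An identifier
 * without an entry in the corresponding name table is shown in numeric
 * form, because enum_name() yields NULL for it.
 */
void ike_alg_list(void)
{
	char numbuf[24];
	u_int i;
	struct ike_alg *a;

	whack_log(RC_COMMENT, " ");
	whack_log(RC_COMMENT, "List of registered IKE Encryption Algorithms:");
	whack_log(RC_COMMENT, " ");

	for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next)
	{
		struct encrypt_desc *desc = (struct encrypt_desc*)a;

		whack_log(RC_COMMENT, "#%-5d %s, blocksize: %d, keylen: %d-%d-%d"
			, a->algo_id
			, ike_alg_list_name(enum_name(&oakley_enc_names, a->algo_id)
								, a->algo_id, numbuf, sizeof(numbuf))
			, (int)desc->enc_blocksize*BITS_PER_BYTE
			, desc->keyminlen
			, desc->keydeflen
			, desc->keymaxlen
		);
	}

	whack_log(RC_COMMENT, " ");
	whack_log(RC_COMMENT, "List of registered IKE Hash Algorithms:");
	whack_log(RC_COMMENT, " ");

	for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next)
	{
		whack_log(RC_COMMENT, "#%-5d %s, hashsize: %d"
			, a->algo_id
			, ike_alg_list_name(enum_name(&oakley_hash_names, a->algo_id)
								, a->algo_id, numbuf, sizeof(numbuf))
			, (int)((struct hash_desc *)a)->hash_digest_size*BITS_PER_BYTE
		);
	}

	whack_log(RC_COMMENT, " ");
	whack_log(RC_COMMENT, "List of registered IKE DH Groups:");
	whack_log(RC_COMMENT, " ");

	for (i = 0; i < countof(oakley_group); i++)
	{
		const struct oakley_group_desc *gdesc=oakley_group + i;

		whack_log(RC_COMMENT, "#%-5d %s, groupsize: %d"
			, gdesc->group
			, ike_alg_list_name(enum_name(&oakley_group_names, gdesc->group)
								, gdesc->group, numbuf, sizeof(numbuf))
			, (int)gdesc->bytes*BITS_PER_BYTE
		);
	}
}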
370
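/**
 * Return name with a leading prefix removed. The pointer is only advanced
 * when name really starts with prefix, so a shorter or differently shaped
 * string is never read past its terminator; a NULL name becomes "<NULL>".
 */
static const char *ike_alg_skip_prefix(const char *name, const char *prefix)
{
	size_t len;

	if (name == NULL)
	{
		return "<NULL>";
	}
	len = strlen(prefix);
	return strncmp(name, prefix, len) == 0 ? name + len : name;
}

/**
 * Show IKE algorithms for this connection (result from ike= string)
 * and newest SA
 *
 * @param c			connection to describe
 * @param instance	instance suffix printed directly after the quoted
 *					connection name
 */
void ike_alg_show_connection(struct connection *c, const char *instance)
{
	char buf[BUF_LEN];
	struct state *st;

	if (c->alg_info_ike)
	{
		alg_info_snprint(buf, sizeof(buf)-1, (struct alg_info *)c->alg_info_ike);
		whack_log(RC_COMMENT
				, "\"%s\"%s:   IKE algorithms wanted: %s"
				, c->name
				, instance
				, buf
		);

		alg_info_snprint_ike(buf, sizeof(buf)-1, c->alg_info_ike);
		whack_log(RC_COMMENT
				, "\"%s\"%s:   IKE algorithms found:  %s"
				, c->name
				, instance
				, buf
		);
	}

	st = state_with_serialno(c->newest_isakmp_sa);
	if (st)
	{
		/* The negotiated identifiers are shown without their "OAKLEY_" /
		 * "OAKLEY_GROUP_" prefixes. Skipping a fixed number of characters
		 * would run past the end of any string that lacks the prefix, so
		 * the prefix is checked before it is stripped.
		 * NOTE(review): if enum_show() formats unnamed values into a shared
		 * buffer, the three results below could alias - confirm in
		 * constants.c
		 */
		whack_log(RC_COMMENT
				, "\"%s\"%s:   IKE algorithm newest: %s_%d-%s-%s"
				, c->name
				, instance
				, ike_alg_skip_prefix(
					enum_show(&oakley_enc_names, st->st_oakley.encrypt)
					, "OAKLEY_")
				, st->st_oakley.enckeylen
				, ike_alg_skip_prefix(
					enum_show(&oakley_hash_names, st->st_oakley.hash)
					, "OAKLEY_")
				, ike_alg_skip_prefix(
					enum_show(&oakley_group_names, st->st_oakley.group->group)
					, "OAKLEY_GROUP_")
		);
	}
}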
415
/**
 * Apply a suite of testvectors to an encryption algorithm
 *
 * Every vector is run in both directions: the reference ciphertext is
 * decrypted and compared with the plaintext, then the plaintext is encrypted
 * and compared with the ciphertext. The vector list ends at the first entry
 * whose key is NULL.
 *
 * A descriptor without test vectors yields TRUE, i.e. "nothing failed", not
 * "verified".
 *
 * @param desc	encryption algorithm descriptor
 * @return		TRUE if all vectors passed or none exist, FALSE if a vector
 *				failed or no crypter could be created
 */
static bool ike_encrypt_test(const struct encrypt_desc *desc)
{
	bool all_ok = TRUE;
	encryption_algorithm_t enc_alg;
	int idx;

	if (desc->enc_testvectors == NULL)
	{
		plog("  %s encryption self-test not available",
			 enum_name(&oakley_enc_names, desc->algo_id));
		return all_ok;
	}

	enc_alg = oakley_to_encryption_algorithm(desc->algo_id);

	for (idx = 0; desc->enc_testvectors[idx].key != NULL; idx++)
	{
		chunk_t key = chunk_create((u_char*)desc->enc_testvectors[idx].key,
								   desc->enc_testvectors[idx].key_size);
		chunk_t plain = chunk_create((u_char*)desc->enc_testvectors[idx].plain,
									 desc->enc_testvectors[idx].data_size);
		chunk_t cipher = chunk_create((u_char*)desc->enc_testvectors[idx].cipher,
									  desc->enc_testvectors[idx].data_size);
		chunk_t encrypted = chunk_empty;
		chunk_t decrypted = chunk_empty;
		chunk_t iv;
		crypter_t *crypter;
		bool decrypt_ok, encrypt_ok;

		crypter = lib->crypto->create_crypter(lib->crypto, enc_alg, key.len);
		if (crypter == NULL)
		{
			plog("  %s encryption function not available",
				 enum_name(&oakley_enc_names, desc->algo_id));
			return FALSE;
		}

		/* the IV length is taken from the cipher's block size, not from
		 * the vector itself
		 */
		iv = chunk_create((u_char*)desc->enc_testvectors[idx].iv,
						  crypter->get_block_size(crypter));
		crypter->set_key(crypter, key);

		crypter->decrypt(crypter, cipher, iv, &decrypted);
		decrypt_ok = chunk_equals(decrypted, plain);

		crypter->encrypt(crypter, plain, iv, &encrypted);
		encrypt_ok = chunk_equals(encrypted, cipher);

		DBG(DBG_CRYPT,
			DBG_log("  enc testvector %d: %s", idx,
					(decrypt_ok && encrypt_ok) ? "ok":"failed")
		)
		if (!(decrypt_ok && encrypt_ok))
		{
			all_ok = FALSE;
		}

		crypter->destroy(crypter);
		free(encrypted.ptr);
		free(decrypted.ptr);
	}

	plog("  %s encryption self-test %s",
		 enum_name(&oakley_enc_names, desc->algo_id),
		 all_ok ? "passed":"failed");
	return all_ok;
}
477
/**
 * Apply a suite of testvectors to a hash algorithm
 *
 * Runs the plain hash vectors (list ends at the first NULL msg_digest) and
 * then the HMAC vectors (list ends at the first NULL hmac). A missing
 * vector list is logged and counts as "nothing failed".
 *
 * Both comparisons use desc->hash_digest_size bytes of a local buffer of
 * MAX_DIGEST_LEN bytes.
 * NOTE(review): assumes hash_digest_size <= MAX_DIGEST_LEN, which is not
 * checked here - confirm against the registered descriptors.
 *
 * @param desc	hash algorithm descriptor
 * @return		TRUE if no hash and no hmac vector failed; FALSE if a vector
 *				failed or a hasher/prf could not be created
 */
static bool ike_hash_test(const struct hash_desc *desc)
{
	bool hash_ok = TRUE;
	bool hmac_ok = TRUE;
	int idx;

	if (desc->hash_testvectors != NULL)
	{
		hash_algorithm_t hash_alg = oakley_to_hash_algorithm(desc->algo_id);
		hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, hash_alg);

		if (hasher == NULL)
		{
			/* leaves immediately: the hmac vectors are not run either */
			plog("  %s hash function not available",
				 enum_name(&oakley_hash_names, desc->algo_id));
			return FALSE;
		}

		idx = 0;
		while (desc->hash_testvectors[idx].msg_digest != NULL)
		{
			u_char computed[MAX_DIGEST_LEN];
			chunk_t msg = chunk_create((u_char*)desc->hash_testvectors[idx].msg,
									   desc->hash_testvectors[idx].msg_size);
			bool vector_ok;

			hasher->get_hash(hasher, msg, computed);
			vector_ok = memeq(computed, desc->hash_testvectors[idx].msg_digest
							, desc->hash_digest_size);
			DBG(DBG_CRYPT,
				DBG_log("  hash testvector %d: %s", idx, vector_ok ? "ok":"failed")
			)
			if (!vector_ok)
			{
				hash_ok = FALSE;
			}
			idx++;
		}
		hasher->destroy(hasher);
		plog("  %s hash self-test %s", enum_name(&oakley_hash_names, desc->algo_id),
			 hash_ok ? "passed":"failed");
	}
	else
	{
		plog("  %s hash self-test not available",
			 enum_name(&oakley_hash_names, desc->algo_id));
	}

	if (desc->hmac_testvectors != NULL)
	{
		pseudo_random_function_t prf_alg = oakley_to_prf(desc->algo_id);

		idx = 0;
		while (desc->hmac_testvectors[idx].hmac != NULL)
		{
			u_char computed[MAX_DIGEST_LEN];
			chunk_t key = chunk_create((u_char*)desc->hmac_testvectors[idx].key,
									   desc->hmac_testvectors[idx].key_size);
			chunk_t msg = chunk_create((u_char*)desc->hmac_testvectors[idx].msg,
									   desc->hmac_testvectors[idx].msg_size);
			bool vector_ok;
			prf_t *prf;

			/* a fresh prf instance is created and destroyed per vector */
			prf = lib->crypto->create_prf(lib->crypto, prf_alg);
			if (prf == NULL)
			{
				plog("  %s hmac function not available",
					 enum_name(&oakley_hash_names, desc->algo_id));
				return FALSE;
			}
			prf->set_key(prf, key);
			prf->get_bytes(prf, msg, computed);
			prf->destroy(prf);

			vector_ok = memeq(computed, desc->hmac_testvectors[idx].hmac,
							  desc->hash_digest_size);
			DBG(DBG_CRYPT,
				DBG_log("  hmac testvector %d: %s", idx, vector_ok ? "ok":"failed")
			)
			if (!vector_ok)
			{
				hmac_ok = FALSE;
			}
			idx++;
		}
		plog("  %s hmac self-test %s", enum_name(&oakley_hash_names, desc->algo_id)
			, hmac_ok ? "passed":"failed");
	}
	else
	{
		plog("  %s hmac self-test not available", enum_name(&oakley_hash_names, desc->algo_id));
	}

	return hash_ok && hmac_ok;
}
569
/**
 * Apply test vectors to registered encryption and hash algorithms
 *
 * Every registered algorithm is tested even after an earlier one failed, so
 * the log shows the complete picture.
 *
 * @return	TRUE only if no encryption and no hash self-test reported failure
 */
bool ike_alg_test(void)
{
	struct ike_alg *alg;
	bool all_ok = TRUE;

	plog("Testing registered IKE encryption algorithms:");

	alg = ike_alg_base[IKE_ALG_ENCRYPT];
	while (alg != NULL)
	{
		if (!ike_encrypt_test((struct encrypt_desc*)alg))
		{
			all_ok = FALSE;
		}
		alg = alg->algo_next;
	}

	alg = ike_alg_base[IKE_ALG_HASH];
	while (alg != NULL)
	{
		if (!ike_hash_test((struct hash_desc*)alg))
		{
			all_ok = FALSE;
		}
		alg = alg->algo_next;
	}

	if (all_ok)
	{
		plog("All crypto self-tests passed");
	}
	else
	{
		plog("Some crypto self-tests failed");
	}
	return all_ok;
}
600
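/**
 * ML: make F_STRICT logic consider enc,hash/auth,modp algorithms
 *
 * Final acceptance check for an Oakley transform. The transform is accepted
 * unconditionally unless its key length is below 128 bits or the
 * connection's algorithm info carries ALG_INFO_F_STRICT. In those two cases
 * it is accepted only if {ealg, key_len, aalg, group} matches an entry of
 * alg_info_ike, where a key length of 0 on either side matches any length.
 *
 * A key_len of 0 counts as below 128, so such a transform is accepted only
 * when it is listed explicitly.
 *
 * NOTE(review): the arguments presumably come from a transform proposed by
 * the peer, so the identifiers need not have an entry in the name tables -
 * confirm against the caller.
 *
 * @param ealg			encryption algorithm identifier
 * @param key_len		encryption key length in bits, 0 if unspecified
 * @param aalg			hash algorithm identifier
 * @param group			DH group identifier
 * @param alg_info_ike	algorithms configured for the connection, may be NULL
 * @return				TRUE if the transform is acceptable
 */
bool ike_alg_ok_final(u_int ealg, u_int key_len, u_int aalg, u_int group,
					  struct alg_info_ike *alg_info_ike)
{
	/*
	 * simple test to discard low key_len, will accept it only
	 * if specified in "ike" string
	 */
	bool ealg_insecure = (key_len < 128);
	bool strict = alg_info_ike
				&& (alg_info_ike->alg_info_flags & ALG_INFO_F_STRICT);
	const char *ealg_name;
	const char *aalg_name;
	const char *group_name;

	if (!ealg_insecure && !strict)
	{
		return TRUE;
	}

	/* enum_name() yields NULL for an identifier missing from the name
	 * table; substitute a placeholder so that the log calls below never
	 * pass NULL to a %s conversion
	 */
	ealg_name = enum_name(&oakley_enc_names, ealg);
	if (ealg_name == NULL)
	{
		ealg_name = "<NULL>";
	}

	if (alg_info_ike)
	{
		struct ike_info *ike_info;
		int i;

		ALG_INFO_IKE_FOREACH(alg_info_ike, ike_info, i)
		{
			if (ike_info->ike_ealg == ealg
			&& (ike_info->ike_eklen == 0 || key_len == 0 || ike_info->ike_eklen == key_len)
			&& ike_info->ike_halg == aalg
			&& ike_info->ike_modp == group)
			{
				if (ealg_insecure)
				{
					loglog(RC_LOG_SERIOUS, "You should NOT use insecure IKE algorithms (%s)!"
							, ealg_name);
				}
				return TRUE;
			}
		}
	}

	aalg_name = enum_name(&oakley_hash_names, aalg);
	if (aalg_name == NULL)
	{
		aalg_name = "<NULL>";
	}
	group_name = enum_name(&oakley_group_names, group);
	if (group_name == NULL)
	{
		group_name = "<NULL>";
	}

	plog("Oakley Transform [%s (%d), %s, %s] refused due to %s"
			, ealg_name, key_len
			, aalg_name
			, group_name
			, ealg_insecure ?
				"insecure key_len and enc. alg. not listed in \"ike\" string" : "strict flag"
	);
	return FALSE;
}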
646