pass SKd to derive_ike_keys() to have a more interoperable API
authorMartin Willi <martin@strongswan.org>
Fri, 28 Nov 2008 09:51:44 +0000 (09:51 -0000)
committerMartin Willi <martin@strongswan.org>
Fri, 28 Nov 2008 09:51:44 +0000 (09:51 -0000)
src/charon/sa/keymat.c
src/charon/sa/keymat.h
src/charon/sa/tasks/ike_init.c

index c65bfc3..8866181 100644 (file)
@@ -63,6 +63,11 @@ struct private_keymat_t {
        prf_t *prf;
        
        /**
+        * Negotiated PRF algorithm
+        */
+       pseudo_random_function_t prf_alg;
+       
+       /**
         * Key to derive key material from for CHILD_SAs, rekeying
         */
        chunk_t skd;
@@ -145,7 +150,8 @@ static diffie_hellman_t* create_dh(private_keymat_t *this,
 static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                                                        diffie_hellman_t *dh, chunk_t nonce_i,
                                                        chunk_t nonce_r, ike_sa_id_t *id,
-                                                       private_keymat_t *rekey)
+                                                       pseudo_random_function_t rekey_function,
+                                                       chunk_t rekey_skd)
 {
        chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed;
        chunk_t spi_i, spi_r;
@@ -153,6 +159,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        signer_t *signer_i, *signer_r;
        prf_plus_t *prf_plus;
        u_int16_t alg, key_size;
+       prf_t *rekey_prf = NULL;
        
        spi_i = chunk_alloca(sizeof(u_int64_t));
        spi_r = chunk_alloca(sizeof(u_int64_t));
@@ -169,6 +176,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                         transform_type_names, PSEUDO_RANDOM_FUNCTION);
                return FALSE;
        }
+       this->prf_alg = alg;
        this->prf = lib->crypto->create_prf(lib->crypto, alg);
        if (this->prf == NULL)
        {
@@ -205,7 +213,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
         *
         * if we are rekeying, SKEYSEED is built on another way
         */
-       if (rekey == NULL) /* not rekeying */
+       if (rekey_function == PRF_UNDEFINED) /* not rekeying */
        {
                /* SKEYSEED = prf(Ni | Nr, g^ir) */
                this->prf->set_key(this->prf, fixed_nonce);
@@ -217,11 +225,21 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        {
                /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) 
                 * use OLD SAs PRF functions for both prf_plus and prf */
+               rekey_prf = lib->crypto->create_prf(lib->crypto, rekey_function);
+               if (!rekey_prf)
+               {
+                       DBG1(DBG_IKE, "PRF of old SA %N not supported!",
+                                pseudo_random_function_names, rekey_function);
+                       chunk_free(&full_nonce);
+                       chunk_free(&fixed_nonce);
+                       chunk_clear(&prf_plus_seed);
+                       return FALSE;
+               }
                secret = chunk_cat("mc", secret, full_nonce);
-               rekey->prf->set_key(rekey->prf, rekey->skd);
-               rekey->prf->allocate_bytes(rekey->prf, secret, &skeyseed);
-               rekey->prf->set_key(rekey->prf, skeyseed);
-               prf_plus = prf_plus_create(rekey->prf, prf_plus_seed);
+               rekey_prf->set_key(rekey_prf, rekey_skd);
+               rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed);
+               rekey_prf->set_key(rekey_prf, skeyseed);
+               prf_plus = prf_plus_create(rekey_prf, prf_plus_seed);
        }
        DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
        
@@ -243,6 +261,8 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        {
                DBG1(DBG_IKE, "no %N selected",
                         transform_type_names, INTEGRITY_ALGORITHM);
+               prf_plus->destroy(prf_plus);
+               DESTROY_IF(rekey_prf);
                return FALSE;
        }
        signer_i = lib->crypto->create_signer(lib->crypto, alg);
@@ -253,6 +273,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                         transform_type_names, INTEGRITY_ALGORITHM,
                         integrity_algorithm_names ,alg);
                prf_plus->destroy(prf_plus);
+               DESTROY_IF(rekey_prf);
                return FALSE;
        }
        key_size = signer_i->get_key_size(signer_i);
@@ -284,6 +305,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                DBG1(DBG_IKE, "no %N selected",
                         transform_type_names, ENCRYPTION_ALGORITHM);
                prf_plus->destroy(prf_plus);
+               DESTROY_IF(rekey_prf);
                return FALSE;
        }
        crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
@@ -294,6 +316,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
                         transform_type_names, ENCRYPTION_ALGORITHM,
                         encryption_algorithm_names, alg, key_size);
                prf_plus->destroy(prf_plus);
+               DESTROY_IF(rekey_prf);
                return FALSE;
        }
        key_size = crypter_i->get_key_size(crypter_i);
@@ -344,6 +367,7 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal,
        
        /* all done, prf_plus not needed anymore */
        prf_plus->destroy(prf_plus);
+       DESTROY_IF(rekey_prf);
        
        return TRUE;
 }
@@ -443,6 +467,15 @@ static bool derive_child_keys(private_keymat_t *this,
 }
 
 /**
+ * Implementation of keymat_t.get_skd
+ */
+static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd)
+{
+       *skd = this->skd;
+       return this->prf_alg;
+}
+
+/**
  * Implementation of keymat_t.get_signer
  */
 static signer_t* get_signer(private_keymat_t *this, bool in)
@@ -544,8 +577,9 @@ keymat_t *keymat_create(bool initiator)
        private_keymat_t *this = malloc_thing(private_keymat_t);
        
        this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh;
-       this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey))derive_ike_keys;
+       this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys;
        this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys;
+       this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd;
        this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer;
        this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter;
        this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets;
@@ -559,6 +593,7 @@ keymat_t *keymat_create(bool initiator)
        this->crypter_in = NULL;
        this->crypter_out = NULL;
        this->prf = NULL;
+       this->prf_alg = PRF_UNDEFINED;
        this->skd = chunk_empty;
        this->skp_verify = chunk_empty;
        this->skp_build = chunk_empty;
index 3ca25da..0d6d08f 100644 (file)
@@ -61,12 +61,15 @@ struct keymat_t {
         * @param nonce_i       initiators nonce value
         * @param nonce_r       responders nonce value
         * @param id            IKE_SA identifier
-        * @param rekey         keymat of old SA if we are rekeying
+        * @param rekey_prf     PRF of old SA if rekeying, PRF_UNDEFINED otherwise
+        * @param rekey_sdk     SKd of old SA if rekeying
         * @return                      TRUE on success
         */
        bool (*derive_ike_keys)(keymat_t *this, proposal_t *proposal,
                                                        diffie_hellman_t *dh, chunk_t nonce_i,
-                                                       chunk_t nonce_r, ike_sa_id_t *id, keymat_t *rekey);
+                                                       chunk_t nonce_r, ike_sa_id_t *id,
+                                                       pseudo_random_function_t rekey_function,
+                                                       chunk_t rekey_skd);
        /**
         * Derive keys for a CHILD_SA.
         *
@@ -91,6 +94,14 @@ struct keymat_t {
                                                          chunk_t *encr_i, chunk_t *integ_i,
                                                          chunk_t *encr_r, chunk_t *integ_r);
        /**
+        * Get SKd to pass to derive_ikey_keys() during rekeying.
+        *
+        * @param skd           chunk to write SKd to (internal data)
+        * @return                      PRF function to derive keymat
+        */
+       pseudo_random_function_t (*get_skd)(keymat_t *this, chunk_t *skd);
+       
+       /**
         * Get a signer to sign/verify IKE messages.
         *
         * @param in            TRUE for inbound (verify), FALSE for outbound (sign)
index ce440d8..4f28909 100644 (file)
@@ -370,13 +370,46 @@ static status_t process_r(private_ike_init_t *this, message_t *message)
 }
 
 /**
- * Implementation of task_t.build for responder
+ * Derive the keymat for the IKE_SA
  */
-static status_t build_r(private_ike_init_t *this, message_t *message)
+static bool derive_keys(private_ike_init_t *this,
+                                               chunk_t nonce_i, chunk_t nonce_r)
 {
-       keymat_t *old_keymat = NULL;
+       keymat_t *old_keymat;
+       pseudo_random_function_t prf_alg = PRF_UNDEFINED;
+       chunk_t skd = chunk_empty;
        ike_sa_id_t *id;
        
+       id = this->ike_sa->get_id(this->ike_sa);
+       if (this->old_sa)
+       {
+               /* rekeying: Include old SKd, use old PRF, apply SPI */
+               old_keymat = this->old_sa->get_keymat(this->old_sa);
+               prf_alg = old_keymat->get_skd(old_keymat, &skd);
+               if (this->initiator)
+               {
+                       id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
+               }
+               else
+               {
+                       id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
+               }
+       }
+       if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
+                                                                          nonce_i, nonce_r, id, prf_alg, skd))
+       {
+               return FALSE;
+       }
+       charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
+                                                 nonce_i, nonce_r, this->old_sa);
+       return TRUE;
+}
+
+/**
+ * Implementation of task_t.build for responder
+ */
+static status_t build_r(private_ike_init_t *this, message_t *message)
+{
        /* check if we have everything we need */
        if (this->proposal == NULL ||
                this->other_nonce.len == 0 || this->my_nonce.len == 0)
@@ -410,23 +443,12 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
                return FAILED;
        }
        
-       id = this->ike_sa->get_id(this->ike_sa);
-       if (this->old_sa)
-       {       /* rekeying: Apply SPI, include keymat from old SA in key derivation */
-               id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
-               old_keymat = this->old_sa->get_keymat(this->old_sa);
-       }
-       if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
-                                                       this->other_nonce, this->my_nonce, id, old_keymat))
+       if (!derive_keys(this, this->other_nonce, this->my_nonce))
        {
                DBG1(DBG_IKE, "key derivation failed");
                message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
                return FAILED;
        }
-       
-       charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
-                                                 this->other_nonce, this->my_nonce, this->old_sa);
-       
        build_payloads(this, message);
        return SUCCESS;
 }
@@ -436,8 +458,6 @@ static status_t build_r(private_ike_init_t *this, message_t *message)
  */
 static status_t process_i(private_ike_init_t *this, message_t *message)
 {
-       keymat_t *old_keymat = NULL;
-       ike_sa_id_t *id;
        iterator_t *iterator;
        payload_t *payload;
 
@@ -521,22 +541,11 @@ static status_t process_i(private_ike_init_t *this, message_t *message)
                return FAILED;
        }
        
-       id = this->ike_sa->get_id(this->ike_sa);
-       if (this->old_sa)
-       {       /* rekeying: Apply SPI, include keymat from old SA in key derivation */
-               id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
-               old_keymat = this->old_sa->get_keymat(this->old_sa);
-       }
-       if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
-                                                       this->my_nonce, this->other_nonce, id, old_keymat))
+       if (!derive_keys(this, this->my_nonce, this->other_nonce))
        {
                DBG1(DBG_IKE, "key derivation failed");
                return FAILED;
        }
-       
-       charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh,
-                                                 this->my_nonce, this->other_nonce, this->old_sa);
-       
        return SUCCESS;
 }