diff options
Diffstat (limited to 'src/libcharon/sa/keymat.c')
-rw-r--r-- | src/libcharon/sa/keymat.c | 348 |
1 files changed, 182 insertions, 166 deletions
diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c index 837cbe428..878ad124f 100644 --- a/src/libcharon/sa/keymat.c +++ b/src/libcharon/sa/keymat.c @@ -36,24 +36,14 @@ struct private_keymat_t { bool initiator; /** - * inbound signer (verify) + * inbound AEAD */ - signer_t *signer_in; + aead_t *aead_in; /** - * outbound signer (sign) + * outbound AEAD */ - signer_t *signer_out; - - /** - * inbound crypter (decrypt) - */ - crypter_t *crypter_in; - - /** - * outbound crypter (encrypt) - */ - crypter_t *crypter_out; + aead_t *aead_out; /** * General purpose PRF @@ -134,30 +124,135 @@ static int lookup_keylen(keylen_entry_t *list, int algo) return 0; } +METHOD(keymat_t, create_dh, diffie_hellman_t*, + private_keymat_t *this, diffie_hellman_group_t group) +{ + return lib->crypto->create_dh(lib->crypto, group);; +} + /** - * Implementation of keymat_t.create_dh + * Derive IKE keys for a combined AEAD algorithm */ -static diffie_hellman_t* create_dh(private_keymat_t *this, - diffie_hellman_group_t group) +static bool derive_ike_aead(private_keymat_t *this, u_int16_t alg, + u_int16_t key_size, prf_plus_t *prf_plus) { - return lib->crypto->create_dh(lib->crypto, group);; + aead_t *aead_i, *aead_r; + chunk_t key; + + /* SK_ei/SK_er used for encryption */ + aead_i = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); + aead_r = lib->crypto->create_aead(lib->crypto, alg, key_size / 8); + if (aead_i == NULL || aead_r == NULL) + { + DBG1(DBG_IKE, "%N %N (key size %d) not supported!", + transform_type_names, ENCRYPTION_ALGORITHM, + encryption_algorithm_names, alg, key_size); + return FALSE; + } + key_size = aead_i->get_key_size(aead_i); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ei secret %B", &key); + aead_i->set_key(aead_i, key); + chunk_clear(&key); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_er secret %B", &key); + aead_r->set_key(aead_r, key); + chunk_clear(&key); + + if (this->initiator) + { + this->aead_in = aead_r; + this->aead_out = aead_i; + } + else + { + this->aead_in = aead_i; + this->aead_out = aead_r; + } + return TRUE; } /** - * Implementation of keymat_t.derive_keys + * Derive IKE keys for traditional encryption and MAC algorithms */ -static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, - diffie_hellman_t *dh, chunk_t nonce_i, - chunk_t nonce_r, ike_sa_id_t *id, - pseudo_random_function_t rekey_function, - chunk_t rekey_skd) +static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg, + u_int16_t enc_size, u_int16_t int_alg, prf_plus_t *prf_plus) { - chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; - chunk_t spi_i, spi_r; crypter_t *crypter_i, *crypter_r; signer_t *signer_i, *signer_r; + size_t key_size; + chunk_t key; + + /* SK_ai/SK_ar used for integrity protection */ + signer_i = lib->crypto->create_signer(lib->crypto, int_alg); + signer_r = lib->crypto->create_signer(lib->crypto, int_alg); + if (signer_i == NULL || signer_r == NULL) + { + DBG1(DBG_IKE, "%N %N not supported!", + transform_type_names, INTEGRITY_ALGORITHM, + integrity_algorithm_names, int_alg); + return FALSE; + } + key_size = signer_i->get_key_size(signer_i); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ai secret %B", &key); + signer_i->set_key(signer_i, key); + chunk_clear(&key); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ar secret %B", &key); + signer_r->set_key(signer_r, key); + chunk_clear(&key); + + /* SK_ei/SK_er used for encryption */ + crypter_i = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8); + crypter_r = lib->crypto->create_crypter(lib->crypto, enc_alg, enc_size / 8); + if (crypter_i == NULL || crypter_r == NULL) + { + DBG1(DBG_IKE, "%N %N (key size %d) not supported!", + transform_type_names, ENCRYPTION_ALGORITHM, + encryption_algorithm_names, enc_alg, key_size); + signer_i->destroy(signer_i); + signer_r->destroy(signer_r); + return FALSE; + } + key_size = crypter_i->get_key_size(crypter_i); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_ei secret %B", &key); + crypter_i->set_key(crypter_i, key); + chunk_clear(&key); + + prf_plus->allocate_bytes(prf_plus, key_size, &key); + DBG4(DBG_IKE, "Sk_er secret %B", &key); + crypter_r->set_key(crypter_r, key); + chunk_clear(&key); + + if (this->initiator) + { + this->aead_in = aead_create(crypter_r, signer_r); + this->aead_out = aead_create(crypter_i, signer_i); + } + else + { + this->aead_in = aead_create(crypter_i, signer_i); + this->aead_out = aead_create(crypter_r, signer_r); + } + return TRUE; +} + +METHOD(keymat_t, derive_ike_keys, bool, + private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, + pseudo_random_function_t rekey_function, chunk_t rekey_skd) +{ + chunk_t skeyseed, key, secret, full_nonce, fixed_nonce, prf_plus_seed; + chunk_t spi_i, spi_r; prf_plus_t *prf_plus; - u_int16_t alg, key_size; + u_int16_t alg, key_size, int_alg; prf_t *rekey_prf = NULL; spi_i = chunk_alloca(sizeof(u_int64_t)); @@ -195,6 +290,9 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does * not and therefore fixed key semantics apply to XCBC for key * derivation. */ + case PRF_CAMELLIA128_XCBC: + /* draft-kanno-ipsecme-camellia-xcbc refers to rfc 4434, we + * assume fixed key length. */ key_size = this->prf->get_key_size(this->prf)/2; nonce_i.len = min(nonce_i.len, key_size); nonce_r.len = min(nonce_r.len, key_size); @@ -255,50 +353,6 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, prf_plus->allocate_bytes(prf_plus, key_size, &this->skd); DBG4(DBG_IKE, "Sk_d secret %B", &this->skd); - /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */ - if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL)) - { - DBG1(DBG_IKE, "no %N selected", - transform_type_names, INTEGRITY_ALGORITHM); - prf_plus->destroy(prf_plus); - DESTROY_IF(rekey_prf); - return FALSE; - } - signer_i = lib->crypto->create_signer(lib->crypto, alg); - signer_r = lib->crypto->create_signer(lib->crypto, alg); - if (signer_i == NULL || signer_r == NULL) - { - DBG1(DBG_IKE, "%N %N not supported!", - transform_type_names, INTEGRITY_ALGORITHM, - integrity_algorithm_names ,alg); - prf_plus->destroy(prf_plus); - DESTROY_IF(rekey_prf); - return FALSE; - } - key_size = signer_i->get_key_size(signer_i); - - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_ai secret %B", &key); - signer_i->set_key(signer_i, key); - chunk_clear(&key); - - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_ar secret %B", &key); - signer_r->set_key(signer_r, key); - chunk_clear(&key); - - if (this->initiator) - { - this->signer_in = signer_r; - this->signer_out = signer_i; - } - else - { - this->signer_in = signer_i; - this->signer_out = signer_r; - } - - /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */ if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size)) { DBG1(DBG_IKE, "no %N selected", @@ -307,38 +361,33 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, DESTROY_IF(rekey_prf); return FALSE; } - crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); - crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); - if (crypter_i == NULL || crypter_r == NULL) - { - DBG1(DBG_IKE, "%N %N (key size %d) not supported!", - transform_type_names, ENCRYPTION_ALGORITHM, - encryption_algorithm_names, alg, key_size); - prf_plus->destroy(prf_plus); - DESTROY_IF(rekey_prf); - return FALSE; - } - key_size = crypter_i->get_key_size(crypter_i); - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_ei secret %B", &key); - crypter_i->set_key(crypter_i, key); - chunk_clear(&key); - - prf_plus->allocate_bytes(prf_plus, key_size, &key); - DBG4(DBG_IKE, "Sk_er secret %B", &key); - crypter_r->set_key(crypter_r, key); - chunk_clear(&key); - - if (this->initiator) + if (encryption_algorithm_is_aead(alg)) { - this->crypter_in = crypter_r; - this->crypter_out = crypter_i; + if (!derive_ike_aead(this, alg, key_size, prf_plus)) + { + prf_plus->destroy(prf_plus); + DESTROY_IF(rekey_prf); + return FALSE; + } } else { - this->crypter_in = crypter_i; - this->crypter_out = crypter_r; + if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, + &int_alg, NULL)) + { + DBG1(DBG_IKE, "no %N selected", + transform_type_names, INTEGRITY_ALGORITHM); + prf_plus->destroy(prf_plus); + DESTROY_IF(rekey_prf); + return FALSE; + } + if (!derive_ike_traditional(this, alg, key_size, int_alg, prf_plus)) + { + prf_plus->destroy(prf_plus); + DESTROY_IF(rekey_prf); + return FALSE; + } } /* SK_pi/SK_pr used for authentication => stored for later */ @@ -371,14 +420,10 @@ static bool derive_ike_keys(private_keymat_t *this, proposal_t *proposal, return TRUE; } -/** - * Implementation of keymat_t.derive_child_keys - */ -static bool derive_child_keys(private_keymat_t *this, - proposal_t *proposal, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r, - chunk_t *encr_i, chunk_t *integ_i, - chunk_t *encr_r, chunk_t *integ_r) +METHOD(keymat_t, derive_child_keys, bool, + private_keymat_t *this, proposal_t *proposal, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, + chunk_t *encr_r, chunk_t *integ_r) { u_int16_t enc_alg, int_alg, enc_size = 0, int_size = 0; chunk_t seed, secret = chunk_empty; @@ -480,37 +525,22 @@ static bool derive_child_keys(private_keymat_t *this, return TRUE; } -/** - * Implementation of keymat_t.get_skd - */ -static pseudo_random_function_t get_skd(private_keymat_t *this, chunk_t *skd) +METHOD(keymat_t, get_skd, pseudo_random_function_t, + private_keymat_t *this, chunk_t *skd) { *skd = this->skd; return this->prf_alg; } -/** - * Implementation of keymat_t.get_signer - */ -static signer_t* get_signer(private_keymat_t *this, bool in) -{ - return in ? this->signer_in : this->signer_out; -} - -/** - * Implementation of keymat_t.get_crypter - */ -static crypter_t* get_crypter(private_keymat_t *this, bool in) +METHOD(keymat_t, get_aead, aead_t*, + private_keymat_t *this, bool in) { - return in ? this->crypter_in : this->crypter_out; + return in ? this->aead_in : this->aead_out; } -/** - * Implementation of keymat_t.get_auth_octets - */ -static chunk_t get_auth_octets(private_keymat_t *this, bool verify, - chunk_t ike_sa_init, chunk_t nonce, - identification_t *id) +METHOD(keymat_t, get_auth_octets, chunk_t, + private_keymat_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, identification_t *id) { chunk_t chunk, idx, octets; chunk_t skp; @@ -538,12 +568,9 @@ static chunk_t get_auth_octets(private_keymat_t *this, bool verify, #define IKEV2_KEY_PAD "Key Pad for IKEv2" #define IKEV2_KEY_PAD_LENGTH 17 -/** - * Implementation of keymat_t.get_psk_sig - */ -static chunk_t get_psk_sig(private_keymat_t *this, bool verify, - chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, - identification_t *id) +METHOD(keymat_t, get_psk_sig, chunk_t, + private_keymat_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, chunk_t secret, identification_t *id) { chunk_t key_pad, key, sig, octets; @@ -567,15 +594,11 @@ static chunk_t get_psk_sig(private_keymat_t *this, bool verify, return sig; } -/** - * Implementation of keymat_t.destroy. - */ -static void destroy(private_keymat_t *this) +METHOD(keymat_t, destroy, void, + private_keymat_t *this) { - DESTROY_IF(this->signer_in); - DESTROY_IF(this->signer_out); - DESTROY_IF(this->crypter_in); - DESTROY_IF(this->crypter_out); + DESTROY_IF(this->aead_in); + DESTROY_IF(this->aead_out); DESTROY_IF(this->prf); chunk_clear(&this->skd); chunk_clear(&this->skp_verify); @@ -588,29 +611,22 @@ static void destroy(private_keymat_t *this) */ keymat_t *keymat_create(bool initiator) { - private_keymat_t *this = malloc_thing(private_keymat_t); - - this->public.create_dh = (diffie_hellman_t*(*)(keymat_t*, diffie_hellman_group_t group))create_dh; - this->public.derive_ike_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, pseudo_random_function_t,chunk_t))derive_ike_keys; - this->public.derive_child_keys = (bool(*)(keymat_t*, proposal_t *proposal, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r))derive_child_keys; - this->public.get_skd = (pseudo_random_function_t(*)(keymat_t*, chunk_t *skd))get_skd; - this->public.get_signer = (signer_t*(*)(keymat_t*, bool in))get_signer; - this->public.get_crypter = (crypter_t*(*)(keymat_t*, bool in))get_crypter; - this->public.get_auth_octets = (chunk_t(*)(keymat_t *, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id))get_auth_octets; - this->public.get_psk_sig = (chunk_t(*)(keymat_t*, bool verify, chunk_t ike_sa_init, chunk_t nonce, chunk_t secret, identification_t *id))get_psk_sig; - this->public.destroy = (void(*)(keymat_t*))destroy; - - this->initiator = initiator; - - this->signer_in = NULL; - this->signer_out = NULL; - this->crypter_in = NULL; - this->crypter_out = NULL; - this->prf = NULL; - this->prf_alg = PRF_UNDEFINED; - this->skd = chunk_empty; - this->skp_verify = chunk_empty; - this->skp_build = chunk_empty; + private_keymat_t *this; + + INIT(this, + .public = { + .create_dh = _create_dh, + .derive_ike_keys = _derive_ike_keys, + .derive_child_keys = _derive_child_keys, + .get_skd = _get_skd, + .get_aead = _get_aead, + .get_auth_octets = _get_auth_octets, + .get_psk_sig = _get_psk_sig, + .destroy = _destroy, + }, + .initiator = initiator, + .prf_alg = PRF_UNDEFINED, + ); return &this->public; } |