Return to keymat_v1.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev1 |
1.1 misho 1: /* 2: * Copyright (C) 2011 Tobias Brunner 3: * HSR Hochschule fuer Technik Rapperswil 4: * 5: * This program is free software; you can redistribute it and/or modify it 6: * under the terms of the GNU General Public License as published by the 7: * Free Software Foundation; either version 2 of the License, or (at your 8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 9: * 10: * This program is distributed in the hope that it will be useful, but 11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 13: * for more details. 14: */ 15: 16: #include "keymat_v1.h" 17: 18: #include <daemon.h> 19: #include <sa/ikev1/iv_manager.h> 20: #include <encoding/generator.h> 21: #include <encoding/payloads/nonce_payload.h> 22: 23: typedef struct private_keymat_v1_t private_keymat_v1_t; 24: 25: /** 26: * Private data of an keymat_t object. 27: */ 28: struct private_keymat_v1_t { 29: 30: /** 31: * Public keymat_v1_t interface. 32: */ 33: keymat_v1_t public; 34: 35: /** 36: * IKE_SA Role, initiator or responder 37: */ 38: bool initiator; 39: 40: /** 41: * General purpose PRF 42: */ 43: prf_t *prf; 44: 45: /** 46: * PRF to create Phase 1 HASH payloads 47: */ 48: prf_t *prf_auth; 49: 50: /** 51: * Crypter wrapped in an aead_t interface 52: */ 53: aead_t *aead; 54: 55: /** 56: * Hasher used for IV generation (and other things like e.g. NAT-T) 57: */ 58: hasher_t *hasher; 59: 60: /** 61: * Key to derive key material from for non-ISAKMP SAs, rekeying 62: */ 63: chunk_t skeyid_d; 64: 65: /** 66: * Key used for authentication after main mode 67: */ 68: chunk_t skeyid_a; 69: 70: /** 71: * IV and QM manager 72: */ 73: iv_manager_t *iv_manager; 74: }; 75: 76: /** 77: * Constants used in key derivation. 78: */ 79: static const chunk_t octet_0 = chunk_from_chars(0x00); 80: static const chunk_t octet_1 = chunk_from_chars(0x01); 81: static const chunk_t octet_2 = chunk_from_chars(0x02); 82: 83: /** 84: * Simple aead_t implementation without support for authentication. 85: */ 86: typedef struct { 87: /** implements aead_t interface */ 88: aead_t aead; 89: /** crypter to be used */ 90: crypter_t *crypter; 91: } private_aead_t; 92: 93: 94: METHOD(aead_t, encrypt, bool, 95: private_aead_t *this, chunk_t plain, chunk_t assoc, chunk_t iv, 96: chunk_t *encrypted) 97: { 98: return this->crypter->encrypt(this->crypter, plain, iv, encrypted); 99: } 100: 101: METHOD(aead_t, decrypt, bool, 102: private_aead_t *this, chunk_t encrypted, chunk_t assoc, chunk_t iv, 103: chunk_t *plain) 104: { 105: return this->crypter->decrypt(this->crypter, encrypted, iv, plain); 106: } 107: 108: METHOD(aead_t, get_block_size, size_t, 109: private_aead_t *this) 110: { 111: return this->crypter->get_block_size(this->crypter); 112: } 113: 114: METHOD(aead_t, get_icv_size, size_t, 115: private_aead_t *this) 116: { 117: return 0; 118: } 119: 120: METHOD(aead_t, get_iv_size, size_t, 121: private_aead_t *this) 122: { 123: /* in order to create the messages properly we return 0 here */ 124: return 0; 125: } 126: 127: METHOD(aead_t, get_iv_gen, iv_gen_t*, 128: private_aead_t *this) 129: { 130: /* IVs are retrieved via keymat_v1.get_iv() */ 131: return NULL; 132: } 133: 134: METHOD(aead_t, get_key_size, size_t, 135: private_aead_t *this) 136: { 137: return this->crypter->get_key_size(this->crypter); 138: } 139: 140: METHOD(aead_t, set_key, bool, 141: private_aead_t *this, chunk_t key) 142: { 143: return this->crypter->set_key(this->crypter, key); 144: } 145: 146: METHOD(aead_t, aead_destroy, void, 147: private_aead_t *this) 148: { 149: this->crypter->destroy(this->crypter); 150: free(this); 151: } 152: 153: /** 154: * Expand SKEYID_e according to Appendix B in RFC 2409. 155: * TODO-IKEv1: verify keys (e.g. for weak keys, see Appendix B) 156: */ 157: static bool expand_skeyid_e(chunk_t skeyid_e, size_t key_size, prf_t *prf, 158: chunk_t *ka) 159: { 160: size_t block_size; 161: chunk_t seed; 162: int i; 163: 164: if (skeyid_e.len >= key_size) 165: { /* no expansion required, reduce to key_size */ 166: skeyid_e.len = key_size; 167: *ka = skeyid_e; 168: return TRUE; 169: } 170: block_size = prf->get_block_size(prf); 171: *ka = chunk_alloc((key_size / block_size + 1) * block_size); 172: ka->len = key_size; 173: 174: /* Ka = K1 | K2 | ..., K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1) ... */ 175: if (!prf->set_key(prf, skeyid_e)) 176: { 177: chunk_clear(ka); 178: chunk_clear(&skeyid_e); 179: return FALSE; 180: } 181: seed = octet_0; 182: for (i = 0; i < key_size; i += block_size) 183: { 184: if (!prf->get_bytes(prf, seed, ka->ptr + i)) 185: { 186: chunk_clear(ka); 187: chunk_clear(&skeyid_e); 188: return FALSE; 189: } 190: seed = chunk_create(ka->ptr + i, block_size); 191: } 192: chunk_clear(&skeyid_e); 193: return TRUE; 194: } 195: 196: /** 197: * Create a simple implementation of the aead_t interface which only encrypts 198: * or decrypts data. 199: */ 200: static aead_t *create_aead(proposal_t *proposal, prf_t *prf, chunk_t skeyid_e, 201: chunk_t *ka) 202: { 203: private_aead_t *this; 204: uint16_t alg, key_size; 205: crypter_t *crypter; 206: 207: if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, 208: &key_size)) 209: { 210: DBG1(DBG_IKE, "no %N selected", 211: transform_type_names, ENCRYPTION_ALGORITHM); 212: return NULL; 213: } 214: crypter = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8); 215: if (!crypter) 216: { 217: DBG1(DBG_IKE, "%N %N (key size %d) not supported!", 218: transform_type_names, ENCRYPTION_ALGORITHM, 219: encryption_algorithm_names, alg, key_size); 220: return NULL; 221: } 222: if (!expand_skeyid_e(skeyid_e, crypter->get_key_size(crypter), prf, ka)) 223: { 224: return NULL; 225: } 226: DBG4(DBG_IKE, "encryption key Ka %B", ka); 227: if (!crypter->set_key(crypter, *ka)) 228: { 229: chunk_clear(ka); 230: return NULL; 231: } 232: 233: INIT(this, 234: .aead = { 235: .encrypt = _encrypt, 236: .decrypt = _decrypt, 237: .get_block_size = _get_block_size, 238: .get_icv_size = _get_icv_size, 239: .get_iv_size = _get_iv_size, 240: .get_iv_gen = _get_iv_gen, 241: .get_key_size = _get_key_size, 242: .set_key = _set_key, 243: .destroy = _aead_destroy, 244: }, 245: .crypter = crypter, 246: ); 247: return &this->aead; 248: } 249: 250: /** 251: * Converts integrity algorithm to PRF algorithm 252: */ 253: static uint16_t auth_to_prf(uint16_t alg) 254: { 255: switch (alg) 256: { 257: case AUTH_HMAC_SHA1_96: 258: return PRF_HMAC_SHA1; 259: case AUTH_HMAC_SHA2_256_128: 260: return PRF_HMAC_SHA2_256; 261: case AUTH_HMAC_SHA2_384_192: 262: return PRF_HMAC_SHA2_384; 263: case AUTH_HMAC_SHA2_512_256: 264: return PRF_HMAC_SHA2_512; 265: case AUTH_HMAC_MD5_96: 266: return PRF_HMAC_MD5; 267: case AUTH_AES_XCBC_96: 268: return PRF_AES128_XCBC; 269: default: 270: return PRF_UNDEFINED; 271: } 272: } 273: 274: /** 275: * Converts integrity algorithm to hash algorithm 276: */ 277: static uint16_t auth_to_hash(uint16_t alg) 278: { 279: switch (alg) 280: { 281: case AUTH_HMAC_SHA1_96: 282: return HASH_SHA1; 283: case AUTH_HMAC_SHA2_256_128: 284: return HASH_SHA256; 285: case AUTH_HMAC_SHA2_384_192: 286: return HASH_SHA384; 287: case AUTH_HMAC_SHA2_512_256: 288: return HASH_SHA512; 289: case AUTH_HMAC_MD5_96: 290: return HASH_MD5; 291: default: 292: return HASH_UNKNOWN; 293: } 294: } 295: 296: /** 297: * Adjust the key length for PRF algorithms that expect a fixed key length. 298: */ 299: static void adjust_keylen(uint16_t alg, chunk_t *key) 300: { 301: switch (alg) 302: { 303: case PRF_AES128_XCBC: 304: /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does 305: * not and therefore fixed key semantics apply to XCBC for key 306: * derivation. */ 307: key->len = min(key->len, 16); 308: break; 309: default: 310: /* all other algorithms use variable key length */ 311: break; 312: } 313: } 314: 315: METHOD(keymat_v1_t, derive_ike_keys, bool, 316: private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh, 317: chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_id_t *id, 318: auth_method_t auth, shared_key_t *shared_key) 319: { 320: chunk_t g_xy, g_xi, g_xr, dh_me, spi_i, spi_r, nonces, data, skeyid_e; 321: chunk_t skeyid, ka; 322: uint16_t alg; 323: 324: spi_i = chunk_alloca(sizeof(uint64_t)); 325: spi_r = chunk_alloca(sizeof(uint64_t)); 326: 327: if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL)) 328: { /* no PRF negotiated, use HMAC version of integrity algorithm instead */ 329: if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) 330: || (alg = auth_to_prf(alg)) == PRF_UNDEFINED) 331: { 332: DBG1(DBG_IKE, "no %N selected", 333: transform_type_names, PSEUDO_RANDOM_FUNCTION); 334: return FALSE; 335: } 336: } 337: this->prf = lib->crypto->create_prf(lib->crypto, alg); 338: if (!this->prf) 339: { 340: DBG1(DBG_IKE, "%N %N not supported!", 341: transform_type_names, PSEUDO_RANDOM_FUNCTION, 342: pseudo_random_function_names, alg); 343: return FALSE; 344: } 345: if (this->prf->get_block_size(this->prf) < 346: this->prf->get_key_size(this->prf)) 347: { /* TODO-IKEv1: support PRF output expansion (RFC 2409, Appendix B) */ 348: DBG1(DBG_IKE, "expansion of %N %N output not supported!", 349: transform_type_names, PSEUDO_RANDOM_FUNCTION, 350: pseudo_random_function_names, alg); 351: return FALSE; 352: } 353: 354: if (!dh->get_shared_secret(dh, &g_xy)) 355: { 356: return FALSE; 357: } 358: DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &g_xy); 359: 360: *((uint64_t*)spi_i.ptr) = id->get_initiator_spi(id); 361: *((uint64_t*)spi_r.ptr) = id->get_responder_spi(id); 362: nonces = chunk_cata("cc", nonce_i, nonce_r); 363: 364: switch (auth) 365: { 366: case AUTH_PSK: 367: case AUTH_XAUTH_INIT_PSK: 368: case AUTH_XAUTH_RESP_PSK: 369: { /* SKEYID = prf(pre-shared-key, Ni_b | Nr_b) */ 370: chunk_t psk; 371: if (!shared_key) 372: { 373: chunk_clear(&g_xy); 374: return FALSE; 375: } 376: psk = shared_key->get_key(shared_key); 377: adjust_keylen(alg, &psk); 378: if (!this->prf->set_key(this->prf, psk) || 379: !this->prf->allocate_bytes(this->prf, nonces, &skeyid)) 380: { 381: chunk_clear(&g_xy); 382: return FALSE; 383: } 384: break; 385: } 386: case AUTH_RSA: 387: case AUTH_ECDSA_256: 388: case AUTH_ECDSA_384: 389: case AUTH_ECDSA_521: 390: case AUTH_XAUTH_INIT_RSA: 391: case AUTH_XAUTH_RESP_RSA: 392: case AUTH_HYBRID_INIT_RSA: 393: case AUTH_HYBRID_RESP_RSA: 394: { 395: if (!this->prf->set_key(this->prf, nonces) || 396: !this->prf->allocate_bytes(this->prf, g_xy, &skeyid)) 397: { 398: chunk_clear(&g_xy); 399: return FALSE; 400: } 401: break; 402: } 403: default: 404: /* TODO-IKEv1: implement key derivation for other schemes */ 405: /* authentication class not supported */ 406: chunk_clear(&g_xy); 407: return FALSE; 408: } 409: adjust_keylen(alg, &skeyid); 410: DBG4(DBG_IKE, "SKEYID %B", &skeyid); 411: 412: /* SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0) */ 413: data = chunk_cat("cccc", g_xy, spi_i, spi_r, octet_0); 414: if (!this->prf->set_key(this->prf, skeyid) || 415: !this->prf->allocate_bytes(this->prf, data, &this->skeyid_d)) 416: { 417: chunk_clear(&g_xy); 418: chunk_clear(&data); 419: chunk_clear(&skeyid); 420: return FALSE; 421: } 422: chunk_clear(&data); 423: DBG4(DBG_IKE, "SKEYID_d %B", &this->skeyid_d); 424: 425: /* SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1) */ 426: data = chunk_cat("ccccc", this->skeyid_d, g_xy, spi_i, spi_r, octet_1); 427: if (!this->prf->allocate_bytes(this->prf, data, &this->skeyid_a)) 428: { 429: chunk_clear(&g_xy); 430: chunk_clear(&data); 431: chunk_clear(&skeyid); 432: return FALSE; 433: } 434: chunk_clear(&data); 435: DBG4(DBG_IKE, "SKEYID_a %B", &this->skeyid_a); 436: 437: /* SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2) */ 438: data = chunk_cat("ccccc", this->skeyid_a, g_xy, spi_i, spi_r, octet_2); 439: if (!this->prf->allocate_bytes(this->prf, data, &skeyid_e)) 440: { 441: chunk_clear(&g_xy); 442: chunk_clear(&data); 443: chunk_clear(&skeyid); 444: return FALSE; 445: } 446: chunk_clear(&data); 447: DBG4(DBG_IKE, "SKEYID_e %B", &skeyid_e); 448: 449: chunk_clear(&g_xy); 450: 451: switch (auth) 452: { 453: case AUTH_ECDSA_256: 454: alg = PRF_HMAC_SHA2_256; 455: break; 456: case AUTH_ECDSA_384: 457: alg = PRF_HMAC_SHA2_384; 458: break; 459: case AUTH_ECDSA_521: 460: alg = PRF_HMAC_SHA2_512; 461: break; 462: default: 463: /* use proposal algorithm */ 464: break; 465: } 466: this->prf_auth = lib->crypto->create_prf(lib->crypto, alg); 467: if (!this->prf_auth) 468: { 469: DBG1(DBG_IKE, "%N %N not supported!", 470: transform_type_names, PSEUDO_RANDOM_FUNCTION, 471: pseudo_random_function_names, alg); 472: chunk_clear(&skeyid); 473: return FALSE; 474: } 475: if (!this->prf_auth->set_key(this->prf_auth, skeyid)) 476: { 477: chunk_clear(&skeyid); 478: return FALSE; 479: } 480: chunk_clear(&skeyid); 481: 482: this->aead = create_aead(proposal, this->prf, skeyid_e, &ka); 483: if (!this->aead) 484: { 485: return FALSE; 486: } 487: charon->bus->ike_derived_keys(charon->bus, ka, chunk_empty, this->skeyid_a, 488: chunk_empty); 489: chunk_clear(&ka); 490: if (!this->hasher && !this->public.create_hasher(&this->public, proposal)) 491: { 492: return FALSE; 493: } 494: 495: if (!dh->get_my_public_value(dh, &dh_me)) 496: { 497: return FALSE; 498: } 499: g_xi = this->initiator ? dh_me : dh_other; 500: g_xr = this->initiator ? dh_other : dh_me; 501: 502: /* initial IV = hash(g^xi | g^xr) */ 503: data = chunk_cata("cc", g_xi, g_xr); 504: chunk_free(&dh_me); 505: return this->iv_manager->init_iv_chain(this->iv_manager, data, this->hasher, 506: this->aead->get_block_size(this->aead)); 507: } 508: 509: METHOD(keymat_v1_t, derive_child_keys, bool, 510: private_keymat_v1_t *this, proposal_t *proposal, diffie_hellman_t *dh, 511: uint32_t spi_i, uint32_t spi_r, chunk_t nonce_i, chunk_t nonce_r, 512: chunk_t *encr_i, chunk_t *integ_i, chunk_t *encr_r, chunk_t *integ_r) 513: { 514: uint16_t enc_alg, int_alg, enc_size = 0, int_size = 0; 515: uint8_t protocol; 516: prf_plus_t *prf_plus; 517: chunk_t seed, secret = chunk_empty; 518: bool success = FALSE; 519: 520: if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, 521: &enc_alg, &enc_size)) 522: { 523: DBG2(DBG_CHD, " using %N for encryption", 524: encryption_algorithm_names, enc_alg); 525: 526: if (!enc_size) 527: { 528: enc_size = keymat_get_keylen_encr(enc_alg); 529: } 530: if (enc_alg != ENCR_NULL && !enc_size) 531: { 532: DBG1(DBG_CHD, "no keylength defined for %N", 533: encryption_algorithm_names, enc_alg); 534: return FALSE; 535: } 536: /* to bytes */ 537: enc_size /= 8; 538: 539: /* CCM/GCM/CTR/GMAC needs additional bytes */ 540: switch (enc_alg) 541: { 542: case ENCR_AES_CCM_ICV8: 543: case ENCR_AES_CCM_ICV12: 544: case ENCR_AES_CCM_ICV16: 545: case ENCR_CAMELLIA_CCM_ICV8: 546: case ENCR_CAMELLIA_CCM_ICV12: 547: case ENCR_CAMELLIA_CCM_ICV16: 548: enc_size += 3; 549: break; 550: case ENCR_AES_GCM_ICV8: 551: case ENCR_AES_GCM_ICV12: 552: case ENCR_AES_GCM_ICV16: 553: case ENCR_AES_CTR: 554: case ENCR_NULL_AUTH_AES_GMAC: 555: enc_size += 4; 556: break; 557: default: 558: break; 559: } 560: } 561: 562: if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, 563: &int_alg, &int_size)) 564: { 565: DBG2(DBG_CHD, " using %N for integrity", 566: integrity_algorithm_names, int_alg); 567: 568: if (!int_size) 569: { 570: int_size = keymat_get_keylen_integ(int_alg); 571: } 572: if (!int_size) 573: { 574: DBG1(DBG_CHD, "no keylength defined for %N", 575: integrity_algorithm_names, int_alg); 576: return FALSE; 577: } 578: /* to bytes */ 579: int_size /= 8; 580: } 581: 582: /* KEYMAT = prf+(SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b) */ 583: if (!this->prf->set_key(this->prf, this->skeyid_d)) 584: { 585: return FALSE; 586: } 587: protocol = proposal->get_protocol(proposal); 588: if (dh) 589: { 590: if (!dh->get_shared_secret(dh, &secret)) 591: { 592: return FALSE; 593: } 594: DBG4(DBG_CHD, "DH secret %B", &secret); 595: } 596: 597: *encr_r = *integ_r = *encr_i = *integ_i = chunk_empty; 598: seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol), 599: chunk_from_thing(spi_r), nonce_i, nonce_r); 600: DBG4(DBG_CHD, "initiator SA seed %B", &seed); 601: 602: prf_plus = prf_plus_create(this->prf, FALSE, seed); 603: if (!prf_plus || 604: !prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) || 605: !prf_plus->allocate_bytes(prf_plus, int_size, integ_i)) 606: { 607: goto failure; 608: } 609: 610: seed = chunk_cata("ccccc", secret, chunk_from_thing(protocol), 611: chunk_from_thing(spi_i), nonce_i, nonce_r); 612: DBG4(DBG_CHD, "responder SA seed %B", &seed); 613: prf_plus->destroy(prf_plus); 614: prf_plus = prf_plus_create(this->prf, FALSE, seed); 615: if (!prf_plus || 616: !prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) || 617: !prf_plus->allocate_bytes(prf_plus, int_size, integ_r)) 618: { 619: goto failure; 620: } 621: 622: if (enc_size) 623: { 624: DBG4(DBG_CHD, "encryption initiator key %B", encr_i); 625: DBG4(DBG_CHD, "encryption responder key %B", encr_r); 626: } 627: if (int_size) 628: { 629: DBG4(DBG_CHD, "integrity initiator key %B", integ_i); 630: DBG4(DBG_CHD, "integrity responder key %B", integ_r); 631: } 632: success = TRUE; 633: 634: failure: 635: if (!success) 636: { 637: chunk_clear(encr_i); 638: chunk_clear(integ_i); 639: chunk_clear(encr_r); 640: chunk_clear(integ_r); 641: } 642: DESTROY_IF(prf_plus); 643: chunk_clear(&secret); 644: 645: return success; 646: } 647: 648: METHOD(keymat_v1_t, create_hasher, bool, 649: private_keymat_v1_t *this, proposal_t *proposal) 650: { 651: uint16_t alg; 652: if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL) || 653: (alg = auth_to_hash(alg)) == HASH_UNKNOWN) 654: { 655: DBG1(DBG_IKE, "no %N selected", transform_type_names, HASH_ALGORITHM); 656: return FALSE; 657: } 658: this->hasher = lib->crypto->create_hasher(lib->crypto, alg); 659: if (!this->hasher) 660: { 661: DBG1(DBG_IKE, "%N %N not supported!", 662: transform_type_names, HASH_ALGORITHM, 663: hash_algorithm_names, alg); 664: return FALSE; 665: } 666: return TRUE; 667: } 668: 669: METHOD(keymat_v1_t, get_hasher, hasher_t*, 670: private_keymat_v1_t *this) 671: { 672: return this->hasher; 673: } 674: 675: METHOD(keymat_v1_t, get_hash, bool, 676: private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other, 677: ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash, 678: signature_scheme_t *scheme) 679: { 680: chunk_t data; 681: uint64_t spi, spi_other; 682: 683: /* HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b ) 684: * HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b ) 685: */ 686: if (initiator) 687: { 688: spi = ike_sa_id->get_initiator_spi(ike_sa_id); 689: spi_other = ike_sa_id->get_responder_spi(ike_sa_id); 690: } 691: else 692: { 693: spi_other = ike_sa_id->get_initiator_spi(ike_sa_id); 694: spi = ike_sa_id->get_responder_spi(ike_sa_id); 695: } 696: data = chunk_cat("cccccc", dh, dh_other, 697: chunk_from_thing(spi), chunk_from_thing(spi_other), 698: sa_i, id); 699: 700: DBG3(DBG_IKE, "HASH_%c data %B", initiator ? 'I' : 'R', &data); 701: 702: if (!this->prf_auth->allocate_bytes(this->prf_auth, data, hash)) 703: { 704: free(data.ptr); 705: return FALSE; 706: } 707: 708: DBG3(DBG_IKE, "HASH_%c %B", initiator ? 'I' : 'R', hash); 709: 710: free(data.ptr); 711: return TRUE; 712: } 713: 714: /** 715: * Get the nonce value found in the given message. 716: * Returns FALSE if none is found. 717: */ 718: static bool get_nonce(message_t *message, chunk_t *n) 719: { 720: nonce_payload_t *nonce; 721: nonce = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE); 722: if (nonce) 723: { 724: *n = nonce->get_nonce(nonce); 725: return TRUE; 726: } 727: return FALSE; 728: } 729: 730: /** 731: * Generate the message data in order to generate the hashes. 732: */ 733: static chunk_t get_message_data(message_t *message, generator_t *generator) 734: { 735: payload_t *payload, *next; 736: enumerator_t *enumerator; 737: uint32_t *lenpos; 738: 739: if (message->is_encoded(message)) 740: { /* inbound, although the message is generated, we cannot access the 741: * cleartext message data, so generate it anyway */ 742: enumerator = message->create_payload_enumerator(message); 743: while (enumerator->enumerate(enumerator, &payload)) 744: { 745: if (payload->get_type(payload) == PLV1_HASH) 746: { 747: continue; 748: } 749: generator->generate_payload(generator, payload); 750: } 751: enumerator->destroy(enumerator); 752: } 753: else 754: { 755: /* outbound, generate the payloads (there is no HASH payload yet) */ 756: enumerator = message->create_payload_enumerator(message); 757: if (enumerator->enumerate(enumerator, &payload)) 758: { 759: while (enumerator->enumerate(enumerator, &next)) 760: { 761: payload->set_next_type(payload, next->get_type(next)); 762: generator->generate_payload(generator, payload); 763: payload = next; 764: } 765: payload->set_next_type(payload, PL_NONE); 766: generator->generate_payload(generator, payload); 767: } 768: enumerator->destroy(enumerator); 769: } 770: return generator->get_chunk(generator, &lenpos); 771: } 772: 773: METHOD(keymat_v1_t, get_hash_phase2, bool, 774: private_keymat_v1_t *this, message_t *message, chunk_t *hash) 775: { 776: uint32_t mid, mid_n; 777: chunk_t data = chunk_empty, *n_i, *n_r; 778: bool add_message = TRUE; 779: char *name = "Hash"; 780: 781: if (!this->prf) 782: { /* no keys derived yet */ 783: return FALSE; 784: } 785: 786: mid = message->get_message_id(message); 787: mid_n = htonl(mid); 788: 789: /* Hashes are simple for most exchanges in Phase 2: 790: * Hash = prf(SKEYID_a, M-ID | Complete message after HASH payload) 791: * For Quick Mode there are three hashes: 792: * Hash(1) = same as above 793: * Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH payload) 794: * Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) 795: * So, for Quick Mode we keep track of the nonce values. 796: */ 797: switch (message->get_exchange_type(message)) 798: { 799: case QUICK_MODE: 800: { 801: this->iv_manager->lookup_quick_mode(this->iv_manager, mid, &n_i, 802: &n_r); 803: if (!n_i->ptr) 804: { /* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */ 805: name = "Hash(1)"; 806: if (!get_nonce(message, n_i)) 807: { 808: return FALSE; 809: } 810: data = chunk_from_thing(mid_n); 811: } 812: else if (!n_r->ptr) 813: { /* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */ 814: name = "Hash(2)"; 815: if (!get_nonce(message, n_r)) 816: { 817: return FALSE; 818: } 819: data = chunk_cata("cc", chunk_from_thing(mid_n), *n_i); 820: } 821: else 822: { /* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */ 823: name = "Hash(3)"; 824: data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n), 825: *n_i, *n_r); 826: add_message = FALSE; 827: /* we don't need the state anymore */ 828: this->iv_manager->remove_quick_mode(this->iv_manager, mid); 829: } 830: break; 831: } 832: case TRANSACTION: 833: case INFORMATIONAL_V1: 834: /* Hash = prf(SKEYID_a, M-ID | Message after HASH payload) */ 835: data = chunk_from_thing(mid_n); 836: break; 837: default: 838: return FALSE; 839: } 840: if (!this->prf->set_key(this->prf, this->skeyid_a)) 841: { 842: return FALSE; 843: } 844: if (add_message) 845: { 846: generator_t *generator; 847: chunk_t msg; 848: 849: generator = generator_create_no_dbg(); 850: msg = get_message_data(message, generator); 851: if (!this->prf->allocate_bytes(this->prf, data, NULL) || 852: !this->prf->allocate_bytes(this->prf, msg, hash)) 853: { 854: generator->destroy(generator); 855: return FALSE; 856: } 857: generator->destroy(generator); 858: } 859: else 860: { 861: if (!this->prf->allocate_bytes(this->prf, data, hash)) 862: { 863: return FALSE; 864: } 865: } 866: DBG3(DBG_IKE, "%s %B", name, hash); 867: return TRUE; 868: } 869: 870: METHOD(keymat_v1_t, get_iv, bool, 871: private_keymat_v1_t *this, uint32_t mid, chunk_t *out) 872: { 873: return this->iv_manager->get_iv(this->iv_manager, mid, out); 874: } 875: 876: METHOD(keymat_v1_t, update_iv, bool, 877: private_keymat_v1_t *this, uint32_t mid, chunk_t last_block) 878: { 879: return this->iv_manager->update_iv(this->iv_manager, mid, last_block); 880: } 881: 882: METHOD(keymat_v1_t, confirm_iv, bool, 883: private_keymat_v1_t *this, uint32_t mid) 884: { 885: return this->iv_manager->confirm_iv(this->iv_manager, mid); 886: } 887: 888: METHOD(keymat_t, get_version, ike_version_t, 889: private_keymat_v1_t *this) 890: { 891: return IKEV1; 892: } 893: 894: METHOD(keymat_t, create_dh, diffie_hellman_t*, 895: private_keymat_v1_t *this, diffie_hellman_group_t group) 896: { 897: return lib->crypto->create_dh(lib->crypto, group); 898: } 899: 900: METHOD(keymat_t, create_nonce_gen, nonce_gen_t*, 901: private_keymat_v1_t *this) 902: { 903: return lib->crypto->create_nonce_gen(lib->crypto); 904: } 905: 906: METHOD(keymat_t, get_aead, aead_t*, 907: private_keymat_v1_t *this, bool in) 908: { 909: return this->aead; 910: } 911: 912: METHOD(keymat_t, destroy, void, 913: private_keymat_v1_t *this) 914: { 915: DESTROY_IF(this->prf); 916: DESTROY_IF(this->prf_auth); 917: DESTROY_IF(this->aead); 918: DESTROY_IF(this->hasher); 919: chunk_clear(&this->skeyid_d); 920: chunk_clear(&this->skeyid_a); 921: this->iv_manager->destroy(this->iv_manager); 922: free(this); 923: } 924: 925: /** 926: * See header 927: */ 928: keymat_v1_t *keymat_v1_create(bool initiator) 929: { 930: private_keymat_v1_t *this; 931: 932: INIT(this, 933: .public = { 934: .keymat = { 935: .get_version = _get_version, 936: .create_dh = _create_dh, 937: .create_nonce_gen = _create_nonce_gen, 938: .get_aead = _get_aead, 939: .destroy = _destroy, 940: }, 941: .derive_ike_keys = _derive_ike_keys, 942: .derive_child_keys = _derive_child_keys, 943: .create_hasher = _create_hasher, 944: .get_hasher = _get_hasher, 945: .get_hash = _get_hash, 946: .get_hash_phase2 = _get_hash_phase2, 947: .get_iv = _get_iv, 948: .update_iv = _update_iv, 949: .confirm_iv = _confirm_iv, 950: }, 951: .initiator = initiator, 952: .iv_manager = iv_manager_create(0), 953: ); 954: return &this->public; 955: }