EAP-SIM/AKA crypto helper supports key derivation for fast reauthentication

3 files changed, 110 insertions, 22 deletions

diff --git a/src/libsimaka/simaka_crypto.c b/src/libsimaka/simaka_crypto.c
index 4f4e850c7..4afab234b 100644
--- a/src/libsimaka/simaka_crypto.c
+++ b/src/libsimaka/simaka_crypto.c
@@ -97,41 +97,97 @@ static rng_t* get_rng(private_simaka_crypto_t *this)
  * Implementation of simaka_crypto_t.derive_keys_full
  */
 static chunk_t derive_keys_full(private_simaka_crypto_t *this,
-								identification_t *id, chunk_t data)
+								identification_t *id, chunk_t data, chunk_t *mk)
 {
-
-	char mk[HASH_SIZE_SHA1], k_encr[KENCR_LEN], k_auth[KAUTH_LEN];
-	chunk_t str, msk;
+	chunk_t str, msk, k_encr, k_auth;
 	int i;
 
 	/* For SIM: MK = SHA1(Identity|n*Kc|NONCE_MT|Version List|Selected Version)
 	 * For AKA: MK = SHA1(Identity|IK|CK) */
 	this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
-	this->hasher->get_hash(this->hasher, data, mk);
-	DBG3(DBG_IKE, "MK %b", mk, HASH_SIZE_SHA1);
+	this->hasher->allocate_hash(this->hasher, data, mk);
+	DBG3(DBG_IKE, "MK %B", mk);
 
 	/* K_encr | K_auth | MSK | EMSK = prf() | prf() | prf() | prf() */
-	this->prf->set_key(this->prf, chunk_create(mk, HASH_SIZE_SHA1));
+	this->prf->set_key(this->prf, *mk);
 	str = chunk_alloca(this->prf->get_block_size(this->prf) * 3);
 	for (i = 0; i < 3; i++)
 	{
 		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 3 * i);
 	}
 
-	memcpy(k_encr, str.ptr, KENCR_LEN);
-	str = chunk_skip(str, KENCR_LEN);
-	memcpy(k_auth, str.ptr, KAUTH_LEN);
-	str = chunk_skip(str, KAUTH_LEN);
+	k_encr = chunk_create(str.ptr, KENCR_LEN);
+	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
+	msk = chunk_create(str.ptr + KENCR_LEN + KAUTH_LEN, MSK_LEN);
+	DBG3(DBG_IKE, "K_encr %B\nK_auth %B\nMSK %B", &k_encr, &k_auth, &msk);
+
+	this->signer->set_key(this->signer, k_auth);
+	this->crypter->set_key(this->crypter, k_encr);
+
+	this->derived = TRUE;
+	return chunk_clone(msk);
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_reauth
+ */
+static void derive_keys_reauth(private_simaka_crypto_t *this, chunk_t mk)
+{
+	chunk_t str, k_encr, k_auth;
+	int i;
 
-	this->signer->set_key(this->signer, chunk_create(k_auth, KAUTH_LEN));
-	this->crypter->set_key(this->crypter, chunk_create(k_encr, KENCR_LEN));
+	/* K_encr | K_auth = prf() | prf() */
+	this->prf->set_key(this->prf, mk);
+	str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
+	for (i = 0; i < 2; i++)
+	{
+		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+	}
+	k_encr = chunk_create(str.ptr, KENCR_LEN);
+	k_auth = chunk_create(str.ptr + KENCR_LEN, KAUTH_LEN);
+	DBG3(DBG_IKE, "K_encr %B\nK_auth %B", &k_encr, &k_auth);
 
-	msk = chunk_clone(chunk_create(str.ptr, MSK_LEN));
-	DBG3(DBG_IKE, "K_encr %b\nK_auth %b\nMSK %B",
-		 k_encr, KENCR_LEN, k_auth, KAUTH_LEN, &msk);
+	this->signer->set_key(this->signer, k_auth);
+	this->crypter->set_key(this->crypter, k_encr);
 
 	this->derived = TRUE;
-	return msk;
+}
+
+/**
+ * Implementation of simaka_crypto_t.derive_keys_reauth_msk
+ */
+static chunk_t derive_keys_reauth_msk(private_simaka_crypto_t *this,
+									  identification_t *id, chunk_t counter,
+									  chunk_t nonce_s, chunk_t mk)
+{
+	char xkey[HASH_SIZE_SHA1];
+	chunk_t str, msk;
+	int i;
+
+	this->hasher->get_hash(this->hasher, id->get_encoding(id), NULL);
+	this->hasher->get_hash(this->hasher, counter, NULL);
+	this->hasher->get_hash(this->hasher, nonce_s, NULL);
+	this->hasher->get_hash(this->hasher, mk, xkey);
+
+	/* MSK | EMSK = prf() | prf() | prf() | prf() */
+	this->prf->set_key(this->prf, chunk_create(xkey, sizeof(xkey)));
+	str = chunk_alloca(this->prf->get_block_size(this->prf) * 2);
+	for (i = 0; i < 2; i++)
+	{
+		this->prf->get_bytes(this->prf, chunk_empty, str.ptr + str.len / 2 * i);
+	}
+	msk = chunk_create(str.ptr, MSK_LEN);
+	DBG3(DBG_IKE, "MSK %B", &msk);
+
+	return chunk_clone(msk);
+}
+
+/**
+ * Implementation of simaka_crypto_t.clear_keys
+ */
+static void clear_keys(private_simaka_crypto_t *this)
+{
+	this->derived = FALSE;
 }
 
 /**
@@ -157,7 +213,10 @@ simaka_crypto_t *simaka_crypto_create()
 	this->public.get_signer = (signer_t*(*)(simaka_crypto_t*))get_signer;
 	this->public.get_crypter = (crypter_t*(*)(simaka_crypto_t*))get_crypter;
 	this->public.get_rng = (rng_t*(*)(simaka_crypto_t*))get_rng;
-	this->public.derive_keys_full = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t data))derive_keys_full;
+	this->public.derive_keys_full = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t data, chunk_t *mk))derive_keys_full;
+	this->public.derive_keys_reauth = (void(*)(simaka_crypto_t*, chunk_t mk))derive_keys_reauth;
+	this->public.derive_keys_reauth_msk = (chunk_t(*)(simaka_crypto_t*, identification_t *id, chunk_t counter, chunk_t nonce_s, chunk_t mk))derive_keys_reauth_msk;
+	this->public.clear_keys = (void(*)(simaka_crypto_t*))clear_keys;
 	this->public.destroy = (void(*)(simaka_crypto_t*))destroy;
 
 	this->derived = FALSE;
diff --git a/src/libsimaka/simaka_crypto.h b/src/libsimaka/simaka_crypto.h
index 4c12f97d3..d1830e658 100644
--- a/src/libsimaka/simaka_crypto.h
+++ b/src/libsimaka/simaka_crypto.h
@@ -61,10 +61,38 @@ struct simaka_crypto_t {
 	 *
 	 * @param id	peer identity
 	 * @param data	method specific data
+	 * @param mk	chunk receiving allocated master key MK
 	 * @return		allocated MSK value
 	 */
 	chunk_t (*derive_keys_full)(simaka_crypto_t *this, identification_t *id,
-								chunk_t data);
+								chunk_t data, chunk_t *mk);
+
+	/**
+	 * Derive k_encr/k_auth keys from MK using fast reauthentication.
+	 *
+	 * This methods derives the k_encr/k_auth keys and loads them into the
+	 * internal crypter/signer instances.
+	 *
+	 * @param mk	master key
+	 */
+	void (*derive_keys_reauth)(simaka_crypto_t *this, chunk_t mk);
+
+	/**
+	 * Derive MSK using fast reauthentication.
+	 *
+	 * @param id		fast reauthentication identity
+	 * @param counter	fast reauthentication counter value, network order
+	 * @param nonce_s	server generated NONCE_S value
+	 * @param mk		master key of last full authentication
+	 */
+	chunk_t (*derive_keys_reauth_msk)(simaka_crypto_t *this,
+									  identification_t *id, chunk_t counter,
+									  chunk_t nonce_s, chunk_t mk);
+
+	/**
+	 * Clear keys (partially) derived.
+	 */
+	void (*clear_keys)(simaka_crypto_t *this);
 
 	/**
 	 * Destroy a simaka_crypto_t.
diff --git a/src/libsimaka/simaka_message.c b/src/libsimaka/simaka_message.c
index 9d85d1fbc..b64ff1b9a 100644
--- a/src/libsimaka/simaka_message.c
+++ b/src/libsimaka/simaka_message.c
@@ -469,6 +469,7 @@ static bool decrypt(private_simaka_message_t *this)
 {
 	bool success;
 	crypter_t *crypter;
+	chunk_t plain;
 
 	crypter = this->crypto->get_crypter(this->crypto);
 	if (!crypter || !this->iv.len || !this->encr.len || this->encrypted)
@@ -482,12 +483,12 @@ static bool decrypt(private_simaka_message_t *this)
 		return FALSE;
 	}
 
-	/* decrypt inline */
-	crypter->decrypt(crypter, this->encr, this->iv, NULL);
+	crypter->decrypt(crypter, this->encr, this->iv, &plain);
 
 	this->encrypted = TRUE;
-	success = parse_attributes(this, this->encr);
+	success = parse_attributes(this, plain);
 	this->encrypted = FALSE;
+	free(plain.ptr);
 	return success;
 }