/* * Copyright (C) 2019 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.android.internal.net.ipsec.ike.crypto; import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_CMAC; import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC; import android.net.ipsec.ike.SaProposal; import com.android.internal.net.crypto.KeyGenerationUtils; import com.android.internal.net.ipsec.ike.message.IkeSaPayload.PrfTransform; import java.nio.ByteBuffer; import java.security.GeneralSecurityException; import java.util.Arrays; import javax.crypto.Cipher; import javax.crypto.Mac; /** * IkeMacPrf represents a negotiated pseudorandom function. * *

Pseudorandom function is usually used for IKE SA authentication and generating keying * materials. * *

For pseudorandom functions based on integrity algorithms, all operations will be done by a * {@link Mac}. For pseudorandom functions based on encryption algorithms, all operations will be * done by a {@link Cipher}. * * @see RFC 7296, Internet Key Exchange * Protocol Version 2 (IKEv2) */ public class IkeMacPrf extends IkeMac { private static final int PSEUDORANDOM_FUNCTION_AES128_XCBC_KEY_LEN = 16; private IkeMacPrf( @SaProposal.PseudorandomFunction int algorithmId, int keyLength, String algorithmName, boolean isJceSupported) { super(algorithmId, keyLength, algorithmName, isJceSupported); } /** * Construct an instance of IkeMacPrf. * * @param prfTransform the valid negotiated PrfTransform. * @return an instance of IkeMacPrf. */ public static IkeMacPrf create(PrfTransform prfTransform) { int algorithmId = prfTransform.id; int keyLength = 0; String algorithmName = ""; boolean isJceSupported = true; switch (algorithmId) { case SaProposal.PSEUDORANDOM_FUNCTION_HMAC_SHA1: keyLength = 20; algorithmName = "HmacSHA1"; break; case SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC: keyLength = 16; isJceSupported = false; algorithmName = ALGO_NAME_JCE_UNSUPPORTED; break; case SaProposal.PSEUDORANDOM_FUNCTION_AES128_CMAC: keyLength = 16; algorithmName = "AESCMAC"; break; case SaProposal.PSEUDORANDOM_FUNCTION_SHA2_256: keyLength = 32; algorithmName = "HmacSHA256"; break; case SaProposal.PSEUDORANDOM_FUNCTION_SHA2_384: keyLength = 48; algorithmName = "HmacSHA384"; break; case SaProposal.PSEUDORANDOM_FUNCTION_SHA2_512: keyLength = 64; algorithmName = "HmacSHA512"; break; default: throw new IllegalArgumentException("Unrecognized PRF ID: " + algorithmId); } return new IkeMacPrf(algorithmId, keyLength, algorithmName, isJceSupported); } @Override public byte[] signBytes(byte[] keyBytes, byte[] dataToSign) { if (getAlgorithmId() == PSEUDORANDOM_FUNCTION_AES128_XCBC) { try { keyBytes = modifyAesXCbcKeyIfNeeded(keyBytes); return new AesXCbcImpl().mac(keyBytes, dataToSign, false /*needTruncation*/); } catch (GeneralSecurityException | IllegalStateException e) { throw new IllegalArgumentException("Failed to generate MAC: ", e); } } else if (getAlgorithmId() == PSEUDORANDOM_FUNCTION_AES128_CMAC) { keyBytes = modifyAesCmacKeyIfNeeded(keyBytes); } return super.signBytes(keyBytes, dataToSign); } private byte[] modifyAesXCbcKeyIfNeeded(byte[] keyBytes) throws GeneralSecurityException { // As per RFC 4434: // The key for AES-XCBC-PRF-128 is created as follows: // // 1. If the key is exactly 128 bits long, use it as-is. // // 2. If the key has fewer than 128 bits, lengthen it to exactly 128 bits by padding it on // the right with zero bits. // // 3. If the key is 129 bits or longer, shorten it to exactly 128 bits by performing the // steps in AES-XCBC-PRF-128 (that is, the algorithm described in this document). In that // re-application of this algorithm, the key is 128 zero bits; the message is the too-long // current key. if (keyBytes.length < 16) { keyBytes = Arrays.copyOf(keyBytes, 16); } else if (keyBytes.length > 16) { keyBytes = new AesXCbcImpl().mac(new byte[16], keyBytes, false /*needTruncation*/); } return keyBytes; } private byte[] modifyAesCmacKeyIfNeeded(byte[] keyBytes) { // As per RFC 4615: // The key for AES-CMAC-PRF-128 is created as follows: // // 1. If the key, VK, is exactly 128 bits, then we use it as-is. // // 2. If it is longer or shorter than 128 bits, then we derive the key, K, by applying the // AES-CMAC algorithm using the 128-bit all-zero string as the key and VK as the input // message. if (keyBytes.length != 16) { keyBytes = signBytes(new byte[16], keyBytes); } return keyBytes; } /** * Generates SKEYSEED based on the nonces and shared DH secret. * * @param nonceInit the IKE initiator nonce. * @param nonceResp the IKE responder nonce. * @param sharedDhKey the DH shared key. * @return the byte array of SKEYSEED. */ public byte[] generateSKeySeed(byte[] nonceInit, byte[] nonceResp, byte[] sharedDhKey) { ByteBuffer keyBuffer = null; if (getAlgorithmId() == SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC || getAlgorithmId() == SaProposal.PSEUDORANDOM_FUNCTION_AES128_CMAC) { keyBuffer = ByteBuffer.allocate(getKeyLength()); // When generating initial keys, use 8 bytes each from initiator and responder nonces as // per RFC 7296 keyBuffer .put(Arrays.copyOfRange(nonceInit, 0, 8)) .put(Arrays.copyOfRange(nonceResp, 0, 8)); } else { keyBuffer = ByteBuffer.allocate(nonceInit.length + nonceResp.length); keyBuffer.put(nonceInit).put(nonceResp); } return signBytes(keyBuffer.array(), sharedDhKey); } /** * Generates a rekey SKEYSEED based on the nonces and shared DH secret. * * @param skD the secret for deriving new keys * @param nonceInit the IKE initiator nonce. * @param nonceResp the IKE responder nonce. * @param sharedDhKey the DH shared key. * @return the byte array of SKEYSEED. */ public byte[] generateRekeyedSKeySeed( byte[] skD, byte[] nonceInit, byte[] nonceResp, byte[] sharedDhKey) { ByteBuffer dataToSign = ByteBuffer.allocate(sharedDhKey.length + nonceInit.length + nonceResp.length); dataToSign.put(sharedDhKey).put(nonceInit).put(nonceResp); return signBytes(skD, dataToSign.array()); } /** * Derives keying materials from IKE/Child SA negotiation. * *

prf+(K, S) outputs a pseudorandom stream by using negotiated PRF iteratively. In this way * it can generate long enough keying material containing all the keys for this IKE/Child SA. * * @see RFC 7296 Internet Key * Exchange Protocol Version 2 (IKEv2) 2.13. Generating Keying Material * @param keyBytes the key to sign data. SKEYSEED is used for generating KEYMAT for IKE SA. SK_d * is used for generating KEYMAT for Child SA. * @param dataToSign the data to be signed. * @param keyMaterialLen the length of keying materials. * @return the byte array of keying materials */ public byte[] generateKeyMat(byte[] keyBytes, byte[] dataToSign, int keyMaterialLen) { return KeyGenerationUtils.prfPlus(this, keyBytes, dataToSign, keyMaterialLen); } /** * Returns algorithm type as a String. * * @return the algorithm type as a String. */ @Override public String getTypeString() { return "Pseudorandom Function"; } }