/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.android.internal.net.ipsec.ike.crypto;
import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_CMAC;
import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC;
import android.net.ipsec.ike.SaProposal;
import com.android.internal.net.crypto.KeyGenerationUtils;
import com.android.internal.net.ipsec.ike.message.IkeSaPayload.PrfTransform;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
/**
* IkeMacPrf represents a negotiated pseudorandom function.
*
* <p>Pseudorandom function is usually used for IKE SA authentication and generating keying
* materials.
*
* <p>For pseudorandom functions based on integrity algorithms, all operations will be done by a
* {@link Mac}. For pseudorandom functions based on encryption algorithms, all operations will be
* done by a {@link Cipher}.
*
* @see <a href="https://tools.ietf.org/html/rfc7296#section-3.3.2">RFC 7296, Internet Key Exchange
* Protocol Version 2 (IKEv2)</a>
*/
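public class IkeMacPrf extends IkeMac {
    /** Key length (bytes) of AES-XCBC-PRF-128 (RFC 4434). */
    private static final int PSEUDORANDOM_FUNCTION_AES128_XCBC_KEY_LEN = 16;

    /** Key length (bytes) of AES-CMAC-PRF-128 (RFC 4615). */
    private static final int PSEUDORANDOM_FUNCTION_AES128_CMAC_KEY_LEN = 16;

    private IkeMacPrf(
            @SaProposal.PseudorandomFunction int algorithmId,
            int keyLength,
            String algorithmName,
            boolean isJceSupported) {
        super(algorithmId, keyLength, algorithmName, isJceSupported);
    }

    /**
     * Construct an instance of IkeMacPrf from a negotiated PRF transform.
     *
     * <p>The key length recorded for each HMAC-based PRF is the preferred key size from RFC 7296
     * (the hash output size); both AES based PRFs use a 128-bit key. AES-XCBC-PRF-128 has no JCE
     * provider and is marked {@code isJceSupported = false}, so {@link #signBytes} routes it to
     * {@link AesXCbcImpl} instead of the superclass.
     *
     * @param prfTransform the valid negotiated PrfTransform.
     * @return an instance of IkeMacPrf.
     * @throws IllegalArgumentException if the transform ID is not a supported PRF.
     */
    public static IkeMacPrf create(PrfTransform prfTransform) {
        int algorithmId = prfTransform.id;
        int keyLength = 0;
        String algorithmName = "";
        boolean isJceSupported = true;

        switch (algorithmId) {
            case SaProposal.PSEUDORANDOM_FUNCTION_HMAC_SHA1:
                keyLength = 20;
                algorithmName = "HmacSHA1";
                break;
            case SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC:
                keyLength = PSEUDORANDOM_FUNCTION_AES128_XCBC_KEY_LEN;
                isJceSupported = false;
                algorithmName = ALGO_NAME_JCE_UNSUPPORTED;
                break;
            case SaProposal.PSEUDORANDOM_FUNCTION_AES128_CMAC:
                keyLength = PSEUDORANDOM_FUNCTION_AES128_CMAC_KEY_LEN;
                algorithmName = "AESCMAC";
                break;
            case SaProposal.PSEUDORANDOM_FUNCTION_SHA2_256:
                keyLength = 32;
                algorithmName = "HmacSHA256";
                break;
            case SaProposal.PSEUDORANDOM_FUNCTION_SHA2_384:
                keyLength = 48;
                algorithmName = "HmacSHA384";
                break;
            case SaProposal.PSEUDORANDOM_FUNCTION_SHA2_512:
                keyLength = 64;
                algorithmName = "HmacSHA512";
                break;
            default:
                throw new IllegalArgumentException("Unrecognized PRF ID: " + algorithmId);
        }

        return new IkeMacPrf(algorithmId, keyLength, algorithmName, isJceSupported);
    }

    /**
     * Computes prf(keyBytes, dataToSign) with the negotiated PRF.
     *
     * <p>HMAC-based PRFs accept a key of any length and pass it to the superclass unchanged. The
     * two AES-based PRFs take a fixed 128-bit key, so keys of any other length are first derived
     * according to RFC 4434 (AES-XCBC) or RFC 4615 (AES-CMAC). AES-XCBC is computed by
     * {@link AesXCbcImpl}; everything else is computed by {@link IkeMac#signBytes}.
     *
     * @param keyBytes the PRF key, of any length.
     * @param dataToSign the message.
     * @return the untruncated PRF output.
     * @throws IllegalArgumentException if the AES-XCBC computation fails; the underlying
     *     exception is attached as the cause.
     */
    @Override
    public byte[] signBytes(byte[] keyBytes, byte[] dataToSign) {
        switch (getAlgorithmId()) {
            case PSEUDORANDOM_FUNCTION_AES128_XCBC:
                try {
                    byte[] xcbcKey = modifyAesXCbcKeyIfNeeded(keyBytes);
                    return new AesXCbcImpl().mac(xcbcKey, dataToSign, false /*needTruncation*/);
                } catch (GeneralSecurityException | IllegalStateException e) {
                    throw new IllegalArgumentException("Failed to generate MAC: ", e);
                }
            case PSEUDORANDOM_FUNCTION_AES128_CMAC:
                return super.signBytes(modifyAesCmacKeyIfNeeded(keyBytes), dataToSign);
            default:
                return super.signBytes(keyBytes, dataToSign);
        }
    }

    /**
     * Normalizes a key to the 128 bits required by AES-XCBC-PRF-128.
     *
     * <p>As per RFC 4434 the key for AES-XCBC-PRF-128 is created as follows:
     *
     * <ol>
     *   <li>If the key is exactly 128 bits long, use it as-is.
     *   <li>If the key has fewer than 128 bits, lengthen it to exactly 128 bits by padding it on
     *       the right with zero bits.
     *   <li>If the key is 129 bits or longer, shorten it to exactly 128 bits by performing the
     *       steps in AES-XCBC-PRF-128. In that re-application of this algorithm, the key is 128
     *       zero bits; the message is the too-long current key.
     * </ol>
     *
     * @param keyBytes the key of any length.
     * @return a 16-byte key.
     * @throws GeneralSecurityException if shortening a long key fails.
     */
    private byte[] modifyAesXCbcKeyIfNeeded(byte[] keyBytes) throws GeneralSecurityException {
        final int keyLen = PSEUDORANDOM_FUNCTION_AES128_XCBC_KEY_LEN;
        if (keyBytes.length == keyLen) {
            return keyBytes;
        }
        if (keyBytes.length < keyLen) {
            // Arrays.copyOf zero-fills the tail, which is exactly the right-padding RFC 4434 asks for.
            return Arrays.copyOf(keyBytes, keyLen);
        }
        return new AesXCbcImpl().mac(new byte[keyLen], keyBytes, false /*needTruncation*/);
    }

    /**
     * Normalizes a key to the 128 bits required by AES-CMAC-PRF-128.
     *
     * <p>As per RFC 4615 the key for AES-CMAC-PRF-128 is created as follows:
     *
     * <ol>
     *   <li>If the key, VK, is exactly 128 bits, then we use it as-is.
     *   <li>If it is longer or shorter than 128 bits, then we derive the key, K, by applying the
     *       AES-CMAC algorithm using the 128-bit all-zero string as the key and VK as the input
     *       message.
     * </ol>
     *
     * @param keyBytes the key of any length.
     * @return a 16-byte key.
     */
    private byte[] modifyAesCmacKeyIfNeeded(byte[] keyBytes) {
        final int keyLen = PSEUDORANDOM_FUNCTION_AES128_CMAC_KEY_LEN;
        if (keyBytes.length == keyLen) {
            return keyBytes;
        }
        // The all-zero key is already 16 bytes, so it needs no normalization of its own and the
        // superclass MAC can be called directly.
        return super.signBytes(new byte[keyLen], keyBytes);
    }

    /** Returns true for the PRFs whose key must be exactly {@link #getKeyLength()} bytes. */
    private boolean hasFixedLengthKey() {
        int id = getAlgorithmId();
        return id == PSEUDORANDOM_FUNCTION_AES128_XCBC || id == PSEUDORANDOM_FUNCTION_AES128_CMAC;
    }

    /**
     * Generates SKEYSEED based on the nonces and shared DH secret.
     *
     * <p>SKEYSEED = prf(Ni | Nr, g^ir). For a PRF that takes a fixed-length key (the AES based
     * PRFs), RFC 7296 Section 2.14 requires half of the key to come from the leading bytes of Ni
     * and half from the leading bytes of Nr.
     *
     * <p>RFC 7296 requires nonces of at least 128 bits; that is presumably enforced where the
     * nonce payload is parsed. The length check here only guards against a short nonce being
     * silently zero-padded into the PRF key by a programming error.
     *
     * @param nonceInit the IKE initiator nonce.
     * @param nonceResp the IKE responder nonce.
     * @param sharedDhKey the DH shared key.
     * @return the byte array of SKEYSEED.
     * @throws IllegalArgumentException if a fixed-key PRF is negotiated and either nonce is too
     *     short to supply its half of the key.
     */
    public byte[] generateSKeySeed(byte[] nonceInit, byte[] nonceResp, byte[] sharedDhKey) {
        final byte[] prfKey;
        if (hasFixedLengthKey()) {
            int half = getKeyLength() / 2;
            if (nonceInit.length < half || nonceResp.length < half) {
                throw new IllegalArgumentException(
                        "Nonces must be at least "
                                + half
                                + " bytes to key a fixed-length PRF; got "
                                + nonceInit.length
                                + " and "
                                + nonceResp.length);
            }
            prfKey =
                    ByteBuffer.allocate(getKeyLength())
                            .put(nonceInit, 0, half)
                            .put(nonceResp, 0, half)
                            .array();
        } else {
            prfKey =
                    ByteBuffer.allocate(nonceInit.length + nonceResp.length)
                            .put(nonceInit)
                            .put(nonceResp)
                            .array();
        }
        return signBytes(prfKey, sharedDhKey);
    }

    /**
     * Generates a rekey SKEYSEED based on the old SK_d, the new nonces and the new shared DH
     * secret.
     *
     * <p>SKEYSEED = prf(SK_d (old), g^ir (new) | Ni | Nr), as in RFC 7296 Section 2.18.
     *
     * @param skD the secret for deriving new keys
     * @param nonceInit the IKE initiator nonce.
     * @param nonceResp the IKE responder nonce.
     * @param sharedDhKey the DH shared key.
     * @return the byte array of SKEYSEED.
     */
    public byte[] generateRekeyedSKeySeed(
            byte[] skD, byte[] nonceInit, byte[] nonceResp, byte[] sharedDhKey) {
        byte[] message =
                ByteBuffer.allocate(sharedDhKey.length + nonceInit.length + nonceResp.length)
                        .put(sharedDhKey)
                        .put(nonceInit)
                        .put(nonceResp)
                        .array();
        return signBytes(skD, message);
    }

    /**
     * Derives keying materials from IKE/Child SA negotiation.
     *
     * <p>prf+(K, S) outputs a pseudorandom stream by using negotiated PRF iteratively. In this way
     * it can generate long enough keying material containing all the keys for this IKE/Child SA.
     *
     * @see <a href="https://tools.ietf.org/html/rfc7296#section-2.13">RFC 7296 Internet Key
     *     Exchange Protocol Version 2 (IKEv2) 2.13. Generating Keying Material </a>
     * @param keyBytes the key to sign data. SKEYSEED is used for generating KEYMAT for IKE SA. SK_d
     *     is used for generating KEYMAT for Child SA.
     * @param dataToSign the data to be signed.
     * @param keyMaterialLen the length of keying materials.
     * @return the byte array of keying materials
     */
    public byte[] generateKeyMat(byte[] keyBytes, byte[] dataToSign, int keyMaterialLen) {
        return KeyGenerationUtils.prfPlus(this, keyBytes, dataToSign, keyMaterialLen);
    }

    /**
     * Returns algorithm type as a String.
     *
     * @return the algorithm type as a String.
     */
    @Override
    public String getTypeString() {
        return "Pseudorandom Function";
    }
}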