2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/dh_groups.h"
22 void ikev2_responder_deinit(struct ikev2_responder_data
*data
)
24 ikev2_free_keys(&data
->keys
);
25 wpabuf_free(data
->i_dh_public
);
26 wpabuf_free(data
->r_dh_private
);
29 os_free(data
->shared_secret
);
30 wpabuf_free(data
->i_sign_msg
);
31 wpabuf_free(data
->r_sign_msg
);
32 os_free(data
->key_pad
);
36 static int ikev2_derive_keys(struct ikev2_responder_data
*data
)
38 u8
*buf
, *pos
, *pad
, skeyseed
[IKEV2_MAX_HASH_LEN
];
39 size_t buf_len
, pad_len
;
40 struct wpabuf
*shared
;
41 const struct ikev2_integ_alg
*integ
;
42 const struct ikev2_prf_alg
*prf
;
43 const struct ikev2_encr_alg
*encr
;
48 /* RFC 4306, Sect. 2.14 */
50 integ
= ikev2_get_integ(data
->proposal
.integ
);
51 prf
= ikev2_get_prf(data
->proposal
.prf
);
52 encr
= ikev2_get_encr(data
->proposal
.encr
);
53 if (integ
== NULL
|| prf
== NULL
|| encr
== NULL
) {
54 wpa_printf(MSG_INFO
, "IKEV2: Unsupported proposal");
58 shared
= dh_derive_shared(data
->i_dh_public
, data
->r_dh_private
,
63 /* Construct Ni | Nr | SPIi | SPIr */
65 buf_len
= data
->i_nonce_len
+ data
->r_nonce_len
+ 2 * IKEV2_SPI_LEN
;
66 buf
= os_malloc(buf_len
);
73 os_memcpy(pos
, data
->i_nonce
, data
->i_nonce_len
);
74 pos
+= data
->i_nonce_len
;
75 os_memcpy(pos
, data
->r_nonce
, data
->r_nonce_len
);
76 pos
+= data
->r_nonce_len
;
77 os_memcpy(pos
, data
->i_spi
, IKEV2_SPI_LEN
);
79 os_memcpy(pos
, data
->r_spi
, IKEV2_SPI_LEN
);
81 #if __BYTE_ORDER == __LITTLE_ENDIAN
84 u8
*tmp
= pos
- IKEV2_SPI_LEN
;
85 /* Incorrect byte re-ordering on little endian hosts.. */
86 for (i
= 0; i
< IKEV2_SPI_LEN
; i
++)
87 *tmp
++ = data
->i_spi
[IKEV2_SPI_LEN
- 1 - i
];
88 for (i
= 0; i
< IKEV2_SPI_LEN
; i
++)
89 *tmp
++ = data
->r_spi
[IKEV2_SPI_LEN
- 1 - i
];
94 /* SKEYSEED = prf(Ni | Nr, g^ir) */
95 /* Use zero-padding per RFC 4306, Sect. 2.14 */
96 pad_len
= data
->dh
->prime_len
- wpabuf_len(shared
);
98 /* Shared secret is not zero-padded correctly */
101 pad
= os_zalloc(pad_len
? pad_len
: 1);
110 addr
[1] = wpabuf_head(shared
);
111 len
[1] = wpabuf_len(shared
);
112 if (ikev2_prf_hash(prf
->id
, buf
, data
->i_nonce_len
+ data
->r_nonce_len
,
113 2, addr
, len
, skeyseed
) < 0) {
122 /* DH parameters are not needed anymore, so free them */
123 wpabuf_free(data
->i_dh_public
);
124 data
->i_dh_public
= NULL
;
125 wpabuf_free(data
->r_dh_private
);
126 data
->r_dh_private
= NULL
;
128 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SKEYSEED",
129 skeyseed
, prf
->hash_len
);
131 ret
= ikev2_derive_sk_keys(prf
, integ
, encr
, skeyseed
, buf
, buf_len
,
138 static int ikev2_parse_transform(struct ikev2_proposal_data
*prop
,
139 const u8
*pos
, const u8
*end
)
142 const struct ikev2_transform
*t
;
146 if (end
- pos
< (int) sizeof(*t
)) {
147 wpa_printf(MSG_INFO
, "IKEV2: Too short transform");
151 t
= (const struct ikev2_transform
*) pos
;
152 transform_len
= WPA_GET_BE16(t
->transform_length
);
153 if (transform_len
< (int) sizeof(*t
) || pos
+ transform_len
> end
) {
154 wpa_printf(MSG_INFO
, "IKEV2: Invalid transform length %d",
158 tend
= pos
+ transform_len
;
160 transform_id
= WPA_GET_BE16(t
->transform_id
);
162 wpa_printf(MSG_DEBUG
, "IKEV2: Transform:");
163 wpa_printf(MSG_DEBUG
, "IKEV2: Type: %d Transform Length: %d "
164 "Transform Type: %d Transform ID: %d",
165 t
->type
, transform_len
, t
->transform_type
, transform_id
);
167 if (t
->type
!= 0 && t
->type
!= 3) {
168 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Transform type");
172 pos
= (const u8
*) (t
+ 1);
174 wpa_hexdump(MSG_DEBUG
, "IKEV2: Transform Attributes",
178 switch (t
->transform_type
) {
179 case IKEV2_TRANSFORM_ENCR
:
180 if (ikev2_get_encr(transform_id
)) {
181 if (transform_id
== ENCR_AES_CBC
) {
182 if (tend
- pos
!= 4) {
183 wpa_printf(MSG_DEBUG
, "IKEV2: No "
184 "Transform Attr for AES");
188 if (WPA_GET_BE16(pos
) != 0x001d /* ?? */) {
189 wpa_printf(MSG_DEBUG
, "IKEV2: Not a "
190 "Key Size attribute for "
195 if (WPA_GET_BE16(pos
) != 0x800e) {
196 wpa_printf(MSG_DEBUG
, "IKEV2: Not a "
197 "Key Size attribute for "
202 if (WPA_GET_BE16(pos
+ 2) != 128) {
203 wpa_printf(MSG_DEBUG
, "IKEV2: "
204 "Unsupported AES key size "
206 WPA_GET_BE16(pos
+ 2));
210 prop
->encr
= transform_id
;
213 case IKEV2_TRANSFORM_PRF
:
214 if (ikev2_get_prf(transform_id
))
215 prop
->prf
= transform_id
;
217 case IKEV2_TRANSFORM_INTEG
:
218 if (ikev2_get_integ(transform_id
))
219 prop
->integ
= transform_id
;
221 case IKEV2_TRANSFORM_DH
:
222 if (dh_groups_get(transform_id
))
223 prop
->dh
= transform_id
;
227 return transform_len
;
231 static int ikev2_parse_proposal(struct ikev2_proposal_data
*prop
,
232 const u8
*pos
, const u8
*end
)
234 const u8
*pend
, *ppos
;
236 const struct ikev2_proposal
*p
;
238 if (end
- pos
< (int) sizeof(*p
)) {
239 wpa_printf(MSG_INFO
, "IKEV2: Too short proposal");
243 /* FIX: AND processing if multiple proposals use the same # */
245 p
= (const struct ikev2_proposal
*) pos
;
246 proposal_len
= WPA_GET_BE16(p
->proposal_length
);
247 if (proposal_len
< (int) sizeof(*p
) || pos
+ proposal_len
> end
) {
248 wpa_printf(MSG_INFO
, "IKEV2: Invalid proposal length %d",
252 wpa_printf(MSG_DEBUG
, "IKEV2: SAi1 Proposal # %d",
254 wpa_printf(MSG_DEBUG
, "IKEV2: Type: %d Proposal Length: %d "
256 p
->type
, proposal_len
, p
->protocol_id
);
257 wpa_printf(MSG_DEBUG
, "IKEV2: SPI Size: %d Transforms: %d",
258 p
->spi_size
, p
->num_transforms
);
260 if (p
->type
!= 0 && p
->type
!= 2) {
261 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Proposal type");
265 if (p
->protocol_id
!= IKEV2_PROTOCOL_IKE
) {
266 wpa_printf(MSG_DEBUG
, "IKEV2: Unexpected Protocol ID "
267 "(only IKE allowed for EAP-IKEv2)");
271 if (p
->proposal_num
!= prop
->proposal_num
) {
272 if (p
->proposal_num
== prop
->proposal_num
+ 1)
273 prop
->proposal_num
= p
->proposal_num
;
275 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Proposal #");
280 ppos
= (const u8
*) (p
+ 1);
281 pend
= pos
+ proposal_len
;
282 if (ppos
+ p
->spi_size
> pend
) {
283 wpa_printf(MSG_INFO
, "IKEV2: Not enough room for SPI "
288 wpa_hexdump(MSG_DEBUG
, "IKEV2: SPI",
294 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
295 * subsequent negotiations, it must be 8 for IKE. We only support
296 * initial case for now.
298 if (p
->spi_size
!= 0) {
299 wpa_printf(MSG_INFO
, "IKEV2: Unexpected SPI Size");
303 if (p
->num_transforms
== 0) {
304 wpa_printf(MSG_INFO
, "IKEV2: At least one transform required");
308 for (i
= 0; i
< (int) p
->num_transforms
; i
++) {
309 int tlen
= ikev2_parse_transform(prop
, ppos
, pend
);
316 wpa_printf(MSG_INFO
, "IKEV2: Unexpected data after "
325 static int ikev2_process_sai1(struct ikev2_responder_data
*data
,
326 const u8
*sai1
, size_t sai1_len
)
328 struct ikev2_proposal_data prop
;
332 /* Security Association Payloads: <Proposals> */
335 wpa_printf(MSG_INFO
, "IKEV2: SAi1 not received");
339 os_memset(&prop
, 0, sizeof(prop
));
340 prop
.proposal_num
= 1;
343 end
= sai1
+ sai1_len
;
352 plen
= ikev2_parse_proposal(&prop
, pos
, end
);
356 if (!found
&& prop
.integ
!= -1 && prop
.prf
!= -1 &&
357 prop
.encr
!= -1 && prop
.dh
!= -1) {
358 os_memcpy(&data
->proposal
, &prop
, sizeof(prop
));
359 data
->dh
= dh_groups_get(prop
.dh
);
367 wpa_printf(MSG_INFO
, "IKEV2: Unexpected data after proposals");
372 wpa_printf(MSG_INFO
, "IKEV2: No acceptable proposal found");
376 wpa_printf(MSG_DEBUG
, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
377 "INTEG:%d D-H:%d", data
->proposal
.proposal_num
,
378 data
->proposal
.encr
, data
->proposal
.prf
,
379 data
->proposal
.integ
, data
->proposal
.dh
);
385 static int ikev2_process_kei(struct ikev2_responder_data
*data
,
386 const u8
*kei
, size_t kei_len
)
391 * Key Exchange Payload:
392 * DH Group # (16 bits)
394 * Key Exchange Data (Diffie-Hellman public value)
398 wpa_printf(MSG_INFO
, "IKEV2: KEi not received");
402 if (kei_len
< 4 + 96) {
403 wpa_printf(MSG_INFO
, "IKEV2: Too show Key Exchange Payload");
407 group
= WPA_GET_BE16(kei
);
408 wpa_printf(MSG_DEBUG
, "IKEV2: KEi DH Group #%u", group
);
410 if (group
!= data
->proposal
.dh
) {
411 wpa_printf(MSG_DEBUG
, "IKEV2: KEi DH Group #%u does not match "
412 "with the selected proposal (%u)",
413 group
, data
->proposal
.dh
);
414 /* Reject message with Notify payload of type
415 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
416 data
->error_type
= INVALID_KE_PAYLOAD
;
417 data
->state
= NOTIFY
;
421 if (data
->dh
== NULL
) {
422 wpa_printf(MSG_INFO
, "IKEV2: Unsupported DH group");
426 /* RFC 4306, Section 3.4:
427 * The length of DH public value MUST be equal to the lenght of the
430 if (kei_len
- 4 != data
->dh
->prime_len
) {
431 wpa_printf(MSG_INFO
, "IKEV2: Invalid DH public value length "
432 "%ld (expected %ld)",
433 (long) (kei_len
- 4), (long) data
->dh
->prime_len
);
437 wpabuf_free(data
->i_dh_public
);
438 data
->i_dh_public
= wpabuf_alloc(kei_len
- 4);
439 if (data
->i_dh_public
== NULL
)
441 wpabuf_put_data(data
->i_dh_public
, kei
+ 4, kei_len
- 4);
443 wpa_hexdump_buf(MSG_DEBUG
, "IKEV2: KEi Diffie-Hellman Public Value",
450 static int ikev2_process_ni(struct ikev2_responder_data
*data
,
451 const u8
*ni
, size_t ni_len
)
454 wpa_printf(MSG_INFO
, "IKEV2: Ni not received");
458 if (ni_len
< IKEV2_NONCE_MIN_LEN
|| ni_len
> IKEV2_NONCE_MAX_LEN
) {
459 wpa_printf(MSG_INFO
, "IKEV2: Invalid Ni length %ld",
465 /* Zeros are removed incorrectly from the beginning of the nonces */
466 while (ni_len
> 1 && *ni
== 0) {
472 data
->i_nonce_len
= ni_len
;
473 os_memcpy(data
->i_nonce
, ni
, ni_len
);
474 wpa_hexdump(MSG_MSGDUMP
, "IKEV2: Ni",
475 data
->i_nonce
, data
->i_nonce_len
);
481 static int ikev2_process_sa_init(struct ikev2_responder_data
*data
,
482 const struct ikev2_hdr
*hdr
,
483 struct ikev2_payloads
*pl
)
485 if (ikev2_process_sai1(data
, pl
->sa
, pl
->sa_len
) < 0 ||
486 ikev2_process_kei(data
, pl
->ke
, pl
->ke_len
) < 0 ||
487 ikev2_process_ni(data
, pl
->nonce
, pl
->nonce_len
) < 0)
490 os_memcpy(data
->i_spi
, hdr
->i_spi
, IKEV2_SPI_LEN
);
496 static int ikev2_process_idi(struct ikev2_responder_data
*data
,
497 const u8
*idi
, size_t idi_len
)
502 wpa_printf(MSG_INFO
, "IKEV2: No IDi received");
507 wpa_printf(MSG_INFO
, "IKEV2: Too short IDi payload");
515 wpa_printf(MSG_DEBUG
, "IKEV2: IDi ID Type %d", id_type
);
516 wpa_hexdump_ascii(MSG_DEBUG
, "IKEV2: IDi", idi
, idi_len
);
518 data
->IDi
= os_malloc(idi_len
);
519 if (data
->IDi
== NULL
)
521 os_memcpy(data
->IDi
, idi
, idi_len
);
522 data
->IDi_len
= idi_len
;
523 data
->IDi_type
= id_type
;
529 static int ikev2_process_cert(struct ikev2_responder_data
*data
,
530 const u8
*cert
, size_t cert_len
)
535 if (data
->peer_auth
== PEER_AUTH_CERT
) {
536 wpa_printf(MSG_INFO
, "IKEV2: No Certificate received");
543 wpa_printf(MSG_INFO
, "IKEV2: No Cert Encoding field");
547 cert_encoding
= cert
[0];
551 wpa_printf(MSG_DEBUG
, "IKEV2: Cert Encoding %d", cert_encoding
);
552 wpa_hexdump(MSG_MSGDUMP
, "IKEV2: Certificate Data", cert
, cert_len
);
554 /* TODO: validate certificate */
560 static int ikev2_process_auth_cert(struct ikev2_responder_data
*data
,
561 u8 method
, const u8
*auth
, size_t auth_len
)
563 if (method
!= AUTH_RSA_SIGN
) {
564 wpa_printf(MSG_INFO
, "IKEV2: Unsupported authentication "
565 "method %d", method
);
569 /* TODO: validate AUTH */
574 static int ikev2_process_auth_secret(struct ikev2_responder_data
*data
,
575 u8 method
, const u8
*auth
,
578 u8 auth_data
[IKEV2_MAX_HASH_LEN
];
579 const struct ikev2_prf_alg
*prf
;
581 if (method
!= AUTH_SHARED_KEY_MIC
) {
582 wpa_printf(MSG_INFO
, "IKEV2: Unsupported authentication "
583 "method %d", method
);
587 /* msg | Nr | prf(SK_pi,IDi') */
588 if (ikev2_derive_auth_data(data
->proposal
.prf
, data
->i_sign_msg
,
589 data
->IDi
, data
->IDi_len
, data
->IDi_type
,
590 &data
->keys
, 1, data
->shared_secret
,
591 data
->shared_secret_len
,
592 data
->r_nonce
, data
->r_nonce_len
,
593 data
->key_pad
, data
->key_pad_len
,
595 wpa_printf(MSG_INFO
, "IKEV2: Could not derive AUTH data");
599 wpabuf_free(data
->i_sign_msg
);
600 data
->i_sign_msg
= NULL
;
602 prf
= ikev2_get_prf(data
->proposal
.prf
);
606 if (auth_len
!= prf
->hash_len
||
607 os_memcmp(auth
, auth_data
, auth_len
) != 0) {
608 wpa_printf(MSG_INFO
, "IKEV2: Invalid Authentication Data");
609 wpa_hexdump(MSG_DEBUG
, "IKEV2: Received Authentication Data",
611 wpa_hexdump(MSG_DEBUG
, "IKEV2: Expected Authentication Data",
612 auth_data
, prf
->hash_len
);
613 data
->error_type
= AUTHENTICATION_FAILED
;
614 data
->state
= NOTIFY
;
618 wpa_printf(MSG_DEBUG
, "IKEV2: Server authenticated successfully "
619 "using shared keys");
625 static int ikev2_process_auth(struct ikev2_responder_data
*data
,
626 const u8
*auth
, size_t auth_len
)
631 wpa_printf(MSG_INFO
, "IKEV2: No Authentication Payload");
636 wpa_printf(MSG_INFO
, "IKEV2: Too short Authentication "
641 auth_method
= auth
[0];
645 wpa_printf(MSG_DEBUG
, "IKEV2: Auth Method %d", auth_method
);
646 wpa_hexdump(MSG_MSGDUMP
, "IKEV2: Authentication Data", auth
, auth_len
);
648 switch (data
->peer_auth
) {
650 return ikev2_process_auth_cert(data
, auth_method
, auth
,
652 case PEER_AUTH_SECRET
:
653 return ikev2_process_auth_secret(data
, auth_method
, auth
,
661 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data
*data
,
663 u8
*payload
, size_t payload_len
)
665 struct ikev2_payloads pl
;
667 wpa_printf(MSG_DEBUG
, "IKEV2: Processing decrypted payloads");
669 if (ikev2_parse_payloads(&pl
, next_payload
, payload
, payload
+
671 wpa_printf(MSG_INFO
, "IKEV2: Failed to parse decrypted "
676 if (ikev2_process_idi(data
, pl
.idi
, pl
.idi_len
) < 0 ||
677 ikev2_process_cert(data
, pl
.cert
, pl
.cert_len
) < 0 ||
678 ikev2_process_auth(data
, pl
.auth
, pl
.auth_len
) < 0)
685 static int ikev2_process_sa_auth(struct ikev2_responder_data
*data
,
686 const struct ikev2_hdr
*hdr
,
687 struct ikev2_payloads
*pl
)
690 size_t decrypted_len
;
693 decrypted
= ikev2_decrypt_payload(data
->proposal
.encr
,
694 data
->proposal
.integ
,
695 &data
->keys
, 1, hdr
, pl
->encrypted
,
696 pl
->encrypted_len
, &decrypted_len
);
697 if (decrypted
== NULL
)
700 ret
= ikev2_process_sa_auth_decrypted(data
, pl
->encr_next_payload
,
701 decrypted
, decrypted_len
);
708 static int ikev2_validate_rx_state(struct ikev2_responder_data
*data
,
709 u8 exchange_type
, u32 message_id
)
711 switch (data
->state
) {
713 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
714 if (exchange_type
!= IKE_SA_INIT
) {
715 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Exchange Type "
716 "%u in SA_INIT state", exchange_type
);
719 if (message_id
!= 0) {
720 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Message ID %u "
721 "in SA_INIT state", message_id
);
726 /* Expect to receive IKE_SA_AUTH:
727 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
728 * AUTH, SAi2, TSi, TSr}
730 if (exchange_type
!= IKE_SA_AUTH
) {
731 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Exchange Type "
732 "%u in SA_AUTH state", exchange_type
);
735 if (message_id
!= 1) {
736 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Message ID %u "
737 "in SA_AUTH state", message_id
);
742 if (exchange_type
!= CREATE_CHILD_SA
) {
743 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Exchange Type "
744 "%u in CHILD_SA state", exchange_type
);
747 if (message_id
!= 2) {
748 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Message ID %u "
749 "in CHILD_SA state", message_id
);
763 int ikev2_responder_process(struct ikev2_responder_data
*data
,
764 const struct wpabuf
*buf
)
766 const struct ikev2_hdr
*hdr
;
767 u32 length
, message_id
;
769 struct ikev2_payloads pl
;
771 wpa_printf(MSG_MSGDUMP
, "IKEV2: Received message (len %lu)",
772 (unsigned long) wpabuf_len(buf
));
774 if (wpabuf_len(buf
) < sizeof(*hdr
)) {
775 wpa_printf(MSG_INFO
, "IKEV2: Too short frame to include HDR");
779 data
->error_type
= 0;
780 hdr
= (const struct ikev2_hdr
*) wpabuf_head(buf
);
781 end
= wpabuf_head_u8(buf
) + wpabuf_len(buf
);
782 message_id
= WPA_GET_BE32(hdr
->message_id
);
783 length
= WPA_GET_BE32(hdr
->length
);
785 wpa_hexdump(MSG_DEBUG
, "IKEV2: IKE_SA Initiator's SPI",
786 hdr
->i_spi
, IKEV2_SPI_LEN
);
787 wpa_hexdump(MSG_DEBUG
, "IKEV2: IKE_SA Responder's SPI",
788 hdr
->r_spi
, IKEV2_SPI_LEN
);
789 wpa_printf(MSG_DEBUG
, "IKEV2: Next Payload: %u Version: 0x%x "
791 hdr
->next_payload
, hdr
->version
, hdr
->exchange_type
);
792 wpa_printf(MSG_DEBUG
, "IKEV2: Message ID: %u Length: %u",
795 if (hdr
->version
!= IKEV2_VERSION
) {
796 wpa_printf(MSG_INFO
, "IKEV2: Unsupported HDR version 0x%x "
797 "(expected 0x%x)", hdr
->version
, IKEV2_VERSION
);
801 if (length
!= wpabuf_len(buf
)) {
802 wpa_printf(MSG_INFO
, "IKEV2: Invalid length (HDR: %lu != "
803 "RX: %lu)", (unsigned long) length
,
804 (unsigned long) wpabuf_len(buf
));
808 if (ikev2_validate_rx_state(data
, hdr
->exchange_type
, message_id
) < 0)
811 if ((hdr
->flags
& (IKEV2_HDR_INITIATOR
| IKEV2_HDR_RESPONSE
)) !=
812 IKEV2_HDR_INITIATOR
) {
813 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Flags value 0x%x",
818 if (data
->state
!= SA_INIT
) {
819 if (os_memcmp(data
->i_spi
, hdr
->i_spi
, IKEV2_SPI_LEN
) != 0) {
820 wpa_printf(MSG_INFO
, "IKEV2: Unexpected IKE_SA "
824 if (os_memcmp(data
->r_spi
, hdr
->r_spi
, IKEV2_SPI_LEN
) != 0) {
825 wpa_printf(MSG_INFO
, "IKEV2: Unexpected IKE_SA "
831 pos
= (const u8
*) (hdr
+ 1);
832 if (ikev2_parse_payloads(&pl
, hdr
->next_payload
, pos
, end
) < 0)
835 if (data
->state
== SA_INIT
) {
836 data
->last_msg
= LAST_MSG_SA_INIT
;
837 if (ikev2_process_sa_init(data
, hdr
, &pl
) < 0) {
838 if (data
->state
== NOTIFY
)
842 wpabuf_free(data
->i_sign_msg
);
843 data
->i_sign_msg
= wpabuf_dup(buf
);
846 if (data
->state
== SA_AUTH
) {
847 data
->last_msg
= LAST_MSG_SA_AUTH
;
848 if (ikev2_process_sa_auth(data
, hdr
, &pl
) < 0) {
849 if (data
->state
== NOTIFY
)
859 static void ikev2_build_hdr(struct ikev2_responder_data
*data
,
860 struct wpabuf
*msg
, u8 exchange_type
,
861 u8 next_payload
, u32 message_id
)
863 struct ikev2_hdr
*hdr
;
865 wpa_printf(MSG_DEBUG
, "IKEV2: Adding HDR");
867 /* HDR - RFC 4306, Sect. 3.1 */
868 hdr
= wpabuf_put(msg
, sizeof(*hdr
));
869 os_memcpy(hdr
->i_spi
, data
->i_spi
, IKEV2_SPI_LEN
);
870 os_memcpy(hdr
->r_spi
, data
->r_spi
, IKEV2_SPI_LEN
);
871 hdr
->next_payload
= next_payload
;
872 hdr
->version
= IKEV2_VERSION
;
873 hdr
->exchange_type
= exchange_type
;
874 hdr
->flags
= IKEV2_HDR_RESPONSE
;
875 WPA_PUT_BE32(hdr
->message_id
, message_id
);
879 static int ikev2_build_sar1(struct ikev2_responder_data
*data
,
880 struct wpabuf
*msg
, u8 next_payload
)
882 struct ikev2_payload_hdr
*phdr
;
884 struct ikev2_proposal
*p
;
885 struct ikev2_transform
*t
;
887 wpa_printf(MSG_DEBUG
, "IKEV2: Adding SAr1 payload");
889 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
890 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
891 phdr
->next_payload
= next_payload
;
894 p
= wpabuf_put(msg
, sizeof(*p
));
896 /* Seems to require that the Proposal # is 1 even though RFC 4306
897 * Sect 3.3.1 has following requirement "When a proposal is accepted,
898 * all of the proposal numbers in the SA payload MUST be the same and
899 * MUST match the number on the proposal sent that was accepted.".
903 p
->proposal_num
= data
->proposal
.proposal_num
;
905 p
->protocol_id
= IKEV2_PROTOCOL_IKE
;
906 p
->num_transforms
= 4;
908 t
= wpabuf_put(msg
, sizeof(*t
));
910 t
->transform_type
= IKEV2_TRANSFORM_ENCR
;
911 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.encr
);
912 if (data
->proposal
.encr
== ENCR_AES_CBC
) {
913 /* Transform Attribute: Key Len = 128 bits */
915 wpabuf_put_be16(msg
, 0x001d); /* ?? */
917 wpabuf_put_be16(msg
, 0x800e); /* AF=1, AttrType=14 */
919 wpabuf_put_be16(msg
, 128); /* 128-bit key */
921 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) t
;
922 WPA_PUT_BE16(t
->transform_length
, plen
);
924 t
= wpabuf_put(msg
, sizeof(*t
));
926 WPA_PUT_BE16(t
->transform_length
, sizeof(*t
));
927 t
->transform_type
= IKEV2_TRANSFORM_PRF
;
928 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.prf
);
930 t
= wpabuf_put(msg
, sizeof(*t
));
932 WPA_PUT_BE16(t
->transform_length
, sizeof(*t
));
933 t
->transform_type
= IKEV2_TRANSFORM_INTEG
;
934 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.integ
);
936 t
= wpabuf_put(msg
, sizeof(*t
));
937 WPA_PUT_BE16(t
->transform_length
, sizeof(*t
));
938 t
->transform_type
= IKEV2_TRANSFORM_DH
;
939 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.dh
);
941 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) p
;
942 WPA_PUT_BE16(p
->proposal_length
, plen
);
944 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
945 WPA_PUT_BE16(phdr
->payload_length
, plen
);
951 static int ikev2_build_ker(struct ikev2_responder_data
*data
,
952 struct wpabuf
*msg
, u8 next_payload
)
954 struct ikev2_payload_hdr
*phdr
;
958 wpa_printf(MSG_DEBUG
, "IKEV2: Adding KEr payload");
960 pv
= dh_init(data
->dh
, &data
->r_dh_private
);
962 wpa_printf(MSG_DEBUG
, "IKEV2: Failed to initialize DH");
966 /* KEr - RFC 4306, Sect. 3.4 */
967 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
968 phdr
->next_payload
= next_payload
;
971 wpabuf_put_be16(msg
, data
->proposal
.dh
); /* DH Group # */
972 wpabuf_put(msg
, 2); /* RESERVED */
974 * RFC 4306, Sect. 3.4: possible zero padding for public value to
975 * match the length of the prime.
977 wpabuf_put(msg
, data
->dh
->prime_len
- wpabuf_len(pv
));
978 wpabuf_put_buf(msg
, pv
);
981 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
982 WPA_PUT_BE16(phdr
->payload_length
, plen
);
987 static int ikev2_build_nr(struct ikev2_responder_data
*data
,
988 struct wpabuf
*msg
, u8 next_payload
)
990 struct ikev2_payload_hdr
*phdr
;
993 wpa_printf(MSG_DEBUG
, "IKEV2: Adding Nr payload");
995 /* Nr - RFC 4306, Sect. 3.9 */
996 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
997 phdr
->next_payload
= next_payload
;
999 wpabuf_put_data(msg
, data
->r_nonce
, data
->r_nonce_len
);
1000 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1001 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1006 static int ikev2_build_idr(struct ikev2_responder_data
*data
,
1007 struct wpabuf
*msg
, u8 next_payload
)
1009 struct ikev2_payload_hdr
*phdr
;
1012 wpa_printf(MSG_DEBUG
, "IKEV2: Adding IDr payload");
1014 if (data
->IDr
== NULL
) {
1015 wpa_printf(MSG_INFO
, "IKEV2: No IDr available");
1019 /* IDr - RFC 4306, Sect. 3.5 */
1020 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
1021 phdr
->next_payload
= next_payload
;
1023 wpabuf_put_u8(msg
, ID_KEY_ID
);
1024 wpabuf_put(msg
, 3); /* RESERVED */
1025 wpabuf_put_data(msg
, data
->IDr
, data
->IDr_len
);
1026 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1027 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1032 static int ikev2_build_auth(struct ikev2_responder_data
*data
,
1033 struct wpabuf
*msg
, u8 next_payload
)
1035 struct ikev2_payload_hdr
*phdr
;
1037 const struct ikev2_prf_alg
*prf
;
1039 wpa_printf(MSG_DEBUG
, "IKEV2: Adding AUTH payload");
1041 prf
= ikev2_get_prf(data
->proposal
.prf
);
1045 /* Authentication - RFC 4306, Sect. 3.8 */
1046 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
1047 phdr
->next_payload
= next_payload
;
1049 wpabuf_put_u8(msg
, AUTH_SHARED_KEY_MIC
);
1050 wpabuf_put(msg
, 3); /* RESERVED */
1052 /* msg | Ni | prf(SK_pr,IDr') */
1053 if (ikev2_derive_auth_data(data
->proposal
.prf
, data
->r_sign_msg
,
1054 data
->IDr
, data
->IDr_len
, ID_KEY_ID
,
1055 &data
->keys
, 0, data
->shared_secret
,
1056 data
->shared_secret_len
,
1057 data
->i_nonce
, data
->i_nonce_len
,
1058 data
->key_pad
, data
->key_pad_len
,
1059 wpabuf_put(msg
, prf
->hash_len
)) < 0) {
1060 wpa_printf(MSG_INFO
, "IKEV2: Could not derive AUTH data");
1063 wpabuf_free(data
->r_sign_msg
);
1064 data
->r_sign_msg
= NULL
;
1066 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1067 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1072 static int ikev2_build_notification(struct ikev2_responder_data
*data
,
1073 struct wpabuf
*msg
, u8 next_payload
)
1075 struct ikev2_payload_hdr
*phdr
;
1078 wpa_printf(MSG_DEBUG
, "IKEV2: Adding Notification payload");
1080 if (data
->error_type
== 0) {
1081 wpa_printf(MSG_INFO
, "IKEV2: No Notify Message Type "
1086 /* Notify - RFC 4306, Sect. 3.10 */
1087 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
1088 phdr
->next_payload
= next_payload
;
1091 wpabuf_put_u8(msg
, 1); /* Protocol ID: IKE_SA notification */
1093 wpabuf_put_u8(msg
, 0); /* Protocol ID: no existing SA */
1094 #endif /* CCNS_PL */
1095 wpabuf_put_u8(msg
, 0); /* SPI Size */
1096 wpabuf_put_be16(msg
, data
->error_type
);
1098 switch (data
->error_type
) {
1099 case INVALID_KE_PAYLOAD
:
1100 if (data
->proposal
.dh
== -1) {
1101 wpa_printf(MSG_INFO
, "IKEV2: No DH Group selected for "
1102 "INVALID_KE_PAYLOAD notifications");
1105 wpabuf_put_be16(msg
, data
->proposal
.dh
);
1106 wpa_printf(MSG_DEBUG
, "IKEV2: INVALID_KE_PAYLOAD - request "
1107 "DH Group #%d", data
->proposal
.dh
);
1109 case AUTHENTICATION_FAILED
:
1110 /* no associated data */
1113 wpa_printf(MSG_INFO
, "IKEV2: Unsupported Notify Message Type "
1114 "%d", data
->error_type
);
1118 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1119 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1124 static struct wpabuf
* ikev2_build_sa_init(struct ikev2_responder_data
*data
)
1128 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1130 if (os_get_random(data
->r_spi
, IKEV2_SPI_LEN
))
1132 wpa_hexdump(MSG_DEBUG
, "IKEV2: IKE_SA Responder's SPI",
1133 data
->r_spi
, IKEV2_SPI_LEN
);
1135 data
->r_nonce_len
= IKEV2_NONCE_MIN_LEN
;
1136 if (os_get_random(data
->r_nonce
, data
->r_nonce_len
))
1139 /* Zeros are removed incorrectly from the beginning of the nonces in
1140 * key derivation; as a workaround, make sure Nr does not start with
1142 if (data
->r_nonce
[0] == 0)
1143 data
->r_nonce
[0] = 1;
1144 #endif /* CCNS_PL */
1145 wpa_hexdump(MSG_DEBUG
, "IKEV2: Nr", data
->r_nonce
, data
->r_nonce_len
);
1147 msg
= wpabuf_alloc(sizeof(struct ikev2_hdr
) + data
->IDr_len
+ 1500);
1151 ikev2_build_hdr(data
, msg
, IKE_SA_INIT
, IKEV2_PAYLOAD_SA
, 0);
1152 if (ikev2_build_sar1(data
, msg
, IKEV2_PAYLOAD_KEY_EXCHANGE
) ||
1153 ikev2_build_ker(data
, msg
, IKEV2_PAYLOAD_NONCE
) ||
1154 ikev2_build_nr(data
, msg
, data
->peer_auth
== PEER_AUTH_SECRET
?
1155 IKEV2_PAYLOAD_ENCRYPTED
:
1156 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
)) {
1161 if (ikev2_derive_keys(data
)) {
1166 if (data
->peer_auth
== PEER_AUTH_CERT
) {
1167 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1168 * for trust agents */
1171 if (data
->peer_auth
== PEER_AUTH_SECRET
) {
1172 struct wpabuf
*plain
= wpabuf_alloc(data
->IDr_len
+ 1000);
1173 if (plain
== NULL
) {
1177 if (ikev2_build_idr(data
, plain
,
1178 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
) ||
1179 ikev2_build_encrypted(data
->proposal
.encr
,
1180 data
->proposal
.integ
,
1181 &data
->keys
, 0, msg
, plain
,
1182 IKEV2_PAYLOAD_IDr
)) {
1190 ikev2_update_hdr(msg
);
1192 wpa_hexdump_buf(MSG_MSGDUMP
, "IKEV2: Sending message (SA_INIT)", msg
);
1194 data
->state
= SA_AUTH
;
1196 wpabuf_free(data
->r_sign_msg
);
1197 data
->r_sign_msg
= wpabuf_dup(msg
);
1203 static struct wpabuf
* ikev2_build_sa_auth(struct ikev2_responder_data
*data
)
1205 struct wpabuf
*msg
, *plain
;
1207 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1209 msg
= wpabuf_alloc(sizeof(struct ikev2_hdr
) + data
->IDr_len
+ 1000);
1212 ikev2_build_hdr(data
, msg
, IKE_SA_AUTH
, IKEV2_PAYLOAD_ENCRYPTED
, 1);
1214 plain
= wpabuf_alloc(data
->IDr_len
+ 1000);
1215 if (plain
== NULL
) {
1220 if (ikev2_build_idr(data
, plain
, IKEV2_PAYLOAD_AUTHENTICATION
) ||
1221 ikev2_build_auth(data
, plain
, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
) ||
1222 ikev2_build_encrypted(data
->proposal
.encr
, data
->proposal
.integ
,
1223 &data
->keys
, 0, msg
, plain
,
1224 IKEV2_PAYLOAD_IDr
)) {
1231 wpa_hexdump_buf(MSG_MSGDUMP
, "IKEV2: Sending message (SA_AUTH)", msg
);
1233 data
->state
= IKEV2_DONE
;
1239 static struct wpabuf
* ikev2_build_notify(struct ikev2_responder_data
*data
)
1243 msg
= wpabuf_alloc(sizeof(struct ikev2_hdr
) + 1000);
1246 if (data
->last_msg
== LAST_MSG_SA_AUTH
) {
1248 struct wpabuf
*plain
= wpabuf_alloc(100);
1249 if (plain
== NULL
) {
1253 ikev2_build_hdr(data
, msg
, IKE_SA_AUTH
,
1254 IKEV2_PAYLOAD_ENCRYPTED
, 1);
1255 if (ikev2_build_notification(data
, plain
,
1256 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
) ||
1257 ikev2_build_encrypted(data
->proposal
.encr
,
1258 data
->proposal
.integ
,
1259 &data
->keys
, 0, msg
, plain
,
1260 IKEV2_PAYLOAD_NOTIFICATION
)) {
1265 data
->state
= IKEV2_FAILED
;
1268 ikev2_build_hdr(data
, msg
, IKE_SA_INIT
,
1269 IKEV2_PAYLOAD_NOTIFICATION
, 0);
1270 if (ikev2_build_notification(data
, msg
,
1271 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
)) {
1275 data
->state
= SA_INIT
;
1278 ikev2_update_hdr(msg
);
1280 wpa_hexdump_buf(MSG_MSGDUMP
, "IKEV2: Sending message (Notification)",
1287 struct wpabuf
* ikev2_responder_build(struct ikev2_responder_data
*data
)
1289 switch (data
->state
) {
1291 return ikev2_build_sa_init(data
);
1293 return ikev2_build_sa_auth(data
);
1297 return ikev2_build_notify(data
);
