search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
nl80211: Fix a typo
[hostap-gosc2009.git] / src / eap_server / ikev2.c
blob435ba26249332ff9d943885f8287de06f629d035
1 /*
2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "crypto/dh_groups.h"
19 #include "ikev2.h"
20
21
22 static int ikev2_process_idr(struct ikev2_initiator_data *data,
23 const u8 *idr, size_t idr_len);
24
25
26 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
27 {
28 ikev2_free_keys(&data->keys);
29 wpabuf_free(data->r_dh_public);
30 wpabuf_free(data->i_dh_private);
31 os_free(data->IDi);
32 os_free(data->IDr);
33 os_free(data->shared_secret);
34 wpabuf_free(data->i_sign_msg);
35 wpabuf_free(data->r_sign_msg);
36 os_free(data->key_pad);
37 }
38
39
40 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
41 {
42 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
43 size_t buf_len, pad_len;
44 struct wpabuf *shared;
45 const struct ikev2_integ_alg *integ;
46 const struct ikev2_prf_alg *prf;
47 const struct ikev2_encr_alg *encr;
48 int ret;
49 const u8 *addr[2];
50 size_t len[2];
51
52 /* RFC 4306, Sect. 2.14 */
53
54 integ = ikev2_get_integ(data->proposal.integ);
55 prf = ikev2_get_prf(data->proposal.prf);
56 encr = ikev2_get_encr(data->proposal.encr);
57 if (integ == NULL || prf == NULL || encr == NULL) {
58 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
59 return -1;
60 }
61
62 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
63 data->dh);
64 if (shared == NULL)
65 return -1;
66
67 /* Construct Ni | Nr | SPIi | SPIr */
68
69 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
70 buf = os_malloc(buf_len);
71 if (buf == NULL) {
72 wpabuf_free(shared);
73 return -1;
74 }
75
76 pos = buf;
77 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
78 pos += data->i_nonce_len;
79 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
80 pos += data->r_nonce_len;
81 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
82 pos += IKEV2_SPI_LEN;
83 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
84
85 /* SKEYSEED = prf(Ni | Nr, g^ir) */
86
87 /* Use zero-padding per RFC 4306, Sect. 2.14 */
88 pad_len = data->dh->prime_len - wpabuf_len(shared);
89 pad = os_zalloc(pad_len ? pad_len : 1);
90 if (pad == NULL) {
91 wpabuf_free(shared);
92 os_free(buf);
93 return -1;
94 }
95 addr[0] = pad;
96 len[0] = pad_len;
97 addr[1] = wpabuf_head(shared);
98 len[1] = wpabuf_len(shared);
99 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
100 2, addr, len, skeyseed) < 0) {
101 wpabuf_free(shared);
102 os_free(buf);
103 os_free(pad);
104 return -1;
105 }
106 os_free(pad);
107 wpabuf_free(shared);
108
109 /* DH parameters are not needed anymore, so free them */
110 wpabuf_free(data->r_dh_public);
111 data->r_dh_public = NULL;
112 wpabuf_free(data->i_dh_private);
113 data->i_dh_private = NULL;
114
115 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
116 skeyseed, prf->hash_len);
117
118 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
119 &data->keys);
120 os_free(buf);
121 return ret;
122 }
123
124
125 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
126 struct ikev2_proposal_data *prop,
127 const u8 *pos, const u8 *end)
128 {
129 int transform_len;
130 const struct ikev2_transform *t;
131 u16 transform_id;
132 const u8 *tend;
133
134 if (end - pos < (int) sizeof(*t)) {
135 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
136 return -1;
137 }
138
139 t = (const struct ikev2_transform *) pos;
140 transform_len = WPA_GET_BE16(t->transform_length);
141 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
142 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
143 transform_len);
144 return -1;
145 }
146 tend = pos + transform_len;
147
148 transform_id = WPA_GET_BE16(t->transform_id);
149
150 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
151 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
152 "Transform Type: %d Transform ID: %d",
153 t->type, transform_len, t->transform_type, transform_id);
154
155 if (t->type != 0 && t->type != 3) {
156 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
157 return -1;
158 }
159
160 pos = (const u8 *) (t + 1);
161 if (pos < tend) {
162 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
163 pos, tend - pos);
164 }
165
166 switch (t->transform_type) {
167 case IKEV2_TRANSFORM_ENCR:
168 if (ikev2_get_encr(transform_id) &&
169 transform_id == data->proposal.encr) {
170 if (transform_id == ENCR_AES_CBC) {
171 if (tend - pos != 4) {
172 wpa_printf(MSG_DEBUG, "IKEV2: No "
173 "Transform Attr for AES");
174 break;
175 }
176 if (WPA_GET_BE16(pos) != 0x800e) {
177 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
178 "Key Size attribute for "
179 "AES");
180 break;
181 }
182 if (WPA_GET_BE16(pos + 2) != 128) {
183 wpa_printf(MSG_DEBUG, "IKEV2: "
184 "Unsupported AES key size "
185 "%d bits",
186 WPA_GET_BE16(pos + 2));
187 break;
188 }
189 }
190 prop->encr = transform_id;
191 }
192 break;
193 case IKEV2_TRANSFORM_PRF:
194 if (ikev2_get_prf(transform_id) &&
195 transform_id == data->proposal.prf)
196 prop->prf = transform_id;
197 break;
198 case IKEV2_TRANSFORM_INTEG:
199 if (ikev2_get_integ(transform_id) &&
200 transform_id == data->proposal.integ)
201 prop->integ = transform_id;
202 break;
203 case IKEV2_TRANSFORM_DH:
204 if (dh_groups_get(transform_id) &&
205 transform_id == data->proposal.dh)
206 prop->dh = transform_id;
207 break;
208 }
209
210 return transform_len;
211 }
212
213
214 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
215 struct ikev2_proposal_data *prop,
216 const u8 *pos, const u8 *end)
217 {
218 const u8 *pend, *ppos;
219 int proposal_len, i;
220 const struct ikev2_proposal *p;
221
222 if (end - pos < (int) sizeof(*p)) {
223 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
224 return -1;
225 }
226
227 p = (const struct ikev2_proposal *) pos;
228 proposal_len = WPA_GET_BE16(p->proposal_length);
229 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
230 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
231 proposal_len);
232 return -1;
233 }
234 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
235 p->proposal_num);
236 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
237 " Protocol ID: %d",
238 p->type, proposal_len, p->protocol_id);
239 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
240 p->spi_size, p->num_transforms);
241
242 if (p->type != 0 && p->type != 2) {
243 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
244 return -1;
245 }
246
247 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
248 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
249 "(only IKE allowed for EAP-IKEv2)");
250 return -1;
251 }
252
253 if (p->proposal_num != prop->proposal_num) {
254 if (p->proposal_num == prop->proposal_num + 1)
255 prop->proposal_num = p->proposal_num;
256 else {
257 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
258 return -1;
259 }
260 }
261
262 ppos = (const u8 *) (p + 1);
263 pend = pos + proposal_len;
264 if (ppos + p->spi_size > pend) {
265 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
266 "in proposal");
267 return -1;
268 }
269 if (p->spi_size) {
270 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
271 ppos, p->spi_size);
272 ppos += p->spi_size;
273 }
274
275 /*
276 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
277 * subsequent negotiations, it must be 8 for IKE. We only support
278 * initial case for now.
279 */
280 if (p->spi_size != 0) {
281 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
282 return -1;
283 }
284
285 if (p->num_transforms == 0) {
286 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
287 return -1;
288 }
289
290 for (i = 0; i < (int) p->num_transforms; i++) {
291 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
292 if (tlen < 0)
293 return -1;
294 ppos += tlen;
295 }
296
297 if (ppos != pend) {
298 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
299 "transforms");
300 return -1;
301 }
302
303 return proposal_len;
304 }
305
306
307 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
308 const u8 *sar1, size_t sar1_len)
309 {
310 struct ikev2_proposal_data prop;
311 const u8 *pos, *end;
312 int found = 0;
313
314 /* Security Association Payloads: <Proposals> */
315
316 if (sar1 == NULL) {
317 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
318 return -1;
319 }
320
321 os_memset(&prop, 0, sizeof(prop));
322 prop.proposal_num = 1;
323
324 pos = sar1;
325 end = sar1 + sar1_len;
326
327 while (pos < end) {
328 int plen;
329
330 prop.integ = -1;
331 prop.prf = -1;
332 prop.encr = -1;
333 prop.dh = -1;
334 plen = ikev2_parse_proposal(data, &prop, pos, end);
335 if (plen < 0)
336 return -1;
337
338 if (!found && prop.integ != -1 && prop.prf != -1 &&
339 prop.encr != -1 && prop.dh != -1) {
340 found = 1;
341 }
342
343 pos += plen;
344
345 /* Only one proposal expected in SAr */
346 break;
347 }
348
349 if (pos != end) {
350 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
351 return -1;
352 }
353
354 if (!found) {
355 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
356 return -1;
357 }
358
359 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
360 "INTEG:%d D-H:%d", data->proposal.proposal_num,
361 data->proposal.encr, data->proposal.prf,
362 data->proposal.integ, data->proposal.dh);
363
364 return 0;
365 }
366
367
368 static int ikev2_process_ker(struct ikev2_initiator_data *data,
369 const u8 *ker, size_t ker_len)
370 {
371 u16 group;
372
373 /*
374 * Key Exchange Payload:
375 * DH Group # (16 bits)
376 * RESERVED (16 bits)
377 * Key Exchange Data (Diffie-Hellman public value)
378 */
379
380 if (ker == NULL) {
381 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
382 return -1;
383 }
384
385 if (ker_len < 4 + 96) {
386 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
387 return -1;
388 }
389
390 group = WPA_GET_BE16(ker);
391 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
392
393 if (group != data->proposal.dh) {
394 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
395 "with the selected proposal (%u)",
396 group, data->proposal.dh);
397 return -1;
398 }
399
400 if (data->dh == NULL) {
401 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
402 return -1;
403 }
404
405 /* RFC 4306, Section 3.4:
406 * The length of DH public value MUST be equal to the lenght of the
407 * prime modulus.
408 */
409 if (ker_len - 4 != data->dh->prime_len) {
410 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
411 "%ld (expected %ld)",
412 (long) (ker_len - 4), (long) data->dh->prime_len);
413 return -1;
414 }
415
416 wpabuf_free(data->r_dh_public);
417 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
418 if (data->r_dh_public == NULL)
419 return -1;
420
421 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
422 data->r_dh_public);
423
424 return 0;
425 }
426
427
428 static int ikev2_process_nr(struct ikev2_initiator_data *data,
429 const u8 *nr, size_t nr_len)
430 {
431 if (nr == NULL) {
432 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
433 return -1;
434 }
435
436 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
437 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
438 (long) nr_len);
439 return -1;
440 }
441
442 data->r_nonce_len = nr_len;
443 os_memcpy(data->r_nonce, nr, nr_len);
444 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
445 data->r_nonce, data->r_nonce_len);
446
447 return 0;
448 }
449
450
451 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
452 const struct ikev2_hdr *hdr,
453 const u8 *encrypted,
454 size_t encrypted_len, u8 next_payload)
455 {
456 u8 *decrypted;
457 size_t decrypted_len;
458 struct ikev2_payloads pl;
459 int ret = 0;
460
461 decrypted = ikev2_decrypt_payload(data->proposal.encr,
462 data->proposal.integ, &data->keys, 0,
463 hdr, encrypted, encrypted_len,
464 &decrypted_len);
465 if (decrypted == NULL)
466 return -1;
467
468 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
469
470 if (ikev2_parse_payloads(&pl, next_payload, decrypted,
471 decrypted + decrypted_len) < 0) {
472 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
473 "payloads");
474 return -1;
475 }
476
477 if (pl.idr)
478 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
479
480 os_free(decrypted);
481
482 return ret;
483 }
484
485
486 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
487 const struct ikev2_hdr *hdr,
488 struct ikev2_payloads *pl)
489 {
490 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
491 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
492 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
493 return -1;
494
495 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
496
497 if (ikev2_derive_keys(data) < 0)
498 return -1;
499
500 if (pl->encrypted) {
501 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
502 "try to get IDr from it");
503 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
504 pl->encrypted_len,
505 pl->encr_next_payload) < 0) {
506 wpa_printf(MSG_INFO, "IKEV2: Failed to process "
507 "encrypted payload");
508 return -1;
509 }
510 }
511
512 data->state = SA_AUTH;
513
514 return 0;
515 }
516
517
518 static int ikev2_process_idr(struct ikev2_initiator_data *data,
519 const u8 *idr, size_t idr_len)
520 {
521 u8 id_type;
522
523 if (idr == NULL) {
524 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
525 return -1;
526 }
527
528 if (idr_len < 4) {
529 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
530 return -1;
531 }
532
533 id_type = idr[0];
534 idr += 4;
535 idr_len -= 4;
536
537 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
538 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
539 if (data->IDr) {
540 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
541 os_memcmp(idr, data->IDr, idr_len) != 0) {
542 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
543 "received earlier");
544 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
545 id_type);
546 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
547 data->IDr, data->IDr_len);
548 return -1;
549 }
550 os_free(data->IDr);
551 }
552 data->IDr = os_malloc(idr_len);
553 if (data->IDr == NULL)
554 return -1;
555 os_memcpy(data->IDr, idr, idr_len);
556 data->IDr_len = idr_len;
557 data->IDr_type = id_type;
558
559 return 0;
560 }
561
562
563 static int ikev2_process_cert(struct ikev2_initiator_data *data,
564 const u8 *cert, size_t cert_len)
565 {
566 u8 cert_encoding;
567
568 if (cert == NULL) {
569 if (data->peer_auth == PEER_AUTH_CERT) {
570 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
571 return -1;
572 }
573 return 0;
574 }
575
576 if (cert_len < 1) {
577 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
578 return -1;
579 }
580
581 cert_encoding = cert[0];
582 cert++;
583 cert_len--;
584
585 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
586 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
587
588 /* TODO: validate certificate */
589
590 return 0;
591 }
592
593
594 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
595 u8 method, const u8 *auth, size_t auth_len)
596 {
597 if (method != AUTH_RSA_SIGN) {
598 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
599 "method %d", method);
600 return -1;
601 }
602
603 /* TODO: validate AUTH */
604 return 0;
605 }
606
607
608 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
609 u8 method, const u8 *auth,
610 size_t auth_len)
611 {
612 u8 auth_data[IKEV2_MAX_HASH_LEN];
613 const struct ikev2_prf_alg *prf;
614
615 if (method != AUTH_SHARED_KEY_MIC) {
616 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
617 "method %d", method);
618 return -1;
619 }
620
621 /* msg | Ni | prf(SK_pr,IDr') */
622 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
623 data->IDr, data->IDr_len, data->IDr_type,
624 &data->keys, 0, data->shared_secret,
625 data->shared_secret_len,
626 data->i_nonce, data->i_nonce_len,
627 data->key_pad, data->key_pad_len,
628 auth_data) < 0) {
629 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
630 return -1;
631 }
632
633 wpabuf_free(data->r_sign_msg);
634 data->r_sign_msg = NULL;
635
636 prf = ikev2_get_prf(data->proposal.prf);
637 if (prf == NULL)
638 return -1;
639
640 if (auth_len != prf->hash_len ||
641 os_memcmp(auth, auth_data, auth_len) != 0) {
642 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
643 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
644 auth, auth_len);
645 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
646 auth_data, prf->hash_len);
647 return -1;
648 }
649
650 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
651 "using shared keys");
652
653 return 0;
654 }
655
656
657 static int ikev2_process_auth(struct ikev2_initiator_data *data,
658 const u8 *auth, size_t auth_len)
659 {
660 u8 auth_method;
661
662 if (auth == NULL) {
663 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
664 return -1;
665 }
666
667 if (auth_len < 4) {
668 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
669 "Payload");
670 return -1;
671 }
672
673 auth_method = auth[0];
674 auth += 4;
675 auth_len -= 4;
676
677 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
678 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
679
680 switch (data->peer_auth) {
681 case PEER_AUTH_CERT:
682 return ikev2_process_auth_cert(data, auth_method, auth,
683 auth_len);
684 case PEER_AUTH_SECRET:
685 return ikev2_process_auth_secret(data, auth_method, auth,
686 auth_len);
687 }
688
689 return -1;
690 }
691
692
693 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
694 u8 next_payload,
695 u8 *payload, size_t payload_len)
696 {
697 struct ikev2_payloads pl;
698
699 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
700
701 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
702 payload_len) < 0) {
703 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
704 "payloads");
705 return -1;
706 }
707
708 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
709 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
710 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
711 return -1;
712
713 return 0;
714 }
715
716
717 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
718 const struct ikev2_hdr *hdr,
719 struct ikev2_payloads *pl)
720 {
721 u8 *decrypted;
722 size_t decrypted_len;
723 int ret;
724
725 decrypted = ikev2_decrypt_payload(data->proposal.encr,
726 data->proposal.integ,
727 &data->keys, 0, hdr, pl->encrypted,
728 pl->encrypted_len, &decrypted_len);
729 if (decrypted == NULL)
730 return -1;
731
732 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
733 decrypted, decrypted_len);
734 os_free(decrypted);
735
736 if (ret == 0 && !data->unknown_user) {
737 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
738 data->state = IKEV2_DONE;
739 }
740
741 return ret;
742 }
743
744
745 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
746 u8 exchange_type, u32 message_id)
747 {
748 switch (data->state) {
749 case SA_INIT:
750 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
751 * [SK{IDr}] */
752 if (exchange_type != IKE_SA_INIT) {
753 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
754 "%u in SA_INIT state", exchange_type);
755 return -1;
756 }
757 if (message_id != 0) {
758 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
759 "in SA_INIT state", message_id);
760 return -1;
761 }
762 break;
763 case SA_AUTH:
764 /* Expect to receive IKE_SA_AUTH:
765 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
766 */
767 if (exchange_type != IKE_SA_AUTH) {
768 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
769 "%u in SA_AUTH state", exchange_type);
770 return -1;
771 }
772 if (message_id != 1) {
773 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
774 "in SA_AUTH state", message_id);
775 return -1;
776 }
777 break;
778 case CHILD_SA:
779 if (exchange_type != CREATE_CHILD_SA) {
780 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
781 "%u in CHILD_SA state", exchange_type);
782 return -1;
783 }
784 if (message_id != 2) {
785 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
786 "in CHILD_SA state", message_id);
787 return -1;
788 }
789 break;
790 case IKEV2_DONE:
791 return -1;
792 }
793
794 return 0;
795 }
796
797
798 int ikev2_initiator_process(struct ikev2_initiator_data *data,
799 const struct wpabuf *buf)
800 {
801 const struct ikev2_hdr *hdr;
802 u32 length, message_id;
803 const u8 *pos, *end;
804 struct ikev2_payloads pl;
805
806 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
807 (unsigned long) wpabuf_len(buf));
808
809 if (wpabuf_len(buf) < sizeof(*hdr)) {
810 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
811 return -1;
812 }
813
814 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
815 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
816 message_id = WPA_GET_BE32(hdr->message_id);
817 length = WPA_GET_BE32(hdr->length);
818
819 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
820 hdr->i_spi, IKEV2_SPI_LEN);
821 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
822 hdr->r_spi, IKEV2_SPI_LEN);
823 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
824 "Exchange Type: %u",
825 hdr->next_payload, hdr->version, hdr->exchange_type);
826 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
827 message_id, length);
828
829 if (hdr->version != IKEV2_VERSION) {
830 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
831 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
832 return -1;
833 }
834
835 if (length != wpabuf_len(buf)) {
836 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
837 "RX: %lu)", (unsigned long) length,
838 (unsigned long) wpabuf_len(buf));
839 return -1;
840 }
841
842 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
843 return -1;
844
845 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
846 IKEV2_HDR_RESPONSE) {
847 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
848 hdr->flags);
849 return -1;
850 }
851
852 if (data->state != SA_INIT) {
853 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
854 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
855 "Initiator's SPI");
856 return -1;
857 }
858 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
859 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
860 "Responder's SPI");
861 return -1;
862 }
863 }
864
865 pos = (const u8 *) (hdr + 1);
866 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
867 return -1;
868
869 switch (data->state) {
870 case SA_INIT:
871 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
872 return -1;
873 wpabuf_free(data->r_sign_msg);
874 data->r_sign_msg = wpabuf_dup(buf);
875 break;
876 case SA_AUTH:
877 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
878 return -1;
879 break;
880 case CHILD_SA:
881 case IKEV2_DONE:
882 break;
883 }
884
885 return 0;
886 }
887
888
889 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
890 struct wpabuf *msg, u8 exchange_type,
891 u8 next_payload, u32 message_id)
892 {
893 struct ikev2_hdr *hdr;
894
895 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
896
897 /* HDR - RFC 4306, Sect. 3.1 */
898 hdr = wpabuf_put(msg, sizeof(*hdr));
899 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
900 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
901 hdr->next_payload = next_payload;
902 hdr->version = IKEV2_VERSION;
903 hdr->exchange_type = exchange_type;
904 hdr->flags = IKEV2_HDR_INITIATOR;
905 WPA_PUT_BE32(hdr->message_id, message_id);
906 }
907
908
909 static int ikev2_build_sai(struct ikev2_initiator_data *data,
910 struct wpabuf *msg, u8 next_payload)
911 {
912 struct ikev2_payload_hdr *phdr;
913 size_t plen;
914 struct ikev2_proposal *p;
915 struct ikev2_transform *t;
916
917 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
918
919 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
920 phdr = wpabuf_put(msg, sizeof(*phdr));
921 phdr->next_payload = next_payload;
922 phdr->flags = 0;
923
924 /* TODO: support for multiple proposals */
925 p = wpabuf_put(msg, sizeof(*p));
926 p->proposal_num = data->proposal.proposal_num;
927 p->protocol_id = IKEV2_PROTOCOL_IKE;
928 p->num_transforms = 4;
929
930 t = wpabuf_put(msg, sizeof(*t));
931 t->type = 3;
932 t->transform_type = IKEV2_TRANSFORM_ENCR;
933 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
934 if (data->proposal.encr == ENCR_AES_CBC) {
935 /* Transform Attribute: Key Len = 128 bits */
936 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
937 wpabuf_put_be16(msg, 128); /* 128-bit key */
938 }
939 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
940 WPA_PUT_BE16(t->transform_length, plen);
941
942 t = wpabuf_put(msg, sizeof(*t));
943 t->type = 3;
944 WPA_PUT_BE16(t->transform_length, sizeof(*t));
945 t->transform_type = IKEV2_TRANSFORM_PRF;
946 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
947
948 t = wpabuf_put(msg, sizeof(*t));
949 t->type = 3;
950 WPA_PUT_BE16(t->transform_length, sizeof(*t));
951 t->transform_type = IKEV2_TRANSFORM_INTEG;
952 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
953
954 t = wpabuf_put(msg, sizeof(*t));
955 WPA_PUT_BE16(t->transform_length, sizeof(*t));
956 t->transform_type = IKEV2_TRANSFORM_DH;
957 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
958
959 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
960 WPA_PUT_BE16(p->proposal_length, plen);
961
962 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
963 WPA_PUT_BE16(phdr->payload_length, plen);
964
965 return 0;
966 }
967
968
969 static int ikev2_build_kei(struct ikev2_initiator_data *data,
970 struct wpabuf *msg, u8 next_payload)
971 {
972 struct ikev2_payload_hdr *phdr;
973 size_t plen;
974 struct wpabuf *pv;
975
976 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
977
978 data->dh = dh_groups_get(data->proposal.dh);
979 pv = dh_init(data->dh, &data->i_dh_private);
980 if (pv == NULL) {
981 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
982 return -1;
983 }
984
985 /* KEi - RFC 4306, Sect. 3.4 */
986 phdr = wpabuf_put(msg, sizeof(*phdr));
987 phdr->next_payload = next_payload;
988 phdr->flags = 0;
989
990 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
991 wpabuf_put(msg, 2); /* RESERVED */
992 /*
993 * RFC 4306, Sect. 3.4: possible zero padding for public value to
994 * match the length of the prime.
995 */
996 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
997 wpabuf_put_buf(msg, pv);
998 os_free(pv);
999
1000 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1001 WPA_PUT_BE16(phdr->payload_length, plen);
1002 return 0;
1003 }
1004
1005
1006 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1007 struct wpabuf *msg, u8 next_payload)
1008 {
1009 struct ikev2_payload_hdr *phdr;
1010 size_t plen;
1011
1012 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1013
1014 /* Ni - RFC 4306, Sect. 3.9 */
1015 phdr = wpabuf_put(msg, sizeof(*phdr));
1016 phdr->next_payload = next_payload;
1017 phdr->flags = 0;
1018 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1019 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1020 WPA_PUT_BE16(phdr->payload_length, plen);
1021 return 0;
1022 }
1023
1024
1025 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1026 struct wpabuf *msg, u8 next_payload)
1027 {
1028 struct ikev2_payload_hdr *phdr;
1029 size_t plen;
1030
1031 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1032
1033 if (data->IDi == NULL) {
1034 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1035 return -1;
1036 }
1037
1038 /* IDi - RFC 4306, Sect. 3.5 */
1039 phdr = wpabuf_put(msg, sizeof(*phdr));
1040 phdr->next_payload = next_payload;
1041 phdr->flags = 0;
1042 wpabuf_put_u8(msg, ID_KEY_ID);
1043 wpabuf_put(msg, 3); /* RESERVED */
1044 wpabuf_put_data(msg, data->IDi, data->IDi_len);
1045 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1046 WPA_PUT_BE16(phdr->payload_length, plen);
1047 return 0;
1048 }
1049
1050
1051 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1052 struct wpabuf *msg, u8 next_payload)
1053 {
1054 struct ikev2_payload_hdr *phdr;
1055 size_t plen;
1056 const struct ikev2_prf_alg *prf;
1057
1058 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1059
1060 prf = ikev2_get_prf(data->proposal.prf);
1061 if (prf == NULL)
1062 return -1;
1063
1064 /* Authentication - RFC 4306, Sect. 3.8 */
1065 phdr = wpabuf_put(msg, sizeof(*phdr));
1066 phdr->next_payload = next_payload;
1067 phdr->flags = 0;
1068 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1069 wpabuf_put(msg, 3); /* RESERVED */
1070
1071 /* msg | Nr | prf(SK_pi,IDi') */
1072 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1073 data->IDi, data->IDi_len, ID_KEY_ID,
1074 &data->keys, 1, data->shared_secret,
1075 data->shared_secret_len,
1076 data->r_nonce, data->r_nonce_len,
1077 data->key_pad, data->key_pad_len,
1078 wpabuf_put(msg, prf->hash_len)) < 0) {
1079 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1080 return -1;
1081 }
1082 wpabuf_free(data->i_sign_msg);
1083 data->i_sign_msg = NULL;
1084
1085 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1086 WPA_PUT_BE16(phdr->payload_length, plen);
1087 return 0;
1088 }
1089
1090
1091 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1092 {
1093 struct wpabuf *msg;
1094
1095 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1096
1097 if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1098 return NULL;
1099 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1100 data->i_spi, IKEV2_SPI_LEN);
1101
1102 data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1103 if (os_get_random(data->i_nonce, data->i_nonce_len))
1104 return NULL;
1105 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1106
1107 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1108 if (msg == NULL)
1109 return NULL;
1110
1111 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1112 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1113 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1114 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1115 wpabuf_free(msg);
1116 return NULL;
1117 }
1118
1119 ikev2_update_hdr(msg);
1120
1121 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1122
1123 wpabuf_free(data->i_sign_msg);
1124 data->i_sign_msg = wpabuf_dup(msg);
1125
1126 return msg;
1127 }
1128
1129
1130 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1131 {
1132 struct wpabuf *msg, *plain;
1133 const u8 *secret;
1134 size_t secret_len;
1135
1136 secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1137 data->IDr_len, &secret_len);
1138 if (secret == NULL) {
1139 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1140 "use fake value");
1141 /* RFC 5106, Sect. 7:
1142 * Use a random key to fake AUTH generation in order to prevent
1143 * probing of user identities.
1144 */
1145 data->unknown_user = 1;
1146 os_free(data->shared_secret);
1147 data->shared_secret = os_malloc(16);
1148 if (data->shared_secret == NULL)
1149 return NULL;
1150 data->shared_secret_len = 16;
1151 if (os_get_random(data->shared_secret, 16))
1152 return NULL;
1153 } else {
1154 os_free(data->shared_secret);
1155 data->shared_secret = os_malloc(secret_len);
1156 if (data->shared_secret == NULL)
1157 return NULL;
1158 os_memcpy(data->shared_secret, secret, secret_len);
1159 data->shared_secret_len = secret_len;
1160 }
1161
1162 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1163
1164 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1165 if (msg == NULL)
1166 return NULL;
1167 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1168
1169 plain = wpabuf_alloc(data->IDr_len + 1000);
1170 if (plain == NULL) {
1171 wpabuf_free(msg);
1172 return NULL;
1173 }
1174
1175 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1176 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1177 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1178 &data->keys, 1, msg, plain,
1179 IKEV2_PAYLOAD_IDi)) {
1180 wpabuf_free(plain);
1181 wpabuf_free(msg);
1182 return NULL;
1183 }
1184 wpabuf_free(plain);
1185
1186 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1187
1188 return msg;
1189 }
1190
1191
1192 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1193 {
1194 switch (data->state) {
1195 case SA_INIT:
1196 return ikev2_build_sa_init(data);
1197 case SA_AUTH:
1198 return ikev2_build_sa_auth(data);
1199 case CHILD_SA:
1200 return NULL;
1201 case IKEV2_DONE:
1202 return NULL;
1203 }
1204 return NULL;
1205 }