Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 1f69aa52ea2e0a73ac502565df8c666ee49cab6a / . / src / eap_peer / ikev2.c
blob: acd76115f3a6298fe2cc4fa885828975a91d322f [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "crypto/dh_groups.h"
19#include "crypto/random.h"
20#include "ikev2.h"
21
22
23void ikev2_responder_deinit(struct ikev2_responder_data *data)
24{
25 ikev2_free_keys(&data->keys);
26 wpabuf_free(data->i_dh_public);
27 wpabuf_free(data->r_dh_private);
28 os_free(data->IDi);
29 os_free(data->IDr);
30 os_free(data->shared_secret);
31 wpabuf_free(data->i_sign_msg);
32 wpabuf_free(data->r_sign_msg);
33 os_free(data->key_pad);
34}
35
36
37static int ikev2_derive_keys(struct ikev2_responder_data *data)
38{
39 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
40 size_t buf_len, pad_len;
41 struct wpabuf *shared;
42 const struct ikev2_integ_alg *integ;
43 const struct ikev2_prf_alg *prf;
44 const struct ikev2_encr_alg *encr;
45 int ret;
46 const u8 *addr[2];
47 size_t len[2];
48
49 /* RFC 4306, Sect. 2.14 */
50
51 integ = ikev2_get_integ(data->proposal.integ);
52 prf = ikev2_get_prf(data->proposal.prf);
53 encr = ikev2_get_encr(data->proposal.encr);
54 if (integ == NULL || prf == NULL || encr == NULL) {
55 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
56 return -1;
57 }
58
59 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
60 data->dh);
61 if (shared == NULL)
62 return -1;
63
64 /* Construct Ni | Nr | SPIi | SPIr */
65
66 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
67 buf = os_malloc(buf_len);
68 if (buf == NULL) {
69 wpabuf_free(shared);
70 return -1;
71 }
72
73 pos = buf;
74 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
75 pos += data->i_nonce_len;
76 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
77 pos += data->r_nonce_len;
78 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
79 pos += IKEV2_SPI_LEN;
80 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
81#ifdef CCNS_PL
82#if __BYTE_ORDER == __LITTLE_ENDIAN
83 {
84 int i;
85 u8 *tmp = pos - IKEV2_SPI_LEN;
86 /* Incorrect byte re-ordering on little endian hosts.. */
87 for (i = 0; i < IKEV2_SPI_LEN; i++)
88 *tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
89 for (i = 0; i < IKEV2_SPI_LEN; i++)
90 *tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
91 }
92#endif
93#endif /* CCNS_PL */
94
95 /* SKEYSEED = prf(Ni | Nr, g^ir) */
96 /* Use zero-padding per RFC 4306, Sect. 2.14 */
97 pad_len = data->dh->prime_len - wpabuf_len(shared);
98#ifdef CCNS_PL
99 /* Shared secret is not zero-padded correctly */
100 pad_len = 0;
101#endif /* CCNS_PL */
102 pad = os_zalloc(pad_len ? pad_len : 1);
103 if (pad == NULL) {
104 wpabuf_free(shared);
105 os_free(buf);
106 return -1;
107 }
108
109 addr[0] = pad;
110 len[0] = pad_len;
111 addr[1] = wpabuf_head(shared);
112 len[1] = wpabuf_len(shared);
113 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
114 2, addr, len, skeyseed) < 0) {
115 wpabuf_free(shared);
116 os_free(buf);
117 os_free(pad);
118 return -1;
119 }
120 os_free(pad);
121 wpabuf_free(shared);
122
123 /* DH parameters are not needed anymore, so free them */
124 wpabuf_free(data->i_dh_public);
125 data->i_dh_public = NULL;
126 wpabuf_free(data->r_dh_private);
127 data->r_dh_private = NULL;
128
129 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
130 skeyseed, prf->hash_len);
131
132 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
133 &data->keys);
134 os_free(buf);
135 return ret;
136}
137
138
139static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
140 const u8 *pos, const u8 *end)
141{
142 int transform_len;
143 const struct ikev2_transform *t;
144 u16 transform_id;
145 const u8 *tend;
146
147 if (end - pos < (int) sizeof(*t)) {
148 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
149 return -1;
150 }
151
152 t = (const struct ikev2_transform *) pos;
153 transform_len = WPA_GET_BE16(t->transform_length);
154 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
155 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
156 transform_len);
157 return -1;
158 }
159 tend = pos + transform_len;
160
161 transform_id = WPA_GET_BE16(t->transform_id);
162
163 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
164 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
165 "Transform Type: %d Transform ID: %d",
166 t->type, transform_len, t->transform_type, transform_id);
167
168 if (t->type != 0 && t->type != 3) {
169 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
170 return -1;
171 }
172
173 pos = (const u8 *) (t + 1);
174 if (pos < tend) {
175 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
176 pos, tend - pos);
177 }
178
179 switch (t->transform_type) {
180 case IKEV2_TRANSFORM_ENCR:
181 if (ikev2_get_encr(transform_id)) {
182 if (transform_id == ENCR_AES_CBC) {
183 if (tend - pos != 4) {
184 wpa_printf(MSG_DEBUG, "IKEV2: No "
185 "Transform Attr for AES");
186 break;
187 }
188#ifdef CCNS_PL
189 if (WPA_GET_BE16(pos) != 0x001d /* ?? */) {
190 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
191 "Key Size attribute for "
192 "AES");
193 break;
194 }
195#else /* CCNS_PL */
196 if (WPA_GET_BE16(pos) != 0x800e) {
197 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
198 "Key Size attribute for "
199 "AES");
200 break;
201 }
202#endif /* CCNS_PL */
203 if (WPA_GET_BE16(pos + 2) != 128) {
204 wpa_printf(MSG_DEBUG, "IKEV2: "
205 "Unsupported AES key size "
206 "%d bits",
207 WPA_GET_BE16(pos + 2));
208 break;
209 }
210 }
211 prop->encr = transform_id;
212 }
213 break;
214 case IKEV2_TRANSFORM_PRF:
215 if (ikev2_get_prf(transform_id))
216 prop->prf = transform_id;
217 break;
218 case IKEV2_TRANSFORM_INTEG:
219 if (ikev2_get_integ(transform_id))
220 prop->integ = transform_id;
221 break;
222 case IKEV2_TRANSFORM_DH:
223 if (dh_groups_get(transform_id))
224 prop->dh = transform_id;
225 break;
226 }
227
228 return transform_len;
229}
230
231
232static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
233 const u8 *pos, const u8 *end)
234{
235 const u8 *pend, *ppos;
236 int proposal_len, i;
237 const struct ikev2_proposal *p;
238
239 if (end - pos < (int) sizeof(*p)) {
240 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
241 return -1;
242 }
243
244 /* FIX: AND processing if multiple proposals use the same # */
245
246 p = (const struct ikev2_proposal *) pos;
247 proposal_len = WPA_GET_BE16(p->proposal_length);
248 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
249 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
250 proposal_len);
251 return -1;
252 }
253 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
254 p->proposal_num);
255 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
256 " Protocol ID: %d",
257 p->type, proposal_len, p->protocol_id);
258 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
259 p->spi_size, p->num_transforms);
260
261 if (p->type != 0 && p->type != 2) {
262 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
263 return -1;
264 }
265
266 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
267 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
268 "(only IKE allowed for EAP-IKEv2)");
269 return -1;
270 }
271
272 if (p->proposal_num != prop->proposal_num) {
273 if (p->proposal_num == prop->proposal_num + 1)
274 prop->proposal_num = p->proposal_num;
275 else {
276 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
277 return -1;
278 }
279 }
280
281 ppos = (const u8 *) (p + 1);
282 pend = pos + proposal_len;
283 if (ppos + p->spi_size > pend) {
284 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
285 "in proposal");
286 return -1;
287 }
288 if (p->spi_size) {
289 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
290 ppos, p->spi_size);
291 ppos += p->spi_size;
292 }
293
294 /*
295 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
296 * subsequent negotiations, it must be 8 for IKE. We only support
297 * initial case for now.
298 */
299 if (p->spi_size != 0) {
300 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
301 return -1;
302 }
303
304 if (p->num_transforms == 0) {
305 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
306 return -1;
307 }
308
309 for (i = 0; i < (int) p->num_transforms; i++) {
310 int tlen = ikev2_parse_transform(prop, ppos, pend);
311 if (tlen < 0)
312 return -1;
313 ppos += tlen;
314 }
315
316 if (ppos != pend) {
317 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
318 "transforms");
319 return -1;
320 }
321
322 return proposal_len;
323}
324
325
326static int ikev2_process_sai1(struct ikev2_responder_data *data,
327 const u8 *sai1, size_t sai1_len)
328{
329 struct ikev2_proposal_data prop;
330 const u8 *pos, *end;
331 int found = 0;
332
333 /* Security Association Payloads: <Proposals> */
334
335 if (sai1 == NULL) {
336 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
337 return -1;
338 }
339
340 os_memset(&prop, 0, sizeof(prop));
341 prop.proposal_num = 1;
342
343 pos = sai1;
344 end = sai1 + sai1_len;
345
346 while (pos < end) {
347 int plen;
348
349 prop.integ = -1;
350 prop.prf = -1;
351 prop.encr = -1;
352 prop.dh = -1;
353 plen = ikev2_parse_proposal(&prop, pos, end);
354 if (plen < 0)
355 return -1;
356
357 if (!found && prop.integ != -1 && prop.prf != -1 &&
358 prop.encr != -1 && prop.dh != -1) {
359 os_memcpy(&data->proposal, &prop, sizeof(prop));
360 data->dh = dh_groups_get(prop.dh);
361 found = 1;
362 }
363
364 pos += plen;
365 }
366
367 if (pos != end) {
368 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
369 return -1;
370 }
371
372 if (!found) {
373 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
374 return -1;
375 }
376
377 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
378 "INTEG:%d D-H:%d", data->proposal.proposal_num,
379 data->proposal.encr, data->proposal.prf,
380 data->proposal.integ, data->proposal.dh);
381
382 return 0;
383}
384
385
386static int ikev2_process_kei(struct ikev2_responder_data *data,
387 const u8 *kei, size_t kei_len)
388{
389 u16 group;
390
391 /*
392 * Key Exchange Payload:
393 * DH Group # (16 bits)
394 * RESERVED (16 bits)
395 * Key Exchange Data (Diffie-Hellman public value)
396 */
397
398 if (kei == NULL) {
399 wpa_printf(MSG_INFO, "IKEV2: KEi not received");
400 return -1;
401 }
402
403 if (kei_len < 4 + 96) {
404 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
405 return -1;
406 }
407
408 group = WPA_GET_BE16(kei);
409 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
410
411 if (group != data->proposal.dh) {
412 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
413 "with the selected proposal (%u)",
414 group, data->proposal.dh);
415 /* Reject message with Notify payload of type
416 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
417 data->error_type = INVALID_KE_PAYLOAD;
418 data->state = NOTIFY;
419 return -1;
420 }
421
422 if (data->dh == NULL) {
423 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
424 return -1;
425 }
426
427 /* RFC 4306, Section 3.4:
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame^]428 * The length of DH public value MUST be equal to the length of the
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]429 * prime modulus.
430 */
431 if (kei_len - 4 != data->dh->prime_len) {
432 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
433 "%ld (expected %ld)",
434 (long) (kei_len - 4), (long) data->dh->prime_len);
435 return -1;
436 }
437
438 wpabuf_free(data->i_dh_public);
439 data->i_dh_public = wpabuf_alloc(kei_len - 4);
440 if (data->i_dh_public == NULL)
441 return -1;
442 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
443
444 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
445 data->i_dh_public);
446
447 return 0;
448}
449
450
451static int ikev2_process_ni(struct ikev2_responder_data *data,
452 const u8 *ni, size_t ni_len)
453{
454 if (ni == NULL) {
455 wpa_printf(MSG_INFO, "IKEV2: Ni not received");
456 return -1;
457 }
458
459 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
460 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
461 (long) ni_len);
462 return -1;
463 }
464
465#ifdef CCNS_PL
466 /* Zeros are removed incorrectly from the beginning of the nonces */
467 while (ni_len > 1 && *ni == 0) {
468 ni_len--;
469 ni++;
470 }
471#endif /* CCNS_PL */
472
473 data->i_nonce_len = ni_len;
474 os_memcpy(data->i_nonce, ni, ni_len);
475 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
476 data->i_nonce, data->i_nonce_len);
477
478 return 0;
479}
480
481
482static int ikev2_process_sa_init(struct ikev2_responder_data *data,
483 const struct ikev2_hdr *hdr,
484 struct ikev2_payloads *pl)
485{
486 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
487 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
488 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
489 return -1;
490
491 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
492
493 return 0;
494}
495
496
497static int ikev2_process_idi(struct ikev2_responder_data *data,
498 const u8 *idi, size_t idi_len)
499{
500 u8 id_type;
501
502 if (idi == NULL) {
503 wpa_printf(MSG_INFO, "IKEV2: No IDi received");
504 return -1;
505 }
506
507 if (idi_len < 4) {
508 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
509 return -1;
510 }
511
512 id_type = idi[0];
513 idi += 4;
514 idi_len -= 4;
515
516 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
517 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
518 os_free(data->IDi);
519 data->IDi = os_malloc(idi_len);
520 if (data->IDi == NULL)
521 return -1;
522 os_memcpy(data->IDi, idi, idi_len);
523 data->IDi_len = idi_len;
524 data->IDi_type = id_type;
525
526 return 0;
527}
528
529
530static int ikev2_process_cert(struct ikev2_responder_data *data,
531 const u8 *cert, size_t cert_len)
532{
533 u8 cert_encoding;
534
535 if (cert == NULL) {
536 if (data->peer_auth == PEER_AUTH_CERT) {
537 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
538 return -1;
539 }
540 return 0;
541 }
542
543 if (cert_len < 1) {
544 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
545 return -1;
546 }
547
548 cert_encoding = cert[0];
549 cert++;
550 cert_len--;
551
552 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
553 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
554
555 /* TODO: validate certificate */
556
557 return 0;
558}
559
560
561static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
562 u8 method, const u8 *auth, size_t auth_len)
563{
564 if (method != AUTH_RSA_SIGN) {
565 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
566 "method %d", method);
567 return -1;
568 }
569
570 /* TODO: validate AUTH */
571 return 0;
572}
573
574
575static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
576 u8 method, const u8 *auth,
577 size_t auth_len)
578{
579 u8 auth_data[IKEV2_MAX_HASH_LEN];
580 const struct ikev2_prf_alg *prf;
581
582 if (method != AUTH_SHARED_KEY_MIC) {
583 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
584 "method %d", method);
585 return -1;
586 }
587
588 /* msg | Nr | prf(SK_pi,IDi') */
589 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
590 data->IDi, data->IDi_len, data->IDi_type,
591 &data->keys, 1, data->shared_secret,
592 data->shared_secret_len,
593 data->r_nonce, data->r_nonce_len,
594 data->key_pad, data->key_pad_len,
595 auth_data) < 0) {
596 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
597 return -1;
598 }
599
600 wpabuf_free(data->i_sign_msg);
601 data->i_sign_msg = NULL;
602
603 prf = ikev2_get_prf(data->proposal.prf);
604 if (prf == NULL)
605 return -1;
606
607 if (auth_len != prf->hash_len ||
608 os_memcmp(auth, auth_data, auth_len) != 0) {
609 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
610 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
611 auth, auth_len);
612 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
613 auth_data, prf->hash_len);
614 data->error_type = AUTHENTICATION_FAILED;
615 data->state = NOTIFY;
616 return -1;
617 }
618
619 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
620 "using shared keys");
621
622 return 0;
623}
624
625
626static int ikev2_process_auth(struct ikev2_responder_data *data,
627 const u8 *auth, size_t auth_len)
628{
629 u8 auth_method;
630
631 if (auth == NULL) {
632 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
633 return -1;
634 }
635
636 if (auth_len < 4) {
637 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
638 "Payload");
639 return -1;
640 }
641
642 auth_method = auth[0];
643 auth += 4;
644 auth_len -= 4;
645
646 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
647 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
648
649 switch (data->peer_auth) {
650 case PEER_AUTH_CERT:
651 return ikev2_process_auth_cert(data, auth_method, auth,
652 auth_len);
653 case PEER_AUTH_SECRET:
654 return ikev2_process_auth_secret(data, auth_method, auth,
655 auth_len);
656 }
657
658 return -1;
659}
660
661
662static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
663 u8 next_payload,
664 u8 *payload, size_t payload_len)
665{
666 struct ikev2_payloads pl;
667
668 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
669
670 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
671 payload_len) < 0) {
672 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
673 "payloads");
674 return -1;
675 }
676
677 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
678 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
679 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
680 return -1;
681
682 return 0;
683}
684
685
686static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
687 const struct ikev2_hdr *hdr,
688 struct ikev2_payloads *pl)
689{
690 u8 *decrypted;
691 size_t decrypted_len;
692 int ret;
693
694 decrypted = ikev2_decrypt_payload(data->proposal.encr,
695 data->proposal.integ,
696 &data->keys, 1, hdr, pl->encrypted,
697 pl->encrypted_len, &decrypted_len);
698 if (decrypted == NULL)
699 return -1;
700
701 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
702 decrypted, decrypted_len);
703 os_free(decrypted);
704
705 return ret;
706}
707
708
709static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
710 u8 exchange_type, u32 message_id)
711{
712 switch (data->state) {
713 case SA_INIT:
714 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
715 if (exchange_type != IKE_SA_INIT) {
716 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
717 "%u in SA_INIT state", exchange_type);
718 return -1;
719 }
720 if (message_id != 0) {
721 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
722 "in SA_INIT state", message_id);
723 return -1;
724 }
725 break;
726 case SA_AUTH:
727 /* Expect to receive IKE_SA_AUTH:
728 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
729 * AUTH, SAi2, TSi, TSr}
730 */
731 if (exchange_type != IKE_SA_AUTH) {
732 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
733 "%u in SA_AUTH state", exchange_type);
734 return -1;
735 }
736 if (message_id != 1) {
737 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
738 "in SA_AUTH state", message_id);
739 return -1;
740 }
741 break;
742 case CHILD_SA:
743 if (exchange_type != CREATE_CHILD_SA) {
744 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
745 "%u in CHILD_SA state", exchange_type);
746 return -1;
747 }
748 if (message_id != 2) {
749 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
750 "in CHILD_SA state", message_id);
751 return -1;
752 }
753 break;
754 case NOTIFY:
755 case IKEV2_DONE:
756 case IKEV2_FAILED:
757 return -1;
758 }
759
760 return 0;
761}
762
763
764int ikev2_responder_process(struct ikev2_responder_data *data,
765 const struct wpabuf *buf)
766{
767 const struct ikev2_hdr *hdr;
768 u32 length, message_id;
769 const u8 *pos, *end;
770 struct ikev2_payloads pl;
771
772 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
773 (unsigned long) wpabuf_len(buf));
774
775 if (wpabuf_len(buf) < sizeof(*hdr)) {
776 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
777 return -1;
778 }
779
780 data->error_type = 0;
781 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
782 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
783 message_id = WPA_GET_BE32(hdr->message_id);
784 length = WPA_GET_BE32(hdr->length);
785
786 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
787 hdr->i_spi, IKEV2_SPI_LEN);
788 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
789 hdr->r_spi, IKEV2_SPI_LEN);
790 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
791 "Exchange Type: %u",
792 hdr->next_payload, hdr->version, hdr->exchange_type);
793 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
794 message_id, length);
795
796 if (hdr->version != IKEV2_VERSION) {
797 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
798 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
799 return -1;
800 }
801
802 if (length != wpabuf_len(buf)) {
803 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
804 "RX: %lu)", (unsigned long) length,
805 (unsigned long) wpabuf_len(buf));
806 return -1;
807 }
808
809 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
810 return -1;
811
812 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
813 IKEV2_HDR_INITIATOR) {
814 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
815 hdr->flags);
816 return -1;
817 }
818
819 if (data->state != SA_INIT) {
820 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
821 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
822 "Initiator's SPI");
823 return -1;
824 }
825 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
826 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
827 "Responder's SPI");
828 return -1;
829 }
830 }
831
832 pos = (const u8 *) (hdr + 1);
833 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
834 return -1;
835
836 if (data->state == SA_INIT) {
837 data->last_msg = LAST_MSG_SA_INIT;
838 if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
839 if (data->state == NOTIFY)
840 return 0;
841 return -1;
842 }
843 wpabuf_free(data->i_sign_msg);
844 data->i_sign_msg = wpabuf_dup(buf);
845 }
846
847 if (data->state == SA_AUTH) {
848 data->last_msg = LAST_MSG_SA_AUTH;
849 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
850 if (data->state == NOTIFY)
851 return 0;
852 return -1;
853 }
854 }
855
856 return 0;
857}
858
859
860static void ikev2_build_hdr(struct ikev2_responder_data *data,
861 struct wpabuf *msg, u8 exchange_type,
862 u8 next_payload, u32 message_id)
863{
864 struct ikev2_hdr *hdr;
865
866 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
867
868 /* HDR - RFC 4306, Sect. 3.1 */
869 hdr = wpabuf_put(msg, sizeof(*hdr));
870 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
871 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
872 hdr->next_payload = next_payload;
873 hdr->version = IKEV2_VERSION;
874 hdr->exchange_type = exchange_type;
875 hdr->flags = IKEV2_HDR_RESPONSE;
876 WPA_PUT_BE32(hdr->message_id, message_id);
877}
878
879
880static int ikev2_build_sar1(struct ikev2_responder_data *data,
881 struct wpabuf *msg, u8 next_payload)
882{
883 struct ikev2_payload_hdr *phdr;
884 size_t plen;
885 struct ikev2_proposal *p;
886 struct ikev2_transform *t;
887
888 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
889
890 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
891 phdr = wpabuf_put(msg, sizeof(*phdr));
892 phdr->next_payload = next_payload;
893 phdr->flags = 0;
894
895 p = wpabuf_put(msg, sizeof(*p));
896#ifdef CCNS_PL
897 /* Seems to require that the Proposal # is 1 even though RFC 4306
898 * Sect 3.3.1 has following requirement "When a proposal is accepted,
899 * all of the proposal numbers in the SA payload MUST be the same and
900 * MUST match the number on the proposal sent that was accepted.".
901 */
902 p->proposal_num = 1;
903#else /* CCNS_PL */
904 p->proposal_num = data->proposal.proposal_num;
905#endif /* CCNS_PL */
906 p->protocol_id = IKEV2_PROTOCOL_IKE;
907 p->num_transforms = 4;
908
909 t = wpabuf_put(msg, sizeof(*t));
910 t->type = 3;
911 t->transform_type = IKEV2_TRANSFORM_ENCR;
912 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
913 if (data->proposal.encr == ENCR_AES_CBC) {
914 /* Transform Attribute: Key Len = 128 bits */
915#ifdef CCNS_PL
916 wpabuf_put_be16(msg, 0x001d); /* ?? */
917#else /* CCNS_PL */
918 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
919#endif /* CCNS_PL */
920 wpabuf_put_be16(msg, 128); /* 128-bit key */
921 }
922 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
923 WPA_PUT_BE16(t->transform_length, plen);
924
925 t = wpabuf_put(msg, sizeof(*t));
926 t->type = 3;
927 WPA_PUT_BE16(t->transform_length, sizeof(*t));
928 t->transform_type = IKEV2_TRANSFORM_PRF;
929 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
930
931 t = wpabuf_put(msg, sizeof(*t));
932 t->type = 3;
933 WPA_PUT_BE16(t->transform_length, sizeof(*t));
934 t->transform_type = IKEV2_TRANSFORM_INTEG;
935 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
936
937 t = wpabuf_put(msg, sizeof(*t));
938 WPA_PUT_BE16(t->transform_length, sizeof(*t));
939 t->transform_type = IKEV2_TRANSFORM_DH;
940 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
941
942 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
943 WPA_PUT_BE16(p->proposal_length, plen);
944
945 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
946 WPA_PUT_BE16(phdr->payload_length, plen);
947
948 return 0;
949}
950
951
952static int ikev2_build_ker(struct ikev2_responder_data *data,
953 struct wpabuf *msg, u8 next_payload)
954{
955 struct ikev2_payload_hdr *phdr;
956 size_t plen;
957 struct wpabuf *pv;
958
959 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
960
961 pv = dh_init(data->dh, &data->r_dh_private);
962 if (pv == NULL) {
963 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
964 return -1;
965 }
966
967 /* KEr - RFC 4306, Sect. 3.4 */
968 phdr = wpabuf_put(msg, sizeof(*phdr));
969 phdr->next_payload = next_payload;
970 phdr->flags = 0;
971
972 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
973 wpabuf_put(msg, 2); /* RESERVED */
974 /*
975 * RFC 4306, Sect. 3.4: possible zero padding for public value to
976 * match the length of the prime.
977 */
978 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
979 wpabuf_put_buf(msg, pv);
980 wpabuf_free(pv);
981
982 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
983 WPA_PUT_BE16(phdr->payload_length, plen);
984 return 0;
985}
986
987
988static int ikev2_build_nr(struct ikev2_responder_data *data,
989 struct wpabuf *msg, u8 next_payload)
990{
991 struct ikev2_payload_hdr *phdr;
992 size_t plen;
993
994 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
995
996 /* Nr - RFC 4306, Sect. 3.9 */
997 phdr = wpabuf_put(msg, sizeof(*phdr));
998 phdr->next_payload = next_payload;
999 phdr->flags = 0;
1000 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
1001 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1002 WPA_PUT_BE16(phdr->payload_length, plen);
1003 return 0;
1004}
1005
1006
1007static int ikev2_build_idr(struct ikev2_responder_data *data,
1008 struct wpabuf *msg, u8 next_payload)
1009{
1010 struct ikev2_payload_hdr *phdr;
1011 size_t plen;
1012
1013 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
1014
1015 if (data->IDr == NULL) {
1016 wpa_printf(MSG_INFO, "IKEV2: No IDr available");
1017 return -1;
1018 }
1019
1020 /* IDr - RFC 4306, Sect. 3.5 */
1021 phdr = wpabuf_put(msg, sizeof(*phdr));
1022 phdr->next_payload = next_payload;
1023 phdr->flags = 0;
1024 wpabuf_put_u8(msg, ID_KEY_ID);
1025 wpabuf_put(msg, 3); /* RESERVED */
1026 wpabuf_put_data(msg, data->IDr, data->IDr_len);
1027 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1028 WPA_PUT_BE16(phdr->payload_length, plen);
1029 return 0;
1030}
1031
1032
1033static int ikev2_build_auth(struct ikev2_responder_data *data,
1034 struct wpabuf *msg, u8 next_payload)
1035{
1036 struct ikev2_payload_hdr *phdr;
1037 size_t plen;
1038 const struct ikev2_prf_alg *prf;
1039
1040 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1041
1042 prf = ikev2_get_prf(data->proposal.prf);
1043 if (prf == NULL)
1044 return -1;
1045
1046 /* Authentication - RFC 4306, Sect. 3.8 */
1047 phdr = wpabuf_put(msg, sizeof(*phdr));
1048 phdr->next_payload = next_payload;
1049 phdr->flags = 0;
1050 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1051 wpabuf_put(msg, 3); /* RESERVED */
1052
1053 /* msg | Ni | prf(SK_pr,IDr') */
1054 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1055 data->IDr, data->IDr_len, ID_KEY_ID,
1056 &data->keys, 0, data->shared_secret,
1057 data->shared_secret_len,
1058 data->i_nonce, data->i_nonce_len,
1059 data->key_pad, data->key_pad_len,
1060 wpabuf_put(msg, prf->hash_len)) < 0) {
1061 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1062 return -1;
1063 }
1064 wpabuf_free(data->r_sign_msg);
1065 data->r_sign_msg = NULL;
1066
1067 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1068 WPA_PUT_BE16(phdr->payload_length, plen);
1069 return 0;
1070}
1071
1072
1073static int ikev2_build_notification(struct ikev2_responder_data *data,
1074 struct wpabuf *msg, u8 next_payload)
1075{
1076 struct ikev2_payload_hdr *phdr;
1077 size_t plen;
1078
1079 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1080
1081 if (data->error_type == 0) {
1082 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1083 "available");
1084 return -1;
1085 }
1086
1087 /* Notify - RFC 4306, Sect. 3.10 */
1088 phdr = wpabuf_put(msg, sizeof(*phdr));
1089 phdr->next_payload = next_payload;
1090 phdr->flags = 0;
1091#ifdef CCNS_PL
1092 wpabuf_put_u8(msg, 1); /* Protocol ID: IKE_SA notification */
1093#else /* CCNS_PL */
1094 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1095#endif /* CCNS_PL */
1096 wpabuf_put_u8(msg, 0); /* SPI Size */
1097 wpabuf_put_be16(msg, data->error_type);
1098
1099 switch (data->error_type) {
1100 case INVALID_KE_PAYLOAD:
1101 if (data->proposal.dh == -1) {
1102 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1103 "INVALID_KE_PAYLOAD notifications");
1104 return -1;
1105 }
1106 wpabuf_put_be16(msg, data->proposal.dh);
1107 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1108 "DH Group #%d", data->proposal.dh);
1109 break;
1110 case AUTHENTICATION_FAILED:
1111 /* no associated data */
1112 break;
1113 default:
1114 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1115 "%d", data->error_type);
1116 return -1;
1117 }
1118
1119 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1120 WPA_PUT_BE16(phdr->payload_length, plen);
1121 return 0;
1122}
1123
1124
1125static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1126{
1127 struct wpabuf *msg;
1128
1129 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1130
1131 if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1132 return NULL;
1133 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1134 data->r_spi, IKEV2_SPI_LEN);
1135
1136 data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1137 if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1138 return NULL;
1139#ifdef CCNS_PL
1140 /* Zeros are removed incorrectly from the beginning of the nonces in
1141 * key derivation; as a workaround, make sure Nr does not start with
1142 * zero.. */
1143 if (data->r_nonce[0] == 0)
1144 data->r_nonce[0] = 1;
1145#endif /* CCNS_PL */
1146 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1147
1148 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1149 if (msg == NULL)
1150 return NULL;
1151
1152 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1153 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1154 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1155 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1156 IKEV2_PAYLOAD_ENCRYPTED :
1157 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1158 wpabuf_free(msg);
1159 return NULL;
1160 }
1161
1162 if (ikev2_derive_keys(data)) {
1163 wpabuf_free(msg);
1164 return NULL;
1165 }
1166
1167 if (data->peer_auth == PEER_AUTH_CERT) {
1168 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1169 * for trust agents */
1170 }
1171
1172 if (data->peer_auth == PEER_AUTH_SECRET) {
1173 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1174 if (plain == NULL) {
1175 wpabuf_free(msg);
1176 return NULL;
1177 }
1178 if (ikev2_build_idr(data, plain,
1179 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1180 ikev2_build_encrypted(data->proposal.encr,
1181 data->proposal.integ,
1182 &data->keys, 0, msg, plain,
1183 IKEV2_PAYLOAD_IDr)) {
1184 wpabuf_free(plain);
1185 wpabuf_free(msg);
1186 return NULL;
1187 }
1188 wpabuf_free(plain);
1189 }
1190
1191 ikev2_update_hdr(msg);
1192
1193 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1194
1195 data->state = SA_AUTH;
1196
1197 wpabuf_free(data->r_sign_msg);
1198 data->r_sign_msg = wpabuf_dup(msg);
1199
1200 return msg;
1201}
1202
1203
1204static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1205{
1206 struct wpabuf *msg, *plain;
1207
1208 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1209
1210 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1211 if (msg == NULL)
1212 return NULL;
1213 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1214
1215 plain = wpabuf_alloc(data->IDr_len + 1000);
1216 if (plain == NULL) {
1217 wpabuf_free(msg);
1218 return NULL;
1219 }
1220
1221 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1222 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1223 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1224 &data->keys, 0, msg, plain,
1225 IKEV2_PAYLOAD_IDr)) {
1226 wpabuf_free(plain);
1227 wpabuf_free(msg);
1228 return NULL;
1229 }
1230 wpabuf_free(plain);
1231
1232 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1233
1234 data->state = IKEV2_DONE;
1235
1236 return msg;
1237}
1238
1239
1240static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1241{
1242 struct wpabuf *msg;
1243
1244 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1245 if (msg == NULL)
1246 return NULL;
1247 if (data->last_msg == LAST_MSG_SA_AUTH) {
1248 /* HDR, SK{N} */
1249 struct wpabuf *plain = wpabuf_alloc(100);
1250 if (plain == NULL) {
1251 wpabuf_free(msg);
1252 return NULL;
1253 }
1254 ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1255 IKEV2_PAYLOAD_ENCRYPTED, 1);
1256 if (ikev2_build_notification(data, plain,
1257 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1258 ikev2_build_encrypted(data->proposal.encr,
1259 data->proposal.integ,
1260 &data->keys, 0, msg, plain,
1261 IKEV2_PAYLOAD_NOTIFICATION)) {
1262 wpabuf_free(plain);
1263 wpabuf_free(msg);
1264 return NULL;
1265 }
1266 data->state = IKEV2_FAILED;
1267 } else {
1268 /* HDR, N */
1269 ikev2_build_hdr(data, msg, IKE_SA_INIT,
1270 IKEV2_PAYLOAD_NOTIFICATION, 0);
1271 if (ikev2_build_notification(data, msg,
1272 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1273 wpabuf_free(msg);
1274 return NULL;
1275 }
1276 data->state = SA_INIT;
1277 }
1278
1279 ikev2_update_hdr(msg);
1280
1281 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1282 msg);
1283
1284 return msg;
1285}
1286
1287
1288struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1289{
1290 switch (data->state) {
1291 case SA_INIT:
1292 return ikev2_build_sa_init(data);
1293 case SA_AUTH:
1294 return ikev2_build_sa_auth(data);
1295 case CHILD_SA:
1296 return NULL;
1297 case NOTIFY:
1298 return ikev2_build_notify(data);
1299 case IKEV2_DONE:
1300 case IKEV2_FAILED:
1301 return NULL;
1302 }
1303 return NULL;
1304}