Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 8d520ff1dc2da35cdca849e982051b86468016d8 / . / src / eap_server / ikev2.c
blob: 9624d53af36cdd68de4e961742529f81047cc515 [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame^]1/*
2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15#include "includes.h"
16
17#include "common.h"
18#include "crypto/dh_groups.h"
19#include "crypto/random.h"
20#include "ikev2.h"
21
22
23static int ikev2_process_idr(struct ikev2_initiator_data *data,
24 const u8 *idr, size_t idr_len);
25
26
27void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
28{
29 ikev2_free_keys(&data->keys);
30 wpabuf_free(data->r_dh_public);
31 wpabuf_free(data->i_dh_private);
32 os_free(data->IDi);
33 os_free(data->IDr);
34 os_free(data->shared_secret);
35 wpabuf_free(data->i_sign_msg);
36 wpabuf_free(data->r_sign_msg);
37 os_free(data->key_pad);
38}
39
40
41static int ikev2_derive_keys(struct ikev2_initiator_data *data)
42{
43 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
44 size_t buf_len, pad_len;
45 struct wpabuf *shared;
46 const struct ikev2_integ_alg *integ;
47 const struct ikev2_prf_alg *prf;
48 const struct ikev2_encr_alg *encr;
49 int ret;
50 const u8 *addr[2];
51 size_t len[2];
52
53 /* RFC 4306, Sect. 2.14 */
54
55 integ = ikev2_get_integ(data->proposal.integ);
56 prf = ikev2_get_prf(data->proposal.prf);
57 encr = ikev2_get_encr(data->proposal.encr);
58 if (integ == NULL || prf == NULL || encr == NULL) {
59 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
60 return -1;
61 }
62
63 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
64 data->dh);
65 if (shared == NULL)
66 return -1;
67
68 /* Construct Ni | Nr | SPIi | SPIr */
69
70 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
71 buf = os_malloc(buf_len);
72 if (buf == NULL) {
73 wpabuf_free(shared);
74 return -1;
75 }
76
77 pos = buf;
78 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
79 pos += data->i_nonce_len;
80 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
81 pos += data->r_nonce_len;
82 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
83 pos += IKEV2_SPI_LEN;
84 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
85
86 /* SKEYSEED = prf(Ni | Nr, g^ir) */
87
88 /* Use zero-padding per RFC 4306, Sect. 2.14 */
89 pad_len = data->dh->prime_len - wpabuf_len(shared);
90 pad = os_zalloc(pad_len ? pad_len : 1);
91 if (pad == NULL) {
92 wpabuf_free(shared);
93 os_free(buf);
94 return -1;
95 }
96 addr[0] = pad;
97 len[0] = pad_len;
98 addr[1] = wpabuf_head(shared);
99 len[1] = wpabuf_len(shared);
100 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
101 2, addr, len, skeyseed) < 0) {
102 wpabuf_free(shared);
103 os_free(buf);
104 os_free(pad);
105 return -1;
106 }
107 os_free(pad);
108 wpabuf_free(shared);
109
110 /* DH parameters are not needed anymore, so free them */
111 wpabuf_free(data->r_dh_public);
112 data->r_dh_public = NULL;
113 wpabuf_free(data->i_dh_private);
114 data->i_dh_private = NULL;
115
116 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
117 skeyseed, prf->hash_len);
118
119 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
120 &data->keys);
121 os_free(buf);
122 return ret;
123}
124
125
126static int ikev2_parse_transform(struct ikev2_initiator_data *data,
127 struct ikev2_proposal_data *prop,
128 const u8 *pos, const u8 *end)
129{
130 int transform_len;
131 const struct ikev2_transform *t;
132 u16 transform_id;
133 const u8 *tend;
134
135 if (end - pos < (int) sizeof(*t)) {
136 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
137 return -1;
138 }
139
140 t = (const struct ikev2_transform *) pos;
141 transform_len = WPA_GET_BE16(t->transform_length);
142 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
143 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
144 transform_len);
145 return -1;
146 }
147 tend = pos + transform_len;
148
149 transform_id = WPA_GET_BE16(t->transform_id);
150
151 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
152 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
153 "Transform Type: %d Transform ID: %d",
154 t->type, transform_len, t->transform_type, transform_id);
155
156 if (t->type != 0 && t->type != 3) {
157 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
158 return -1;
159 }
160
161 pos = (const u8 *) (t + 1);
162 if (pos < tend) {
163 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
164 pos, tend - pos);
165 }
166
167 switch (t->transform_type) {
168 case IKEV2_TRANSFORM_ENCR:
169 if (ikev2_get_encr(transform_id) &&
170 transform_id == data->proposal.encr) {
171 if (transform_id == ENCR_AES_CBC) {
172 if (tend - pos != 4) {
173 wpa_printf(MSG_DEBUG, "IKEV2: No "
174 "Transform Attr for AES");
175 break;
176 }
177 if (WPA_GET_BE16(pos) != 0x800e) {
178 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
179 "Key Size attribute for "
180 "AES");
181 break;
182 }
183 if (WPA_GET_BE16(pos + 2) != 128) {
184 wpa_printf(MSG_DEBUG, "IKEV2: "
185 "Unsupported AES key size "
186 "%d bits",
187 WPA_GET_BE16(pos + 2));
188 break;
189 }
190 }
191 prop->encr = transform_id;
192 }
193 break;
194 case IKEV2_TRANSFORM_PRF:
195 if (ikev2_get_prf(transform_id) &&
196 transform_id == data->proposal.prf)
197 prop->prf = transform_id;
198 break;
199 case IKEV2_TRANSFORM_INTEG:
200 if (ikev2_get_integ(transform_id) &&
201 transform_id == data->proposal.integ)
202 prop->integ = transform_id;
203 break;
204 case IKEV2_TRANSFORM_DH:
205 if (dh_groups_get(transform_id) &&
206 transform_id == data->proposal.dh)
207 prop->dh = transform_id;
208 break;
209 }
210
211 return transform_len;
212}
213
214
215static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
216 struct ikev2_proposal_data *prop,
217 const u8 *pos, const u8 *end)
218{
219 const u8 *pend, *ppos;
220 int proposal_len, i;
221 const struct ikev2_proposal *p;
222
223 if (end - pos < (int) sizeof(*p)) {
224 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
225 return -1;
226 }
227
228 p = (const struct ikev2_proposal *) pos;
229 proposal_len = WPA_GET_BE16(p->proposal_length);
230 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
231 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
232 proposal_len);
233 return -1;
234 }
235 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
236 p->proposal_num);
237 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
238 " Protocol ID: %d",
239 p->type, proposal_len, p->protocol_id);
240 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
241 p->spi_size, p->num_transforms);
242
243 if (p->type != 0 && p->type != 2) {
244 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
245 return -1;
246 }
247
248 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
249 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
250 "(only IKE allowed for EAP-IKEv2)");
251 return -1;
252 }
253
254 if (p->proposal_num != prop->proposal_num) {
255 if (p->proposal_num == prop->proposal_num + 1)
256 prop->proposal_num = p->proposal_num;
257 else {
258 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
259 return -1;
260 }
261 }
262
263 ppos = (const u8 *) (p + 1);
264 pend = pos + proposal_len;
265 if (ppos + p->spi_size > pend) {
266 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
267 "in proposal");
268 return -1;
269 }
270 if (p->spi_size) {
271 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
272 ppos, p->spi_size);
273 ppos += p->spi_size;
274 }
275
276 /*
277 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
278 * subsequent negotiations, it must be 8 for IKE. We only support
279 * initial case for now.
280 */
281 if (p->spi_size != 0) {
282 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
283 return -1;
284 }
285
286 if (p->num_transforms == 0) {
287 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
288 return -1;
289 }
290
291 for (i = 0; i < (int) p->num_transforms; i++) {
292 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
293 if (tlen < 0)
294 return -1;
295 ppos += tlen;
296 }
297
298 if (ppos != pend) {
299 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
300 "transforms");
301 return -1;
302 }
303
304 return proposal_len;
305}
306
307
308static int ikev2_process_sar1(struct ikev2_initiator_data *data,
309 const u8 *sar1, size_t sar1_len)
310{
311 struct ikev2_proposal_data prop;
312 const u8 *pos, *end;
313 int found = 0;
314
315 /* Security Association Payloads: <Proposals> */
316
317 if (sar1 == NULL) {
318 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
319 return -1;
320 }
321
322 os_memset(&prop, 0, sizeof(prop));
323 prop.proposal_num = 1;
324
325 pos = sar1;
326 end = sar1 + sar1_len;
327
328 while (pos < end) {
329 int plen;
330
331 prop.integ = -1;
332 prop.prf = -1;
333 prop.encr = -1;
334 prop.dh = -1;
335 plen = ikev2_parse_proposal(data, &prop, pos, end);
336 if (plen < 0)
337 return -1;
338
339 if (!found && prop.integ != -1 && prop.prf != -1 &&
340 prop.encr != -1 && prop.dh != -1) {
341 found = 1;
342 }
343
344 pos += plen;
345
346 /* Only one proposal expected in SAr */
347 break;
348 }
349
350 if (pos != end) {
351 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
352 return -1;
353 }
354
355 if (!found) {
356 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
357 return -1;
358 }
359
360 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
361 "INTEG:%d D-H:%d", data->proposal.proposal_num,
362 data->proposal.encr, data->proposal.prf,
363 data->proposal.integ, data->proposal.dh);
364
365 return 0;
366}
367
368
369static int ikev2_process_ker(struct ikev2_initiator_data *data,
370 const u8 *ker, size_t ker_len)
371{
372 u16 group;
373
374 /*
375 * Key Exchange Payload:
376 * DH Group # (16 bits)
377 * RESERVED (16 bits)
378 * Key Exchange Data (Diffie-Hellman public value)
379 */
380
381 if (ker == NULL) {
382 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
383 return -1;
384 }
385
386 if (ker_len < 4 + 96) {
387 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
388 return -1;
389 }
390
391 group = WPA_GET_BE16(ker);
392 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
393
394 if (group != data->proposal.dh) {
395 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
396 "with the selected proposal (%u)",
397 group, data->proposal.dh);
398 return -1;
399 }
400
401 if (data->dh == NULL) {
402 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
403 return -1;
404 }
405
406 /* RFC 4306, Section 3.4:
407 * The length of DH public value MUST be equal to the lenght of the
408 * prime modulus.
409 */
410 if (ker_len - 4 != data->dh->prime_len) {
411 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
412 "%ld (expected %ld)",
413 (long) (ker_len - 4), (long) data->dh->prime_len);
414 return -1;
415 }
416
417 wpabuf_free(data->r_dh_public);
418 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
419 if (data->r_dh_public == NULL)
420 return -1;
421
422 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
423 data->r_dh_public);
424
425 return 0;
426}
427
428
429static int ikev2_process_nr(struct ikev2_initiator_data *data,
430 const u8 *nr, size_t nr_len)
431{
432 if (nr == NULL) {
433 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
434 return -1;
435 }
436
437 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
438 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
439 (long) nr_len);
440 return -1;
441 }
442
443 data->r_nonce_len = nr_len;
444 os_memcpy(data->r_nonce, nr, nr_len);
445 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
446 data->r_nonce, data->r_nonce_len);
447
448 return 0;
449}
450
451
452static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
453 const struct ikev2_hdr *hdr,
454 const u8 *encrypted,
455 size_t encrypted_len, u8 next_payload)
456{
457 u8 *decrypted;
458 size_t decrypted_len;
459 struct ikev2_payloads pl;
460 int ret = 0;
461
462 decrypted = ikev2_decrypt_payload(data->proposal.encr,
463 data->proposal.integ, &data->keys, 0,
464 hdr, encrypted, encrypted_len,
465 &decrypted_len);
466 if (decrypted == NULL)
467 return -1;
468
469 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
470
471 if (ikev2_parse_payloads(&pl, next_payload, decrypted,
472 decrypted + decrypted_len) < 0) {
473 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
474 "payloads");
475 return -1;
476 }
477
478 if (pl.idr)
479 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
480
481 os_free(decrypted);
482
483 return ret;
484}
485
486
487static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
488 const struct ikev2_hdr *hdr,
489 struct ikev2_payloads *pl)
490{
491 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
492 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
493 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
494 return -1;
495
496 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
497
498 if (ikev2_derive_keys(data) < 0)
499 return -1;
500
501 if (pl->encrypted) {
502 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
503 "try to get IDr from it");
504 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
505 pl->encrypted_len,
506 pl->encr_next_payload) < 0) {
507 wpa_printf(MSG_INFO, "IKEV2: Failed to process "
508 "encrypted payload");
509 return -1;
510 }
511 }
512
513 data->state = SA_AUTH;
514
515 return 0;
516}
517
518
519static int ikev2_process_idr(struct ikev2_initiator_data *data,
520 const u8 *idr, size_t idr_len)
521{
522 u8 id_type;
523
524 if (idr == NULL) {
525 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
526 return -1;
527 }
528
529 if (idr_len < 4) {
530 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
531 return -1;
532 }
533
534 id_type = idr[0];
535 idr += 4;
536 idr_len -= 4;
537
538 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
539 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
540 if (data->IDr) {
541 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
542 os_memcmp(idr, data->IDr, idr_len) != 0) {
543 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
544 "received earlier");
545 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
546 id_type);
547 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
548 data->IDr, data->IDr_len);
549 return -1;
550 }
551 os_free(data->IDr);
552 }
553 data->IDr = os_malloc(idr_len);
554 if (data->IDr == NULL)
555 return -1;
556 os_memcpy(data->IDr, idr, idr_len);
557 data->IDr_len = idr_len;
558 data->IDr_type = id_type;
559
560 return 0;
561}
562
563
564static int ikev2_process_cert(struct ikev2_initiator_data *data,
565 const u8 *cert, size_t cert_len)
566{
567 u8 cert_encoding;
568
569 if (cert == NULL) {
570 if (data->peer_auth == PEER_AUTH_CERT) {
571 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
572 return -1;
573 }
574 return 0;
575 }
576
577 if (cert_len < 1) {
578 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
579 return -1;
580 }
581
582 cert_encoding = cert[0];
583 cert++;
584 cert_len--;
585
586 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
587 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
588
589 /* TODO: validate certificate */
590
591 return 0;
592}
593
594
595static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
596 u8 method, const u8 *auth, size_t auth_len)
597{
598 if (method != AUTH_RSA_SIGN) {
599 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
600 "method %d", method);
601 return -1;
602 }
603
604 /* TODO: validate AUTH */
605 return 0;
606}
607
608
609static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
610 u8 method, const u8 *auth,
611 size_t auth_len)
612{
613 u8 auth_data[IKEV2_MAX_HASH_LEN];
614 const struct ikev2_prf_alg *prf;
615
616 if (method != AUTH_SHARED_KEY_MIC) {
617 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
618 "method %d", method);
619 return -1;
620 }
621
622 /* msg | Ni | prf(SK_pr,IDr') */
623 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
624 data->IDr, data->IDr_len, data->IDr_type,
625 &data->keys, 0, data->shared_secret,
626 data->shared_secret_len,
627 data->i_nonce, data->i_nonce_len,
628 data->key_pad, data->key_pad_len,
629 auth_data) < 0) {
630 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
631 return -1;
632 }
633
634 wpabuf_free(data->r_sign_msg);
635 data->r_sign_msg = NULL;
636
637 prf = ikev2_get_prf(data->proposal.prf);
638 if (prf == NULL)
639 return -1;
640
641 if (auth_len != prf->hash_len ||
642 os_memcmp(auth, auth_data, auth_len) != 0) {
643 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
644 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
645 auth, auth_len);
646 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
647 auth_data, prf->hash_len);
648 return -1;
649 }
650
651 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
652 "using shared keys");
653
654 return 0;
655}
656
657
658static int ikev2_process_auth(struct ikev2_initiator_data *data,
659 const u8 *auth, size_t auth_len)
660{
661 u8 auth_method;
662
663 if (auth == NULL) {
664 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
665 return -1;
666 }
667
668 if (auth_len < 4) {
669 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
670 "Payload");
671 return -1;
672 }
673
674 auth_method = auth[0];
675 auth += 4;
676 auth_len -= 4;
677
678 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
679 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
680
681 switch (data->peer_auth) {
682 case PEER_AUTH_CERT:
683 return ikev2_process_auth_cert(data, auth_method, auth,
684 auth_len);
685 case PEER_AUTH_SECRET:
686 return ikev2_process_auth_secret(data, auth_method, auth,
687 auth_len);
688 }
689
690 return -1;
691}
692
693
694static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
695 u8 next_payload,
696 u8 *payload, size_t payload_len)
697{
698 struct ikev2_payloads pl;
699
700 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
701
702 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
703 payload_len) < 0) {
704 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
705 "payloads");
706 return -1;
707 }
708
709 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
710 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
711 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
712 return -1;
713
714 return 0;
715}
716
717
718static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
719 const struct ikev2_hdr *hdr,
720 struct ikev2_payloads *pl)
721{
722 u8 *decrypted;
723 size_t decrypted_len;
724 int ret;
725
726 decrypted = ikev2_decrypt_payload(data->proposal.encr,
727 data->proposal.integ,
728 &data->keys, 0, hdr, pl->encrypted,
729 pl->encrypted_len, &decrypted_len);
730 if (decrypted == NULL)
731 return -1;
732
733 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
734 decrypted, decrypted_len);
735 os_free(decrypted);
736
737 if (ret == 0 && !data->unknown_user) {
738 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
739 data->state = IKEV2_DONE;
740 }
741
742 return ret;
743}
744
745
746static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
747 u8 exchange_type, u32 message_id)
748{
749 switch (data->state) {
750 case SA_INIT:
751 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
752 * [SK{IDr}] */
753 if (exchange_type != IKE_SA_INIT) {
754 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
755 "%u in SA_INIT state", exchange_type);
756 return -1;
757 }
758 if (message_id != 0) {
759 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
760 "in SA_INIT state", message_id);
761 return -1;
762 }
763 break;
764 case SA_AUTH:
765 /* Expect to receive IKE_SA_AUTH:
766 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
767 */
768 if (exchange_type != IKE_SA_AUTH) {
769 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
770 "%u in SA_AUTH state", exchange_type);
771 return -1;
772 }
773 if (message_id != 1) {
774 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
775 "in SA_AUTH state", message_id);
776 return -1;
777 }
778 break;
779 case CHILD_SA:
780 if (exchange_type != CREATE_CHILD_SA) {
781 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
782 "%u in CHILD_SA state", exchange_type);
783 return -1;
784 }
785 if (message_id != 2) {
786 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
787 "in CHILD_SA state", message_id);
788 return -1;
789 }
790 break;
791 case IKEV2_DONE:
792 return -1;
793 }
794
795 return 0;
796}
797
798
799int ikev2_initiator_process(struct ikev2_initiator_data *data,
800 const struct wpabuf *buf)
801{
802 const struct ikev2_hdr *hdr;
803 u32 length, message_id;
804 const u8 *pos, *end;
805 struct ikev2_payloads pl;
806
807 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
808 (unsigned long) wpabuf_len(buf));
809
810 if (wpabuf_len(buf) < sizeof(*hdr)) {
811 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
812 return -1;
813 }
814
815 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
816 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
817 message_id = WPA_GET_BE32(hdr->message_id);
818 length = WPA_GET_BE32(hdr->length);
819
820 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
821 hdr->i_spi, IKEV2_SPI_LEN);
822 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
823 hdr->r_spi, IKEV2_SPI_LEN);
824 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
825 "Exchange Type: %u",
826 hdr->next_payload, hdr->version, hdr->exchange_type);
827 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
828 message_id, length);
829
830 if (hdr->version != IKEV2_VERSION) {
831 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
832 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
833 return -1;
834 }
835
836 if (length != wpabuf_len(buf)) {
837 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
838 "RX: %lu)", (unsigned long) length,
839 (unsigned long) wpabuf_len(buf));
840 return -1;
841 }
842
843 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
844 return -1;
845
846 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
847 IKEV2_HDR_RESPONSE) {
848 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
849 hdr->flags);
850 return -1;
851 }
852
853 if (data->state != SA_INIT) {
854 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
855 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
856 "Initiator's SPI");
857 return -1;
858 }
859 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
860 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
861 "Responder's SPI");
862 return -1;
863 }
864 }
865
866 pos = (const u8 *) (hdr + 1);
867 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
868 return -1;
869
870 switch (data->state) {
871 case SA_INIT:
872 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
873 return -1;
874 wpabuf_free(data->r_sign_msg);
875 data->r_sign_msg = wpabuf_dup(buf);
876 break;
877 case SA_AUTH:
878 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
879 return -1;
880 break;
881 case CHILD_SA:
882 case IKEV2_DONE:
883 break;
884 }
885
886 return 0;
887}
888
889
890static void ikev2_build_hdr(struct ikev2_initiator_data *data,
891 struct wpabuf *msg, u8 exchange_type,
892 u8 next_payload, u32 message_id)
893{
894 struct ikev2_hdr *hdr;
895
896 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
897
898 /* HDR - RFC 4306, Sect. 3.1 */
899 hdr = wpabuf_put(msg, sizeof(*hdr));
900 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
901 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
902 hdr->next_payload = next_payload;
903 hdr->version = IKEV2_VERSION;
904 hdr->exchange_type = exchange_type;
905 hdr->flags = IKEV2_HDR_INITIATOR;
906 WPA_PUT_BE32(hdr->message_id, message_id);
907}
908
909
910static int ikev2_build_sai(struct ikev2_initiator_data *data,
911 struct wpabuf *msg, u8 next_payload)
912{
913 struct ikev2_payload_hdr *phdr;
914 size_t plen;
915 struct ikev2_proposal *p;
916 struct ikev2_transform *t;
917
918 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
919
920 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
921 phdr = wpabuf_put(msg, sizeof(*phdr));
922 phdr->next_payload = next_payload;
923 phdr->flags = 0;
924
925 /* TODO: support for multiple proposals */
926 p = wpabuf_put(msg, sizeof(*p));
927 p->proposal_num = data->proposal.proposal_num;
928 p->protocol_id = IKEV2_PROTOCOL_IKE;
929 p->num_transforms = 4;
930
931 t = wpabuf_put(msg, sizeof(*t));
932 t->type = 3;
933 t->transform_type = IKEV2_TRANSFORM_ENCR;
934 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
935 if (data->proposal.encr == ENCR_AES_CBC) {
936 /* Transform Attribute: Key Len = 128 bits */
937 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
938 wpabuf_put_be16(msg, 128); /* 128-bit key */
939 }
940 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
941 WPA_PUT_BE16(t->transform_length, plen);
942
943 t = wpabuf_put(msg, sizeof(*t));
944 t->type = 3;
945 WPA_PUT_BE16(t->transform_length, sizeof(*t));
946 t->transform_type = IKEV2_TRANSFORM_PRF;
947 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
948
949 t = wpabuf_put(msg, sizeof(*t));
950 t->type = 3;
951 WPA_PUT_BE16(t->transform_length, sizeof(*t));
952 t->transform_type = IKEV2_TRANSFORM_INTEG;
953 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
954
955 t = wpabuf_put(msg, sizeof(*t));
956 WPA_PUT_BE16(t->transform_length, sizeof(*t));
957 t->transform_type = IKEV2_TRANSFORM_DH;
958 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
959
960 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
961 WPA_PUT_BE16(p->proposal_length, plen);
962
963 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
964 WPA_PUT_BE16(phdr->payload_length, plen);
965
966 return 0;
967}
968
969
970static int ikev2_build_kei(struct ikev2_initiator_data *data,
971 struct wpabuf *msg, u8 next_payload)
972{
973 struct ikev2_payload_hdr *phdr;
974 size_t plen;
975 struct wpabuf *pv;
976
977 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
978
979 data->dh = dh_groups_get(data->proposal.dh);
980 pv = dh_init(data->dh, &data->i_dh_private);
981 if (pv == NULL) {
982 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
983 return -1;
984 }
985
986 /* KEi - RFC 4306, Sect. 3.4 */
987 phdr = wpabuf_put(msg, sizeof(*phdr));
988 phdr->next_payload = next_payload;
989 phdr->flags = 0;
990
991 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
992 wpabuf_put(msg, 2); /* RESERVED */
993 /*
994 * RFC 4306, Sect. 3.4: possible zero padding for public value to
995 * match the length of the prime.
996 */
997 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
998 wpabuf_put_buf(msg, pv);
999 os_free(pv);
1000
1001 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1002 WPA_PUT_BE16(phdr->payload_length, plen);
1003 return 0;
1004}
1005
1006
1007static int ikev2_build_ni(struct ikev2_initiator_data *data,
1008 struct wpabuf *msg, u8 next_payload)
1009{
1010 struct ikev2_payload_hdr *phdr;
1011 size_t plen;
1012
1013 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1014
1015 /* Ni - RFC 4306, Sect. 3.9 */
1016 phdr = wpabuf_put(msg, sizeof(*phdr));
1017 phdr->next_payload = next_payload;
1018 phdr->flags = 0;
1019 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1020 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1021 WPA_PUT_BE16(phdr->payload_length, plen);
1022 return 0;
1023}
1024
1025
1026static int ikev2_build_idi(struct ikev2_initiator_data *data,
1027 struct wpabuf *msg, u8 next_payload)
1028{
1029 struct ikev2_payload_hdr *phdr;
1030 size_t plen;
1031
1032 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1033
1034 if (data->IDi == NULL) {
1035 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1036 return -1;
1037 }
1038
1039 /* IDi - RFC 4306, Sect. 3.5 */
1040 phdr = wpabuf_put(msg, sizeof(*phdr));
1041 phdr->next_payload = next_payload;
1042 phdr->flags = 0;
1043 wpabuf_put_u8(msg, ID_KEY_ID);
1044 wpabuf_put(msg, 3); /* RESERVED */
1045 wpabuf_put_data(msg, data->IDi, data->IDi_len);
1046 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1047 WPA_PUT_BE16(phdr->payload_length, plen);
1048 return 0;
1049}
1050
1051
1052static int ikev2_build_auth(struct ikev2_initiator_data *data,
1053 struct wpabuf *msg, u8 next_payload)
1054{
1055 struct ikev2_payload_hdr *phdr;
1056 size_t plen;
1057 const struct ikev2_prf_alg *prf;
1058
1059 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1060
1061 prf = ikev2_get_prf(data->proposal.prf);
1062 if (prf == NULL)
1063 return -1;
1064
1065 /* Authentication - RFC 4306, Sect. 3.8 */
1066 phdr = wpabuf_put(msg, sizeof(*phdr));
1067 phdr->next_payload = next_payload;
1068 phdr->flags = 0;
1069 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1070 wpabuf_put(msg, 3); /* RESERVED */
1071
1072 /* msg | Nr | prf(SK_pi,IDi') */
1073 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1074 data->IDi, data->IDi_len, ID_KEY_ID,
1075 &data->keys, 1, data->shared_secret,
1076 data->shared_secret_len,
1077 data->r_nonce, data->r_nonce_len,
1078 data->key_pad, data->key_pad_len,
1079 wpabuf_put(msg, prf->hash_len)) < 0) {
1080 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1081 return -1;
1082 }
1083 wpabuf_free(data->i_sign_msg);
1084 data->i_sign_msg = NULL;
1085
1086 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1087 WPA_PUT_BE16(phdr->payload_length, plen);
1088 return 0;
1089}
1090
1091
1092static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1093{
1094 struct wpabuf *msg;
1095
1096 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1097
1098 if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1099 return NULL;
1100 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1101 data->i_spi, IKEV2_SPI_LEN);
1102
1103 data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1104 if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1105 return NULL;
1106 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1107
1108 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1109 if (msg == NULL)
1110 return NULL;
1111
1112 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1113 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1114 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1115 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1116 wpabuf_free(msg);
1117 return NULL;
1118 }
1119
1120 ikev2_update_hdr(msg);
1121
1122 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1123
1124 wpabuf_free(data->i_sign_msg);
1125 data->i_sign_msg = wpabuf_dup(msg);
1126
1127 return msg;
1128}
1129
1130
1131static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1132{
1133 struct wpabuf *msg, *plain;
1134 const u8 *secret;
1135 size_t secret_len;
1136
1137 secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1138 data->IDr_len, &secret_len);
1139 if (secret == NULL) {
1140 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1141 "use fake value");
1142 /* RFC 5106, Sect. 7:
1143 * Use a random key to fake AUTH generation in order to prevent
1144 * probing of user identities.
1145 */
1146 data->unknown_user = 1;
1147 os_free(data->shared_secret);
1148 data->shared_secret = os_malloc(16);
1149 if (data->shared_secret == NULL)
1150 return NULL;
1151 data->shared_secret_len = 16;
1152 if (random_get_bytes(data->shared_secret, 16))
1153 return NULL;
1154 } else {
1155 os_free(data->shared_secret);
1156 data->shared_secret = os_malloc(secret_len);
1157 if (data->shared_secret == NULL)
1158 return NULL;
1159 os_memcpy(data->shared_secret, secret, secret_len);
1160 data->shared_secret_len = secret_len;
1161 }
1162
1163 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1164
1165 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1166 if (msg == NULL)
1167 return NULL;
1168 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1169
1170 plain = wpabuf_alloc(data->IDr_len + 1000);
1171 if (plain == NULL) {
1172 wpabuf_free(msg);
1173 return NULL;
1174 }
1175
1176 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1177 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1178 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1179 &data->keys, 1, msg, plain,
1180 IKEV2_PAYLOAD_IDi)) {
1181 wpabuf_free(plain);
1182 wpabuf_free(msg);
1183 return NULL;
1184 }
1185 wpabuf_free(plain);
1186
1187 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1188
1189 return msg;
1190}
1191
1192
1193struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1194{
1195 switch (data->state) {
1196 case SA_INIT:
1197 return ikev2_build_sa_init(data);
1198 case SA_AUTH:
1199 return ikev2_build_sa_auth(data);
1200 case CHILD_SA:
1201 return NULL;
1202 case IKEV2_DONE:
1203 return NULL;
1204 }
1205 return NULL;
1206}