1 /* 2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2 3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi> 4 * 5 * This program is free software; you can redistribute it and/or modify 6 * it under the terms of the GNU General Public License version 2 as 7 * published by the Free Software Foundation. 8 * 9 * Alternatively, this software may be distributed under the terms of BSD 10 * license. 11 * 12 * See README and COPYING for more details. 13 */ 14 15 #include "includes.h" 16 17 #include "common.h" 18 #include "crypto/dh_groups.h" 19 #include "crypto/random.h" 20 #include "ikev2.h" 21 22 23 static int ikev2_process_idr(struct ikev2_initiator_data *data, 24 const u8 *idr, size_t idr_len); 25 26 27 void ikev2_initiator_deinit(struct ikev2_initiator_data *data) 28 { 29 ikev2_free_keys(&data->keys); 30 wpabuf_free(data->r_dh_public); 31 wpabuf_free(data->i_dh_private); 32 os_free(data->IDi); 33 os_free(data->IDr); 34 os_free(data->shared_secret); 35 wpabuf_free(data->i_sign_msg); 36 wpabuf_free(data->r_sign_msg); 37 os_free(data->key_pad); 38 } 39 40 41 static int ikev2_derive_keys(struct ikev2_initiator_data *data) 42 { 43 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; 44 size_t buf_len, pad_len; 45 struct wpabuf *shared; 46 const struct ikev2_integ_alg *integ; 47 const struct ikev2_prf_alg *prf; 48 const struct ikev2_encr_alg *encr; 49 int ret; 50 const u8 *addr[2]; 51 size_t len[2]; 52 53 /* RFC 4306, Sect. 2.14 */ 54 55 integ = ikev2_get_integ(data->proposal.integ); 56 prf = ikev2_get_prf(data->proposal.prf); 57 encr = ikev2_get_encr(data->proposal.encr); 58 if (integ == NULL || prf == NULL || encr == NULL) { 59 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal"); 60 return -1; 61 } 62 63 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private, 64 data->dh); 65 if (shared == NULL) 66 return -1; 67 68 /* Construct Ni | Nr | SPIi | SPIr */ 69 70 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; 71 buf = os_malloc(buf_len); 72 if (buf == NULL) { 73 wpabuf_free(shared); 74 return -1; 75 } 76 77 pos = buf; 78 os_memcpy(pos, data->i_nonce, data->i_nonce_len); 79 pos += data->i_nonce_len; 80 os_memcpy(pos, data->r_nonce, data->r_nonce_len); 81 pos += data->r_nonce_len; 82 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); 83 pos += IKEV2_SPI_LEN; 84 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); 85 86 /* SKEYSEED = prf(Ni | Nr, g^ir) */ 87 88 /* Use zero-padding per RFC 4306, Sect. 2.14 */ 89 pad_len = data->dh->prime_len - wpabuf_len(shared); 90 pad = os_zalloc(pad_len ? pad_len : 1); 91 if (pad == NULL) { 92 wpabuf_free(shared); 93 os_free(buf); 94 return -1; 95 } 96 addr[0] = pad; 97 len[0] = pad_len; 98 addr[1] = wpabuf_head(shared); 99 len[1] = wpabuf_len(shared); 100 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 101 2, addr, len, skeyseed) < 0) { 102 wpabuf_free(shared); 103 os_free(buf); 104 os_free(pad); 105 return -1; 106 } 107 os_free(pad); 108 wpabuf_free(shared); 109 110 /* DH parameters are not needed anymore, so free them */ 111 wpabuf_free(data->r_dh_public); 112 data->r_dh_public = NULL; 113 wpabuf_free(data->i_dh_private); 114 data->i_dh_private = NULL; 115 116 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", 117 skeyseed, prf->hash_len); 118 119 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, 120 &data->keys); 121 os_free(buf); 122 return ret; 123 } 124 125 126 static int ikev2_parse_transform(struct ikev2_initiator_data *data, 127 struct ikev2_proposal_data *prop, 128 const u8 *pos, const u8 *end) 129 { 130 int transform_len; 131 const struct ikev2_transform *t; 132 u16 transform_id; 133 const u8 *tend; 134 135 if (end - pos < (int) sizeof(*t)) { 136 wpa_printf(MSG_INFO, "IKEV2: Too short transform"); 137 return -1; 138 } 139 140 t = (const struct ikev2_transform *) pos; 141 transform_len = WPA_GET_BE16(t->transform_length); 142 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) { 143 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d", 144 transform_len); 145 return -1; 146 } 147 tend = pos + transform_len; 148 149 transform_id = WPA_GET_BE16(t->transform_id); 150 151 wpa_printf(MSG_DEBUG, "IKEV2: Transform:"); 152 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d " 153 "Transform Type: %d Transform ID: %d", 154 t->type, transform_len, t->transform_type, transform_id); 155 156 if (t->type != 0 && t->type != 3) { 157 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type"); 158 return -1; 159 } 160 161 pos = (const u8 *) (t + 1); 162 if (pos < tend) { 163 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes", 164 pos, tend - pos); 165 } 166 167 switch (t->transform_type) { 168 case IKEV2_TRANSFORM_ENCR: 169 if (ikev2_get_encr(transform_id) && 170 transform_id == data->proposal.encr) { 171 if (transform_id == ENCR_AES_CBC) { 172 if (tend - pos != 4) { 173 wpa_printf(MSG_DEBUG, "IKEV2: No " 174 "Transform Attr for AES"); 175 break; 176 } 177 if (WPA_GET_BE16(pos) != 0x800e) { 178 wpa_printf(MSG_DEBUG, "IKEV2: Not a " 179 "Key Size attribute for " 180 "AES"); 181 break; 182 } 183 if (WPA_GET_BE16(pos + 2) != 128) { 184 wpa_printf(MSG_DEBUG, "IKEV2: " 185 "Unsupported AES key size " 186 "%d bits", 187 WPA_GET_BE16(pos + 2)); 188 break; 189 } 190 } 191 prop->encr = transform_id; 192 } 193 break; 194 case IKEV2_TRANSFORM_PRF: 195 if (ikev2_get_prf(transform_id) && 196 transform_id == data->proposal.prf) 197 prop->prf = transform_id; 198 break; 199 case IKEV2_TRANSFORM_INTEG: 200 if (ikev2_get_integ(transform_id) && 201 transform_id == data->proposal.integ) 202 prop->integ = transform_id; 203 break; 204 case IKEV2_TRANSFORM_DH: 205 if (dh_groups_get(transform_id) && 206 transform_id == data->proposal.dh) 207 prop->dh = transform_id; 208 break; 209 } 210 211 return transform_len; 212 } 213 214 215 static int ikev2_parse_proposal(struct ikev2_initiator_data *data, 216 struct ikev2_proposal_data *prop, 217 const u8 *pos, const u8 *end) 218 { 219 const u8 *pend, *ppos; 220 int proposal_len, i; 221 const struct ikev2_proposal *p; 222 223 if (end - pos < (int) sizeof(*p)) { 224 wpa_printf(MSG_INFO, "IKEV2: Too short proposal"); 225 return -1; 226 } 227 228 p = (const struct ikev2_proposal *) pos; 229 proposal_len = WPA_GET_BE16(p->proposal_length); 230 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) { 231 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d", 232 proposal_len); 233 return -1; 234 } 235 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d", 236 p->proposal_num); 237 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d " 238 " Protocol ID: %d", 239 p->type, proposal_len, p->protocol_id); 240 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d", 241 p->spi_size, p->num_transforms); 242 243 if (p->type != 0 && p->type != 2) { 244 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type"); 245 return -1; 246 } 247 248 if (p->protocol_id != IKEV2_PROTOCOL_IKE) { 249 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID " 250 "(only IKE allowed for EAP-IKEv2)"); 251 return -1; 252 } 253 254 if (p->proposal_num != prop->proposal_num) { 255 if (p->proposal_num == prop->proposal_num + 1) 256 prop->proposal_num = p->proposal_num; 257 else { 258 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #"); 259 return -1; 260 } 261 } 262 263 ppos = (const u8 *) (p + 1); 264 pend = pos + proposal_len; 265 if (ppos + p->spi_size > pend) { 266 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI " 267 "in proposal"); 268 return -1; 269 } 270 if (p->spi_size) { 271 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI", 272 ppos, p->spi_size); 273 ppos += p->spi_size; 274 } 275 276 /* 277 * For initial IKE_SA negotiation, SPI Size MUST be zero; for 278 * subsequent negotiations, it must be 8 for IKE. We only support 279 * initial case for now. 280 */ 281 if (p->spi_size != 0) { 282 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size"); 283 return -1; 284 } 285 286 if (p->num_transforms == 0) { 287 wpa_printf(MSG_INFO, "IKEV2: At least one transform required"); 288 return -1; 289 } 290 291 for (i = 0; i < (int) p->num_transforms; i++) { 292 int tlen = ikev2_parse_transform(data, prop, ppos, pend); 293 if (tlen < 0) 294 return -1; 295 ppos += tlen; 296 } 297 298 if (ppos != pend) { 299 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after " 300 "transforms"); 301 return -1; 302 } 303 304 return proposal_len; 305 } 306 307 308 static int ikev2_process_sar1(struct ikev2_initiator_data *data, 309 const u8 *sar1, size_t sar1_len) 310 { 311 struct ikev2_proposal_data prop; 312 const u8 *pos, *end; 313 int found = 0; 314 315 /* Security Association Payloads: <Proposals> */ 316 317 if (sar1 == NULL) { 318 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received"); 319 return -1; 320 } 321 322 os_memset(&prop, 0, sizeof(prop)); 323 prop.proposal_num = 1; 324 325 pos = sar1; 326 end = sar1 + sar1_len; 327 328 while (pos < end) { 329 int plen; 330 331 prop.integ = -1; 332 prop.prf = -1; 333 prop.encr = -1; 334 prop.dh = -1; 335 plen = ikev2_parse_proposal(data, &prop, pos, end); 336 if (plen < 0) 337 return -1; 338 339 if (!found && prop.integ != -1 && prop.prf != -1 && 340 prop.encr != -1 && prop.dh != -1) { 341 found = 1; 342 } 343 344 pos += plen; 345 346 /* Only one proposal expected in SAr */ 347 break; 348 } 349 350 if (pos != end) { 351 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal"); 352 return -1; 353 } 354 355 if (!found) { 356 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found"); 357 return -1; 358 } 359 360 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d " 361 "INTEG:%d D-H:%d", data->proposal.proposal_num, 362 data->proposal.encr, data->proposal.prf, 363 data->proposal.integ, data->proposal.dh); 364 365 return 0; 366 } 367 368 369 static int ikev2_process_ker(struct ikev2_initiator_data *data, 370 const u8 *ker, size_t ker_len) 371 { 372 u16 group; 373 374 /* 375 * Key Exchange Payload: 376 * DH Group # (16 bits) 377 * RESERVED (16 bits) 378 * Key Exchange Data (Diffie-Hellman public value) 379 */ 380 381 if (ker == NULL) { 382 wpa_printf(MSG_INFO, "IKEV2: KEr not received"); 383 return -1; 384 } 385 386 if (ker_len < 4 + 96) { 387 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload"); 388 return -1; 389 } 390 391 group = WPA_GET_BE16(ker); 392 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group); 393 394 if (group != data->proposal.dh) { 395 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match " 396 "with the selected proposal (%u)", 397 group, data->proposal.dh); 398 return -1; 399 } 400 401 if (data->dh == NULL) { 402 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group"); 403 return -1; 404 } 405 406 /* RFC 4306, Section 3.4: 407 * The length of DH public value MUST be equal to the length of the 408 * prime modulus. 409 */ 410 if (ker_len - 4 != data->dh->prime_len) { 411 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length " 412 "%ld (expected %ld)", 413 (long) (ker_len - 4), (long) data->dh->prime_len); 414 return -1; 415 } 416 417 wpabuf_free(data->r_dh_public); 418 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4); 419 if (data->r_dh_public == NULL) 420 return -1; 421 422 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value", 423 data->r_dh_public); 424 425 return 0; 426 } 427 428 429 static int ikev2_process_nr(struct ikev2_initiator_data *data, 430 const u8 *nr, size_t nr_len) 431 { 432 if (nr == NULL) { 433 wpa_printf(MSG_INFO, "IKEV2: Nr not received"); 434 return -1; 435 } 436 437 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) { 438 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld", 439 (long) nr_len); 440 return -1; 441 } 442 443 data->r_nonce_len = nr_len; 444 os_memcpy(data->r_nonce, nr, nr_len); 445 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr", 446 data->r_nonce, data->r_nonce_len); 447 448 return 0; 449 } 450 451 452 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data, 453 const struct ikev2_hdr *hdr, 454 const u8 *encrypted, 455 size_t encrypted_len, u8 next_payload) 456 { 457 u8 *decrypted; 458 size_t decrypted_len; 459 struct ikev2_payloads pl; 460 int ret = 0; 461 462 decrypted = ikev2_decrypt_payload(data->proposal.encr, 463 data->proposal.integ, &data->keys, 0, 464 hdr, encrypted, encrypted_len, 465 &decrypted_len); 466 if (decrypted == NULL) 467 return -1; 468 469 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 470 471 if (ikev2_parse_payloads(&pl, next_payload, decrypted, 472 decrypted + decrypted_len) < 0) { 473 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 474 "payloads"); 475 return -1; 476 } 477 478 if (pl.idr) 479 ret = ikev2_process_idr(data, pl.idr, pl.idr_len); 480 481 os_free(decrypted); 482 483 return ret; 484 } 485 486 487 static int ikev2_process_sa_init(struct ikev2_initiator_data *data, 488 const struct ikev2_hdr *hdr, 489 struct ikev2_payloads *pl) 490 { 491 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 || 492 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 || 493 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0) 494 return -1; 495 496 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN); 497 498 if (ikev2_derive_keys(data) < 0) 499 return -1; 500 501 if (pl->encrypted) { 502 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - " 503 "try to get IDr from it"); 504 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted, 505 pl->encrypted_len, 506 pl->encr_next_payload) < 0) { 507 wpa_printf(MSG_INFO, "IKEV2: Failed to process " 508 "encrypted payload"); 509 return -1; 510 } 511 } 512 513 data->state = SA_AUTH; 514 515 return 0; 516 } 517 518 519 static int ikev2_process_idr(struct ikev2_initiator_data *data, 520 const u8 *idr, size_t idr_len) 521 { 522 u8 id_type; 523 524 if (idr == NULL) { 525 wpa_printf(MSG_INFO, "IKEV2: No IDr received"); 526 return -1; 527 } 528 529 if (idr_len < 4) { 530 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload"); 531 return -1; 532 } 533 534 id_type = idr[0]; 535 idr += 4; 536 idr_len -= 4; 537 538 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type); 539 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len); 540 if (data->IDr) { 541 if (id_type != data->IDr_type || idr_len != data->IDr_len || 542 os_memcmp(idr, data->IDr, idr_len) != 0) { 543 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one " 544 "received earlier"); 545 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d", 546 id_type); 547 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr", 548 data->IDr, data->IDr_len); 549 return -1; 550 } 551 os_free(data->IDr); 552 } 553 data->IDr = os_malloc(idr_len); 554 if (data->IDr == NULL) 555 return -1; 556 os_memcpy(data->IDr, idr, idr_len); 557 data->IDr_len = idr_len; 558 data->IDr_type = id_type; 559 560 return 0; 561 } 562 563 564 static int ikev2_process_cert(struct ikev2_initiator_data *data, 565 const u8 *cert, size_t cert_len) 566 { 567 u8 cert_encoding; 568 569 if (cert == NULL) { 570 if (data->peer_auth == PEER_AUTH_CERT) { 571 wpa_printf(MSG_INFO, "IKEV2: No Certificate received"); 572 return -1; 573 } 574 return 0; 575 } 576 577 if (cert_len < 1) { 578 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field"); 579 return -1; 580 } 581 582 cert_encoding = cert[0]; 583 cert++; 584 cert_len--; 585 586 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding); 587 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len); 588 589 /* TODO: validate certificate */ 590 591 return 0; 592 } 593 594 595 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data, 596 u8 method, const u8 *auth, size_t auth_len) 597 { 598 if (method != AUTH_RSA_SIGN) { 599 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 600 "method %d", method); 601 return -1; 602 } 603 604 /* TODO: validate AUTH */ 605 return 0; 606 } 607 608 609 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data, 610 u8 method, const u8 *auth, 611 size_t auth_len) 612 { 613 u8 auth_data[IKEV2_MAX_HASH_LEN]; 614 const struct ikev2_prf_alg *prf; 615 616 if (method != AUTH_SHARED_KEY_MIC) { 617 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 618 "method %d", method); 619 return -1; 620 } 621 622 /* msg | Ni | prf(SK_pr,IDr') */ 623 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, 624 data->IDr, data->IDr_len, data->IDr_type, 625 &data->keys, 0, data->shared_secret, 626 data->shared_secret_len, 627 data->i_nonce, data->i_nonce_len, 628 data->key_pad, data->key_pad_len, 629 auth_data) < 0) { 630 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 631 return -1; 632 } 633 634 wpabuf_free(data->r_sign_msg); 635 data->r_sign_msg = NULL; 636 637 prf = ikev2_get_prf(data->proposal.prf); 638 if (prf == NULL) 639 return -1; 640 641 if (auth_len != prf->hash_len || 642 os_memcmp(auth, auth_data, auth_len) != 0) { 643 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data"); 644 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", 645 auth, auth_len); 646 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", 647 auth_data, prf->hash_len); 648 return -1; 649 } 650 651 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully " 652 "using shared keys"); 653 654 return 0; 655 } 656 657 658 static int ikev2_process_auth(struct ikev2_initiator_data *data, 659 const u8 *auth, size_t auth_len) 660 { 661 u8 auth_method; 662 663 if (auth == NULL) { 664 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload"); 665 return -1; 666 } 667 668 if (auth_len < 4) { 669 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication " 670 "Payload"); 671 return -1; 672 } 673 674 auth_method = auth[0]; 675 auth += 4; 676 auth_len -= 4; 677 678 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method); 679 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len); 680 681 switch (data->peer_auth) { 682 case PEER_AUTH_CERT: 683 return ikev2_process_auth_cert(data, auth_method, auth, 684 auth_len); 685 case PEER_AUTH_SECRET: 686 return ikev2_process_auth_secret(data, auth_method, auth, 687 auth_len); 688 } 689 690 return -1; 691 } 692 693 694 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data, 695 u8 next_payload, 696 u8 *payload, size_t payload_len) 697 { 698 struct ikev2_payloads pl; 699 700 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 701 702 if (ikev2_parse_payloads(&pl, next_payload, payload, payload + 703 payload_len) < 0) { 704 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 705 "payloads"); 706 return -1; 707 } 708 709 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 || 710 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 || 711 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0) 712 return -1; 713 714 return 0; 715 } 716 717 718 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data, 719 const struct ikev2_hdr *hdr, 720 struct ikev2_payloads *pl) 721 { 722 u8 *decrypted; 723 size_t decrypted_len; 724 int ret; 725 726 decrypted = ikev2_decrypt_payload(data->proposal.encr, 727 data->proposal.integ, 728 &data->keys, 0, hdr, pl->encrypted, 729 pl->encrypted_len, &decrypted_len); 730 if (decrypted == NULL) 731 return -1; 732 733 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload, 734 decrypted, decrypted_len); 735 os_free(decrypted); 736 737 if (ret == 0 && !data->unknown_user) { 738 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed"); 739 data->state = IKEV2_DONE; 740 } 741 742 return ret; 743 } 744 745 746 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data, 747 u8 exchange_type, u32 message_id) 748 { 749 switch (data->state) { 750 case SA_INIT: 751 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ], 752 * [SK{IDr}] */ 753 if (exchange_type != IKE_SA_INIT) { 754 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 755 "%u in SA_INIT state", exchange_type); 756 return -1; 757 } 758 if (message_id != 0) { 759 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 760 "in SA_INIT state", message_id); 761 return -1; 762 } 763 break; 764 case SA_AUTH: 765 /* Expect to receive IKE_SA_AUTH: 766 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH} 767 */ 768 if (exchange_type != IKE_SA_AUTH) { 769 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 770 "%u in SA_AUTH state", exchange_type); 771 return -1; 772 } 773 if (message_id != 1) { 774 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 775 "in SA_AUTH state", message_id); 776 return -1; 777 } 778 break; 779 case CHILD_SA: 780 if (exchange_type != CREATE_CHILD_SA) { 781 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 782 "%u in CHILD_SA state", exchange_type); 783 return -1; 784 } 785 if (message_id != 2) { 786 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 787 "in CHILD_SA state", message_id); 788 return -1; 789 } 790 break; 791 case IKEV2_DONE: 792 return -1; 793 } 794 795 return 0; 796 } 797 798 799 int ikev2_initiator_process(struct ikev2_initiator_data *data, 800 const struct wpabuf *buf) 801 { 802 const struct ikev2_hdr *hdr; 803 u32 length, message_id; 804 const u8 *pos, *end; 805 struct ikev2_payloads pl; 806 807 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)", 808 (unsigned long) wpabuf_len(buf)); 809 810 if (wpabuf_len(buf) < sizeof(*hdr)) { 811 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR"); 812 return -1; 813 } 814 815 hdr = (const struct ikev2_hdr *) wpabuf_head(buf); 816 end = wpabuf_head_u8(buf) + wpabuf_len(buf); 817 message_id = WPA_GET_BE32(hdr->message_id); 818 length = WPA_GET_BE32(hdr->length); 819 820 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 821 hdr->i_spi, IKEV2_SPI_LEN); 822 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 823 hdr->r_spi, IKEV2_SPI_LEN); 824 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x " 825 "Exchange Type: %u", 826 hdr->next_payload, hdr->version, hdr->exchange_type); 827 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u", 828 message_id, length); 829 830 if (hdr->version != IKEV2_VERSION) { 831 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x " 832 "(expected 0x%x)", hdr->version, IKEV2_VERSION); 833 return -1; 834 } 835 836 if (length != wpabuf_len(buf)) { 837 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != " 838 "RX: %lu)", (unsigned long) length, 839 (unsigned long) wpabuf_len(buf)); 840 return -1; 841 } 842 843 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0) 844 return -1; 845 846 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) != 847 IKEV2_HDR_RESPONSE) { 848 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x", 849 hdr->flags); 850 return -1; 851 } 852 853 if (data->state != SA_INIT) { 854 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) { 855 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 856 "Initiator's SPI"); 857 return -1; 858 } 859 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) { 860 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 861 "Responder's SPI"); 862 return -1; 863 } 864 } 865 866 pos = (const u8 *) (hdr + 1); 867 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0) 868 return -1; 869 870 switch (data->state) { 871 case SA_INIT: 872 if (ikev2_process_sa_init(data, hdr, &pl) < 0) 873 return -1; 874 wpabuf_free(data->r_sign_msg); 875 data->r_sign_msg = wpabuf_dup(buf); 876 break; 877 case SA_AUTH: 878 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) 879 return -1; 880 break; 881 case CHILD_SA: 882 case IKEV2_DONE: 883 break; 884 } 885 886 return 0; 887 } 888 889 890 static void ikev2_build_hdr(struct ikev2_initiator_data *data, 891 struct wpabuf *msg, u8 exchange_type, 892 u8 next_payload, u32 message_id) 893 { 894 struct ikev2_hdr *hdr; 895 896 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR"); 897 898 /* HDR - RFC 4306, Sect. 3.1 */ 899 hdr = wpabuf_put(msg, sizeof(*hdr)); 900 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN); 901 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN); 902 hdr->next_payload = next_payload; 903 hdr->version = IKEV2_VERSION; 904 hdr->exchange_type = exchange_type; 905 hdr->flags = IKEV2_HDR_INITIATOR; 906 WPA_PUT_BE32(hdr->message_id, message_id); 907 } 908 909 910 static int ikev2_build_sai(struct ikev2_initiator_data *data, 911 struct wpabuf *msg, u8 next_payload) 912 { 913 struct ikev2_payload_hdr *phdr; 914 size_t plen; 915 struct ikev2_proposal *p; 916 struct ikev2_transform *t; 917 918 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload"); 919 920 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */ 921 phdr = wpabuf_put(msg, sizeof(*phdr)); 922 phdr->next_payload = next_payload; 923 phdr->flags = 0; 924 925 /* TODO: support for multiple proposals */ 926 p = wpabuf_put(msg, sizeof(*p)); 927 p->proposal_num = data->proposal.proposal_num; 928 p->protocol_id = IKEV2_PROTOCOL_IKE; 929 p->num_transforms = 4; 930 931 t = wpabuf_put(msg, sizeof(*t)); 932 t->type = 3; 933 t->transform_type = IKEV2_TRANSFORM_ENCR; 934 WPA_PUT_BE16(t->transform_id, data->proposal.encr); 935 if (data->proposal.encr == ENCR_AES_CBC) { 936 /* Transform Attribute: Key Len = 128 bits */ 937 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */ 938 wpabuf_put_be16(msg, 128); /* 128-bit key */ 939 } 940 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t; 941 WPA_PUT_BE16(t->transform_length, plen); 942 943 t = wpabuf_put(msg, sizeof(*t)); 944 t->type = 3; 945 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 946 t->transform_type = IKEV2_TRANSFORM_PRF; 947 WPA_PUT_BE16(t->transform_id, data->proposal.prf); 948 949 t = wpabuf_put(msg, sizeof(*t)); 950 t->type = 3; 951 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 952 t->transform_type = IKEV2_TRANSFORM_INTEG; 953 WPA_PUT_BE16(t->transform_id, data->proposal.integ); 954 955 t = wpabuf_put(msg, sizeof(*t)); 956 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 957 t->transform_type = IKEV2_TRANSFORM_DH; 958 WPA_PUT_BE16(t->transform_id, data->proposal.dh); 959 960 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p; 961 WPA_PUT_BE16(p->proposal_length, plen); 962 963 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 964 WPA_PUT_BE16(phdr->payload_length, plen); 965 966 return 0; 967 } 968 969 970 static int ikev2_build_kei(struct ikev2_initiator_data *data, 971 struct wpabuf *msg, u8 next_payload) 972 { 973 struct ikev2_payload_hdr *phdr; 974 size_t plen; 975 struct wpabuf *pv; 976 977 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload"); 978 979 data->dh = dh_groups_get(data->proposal.dh); 980 pv = dh_init(data->dh, &data->i_dh_private); 981 if (pv == NULL) { 982 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH"); 983 return -1; 984 } 985 986 /* KEi - RFC 4306, Sect. 3.4 */ 987 phdr = wpabuf_put(msg, sizeof(*phdr)); 988 phdr->next_payload = next_payload; 989 phdr->flags = 0; 990 991 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */ 992 wpabuf_put(msg, 2); /* RESERVED */ 993 /* 994 * RFC 4306, Sect. 3.4: possible zero padding for public value to 995 * match the length of the prime. 996 */ 997 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv)); 998 wpabuf_put_buf(msg, pv); 999 os_free(pv); 1000 1001 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1002 WPA_PUT_BE16(phdr->payload_length, plen); 1003 return 0; 1004 } 1005 1006 1007 static int ikev2_build_ni(struct ikev2_initiator_data *data, 1008 struct wpabuf *msg, u8 next_payload) 1009 { 1010 struct ikev2_payload_hdr *phdr; 1011 size_t plen; 1012 1013 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload"); 1014 1015 /* Ni - RFC 4306, Sect. 3.9 */ 1016 phdr = wpabuf_put(msg, sizeof(*phdr)); 1017 phdr->next_payload = next_payload; 1018 phdr->flags = 0; 1019 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len); 1020 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1021 WPA_PUT_BE16(phdr->payload_length, plen); 1022 return 0; 1023 } 1024 1025 1026 static int ikev2_build_idi(struct ikev2_initiator_data *data, 1027 struct wpabuf *msg, u8 next_payload) 1028 { 1029 struct ikev2_payload_hdr *phdr; 1030 size_t plen; 1031 1032 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload"); 1033 1034 if (data->IDi == NULL) { 1035 wpa_printf(MSG_INFO, "IKEV2: No IDi available"); 1036 return -1; 1037 } 1038 1039 /* IDi - RFC 4306, Sect. 3.5 */ 1040 phdr = wpabuf_put(msg, sizeof(*phdr)); 1041 phdr->next_payload = next_payload; 1042 phdr->flags = 0; 1043 wpabuf_put_u8(msg, ID_KEY_ID); 1044 wpabuf_put(msg, 3); /* RESERVED */ 1045 wpabuf_put_data(msg, data->IDi, data->IDi_len); 1046 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1047 WPA_PUT_BE16(phdr->payload_length, plen); 1048 return 0; 1049 } 1050 1051 1052 static int ikev2_build_auth(struct ikev2_initiator_data *data, 1053 struct wpabuf *msg, u8 next_payload) 1054 { 1055 struct ikev2_payload_hdr *phdr; 1056 size_t plen; 1057 const struct ikev2_prf_alg *prf; 1058 1059 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload"); 1060 1061 prf = ikev2_get_prf(data->proposal.prf); 1062 if (prf == NULL) 1063 return -1; 1064 1065 /* Authentication - RFC 4306, Sect. 3.8 */ 1066 phdr = wpabuf_put(msg, sizeof(*phdr)); 1067 phdr->next_payload = next_payload; 1068 phdr->flags = 0; 1069 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC); 1070 wpabuf_put(msg, 3); /* RESERVED */ 1071 1072 /* msg | Nr | prf(SK_pi,IDi') */ 1073 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg, 1074 data->IDi, data->IDi_len, ID_KEY_ID, 1075 &data->keys, 1, data->shared_secret, 1076 data->shared_secret_len, 1077 data->r_nonce, data->r_nonce_len, 1078 data->key_pad, data->key_pad_len, 1079 wpabuf_put(msg, prf->hash_len)) < 0) { 1080 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 1081 return -1; 1082 } 1083 wpabuf_free(data->i_sign_msg); 1084 data->i_sign_msg = NULL; 1085 1086 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1087 WPA_PUT_BE16(phdr->payload_length, plen); 1088 return 0; 1089 } 1090 1091 1092 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data) 1093 { 1094 struct wpabuf *msg; 1095 1096 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */ 1097 1098 if (os_get_random(data->i_spi, IKEV2_SPI_LEN)) 1099 return NULL; 1100 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 1101 data->i_spi, IKEV2_SPI_LEN); 1102 1103 data->i_nonce_len = IKEV2_NONCE_MIN_LEN; 1104 if (random_get_bytes(data->i_nonce, data->i_nonce_len)) 1105 return NULL; 1106 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len); 1107 1108 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000); 1109 if (msg == NULL) 1110 return NULL; 1111 1112 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0); 1113 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) || 1114 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) || 1115 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1116 wpabuf_free(msg); 1117 return NULL; 1118 } 1119 1120 ikev2_update_hdr(msg); 1121 1122 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg); 1123 1124 wpabuf_free(data->i_sign_msg); 1125 data->i_sign_msg = wpabuf_dup(msg); 1126 1127 return msg; 1128 } 1129 1130 1131 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data) 1132 { 1133 struct wpabuf *msg, *plain; 1134 const u8 *secret; 1135 size_t secret_len; 1136 1137 secret = data->get_shared_secret(data->cb_ctx, data->IDr, 1138 data->IDr_len, &secret_len); 1139 if (secret == NULL) { 1140 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - " 1141 "use fake value"); 1142 /* RFC 5106, Sect. 7: 1143 * Use a random key to fake AUTH generation in order to prevent 1144 * probing of user identities. 1145 */ 1146 data->unknown_user = 1; 1147 os_free(data->shared_secret); 1148 data->shared_secret = os_malloc(16); 1149 if (data->shared_secret == NULL) 1150 return NULL; 1151 data->shared_secret_len = 16; 1152 if (random_get_bytes(data->shared_secret, 16)) 1153 return NULL; 1154 } else { 1155 os_free(data->shared_secret); 1156 data->shared_secret = os_malloc(secret_len); 1157 if (data->shared_secret == NULL) 1158 return NULL; 1159 os_memcpy(data->shared_secret, secret, secret_len); 1160 data->shared_secret_len = secret_len; 1161 } 1162 1163 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */ 1164 1165 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000); 1166 if (msg == NULL) 1167 return NULL; 1168 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1); 1169 1170 plain = wpabuf_alloc(data->IDr_len + 1000); 1171 if (plain == NULL) { 1172 wpabuf_free(msg); 1173 return NULL; 1174 } 1175 1176 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) || 1177 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1178 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ, 1179 &data->keys, 1, msg, plain, 1180 IKEV2_PAYLOAD_IDi)) { 1181 wpabuf_free(plain); 1182 wpabuf_free(msg); 1183 return NULL; 1184 } 1185 wpabuf_free(plain); 1186 1187 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg); 1188 1189 return msg; 1190 } 1191 1192 1193 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data) 1194 { 1195 switch (data->state) { 1196 case SA_INIT: 1197 return ikev2_build_sa_init(data); 1198 case SA_AUTH: 1199 return ikev2_build_sa_auth(data); 1200 case CHILD_SA: 1201 return NULL; 1202 case IKEV2_DONE: 1203 return NULL; 1204 } 1205 return NULL; 1206 } 1207