1/*
2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/dh_groups.h"
13#include "crypto/random.h"
14#include "ikev2.h"
15
16
17void ikev2_responder_deinit(struct ikev2_responder_data *data)
18{
19	ikev2_free_keys(&data->keys);
20	wpabuf_free(data->i_dh_public);
21	wpabuf_free(data->r_dh_private);
22	os_free(data->IDi);
23	os_free(data->IDr);
24	os_free(data->shared_secret);
25	wpabuf_free(data->i_sign_msg);
26	wpabuf_free(data->r_sign_msg);
27	os_free(data->key_pad);
28}
29
30
31static int ikev2_derive_keys(struct ikev2_responder_data *data)
32{
33	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34	size_t buf_len, pad_len;
35	struct wpabuf *shared;
36	const struct ikev2_integ_alg *integ;
37	const struct ikev2_prf_alg *prf;
38	const struct ikev2_encr_alg *encr;
39	int ret;
40	const u8 *addr[2];
41	size_t len[2];
42
43	/* RFC 4306, Sect. 2.14 */
44
45	integ = ikev2_get_integ(data->proposal.integ);
46	prf = ikev2_get_prf(data->proposal.prf);
47	encr = ikev2_get_encr(data->proposal.encr);
48	if (integ == NULL || prf == NULL || encr == NULL) {
49		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
50		return -1;
51	}
52
53	shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
54				  data->dh);
55	if (shared == NULL)
56		return -1;
57
58	/* Construct Ni | Nr | SPIi | SPIr */
59
60	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61	buf = os_malloc(buf_len);
62	if (buf == NULL) {
63		wpabuf_free(shared);
64		return -1;
65	}
66
67	pos = buf;
68	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69	pos += data->i_nonce_len;
70	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71	pos += data->r_nonce_len;
72	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
73	pos += IKEV2_SPI_LEN;
74	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
75#ifdef CCNS_PL
76#if __BYTE_ORDER == __LITTLE_ENDIAN
77	{
78		int i;
79		u8 *tmp = pos - IKEV2_SPI_LEN;
80		/* Incorrect byte re-ordering on little endian hosts.. */
81		for (i = 0; i < IKEV2_SPI_LEN; i++)
82			*tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
83		for (i = 0; i < IKEV2_SPI_LEN; i++)
84			*tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
85	}
86#endif
87#endif /* CCNS_PL */
88
89	/* SKEYSEED = prf(Ni | Nr, g^ir) */
90	/* Use zero-padding per RFC 4306, Sect. 2.14 */
91	pad_len = data->dh->prime_len - wpabuf_len(shared);
92#ifdef CCNS_PL
93	/* Shared secret is not zero-padded correctly */
94	pad_len = 0;
95#endif /* CCNS_PL */
96	pad = os_zalloc(pad_len ? pad_len : 1);
97	if (pad == NULL) {
98		wpabuf_free(shared);
99		os_free(buf);
100		return -1;
101	}
102
103	addr[0] = pad;
104	len[0] = pad_len;
105	addr[1] = wpabuf_head(shared);
106	len[1] = wpabuf_len(shared);
107	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
108			   2, addr, len, skeyseed) < 0) {
109		wpabuf_free(shared);
110		os_free(buf);
111		os_free(pad);
112		return -1;
113	}
114	os_free(pad);
115	wpabuf_free(shared);
116
117	/* DH parameters are not needed anymore, so free them */
118	wpabuf_free(data->i_dh_public);
119	data->i_dh_public = NULL;
120	wpabuf_free(data->r_dh_private);
121	data->r_dh_private = NULL;
122
123	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
124			skeyseed, prf->hash_len);
125
126	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
127				   &data->keys);
128	os_free(buf);
129	return ret;
130}
131
132
133static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
134				 const u8 *pos, const u8 *end)
135{
136	int transform_len;
137	const struct ikev2_transform *t;
138	u16 transform_id;
139	const u8 *tend;
140
141	if (end - pos < (int) sizeof(*t)) {
142		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
143		return -1;
144	}
145
146	t = (const struct ikev2_transform *) pos;
147	transform_len = WPA_GET_BE16(t->transform_length);
148	if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
149		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
150			   transform_len);
151		return -1;
152	}
153	tend = pos + transform_len;
154
155	transform_id = WPA_GET_BE16(t->transform_id);
156
157	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
158	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
159		   "Transform Type: %d  Transform ID: %d",
160		   t->type, transform_len, t->transform_type, transform_id);
161
162	if (t->type != 0 && t->type != 3) {
163		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
164		return -1;
165	}
166
167	pos = (const u8 *) (t + 1);
168	if (pos < tend) {
169		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
170			    pos, tend - pos);
171	}
172
173	switch (t->transform_type) {
174	case IKEV2_TRANSFORM_ENCR:
175		if (ikev2_get_encr(transform_id)) {
176			if (transform_id == ENCR_AES_CBC) {
177				if (tend - pos != 4) {
178					wpa_printf(MSG_DEBUG, "IKEV2: No "
179						   "Transform Attr for AES");
180					break;
181				}
182#ifdef CCNS_PL
183				if (WPA_GET_BE16(pos) != 0x001d /* ?? */) {
184					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
185						   "Key Size attribute for "
186						   "AES");
187					break;
188				}
189#else /* CCNS_PL */
190				if (WPA_GET_BE16(pos) != 0x800e) {
191					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
192						   "Key Size attribute for "
193						   "AES");
194					break;
195				}
196#endif /* CCNS_PL */
197				if (WPA_GET_BE16(pos + 2) != 128) {
198					wpa_printf(MSG_DEBUG, "IKEV2: "
199						   "Unsupported AES key size "
200						   "%d bits",
201						   WPA_GET_BE16(pos + 2));
202					break;
203				}
204			}
205			prop->encr = transform_id;
206		}
207		break;
208	case IKEV2_TRANSFORM_PRF:
209		if (ikev2_get_prf(transform_id))
210			prop->prf = transform_id;
211		break;
212	case IKEV2_TRANSFORM_INTEG:
213		if (ikev2_get_integ(transform_id))
214			prop->integ = transform_id;
215		break;
216	case IKEV2_TRANSFORM_DH:
217		if (dh_groups_get(transform_id))
218			prop->dh = transform_id;
219		break;
220	}
221
222	return transform_len;
223}
224
225
226static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
227				const u8 *pos, const u8 *end)
228{
229	const u8 *pend, *ppos;
230	int proposal_len, i;
231	const struct ikev2_proposal *p;
232
233	if (end - pos < (int) sizeof(*p)) {
234		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
235		return -1;
236	}
237
238	/* FIX: AND processing if multiple proposals use the same # */
239
240	p = (const struct ikev2_proposal *) pos;
241	proposal_len = WPA_GET_BE16(p->proposal_length);
242	if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
243		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
244			   proposal_len);
245		return -1;
246	}
247	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
248		   p->proposal_num);
249	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
250		   " Protocol ID: %d",
251		   p->type, proposal_len, p->protocol_id);
252	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
253		   p->spi_size, p->num_transforms);
254
255	if (p->type != 0 && p->type != 2) {
256		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
257		return -1;
258	}
259
260	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
261		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
262			   "(only IKE allowed for EAP-IKEv2)");
263		return -1;
264	}
265
266	if (p->proposal_num != prop->proposal_num) {
267		if (p->proposal_num == prop->proposal_num + 1)
268			prop->proposal_num = p->proposal_num;
269		else {
270			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
271			return -1;
272		}
273	}
274
275	ppos = (const u8 *) (p + 1);
276	pend = pos + proposal_len;
277	if (ppos + p->spi_size > pend) {
278		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
279			   "in proposal");
280		return -1;
281	}
282	if (p->spi_size) {
283		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
284			    ppos, p->spi_size);
285		ppos += p->spi_size;
286	}
287
288	/*
289	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
290	 * subsequent negotiations, it must be 8 for IKE. We only support
291	 * initial case for now.
292	 */
293	if (p->spi_size != 0) {
294		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
295		return -1;
296	}
297
298	if (p->num_transforms == 0) {
299		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
300		return -1;
301	}
302
303	for (i = 0; i < (int) p->num_transforms; i++) {
304		int tlen = ikev2_parse_transform(prop, ppos, pend);
305		if (tlen < 0)
306			return -1;
307		ppos += tlen;
308	}
309
310	if (ppos != pend) {
311		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
312			   "transforms");
313		return -1;
314	}
315
316	return proposal_len;
317}
318
319
320static int ikev2_process_sai1(struct ikev2_responder_data *data,
321			      const u8 *sai1, size_t sai1_len)
322{
323	struct ikev2_proposal_data prop;
324	const u8 *pos, *end;
325	int found = 0;
326
327	/* Security Association Payloads: <Proposals> */
328
329	if (sai1 == NULL) {
330		wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
331		return -1;
332	}
333
334	os_memset(&prop, 0, sizeof(prop));
335	prop.proposal_num = 1;
336
337	pos = sai1;
338	end = sai1 + sai1_len;
339
340	while (pos < end) {
341		int plen;
342
343		prop.integ = -1;
344		prop.prf = -1;
345		prop.encr = -1;
346		prop.dh = -1;
347		plen = ikev2_parse_proposal(&prop, pos, end);
348		if (plen < 0)
349			return -1;
350
351		if (!found && prop.integ != -1 && prop.prf != -1 &&
352		    prop.encr != -1 && prop.dh != -1) {
353			os_memcpy(&data->proposal, &prop, sizeof(prop));
354			data->dh = dh_groups_get(prop.dh);
355			found = 1;
356		}
357
358		pos += plen;
359	}
360
361	if (pos != end) {
362		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
363		return -1;
364	}
365
366	if (!found) {
367		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
368		return -1;
369	}
370
371	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
372		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
373		   data->proposal.encr, data->proposal.prf,
374		   data->proposal.integ, data->proposal.dh);
375
376	return 0;
377}
378
379
380static int ikev2_process_kei(struct ikev2_responder_data *data,
381			     const u8 *kei, size_t kei_len)
382{
383	u16 group;
384
385	/*
386	 * Key Exchange Payload:
387	 * DH Group # (16 bits)
388	 * RESERVED (16 bits)
389	 * Key Exchange Data (Diffie-Hellman public value)
390	 */
391
392	if (kei == NULL) {
393		wpa_printf(MSG_INFO, "IKEV2: KEi not received");
394		return -1;
395	}
396
397	if (kei_len < 4 + 96) {
398		wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
399		return -1;
400	}
401
402	group = WPA_GET_BE16(kei);
403	wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
404
405	if (group != data->proposal.dh) {
406		wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
407			   "with the selected proposal (%u)",
408			   group, data->proposal.dh);
409		/* Reject message with Notify payload of type
410		 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
411		data->error_type = INVALID_KE_PAYLOAD;
412		data->state = NOTIFY;
413		return -1;
414	}
415
416	if (data->dh == NULL) {
417		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
418		return -1;
419	}
420
421	/* RFC 4306, Section 3.4:
422	 * The length of DH public value MUST be equal to the length of the
423	 * prime modulus.
424	 */
425	if (kei_len - 4 != data->dh->prime_len) {
426		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
427			   "%ld (expected %ld)",
428			   (long) (kei_len - 4), (long) data->dh->prime_len);
429		return -1;
430	}
431
432	wpabuf_free(data->i_dh_public);
433	data->i_dh_public = wpabuf_alloc(kei_len - 4);
434	if (data->i_dh_public == NULL)
435		return -1;
436	wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
437
438	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
439			data->i_dh_public);
440
441	return 0;
442}
443
444
445static int ikev2_process_ni(struct ikev2_responder_data *data,
446			    const u8 *ni, size_t ni_len)
447{
448	if (ni == NULL) {
449		wpa_printf(MSG_INFO, "IKEV2: Ni not received");
450		return -1;
451	}
452
453	if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
454		wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
455		           (long) ni_len);
456		return -1;
457	}
458
459#ifdef CCNS_PL
460	/* Zeros are removed incorrectly from the beginning of the nonces */
461	while (ni_len > 1 && *ni == 0) {
462		ni_len--;
463		ni++;
464	}
465#endif /* CCNS_PL */
466
467	data->i_nonce_len = ni_len;
468	os_memcpy(data->i_nonce, ni, ni_len);
469	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
470		    data->i_nonce, data->i_nonce_len);
471
472	return 0;
473}
474
475
476static int ikev2_process_sa_init(struct ikev2_responder_data *data,
477				 const struct ikev2_hdr *hdr,
478				 struct ikev2_payloads *pl)
479{
480	if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
481	    ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
482	    ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
483		return -1;
484
485	os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
486
487	return 0;
488}
489
490
491static int ikev2_process_idi(struct ikev2_responder_data *data,
492			     const u8 *idi, size_t idi_len)
493{
494	u8 id_type;
495
496	if (idi == NULL) {
497		wpa_printf(MSG_INFO, "IKEV2: No IDi received");
498		return -1;
499	}
500
501	if (idi_len < 4) {
502		wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
503		return -1;
504	}
505
506	id_type = idi[0];
507	idi += 4;
508	idi_len -= 4;
509
510	wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
511	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
512	os_free(data->IDi);
513	data->IDi = os_malloc(idi_len);
514	if (data->IDi == NULL)
515		return -1;
516	os_memcpy(data->IDi, idi, idi_len);
517	data->IDi_len = idi_len;
518	data->IDi_type = id_type;
519
520	return 0;
521}
522
523
524static int ikev2_process_cert(struct ikev2_responder_data *data,
525			      const u8 *cert, size_t cert_len)
526{
527	u8 cert_encoding;
528
529	if (cert == NULL) {
530		if (data->peer_auth == PEER_AUTH_CERT) {
531			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
532			return -1;
533		}
534		return 0;
535	}
536
537	if (cert_len < 1) {
538		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
539		return -1;
540	}
541
542	cert_encoding = cert[0];
543	cert++;
544	cert_len--;
545
546	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
547	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
548
549	/* TODO: validate certificate */
550
551	return 0;
552}
553
554
555static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
556				   u8 method, const u8 *auth, size_t auth_len)
557{
558	if (method != AUTH_RSA_SIGN) {
559		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
560			   "method %d", method);
561		return -1;
562	}
563
564	/* TODO: validate AUTH */
565	return 0;
566}
567
568
569static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
570				     u8 method, const u8 *auth,
571				     size_t auth_len)
572{
573	u8 auth_data[IKEV2_MAX_HASH_LEN];
574	const struct ikev2_prf_alg *prf;
575
576	if (method != AUTH_SHARED_KEY_MIC) {
577		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
578			   "method %d", method);
579		return -1;
580	}
581
582	/* msg | Nr | prf(SK_pi,IDi') */
583	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
584				   data->IDi, data->IDi_len, data->IDi_type,
585				   &data->keys, 1, data->shared_secret,
586				   data->shared_secret_len,
587				   data->r_nonce, data->r_nonce_len,
588				   data->key_pad, data->key_pad_len,
589				   auth_data) < 0) {
590		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
591		return -1;
592	}
593
594	wpabuf_free(data->i_sign_msg);
595	data->i_sign_msg = NULL;
596
597	prf = ikev2_get_prf(data->proposal.prf);
598	if (prf == NULL)
599		return -1;
600
601	if (auth_len != prf->hash_len ||
602	    os_memcmp(auth, auth_data, auth_len) != 0) {
603		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
604		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
605			    auth, auth_len);
606		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
607			    auth_data, prf->hash_len);
608		data->error_type = AUTHENTICATION_FAILED;
609		data->state = NOTIFY;
610		return -1;
611	}
612
613	wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
614		   "using shared keys");
615
616	return 0;
617}
618
619
620static int ikev2_process_auth(struct ikev2_responder_data *data,
621			      const u8 *auth, size_t auth_len)
622{
623	u8 auth_method;
624
625	if (auth == NULL) {
626		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
627		return -1;
628	}
629
630	if (auth_len < 4) {
631		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
632			   "Payload");
633		return -1;
634	}
635
636	auth_method = auth[0];
637	auth += 4;
638	auth_len -= 4;
639
640	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
641	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
642
643	switch (data->peer_auth) {
644	case PEER_AUTH_CERT:
645		return ikev2_process_auth_cert(data, auth_method, auth,
646					       auth_len);
647	case PEER_AUTH_SECRET:
648		return ikev2_process_auth_secret(data, auth_method, auth,
649						 auth_len);
650	}
651
652	return -1;
653}
654
655
656static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
657					   u8 next_payload,
658					   u8 *payload, size_t payload_len)
659{
660	struct ikev2_payloads pl;
661
662	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
663
664	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
665				 payload_len) < 0) {
666		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
667			   "payloads");
668		return -1;
669	}
670
671	if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
672	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
673	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
674		return -1;
675
676	return 0;
677}
678
679
680static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
681				 const struct ikev2_hdr *hdr,
682				 struct ikev2_payloads *pl)
683{
684	u8 *decrypted;
685	size_t decrypted_len;
686	int ret;
687
688	decrypted = ikev2_decrypt_payload(data->proposal.encr,
689					  data->proposal.integ,
690					  &data->keys, 1, hdr, pl->encrypted,
691					  pl->encrypted_len, &decrypted_len);
692	if (decrypted == NULL)
693		return -1;
694
695	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
696					      decrypted, decrypted_len);
697	os_free(decrypted);
698
699	return ret;
700}
701
702
703static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
704				   u8 exchange_type, u32 message_id)
705{
706	switch (data->state) {
707	case SA_INIT:
708		/* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
709		if (exchange_type != IKE_SA_INIT) {
710			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
711				   "%u in SA_INIT state", exchange_type);
712			return -1;
713		}
714		if (message_id != 0) {
715			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
716				   "in SA_INIT state", message_id);
717			return -1;
718		}
719		break;
720	case SA_AUTH:
721		/* Expect to receive IKE_SA_AUTH:
722		 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
723		 *	AUTH, SAi2, TSi, TSr}
724		 */
725		if (exchange_type != IKE_SA_AUTH) {
726			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
727				   "%u in SA_AUTH state", exchange_type);
728			return -1;
729		}
730		if (message_id != 1) {
731			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
732				   "in SA_AUTH state", message_id);
733			return -1;
734		}
735		break;
736	case CHILD_SA:
737		if (exchange_type != CREATE_CHILD_SA) {
738			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
739				   "%u in CHILD_SA state", exchange_type);
740			return -1;
741		}
742		if (message_id != 2) {
743			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
744				   "in CHILD_SA state", message_id);
745			return -1;
746		}
747		break;
748	case NOTIFY:
749	case IKEV2_DONE:
750	case IKEV2_FAILED:
751		return -1;
752	}
753
754	return 0;
755}
756
757
758int ikev2_responder_process(struct ikev2_responder_data *data,
759			    const struct wpabuf *buf)
760{
761	const struct ikev2_hdr *hdr;
762	u32 length, message_id;
763	const u8 *pos, *end;
764	struct ikev2_payloads pl;
765
766	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
767		   (unsigned long) wpabuf_len(buf));
768
769	if (wpabuf_len(buf) < sizeof(*hdr)) {
770		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
771		return -1;
772	}
773
774	data->error_type = 0;
775	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
776	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
777	message_id = WPA_GET_BE32(hdr->message_id);
778	length = WPA_GET_BE32(hdr->length);
779
780	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
781		    hdr->i_spi, IKEV2_SPI_LEN);
782	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Responder's SPI",
783		    hdr->r_spi, IKEV2_SPI_LEN);
784	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
785		   "Exchange Type: %u",
786		   hdr->next_payload, hdr->version, hdr->exchange_type);
787	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
788		   message_id, length);
789
790	if (hdr->version != IKEV2_VERSION) {
791		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
792			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
793		return -1;
794	}
795
796	if (length != wpabuf_len(buf)) {
797		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
798			   "RX: %lu)", (unsigned long) length,
799			   (unsigned long) wpabuf_len(buf));
800		return -1;
801	}
802
803	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
804		return -1;
805
806	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
807	    IKEV2_HDR_INITIATOR) {
808		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
809			   hdr->flags);
810		return -1;
811	}
812
813	if (data->state != SA_INIT) {
814		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
815			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
816				   "Initiator's SPI");
817			return -1;
818		}
819		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
820			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
821				   "Responder's SPI");
822			return -1;
823		}
824	}
825
826	pos = (const u8 *) (hdr + 1);
827	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
828		return -1;
829
830	if (data->state == SA_INIT) {
831		data->last_msg = LAST_MSG_SA_INIT;
832		if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
833			if (data->state == NOTIFY)
834				return 0;
835			return -1;
836		}
837		wpabuf_free(data->i_sign_msg);
838		data->i_sign_msg = wpabuf_dup(buf);
839	}
840
841	if (data->state == SA_AUTH) {
842		data->last_msg = LAST_MSG_SA_AUTH;
843		if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
844			if (data->state == NOTIFY)
845				return 0;
846			return -1;
847		}
848	}
849
850	return 0;
851}
852
853
854static void ikev2_build_hdr(struct ikev2_responder_data *data,
855			    struct wpabuf *msg, u8 exchange_type,
856			    u8 next_payload, u32 message_id)
857{
858	struct ikev2_hdr *hdr;
859
860	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
861
862	/* HDR - RFC 4306, Sect. 3.1 */
863	hdr = wpabuf_put(msg, sizeof(*hdr));
864	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
865	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
866	hdr->next_payload = next_payload;
867	hdr->version = IKEV2_VERSION;
868	hdr->exchange_type = exchange_type;
869	hdr->flags = IKEV2_HDR_RESPONSE;
870	WPA_PUT_BE32(hdr->message_id, message_id);
871}
872
873
874static int ikev2_build_sar1(struct ikev2_responder_data *data,
875			    struct wpabuf *msg, u8 next_payload)
876{
877	struct ikev2_payload_hdr *phdr;
878	size_t plen;
879	struct ikev2_proposal *p;
880	struct ikev2_transform *t;
881
882	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
883
884	/* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
885	phdr = wpabuf_put(msg, sizeof(*phdr));
886	phdr->next_payload = next_payload;
887	phdr->flags = 0;
888
889	p = wpabuf_put(msg, sizeof(*p));
890#ifdef CCNS_PL
891	/* Seems to require that the Proposal # is 1 even though RFC 4306
892	 * Sect 3.3.1 has following requirement "When a proposal is accepted,
893	 * all of the proposal numbers in the SA payload MUST be the same and
894	 * MUST match the number on the proposal sent that was accepted.".
895	 */
896	p->proposal_num = 1;
897#else /* CCNS_PL */
898	p->proposal_num = data->proposal.proposal_num;
899#endif /* CCNS_PL */
900	p->protocol_id = IKEV2_PROTOCOL_IKE;
901	p->num_transforms = 4;
902
903	t = wpabuf_put(msg, sizeof(*t));
904	t->type = 3;
905	t->transform_type = IKEV2_TRANSFORM_ENCR;
906	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
907	if (data->proposal.encr == ENCR_AES_CBC) {
908		/* Transform Attribute: Key Len = 128 bits */
909#ifdef CCNS_PL
910		wpabuf_put_be16(msg, 0x001d); /* ?? */
911#else /* CCNS_PL */
912		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
913#endif /* CCNS_PL */
914		wpabuf_put_be16(msg, 128); /* 128-bit key */
915	}
916	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
917	WPA_PUT_BE16(t->transform_length, plen);
918
919	t = wpabuf_put(msg, sizeof(*t));
920	t->type = 3;
921	WPA_PUT_BE16(t->transform_length, sizeof(*t));
922	t->transform_type = IKEV2_TRANSFORM_PRF;
923	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
924
925	t = wpabuf_put(msg, sizeof(*t));
926	t->type = 3;
927	WPA_PUT_BE16(t->transform_length, sizeof(*t));
928	t->transform_type = IKEV2_TRANSFORM_INTEG;
929	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
930
931	t = wpabuf_put(msg, sizeof(*t));
932	WPA_PUT_BE16(t->transform_length, sizeof(*t));
933	t->transform_type = IKEV2_TRANSFORM_DH;
934	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
935
936	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
937	WPA_PUT_BE16(p->proposal_length, plen);
938
939	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
940	WPA_PUT_BE16(phdr->payload_length, plen);
941
942	return 0;
943}
944
945
946static int ikev2_build_ker(struct ikev2_responder_data *data,
947			   struct wpabuf *msg, u8 next_payload)
948{
949	struct ikev2_payload_hdr *phdr;
950	size_t plen;
951	struct wpabuf *pv;
952
953	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
954
955	pv = dh_init(data->dh, &data->r_dh_private);
956	if (pv == NULL) {
957		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
958		return -1;
959	}
960
961	/* KEr - RFC 4306, Sect. 3.4 */
962	phdr = wpabuf_put(msg, sizeof(*phdr));
963	phdr->next_payload = next_payload;
964	phdr->flags = 0;
965
966	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
967	wpabuf_put(msg, 2); /* RESERVED */
968	/*
969	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
970	 * match the length of the prime.
971	 */
972	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
973	wpabuf_put_buf(msg, pv);
974	wpabuf_free(pv);
975
976	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
977	WPA_PUT_BE16(phdr->payload_length, plen);
978	return 0;
979}
980
981
982static int ikev2_build_nr(struct ikev2_responder_data *data,
983			  struct wpabuf *msg, u8 next_payload)
984{
985	struct ikev2_payload_hdr *phdr;
986	size_t plen;
987
988	wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
989
990	/* Nr - RFC 4306, Sect. 3.9 */
991	phdr = wpabuf_put(msg, sizeof(*phdr));
992	phdr->next_payload = next_payload;
993	phdr->flags = 0;
994	wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
995	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
996	WPA_PUT_BE16(phdr->payload_length, plen);
997	return 0;
998}
999
1000
1001static int ikev2_build_idr(struct ikev2_responder_data *data,
1002			   struct wpabuf *msg, u8 next_payload)
1003{
1004	struct ikev2_payload_hdr *phdr;
1005	size_t plen;
1006
1007	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
1008
1009	if (data->IDr == NULL) {
1010		wpa_printf(MSG_INFO, "IKEV2: No IDr available");
1011		return -1;
1012	}
1013
1014	/* IDr - RFC 4306, Sect. 3.5 */
1015	phdr = wpabuf_put(msg, sizeof(*phdr));
1016	phdr->next_payload = next_payload;
1017	phdr->flags = 0;
1018	wpabuf_put_u8(msg, ID_KEY_ID);
1019	wpabuf_put(msg, 3); /* RESERVED */
1020	wpabuf_put_data(msg, data->IDr, data->IDr_len);
1021	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1022	WPA_PUT_BE16(phdr->payload_length, plen);
1023	return 0;
1024}
1025
1026
1027static int ikev2_build_auth(struct ikev2_responder_data *data,
1028			    struct wpabuf *msg, u8 next_payload)
1029{
1030	struct ikev2_payload_hdr *phdr;
1031	size_t plen;
1032	const struct ikev2_prf_alg *prf;
1033
1034	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1035
1036	prf = ikev2_get_prf(data->proposal.prf);
1037	if (prf == NULL)
1038		return -1;
1039
1040	/* Authentication - RFC 4306, Sect. 3.8 */
1041	phdr = wpabuf_put(msg, sizeof(*phdr));
1042	phdr->next_payload = next_payload;
1043	phdr->flags = 0;
1044	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1045	wpabuf_put(msg, 3); /* RESERVED */
1046
1047	/* msg | Ni | prf(SK_pr,IDr') */
1048	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1049				   data->IDr, data->IDr_len, ID_KEY_ID,
1050				   &data->keys, 0, data->shared_secret,
1051				   data->shared_secret_len,
1052				   data->i_nonce, data->i_nonce_len,
1053				   data->key_pad, data->key_pad_len,
1054				   wpabuf_put(msg, prf->hash_len)) < 0) {
1055		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1056		return -1;
1057	}
1058	wpabuf_free(data->r_sign_msg);
1059	data->r_sign_msg = NULL;
1060
1061	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1062	WPA_PUT_BE16(phdr->payload_length, plen);
1063	return 0;
1064}
1065
1066
1067static int ikev2_build_notification(struct ikev2_responder_data *data,
1068				    struct wpabuf *msg, u8 next_payload)
1069{
1070	struct ikev2_payload_hdr *phdr;
1071	size_t plen;
1072
1073	wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1074
1075	if (data->error_type == 0) {
1076		wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1077			   "available");
1078		return -1;
1079	}
1080
1081	/* Notify - RFC 4306, Sect. 3.10 */
1082	phdr = wpabuf_put(msg, sizeof(*phdr));
1083	phdr->next_payload = next_payload;
1084	phdr->flags = 0;
1085#ifdef CCNS_PL
1086	wpabuf_put_u8(msg, 1); /* Protocol ID: IKE_SA notification */
1087#else /* CCNS_PL */
1088	wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1089#endif /* CCNS_PL */
1090	wpabuf_put_u8(msg, 0); /* SPI Size */
1091	wpabuf_put_be16(msg, data->error_type);
1092
1093	switch (data->error_type) {
1094	case INVALID_KE_PAYLOAD:
1095		if (data->proposal.dh == -1) {
1096			wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1097				   "INVALID_KE_PAYLOAD notifications");
1098			return -1;
1099		}
1100		wpabuf_put_be16(msg, data->proposal.dh);
1101		wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1102			   "DH Group #%d", data->proposal.dh);
1103		break;
1104	case AUTHENTICATION_FAILED:
1105		/* no associated data */
1106		break;
1107	default:
1108		wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1109			   "%d", data->error_type);
1110		return -1;
1111	}
1112
1113	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1114	WPA_PUT_BE16(phdr->payload_length, plen);
1115	return 0;
1116}
1117
1118
1119static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1120{
1121	struct wpabuf *msg;
1122
1123	/* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1124
1125	if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1126		return NULL;
1127	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1128		    data->r_spi, IKEV2_SPI_LEN);
1129
1130	data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1131	if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1132		return NULL;
1133#ifdef CCNS_PL
1134	/* Zeros are removed incorrectly from the beginning of the nonces in
1135	 * key derivation; as a workaround, make sure Nr does not start with
1136	 * zero.. */
1137	if (data->r_nonce[0] == 0)
1138		data->r_nonce[0] = 1;
1139#endif /* CCNS_PL */
1140	wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1141
1142	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1143	if (msg == NULL)
1144		return NULL;
1145
1146	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1147	if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1148	    ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1149	    ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1150			   IKEV2_PAYLOAD_ENCRYPTED :
1151			   IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1152		wpabuf_free(msg);
1153		return NULL;
1154	}
1155
1156	if (ikev2_derive_keys(data)) {
1157		wpabuf_free(msg);
1158		return NULL;
1159	}
1160
1161	if (data->peer_auth == PEER_AUTH_CERT) {
1162		/* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1163		 * for trust agents */
1164	}
1165
1166	if (data->peer_auth == PEER_AUTH_SECRET) {
1167		struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1168		if (plain == NULL) {
1169			wpabuf_free(msg);
1170			return NULL;
1171		}
1172		if (ikev2_build_idr(data, plain,
1173				    IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1174		    ikev2_build_encrypted(data->proposal.encr,
1175					  data->proposal.integ,
1176					  &data->keys, 0, msg, plain,
1177					  IKEV2_PAYLOAD_IDr)) {
1178			wpabuf_free(plain);
1179			wpabuf_free(msg);
1180			return NULL;
1181		}
1182		wpabuf_free(plain);
1183	}
1184
1185	ikev2_update_hdr(msg);
1186
1187	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1188
1189	data->state = SA_AUTH;
1190
1191	wpabuf_free(data->r_sign_msg);
1192	data->r_sign_msg = wpabuf_dup(msg);
1193
1194	return msg;
1195}
1196
1197
1198static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1199{
1200	struct wpabuf *msg, *plain;
1201
1202	/* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1203
1204	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1205	if (msg == NULL)
1206		return NULL;
1207	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1208
1209	plain = wpabuf_alloc(data->IDr_len + 1000);
1210	if (plain == NULL) {
1211		wpabuf_free(msg);
1212		return NULL;
1213	}
1214
1215	if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1216	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1217	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1218				  &data->keys, 0, msg, plain,
1219				  IKEV2_PAYLOAD_IDr)) {
1220		wpabuf_free(plain);
1221		wpabuf_free(msg);
1222		return NULL;
1223	}
1224	wpabuf_free(plain);
1225
1226	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1227
1228	data->state = IKEV2_DONE;
1229
1230	return msg;
1231}
1232
1233
1234static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1235{
1236	struct wpabuf *msg;
1237
1238	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1239	if (msg == NULL)
1240		return NULL;
1241	if (data->last_msg == LAST_MSG_SA_AUTH) {
1242		/* HDR, SK{N} */
1243		struct wpabuf *plain = wpabuf_alloc(100);
1244		if (plain == NULL) {
1245			wpabuf_free(msg);
1246			return NULL;
1247		}
1248		ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1249				IKEV2_PAYLOAD_ENCRYPTED, 1);
1250		if (ikev2_build_notification(data, plain,
1251					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1252		    ikev2_build_encrypted(data->proposal.encr,
1253					  data->proposal.integ,
1254					  &data->keys, 0, msg, plain,
1255					  IKEV2_PAYLOAD_NOTIFICATION)) {
1256			wpabuf_free(plain);
1257			wpabuf_free(msg);
1258			return NULL;
1259		}
1260		data->state = IKEV2_FAILED;
1261	} else {
1262		/* HDR, N */
1263		ikev2_build_hdr(data, msg, IKE_SA_INIT,
1264				IKEV2_PAYLOAD_NOTIFICATION, 0);
1265		if (ikev2_build_notification(data, msg,
1266					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1267			wpabuf_free(msg);
1268			return NULL;
1269		}
1270		data->state = SA_INIT;
1271	}
1272
1273	ikev2_update_hdr(msg);
1274
1275	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1276			msg);
1277
1278	return msg;
1279}
1280
1281
1282struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1283{
1284	switch (data->state) {
1285	case SA_INIT:
1286		return ikev2_build_sa_init(data);
1287	case SA_AUTH:
1288		return ikev2_build_sa_auth(data);
1289	case CHILD_SA:
1290		return NULL;
1291	case NOTIFY:
1292		return ikev2_build_notify(data);
1293	case IKEV2_DONE:
1294	case IKEV2_FAILED:
1295		return NULL;
1296	}
1297	return NULL;
1298}
1299