1/* 2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2 3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/dh_groups.h" 13#include "crypto/random.h" 14#include "ikev2.h" 15 16 17static int ikev2_process_idr(struct ikev2_initiator_data *data, 18 const u8 *idr, size_t idr_len); 19 20 21void ikev2_initiator_deinit(struct ikev2_initiator_data *data) 22{ 23 ikev2_free_keys(&data->keys); 24 wpabuf_free(data->r_dh_public); 25 wpabuf_free(data->i_dh_private); 26 os_free(data->IDi); 27 os_free(data->IDr); 28 os_free(data->shared_secret); 29 wpabuf_free(data->i_sign_msg); 30 wpabuf_free(data->r_sign_msg); 31 os_free(data->key_pad); 32} 33 34 35static int ikev2_derive_keys(struct ikev2_initiator_data *data) 36{ 37 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; 38 size_t buf_len, pad_len; 39 struct wpabuf *shared; 40 const struct ikev2_integ_alg *integ; 41 const struct ikev2_prf_alg *prf; 42 const struct ikev2_encr_alg *encr; 43 int ret; 44 const u8 *addr[2]; 45 size_t len[2]; 46 47 /* RFC 4306, Sect. 2.14 */ 48 49 integ = ikev2_get_integ(data->proposal.integ); 50 prf = ikev2_get_prf(data->proposal.prf); 51 encr = ikev2_get_encr(data->proposal.encr); 52 if (integ == NULL || prf == NULL || encr == NULL) { 53 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal"); 54 return -1; 55 } 56 57 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private, 58 data->dh); 59 if (shared == NULL) 60 return -1; 61 62 /* Construct Ni | Nr | SPIi | SPIr */ 63 64 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; 65 buf = os_malloc(buf_len); 66 if (buf == NULL) { 67 wpabuf_free(shared); 68 return -1; 69 } 70 71 pos = buf; 72 os_memcpy(pos, data->i_nonce, data->i_nonce_len); 73 pos += data->i_nonce_len; 74 os_memcpy(pos, data->r_nonce, data->r_nonce_len); 75 pos += data->r_nonce_len; 76 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); 77 pos += IKEV2_SPI_LEN; 78 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); 79 80 /* SKEYSEED = prf(Ni | Nr, g^ir) */ 81 82 /* Use zero-padding per RFC 4306, Sect. 2.14 */ 83 pad_len = data->dh->prime_len - wpabuf_len(shared); 84 pad = os_zalloc(pad_len ? pad_len : 1); 85 if (pad == NULL) { 86 wpabuf_free(shared); 87 os_free(buf); 88 return -1; 89 } 90 addr[0] = pad; 91 len[0] = pad_len; 92 addr[1] = wpabuf_head(shared); 93 len[1] = wpabuf_len(shared); 94 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 95 2, addr, len, skeyseed) < 0) { 96 wpabuf_free(shared); 97 os_free(buf); 98 os_free(pad); 99 return -1; 100 } 101 os_free(pad); 102 wpabuf_free(shared); 103 104 /* DH parameters are not needed anymore, so free them */ 105 wpabuf_free(data->r_dh_public); 106 data->r_dh_public = NULL; 107 wpabuf_free(data->i_dh_private); 108 data->i_dh_private = NULL; 109 110 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", 111 skeyseed, prf->hash_len); 112 113 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, 114 &data->keys); 115 os_free(buf); 116 return ret; 117} 118 119 120static int ikev2_parse_transform(struct ikev2_initiator_data *data, 121 struct ikev2_proposal_data *prop, 122 const u8 *pos, const u8 *end) 123{ 124 int transform_len; 125 const struct ikev2_transform *t; 126 u16 transform_id; 127 const u8 *tend; 128 129 if (end - pos < (int) sizeof(*t)) { 130 wpa_printf(MSG_INFO, "IKEV2: Too short transform"); 131 return -1; 132 } 133 134 t = (const struct ikev2_transform *) pos; 135 transform_len = WPA_GET_BE16(t->transform_length); 136 if (transform_len < (int) sizeof(*t) || transform_len > end - pos) { 137 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d", 138 transform_len); 139 return -1; 140 } 141 tend = pos + transform_len; 142 143 transform_id = WPA_GET_BE16(t->transform_id); 144 145 wpa_printf(MSG_DEBUG, "IKEV2: Transform:"); 146 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d " 147 "Transform Type: %d Transform ID: %d", 148 t->type, transform_len, t->transform_type, transform_id); 149 150 if (t->type != 0 && t->type != 3) { 151 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type"); 152 return -1; 153 } 154 155 pos = (const u8 *) (t + 1); 156 if (pos < tend) { 157 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes", 158 pos, tend - pos); 159 } 160 161 switch (t->transform_type) { 162 case IKEV2_TRANSFORM_ENCR: 163 if (ikev2_get_encr(transform_id) && 164 transform_id == data->proposal.encr) { 165 if (transform_id == ENCR_AES_CBC) { 166 if (tend - pos != 4) { 167 wpa_printf(MSG_DEBUG, "IKEV2: No " 168 "Transform Attr for AES"); 169 break; 170 } 171 if (WPA_GET_BE16(pos) != 0x800e) { 172 wpa_printf(MSG_DEBUG, "IKEV2: Not a " 173 "Key Size attribute for " 174 "AES"); 175 break; 176 } 177 if (WPA_GET_BE16(pos + 2) != 128) { 178 wpa_printf(MSG_DEBUG, "IKEV2: " 179 "Unsupported AES key size " 180 "%d bits", 181 WPA_GET_BE16(pos + 2)); 182 break; 183 } 184 } 185 prop->encr = transform_id; 186 } 187 break; 188 case IKEV2_TRANSFORM_PRF: 189 if (ikev2_get_prf(transform_id) && 190 transform_id == data->proposal.prf) 191 prop->prf = transform_id; 192 break; 193 case IKEV2_TRANSFORM_INTEG: 194 if (ikev2_get_integ(transform_id) && 195 transform_id == data->proposal.integ) 196 prop->integ = transform_id; 197 break; 198 case IKEV2_TRANSFORM_DH: 199 if (dh_groups_get(transform_id) && 200 transform_id == data->proposal.dh) 201 prop->dh = transform_id; 202 break; 203 } 204 205 return transform_len; 206} 207 208 209static int ikev2_parse_proposal(struct ikev2_initiator_data *data, 210 struct ikev2_proposal_data *prop, 211 const u8 *pos, const u8 *end) 212{ 213 const u8 *pend, *ppos; 214 int proposal_len, i; 215 const struct ikev2_proposal *p; 216 217 if (end - pos < (int) sizeof(*p)) { 218 wpa_printf(MSG_INFO, "IKEV2: Too short proposal"); 219 return -1; 220 } 221 222 p = (const struct ikev2_proposal *) pos; 223 proposal_len = WPA_GET_BE16(p->proposal_length); 224 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) { 225 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d", 226 proposal_len); 227 return -1; 228 } 229 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d", 230 p->proposal_num); 231 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d " 232 " Protocol ID: %d", 233 p->type, proposal_len, p->protocol_id); 234 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d", 235 p->spi_size, p->num_transforms); 236 237 if (p->type != 0 && p->type != 2) { 238 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type"); 239 return -1; 240 } 241 242 if (p->protocol_id != IKEV2_PROTOCOL_IKE) { 243 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID " 244 "(only IKE allowed for EAP-IKEv2)"); 245 return -1; 246 } 247 248 if (p->proposal_num != prop->proposal_num) { 249 if (p->proposal_num == prop->proposal_num + 1) 250 prop->proposal_num = p->proposal_num; 251 else { 252 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #"); 253 return -1; 254 } 255 } 256 257 ppos = (const u8 *) (p + 1); 258 pend = pos + proposal_len; 259 if (p->spi_size > pend - ppos) { 260 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI " 261 "in proposal"); 262 return -1; 263 } 264 if (p->spi_size) { 265 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI", 266 ppos, p->spi_size); 267 ppos += p->spi_size; 268 } 269 270 /* 271 * For initial IKE_SA negotiation, SPI Size MUST be zero; for 272 * subsequent negotiations, it must be 8 for IKE. We only support 273 * initial case for now. 274 */ 275 if (p->spi_size != 0) { 276 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size"); 277 return -1; 278 } 279 280 if (p->num_transforms == 0) { 281 wpa_printf(MSG_INFO, "IKEV2: At least one transform required"); 282 return -1; 283 } 284 285 for (i = 0; i < (int) p->num_transforms; i++) { 286 int tlen = ikev2_parse_transform(data, prop, ppos, pend); 287 if (tlen < 0) 288 return -1; 289 ppos += tlen; 290 } 291 292 if (ppos != pend) { 293 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after " 294 "transforms"); 295 return -1; 296 } 297 298 return proposal_len; 299} 300 301 302static int ikev2_process_sar1(struct ikev2_initiator_data *data, 303 const u8 *sar1, size_t sar1_len) 304{ 305 struct ikev2_proposal_data prop; 306 const u8 *pos, *end; 307 int found = 0; 308 309 /* Security Association Payloads: <Proposals> */ 310 311 if (sar1 == NULL) { 312 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received"); 313 return -1; 314 } 315 316 os_memset(&prop, 0, sizeof(prop)); 317 prop.proposal_num = 1; 318 319 pos = sar1; 320 end = sar1 + sar1_len; 321 322 while (pos < end) { 323 int plen; 324 325 prop.integ = -1; 326 prop.prf = -1; 327 prop.encr = -1; 328 prop.dh = -1; 329 plen = ikev2_parse_proposal(data, &prop, pos, end); 330 if (plen < 0) 331 return -1; 332 333 if (!found && prop.integ != -1 && prop.prf != -1 && 334 prop.encr != -1 && prop.dh != -1) { 335 found = 1; 336 } 337 338 pos += plen; 339 340 /* Only one proposal expected in SAr */ 341 break; 342 } 343 344 if (pos != end) { 345 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal"); 346 return -1; 347 } 348 349 if (!found) { 350 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found"); 351 return -1; 352 } 353 354 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d " 355 "INTEG:%d D-H:%d", data->proposal.proposal_num, 356 data->proposal.encr, data->proposal.prf, 357 data->proposal.integ, data->proposal.dh); 358 359 return 0; 360} 361 362 363static int ikev2_process_ker(struct ikev2_initiator_data *data, 364 const u8 *ker, size_t ker_len) 365{ 366 u16 group; 367 368 /* 369 * Key Exchange Payload: 370 * DH Group # (16 bits) 371 * RESERVED (16 bits) 372 * Key Exchange Data (Diffie-Hellman public value) 373 */ 374 375 if (ker == NULL) { 376 wpa_printf(MSG_INFO, "IKEV2: KEr not received"); 377 return -1; 378 } 379 380 if (ker_len < 4 + 96) { 381 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload"); 382 return -1; 383 } 384 385 group = WPA_GET_BE16(ker); 386 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group); 387 388 if (group != data->proposal.dh) { 389 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match " 390 "with the selected proposal (%u)", 391 group, data->proposal.dh); 392 return -1; 393 } 394 395 if (data->dh == NULL) { 396 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group"); 397 return -1; 398 } 399 400 /* RFC 4306, Section 3.4: 401 * The length of DH public value MUST be equal to the length of the 402 * prime modulus. 403 */ 404 if (ker_len - 4 != data->dh->prime_len) { 405 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length " 406 "%ld (expected %ld)", 407 (long) (ker_len - 4), (long) data->dh->prime_len); 408 return -1; 409 } 410 411 wpabuf_free(data->r_dh_public); 412 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4); 413 if (data->r_dh_public == NULL) 414 return -1; 415 416 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value", 417 data->r_dh_public); 418 419 return 0; 420} 421 422 423static int ikev2_process_nr(struct ikev2_initiator_data *data, 424 const u8 *nr, size_t nr_len) 425{ 426 if (nr == NULL) { 427 wpa_printf(MSG_INFO, "IKEV2: Nr not received"); 428 return -1; 429 } 430 431 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) { 432 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld", 433 (long) nr_len); 434 return -1; 435 } 436 437 data->r_nonce_len = nr_len; 438 os_memcpy(data->r_nonce, nr, nr_len); 439 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr", 440 data->r_nonce, data->r_nonce_len); 441 442 return 0; 443} 444 445 446static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data, 447 const struct ikev2_hdr *hdr, 448 const u8 *encrypted, 449 size_t encrypted_len, u8 next_payload) 450{ 451 u8 *decrypted; 452 size_t decrypted_len; 453 struct ikev2_payloads pl; 454 int ret = 0; 455 456 decrypted = ikev2_decrypt_payload(data->proposal.encr, 457 data->proposal.integ, &data->keys, 0, 458 hdr, encrypted, encrypted_len, 459 &decrypted_len); 460 if (decrypted == NULL) 461 return -1; 462 463 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 464 465 if (ikev2_parse_payloads(&pl, next_payload, decrypted, 466 decrypted + decrypted_len) < 0) { 467 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 468 "payloads"); 469 return -1; 470 } 471 472 if (pl.idr) 473 ret = ikev2_process_idr(data, pl.idr, pl.idr_len); 474 475 os_free(decrypted); 476 477 return ret; 478} 479 480 481static int ikev2_process_sa_init(struct ikev2_initiator_data *data, 482 const struct ikev2_hdr *hdr, 483 struct ikev2_payloads *pl) 484{ 485 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 || 486 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 || 487 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0) 488 return -1; 489 490 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN); 491 492 if (ikev2_derive_keys(data) < 0) 493 return -1; 494 495 if (pl->encrypted) { 496 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - " 497 "try to get IDr from it"); 498 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted, 499 pl->encrypted_len, 500 pl->encr_next_payload) < 0) { 501 wpa_printf(MSG_INFO, "IKEV2: Failed to process " 502 "encrypted payload"); 503 return -1; 504 } 505 } 506 507 data->state = SA_AUTH; 508 509 return 0; 510} 511 512 513static int ikev2_process_idr(struct ikev2_initiator_data *data, 514 const u8 *idr, size_t idr_len) 515{ 516 u8 id_type; 517 518 if (idr == NULL) { 519 wpa_printf(MSG_INFO, "IKEV2: No IDr received"); 520 return -1; 521 } 522 523 if (idr_len < 4) { 524 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload"); 525 return -1; 526 } 527 528 id_type = idr[0]; 529 idr += 4; 530 idr_len -= 4; 531 532 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type); 533 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len); 534 if (data->IDr) { 535 if (id_type != data->IDr_type || idr_len != data->IDr_len || 536 os_memcmp(idr, data->IDr, idr_len) != 0) { 537 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one " 538 "received earlier"); 539 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d", 540 id_type); 541 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr", 542 data->IDr, data->IDr_len); 543 return -1; 544 } 545 os_free(data->IDr); 546 } 547 data->IDr = os_memdup(idr, idr_len); 548 if (data->IDr == NULL) 549 return -1; 550 data->IDr_len = idr_len; 551 data->IDr_type = id_type; 552 553 return 0; 554} 555 556 557static int ikev2_process_cert(struct ikev2_initiator_data *data, 558 const u8 *cert, size_t cert_len) 559{ 560 u8 cert_encoding; 561 562 if (cert == NULL) { 563 if (data->peer_auth == PEER_AUTH_CERT) { 564 wpa_printf(MSG_INFO, "IKEV2: No Certificate received"); 565 return -1; 566 } 567 return 0; 568 } 569 570 if (cert_len < 1) { 571 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field"); 572 return -1; 573 } 574 575 cert_encoding = cert[0]; 576 cert++; 577 cert_len--; 578 579 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding); 580 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len); 581 582 /* TODO: validate certificate */ 583 584 return 0; 585} 586 587 588static int ikev2_process_auth_cert(struct ikev2_initiator_data *data, 589 u8 method, const u8 *auth, size_t auth_len) 590{ 591 if (method != AUTH_RSA_SIGN) { 592 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 593 "method %d", method); 594 return -1; 595 } 596 597 /* TODO: validate AUTH */ 598 return 0; 599} 600 601 602static int ikev2_process_auth_secret(struct ikev2_initiator_data *data, 603 u8 method, const u8 *auth, 604 size_t auth_len) 605{ 606 u8 auth_data[IKEV2_MAX_HASH_LEN]; 607 const struct ikev2_prf_alg *prf; 608 609 if (method != AUTH_SHARED_KEY_MIC) { 610 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 611 "method %d", method); 612 return -1; 613 } 614 615 /* msg | Ni | prf(SK_pr,IDr') */ 616 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, 617 data->IDr, data->IDr_len, data->IDr_type, 618 &data->keys, 0, data->shared_secret, 619 data->shared_secret_len, 620 data->i_nonce, data->i_nonce_len, 621 data->key_pad, data->key_pad_len, 622 auth_data) < 0) { 623 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 624 return -1; 625 } 626 627 wpabuf_free(data->r_sign_msg); 628 data->r_sign_msg = NULL; 629 630 prf = ikev2_get_prf(data->proposal.prf); 631 if (prf == NULL) 632 return -1; 633 634 if (auth_len != prf->hash_len || 635 os_memcmp_const(auth, auth_data, auth_len) != 0) { 636 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data"); 637 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", 638 auth, auth_len); 639 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", 640 auth_data, prf->hash_len); 641 return -1; 642 } 643 644 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully " 645 "using shared keys"); 646 647 return 0; 648} 649 650 651static int ikev2_process_auth(struct ikev2_initiator_data *data, 652 const u8 *auth, size_t auth_len) 653{ 654 u8 auth_method; 655 656 if (auth == NULL) { 657 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload"); 658 return -1; 659 } 660 661 if (auth_len < 4) { 662 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication " 663 "Payload"); 664 return -1; 665 } 666 667 auth_method = auth[0]; 668 auth += 4; 669 auth_len -= 4; 670 671 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method); 672 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len); 673 674 switch (data->peer_auth) { 675 case PEER_AUTH_CERT: 676 return ikev2_process_auth_cert(data, auth_method, auth, 677 auth_len); 678 case PEER_AUTH_SECRET: 679 return ikev2_process_auth_secret(data, auth_method, auth, 680 auth_len); 681 } 682 683 return -1; 684} 685 686 687static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data, 688 u8 next_payload, 689 u8 *payload, size_t payload_len) 690{ 691 struct ikev2_payloads pl; 692 693 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 694 695 if (ikev2_parse_payloads(&pl, next_payload, payload, payload + 696 payload_len) < 0) { 697 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 698 "payloads"); 699 return -1; 700 } 701 702 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 || 703 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 || 704 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0) 705 return -1; 706 707 return 0; 708} 709 710 711static int ikev2_process_sa_auth(struct ikev2_initiator_data *data, 712 const struct ikev2_hdr *hdr, 713 struct ikev2_payloads *pl) 714{ 715 u8 *decrypted; 716 size_t decrypted_len; 717 int ret; 718 719 decrypted = ikev2_decrypt_payload(data->proposal.encr, 720 data->proposal.integ, 721 &data->keys, 0, hdr, pl->encrypted, 722 pl->encrypted_len, &decrypted_len); 723 if (decrypted == NULL) 724 return -1; 725 726 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload, 727 decrypted, decrypted_len); 728 os_free(decrypted); 729 730 if (ret == 0 && !data->unknown_user) { 731 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed"); 732 data->state = IKEV2_DONE; 733 } 734 735 return ret; 736} 737 738 739static int ikev2_validate_rx_state(struct ikev2_initiator_data *data, 740 u8 exchange_type, u32 message_id) 741{ 742 switch (data->state) { 743 case SA_INIT: 744 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ], 745 * [SK{IDr}] */ 746 if (exchange_type != IKE_SA_INIT) { 747 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 748 "%u in SA_INIT state", exchange_type); 749 return -1; 750 } 751 if (message_id != 0) { 752 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 753 "in SA_INIT state", message_id); 754 return -1; 755 } 756 break; 757 case SA_AUTH: 758 /* Expect to receive IKE_SA_AUTH: 759 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH} 760 */ 761 if (exchange_type != IKE_SA_AUTH) { 762 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 763 "%u in SA_AUTH state", exchange_type); 764 return -1; 765 } 766 if (message_id != 1) { 767 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 768 "in SA_AUTH state", message_id); 769 return -1; 770 } 771 break; 772 case CHILD_SA: 773 if (exchange_type != CREATE_CHILD_SA) { 774 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 775 "%u in CHILD_SA state", exchange_type); 776 return -1; 777 } 778 if (message_id != 2) { 779 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 780 "in CHILD_SA state", message_id); 781 return -1; 782 } 783 break; 784 case IKEV2_DONE: 785 return -1; 786 } 787 788 return 0; 789} 790 791 792int ikev2_initiator_process(struct ikev2_initiator_data *data, 793 const struct wpabuf *buf) 794{ 795 const struct ikev2_hdr *hdr; 796 u32 length, message_id; 797 const u8 *pos, *end; 798 struct ikev2_payloads pl; 799 800 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)", 801 (unsigned long) wpabuf_len(buf)); 802 803 if (wpabuf_len(buf) < sizeof(*hdr)) { 804 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR"); 805 return -1; 806 } 807 808 hdr = (const struct ikev2_hdr *) wpabuf_head(buf); 809 end = wpabuf_head_u8(buf) + wpabuf_len(buf); 810 message_id = WPA_GET_BE32(hdr->message_id); 811 length = WPA_GET_BE32(hdr->length); 812 813 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 814 hdr->i_spi, IKEV2_SPI_LEN); 815 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 816 hdr->r_spi, IKEV2_SPI_LEN); 817 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x " 818 "Exchange Type: %u", 819 hdr->next_payload, hdr->version, hdr->exchange_type); 820 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u", 821 message_id, length); 822 823 if (hdr->version != IKEV2_VERSION) { 824 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x " 825 "(expected 0x%x)", hdr->version, IKEV2_VERSION); 826 return -1; 827 } 828 829 if (length != wpabuf_len(buf)) { 830 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != " 831 "RX: %lu)", (unsigned long) length, 832 (unsigned long) wpabuf_len(buf)); 833 return -1; 834 } 835 836 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0) 837 return -1; 838 839 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) != 840 IKEV2_HDR_RESPONSE) { 841 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x", 842 hdr->flags); 843 return -1; 844 } 845 846 if (data->state != SA_INIT) { 847 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) { 848 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 849 "Initiator's SPI"); 850 return -1; 851 } 852 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) { 853 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 854 "Responder's SPI"); 855 return -1; 856 } 857 } 858 859 pos = (const u8 *) (hdr + 1); 860 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0) 861 return -1; 862 863 switch (data->state) { 864 case SA_INIT: 865 if (ikev2_process_sa_init(data, hdr, &pl) < 0) 866 return -1; 867 wpabuf_free(data->r_sign_msg); 868 data->r_sign_msg = wpabuf_dup(buf); 869 break; 870 case SA_AUTH: 871 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) 872 return -1; 873 break; 874 case CHILD_SA: 875 case IKEV2_DONE: 876 break; 877 } 878 879 return 0; 880} 881 882 883static void ikev2_build_hdr(struct ikev2_initiator_data *data, 884 struct wpabuf *msg, u8 exchange_type, 885 u8 next_payload, u32 message_id) 886{ 887 struct ikev2_hdr *hdr; 888 889 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR"); 890 891 /* HDR - RFC 4306, Sect. 3.1 */ 892 hdr = wpabuf_put(msg, sizeof(*hdr)); 893 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN); 894 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN); 895 hdr->next_payload = next_payload; 896 hdr->version = IKEV2_VERSION; 897 hdr->exchange_type = exchange_type; 898 hdr->flags = IKEV2_HDR_INITIATOR; 899 WPA_PUT_BE32(hdr->message_id, message_id); 900} 901 902 903static int ikev2_build_sai(struct ikev2_initiator_data *data, 904 struct wpabuf *msg, u8 next_payload) 905{ 906 struct ikev2_payload_hdr *phdr; 907 size_t plen; 908 struct ikev2_proposal *p; 909 struct ikev2_transform *t; 910 911 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload"); 912 913 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */ 914 phdr = wpabuf_put(msg, sizeof(*phdr)); 915 phdr->next_payload = next_payload; 916 phdr->flags = 0; 917 918 /* TODO: support for multiple proposals */ 919 p = wpabuf_put(msg, sizeof(*p)); 920 p->proposal_num = data->proposal.proposal_num; 921 p->protocol_id = IKEV2_PROTOCOL_IKE; 922 p->num_transforms = 4; 923 924 t = wpabuf_put(msg, sizeof(*t)); 925 t->type = 3; 926 t->transform_type = IKEV2_TRANSFORM_ENCR; 927 WPA_PUT_BE16(t->transform_id, data->proposal.encr); 928 if (data->proposal.encr == ENCR_AES_CBC) { 929 /* Transform Attribute: Key Len = 128 bits */ 930 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */ 931 wpabuf_put_be16(msg, 128); /* 128-bit key */ 932 } 933 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t; 934 WPA_PUT_BE16(t->transform_length, plen); 935 936 t = wpabuf_put(msg, sizeof(*t)); 937 t->type = 3; 938 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 939 t->transform_type = IKEV2_TRANSFORM_PRF; 940 WPA_PUT_BE16(t->transform_id, data->proposal.prf); 941 942 t = wpabuf_put(msg, sizeof(*t)); 943 t->type = 3; 944 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 945 t->transform_type = IKEV2_TRANSFORM_INTEG; 946 WPA_PUT_BE16(t->transform_id, data->proposal.integ); 947 948 t = wpabuf_put(msg, sizeof(*t)); 949 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 950 t->transform_type = IKEV2_TRANSFORM_DH; 951 WPA_PUT_BE16(t->transform_id, data->proposal.dh); 952 953 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p; 954 WPA_PUT_BE16(p->proposal_length, plen); 955 956 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 957 WPA_PUT_BE16(phdr->payload_length, plen); 958 959 return 0; 960} 961 962 963static int ikev2_build_kei(struct ikev2_initiator_data *data, 964 struct wpabuf *msg, u8 next_payload) 965{ 966 struct ikev2_payload_hdr *phdr; 967 size_t plen; 968 struct wpabuf *pv; 969 970 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload"); 971 972 data->dh = dh_groups_get(data->proposal.dh); 973 pv = dh_init(data->dh, &data->i_dh_private); 974 if (pv == NULL) { 975 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH"); 976 return -1; 977 } 978 979 /* KEi - RFC 4306, Sect. 3.4 */ 980 phdr = wpabuf_put(msg, sizeof(*phdr)); 981 phdr->next_payload = next_payload; 982 phdr->flags = 0; 983 984 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */ 985 wpabuf_put(msg, 2); /* RESERVED */ 986 /* 987 * RFC 4306, Sect. 3.4: possible zero padding for public value to 988 * match the length of the prime. 989 */ 990 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv)); 991 wpabuf_put_buf(msg, pv); 992 wpabuf_free(pv); 993 994 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 995 WPA_PUT_BE16(phdr->payload_length, plen); 996 return 0; 997} 998 999 1000static int ikev2_build_ni(struct ikev2_initiator_data *data, 1001 struct wpabuf *msg, u8 next_payload) 1002{ 1003 struct ikev2_payload_hdr *phdr; 1004 size_t plen; 1005 1006 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload"); 1007 1008 /* Ni - RFC 4306, Sect. 3.9 */ 1009 phdr = wpabuf_put(msg, sizeof(*phdr)); 1010 phdr->next_payload = next_payload; 1011 phdr->flags = 0; 1012 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len); 1013 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1014 WPA_PUT_BE16(phdr->payload_length, plen); 1015 return 0; 1016} 1017 1018 1019static int ikev2_build_idi(struct ikev2_initiator_data *data, 1020 struct wpabuf *msg, u8 next_payload) 1021{ 1022 struct ikev2_payload_hdr *phdr; 1023 size_t plen; 1024 1025 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload"); 1026 1027 if (data->IDi == NULL) { 1028 wpa_printf(MSG_INFO, "IKEV2: No IDi available"); 1029 return -1; 1030 } 1031 1032 /* IDi - RFC 4306, Sect. 3.5 */ 1033 phdr = wpabuf_put(msg, sizeof(*phdr)); 1034 phdr->next_payload = next_payload; 1035 phdr->flags = 0; 1036 wpabuf_put_u8(msg, ID_KEY_ID); 1037 wpabuf_put(msg, 3); /* RESERVED */ 1038 wpabuf_put_data(msg, data->IDi, data->IDi_len); 1039 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1040 WPA_PUT_BE16(phdr->payload_length, plen); 1041 return 0; 1042} 1043 1044 1045static int ikev2_build_auth(struct ikev2_initiator_data *data, 1046 struct wpabuf *msg, u8 next_payload) 1047{ 1048 struct ikev2_payload_hdr *phdr; 1049 size_t plen; 1050 const struct ikev2_prf_alg *prf; 1051 1052 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload"); 1053 1054 prf = ikev2_get_prf(data->proposal.prf); 1055 if (prf == NULL) 1056 return -1; 1057 1058 /* Authentication - RFC 4306, Sect. 3.8 */ 1059 phdr = wpabuf_put(msg, sizeof(*phdr)); 1060 phdr->next_payload = next_payload; 1061 phdr->flags = 0; 1062 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC); 1063 wpabuf_put(msg, 3); /* RESERVED */ 1064 1065 /* msg | Nr | prf(SK_pi,IDi') */ 1066 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg, 1067 data->IDi, data->IDi_len, ID_KEY_ID, 1068 &data->keys, 1, data->shared_secret, 1069 data->shared_secret_len, 1070 data->r_nonce, data->r_nonce_len, 1071 data->key_pad, data->key_pad_len, 1072 wpabuf_put(msg, prf->hash_len)) < 0) { 1073 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 1074 return -1; 1075 } 1076 wpabuf_free(data->i_sign_msg); 1077 data->i_sign_msg = NULL; 1078 1079 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1080 WPA_PUT_BE16(phdr->payload_length, plen); 1081 return 0; 1082} 1083 1084 1085static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data) 1086{ 1087 struct wpabuf *msg; 1088 1089 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */ 1090 1091 if (os_get_random(data->i_spi, IKEV2_SPI_LEN)) 1092 return NULL; 1093 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 1094 data->i_spi, IKEV2_SPI_LEN); 1095 1096 data->i_nonce_len = IKEV2_NONCE_MIN_LEN; 1097 if (random_get_bytes(data->i_nonce, data->i_nonce_len)) 1098 return NULL; 1099 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len); 1100 1101 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000); 1102 if (msg == NULL) 1103 return NULL; 1104 1105 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0); 1106 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) || 1107 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) || 1108 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1109 wpabuf_free(msg); 1110 return NULL; 1111 } 1112 1113 ikev2_update_hdr(msg); 1114 1115 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg); 1116 1117 wpabuf_free(data->i_sign_msg); 1118 data->i_sign_msg = wpabuf_dup(msg); 1119 1120 return msg; 1121} 1122 1123 1124static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data) 1125{ 1126 struct wpabuf *msg, *plain; 1127 const u8 *secret; 1128 size_t secret_len; 1129 1130 secret = data->get_shared_secret(data->cb_ctx, data->IDr, 1131 data->IDr_len, &secret_len); 1132 if (secret == NULL) { 1133 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - " 1134 "use fake value"); 1135 /* RFC 5106, Sect. 7: 1136 * Use a random key to fake AUTH generation in order to prevent 1137 * probing of user identities. 1138 */ 1139 data->unknown_user = 1; 1140 os_free(data->shared_secret); 1141 data->shared_secret = os_malloc(16); 1142 if (data->shared_secret == NULL) 1143 return NULL; 1144 data->shared_secret_len = 16; 1145 if (random_get_bytes(data->shared_secret, 16)) 1146 return NULL; 1147 } else { 1148 os_free(data->shared_secret); 1149 data->shared_secret = os_memdup(secret, secret_len); 1150 if (data->shared_secret == NULL) 1151 return NULL; 1152 data->shared_secret_len = secret_len; 1153 } 1154 1155 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */ 1156 1157 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000); 1158 if (msg == NULL) 1159 return NULL; 1160 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1); 1161 1162 plain = wpabuf_alloc(data->IDr_len + 1000); 1163 if (plain == NULL) { 1164 wpabuf_free(msg); 1165 return NULL; 1166 } 1167 1168 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) || 1169 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1170 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ, 1171 &data->keys, 1, msg, plain, 1172 IKEV2_PAYLOAD_IDi)) { 1173 wpabuf_free(plain); 1174 wpabuf_free(msg); 1175 return NULL; 1176 } 1177 wpabuf_free(plain); 1178 1179 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg); 1180 1181 return msg; 1182} 1183 1184 1185struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data) 1186{ 1187 switch (data->state) { 1188 case SA_INIT: 1189 return ikev2_build_sa_init(data); 1190 case SA_AUTH: 1191 return ikev2_build_sa_auth(data); 1192 case CHILD_SA: 1193 return NULL; 1194 case IKEV2_DONE: 1195 return NULL; 1196 } 1197 return NULL; 1198} 1199