Disconnect hostapd from building in base
[dragonfly.git] / contrib / hostapd / src / eap_peer / ikev2.c
CommitLineData
a875087d
JL
1/*
2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
4781064b
JM
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
a875087d
JL
7 */
8
9#include "includes.h"
10
11#include "common.h"
4781064b
JM
12#include "crypto/dh_groups.h"
13#include "crypto/random.h"
a875087d
JL
14#include "ikev2.h"
15
16
17void ikev2_responder_deinit(struct ikev2_responder_data *data)
18{
19 ikev2_free_keys(&data->keys);
20 wpabuf_free(data->i_dh_public);
21 wpabuf_free(data->r_dh_private);
22 os_free(data->IDi);
23 os_free(data->IDr);
24 os_free(data->shared_secret);
25 wpabuf_free(data->i_sign_msg);
26 wpabuf_free(data->r_sign_msg);
27 os_free(data->key_pad);
28}
29
30
31static int ikev2_derive_keys(struct ikev2_responder_data *data)
32{
33 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34 size_t buf_len, pad_len;
35 struct wpabuf *shared;
36 const struct ikev2_integ_alg *integ;
37 const struct ikev2_prf_alg *prf;
38 const struct ikev2_encr_alg *encr;
39 int ret;
40 const u8 *addr[2];
41 size_t len[2];
42
43 /* RFC 4306, Sect. 2.14 */
44
45 integ = ikev2_get_integ(data->proposal.integ);
46 prf = ikev2_get_prf(data->proposal.prf);
47 encr = ikev2_get_encr(data->proposal.encr);
48 if (integ == NULL || prf == NULL || encr == NULL) {
49 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
50 return -1;
51 }
52
53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
54 data->dh);
55 if (shared == NULL)
56 return -1;
57
58 /* Construct Ni | Nr | SPIi | SPIr */
59
60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61 buf = os_malloc(buf_len);
62 if (buf == NULL) {
63 wpabuf_free(shared);
64 return -1;
65 }
66
67 pos = buf;
68 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 pos += data->i_nonce_len;
70 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 pos += data->r_nonce_len;
72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
73 pos += IKEV2_SPI_LEN;
74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
75#ifdef CCNS_PL
76#if __BYTE_ORDER == __LITTLE_ENDIAN
77 {
78 int i;
79 u8 *tmp = pos - IKEV2_SPI_LEN;
80 /* Incorrect byte re-ordering on little endian hosts.. */
81 for (i = 0; i < IKEV2_SPI_LEN; i++)
82 *tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
83 for (i = 0; i < IKEV2_SPI_LEN; i++)
84 *tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
85 }
86#endif
87#endif /* CCNS_PL */
88
89 /* SKEYSEED = prf(Ni | Nr, g^ir) */
90 /* Use zero-padding per RFC 4306, Sect. 2.14 */
91 pad_len = data->dh->prime_len - wpabuf_len(shared);
92#ifdef CCNS_PL
93 /* Shared secret is not zero-padded correctly */
94 pad_len = 0;
95#endif /* CCNS_PL */
96 pad = os_zalloc(pad_len ? pad_len : 1);
97 if (pad == NULL) {
98 wpabuf_free(shared);
99 os_free(buf);
100 return -1;
101 }
102
103 addr[0] = pad;
104 len[0] = pad_len;
105 addr[1] = wpabuf_head(shared);
106 len[1] = wpabuf_len(shared);
107 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
108 2, addr, len, skeyseed) < 0) {
109 wpabuf_free(shared);
110 os_free(buf);
111 os_free(pad);
112 return -1;
113 }
114 os_free(pad);
115 wpabuf_free(shared);
116
117 /* DH parameters are not needed anymore, so free them */
118 wpabuf_free(data->i_dh_public);
119 data->i_dh_public = NULL;
120 wpabuf_free(data->r_dh_private);
121 data->r_dh_private = NULL;
122
123 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
124 skeyseed, prf->hash_len);
125
126 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
127 &data->keys);
128 os_free(buf);
129 return ret;
130}
131
132
133static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
134 const u8 *pos, const u8 *end)
135{
136 int transform_len;
137 const struct ikev2_transform *t;
138 u16 transform_id;
139 const u8 *tend;
140
141 if (end - pos < (int) sizeof(*t)) {
142 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
143 return -1;
144 }
145
146 t = (const struct ikev2_transform *) pos;
147 transform_len = WPA_GET_BE16(t->transform_length);
148 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
149 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
150 transform_len);
151 return -1;
152 }
153 tend = pos + transform_len;
154
155 transform_id = WPA_GET_BE16(t->transform_id);
156
157 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
158 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
159 "Transform Type: %d Transform ID: %d",
160 t->type, transform_len, t->transform_type, transform_id);
161
162 if (t->type != 0 && t->type != 3) {
163 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
164 return -1;
165 }
166
167 pos = (const u8 *) (t + 1);
168 if (pos < tend) {
169 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
170 pos, tend - pos);
171 }
172
173 switch (t->transform_type) {
174 case IKEV2_TRANSFORM_ENCR:
175 if (ikev2_get_encr(transform_id)) {
176 if (transform_id == ENCR_AES_CBC) {
177 if (tend - pos != 4) {
178 wpa_printf(MSG_DEBUG, "IKEV2: No "
179 "Transform Attr for AES");
180 break;
181 }
182#ifdef CCNS_PL
183 if (WPA_GET_BE16(pos) != 0x001d /* ?? */) {
184 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
185 "Key Size attribute for "
186 "AES");
187 break;
188 }
189#else /* CCNS_PL */
190 if (WPA_GET_BE16(pos) != 0x800e) {
191 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
192 "Key Size attribute for "
193 "AES");
194 break;
195 }
196#endif /* CCNS_PL */
197 if (WPA_GET_BE16(pos + 2) != 128) {
198 wpa_printf(MSG_DEBUG, "IKEV2: "
199 "Unsupported AES key size "
200 "%d bits",
201 WPA_GET_BE16(pos + 2));
202 break;
203 }
204 }
205 prop->encr = transform_id;
206 }
207 break;
208 case IKEV2_TRANSFORM_PRF:
209 if (ikev2_get_prf(transform_id))
210 prop->prf = transform_id;
211 break;
212 case IKEV2_TRANSFORM_INTEG:
213 if (ikev2_get_integ(transform_id))
214 prop->integ = transform_id;
215 break;
216 case IKEV2_TRANSFORM_DH:
217 if (dh_groups_get(transform_id))
218 prop->dh = transform_id;
219 break;
220 }
221
222 return transform_len;
223}
224
225
226static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
227 const u8 *pos, const u8 *end)
228{
229 const u8 *pend, *ppos;
230 int proposal_len, i;
231 const struct ikev2_proposal *p;
232
233 if (end - pos < (int) sizeof(*p)) {
234 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
235 return -1;
236 }
237
238 /* FIX: AND processing if multiple proposals use the same # */
239
240 p = (const struct ikev2_proposal *) pos;
241 proposal_len = WPA_GET_BE16(p->proposal_length);
242 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
243 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
244 proposal_len);
245 return -1;
246 }
247 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
248 p->proposal_num);
249 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
250 " Protocol ID: %d",
251 p->type, proposal_len, p->protocol_id);
252 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
253 p->spi_size, p->num_transforms);
254
255 if (p->type != 0 && p->type != 2) {
256 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
257 return -1;
258 }
259
260 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
261 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
262 "(only IKE allowed for EAP-IKEv2)");
263 return -1;
264 }
265
266 if (p->proposal_num != prop->proposal_num) {
267 if (p->proposal_num == prop->proposal_num + 1)
268 prop->proposal_num = p->proposal_num;
269 else {
270 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
271 return -1;
272 }
273 }
274
275 ppos = (const u8 *) (p + 1);
276 pend = pos + proposal_len;
277 if (ppos + p->spi_size > pend) {
278 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
279 "in proposal");
280 return -1;
281 }
282 if (p->spi_size) {
283 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
284 ppos, p->spi_size);
285 ppos += p->spi_size;
286 }
287
288 /*
289 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
290 * subsequent negotiations, it must be 8 for IKE. We only support
291 * initial case for now.
292 */
293 if (p->spi_size != 0) {
294 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
295 return -1;
296 }
297
298 if (p->num_transforms == 0) {
299 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
300 return -1;
301 }
302
303 for (i = 0; i < (int) p->num_transforms; i++) {
304 int tlen = ikev2_parse_transform(prop, ppos, pend);
305 if (tlen < 0)
306 return -1;
307 ppos += tlen;
308 }
309
310 if (ppos != pend) {
311 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
312 "transforms");
313 return -1;
314 }
315
316 return proposal_len;
317}
318
319
320static int ikev2_process_sai1(struct ikev2_responder_data *data,
321 const u8 *sai1, size_t sai1_len)
322{
323 struct ikev2_proposal_data prop;
324 const u8 *pos, *end;
325 int found = 0;
326
327 /* Security Association Payloads: <Proposals> */
328
329 if (sai1 == NULL) {
330 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
331 return -1;
332 }
333
334 os_memset(&prop, 0, sizeof(prop));
335 prop.proposal_num = 1;
336
337 pos = sai1;
338 end = sai1 + sai1_len;
339
340 while (pos < end) {
341 int plen;
342
343 prop.integ = -1;
344 prop.prf = -1;
345 prop.encr = -1;
346 prop.dh = -1;
347 plen = ikev2_parse_proposal(&prop, pos, end);
348 if (plen < 0)
349 return -1;
350
351 if (!found && prop.integ != -1 && prop.prf != -1 &&
352 prop.encr != -1 && prop.dh != -1) {
353 os_memcpy(&data->proposal, &prop, sizeof(prop));
354 data->dh = dh_groups_get(prop.dh);
355 found = 1;
356 }
357
358 pos += plen;
359 }
360
361 if (pos != end) {
362 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
363 return -1;
364 }
365
366 if (!found) {
367 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
368 return -1;
369 }
370
371 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
372 "INTEG:%d D-H:%d", data->proposal.proposal_num,
373 data->proposal.encr, data->proposal.prf,
374 data->proposal.integ, data->proposal.dh);
375
376 return 0;
377}
378
379
380static int ikev2_process_kei(struct ikev2_responder_data *data,
381 const u8 *kei, size_t kei_len)
382{
383 u16 group;
384
385 /*
386 * Key Exchange Payload:
387 * DH Group # (16 bits)
388 * RESERVED (16 bits)
389 * Key Exchange Data (Diffie-Hellman public value)
390 */
391
392 if (kei == NULL) {
393 wpa_printf(MSG_INFO, "IKEV2: KEi not received");
394 return -1;
395 }
396
397 if (kei_len < 4 + 96) {
398 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
399 return -1;
400 }
401
402 group = WPA_GET_BE16(kei);
403 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
404
405 if (group != data->proposal.dh) {
406 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
407 "with the selected proposal (%u)",
408 group, data->proposal.dh);
409 /* Reject message with Notify payload of type
410 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
411 data->error_type = INVALID_KE_PAYLOAD;
412 data->state = NOTIFY;
413 return -1;
414 }
415
416 if (data->dh == NULL) {
417 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
418 return -1;
419 }
420
421 /* RFC 4306, Section 3.4:
4781064b 422 * The length of DH public value MUST be equal to the length of the
a875087d
JL
423 * prime modulus.
424 */
425 if (kei_len - 4 != data->dh->prime_len) {
426 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
427 "%ld (expected %ld)",
428 (long) (kei_len - 4), (long) data->dh->prime_len);
429 return -1;
430 }
431
432 wpabuf_free(data->i_dh_public);
433 data->i_dh_public = wpabuf_alloc(kei_len - 4);
434 if (data->i_dh_public == NULL)
435 return -1;
436 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
437
438 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
439 data->i_dh_public);
440
441 return 0;
442}
443
444
445static int ikev2_process_ni(struct ikev2_responder_data *data,
446 const u8 *ni, size_t ni_len)
447{
448 if (ni == NULL) {
449 wpa_printf(MSG_INFO, "IKEV2: Ni not received");
450 return -1;
451 }
452
453 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
454 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
455 (long) ni_len);
456 return -1;
457 }
458
459#ifdef CCNS_PL
460 /* Zeros are removed incorrectly from the beginning of the nonces */
461 while (ni_len > 1 && *ni == 0) {
462 ni_len--;
463 ni++;
464 }
465#endif /* CCNS_PL */
466
467 data->i_nonce_len = ni_len;
468 os_memcpy(data->i_nonce, ni, ni_len);
469 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
470 data->i_nonce, data->i_nonce_len);
471
472 return 0;
473}
474
475
476static int ikev2_process_sa_init(struct ikev2_responder_data *data,
477 const struct ikev2_hdr *hdr,
478 struct ikev2_payloads *pl)
479{
480 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
481 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
482 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
483 return -1;
484
485 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
486
487 return 0;
488}
489
490
491static int ikev2_process_idi(struct ikev2_responder_data *data,
492 const u8 *idi, size_t idi_len)
493{
494 u8 id_type;
495
496 if (idi == NULL) {
497 wpa_printf(MSG_INFO, "IKEV2: No IDi received");
498 return -1;
499 }
500
501 if (idi_len < 4) {
502 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
503 return -1;
504 }
505
506 id_type = idi[0];
507 idi += 4;
508 idi_len -= 4;
509
510 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
511 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
512 os_free(data->IDi);
513 data->IDi = os_malloc(idi_len);
514 if (data->IDi == NULL)
515 return -1;
516 os_memcpy(data->IDi, idi, idi_len);
517 data->IDi_len = idi_len;
518 data->IDi_type = id_type;
519
520 return 0;
521}
522
523
524static int ikev2_process_cert(struct ikev2_responder_data *data,
525 const u8 *cert, size_t cert_len)
526{
527 u8 cert_encoding;
528
529 if (cert == NULL) {
530 if (data->peer_auth == PEER_AUTH_CERT) {
531 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
532 return -1;
533 }
534 return 0;
535 }
536
537 if (cert_len < 1) {
538 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
539 return -1;
540 }
541
542 cert_encoding = cert[0];
543 cert++;
544 cert_len--;
545
546 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
547 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
548
549 /* TODO: validate certificate */
550
551 return 0;
552}
553
554
555static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
556 u8 method, const u8 *auth, size_t auth_len)
557{
558 if (method != AUTH_RSA_SIGN) {
559 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
560 "method %d", method);
561 return -1;
562 }
563
564 /* TODO: validate AUTH */
565 return 0;
566}
567
568
569static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
570 u8 method, const u8 *auth,
571 size_t auth_len)
572{
573 u8 auth_data[IKEV2_MAX_HASH_LEN];
574 const struct ikev2_prf_alg *prf;
575
576 if (method != AUTH_SHARED_KEY_MIC) {
577 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
578 "method %d", method);
579 return -1;
580 }
581
582 /* msg | Nr | prf(SK_pi,IDi') */
583 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
584 data->IDi, data->IDi_len, data->IDi_type,
585 &data->keys, 1, data->shared_secret,
586 data->shared_secret_len,
587 data->r_nonce, data->r_nonce_len,
588 data->key_pad, data->key_pad_len,
589 auth_data) < 0) {
590 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
591 return -1;
592 }
593
594 wpabuf_free(data->i_sign_msg);
595 data->i_sign_msg = NULL;
596
597 prf = ikev2_get_prf(data->proposal.prf);
598 if (prf == NULL)
599 return -1;
600
601 if (auth_len != prf->hash_len ||
602 os_memcmp(auth, auth_data, auth_len) != 0) {
603 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
604 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
605 auth, auth_len);
606 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
607 auth_data, prf->hash_len);
608 data->error_type = AUTHENTICATION_FAILED;
609 data->state = NOTIFY;
610 return -1;
611 }
612
613 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
614 "using shared keys");
615
616 return 0;
617}
618
619
620static int ikev2_process_auth(struct ikev2_responder_data *data,
621 const u8 *auth, size_t auth_len)
622{
623 u8 auth_method;
624
625 if (auth == NULL) {
626 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
627 return -1;
628 }
629
630 if (auth_len < 4) {
631 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
632 "Payload");
633 return -1;
634 }
635
636 auth_method = auth[0];
637 auth += 4;
638 auth_len -= 4;
639
640 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
641 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
642
643 switch (data->peer_auth) {
644 case PEER_AUTH_CERT:
645 return ikev2_process_auth_cert(data, auth_method, auth,
646 auth_len);
647 case PEER_AUTH_SECRET:
648 return ikev2_process_auth_secret(data, auth_method, auth,
649 auth_len);
650 }
651
652 return -1;
653}
654
655
656static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
657 u8 next_payload,
658 u8 *payload, size_t payload_len)
659{
660 struct ikev2_payloads pl;
661
662 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
663
664 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
665 payload_len) < 0) {
666 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
667 "payloads");
668 return -1;
669 }
670
671 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
672 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
673 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
674 return -1;
675
676 return 0;
677}
678
679
680static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
681 const struct ikev2_hdr *hdr,
682 struct ikev2_payloads *pl)
683{
684 u8 *decrypted;
685 size_t decrypted_len;
686 int ret;
687
688 decrypted = ikev2_decrypt_payload(data->proposal.encr,
689 data->proposal.integ,
690 &data->keys, 1, hdr, pl->encrypted,
691 pl->encrypted_len, &decrypted_len);
692 if (decrypted == NULL)
693 return -1;
694
695 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
696 decrypted, decrypted_len);
697 os_free(decrypted);
698
699 return ret;
700}
701
702
703static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
704 u8 exchange_type, u32 message_id)
705{
706 switch (data->state) {
707 case SA_INIT:
708 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
709 if (exchange_type != IKE_SA_INIT) {
710 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
711 "%u in SA_INIT state", exchange_type);
712 return -1;
713 }
714 if (message_id != 0) {
715 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
716 "in SA_INIT state", message_id);
717 return -1;
718 }
719 break;
720 case SA_AUTH:
721 /* Expect to receive IKE_SA_AUTH:
722 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
723 * AUTH, SAi2, TSi, TSr}
724 */
725 if (exchange_type != IKE_SA_AUTH) {
726 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
727 "%u in SA_AUTH state", exchange_type);
728 return -1;
729 }
730 if (message_id != 1) {
731 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
732 "in SA_AUTH state", message_id);
733 return -1;
734 }
735 break;
736 case CHILD_SA:
737 if (exchange_type != CREATE_CHILD_SA) {
738 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
739 "%u in CHILD_SA state", exchange_type);
740 return -1;
741 }
742 if (message_id != 2) {
743 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
744 "in CHILD_SA state", message_id);
745 return -1;
746 }
747 break;
748 case NOTIFY:
749 case IKEV2_DONE:
750 case IKEV2_FAILED:
751 return -1;
752 }
753
754 return 0;
755}
756
757
758int ikev2_responder_process(struct ikev2_responder_data *data,
759 const struct wpabuf *buf)
760{
761 const struct ikev2_hdr *hdr;
762 u32 length, message_id;
763 const u8 *pos, *end;
764 struct ikev2_payloads pl;
765
766 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
767 (unsigned long) wpabuf_len(buf));
768
769 if (wpabuf_len(buf) < sizeof(*hdr)) {
770 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
771 return -1;
772 }
773
774 data->error_type = 0;
775 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
776 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
777 message_id = WPA_GET_BE32(hdr->message_id);
778 length = WPA_GET_BE32(hdr->length);
779
780 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
781 hdr->i_spi, IKEV2_SPI_LEN);
782 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
783 hdr->r_spi, IKEV2_SPI_LEN);
784 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
785 "Exchange Type: %u",
786 hdr->next_payload, hdr->version, hdr->exchange_type);
787 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
788 message_id, length);
789
790 if (hdr->version != IKEV2_VERSION) {
791 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
792 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
793 return -1;
794 }
795
796 if (length != wpabuf_len(buf)) {
797 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
798 "RX: %lu)", (unsigned long) length,
799 (unsigned long) wpabuf_len(buf));
800 return -1;
801 }
802
803 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
804 return -1;
805
806 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
807 IKEV2_HDR_INITIATOR) {
808 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
809 hdr->flags);
810 return -1;
811 }
812
813 if (data->state != SA_INIT) {
814 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
815 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
816 "Initiator's SPI");
817 return -1;
818 }
819 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
820 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
821 "Responder's SPI");
822 return -1;
823 }
824 }
825
826 pos = (const u8 *) (hdr + 1);
827 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
828 return -1;
829
830 if (data->state == SA_INIT) {
831 data->last_msg = LAST_MSG_SA_INIT;
832 if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
833 if (data->state == NOTIFY)
834 return 0;
835 return -1;
836 }
837 wpabuf_free(data->i_sign_msg);
838 data->i_sign_msg = wpabuf_dup(buf);
839 }
840
841 if (data->state == SA_AUTH) {
842 data->last_msg = LAST_MSG_SA_AUTH;
843 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
844 if (data->state == NOTIFY)
845 return 0;
846 return -1;
847 }
848 }
849
850 return 0;
851}
852
853
854static void ikev2_build_hdr(struct ikev2_responder_data *data,
855 struct wpabuf *msg, u8 exchange_type,
856 u8 next_payload, u32 message_id)
857{
858 struct ikev2_hdr *hdr;
859
860 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
861
862 /* HDR - RFC 4306, Sect. 3.1 */
863 hdr = wpabuf_put(msg, sizeof(*hdr));
864 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
865 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
866 hdr->next_payload = next_payload;
867 hdr->version = IKEV2_VERSION;
868 hdr->exchange_type = exchange_type;
869 hdr->flags = IKEV2_HDR_RESPONSE;
870 WPA_PUT_BE32(hdr->message_id, message_id);
871}
872
873
874static int ikev2_build_sar1(struct ikev2_responder_data *data,
875 struct wpabuf *msg, u8 next_payload)
876{
877 struct ikev2_payload_hdr *phdr;
878 size_t plen;
879 struct ikev2_proposal *p;
880 struct ikev2_transform *t;
881
882 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
883
884 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
885 phdr = wpabuf_put(msg, sizeof(*phdr));
886 phdr->next_payload = next_payload;
887 phdr->flags = 0;
888
889 p = wpabuf_put(msg, sizeof(*p));
890#ifdef CCNS_PL
891 /* Seems to require that the Proposal # is 1 even though RFC 4306
892 * Sect 3.3.1 has following requirement "When a proposal is accepted,
893 * all of the proposal numbers in the SA payload MUST be the same and
894 * MUST match the number on the proposal sent that was accepted.".
895 */
896 p->proposal_num = 1;
897#else /* CCNS_PL */
898 p->proposal_num = data->proposal.proposal_num;
899#endif /* CCNS_PL */
900 p->protocol_id = IKEV2_PROTOCOL_IKE;
901 p->num_transforms = 4;
902
903 t = wpabuf_put(msg, sizeof(*t));
904 t->type = 3;
905 t->transform_type = IKEV2_TRANSFORM_ENCR;
906 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
907 if (data->proposal.encr == ENCR_AES_CBC) {
908 /* Transform Attribute: Key Len = 128 bits */
909#ifdef CCNS_PL
910 wpabuf_put_be16(msg, 0x001d); /* ?? */
911#else /* CCNS_PL */
912 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
913#endif /* CCNS_PL */
914 wpabuf_put_be16(msg, 128); /* 128-bit key */
915 }
916 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
917 WPA_PUT_BE16(t->transform_length, plen);
918
919 t = wpabuf_put(msg, sizeof(*t));
920 t->type = 3;
921 WPA_PUT_BE16(t->transform_length, sizeof(*t));
922 t->transform_type = IKEV2_TRANSFORM_PRF;
923 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
924
925 t = wpabuf_put(msg, sizeof(*t));
926 t->type = 3;
927 WPA_PUT_BE16(t->transform_length, sizeof(*t));
928 t->transform_type = IKEV2_TRANSFORM_INTEG;
929 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
930
931 t = wpabuf_put(msg, sizeof(*t));
932 WPA_PUT_BE16(t->transform_length, sizeof(*t));
933 t->transform_type = IKEV2_TRANSFORM_DH;
934 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
935
936 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
937 WPA_PUT_BE16(p->proposal_length, plen);
938
939 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
940 WPA_PUT_BE16(phdr->payload_length, plen);
941
942 return 0;
943}
944
945
946static int ikev2_build_ker(struct ikev2_responder_data *data,
947 struct wpabuf *msg, u8 next_payload)
948{
949 struct ikev2_payload_hdr *phdr;
950 size_t plen;
951 struct wpabuf *pv;
952
953 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
954
955 pv = dh_init(data->dh, &data->r_dh_private);
956 if (pv == NULL) {
957 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
958 return -1;
959 }
960
961 /* KEr - RFC 4306, Sect. 3.4 */
962 phdr = wpabuf_put(msg, sizeof(*phdr));
963 phdr->next_payload = next_payload;
964 phdr->flags = 0;
965
966 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
967 wpabuf_put(msg, 2); /* RESERVED */
968 /*
969 * RFC 4306, Sect. 3.4: possible zero padding for public value to
970 * match the length of the prime.
971 */
972 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
973 wpabuf_put_buf(msg, pv);
974 wpabuf_free(pv);
975
976 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
977 WPA_PUT_BE16(phdr->payload_length, plen);
978 return 0;
979}
980
981
982static int ikev2_build_nr(struct ikev2_responder_data *data,
983 struct wpabuf *msg, u8 next_payload)
984{
985 struct ikev2_payload_hdr *phdr;
986 size_t plen;
987
988 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
989
990 /* Nr - RFC 4306, Sect. 3.9 */
991 phdr = wpabuf_put(msg, sizeof(*phdr));
992 phdr->next_payload = next_payload;
993 phdr->flags = 0;
994 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
995 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
996 WPA_PUT_BE16(phdr->payload_length, plen);
997 return 0;
998}
999
1000
1001static int ikev2_build_idr(struct ikev2_responder_data *data,
1002 struct wpabuf *msg, u8 next_payload)
1003{
1004 struct ikev2_payload_hdr *phdr;
1005 size_t plen;
1006
1007 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
1008
1009 if (data->IDr == NULL) {
1010 wpa_printf(MSG_INFO, "IKEV2: No IDr available");
1011 return -1;
1012 }
1013
1014 /* IDr - RFC 4306, Sect. 3.5 */
1015 phdr = wpabuf_put(msg, sizeof(*phdr));
1016 phdr->next_payload = next_payload;
1017 phdr->flags = 0;
1018 wpabuf_put_u8(msg, ID_KEY_ID);
1019 wpabuf_put(msg, 3); /* RESERVED */
1020 wpabuf_put_data(msg, data->IDr, data->IDr_len);
1021 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1022 WPA_PUT_BE16(phdr->payload_length, plen);
1023 return 0;
1024}
1025
1026
1027static int ikev2_build_auth(struct ikev2_responder_data *data,
1028 struct wpabuf *msg, u8 next_payload)
1029{
1030 struct ikev2_payload_hdr *phdr;
1031 size_t plen;
1032 const struct ikev2_prf_alg *prf;
1033
1034 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1035
1036 prf = ikev2_get_prf(data->proposal.prf);
1037 if (prf == NULL)
1038 return -1;
1039
1040 /* Authentication - RFC 4306, Sect. 3.8 */
1041 phdr = wpabuf_put(msg, sizeof(*phdr));
1042 phdr->next_payload = next_payload;
1043 phdr->flags = 0;
1044 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1045 wpabuf_put(msg, 3); /* RESERVED */
1046
1047 /* msg | Ni | prf(SK_pr,IDr') */
1048 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1049 data->IDr, data->IDr_len, ID_KEY_ID,
1050 &data->keys, 0, data->shared_secret,
1051 data->shared_secret_len,
1052 data->i_nonce, data->i_nonce_len,
1053 data->key_pad, data->key_pad_len,
1054 wpabuf_put(msg, prf->hash_len)) < 0) {
1055 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1056 return -1;
1057 }
1058 wpabuf_free(data->r_sign_msg);
1059 data->r_sign_msg = NULL;
1060
1061 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1062 WPA_PUT_BE16(phdr->payload_length, plen);
1063 return 0;
1064}
1065
1066
1067static int ikev2_build_notification(struct ikev2_responder_data *data,
1068 struct wpabuf *msg, u8 next_payload)
1069{
1070 struct ikev2_payload_hdr *phdr;
1071 size_t plen;
1072
1073 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1074
1075 if (data->error_type == 0) {
1076 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1077 "available");
1078 return -1;
1079 }
1080
1081 /* Notify - RFC 4306, Sect. 3.10 */
1082 phdr = wpabuf_put(msg, sizeof(*phdr));
1083 phdr->next_payload = next_payload;
1084 phdr->flags = 0;
1085#ifdef CCNS_PL
1086 wpabuf_put_u8(msg, 1); /* Protocol ID: IKE_SA notification */
1087#else /* CCNS_PL */
1088 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1089#endif /* CCNS_PL */
1090 wpabuf_put_u8(msg, 0); /* SPI Size */
1091 wpabuf_put_be16(msg, data->error_type);
1092
1093 switch (data->error_type) {
1094 case INVALID_KE_PAYLOAD:
1095 if (data->proposal.dh == -1) {
1096 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1097 "INVALID_KE_PAYLOAD notifications");
1098 return -1;
1099 }
1100 wpabuf_put_be16(msg, data->proposal.dh);
1101 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1102 "DH Group #%d", data->proposal.dh);
1103 break;
1104 case AUTHENTICATION_FAILED:
1105 /* no associated data */
1106 break;
1107 default:
1108 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1109 "%d", data->error_type);
1110 return -1;
1111 }
1112
1113 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1114 WPA_PUT_BE16(phdr->payload_length, plen);
1115 return 0;
1116}
1117
1118
1119static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1120{
1121 struct wpabuf *msg;
1122
1123 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1124
1125 if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1126 return NULL;
1127 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1128 data->r_spi, IKEV2_SPI_LEN);
1129
1130 data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
4781064b 1131 if (random_get_bytes(data->r_nonce, data->r_nonce_len))
a875087d
JL
1132 return NULL;
1133#ifdef CCNS_PL
1134 /* Zeros are removed incorrectly from the beginning of the nonces in
1135 * key derivation; as a workaround, make sure Nr does not start with
1136 * zero.. */
1137 if (data->r_nonce[0] == 0)
1138 data->r_nonce[0] = 1;
1139#endif /* CCNS_PL */
1140 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1141
1142 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1143 if (msg == NULL)
1144 return NULL;
1145
1146 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1147 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1148 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1149 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1150 IKEV2_PAYLOAD_ENCRYPTED :
1151 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1152 wpabuf_free(msg);
1153 return NULL;
1154 }
1155
1156 if (ikev2_derive_keys(data)) {
1157 wpabuf_free(msg);
1158 return NULL;
1159 }
1160
1161 if (data->peer_auth == PEER_AUTH_CERT) {
1162 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1163 * for trust agents */
1164 }
1165
1166 if (data->peer_auth == PEER_AUTH_SECRET) {
1167 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1168 if (plain == NULL) {
1169 wpabuf_free(msg);
1170 return NULL;
1171 }
1172 if (ikev2_build_idr(data, plain,
1173 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1174 ikev2_build_encrypted(data->proposal.encr,
1175 data->proposal.integ,
1176 &data->keys, 0, msg, plain,
1177 IKEV2_PAYLOAD_IDr)) {
1178 wpabuf_free(plain);
1179 wpabuf_free(msg);
1180 return NULL;
1181 }
1182 wpabuf_free(plain);
1183 }
1184
1185 ikev2_update_hdr(msg);
1186
1187 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1188
1189 data->state = SA_AUTH;
1190
1191 wpabuf_free(data->r_sign_msg);
1192 data->r_sign_msg = wpabuf_dup(msg);
1193
1194 return msg;
1195}
1196
1197
1198static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1199{
1200 struct wpabuf *msg, *plain;
1201
1202 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1203
1204 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1205 if (msg == NULL)
1206 return NULL;
1207 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1208
1209 plain = wpabuf_alloc(data->IDr_len + 1000);
1210 if (plain == NULL) {
1211 wpabuf_free(msg);
1212 return NULL;
1213 }
1214
1215 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1216 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1217 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1218 &data->keys, 0, msg, plain,
1219 IKEV2_PAYLOAD_IDr)) {
1220 wpabuf_free(plain);
1221 wpabuf_free(msg);
1222 return NULL;
1223 }
1224 wpabuf_free(plain);
1225
1226 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1227
1228 data->state = IKEV2_DONE;
1229
1230 return msg;
1231}
1232
1233
1234static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1235{
1236 struct wpabuf *msg;
1237
1238 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1239 if (msg == NULL)
1240 return NULL;
1241 if (data->last_msg == LAST_MSG_SA_AUTH) {
1242 /* HDR, SK{N} */
1243 struct wpabuf *plain = wpabuf_alloc(100);
1244 if (plain == NULL) {
1245 wpabuf_free(msg);
1246 return NULL;
1247 }
1248 ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1249 IKEV2_PAYLOAD_ENCRYPTED, 1);
1250 if (ikev2_build_notification(data, plain,
1251 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1252 ikev2_build_encrypted(data->proposal.encr,
1253 data->proposal.integ,
1254 &data->keys, 0, msg, plain,
1255 IKEV2_PAYLOAD_NOTIFICATION)) {
1256 wpabuf_free(plain);
1257 wpabuf_free(msg);
1258 return NULL;
1259 }
4781064b 1260 wpabuf_free(plain);
a875087d
JL
1261 data->state = IKEV2_FAILED;
1262 } else {
1263 /* HDR, N */
1264 ikev2_build_hdr(data, msg, IKE_SA_INIT,
1265 IKEV2_PAYLOAD_NOTIFICATION, 0);
1266 if (ikev2_build_notification(data, msg,
1267 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1268 wpabuf_free(msg);
1269 return NULL;
1270 }
1271 data->state = SA_INIT;
1272 }
1273
1274 ikev2_update_hdr(msg);
1275
1276 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1277 msg);
1278
1279 return msg;
1280}
1281
1282
1283struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1284{
1285 switch (data->state) {
1286 case SA_INIT:
1287 return ikev2_build_sa_init(data);
1288 case SA_AUTH:
1289 return ikev2_build_sa_auth(data);
1290 case CHILD_SA:
1291 return NULL;
1292 case NOTIFY:
1293 return ikev2_build_notify(data);
1294 case IKEV2_DONE:
1295 case IKEV2_FAILED:
1296 return NULL;
1297 }
1298 return NULL;
1299}