contrib/hostapd/src/eap_server/ikev2.c

   1 /*
   2  * IKEv2 initiator (RFC 4306) for EAP-IKEV2
   3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  */
  14
  15 #include "includes.h"
  16
  17 #include "common.h"
  18 #include "dh_groups.h"
  19 #include "ikev2.h"
  20
  21
  22 static int ikev2_process_idr(struct ikev2_initiator_data *data,
  23                              const u8 *idr, size_t idr_len);
  24
  25
  26 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
  27 {
  28         ikev2_free_keys(&data->keys);
  29         wpabuf_free(data->r_dh_public);
  30         wpabuf_free(data->i_dh_private);
  31         os_free(data->IDi);
  32         os_free(data->IDr);
  33         os_free(data->shared_secret);
  34         wpabuf_free(data->i_sign_msg);
  35         wpabuf_free(data->r_sign_msg);
  36         os_free(data->key_pad);
  37 }
  38
  39
  40 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
  41 {
  42         u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
  43         size_t buf_len, pad_len;
  44         struct wpabuf *shared;
  45         const struct ikev2_integ_alg *integ;
  46         const struct ikev2_prf_alg *prf;
  47         const struct ikev2_encr_alg *encr;
  48         int ret;
  49         const u8 *addr[2];
  50         size_t len[2];
  51
  52         /* RFC 4306, Sect. 2.14 */
  53
  54         integ = ikev2_get_integ(data->proposal.integ);
  55         prf = ikev2_get_prf(data->proposal.prf);
  56         encr = ikev2_get_encr(data->proposal.encr);
  57         if (integ == NULL || prf == NULL || encr == NULL) {
  58                 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
  59                 return -1;
  60         }
  61
  62         shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
  63                                   data->dh);
  64         if (shared == NULL)
  65                 return -1;
  66
  67         /* Construct Ni | Nr | SPIi | SPIr */
  68
  69         buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
  70         buf = os_malloc(buf_len);
  71         if (buf == NULL) {
  72                 wpabuf_free(shared);
  73                 return -1;
  74         }
  75
  76         pos = buf;
  77         os_memcpy(pos, data->i_nonce, data->i_nonce_len);
  78         pos += data->i_nonce_len;
  79         os_memcpy(pos, data->r_nonce, data->r_nonce_len);
  80         pos += data->r_nonce_len;
  81         os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
  82         pos += IKEV2_SPI_LEN;
  83         os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
  84
  85         /* SKEYSEED = prf(Ni | Nr, g^ir) */
  86
  87         /* Use zero-padding per RFC 4306, Sect. 2.14 */
  88         pad_len = data->dh->prime_len - wpabuf_len(shared);
  89         pad = os_zalloc(pad_len ? pad_len : 1);
  90         if (pad == NULL) {
  91                 wpabuf_free(shared);
  92                 os_free(buf);
  93                 return -1;
  94         }
  95         addr[0] = pad;
  96         len[0] = pad_len;
  97         addr[1] = wpabuf_head(shared);
  98         len[1] = wpabuf_len(shared);
  99         if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
 100                            2, addr, len, skeyseed) < 0) {
 101                 wpabuf_free(shared);
 102                 os_free(buf);
 103                 os_free(pad);
 104                 return -1;
 105         }
 106         os_free(pad);
 107         wpabuf_free(shared);
 108
 109         /* DH parameters are not needed anymore, so free them */
 110         wpabuf_free(data->r_dh_public);
 111         data->r_dh_public = NULL;
 112         wpabuf_free(data->i_dh_private);
 113         data->i_dh_private = NULL;
 114
 115         wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
 116                         skeyseed, prf->hash_len);
 117
 118         ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
 119                                    &data->keys);
 120         os_free(buf);
 121         return ret;
 122 }
 123
 124
 125 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
 126                                  struct ikev2_proposal_data *prop,
 127                                  const u8 *pos, const u8 *end)
 128 {
 129         int transform_len;
 130         const struct ikev2_transform *t;
 131         u16 transform_id;
 132         const u8 *tend;
 133
 134         if (end - pos < (int) sizeof(*t)) {
 135                 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
 136                 return -1;
 137         }
 138
 139         t = (const struct ikev2_transform *) pos;
 140         transform_len = WPA_GET_BE16(t->transform_length);
 141         if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
 142                 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
 143                            transform_len);
 144                 return -1;
 145         }
 146         tend = pos + transform_len;
 147
 148         transform_id = WPA_GET_BE16(t->transform_id);
 149
 150         wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
 151         wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
 152                    "Transform Type: %d  Transform ID: %d",
 153                    t->type, transform_len, t->transform_type, transform_id);
 154
 155         if (t->type != 0 && t->type != 3) {
 156                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
 157                 return -1;
 158         }
 159
 160         pos = (const u8 *) (t + 1);
 161         if (pos < tend) {
 162                 wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
 163                             pos, tend - pos);
 164         }
 165
 166         switch (t->transform_type) {
 167         case IKEV2_TRANSFORM_ENCR:
 168                 if (ikev2_get_encr(transform_id) &&
 169                     transform_id == data->proposal.encr) {
 170                         if (transform_id == ENCR_AES_CBC) {
 171                                 if (tend - pos != 4) {
 172                                         wpa_printf(MSG_DEBUG, "IKEV2: No "
 173                                                    "Transform Attr for AES");
 174                                         break;
 175                                 }
 176                                 if (WPA_GET_BE16(pos) != 0x800e) {
 177                                         wpa_printf(MSG_DEBUG, "IKEV2: Not a "
 178                                                    "Key Size attribute for "
 179                                                    "AES");
 180                                         break;
 181                                 }
 182                                 if (WPA_GET_BE16(pos + 2) != 128) {
 183                                         wpa_printf(MSG_DEBUG, "IKEV2: "
 184                                                    "Unsupported AES key size "
 185                                                    "%d bits",
 186                                                    WPA_GET_BE16(pos + 2));
 187                                         break;
 188                                 }
 189                         }
 190                         prop->encr = transform_id;
 191                 }
 192                 break;
 193         case IKEV2_TRANSFORM_PRF:
 194                 if (ikev2_get_prf(transform_id) &&
 195                     transform_id == data->proposal.prf)
 196                         prop->prf = transform_id;
 197                 break;
 198         case IKEV2_TRANSFORM_INTEG:
 199                 if (ikev2_get_integ(transform_id) &&
 200                     transform_id == data->proposal.integ)
 201                         prop->integ = transform_id;
 202                 break;
 203         case IKEV2_TRANSFORM_DH:
 204                 if (dh_groups_get(transform_id) &&
 205                     transform_id == data->proposal.dh)
 206                         prop->dh = transform_id;
 207                 break;
 208         }
 209
 210         return transform_len;
 211 }
 212
 213
 214 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
 215                                 struct ikev2_proposal_data *prop,
 216                                 const u8 *pos, const u8 *end)
 217 {
 218         const u8 *pend, *ppos;
 219         int proposal_len, i;
 220         const struct ikev2_proposal *p;
 221
 222         if (end - pos < (int) sizeof(*p)) {
 223                 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
 224                 return -1;
 225         }
 226
 227         p = (const struct ikev2_proposal *) pos;
 228         proposal_len = WPA_GET_BE16(p->proposal_length);
 229         if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
 230                 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
 231                            proposal_len);
 232                 return -1;
 233         }
 234         wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
 235                    p->proposal_num);
 236         wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
 237                    " Protocol ID: %d",
 238                    p->type, proposal_len, p->protocol_id);
 239         wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
 240                    p->spi_size, p->num_transforms);
 241
 242         if (p->type != 0 && p->type != 2) {
 243                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
 244                 return -1;
 245         }
 246
 247         if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
 248                 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
 249                            "(only IKE allowed for EAP-IKEv2)");
 250                 return -1;
 251         }
 252
 253         if (p->proposal_num != prop->proposal_num) {
 254                 if (p->proposal_num == prop->proposal_num + 1)
 255                         prop->proposal_num = p->proposal_num;
 256                 else {
 257                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
 258                         return -1;
 259                 }
 260         }
 261
 262         ppos = (const u8 *) (p + 1);
 263         pend = pos + proposal_len;
 264         if (ppos + p->spi_size > pend) {
 265                 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
 266                            "in proposal");
 267                 return -1;
 268         }
 269         if (p->spi_size) {
 270                 wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
 271                             ppos, p->spi_size);
 272                 ppos += p->spi_size;
 273         }
 274
 275         /*
 276          * For initial IKE_SA negotiation, SPI Size MUST be zero; for
 277          * subsequent negotiations, it must be 8 for IKE. We only support
 278          * initial case for now.
 279          */
 280         if (p->spi_size != 0) {
 281                 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
 282                 return -1;
 283         }
 284
 285         if (p->num_transforms == 0) {
 286                 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
 287                 return -1;
 288         }
 289
 290         for (i = 0; i < (int) p->num_transforms; i++) {
 291                 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
 292                 if (tlen < 0)
 293                         return -1;
 294                 ppos += tlen;
 295         }
 296
 297         if (ppos != pend) {
 298                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
 299                            "transforms");
 300                 return -1;
 301         }
 302
 303         return proposal_len;
 304 }
 305
 306
 307 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
 308                               const u8 *sar1, size_t sar1_len)
 309 {
 310         struct ikev2_proposal_data prop;
 311         const u8 *pos, *end;
 312         int found = 0;
 313
 314         /* Security Association Payloads: <Proposals> */
 315
 316         if (sar1 == NULL) {
 317                 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
 318                 return -1;
 319         }
 320
 321         os_memset(&prop, 0, sizeof(prop));
 322         prop.proposal_num = 1;
 323
 324         pos = sar1;
 325         end = sar1 + sar1_len;
 326
 327         while (pos < end) {
 328                 int plen;
 329
 330                 prop.integ = -1;
 331                 prop.prf = -1;
 332                 prop.encr = -1;
 333                 prop.dh = -1;
 334                 plen = ikev2_parse_proposal(data, &prop, pos, end);
 335                 if (plen < 0)
 336                         return -1;
 337
 338                 if (!found && prop.integ != -1 && prop.prf != -1 &&
 339                     prop.encr != -1 && prop.dh != -1) {
 340                         found = 1;
 341                 }
 342
 343                 pos += plen;
 344
 345                 /* Only one proposal expected in SAr */
 346                 break;
 347         }
 348
 349         if (pos != end) {
 350                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
 351                 return -1;
 352         }
 353
 354         if (!found) {
 355                 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
 356                 return -1;
 357         }
 358
 359         wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
 360                    "INTEG:%d D-H:%d", data->proposal.proposal_num,
 361                    data->proposal.encr, data->proposal.prf,
 362                    data->proposal.integ, data->proposal.dh);
 363
 364         return 0;
 365 }
 366
 367
 368 static int ikev2_process_ker(struct ikev2_initiator_data *data,
 369                              const u8 *ker, size_t ker_len)
 370 {
 371         u16 group;
 372
 373         /*
 374          * Key Exchange Payload:
 375          * DH Group # (16 bits)
 376          * RESERVED (16 bits)
 377          * Key Exchange Data (Diffie-Hellman public value)
 378          */
 379
 380         if (ker == NULL) {
 381                 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
 382                 return -1;
 383         }
 384
 385         if (ker_len < 4 + 96) {
 386                 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
 387                 return -1;
 388         }
 389
 390         group = WPA_GET_BE16(ker);
 391         wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
 392
 393         if (group != data->proposal.dh) {
 394                 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
 395                            "with the selected proposal (%u)",
 396                            group, data->proposal.dh);
 397                 return -1;
 398         }
 399
 400         if (data->dh == NULL) {
 401                 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
 402                 return -1;
 403         }
 404
 405         /* RFC 4306, Section 3.4:
 406          * The length of DH public value MUST be equal to the lenght of the
 407          * prime modulus.
 408          */
 409         if (ker_len - 4 != data->dh->prime_len) {
 410                 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
 411                            "%ld (expected %ld)",
 412                            (long) (ker_len - 4), (long) data->dh->prime_len);
 413                 return -1;
 414         }
 415
 416         wpabuf_free(data->r_dh_public);
 417         data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
 418         if (data->r_dh_public == NULL)
 419                 return -1;
 420
 421         wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
 422                         data->r_dh_public);
 423
 424         return 0;
 425 }
 426
 427
 428 static int ikev2_process_nr(struct ikev2_initiator_data *data,
 429                             const u8 *nr, size_t nr_len)
 430 {
 431         if (nr == NULL) {
 432                 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
 433                 return -1;
 434         }
 435
 436         if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
 437                 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
 438                            (long) nr_len);
 439                 return -1;
 440         }
 441
 442         data->r_nonce_len = nr_len;
 443         os_memcpy(data->r_nonce, nr, nr_len);
 444         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
 445                     data->r_nonce, data->r_nonce_len);
 446
 447         return 0;
 448 }
 449
 450
 451 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
 452                                       const struct ikev2_hdr *hdr,
 453                                       const u8 *encrypted,
 454                                       size_t encrypted_len, u8 next_payload)
 455 {
 456         u8 *decrypted;
 457         size_t decrypted_len;
 458         struct ikev2_payloads pl;
 459         int ret = 0;
 460
 461         decrypted = ikev2_decrypt_payload(data->proposal.encr,
 462                                           data->proposal.integ, &data->keys, 0,
 463                                           hdr, encrypted, encrypted_len,
 464                                           &decrypted_len);
 465         if (decrypted == NULL)
 466                 return -1;
 467
 468         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
 469
 470         if (ikev2_parse_payloads(&pl, next_payload, decrypted,
 471                                  decrypted + decrypted_len) < 0) {
 472                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
 473                            "payloads");
 474                 return -1;
 475         }
 476
 477         if (pl.idr)
 478                 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
 479
 480         os_free(decrypted);
 481
 482         return ret;
 483 }
 484
 485
 486 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
 487                                  const struct ikev2_hdr *hdr,
 488                                  struct ikev2_payloads *pl)
 489 {
 490         if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
 491             ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
 492             ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
 493                 return -1;
 494
 495         os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
 496
 497         if (ikev2_derive_keys(data) < 0)
 498                 return -1;
 499
 500         if (pl->encrypted) {
 501                 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
 502                            "try to get IDr from it");
 503                 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
 504                                                pl->encrypted_len,
 505                                                pl->encr_next_payload) < 0) {
 506                         wpa_printf(MSG_INFO, "IKEV2: Failed to process "
 507                                    "encrypted payload");
 508                         return -1;
 509                 }
 510         }
 511
 512         data->state = SA_AUTH;
 513
 514         return 0;
 515 }
 516
 517
 518 static int ikev2_process_idr(struct ikev2_initiator_data *data,
 519                              const u8 *idr, size_t idr_len)
 520 {
 521         u8 id_type;
 522
 523         if (idr == NULL) {
 524                 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
 525                 return -1;
 526         }
 527
 528         if (idr_len < 4) {
 529                 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
 530                 return -1;
 531         }
 532
 533         id_type = idr[0];
 534         idr += 4;
 535         idr_len -= 4;
 536
 537         wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
 538         wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
 539         if (data->IDr) {
 540                 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
 541                     os_memcmp(idr, data->IDr, idr_len) != 0) {
 542                         wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
 543                                    "received earlier");
 544                         wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
 545                                    id_type);
 546                         wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
 547                                           data->IDr, data->IDr_len);
 548                         return -1;
 549                 }
 550                 os_free(data->IDr);
 551         }
 552         data->IDr = os_malloc(idr_len);
 553         if (data->IDr == NULL)
 554                 return -1;
 555         os_memcpy(data->IDr, idr, idr_len);
 556         data->IDr_len = idr_len;
 557         data->IDr_type = id_type;
 558
 559         return 0;
 560 }
 561
 562
 563 static int ikev2_process_cert(struct ikev2_initiator_data *data,
 564                               const u8 *cert, size_t cert_len)
 565 {
 566         u8 cert_encoding;
 567
 568         if (cert == NULL) {
 569                 if (data->peer_auth == PEER_AUTH_CERT) {
 570                         wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
 571                         return -1;
 572                 }
 573                 return 0;
 574         }
 575
 576         if (cert_len < 1) {
 577                 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
 578                 return -1;
 579         }
 580
 581         cert_encoding = cert[0];
 582         cert++;
 583         cert_len--;
 584
 585         wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
 586         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
 587
 588         /* TODO: validate certificate */
 589
 590         return 0;
 591 }
 592
 593
 594 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
 595                                    u8 method, const u8 *auth, size_t auth_len)
 596 {
 597         if (method != AUTH_RSA_SIGN) {
 598                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
 599                            "method %d", method);
 600                 return -1;
 601         }
 602
 603         /* TODO: validate AUTH */
 604         return 0;
 605 }
 606
 607
 608 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
 609                                      u8 method, const u8 *auth,
 610                                      size_t auth_len)
 611 {
 612         u8 auth_data[IKEV2_MAX_HASH_LEN];
 613         const struct ikev2_prf_alg *prf;
 614
 615         if (method != AUTH_SHARED_KEY_MIC) {
 616                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
 617                            "method %d", method);
 618                 return -1;
 619         }
 620
 621         /* msg | Ni | prf(SK_pr,IDr') */
 622         if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
 623                                    data->IDr, data->IDr_len, data->IDr_type,
 624                                    &data->keys, 0, data->shared_secret,
 625                                    data->shared_secret_len,
 626                                    data->i_nonce, data->i_nonce_len,
 627                                    data->key_pad, data->key_pad_len,
 628                                    auth_data) < 0) {
 629                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
 630                 return -1;
 631         }
 632
 633         wpabuf_free(data->r_sign_msg);
 634         data->r_sign_msg = NULL;
 635
 636         prf = ikev2_get_prf(data->proposal.prf);
 637         if (prf == NULL)
 638                 return -1;
 639
 640         if (auth_len != prf->hash_len ||
 641             os_memcmp(auth, auth_data, auth_len) != 0) {
 642                 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
 643                 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
 644                             auth, auth_len);
 645                 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
 646                             auth_data, prf->hash_len);
 647                 return -1;
 648         }
 649
 650         wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
 651                    "using shared keys");
 652
 653         return 0;
 654 }
 655
 656
 657 static int ikev2_process_auth(struct ikev2_initiator_data *data,
 658                               const u8 *auth, size_t auth_len)
 659 {
 660         u8 auth_method;
 661
 662         if (auth == NULL) {
 663                 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
 664                 return -1;
 665         }
 666
 667         if (auth_len < 4) {
 668                 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
 669                            "Payload");
 670                 return -1;
 671         }
 672
 673         auth_method = auth[0];
 674         auth += 4;
 675         auth_len -= 4;
 676
 677         wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
 678         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
 679
 680         switch (data->peer_auth) {
 681         case PEER_AUTH_CERT:
 682                 return ikev2_process_auth_cert(data, auth_method, auth,
 683                                                auth_len);
 684         case PEER_AUTH_SECRET:
 685                 return ikev2_process_auth_secret(data, auth_method, auth,
 686                                                  auth_len);
 687         }
 688
 689         return -1;
 690 }
 691
 692
 693 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
 694                                            u8 next_payload,
 695                                            u8 *payload, size_t payload_len)
 696 {
 697         struct ikev2_payloads pl;
 698
 699         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
 700
 701         if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
 702                                  payload_len) < 0) {
 703                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
 704                            "payloads");
 705                 return -1;
 706         }
 707
 708         if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
 709             ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
 710             ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
 711                 return -1;
 712
 713         return 0;
 714 }
 715
 716
 717 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
 718                                  const struct ikev2_hdr *hdr,
 719                                  struct ikev2_payloads *pl)
 720 {
 721         u8 *decrypted;
 722         size_t decrypted_len;
 723         int ret;
 724
 725         decrypted = ikev2_decrypt_payload(data->proposal.encr,
 726                                           data->proposal.integ,
 727                                           &data->keys, 0, hdr, pl->encrypted,
 728                                           pl->encrypted_len, &decrypted_len);
 729         if (decrypted == NULL)
 730                 return -1;
 731
 732         ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
 733                                               decrypted, decrypted_len);
 734         os_free(decrypted);
 735
 736         if (ret == 0 && !data->unknown_user) {
 737                 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
 738                 data->state = IKEV2_DONE;
 739         }
 740
 741         return ret;
 742 }
 743
 744
 745 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
 746                                    u8 exchange_type, u32 message_id)
 747 {
 748         switch (data->state) {
 749         case SA_INIT:
 750                 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
 751                  * [SK{IDr}] */
 752                 if (exchange_type != IKE_SA_INIT) {
 753                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 754                                    "%u in SA_INIT state", exchange_type);
 755                         return -1;
 756                 }
 757                 if (message_id != 0) {
 758                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 759                                    "in SA_INIT state", message_id);
 760                         return -1;
 761                 }
 762                 break;
 763         case SA_AUTH:
 764                 /* Expect to receive IKE_SA_AUTH:
 765                  * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
 766                  */
 767                 if (exchange_type != IKE_SA_AUTH) {
 768                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 769                                    "%u in SA_AUTH state", exchange_type);
 770                         return -1;
 771                 }
 772                 if (message_id != 1) {
 773                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 774                                    "in SA_AUTH state", message_id);
 775                         return -1;
 776                 }
 777                 break;
 778         case CHILD_SA:
 779                 if (exchange_type != CREATE_CHILD_SA) {
 780                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 781                                    "%u in CHILD_SA state", exchange_type);
 782                         return -1;
 783                 }
 784                 if (message_id != 2) {
 785                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 786                                    "in CHILD_SA state", message_id);
 787                         return -1;
 788                 }
 789                 break;
 790         case IKEV2_DONE:
 791                 return -1;
 792         }
 793
 794         return 0;
 795 }
 796
 797
 798 int ikev2_initiator_process(struct ikev2_initiator_data *data,
 799                             const struct wpabuf *buf)
 800 {
 801         const struct ikev2_hdr *hdr;
 802         u32 length, message_id;
 803         const u8 *pos, *end;
 804         struct ikev2_payloads pl;
 805
 806         wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
 807                    (unsigned long) wpabuf_len(buf));
 808
 809         if (wpabuf_len(buf) < sizeof(*hdr)) {
 810                 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
 811                 return -1;
 812         }
 813
 814         hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
 815         end = wpabuf_head_u8(buf) + wpabuf_len(buf);
 816         message_id = WPA_GET_BE32(hdr->message_id);
 817         length = WPA_GET_BE32(hdr->length);
 818
 819         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
 820                     hdr->i_spi, IKEV2_SPI_LEN);
 821         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
 822                     hdr->r_spi, IKEV2_SPI_LEN);
 823         wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
 824                    "Exchange Type: %u",
 825                    hdr->next_payload, hdr->version, hdr->exchange_type);
 826         wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
 827                    message_id, length);
 828
 829         if (hdr->version != IKEV2_VERSION) {
 830                 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
 831                            "(expected 0x%x)", hdr->version, IKEV2_VERSION);
 832                 return -1;
 833         }
 834
 835         if (length != wpabuf_len(buf)) {
 836                 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
 837                            "RX: %lu)", (unsigned long) length,
 838                            (unsigned long) wpabuf_len(buf));
 839                 return -1;
 840         }
 841
 842         if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
 843                 return -1;
 844
 845         if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
 846             IKEV2_HDR_RESPONSE) {
 847                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
 848                            hdr->flags);
 849                 return -1;
 850         }
 851
 852         if (data->state != SA_INIT) {
 853                 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
 854                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
 855                                    "Initiator's SPI");
 856                         return -1;
 857                 }
 858                 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
 859                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
 860                                    "Responder's SPI");
 861                         return -1;
 862                 }
 863         }
 864
 865         pos = (const u8 *) (hdr + 1);
 866         if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
 867                 return -1;
 868
 869         switch (data->state) {
 870         case SA_INIT:
 871                 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
 872                         return -1;
 873                 wpabuf_free(data->r_sign_msg);
 874                 data->r_sign_msg = wpabuf_dup(buf);
 875                 break;
 876         case SA_AUTH:
 877                 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
 878                         return -1;
 879                 break;
 880         case CHILD_SA:
 881         case IKEV2_DONE:
 882                 break;
 883         }
 884
 885         return 0;
 886 }
 887
 888
 889 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
 890                             struct wpabuf *msg, u8 exchange_type,
 891                             u8 next_payload, u32 message_id)
 892 {
 893         struct ikev2_hdr *hdr;
 894
 895         wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
 896
 897         /* HDR - RFC 4306, Sect. 3.1 */
 898         hdr = wpabuf_put(msg, sizeof(*hdr));
 899         os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
 900         os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
 901         hdr->next_payload = next_payload;
 902         hdr->version = IKEV2_VERSION;
 903         hdr->exchange_type = exchange_type;
 904         hdr->flags = IKEV2_HDR_INITIATOR;
 905         WPA_PUT_BE32(hdr->message_id, message_id);
 906 }
 907
 908
 909 static int ikev2_build_sai(struct ikev2_initiator_data *data,
 910                             struct wpabuf *msg, u8 next_payload)
 911 {
 912         struct ikev2_payload_hdr *phdr;
 913         size_t plen;
 914         struct ikev2_proposal *p;
 915         struct ikev2_transform *t;
 916
 917         wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
 918
 919         /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
 920         phdr = wpabuf_put(msg, sizeof(*phdr));
 921         phdr->next_payload = next_payload;
 922         phdr->flags = 0;
 923
 924         /* TODO: support for multiple proposals */
 925         p = wpabuf_put(msg, sizeof(*p));
 926         p->proposal_num = data->proposal.proposal_num;
 927         p->protocol_id = IKEV2_PROTOCOL_IKE;
 928         p->num_transforms = 4;
 929
 930         t = wpabuf_put(msg, sizeof(*t));
 931         t->type = 3;
 932         t->transform_type = IKEV2_TRANSFORM_ENCR;
 933         WPA_PUT_BE16(t->transform_id, data->proposal.encr);
 934         if (data->proposal.encr == ENCR_AES_CBC) {
 935                 /* Transform Attribute: Key Len = 128 bits */
 936                 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
 937                 wpabuf_put_be16(msg, 128); /* 128-bit key */
 938         }
 939         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
 940         WPA_PUT_BE16(t->transform_length, plen);
 941
 942         t = wpabuf_put(msg, sizeof(*t));
 943         t->type = 3;
 944         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 945         t->transform_type = IKEV2_TRANSFORM_PRF;
 946         WPA_PUT_BE16(t->transform_id, data->proposal.prf);
 947
 948         t = wpabuf_put(msg, sizeof(*t));
 949         t->type = 3;
 950         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 951         t->transform_type = IKEV2_TRANSFORM_INTEG;
 952         WPA_PUT_BE16(t->transform_id, data->proposal.integ);
 953
 954         t = wpabuf_put(msg, sizeof(*t));
 955         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 956         t->transform_type = IKEV2_TRANSFORM_DH;
 957         WPA_PUT_BE16(t->transform_id, data->proposal.dh);
 958
 959         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
 960         WPA_PUT_BE16(p->proposal_length, plen);
 961
 962         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
 963         WPA_PUT_BE16(phdr->payload_length, plen);
 964
 965         return 0;
 966 }
 967
 968
 969 static int ikev2_build_kei(struct ikev2_initiator_data *data,
 970                            struct wpabuf *msg, u8 next_payload)
 971 {
 972         struct ikev2_payload_hdr *phdr;
 973         size_t plen;
 974         struct wpabuf *pv;
 975
 976         wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
 977
 978         data->dh = dh_groups_get(data->proposal.dh);
 979         pv = dh_init(data->dh, &data->i_dh_private);
 980         if (pv == NULL) {
 981                 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
 982                 return -1;
 983         }
 984
 985         /* KEi - RFC 4306, Sect. 3.4 */
 986         phdr = wpabuf_put(msg, sizeof(*phdr));
 987         phdr->next_payload = next_payload;
 988         phdr->flags = 0;
 989
 990         wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
 991         wpabuf_put(msg, 2); /* RESERVED */
 992         /*
 993          * RFC 4306, Sect. 3.4: possible zero padding for public value to
 994          * match the length of the prime.
 995          */
 996         wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
 997         wpabuf_put_buf(msg, pv);
 998         os_free(pv);
 999
1000         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1001         WPA_PUT_BE16(phdr->payload_length, plen);
1002         return 0;
1003 }
1004
1005
1006 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1007                           struct wpabuf *msg, u8 next_payload)
1008 {
1009         struct ikev2_payload_hdr *phdr;
1010         size_t plen;
1011
1012         wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1013
1014         /* Ni - RFC 4306, Sect. 3.9 */
1015         phdr = wpabuf_put(msg, sizeof(*phdr));
1016         phdr->next_payload = next_payload;
1017         phdr->flags = 0;
1018         wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1019         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1020         WPA_PUT_BE16(phdr->payload_length, plen);
1021         return 0;
1022 }
1023
1024
1025 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1026                            struct wpabuf *msg, u8 next_payload)
1027 {
1028         struct ikev2_payload_hdr *phdr;
1029         size_t plen;
1030
1031         wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1032
1033         if (data->IDi == NULL) {
1034                 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1035                 return -1;
1036         }
1037
1038         /* IDi - RFC 4306, Sect. 3.5 */
1039         phdr = wpabuf_put(msg, sizeof(*phdr));
1040         phdr->next_payload = next_payload;
1041         phdr->flags = 0;
1042         wpabuf_put_u8(msg, ID_KEY_ID);
1043         wpabuf_put(msg, 3); /* RESERVED */
1044         wpabuf_put_data(msg, data->IDi, data->IDi_len);
1045         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1046         WPA_PUT_BE16(phdr->payload_length, plen);
1047         return 0;
1048 }
1049
1050
1051 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1052                             struct wpabuf *msg, u8 next_payload)
1053 {
1054         struct ikev2_payload_hdr *phdr;
1055         size_t plen;
1056         const struct ikev2_prf_alg *prf;
1057
1058         wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1059
1060         prf = ikev2_get_prf(data->proposal.prf);
1061         if (prf == NULL)
1062                 return -1;
1063
1064         /* Authentication - RFC 4306, Sect. 3.8 */
1065         phdr = wpabuf_put(msg, sizeof(*phdr));
1066         phdr->next_payload = next_payload;
1067         phdr->flags = 0;
1068         wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1069         wpabuf_put(msg, 3); /* RESERVED */
1070
1071         /* msg | Nr | prf(SK_pi,IDi') */
1072         if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1073                                    data->IDi, data->IDi_len, ID_KEY_ID,
1074                                    &data->keys, 1, data->shared_secret,
1075                                    data->shared_secret_len,
1076                                    data->r_nonce, data->r_nonce_len,
1077                                    data->key_pad, data->key_pad_len,
1078                                    wpabuf_put(msg, prf->hash_len)) < 0) {
1079                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1080                 return -1;
1081         }
1082         wpabuf_free(data->i_sign_msg);
1083         data->i_sign_msg = NULL;
1084
1085         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1086         WPA_PUT_BE16(phdr->payload_length, plen);
1087         return 0;
1088 }
1089
1090
1091 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1092 {
1093         struct wpabuf *msg;
1094
1095         /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1096
1097         if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1098                 return NULL;
1099         wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1100                     data->i_spi, IKEV2_SPI_LEN);
1101
1102         data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1103         if (os_get_random(data->i_nonce, data->i_nonce_len))
1104                 return NULL;
1105         wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1106
1107         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1108         if (msg == NULL)
1109                 return NULL;
1110
1111         ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1112         if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1113             ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1114             ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1115                 wpabuf_free(msg);
1116                 return NULL;
1117         }
1118
1119         ikev2_update_hdr(msg);
1120
1121         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1122
1123         wpabuf_free(data->i_sign_msg);
1124         data->i_sign_msg = wpabuf_dup(msg);
1125
1126         return msg;
1127 }
1128
1129
1130 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1131 {
1132         struct wpabuf *msg, *plain;
1133         const u8 *secret;
1134         size_t secret_len;
1135
1136         secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1137                                          data->IDr_len, &secret_len);
1138         if (secret == NULL) {
1139                 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1140                            "use fake value");
1141                 /* RFC 5106, Sect. 7:
1142                  * Use a random key to fake AUTH generation in order to prevent
1143                  * probing of user identities.
1144                  */
1145                 data->unknown_user = 1;
1146                 os_free(data->shared_secret);
1147                 data->shared_secret = os_malloc(16);
1148                 if (data->shared_secret == NULL)
1149                         return NULL;
1150                 data->shared_secret_len = 16;
1151                 if (os_get_random(data->shared_secret, 16))
1152                         return NULL;
1153         } else {
1154                 os_free(data->shared_secret);
1155                 data->shared_secret = os_malloc(secret_len);
1156                 if (data->shared_secret == NULL)
1157                         return NULL;
1158                 os_memcpy(data->shared_secret, secret, secret_len);
1159                 data->shared_secret_len = secret_len;
1160         }
1161
1162         /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1163
1164         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1165         if (msg == NULL)
1166                 return NULL;
1167         ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1168
1169         plain = wpabuf_alloc(data->IDr_len + 1000);
1170         if (plain == NULL) {
1171                 wpabuf_free(msg);
1172                 return NULL;
1173         }
1174
1175         if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1176             ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1177             ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1178                                   &data->keys, 1, msg, plain,
1179                                   IKEV2_PAYLOAD_IDi)) {
1180                 wpabuf_free(plain);
1181                 wpabuf_free(msg);
1182                 return NULL;
1183         }
1184         wpabuf_free(plain);
1185
1186         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1187
1188         return msg;
1189 }
1190
1191
1192 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1193 {
1194         switch (data->state) {
1195         case SA_INIT:
1196                 return ikev2_build_sa_init(data);
1197         case SA_AUTH:
1198                 return ikev2_build_sa_auth(data);
1199         case CHILD_SA:
1200                 return NULL;
1201         case IKEV2_DONE:
1202                 return NULL;
1203         }
1204         return NULL;
1205 }