contrib/hostapd/src/eap_server/ikev2.c

   1 /*
   2  * IKEv2 initiator (RFC 4306) for EAP-IKEV2
   3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/dh_groups.h"
  13 #include "crypto/random.h"
  14 #include "ikev2.h"
  15
  16
  17 static int ikev2_process_idr(struct ikev2_initiator_data *data,
  18                              const u8 *idr, size_t idr_len);
  19
  20
  21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
  22 {
  23         ikev2_free_keys(&data->keys);
  24         wpabuf_free(data->r_dh_public);
  25         wpabuf_free(data->i_dh_private);
  26         os_free(data->IDi);
  27         os_free(data->IDr);
  28         os_free(data->shared_secret);
  29         wpabuf_free(data->i_sign_msg);
  30         wpabuf_free(data->r_sign_msg);
  31         os_free(data->key_pad);
  32 }
  33
  34
  35 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
  36 {
  37         u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
  38         size_t buf_len, pad_len;
  39         struct wpabuf *shared;
  40         const struct ikev2_integ_alg *integ;
  41         const struct ikev2_prf_alg *prf;
  42         const struct ikev2_encr_alg *encr;
  43         int ret;
  44         const u8 *addr[2];
  45         size_t len[2];
  46
  47         /* RFC 4306, Sect. 2.14 */
  48
  49         integ = ikev2_get_integ(data->proposal.integ);
  50         prf = ikev2_get_prf(data->proposal.prf);
  51         encr = ikev2_get_encr(data->proposal.encr);
  52         if (integ == NULL || prf == NULL || encr == NULL) {
  53                 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
  54                 return -1;
  55         }
  56
  57         shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
  58                                   data->dh);
  59         if (shared == NULL)
  60                 return -1;
  61
  62         /* Construct Ni | Nr | SPIi | SPIr */
  63
  64         buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
  65         buf = os_malloc(buf_len);
  66         if (buf == NULL) {
  67                 wpabuf_free(shared);
  68                 return -1;
  69         }
  70
  71         pos = buf;
  72         os_memcpy(pos, data->i_nonce, data->i_nonce_len);
  73         pos += data->i_nonce_len;
  74         os_memcpy(pos, data->r_nonce, data->r_nonce_len);
  75         pos += data->r_nonce_len;
  76         os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
  77         pos += IKEV2_SPI_LEN;
  78         os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
  79
  80         /* SKEYSEED = prf(Ni | Nr, g^ir) */
  81
  82         /* Use zero-padding per RFC 4306, Sect. 2.14 */
  83         pad_len = data->dh->prime_len - wpabuf_len(shared);
  84         pad = os_zalloc(pad_len ? pad_len : 1);
  85         if (pad == NULL) {
  86                 wpabuf_free(shared);
  87                 os_free(buf);
  88                 return -1;
  89         }
  90         addr[0] = pad;
  91         len[0] = pad_len;
  92         addr[1] = wpabuf_head(shared);
  93         len[1] = wpabuf_len(shared);
  94         if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
  95                            2, addr, len, skeyseed) < 0) {
  96                 wpabuf_free(shared);
  97                 os_free(buf);
  98                 os_free(pad);
  99                 return -1;
 100         }
 101         os_free(pad);
 102         wpabuf_free(shared);
 103
 104         /* DH parameters are not needed anymore, so free them */
 105         wpabuf_free(data->r_dh_public);
 106         data->r_dh_public = NULL;
 107         wpabuf_free(data->i_dh_private);
 108         data->i_dh_private = NULL;
 109
 110         wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
 111                         skeyseed, prf->hash_len);
 112
 113         ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
 114                                    &data->keys);
 115         os_free(buf);
 116         return ret;
 117 }
 118
 119
 120 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
 121                                  struct ikev2_proposal_data *prop,
 122                                  const u8 *pos, const u8 *end)
 123 {
 124         int transform_len;
 125         const struct ikev2_transform *t;
 126         u16 transform_id;
 127         const u8 *tend;
 128
 129         if (end - pos < (int) sizeof(*t)) {
 130                 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
 131                 return -1;
 132         }
 133
 134         t = (const struct ikev2_transform *) pos;
 135         transform_len = WPA_GET_BE16(t->transform_length);
 136         if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
 137                 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
 138                            transform_len);
 139                 return -1;
 140         }
 141         tend = pos + transform_len;
 142
 143         transform_id = WPA_GET_BE16(t->transform_id);
 144
 145         wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
 146         wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
 147                    "Transform Type: %d  Transform ID: %d",
 148                    t->type, transform_len, t->transform_type, transform_id);
 149
 150         if (t->type != 0 && t->type != 3) {
 151                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
 152                 return -1;
 153         }
 154
 155         pos = (const u8 *) (t + 1);
 156         if (pos < tend) {
 157                 wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
 158                             pos, tend - pos);
 159         }
 160
 161         switch (t->transform_type) {
 162         case IKEV2_TRANSFORM_ENCR:
 163                 if (ikev2_get_encr(transform_id) &&
 164                     transform_id == data->proposal.encr) {
 165                         if (transform_id == ENCR_AES_CBC) {
 166                                 if (tend - pos != 4) {
 167                                         wpa_printf(MSG_DEBUG, "IKEV2: No "
 168                                                    "Transform Attr for AES");
 169                                         break;
 170                                 }
 171                                 if (WPA_GET_BE16(pos) != 0x800e) {
 172                                         wpa_printf(MSG_DEBUG, "IKEV2: Not a "
 173                                                    "Key Size attribute for "
 174                                                    "AES");
 175                                         break;
 176                                 }
 177                                 if (WPA_GET_BE16(pos + 2) != 128) {
 178                                         wpa_printf(MSG_DEBUG, "IKEV2: "
 179                                                    "Unsupported AES key size "
 180                                                    "%d bits",
 181                                                    WPA_GET_BE16(pos + 2));
 182                                         break;
 183                                 }
 184                         }
 185                         prop->encr = transform_id;
 186                 }
 187                 break;
 188         case IKEV2_TRANSFORM_PRF:
 189                 if (ikev2_get_prf(transform_id) &&
 190                     transform_id == data->proposal.prf)
 191                         prop->prf = transform_id;
 192                 break;
 193         case IKEV2_TRANSFORM_INTEG:
 194                 if (ikev2_get_integ(transform_id) &&
 195                     transform_id == data->proposal.integ)
 196                         prop->integ = transform_id;
 197                 break;
 198         case IKEV2_TRANSFORM_DH:
 199                 if (dh_groups_get(transform_id) &&
 200                     transform_id == data->proposal.dh)
 201                         prop->dh = transform_id;
 202                 break;
 203         }
 204
 205         return transform_len;
 206 }
 207
 208
 209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
 210                                 struct ikev2_proposal_data *prop,
 211                                 const u8 *pos, const u8 *end)
 212 {
 213         const u8 *pend, *ppos;
 214         int proposal_len, i;
 215         const struct ikev2_proposal *p;
 216
 217         if (end - pos < (int) sizeof(*p)) {
 218                 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
 219                 return -1;
 220         }
 221
 222         p = (const struct ikev2_proposal *) pos;
 223         proposal_len = WPA_GET_BE16(p->proposal_length);
 224         if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
 225                 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
 226                            proposal_len);
 227                 return -1;
 228         }
 229         wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
 230                    p->proposal_num);
 231         wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
 232                    " Protocol ID: %d",
 233                    p->type, proposal_len, p->protocol_id);
 234         wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
 235                    p->spi_size, p->num_transforms);
 236
 237         if (p->type != 0 && p->type != 2) {
 238                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
 239                 return -1;
 240         }
 241
 242         if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
 243                 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
 244                            "(only IKE allowed for EAP-IKEv2)");
 245                 return -1;
 246         }
 247
 248         if (p->proposal_num != prop->proposal_num) {
 249                 if (p->proposal_num == prop->proposal_num + 1)
 250                         prop->proposal_num = p->proposal_num;
 251                 else {
 252                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
 253                         return -1;
 254                 }
 255         }
 256
 257         ppos = (const u8 *) (p + 1);
 258         pend = pos + proposal_len;
 259         if (ppos + p->spi_size > pend) {
 260                 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
 261                            "in proposal");
 262                 return -1;
 263         }
 264         if (p->spi_size) {
 265                 wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
 266                             ppos, p->spi_size);
 267                 ppos += p->spi_size;
 268         }
 269
 270         /*
 271          * For initial IKE_SA negotiation, SPI Size MUST be zero; for
 272          * subsequent negotiations, it must be 8 for IKE. We only support
 273          * initial case for now.
 274          */
 275         if (p->spi_size != 0) {
 276                 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
 277                 return -1;
 278         }
 279
 280         if (p->num_transforms == 0) {
 281                 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
 282                 return -1;
 283         }
 284
 285         for (i = 0; i < (int) p->num_transforms; i++) {
 286                 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
 287                 if (tlen < 0)
 288                         return -1;
 289                 ppos += tlen;
 290         }
 291
 292         if (ppos != pend) {
 293                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
 294                            "transforms");
 295                 return -1;
 296         }
 297
 298         return proposal_len;
 299 }
 300
 301
 302 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
 303                               const u8 *sar1, size_t sar1_len)
 304 {
 305         struct ikev2_proposal_data prop;
 306         const u8 *pos, *end;
 307         int found = 0;
 308
 309         /* Security Association Payloads: <Proposals> */
 310
 311         if (sar1 == NULL) {
 312                 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
 313                 return -1;
 314         }
 315
 316         os_memset(&prop, 0, sizeof(prop));
 317         prop.proposal_num = 1;
 318
 319         pos = sar1;
 320         end = sar1 + sar1_len;
 321
 322         while (pos < end) {
 323                 int plen;
 324
 325                 prop.integ = -1;
 326                 prop.prf = -1;
 327                 prop.encr = -1;
 328                 prop.dh = -1;
 329                 plen = ikev2_parse_proposal(data, &prop, pos, end);
 330                 if (plen < 0)
 331                         return -1;
 332
 333                 if (!found && prop.integ != -1 && prop.prf != -1 &&
 334                     prop.encr != -1 && prop.dh != -1) {
 335                         found = 1;
 336                 }
 337
 338                 pos += plen;
 339
 340                 /* Only one proposal expected in SAr */
 341                 break;
 342         }
 343
 344         if (pos != end) {
 345                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
 346                 return -1;
 347         }
 348
 349         if (!found) {
 350                 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
 351                 return -1;
 352         }
 353
 354         wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
 355                    "INTEG:%d D-H:%d", data->proposal.proposal_num,
 356                    data->proposal.encr, data->proposal.prf,
 357                    data->proposal.integ, data->proposal.dh);
 358
 359         return 0;
 360 }
 361
 362
 363 static int ikev2_process_ker(struct ikev2_initiator_data *data,
 364                              const u8 *ker, size_t ker_len)
 365 {
 366         u16 group;
 367
 368         /*
 369          * Key Exchange Payload:
 370          * DH Group # (16 bits)
 371          * RESERVED (16 bits)
 372          * Key Exchange Data (Diffie-Hellman public value)
 373          */
 374
 375         if (ker == NULL) {
 376                 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
 377                 return -1;
 378         }
 379
 380         if (ker_len < 4 + 96) {
 381                 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
 382                 return -1;
 383         }
 384
 385         group = WPA_GET_BE16(ker);
 386         wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
 387
 388         if (group != data->proposal.dh) {
 389                 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
 390                            "with the selected proposal (%u)",
 391                            group, data->proposal.dh);
 392                 return -1;
 393         }
 394
 395         if (data->dh == NULL) {
 396                 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
 397                 return -1;
 398         }
 399
 400         /* RFC 4306, Section 3.4:
 401          * The length of DH public value MUST be equal to the length of the
 402          * prime modulus.
 403          */
 404         if (ker_len - 4 != data->dh->prime_len) {
 405                 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
 406                            "%ld (expected %ld)",
 407                            (long) (ker_len - 4), (long) data->dh->prime_len);
 408                 return -1;
 409         }
 410
 411         wpabuf_free(data->r_dh_public);
 412         data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
 413         if (data->r_dh_public == NULL)
 414                 return -1;
 415
 416         wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
 417                         data->r_dh_public);
 418
 419         return 0;
 420 }
 421
 422
 423 static int ikev2_process_nr(struct ikev2_initiator_data *data,
 424                             const u8 *nr, size_t nr_len)
 425 {
 426         if (nr == NULL) {
 427                 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
 428                 return -1;
 429         }
 430
 431         if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
 432                 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
 433                            (long) nr_len);
 434                 return -1;
 435         }
 436
 437         data->r_nonce_len = nr_len;
 438         os_memcpy(data->r_nonce, nr, nr_len);
 439         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
 440                     data->r_nonce, data->r_nonce_len);
 441
 442         return 0;
 443 }
 444
 445
 446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
 447                                       const struct ikev2_hdr *hdr,
 448                                       const u8 *encrypted,
 449                                       size_t encrypted_len, u8 next_payload)
 450 {
 451         u8 *decrypted;
 452         size_t decrypted_len;
 453         struct ikev2_payloads pl;
 454         int ret = 0;
 455
 456         decrypted = ikev2_decrypt_payload(data->proposal.encr,
 457                                           data->proposal.integ, &data->keys, 0,
 458                                           hdr, encrypted, encrypted_len,
 459                                           &decrypted_len);
 460         if (decrypted == NULL)
 461                 return -1;
 462
 463         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
 464
 465         if (ikev2_parse_payloads(&pl, next_payload, decrypted,
 466                                  decrypted + decrypted_len) < 0) {
 467                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
 468                            "payloads");
 469                 return -1;
 470         }
 471
 472         if (pl.idr)
 473                 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
 474
 475         os_free(decrypted);
 476
 477         return ret;
 478 }
 479
 480
 481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
 482                                  const struct ikev2_hdr *hdr,
 483                                  struct ikev2_payloads *pl)
 484 {
 485         if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
 486             ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
 487             ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
 488                 return -1;
 489
 490         os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
 491
 492         if (ikev2_derive_keys(data) < 0)
 493                 return -1;
 494
 495         if (pl->encrypted) {
 496                 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
 497                            "try to get IDr from it");
 498                 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
 499                                                pl->encrypted_len,
 500                                                pl->encr_next_payload) < 0) {
 501                         wpa_printf(MSG_INFO, "IKEV2: Failed to process "
 502                                    "encrypted payload");
 503                         return -1;
 504                 }
 505         }
 506
 507         data->state = SA_AUTH;
 508
 509         return 0;
 510 }
 511
 512
 513 static int ikev2_process_idr(struct ikev2_initiator_data *data,
 514                              const u8 *idr, size_t idr_len)
 515 {
 516         u8 id_type;
 517
 518         if (idr == NULL) {
 519                 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
 520                 return -1;
 521         }
 522
 523         if (idr_len < 4) {
 524                 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
 525                 return -1;
 526         }
 527
 528         id_type = idr[0];
 529         idr += 4;
 530         idr_len -= 4;
 531
 532         wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
 533         wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
 534         if (data->IDr) {
 535                 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
 536                     os_memcmp(idr, data->IDr, idr_len) != 0) {
 537                         wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
 538                                    "received earlier");
 539                         wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
 540                                    id_type);
 541                         wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
 542                                           data->IDr, data->IDr_len);
 543                         return -1;
 544                 }
 545                 os_free(data->IDr);
 546         }
 547         data->IDr = os_malloc(idr_len);
 548         if (data->IDr == NULL)
 549                 return -1;
 550         os_memcpy(data->IDr, idr, idr_len);
 551         data->IDr_len = idr_len;
 552         data->IDr_type = id_type;
 553
 554         return 0;
 555 }
 556
 557
 558 static int ikev2_process_cert(struct ikev2_initiator_data *data,
 559                               const u8 *cert, size_t cert_len)
 560 {
 561         u8 cert_encoding;
 562
 563         if (cert == NULL) {
 564                 if (data->peer_auth == PEER_AUTH_CERT) {
 565                         wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
 566                         return -1;
 567                 }
 568                 return 0;
 569         }
 570
 571         if (cert_len < 1) {
 572                 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
 573                 return -1;
 574         }
 575
 576         cert_encoding = cert[0];
 577         cert++;
 578         cert_len--;
 579
 580         wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
 581         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
 582
 583         /* TODO: validate certificate */
 584
 585         return 0;
 586 }
 587
 588
 589 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
 590                                    u8 method, const u8 *auth, size_t auth_len)
 591 {
 592         if (method != AUTH_RSA_SIGN) {
 593                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
 594                            "method %d", method);
 595                 return -1;
 596         }
 597
 598         /* TODO: validate AUTH */
 599         return 0;
 600 }
 601
 602
 603 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
 604                                      u8 method, const u8 *auth,
 605                                      size_t auth_len)
 606 {
 607         u8 auth_data[IKEV2_MAX_HASH_LEN];
 608         const struct ikev2_prf_alg *prf;
 609
 610         if (method != AUTH_SHARED_KEY_MIC) {
 611                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
 612                            "method %d", method);
 613                 return -1;
 614         }
 615
 616         /* msg | Ni | prf(SK_pr,IDr') */
 617         if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
 618                                    data->IDr, data->IDr_len, data->IDr_type,
 619                                    &data->keys, 0, data->shared_secret,
 620                                    data->shared_secret_len,
 621                                    data->i_nonce, data->i_nonce_len,
 622                                    data->key_pad, data->key_pad_len,
 623                                    auth_data) < 0) {
 624                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
 625                 return -1;
 626         }
 627
 628         wpabuf_free(data->r_sign_msg);
 629         data->r_sign_msg = NULL;
 630
 631         prf = ikev2_get_prf(data->proposal.prf);
 632         if (prf == NULL)
 633                 return -1;
 634
 635         if (auth_len != prf->hash_len ||
 636             os_memcmp(auth, auth_data, auth_len) != 0) {
 637                 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
 638                 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
 639                             auth, auth_len);
 640                 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
 641                             auth_data, prf->hash_len);
 642                 return -1;
 643         }
 644
 645         wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
 646                    "using shared keys");
 647
 648         return 0;
 649 }
 650
 651
 652 static int ikev2_process_auth(struct ikev2_initiator_data *data,
 653                               const u8 *auth, size_t auth_len)
 654 {
 655         u8 auth_method;
 656
 657         if (auth == NULL) {
 658                 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
 659                 return -1;
 660         }
 661
 662         if (auth_len < 4) {
 663                 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
 664                            "Payload");
 665                 return -1;
 666         }
 667
 668         auth_method = auth[0];
 669         auth += 4;
 670         auth_len -= 4;
 671
 672         wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
 673         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
 674
 675         switch (data->peer_auth) {
 676         case PEER_AUTH_CERT:
 677                 return ikev2_process_auth_cert(data, auth_method, auth,
 678                                                auth_len);
 679         case PEER_AUTH_SECRET:
 680                 return ikev2_process_auth_secret(data, auth_method, auth,
 681                                                  auth_len);
 682         }
 683
 684         return -1;
 685 }
 686
 687
 688 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
 689                                            u8 next_payload,
 690                                            u8 *payload, size_t payload_len)
 691 {
 692         struct ikev2_payloads pl;
 693
 694         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
 695
 696         if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
 697                                  payload_len) < 0) {
 698                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
 699                            "payloads");
 700                 return -1;
 701         }
 702
 703         if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
 704             ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
 705             ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
 706                 return -1;
 707
 708         return 0;
 709 }
 710
 711
 712 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
 713                                  const struct ikev2_hdr *hdr,
 714                                  struct ikev2_payloads *pl)
 715 {
 716         u8 *decrypted;
 717         size_t decrypted_len;
 718         int ret;
 719
 720         decrypted = ikev2_decrypt_payload(data->proposal.encr,
 721                                           data->proposal.integ,
 722                                           &data->keys, 0, hdr, pl->encrypted,
 723                                           pl->encrypted_len, &decrypted_len);
 724         if (decrypted == NULL)
 725                 return -1;
 726
 727         ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
 728                                               decrypted, decrypted_len);
 729         os_free(decrypted);
 730
 731         if (ret == 0 && !data->unknown_user) {
 732                 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
 733                 data->state = IKEV2_DONE;
 734         }
 735
 736         return ret;
 737 }
 738
 739
 740 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
 741                                    u8 exchange_type, u32 message_id)
 742 {
 743         switch (data->state) {
 744         case SA_INIT:
 745                 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
 746                  * [SK{IDr}] */
 747                 if (exchange_type != IKE_SA_INIT) {
 748                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 749                                    "%u in SA_INIT state", exchange_type);
 750                         return -1;
 751                 }
 752                 if (message_id != 0) {
 753                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 754                                    "in SA_INIT state", message_id);
 755                         return -1;
 756                 }
 757                 break;
 758         case SA_AUTH:
 759                 /* Expect to receive IKE_SA_AUTH:
 760                  * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
 761                  */
 762                 if (exchange_type != IKE_SA_AUTH) {
 763                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 764                                    "%u in SA_AUTH state", exchange_type);
 765                         return -1;
 766                 }
 767                 if (message_id != 1) {
 768                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 769                                    "in SA_AUTH state", message_id);
 770                         return -1;
 771                 }
 772                 break;
 773         case CHILD_SA:
 774                 if (exchange_type != CREATE_CHILD_SA) {
 775                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 776                                    "%u in CHILD_SA state", exchange_type);
 777                         return -1;
 778                 }
 779                 if (message_id != 2) {
 780                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 781                                    "in CHILD_SA state", message_id);
 782                         return -1;
 783                 }
 784                 break;
 785         case IKEV2_DONE:
 786                 return -1;
 787         }
 788
 789         return 0;
 790 }
 791
 792
 793 int ikev2_initiator_process(struct ikev2_initiator_data *data,
 794                             const struct wpabuf *buf)
 795 {
 796         const struct ikev2_hdr *hdr;
 797         u32 length, message_id;
 798         const u8 *pos, *end;
 799         struct ikev2_payloads pl;
 800
 801         wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
 802                    (unsigned long) wpabuf_len(buf));
 803
 804         if (wpabuf_len(buf) < sizeof(*hdr)) {
 805                 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
 806                 return -1;
 807         }
 808
 809         hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
 810         end = wpabuf_head_u8(buf) + wpabuf_len(buf);
 811         message_id = WPA_GET_BE32(hdr->message_id);
 812         length = WPA_GET_BE32(hdr->length);
 813
 814         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
 815                     hdr->i_spi, IKEV2_SPI_LEN);
 816         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
 817                     hdr->r_spi, IKEV2_SPI_LEN);
 818         wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
 819                    "Exchange Type: %u",
 820                    hdr->next_payload, hdr->version, hdr->exchange_type);
 821         wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
 822                    message_id, length);
 823
 824         if (hdr->version != IKEV2_VERSION) {
 825                 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
 826                            "(expected 0x%x)", hdr->version, IKEV2_VERSION);
 827                 return -1;
 828         }
 829
 830         if (length != wpabuf_len(buf)) {
 831                 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
 832                            "RX: %lu)", (unsigned long) length,
 833                            (unsigned long) wpabuf_len(buf));
 834                 return -1;
 835         }
 836
 837         if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
 838                 return -1;
 839
 840         if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
 841             IKEV2_HDR_RESPONSE) {
 842                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
 843                            hdr->flags);
 844                 return -1;
 845         }
 846
 847         if (data->state != SA_INIT) {
 848                 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
 849                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
 850                                    "Initiator's SPI");
 851                         return -1;
 852                 }
 853                 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
 854                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
 855                                    "Responder's SPI");
 856                         return -1;
 857                 }
 858         }
 859
 860         pos = (const u8 *) (hdr + 1);
 861         if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
 862                 return -1;
 863
 864         switch (data->state) {
 865         case SA_INIT:
 866                 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
 867                         return -1;
 868                 wpabuf_free(data->r_sign_msg);
 869                 data->r_sign_msg = wpabuf_dup(buf);
 870                 break;
 871         case SA_AUTH:
 872                 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
 873                         return -1;
 874                 break;
 875         case CHILD_SA:
 876         case IKEV2_DONE:
 877                 break;
 878         }
 879
 880         return 0;
 881 }
 882
 883
 884 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
 885                             struct wpabuf *msg, u8 exchange_type,
 886                             u8 next_payload, u32 message_id)
 887 {
 888         struct ikev2_hdr *hdr;
 889
 890         wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
 891
 892         /* HDR - RFC 4306, Sect. 3.1 */
 893         hdr = wpabuf_put(msg, sizeof(*hdr));
 894         os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
 895         os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
 896         hdr->next_payload = next_payload;
 897         hdr->version = IKEV2_VERSION;
 898         hdr->exchange_type = exchange_type;
 899         hdr->flags = IKEV2_HDR_INITIATOR;
 900         WPA_PUT_BE32(hdr->message_id, message_id);
 901 }
 902
 903
 904 static int ikev2_build_sai(struct ikev2_initiator_data *data,
 905                             struct wpabuf *msg, u8 next_payload)
 906 {
 907         struct ikev2_payload_hdr *phdr;
 908         size_t plen;
 909         struct ikev2_proposal *p;
 910         struct ikev2_transform *t;
 911
 912         wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
 913
 914         /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
 915         phdr = wpabuf_put(msg, sizeof(*phdr));
 916         phdr->next_payload = next_payload;
 917         phdr->flags = 0;
 918
 919         /* TODO: support for multiple proposals */
 920         p = wpabuf_put(msg, sizeof(*p));
 921         p->proposal_num = data->proposal.proposal_num;
 922         p->protocol_id = IKEV2_PROTOCOL_IKE;
 923         p->num_transforms = 4;
 924
 925         t = wpabuf_put(msg, sizeof(*t));
 926         t->type = 3;
 927         t->transform_type = IKEV2_TRANSFORM_ENCR;
 928         WPA_PUT_BE16(t->transform_id, data->proposal.encr);
 929         if (data->proposal.encr == ENCR_AES_CBC) {
 930                 /* Transform Attribute: Key Len = 128 bits */
 931                 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
 932                 wpabuf_put_be16(msg, 128); /* 128-bit key */
 933         }
 934         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
 935         WPA_PUT_BE16(t->transform_length, plen);
 936
 937         t = wpabuf_put(msg, sizeof(*t));
 938         t->type = 3;
 939         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 940         t->transform_type = IKEV2_TRANSFORM_PRF;
 941         WPA_PUT_BE16(t->transform_id, data->proposal.prf);
 942
 943         t = wpabuf_put(msg, sizeof(*t));
 944         t->type = 3;
 945         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 946         t->transform_type = IKEV2_TRANSFORM_INTEG;
 947         WPA_PUT_BE16(t->transform_id, data->proposal.integ);
 948
 949         t = wpabuf_put(msg, sizeof(*t));
 950         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 951         t->transform_type = IKEV2_TRANSFORM_DH;
 952         WPA_PUT_BE16(t->transform_id, data->proposal.dh);
 953
 954         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
 955         WPA_PUT_BE16(p->proposal_length, plen);
 956
 957         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
 958         WPA_PUT_BE16(phdr->payload_length, plen);
 959
 960         return 0;
 961 }
 962
 963
 964 static int ikev2_build_kei(struct ikev2_initiator_data *data,
 965                            struct wpabuf *msg, u8 next_payload)
 966 {
 967         struct ikev2_payload_hdr *phdr;
 968         size_t plen;
 969         struct wpabuf *pv;
 970
 971         wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
 972
 973         data->dh = dh_groups_get(data->proposal.dh);
 974         pv = dh_init(data->dh, &data->i_dh_private);
 975         if (pv == NULL) {
 976                 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
 977                 return -1;
 978         }
 979
 980         /* KEi - RFC 4306, Sect. 3.4 */
 981         phdr = wpabuf_put(msg, sizeof(*phdr));
 982         phdr->next_payload = next_payload;
 983         phdr->flags = 0;
 984
 985         wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
 986         wpabuf_put(msg, 2); /* RESERVED */
 987         /*
 988          * RFC 4306, Sect. 3.4: possible zero padding for public value to
 989          * match the length of the prime.
 990          */
 991         wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
 992         wpabuf_put_buf(msg, pv);
 993         wpabuf_free(pv);
 994
 995         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
 996         WPA_PUT_BE16(phdr->payload_length, plen);
 997         return 0;
 998 }
 999
1000
1001 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1002                           struct wpabuf *msg, u8 next_payload)
1003 {
1004         struct ikev2_payload_hdr *phdr;
1005         size_t plen;
1006
1007         wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1008
1009         /* Ni - RFC 4306, Sect. 3.9 */
1010         phdr = wpabuf_put(msg, sizeof(*phdr));
1011         phdr->next_payload = next_payload;
1012         phdr->flags = 0;
1013         wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1014         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1015         WPA_PUT_BE16(phdr->payload_length, plen);
1016         return 0;
1017 }
1018
1019
1020 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1021                            struct wpabuf *msg, u8 next_payload)
1022 {
1023         struct ikev2_payload_hdr *phdr;
1024         size_t plen;
1025
1026         wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1027
1028         if (data->IDi == NULL) {
1029                 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1030                 return -1;
1031         }
1032
1033         /* IDi - RFC 4306, Sect. 3.5 */
1034         phdr = wpabuf_put(msg, sizeof(*phdr));
1035         phdr->next_payload = next_payload;
1036         phdr->flags = 0;
1037         wpabuf_put_u8(msg, ID_KEY_ID);
1038         wpabuf_put(msg, 3); /* RESERVED */
1039         wpabuf_put_data(msg, data->IDi, data->IDi_len);
1040         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1041         WPA_PUT_BE16(phdr->payload_length, plen);
1042         return 0;
1043 }
1044
1045
1046 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1047                             struct wpabuf *msg, u8 next_payload)
1048 {
1049         struct ikev2_payload_hdr *phdr;
1050         size_t plen;
1051         const struct ikev2_prf_alg *prf;
1052
1053         wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1054
1055         prf = ikev2_get_prf(data->proposal.prf);
1056         if (prf == NULL)
1057                 return -1;
1058
1059         /* Authentication - RFC 4306, Sect. 3.8 */
1060         phdr = wpabuf_put(msg, sizeof(*phdr));
1061         phdr->next_payload = next_payload;
1062         phdr->flags = 0;
1063         wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1064         wpabuf_put(msg, 3); /* RESERVED */
1065
1066         /* msg | Nr | prf(SK_pi,IDi') */
1067         if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1068                                    data->IDi, data->IDi_len, ID_KEY_ID,
1069                                    &data->keys, 1, data->shared_secret,
1070                                    data->shared_secret_len,
1071                                    data->r_nonce, data->r_nonce_len,
1072                                    data->key_pad, data->key_pad_len,
1073                                    wpabuf_put(msg, prf->hash_len)) < 0) {
1074                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1075                 return -1;
1076         }
1077         wpabuf_free(data->i_sign_msg);
1078         data->i_sign_msg = NULL;
1079
1080         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1081         WPA_PUT_BE16(phdr->payload_length, plen);
1082         return 0;
1083 }
1084
1085
1086 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1087 {
1088         struct wpabuf *msg;
1089
1090         /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1091
1092         if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1093                 return NULL;
1094         wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1095                     data->i_spi, IKEV2_SPI_LEN);
1096
1097         data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1098         if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1099                 return NULL;
1100         wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1101
1102         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1103         if (msg == NULL)
1104                 return NULL;
1105
1106         ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1107         if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1108             ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1109             ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1110                 wpabuf_free(msg);
1111                 return NULL;
1112         }
1113
1114         ikev2_update_hdr(msg);
1115
1116         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1117
1118         wpabuf_free(data->i_sign_msg);
1119         data->i_sign_msg = wpabuf_dup(msg);
1120
1121         return msg;
1122 }
1123
1124
1125 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1126 {
1127         struct wpabuf *msg, *plain;
1128         const u8 *secret;
1129         size_t secret_len;
1130
1131         secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1132                                          data->IDr_len, &secret_len);
1133         if (secret == NULL) {
1134                 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1135                            "use fake value");
1136                 /* RFC 5106, Sect. 7:
1137                  * Use a random key to fake AUTH generation in order to prevent
1138                  * probing of user identities.
1139                  */
1140                 data->unknown_user = 1;
1141                 os_free(data->shared_secret);
1142                 data->shared_secret = os_malloc(16);
1143                 if (data->shared_secret == NULL)
1144                         return NULL;
1145                 data->shared_secret_len = 16;
1146                 if (random_get_bytes(data->shared_secret, 16))
1147                         return NULL;
1148         } else {
1149                 os_free(data->shared_secret);
1150                 data->shared_secret = os_malloc(secret_len);
1151                 if (data->shared_secret == NULL)
1152                         return NULL;
1153                 os_memcpy(data->shared_secret, secret, secret_len);
1154                 data->shared_secret_len = secret_len;
1155         }
1156
1157         /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1158
1159         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1160         if (msg == NULL)
1161                 return NULL;
1162         ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1163
1164         plain = wpabuf_alloc(data->IDr_len + 1000);
1165         if (plain == NULL) {
1166                 wpabuf_free(msg);
1167                 return NULL;
1168         }
1169
1170         if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1171             ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1172             ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1173                                   &data->keys, 1, msg, plain,
1174                                   IKEV2_PAYLOAD_IDi)) {
1175                 wpabuf_free(plain);
1176                 wpabuf_free(msg);
1177                 return NULL;
1178         }
1179         wpabuf_free(plain);
1180
1181         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1182
1183         return msg;
1184 }
1185
1186
1187 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1188 {
1189         switch (data->state) {
1190         case SA_INIT:
1191                 return ikev2_build_sa_init(data);
1192         case SA_AUTH:
1193                 return ikev2_build_sa_auth(data);
1194         case CHILD_SA:
1195                 return NULL;
1196         case IKEV2_DONE:
1197                 return NULL;
1198         }
1199         return NULL;
1200 }