2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
17 void ikev2_responder_deinit(struct ikev2_responder_data *data)
19 ikev2_free_keys(&data->keys);
20 wpabuf_free(data->i_dh_public);
21 wpabuf_free(data->r_dh_private);
24 os_free(data->shared_secret);
25 wpabuf_free(data->i_sign_msg);
26 wpabuf_free(data->r_sign_msg);
27 os_free(data->key_pad);
31 static int ikev2_derive_keys(struct ikev2_responder_data *data)
33 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34 size_t buf_len, pad_len;
35 struct wpabuf *shared;
36 const struct ikev2_integ_alg *integ;
37 const struct ikev2_prf_alg *prf;
38 const struct ikev2_encr_alg *encr;
43 /* RFC 4306, Sect. 2.14 */
45 integ = ikev2_get_integ(data->proposal.integ);
46 prf = ikev2_get_prf(data->proposal.prf);
47 encr = ikev2_get_encr(data->proposal.encr);
48 if (integ == NULL || prf == NULL || encr == NULL) {
49 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
58 /* Construct Ni | Nr | SPIi | SPIr */
60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61 buf = os_malloc(buf_len);
68 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 pos += data->i_nonce_len;
70 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 pos += data->r_nonce_len;
72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
76 /* SKEYSEED = prf(Ni | Nr, g^ir) */
77 /* Use zero-padding per RFC 4306, Sect. 2.14 */
78 pad_len = data->dh->prime_len - wpabuf_len(shared);
79 pad = os_zalloc(pad_len ? pad_len : 1);
88 addr[1] = wpabuf_head(shared);
89 len[1] = wpabuf_len(shared);
90 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
91 2, addr, len, skeyseed) < 0) {
100 /* DH parameters are not needed anymore, so free them */
101 wpabuf_free(data->i_dh_public);
102 data->i_dh_public = NULL;
103 wpabuf_free(data->r_dh_private);
104 data->r_dh_private = NULL;
106 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
107 skeyseed, prf->hash_len);
109 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
117 const u8 *pos, const u8 *end)
120 const struct ikev2_transform *t;
124 if (end - pos < (int) sizeof(*t)) {
125 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
129 t = (const struct ikev2_transform *) pos;
130 transform_len = WPA_GET_BE16(t->transform_length);
131 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
132 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
136 tend = pos + transform_len;
138 transform_id = WPA_GET_BE16(t->transform_id);
140 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
141 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
142 "Transform Type: %d Transform ID: %d",
143 t->type, transform_len, t->transform_type, transform_id);
145 if (t->type != 0 && t->type != 3) {
146 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
150 pos = (const u8 *) (t + 1);
152 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
156 switch (t->transform_type) {
157 case IKEV2_TRANSFORM_ENCR:
158 if (ikev2_get_encr(transform_id)) {
159 if (transform_id == ENCR_AES_CBC) {
160 if (tend - pos != 4) {
161 wpa_printf(MSG_DEBUG, "IKEV2: No "
162 "Transform Attr for AES");
165 if (WPA_GET_BE16(pos) != 0x800e) {
166 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
167 "Key Size attribute for "
171 if (WPA_GET_BE16(pos + 2) != 128) {
172 wpa_printf(MSG_DEBUG, "IKEV2: "
173 "Unsupported AES key size "
175 WPA_GET_BE16(pos + 2));
179 prop->encr = transform_id;
182 case IKEV2_TRANSFORM_PRF:
183 if (ikev2_get_prf(transform_id))
184 prop->prf = transform_id;
186 case IKEV2_TRANSFORM_INTEG:
187 if (ikev2_get_integ(transform_id))
188 prop->integ = transform_id;
190 case IKEV2_TRANSFORM_DH:
191 if (dh_groups_get(transform_id))
192 prop->dh = transform_id;
196 return transform_len;
200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
201 const u8 *pos, const u8 *end)
203 const u8 *pend, *ppos;
205 const struct ikev2_proposal *p;
207 if (end - pos < (int) sizeof(*p)) {
208 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
212 /* FIX: AND processing if multiple proposals use the same # */
214 p = (const struct ikev2_proposal *) pos;
215 proposal_len = WPA_GET_BE16(p->proposal_length);
216 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
217 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
221 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
223 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
225 p->type, proposal_len, p->protocol_id);
226 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
227 p->spi_size, p->num_transforms);
229 if (p->type != 0 && p->type != 2) {
230 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
234 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
235 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
236 "(only IKE allowed for EAP-IKEv2)");
240 if (p->proposal_num != prop->proposal_num) {
241 if (p->proposal_num == prop->proposal_num + 1)
242 prop->proposal_num = p->proposal_num;
244 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
249 ppos = (const u8 *) (p + 1);
250 pend = pos + proposal_len;
251 if (ppos + p->spi_size > pend) {
252 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
257 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
263 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
264 * subsequent negotiations, it must be 8 for IKE. We only support
265 * initial case for now.
267 if (p->spi_size != 0) {
268 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
272 if (p->num_transforms == 0) {
273 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
277 for (i = 0; i < (int) p->num_transforms; i++) {
278 int tlen = ikev2_parse_transform(prop, ppos, pend);
285 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
294 static int ikev2_process_sai1(struct ikev2_responder_data *data,
295 const u8 *sai1, size_t sai1_len)
297 struct ikev2_proposal_data prop;
301 /* Security Association Payloads: <Proposals> */
304 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
308 os_memset(&prop, 0, sizeof(prop));
309 prop.proposal_num = 1;
312 end = sai1 + sai1_len;
321 plen = ikev2_parse_proposal(&prop, pos, end);
325 if (!found && prop.integ != -1 && prop.prf != -1 &&
326 prop.encr != -1 && prop.dh != -1) {
327 os_memcpy(&data->proposal, &prop, sizeof(prop));
328 data->dh = dh_groups_get(prop.dh);
336 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
341 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
345 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
346 "INTEG:%d D-H:%d", data->proposal.proposal_num,
347 data->proposal.encr, data->proposal.prf,
348 data->proposal.integ, data->proposal.dh);
354 static int ikev2_process_kei(struct ikev2_responder_data *data,
355 const u8 *kei, size_t kei_len)
360 * Key Exchange Payload:
361 * DH Group # (16 bits)
363 * Key Exchange Data (Diffie-Hellman public value)
367 wpa_printf(MSG_INFO, "IKEV2: KEi not received");
371 if (kei_len < 4 + 96) {
372 wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload");
376 group = WPA_GET_BE16(kei);
377 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
379 if (group != data->proposal.dh) {
380 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
381 "with the selected proposal (%u)",
382 group, data->proposal.dh);
383 /* Reject message with Notify payload of type
384 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
385 data->error_type = INVALID_KE_PAYLOAD;
386 data->state = NOTIFY;
390 if (data->dh == NULL) {
391 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
395 /* RFC 4306, Section 3.4:
396 * The length of DH public value MUST be equal to the length of the
399 if (kei_len - 4 != data->dh->prime_len) {
400 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
401 "%ld (expected %ld)",
402 (long) (kei_len - 4), (long) data->dh->prime_len);
406 wpabuf_free(data->i_dh_public);
407 data->i_dh_public = wpabuf_alloc(kei_len - 4);
408 if (data->i_dh_public == NULL)
410 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
412 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
419 static int ikev2_process_ni(struct ikev2_responder_data *data,
420 const u8 *ni, size_t ni_len)
423 wpa_printf(MSG_INFO, "IKEV2: Ni not received");
427 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
428 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
433 data->i_nonce_len = ni_len;
434 os_memcpy(data->i_nonce, ni, ni_len);
435 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
436 data->i_nonce, data->i_nonce_len);
442 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
443 const struct ikev2_hdr *hdr,
444 struct ikev2_payloads *pl)
446 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
447 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
448 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
451 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
457 static int ikev2_process_idi(struct ikev2_responder_data *data,
458 const u8 *idi, size_t idi_len)
463 wpa_printf(MSG_INFO, "IKEV2: No IDi received");
468 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
476 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
477 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
479 data->IDi = os_malloc(idi_len);
480 if (data->IDi == NULL)
482 os_memcpy(data->IDi, idi, idi_len);
483 data->IDi_len = idi_len;
484 data->IDi_type = id_type;
490 static int ikev2_process_cert(struct ikev2_responder_data *data,
491 const u8 *cert, size_t cert_len)
496 if (data->peer_auth == PEER_AUTH_CERT) {
497 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
504 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
508 cert_encoding = cert[0];
512 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
513 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
515 /* TODO: validate certificate */
521 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
522 u8 method, const u8 *auth, size_t auth_len)
524 if (method != AUTH_RSA_SIGN) {
525 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
526 "method %d", method);
530 /* TODO: validate AUTH */
535 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
536 u8 method, const u8 *auth,
539 u8 auth_data[IKEV2_MAX_HASH_LEN];
540 const struct ikev2_prf_alg *prf;
542 if (method != AUTH_SHARED_KEY_MIC) {
543 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
544 "method %d", method);
548 /* msg | Nr | prf(SK_pi,IDi') */
549 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
550 data->IDi, data->IDi_len, data->IDi_type,
551 &data->keys, 1, data->shared_secret,
552 data->shared_secret_len,
553 data->r_nonce, data->r_nonce_len,
554 data->key_pad, data->key_pad_len,
556 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
560 wpabuf_free(data->i_sign_msg);
561 data->i_sign_msg = NULL;
563 prf = ikev2_get_prf(data->proposal.prf);
567 if (auth_len != prf->hash_len ||
568 os_memcmp_const(auth, auth_data, auth_len) != 0) {
569 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
570 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
572 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
573 auth_data, prf->hash_len);
574 data->error_type = AUTHENTICATION_FAILED;
575 data->state = NOTIFY;
579 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
580 "using shared keys");
586 static int ikev2_process_auth(struct ikev2_responder_data *data,
587 const u8 *auth, size_t auth_len)
592 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
597 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
602 auth_method = auth[0];
606 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
607 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
609 switch (data->peer_auth) {
611 return ikev2_process_auth_cert(data, auth_method, auth,
613 case PEER_AUTH_SECRET:
614 return ikev2_process_auth_secret(data, auth_method, auth,
622 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
624 u8 *payload, size_t payload_len)
626 struct ikev2_payloads pl;
628 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
630 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
632 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
637 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
638 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
639 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
646 static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
647 const struct ikev2_hdr *hdr,
648 struct ikev2_payloads *pl)
651 size_t decrypted_len;
654 decrypted = ikev2_decrypt_payload(data->proposal.encr,
655 data->proposal.integ,
656 &data->keys, 1, hdr, pl->encrypted,
657 pl->encrypted_len, &decrypted_len);
658 if (decrypted == NULL)
661 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
662 decrypted, decrypted_len);
669 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
670 u8 exchange_type, u32 message_id)
672 switch (data->state) {
674 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
675 if (exchange_type != IKE_SA_INIT) {
676 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
677 "%u in SA_INIT state", exchange_type);
680 if (message_id != 0) {
681 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
682 "in SA_INIT state", message_id);
687 /* Expect to receive IKE_SA_AUTH:
688 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
689 * AUTH, SAi2, TSi, TSr}
691 if (exchange_type != IKE_SA_AUTH) {
692 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
693 "%u in SA_AUTH state", exchange_type);
696 if (message_id != 1) {
697 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
698 "in SA_AUTH state", message_id);
703 if (exchange_type != CREATE_CHILD_SA) {
704 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
705 "%u in CHILD_SA state", exchange_type);
708 if (message_id != 2) {
709 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
710 "in CHILD_SA state", message_id);
724 int ikev2_responder_process(struct ikev2_responder_data *data,
725 const struct wpabuf *buf)
727 const struct ikev2_hdr *hdr;
728 u32 length, message_id;
730 struct ikev2_payloads pl;
732 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
733 (unsigned long) wpabuf_len(buf));
735 if (wpabuf_len(buf) < sizeof(*hdr)) {
736 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
740 data->error_type = 0;
741 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
742 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
743 message_id = WPA_GET_BE32(hdr->message_id);
744 length = WPA_GET_BE32(hdr->length);
746 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
747 hdr->i_spi, IKEV2_SPI_LEN);
748 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
749 hdr->r_spi, IKEV2_SPI_LEN);
750 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
752 hdr->next_payload, hdr->version, hdr->exchange_type);
753 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
756 if (hdr->version != IKEV2_VERSION) {
757 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
758 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
762 if (length != wpabuf_len(buf)) {
763 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
764 "RX: %lu)", (unsigned long) length,
765 (unsigned long) wpabuf_len(buf));
769 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
772 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
773 IKEV2_HDR_INITIATOR) {
774 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
779 if (data->state != SA_INIT) {
780 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
781 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
785 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
786 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
792 pos = (const u8 *) (hdr + 1);
793 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
796 if (data->state == SA_INIT) {
797 data->last_msg = LAST_MSG_SA_INIT;
798 if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
799 if (data->state == NOTIFY)
803 wpabuf_free(data->i_sign_msg);
804 data->i_sign_msg = wpabuf_dup(buf);
807 if (data->state == SA_AUTH) {
808 data->last_msg = LAST_MSG_SA_AUTH;
809 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
810 if (data->state == NOTIFY)
820 static void ikev2_build_hdr(struct ikev2_responder_data *data,
821 struct wpabuf *msg, u8 exchange_type,
822 u8 next_payload, u32 message_id)
824 struct ikev2_hdr *hdr;
826 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
828 /* HDR - RFC 4306, Sect. 3.1 */
829 hdr = wpabuf_put(msg, sizeof(*hdr));
830 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
831 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
832 hdr->next_payload = next_payload;
833 hdr->version = IKEV2_VERSION;
834 hdr->exchange_type = exchange_type;
835 hdr->flags = IKEV2_HDR_RESPONSE;
836 WPA_PUT_BE32(hdr->message_id, message_id);
840 static int ikev2_build_sar1(struct ikev2_responder_data *data,
841 struct wpabuf *msg, u8 next_payload)
843 struct ikev2_payload_hdr *phdr;
845 struct ikev2_proposal *p;
846 struct ikev2_transform *t;
848 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
850 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
851 phdr = wpabuf_put(msg, sizeof(*phdr));
852 phdr->next_payload = next_payload;
855 p = wpabuf_put(msg, sizeof(*p));
856 p->proposal_num = data->proposal.proposal_num;
857 p->protocol_id = IKEV2_PROTOCOL_IKE;
858 p->num_transforms = 4;
860 t = wpabuf_put(msg, sizeof(*t));
862 t->transform_type = IKEV2_TRANSFORM_ENCR;
863 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
864 if (data->proposal.encr == ENCR_AES_CBC) {
865 /* Transform Attribute: Key Len = 128 bits */
866 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
867 wpabuf_put_be16(msg, 128); /* 128-bit key */
869 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
870 WPA_PUT_BE16(t->transform_length, plen);
872 t = wpabuf_put(msg, sizeof(*t));
874 WPA_PUT_BE16(t->transform_length, sizeof(*t));
875 t->transform_type = IKEV2_TRANSFORM_PRF;
876 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
878 t = wpabuf_put(msg, sizeof(*t));
880 WPA_PUT_BE16(t->transform_length, sizeof(*t));
881 t->transform_type = IKEV2_TRANSFORM_INTEG;
882 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
884 t = wpabuf_put(msg, sizeof(*t));
885 WPA_PUT_BE16(t->transform_length, sizeof(*t));
886 t->transform_type = IKEV2_TRANSFORM_DH;
887 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
889 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
890 WPA_PUT_BE16(p->proposal_length, plen);
892 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
893 WPA_PUT_BE16(phdr->payload_length, plen);
899 static int ikev2_build_ker(struct ikev2_responder_data *data,
900 struct wpabuf *msg, u8 next_payload)
902 struct ikev2_payload_hdr *phdr;
906 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
908 pv = dh_init(data->dh, &data->r_dh_private);
910 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
914 /* KEr - RFC 4306, Sect. 3.4 */
915 phdr = wpabuf_put(msg, sizeof(*phdr));
916 phdr->next_payload = next_payload;
919 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
920 wpabuf_put(msg, 2); /* RESERVED */
922 * RFC 4306, Sect. 3.4: possible zero padding for public value to
923 * match the length of the prime.
925 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
926 wpabuf_put_buf(msg, pv);
929 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
930 WPA_PUT_BE16(phdr->payload_length, plen);
935 static int ikev2_build_nr(struct ikev2_responder_data *data,
936 struct wpabuf *msg, u8 next_payload)
938 struct ikev2_payload_hdr *phdr;
941 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
943 /* Nr - RFC 4306, Sect. 3.9 */
944 phdr = wpabuf_put(msg, sizeof(*phdr));
945 phdr->next_payload = next_payload;
947 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
948 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
949 WPA_PUT_BE16(phdr->payload_length, plen);
954 static int ikev2_build_idr(struct ikev2_responder_data *data,
955 struct wpabuf *msg, u8 next_payload)
957 struct ikev2_payload_hdr *phdr;
960 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
962 if (data->IDr == NULL) {
963 wpa_printf(MSG_INFO, "IKEV2: No IDr available");
967 /* IDr - RFC 4306, Sect. 3.5 */
968 phdr = wpabuf_put(msg, sizeof(*phdr));
969 phdr->next_payload = next_payload;
971 wpabuf_put_u8(msg, ID_KEY_ID);
972 wpabuf_put(msg, 3); /* RESERVED */
973 wpabuf_put_data(msg, data->IDr, data->IDr_len);
974 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
975 WPA_PUT_BE16(phdr->payload_length, plen);
980 static int ikev2_build_auth(struct ikev2_responder_data *data,
981 struct wpabuf *msg, u8 next_payload)
983 struct ikev2_payload_hdr *phdr;
985 const struct ikev2_prf_alg *prf;
987 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
989 prf = ikev2_get_prf(data->proposal.prf);
993 /* Authentication - RFC 4306, Sect. 3.8 */
994 phdr = wpabuf_put(msg, sizeof(*phdr));
995 phdr->next_payload = next_payload;
997 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
998 wpabuf_put(msg, 3); /* RESERVED */
1000 /* msg | Ni | prf(SK_pr,IDr') */
1001 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1002 data->IDr, data->IDr_len, ID_KEY_ID,
1003 &data->keys, 0, data->shared_secret,
1004 data->shared_secret_len,
1005 data->i_nonce, data->i_nonce_len,
1006 data->key_pad, data->key_pad_len,
1007 wpabuf_put(msg, prf->hash_len)) < 0) {
1008 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1011 wpabuf_free(data->r_sign_msg);
1012 data->r_sign_msg = NULL;
1014 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1015 WPA_PUT_BE16(phdr->payload_length, plen);
1020 static int ikev2_build_notification(struct ikev2_responder_data *data,
1021 struct wpabuf *msg, u8 next_payload)
1023 struct ikev2_payload_hdr *phdr;
1026 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1028 if (data->error_type == 0) {
1029 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1034 /* Notify - RFC 4306, Sect. 3.10 */
1035 phdr = wpabuf_put(msg, sizeof(*phdr));
1036 phdr->next_payload = next_payload;
1038 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1039 wpabuf_put_u8(msg, 0); /* SPI Size */
1040 wpabuf_put_be16(msg, data->error_type);
1042 switch (data->error_type) {
1043 case INVALID_KE_PAYLOAD:
1044 if (data->proposal.dh == -1) {
1045 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1046 "INVALID_KE_PAYLOAD notifications");
1049 wpabuf_put_be16(msg, data->proposal.dh);
1050 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1051 "DH Group #%d", data->proposal.dh);
1053 case AUTHENTICATION_FAILED:
1054 /* no associated data */
1057 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1058 "%d", data->error_type);
1062 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1063 WPA_PUT_BE16(phdr->payload_length, plen);
1068 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1072 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1074 if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1076 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1077 data->r_spi, IKEV2_SPI_LEN);
1079 data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1080 if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1082 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1084 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1088 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1089 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1090 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1091 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1092 IKEV2_PAYLOAD_ENCRYPTED :
1093 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1098 if (ikev2_derive_keys(data)) {
1103 if (data->peer_auth == PEER_AUTH_CERT) {
1104 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1105 * for trust agents */
1108 if (data->peer_auth == PEER_AUTH_SECRET) {
1109 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1110 if (plain == NULL) {
1114 if (ikev2_build_idr(data, plain,
1115 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1116 ikev2_build_encrypted(data->proposal.encr,
1117 data->proposal.integ,
1118 &data->keys, 0, msg, plain,
1119 IKEV2_PAYLOAD_IDr)) {
1127 ikev2_update_hdr(msg);
1129 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1131 data->state = SA_AUTH;
1133 wpabuf_free(data->r_sign_msg);
1134 data->r_sign_msg = wpabuf_dup(msg);
1140 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1142 struct wpabuf *msg, *plain;
1144 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1146 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1149 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1151 plain = wpabuf_alloc(data->IDr_len + 1000);
1152 if (plain == NULL) {
1157 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1158 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1159 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1160 &data->keys, 0, msg, plain,
1161 IKEV2_PAYLOAD_IDr)) {
1168 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1170 data->state = IKEV2_DONE;
1176 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1180 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1183 if (data->last_msg == LAST_MSG_SA_AUTH) {
1185 struct wpabuf *plain = wpabuf_alloc(100);
1186 if (plain == NULL) {
1190 ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1191 IKEV2_PAYLOAD_ENCRYPTED, 1);
1192 if (ikev2_build_notification(data, plain,
1193 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1194 ikev2_build_encrypted(data->proposal.encr,
1195 data->proposal.integ,
1196 &data->keys, 0, msg, plain,
1197 IKEV2_PAYLOAD_NOTIFICATION)) {
1203 data->state = IKEV2_FAILED;
1206 ikev2_build_hdr(data, msg, IKE_SA_INIT,
1207 IKEV2_PAYLOAD_NOTIFICATION, 0);
1208 if (ikev2_build_notification(data, msg,
1209 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1213 data->state = SA_INIT;
1216 ikev2_update_hdr(msg);
1218 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1225 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1227 switch (data->state) {
1229 return ikev2_build_sa_init(data);
1231 return ikev2_build_sa_auth(data);
1235 return ikev2_build_notify(data);