2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
17 void ikev2_responder_deinit(struct ikev2_responder_data *data)
19 ikev2_free_keys(&data->keys);
20 wpabuf_free(data->i_dh_public);
21 wpabuf_free(data->r_dh_private);
24 os_free(data->shared_secret);
25 wpabuf_free(data->i_sign_msg);
26 wpabuf_free(data->r_sign_msg);
27 os_free(data->key_pad);
31 static int ikev2_derive_keys(struct ikev2_responder_data *data)
33 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34 size_t buf_len, pad_len;
35 struct wpabuf *shared;
36 const struct ikev2_integ_alg *integ;
37 const struct ikev2_prf_alg *prf;
38 const struct ikev2_encr_alg *encr;
43 /* RFC 4306, Sect. 2.14 */
45 integ = ikev2_get_integ(data->proposal.integ);
46 prf = ikev2_get_prf(data->proposal.prf);
47 encr = ikev2_get_encr(data->proposal.encr);
48 if (integ == NULL || prf == NULL || encr == NULL) {
49 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
58 /* Construct Ni | Nr | SPIi | SPIr */
60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61 buf = os_malloc(buf_len);
68 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 pos += data->i_nonce_len;
70 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 pos += data->r_nonce_len;
72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
76 /* SKEYSEED = prf(Ni | Nr, g^ir) */
77 /* Use zero-padding per RFC 4306, Sect. 2.14 */
78 pad_len = data->dh->prime_len - wpabuf_len(shared);
79 pad = os_zalloc(pad_len ? pad_len : 1);
88 addr[1] = wpabuf_head(shared);
89 len[1] = wpabuf_len(shared);
90 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
91 2, addr, len, skeyseed) < 0) {
100 /* DH parameters are not needed anymore, so free them */
101 wpabuf_free(data->i_dh_public);
102 data->i_dh_public = NULL;
103 wpabuf_free(data->r_dh_private);
104 data->r_dh_private = NULL;
106 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
107 skeyseed, prf->hash_len);
109 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
117 const u8 *pos, const u8 *end)
120 const struct ikev2_transform *t;
124 if (end - pos < (int) sizeof(*t)) {
125 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
129 t = (const struct ikev2_transform *) pos;
130 transform_len = WPA_GET_BE16(t->transform_length);
131 if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
132 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
136 tend = pos + transform_len;
138 transform_id = WPA_GET_BE16(t->transform_id);
140 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
141 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
142 "Transform Type: %d Transform ID: %d",
143 t->type, transform_len, t->transform_type, transform_id);
145 if (t->type != 0 && t->type != 3) {
146 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
150 pos = (const u8 *) (t + 1);
152 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
156 switch (t->transform_type) {
157 case IKEV2_TRANSFORM_ENCR:
158 if (ikev2_get_encr(transform_id)) {
159 if (transform_id == ENCR_AES_CBC) {
160 if (tend - pos != 4) {
161 wpa_printf(MSG_DEBUG, "IKEV2: No "
162 "Transform Attr for AES");
165 if (WPA_GET_BE16(pos) != 0x800e) {
166 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
167 "Key Size attribute for "
171 if (WPA_GET_BE16(pos + 2) != 128) {
172 wpa_printf(MSG_DEBUG, "IKEV2: "
173 "Unsupported AES key size "
175 WPA_GET_BE16(pos + 2));
179 prop->encr = transform_id;
182 case IKEV2_TRANSFORM_PRF:
183 if (ikev2_get_prf(transform_id))
184 prop->prf = transform_id;
186 case IKEV2_TRANSFORM_INTEG:
187 if (ikev2_get_integ(transform_id))
188 prop->integ = transform_id;
190 case IKEV2_TRANSFORM_DH:
191 if (dh_groups_get(transform_id))
192 prop->dh = transform_id;
196 return transform_len;
200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
201 const u8 *pos, const u8 *end)
203 const u8 *pend, *ppos;
205 const struct ikev2_proposal *p;
207 if (end - pos < (int) sizeof(*p)) {
208 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
212 /* FIX: AND processing if multiple proposals use the same # */
214 p = (const struct ikev2_proposal *) pos;
215 proposal_len = WPA_GET_BE16(p->proposal_length);
216 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
217 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
221 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
223 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
225 p->type, proposal_len, p->protocol_id);
226 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
227 p->spi_size, p->num_transforms);
229 if (p->type != 0 && p->type != 2) {
230 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
234 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
235 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
236 "(only IKE allowed for EAP-IKEv2)");
240 if (p->proposal_num != prop->proposal_num) {
241 if (p->proposal_num == prop->proposal_num + 1)
242 prop->proposal_num = p->proposal_num;
244 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
249 ppos = (const u8 *) (p + 1);
250 pend = pos + proposal_len;
251 if (p->spi_size > pend - ppos) {
252 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
257 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
263 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
264 * subsequent negotiations, it must be 8 for IKE. We only support
265 * initial case for now.
267 if (p->spi_size != 0) {
268 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
272 if (p->num_transforms == 0) {
273 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
277 for (i = 0; i < (int) p->num_transforms; i++) {
278 int tlen = ikev2_parse_transform(prop, ppos, pend);
285 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
294 static int ikev2_process_sai1(struct ikev2_responder_data *data,
295 const u8 *sai1, size_t sai1_len)
297 struct ikev2_proposal_data prop;
301 /* Security Association Payloads: <Proposals> */
304 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
308 os_memset(&prop, 0, sizeof(prop));
309 prop.proposal_num = 1;
312 end = sai1 + sai1_len;
321 plen = ikev2_parse_proposal(&prop, pos, end);
325 if (!found && prop.integ != -1 && prop.prf != -1 &&
326 prop.encr != -1 && prop.dh != -1) {
327 os_memcpy(&data->proposal, &prop, sizeof(prop));
328 data->dh = dh_groups_get(prop.dh);
336 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
341 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
345 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
346 "INTEG:%d D-H:%d", data->proposal.proposal_num,
347 data->proposal.encr, data->proposal.prf,
348 data->proposal.integ, data->proposal.dh);
354 static int ikev2_process_kei(struct ikev2_responder_data *data,
355 const u8 *kei, size_t kei_len)
360 * Key Exchange Payload:
361 * DH Group # (16 bits)
363 * Key Exchange Data (Diffie-Hellman public value)
367 wpa_printf(MSG_INFO, "IKEV2: KEi not received");
371 if (kei_len < 4 + 96) {
372 wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload");
376 group = WPA_GET_BE16(kei);
377 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
379 if (group != data->proposal.dh) {
380 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
381 "with the selected proposal (%u)",
382 group, data->proposal.dh);
383 /* Reject message with Notify payload of type
384 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
385 data->error_type = INVALID_KE_PAYLOAD;
386 data->state = NOTIFY;
390 if (data->dh == NULL) {
391 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
395 /* RFC 4306, Section 3.4:
396 * The length of DH public value MUST be equal to the length of the
399 if (kei_len - 4 != data->dh->prime_len) {
400 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
401 "%ld (expected %ld)",
402 (long) (kei_len - 4), (long) data->dh->prime_len);
406 wpabuf_free(data->i_dh_public);
407 data->i_dh_public = wpabuf_alloc(kei_len - 4);
408 if (data->i_dh_public == NULL)
410 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
412 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
419 static int ikev2_process_ni(struct ikev2_responder_data *data,
420 const u8 *ni, size_t ni_len)
423 wpa_printf(MSG_INFO, "IKEV2: Ni not received");
427 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
428 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
433 data->i_nonce_len = ni_len;
434 os_memcpy(data->i_nonce, ni, ni_len);
435 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
436 data->i_nonce, data->i_nonce_len);
442 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
443 const struct ikev2_hdr *hdr,
444 struct ikev2_payloads *pl)
446 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
447 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
448 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
451 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
457 static int ikev2_process_idi(struct ikev2_responder_data *data,
458 const u8 *idi, size_t idi_len)
463 wpa_printf(MSG_INFO, "IKEV2: No IDi received");
468 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
476 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
477 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
479 data->IDi = os_memdup(idi, idi_len);
480 if (data->IDi == NULL)
482 data->IDi_len = idi_len;
483 data->IDi_type = id_type;
489 static int ikev2_process_cert(struct ikev2_responder_data *data,
490 const u8 *cert, size_t cert_len)
495 if (data->peer_auth == PEER_AUTH_CERT) {
496 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
503 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
507 cert_encoding = cert[0];
511 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
512 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
514 /* TODO: validate certificate */
520 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
521 u8 method, const u8 *auth, size_t auth_len)
523 if (method != AUTH_RSA_SIGN) {
524 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
525 "method %d", method);
529 /* TODO: validate AUTH */
534 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
535 u8 method, const u8 *auth,
538 u8 auth_data[IKEV2_MAX_HASH_LEN];
539 const struct ikev2_prf_alg *prf;
541 if (method != AUTH_SHARED_KEY_MIC) {
542 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
543 "method %d", method);
547 /* msg | Nr | prf(SK_pi,IDi') */
548 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
549 data->IDi, data->IDi_len, data->IDi_type,
550 &data->keys, 1, data->shared_secret,
551 data->shared_secret_len,
552 data->r_nonce, data->r_nonce_len,
553 data->key_pad, data->key_pad_len,
555 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
559 wpabuf_free(data->i_sign_msg);
560 data->i_sign_msg = NULL;
562 prf = ikev2_get_prf(data->proposal.prf);
566 if (auth_len != prf->hash_len ||
567 os_memcmp_const(auth, auth_data, auth_len) != 0) {
568 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
569 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
571 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
572 auth_data, prf->hash_len);
573 data->error_type = AUTHENTICATION_FAILED;
574 data->state = NOTIFY;
578 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
579 "using shared keys");
585 static int ikev2_process_auth(struct ikev2_responder_data *data,
586 const u8 *auth, size_t auth_len)
591 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
596 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
601 auth_method = auth[0];
605 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
606 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
608 switch (data->peer_auth) {
610 return ikev2_process_auth_cert(data, auth_method, auth,
612 case PEER_AUTH_SECRET:
613 return ikev2_process_auth_secret(data, auth_method, auth,
621 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
623 u8 *payload, size_t payload_len)
625 struct ikev2_payloads pl;
627 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
629 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
631 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
636 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
637 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
638 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
645 static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
646 const struct ikev2_hdr *hdr,
647 struct ikev2_payloads *pl)
650 size_t decrypted_len;
653 decrypted = ikev2_decrypt_payload(data->proposal.encr,
654 data->proposal.integ,
655 &data->keys, 1, hdr, pl->encrypted,
656 pl->encrypted_len, &decrypted_len);
657 if (decrypted == NULL)
660 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
661 decrypted, decrypted_len);
668 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
669 u8 exchange_type, u32 message_id)
671 switch (data->state) {
673 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
674 if (exchange_type != IKE_SA_INIT) {
675 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
676 "%u in SA_INIT state", exchange_type);
679 if (message_id != 0) {
680 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
681 "in SA_INIT state", message_id);
686 /* Expect to receive IKE_SA_AUTH:
687 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
688 * AUTH, SAi2, TSi, TSr}
690 if (exchange_type != IKE_SA_AUTH) {
691 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
692 "%u in SA_AUTH state", exchange_type);
695 if (message_id != 1) {
696 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
697 "in SA_AUTH state", message_id);
702 if (exchange_type != CREATE_CHILD_SA) {
703 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
704 "%u in CHILD_SA state", exchange_type);
707 if (message_id != 2) {
708 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
709 "in CHILD_SA state", message_id);
723 int ikev2_responder_process(struct ikev2_responder_data *data,
724 const struct wpabuf *buf)
726 const struct ikev2_hdr *hdr;
727 u32 length, message_id;
729 struct ikev2_payloads pl;
731 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
732 (unsigned long) wpabuf_len(buf));
734 if (wpabuf_len(buf) < sizeof(*hdr)) {
735 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
739 data->error_type = 0;
740 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
741 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
742 message_id = WPA_GET_BE32(hdr->message_id);
743 length = WPA_GET_BE32(hdr->length);
745 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
746 hdr->i_spi, IKEV2_SPI_LEN);
747 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
748 hdr->r_spi, IKEV2_SPI_LEN);
749 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
751 hdr->next_payload, hdr->version, hdr->exchange_type);
752 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
755 if (hdr->version != IKEV2_VERSION) {
756 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
757 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
761 if (length != wpabuf_len(buf)) {
762 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
763 "RX: %lu)", (unsigned long) length,
764 (unsigned long) wpabuf_len(buf));
768 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
771 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
772 IKEV2_HDR_INITIATOR) {
773 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
778 if (data->state != SA_INIT) {
779 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
780 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
784 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
785 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
791 pos = (const u8 *) (hdr + 1);
792 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
795 if (data->state == SA_INIT) {
796 data->last_msg = LAST_MSG_SA_INIT;
797 if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
798 if (data->state == NOTIFY)
802 wpabuf_free(data->i_sign_msg);
803 data->i_sign_msg = wpabuf_dup(buf);
806 if (data->state == SA_AUTH) {
807 data->last_msg = LAST_MSG_SA_AUTH;
808 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
809 if (data->state == NOTIFY)
819 static void ikev2_build_hdr(struct ikev2_responder_data *data,
820 struct wpabuf *msg, u8 exchange_type,
821 u8 next_payload, u32 message_id)
823 struct ikev2_hdr *hdr;
825 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
827 /* HDR - RFC 4306, Sect. 3.1 */
828 hdr = wpabuf_put(msg, sizeof(*hdr));
829 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
830 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
831 hdr->next_payload = next_payload;
832 hdr->version = IKEV2_VERSION;
833 hdr->exchange_type = exchange_type;
834 hdr->flags = IKEV2_HDR_RESPONSE;
835 WPA_PUT_BE32(hdr->message_id, message_id);
839 static int ikev2_build_sar1(struct ikev2_responder_data *data,
840 struct wpabuf *msg, u8 next_payload)
842 struct ikev2_payload_hdr *phdr;
844 struct ikev2_proposal *p;
845 struct ikev2_transform *t;
847 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
849 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
850 phdr = wpabuf_put(msg, sizeof(*phdr));
851 phdr->next_payload = next_payload;
854 p = wpabuf_put(msg, sizeof(*p));
855 p->proposal_num = data->proposal.proposal_num;
856 p->protocol_id = IKEV2_PROTOCOL_IKE;
857 p->num_transforms = 4;
859 t = wpabuf_put(msg, sizeof(*t));
861 t->transform_type = IKEV2_TRANSFORM_ENCR;
862 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
863 if (data->proposal.encr == ENCR_AES_CBC) {
864 /* Transform Attribute: Key Len = 128 bits */
865 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
866 wpabuf_put_be16(msg, 128); /* 128-bit key */
868 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
869 WPA_PUT_BE16(t->transform_length, plen);
871 t = wpabuf_put(msg, sizeof(*t));
873 WPA_PUT_BE16(t->transform_length, sizeof(*t));
874 t->transform_type = IKEV2_TRANSFORM_PRF;
875 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
877 t = wpabuf_put(msg, sizeof(*t));
879 WPA_PUT_BE16(t->transform_length, sizeof(*t));
880 t->transform_type = IKEV2_TRANSFORM_INTEG;
881 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
883 t = wpabuf_put(msg, sizeof(*t));
884 WPA_PUT_BE16(t->transform_length, sizeof(*t));
885 t->transform_type = IKEV2_TRANSFORM_DH;
886 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
888 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
889 WPA_PUT_BE16(p->proposal_length, plen);
891 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
892 WPA_PUT_BE16(phdr->payload_length, plen);
898 static int ikev2_build_ker(struct ikev2_responder_data *data,
899 struct wpabuf *msg, u8 next_payload)
901 struct ikev2_payload_hdr *phdr;
905 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
907 pv = dh_init(data->dh, &data->r_dh_private);
909 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
913 /* KEr - RFC 4306, Sect. 3.4 */
914 phdr = wpabuf_put(msg, sizeof(*phdr));
915 phdr->next_payload = next_payload;
918 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
919 wpabuf_put(msg, 2); /* RESERVED */
921 * RFC 4306, Sect. 3.4: possible zero padding for public value to
922 * match the length of the prime.
924 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
925 wpabuf_put_buf(msg, pv);
928 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
929 WPA_PUT_BE16(phdr->payload_length, plen);
934 static int ikev2_build_nr(struct ikev2_responder_data *data,
935 struct wpabuf *msg, u8 next_payload)
937 struct ikev2_payload_hdr *phdr;
940 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
942 /* Nr - RFC 4306, Sect. 3.9 */
943 phdr = wpabuf_put(msg, sizeof(*phdr));
944 phdr->next_payload = next_payload;
946 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
947 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
948 WPA_PUT_BE16(phdr->payload_length, plen);
953 static int ikev2_build_idr(struct ikev2_responder_data *data,
954 struct wpabuf *msg, u8 next_payload)
956 struct ikev2_payload_hdr *phdr;
959 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
961 if (data->IDr == NULL) {
962 wpa_printf(MSG_INFO, "IKEV2: No IDr available");
966 /* IDr - RFC 4306, Sect. 3.5 */
967 phdr = wpabuf_put(msg, sizeof(*phdr));
968 phdr->next_payload = next_payload;
970 wpabuf_put_u8(msg, ID_KEY_ID);
971 wpabuf_put(msg, 3); /* RESERVED */
972 wpabuf_put_data(msg, data->IDr, data->IDr_len);
973 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
974 WPA_PUT_BE16(phdr->payload_length, plen);
979 static int ikev2_build_auth(struct ikev2_responder_data *data,
980 struct wpabuf *msg, u8 next_payload)
982 struct ikev2_payload_hdr *phdr;
984 const struct ikev2_prf_alg *prf;
986 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
988 prf = ikev2_get_prf(data->proposal.prf);
992 /* Authentication - RFC 4306, Sect. 3.8 */
993 phdr = wpabuf_put(msg, sizeof(*phdr));
994 phdr->next_payload = next_payload;
996 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
997 wpabuf_put(msg, 3); /* RESERVED */
999 /* msg | Ni | prf(SK_pr,IDr') */
1000 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1001 data->IDr, data->IDr_len, ID_KEY_ID,
1002 &data->keys, 0, data->shared_secret,
1003 data->shared_secret_len,
1004 data->i_nonce, data->i_nonce_len,
1005 data->key_pad, data->key_pad_len,
1006 wpabuf_put(msg, prf->hash_len)) < 0) {
1007 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1010 wpabuf_free(data->r_sign_msg);
1011 data->r_sign_msg = NULL;
1013 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1014 WPA_PUT_BE16(phdr->payload_length, plen);
1019 static int ikev2_build_notification(struct ikev2_responder_data *data,
1020 struct wpabuf *msg, u8 next_payload)
1022 struct ikev2_payload_hdr *phdr;
1025 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1027 if (data->error_type == 0) {
1028 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1033 /* Notify - RFC 4306, Sect. 3.10 */
1034 phdr = wpabuf_put(msg, sizeof(*phdr));
1035 phdr->next_payload = next_payload;
1037 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1038 wpabuf_put_u8(msg, 0); /* SPI Size */
1039 wpabuf_put_be16(msg, data->error_type);
1041 switch (data->error_type) {
1042 case INVALID_KE_PAYLOAD:
1043 if (data->proposal.dh == -1) {
1044 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1045 "INVALID_KE_PAYLOAD notifications");
1048 wpabuf_put_be16(msg, data->proposal.dh);
1049 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1050 "DH Group #%d", data->proposal.dh);
1052 case AUTHENTICATION_FAILED:
1053 /* no associated data */
1056 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1057 "%d", data->error_type);
1061 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1062 WPA_PUT_BE16(phdr->payload_length, plen);
1067 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1071 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1073 if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1075 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1076 data->r_spi, IKEV2_SPI_LEN);
1078 data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1079 if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1081 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1083 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1087 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1088 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1089 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1090 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1091 IKEV2_PAYLOAD_ENCRYPTED :
1092 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1097 if (ikev2_derive_keys(data)) {
1102 if (data->peer_auth == PEER_AUTH_CERT) {
1103 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1104 * for trust agents */
1107 if (data->peer_auth == PEER_AUTH_SECRET) {
1108 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1109 if (plain == NULL) {
1113 if (ikev2_build_idr(data, plain,
1114 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1115 ikev2_build_encrypted(data->proposal.encr,
1116 data->proposal.integ,
1117 &data->keys, 0, msg, plain,
1118 IKEV2_PAYLOAD_IDr)) {
1126 ikev2_update_hdr(msg);
1128 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1130 data->state = SA_AUTH;
1132 wpabuf_free(data->r_sign_msg);
1133 data->r_sign_msg = wpabuf_dup(msg);
1139 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1141 struct wpabuf *msg, *plain;
1143 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1145 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1148 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1150 plain = wpabuf_alloc(data->IDr_len + 1000);
1151 if (plain == NULL) {
1156 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1157 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1158 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1159 &data->keys, 0, msg, plain,
1160 IKEV2_PAYLOAD_IDr)) {
1167 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1169 data->state = IKEV2_DONE;
1175 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1179 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1182 if (data->last_msg == LAST_MSG_SA_AUTH) {
1184 struct wpabuf *plain = wpabuf_alloc(100);
1185 if (plain == NULL) {
1189 ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1190 IKEV2_PAYLOAD_ENCRYPTED, 1);
1191 if (ikev2_build_notification(data, plain,
1192 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1193 ikev2_build_encrypted(data->proposal.encr,
1194 data->proposal.integ,
1195 &data->keys, 0, msg, plain,
1196 IKEV2_PAYLOAD_NOTIFICATION)) {
1202 data->state = IKEV2_FAILED;
1205 ikev2_build_hdr(data, msg, IKE_SA_INIT,
1206 IKEV2_PAYLOAD_NOTIFICATION, 0);
1207 if (ikev2_build_notification(data, msg,
1208 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1212 data->state = SA_INIT;
1215 ikev2_update_hdr(msg);
1217 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1224 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1226 switch (data->state) {
1228 return ikev2_build_sa_init(data);
1230 return ikev2_build_sa_auth(data);
1234 return ikev2_build_notify(data);