2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
17 static int ikev2_process_idr(struct ikev2_initiator_data *data,
18 const u8 *idr, size_t idr_len);
21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
23 ikev2_free_keys(&data->keys);
24 wpabuf_free(data->r_dh_public);
25 wpabuf_free(data->i_dh_private);
28 os_free(data->shared_secret);
29 wpabuf_free(data->i_sign_msg);
30 wpabuf_free(data->r_sign_msg);
31 os_free(data->key_pad);
35 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
37 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
38 size_t buf_len, pad_len;
39 struct wpabuf *shared;
40 const struct ikev2_integ_alg *integ;
41 const struct ikev2_prf_alg *prf;
42 const struct ikev2_encr_alg *encr;
47 /* RFC 4306, Sect. 2.14 */
49 integ = ikev2_get_integ(data->proposal.integ);
50 prf = ikev2_get_prf(data->proposal.prf);
51 encr = ikev2_get_encr(data->proposal.encr);
52 if (integ == NULL || prf == NULL || encr == NULL) {
53 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
57 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
62 /* Construct Ni | Nr | SPIi | SPIr */
64 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
65 buf = os_malloc(buf_len);
72 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
73 pos += data->i_nonce_len;
74 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
75 pos += data->r_nonce_len;
76 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
78 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
80 /* SKEYSEED = prf(Ni | Nr, g^ir) */
82 /* Use zero-padding per RFC 4306, Sect. 2.14 */
83 pad_len = data->dh->prime_len - wpabuf_len(shared);
84 pad = os_zalloc(pad_len ? pad_len : 1);
92 addr[1] = wpabuf_head(shared);
93 len[1] = wpabuf_len(shared);
94 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
95 2, addr, len, skeyseed) < 0) {
104 /* DH parameters are not needed anymore, so free them */
105 wpabuf_free(data->r_dh_public);
106 data->r_dh_public = NULL;
107 wpabuf_free(data->i_dh_private);
108 data->i_dh_private = NULL;
110 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
111 skeyseed, prf->hash_len);
113 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
120 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
121 struct ikev2_proposal_data *prop,
122 const u8 *pos, const u8 *end)
125 const struct ikev2_transform *t;
129 if (end - pos < (int) sizeof(*t)) {
130 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
134 t = (const struct ikev2_transform *) pos;
135 transform_len = WPA_GET_BE16(t->transform_length);
136 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
137 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
141 tend = pos + transform_len;
143 transform_id = WPA_GET_BE16(t->transform_id);
145 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
146 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
147 "Transform Type: %d Transform ID: %d",
148 t->type, transform_len, t->transform_type, transform_id);
150 if (t->type != 0 && t->type != 3) {
151 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
155 pos = (const u8 *) (t + 1);
157 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
161 switch (t->transform_type) {
162 case IKEV2_TRANSFORM_ENCR:
163 if (ikev2_get_encr(transform_id) &&
164 transform_id == data->proposal.encr) {
165 if (transform_id == ENCR_AES_CBC) {
166 if (tend - pos != 4) {
167 wpa_printf(MSG_DEBUG, "IKEV2: No "
168 "Transform Attr for AES");
171 if (WPA_GET_BE16(pos) != 0x800e) {
172 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
173 "Key Size attribute for "
177 if (WPA_GET_BE16(pos + 2) != 128) {
178 wpa_printf(MSG_DEBUG, "IKEV2: "
179 "Unsupported AES key size "
181 WPA_GET_BE16(pos + 2));
185 prop->encr = transform_id;
188 case IKEV2_TRANSFORM_PRF:
189 if (ikev2_get_prf(transform_id) &&
190 transform_id == data->proposal.prf)
191 prop->prf = transform_id;
193 case IKEV2_TRANSFORM_INTEG:
194 if (ikev2_get_integ(transform_id) &&
195 transform_id == data->proposal.integ)
196 prop->integ = transform_id;
198 case IKEV2_TRANSFORM_DH:
199 if (dh_groups_get(transform_id) &&
200 transform_id == data->proposal.dh)
201 prop->dh = transform_id;
205 return transform_len;
209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
210 struct ikev2_proposal_data *prop,
211 const u8 *pos, const u8 *end)
213 const u8 *pend, *ppos;
215 const struct ikev2_proposal *p;
217 if (end - pos < (int) sizeof(*p)) {
218 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
222 p = (const struct ikev2_proposal *) pos;
223 proposal_len = WPA_GET_BE16(p->proposal_length);
224 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
225 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
229 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
231 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
233 p->type, proposal_len, p->protocol_id);
234 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
235 p->spi_size, p->num_transforms);
237 if (p->type != 0 && p->type != 2) {
238 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
242 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
243 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
244 "(only IKE allowed for EAP-IKEv2)");
248 if (p->proposal_num != prop->proposal_num) {
249 if (p->proposal_num == prop->proposal_num + 1)
250 prop->proposal_num = p->proposal_num;
252 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
257 ppos = (const u8 *) (p + 1);
258 pend = pos + proposal_len;
259 if (ppos + p->spi_size > pend) {
260 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
265 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
271 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
272 * subsequent negotiations, it must be 8 for IKE. We only support
273 * initial case for now.
275 if (p->spi_size != 0) {
276 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
280 if (p->num_transforms == 0) {
281 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
285 for (i = 0; i < (int) p->num_transforms; i++) {
286 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
293 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
302 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
303 const u8 *sar1, size_t sar1_len)
305 struct ikev2_proposal_data prop;
309 /* Security Association Payloads: <Proposals> */
312 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
316 os_memset(&prop, 0, sizeof(prop));
317 prop.proposal_num = 1;
320 end = sar1 + sar1_len;
329 plen = ikev2_parse_proposal(data, &prop, pos, end);
333 if (!found && prop.integ != -1 && prop.prf != -1 &&
334 prop.encr != -1 && prop.dh != -1) {
340 /* Only one proposal expected in SAr */
345 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
350 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
354 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
355 "INTEG:%d D-H:%d", data->proposal.proposal_num,
356 data->proposal.encr, data->proposal.prf,
357 data->proposal.integ, data->proposal.dh);
363 static int ikev2_process_ker(struct ikev2_initiator_data *data,
364 const u8 *ker, size_t ker_len)
369 * Key Exchange Payload:
370 * DH Group # (16 bits)
372 * Key Exchange Data (Diffie-Hellman public value)
376 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
380 if (ker_len < 4 + 96) {
381 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
385 group = WPA_GET_BE16(ker);
386 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
388 if (group != data->proposal.dh) {
389 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
390 "with the selected proposal (%u)",
391 group, data->proposal.dh);
395 if (data->dh == NULL) {
396 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
400 /* RFC 4306, Section 3.4:
401 * The length of DH public value MUST be equal to the length of the
404 if (ker_len - 4 != data->dh->prime_len) {
405 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
406 "%ld (expected %ld)",
407 (long) (ker_len - 4), (long) data->dh->prime_len);
411 wpabuf_free(data->r_dh_public);
412 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
413 if (data->r_dh_public == NULL)
416 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
423 static int ikev2_process_nr(struct ikev2_initiator_data *data,
424 const u8 *nr, size_t nr_len)
427 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
431 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
432 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
437 data->r_nonce_len = nr_len;
438 os_memcpy(data->r_nonce, nr, nr_len);
439 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
440 data->r_nonce, data->r_nonce_len);
446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
447 const struct ikev2_hdr *hdr,
449 size_t encrypted_len, u8 next_payload)
452 size_t decrypted_len;
453 struct ikev2_payloads pl;
456 decrypted = ikev2_decrypt_payload(data->proposal.encr,
457 data->proposal.integ, &data->keys, 0,
458 hdr, encrypted, encrypted_len,
460 if (decrypted == NULL)
463 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
465 if (ikev2_parse_payloads(&pl, next_payload, decrypted,
466 decrypted + decrypted_len) < 0) {
467 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
473 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
482 const struct ikev2_hdr *hdr,
483 struct ikev2_payloads *pl)
485 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
486 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
487 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
490 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
492 if (ikev2_derive_keys(data) < 0)
496 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
497 "try to get IDr from it");
498 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
500 pl->encr_next_payload) < 0) {
501 wpa_printf(MSG_INFO, "IKEV2: Failed to process "
502 "encrypted payload");
507 data->state = SA_AUTH;
513 static int ikev2_process_idr(struct ikev2_initiator_data *data,
514 const u8 *idr, size_t idr_len)
519 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
524 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
532 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
533 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
535 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
536 os_memcmp(idr, data->IDr, idr_len) != 0) {
537 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
539 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
541 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
542 data->IDr, data->IDr_len);
547 data->IDr = os_malloc(idr_len);
548 if (data->IDr == NULL)
550 os_memcpy(data->IDr, idr, idr_len);
551 data->IDr_len = idr_len;
552 data->IDr_type = id_type;
558 static int ikev2_process_cert(struct ikev2_initiator_data *data,
559 const u8 *cert, size_t cert_len)
564 if (data->peer_auth == PEER_AUTH_CERT) {
565 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
572 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
576 cert_encoding = cert[0];
580 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
581 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
583 /* TODO: validate certificate */
589 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
590 u8 method, const u8 *auth, size_t auth_len)
592 if (method != AUTH_RSA_SIGN) {
593 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
594 "method %d", method);
598 /* TODO: validate AUTH */
603 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
604 u8 method, const u8 *auth,
607 u8 auth_data[IKEV2_MAX_HASH_LEN];
608 const struct ikev2_prf_alg *prf;
610 if (method != AUTH_SHARED_KEY_MIC) {
611 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
612 "method %d", method);
616 /* msg | Ni | prf(SK_pr,IDr') */
617 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
618 data->IDr, data->IDr_len, data->IDr_type,
619 &data->keys, 0, data->shared_secret,
620 data->shared_secret_len,
621 data->i_nonce, data->i_nonce_len,
622 data->key_pad, data->key_pad_len,
624 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
628 wpabuf_free(data->r_sign_msg);
629 data->r_sign_msg = NULL;
631 prf = ikev2_get_prf(data->proposal.prf);
635 if (auth_len != prf->hash_len ||
636 os_memcmp_const(auth, auth_data, auth_len) != 0) {
637 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
638 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
640 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
641 auth_data, prf->hash_len);
645 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
646 "using shared keys");
652 static int ikev2_process_auth(struct ikev2_initiator_data *data,
653 const u8 *auth, size_t auth_len)
658 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
663 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
668 auth_method = auth[0];
672 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
673 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
675 switch (data->peer_auth) {
677 return ikev2_process_auth_cert(data, auth_method, auth,
679 case PEER_AUTH_SECRET:
680 return ikev2_process_auth_secret(data, auth_method, auth,
688 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
690 u8 *payload, size_t payload_len)
692 struct ikev2_payloads pl;
694 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
696 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
698 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
703 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
704 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
705 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
712 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
713 const struct ikev2_hdr *hdr,
714 struct ikev2_payloads *pl)
717 size_t decrypted_len;
720 decrypted = ikev2_decrypt_payload(data->proposal.encr,
721 data->proposal.integ,
722 &data->keys, 0, hdr, pl->encrypted,
723 pl->encrypted_len, &decrypted_len);
724 if (decrypted == NULL)
727 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
728 decrypted, decrypted_len);
731 if (ret == 0 && !data->unknown_user) {
732 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
733 data->state = IKEV2_DONE;
740 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
741 u8 exchange_type, u32 message_id)
743 switch (data->state) {
745 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
747 if (exchange_type != IKE_SA_INIT) {
748 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
749 "%u in SA_INIT state", exchange_type);
752 if (message_id != 0) {
753 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
754 "in SA_INIT state", message_id);
759 /* Expect to receive IKE_SA_AUTH:
760 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
762 if (exchange_type != IKE_SA_AUTH) {
763 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
764 "%u in SA_AUTH state", exchange_type);
767 if (message_id != 1) {
768 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
769 "in SA_AUTH state", message_id);
774 if (exchange_type != CREATE_CHILD_SA) {
775 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
776 "%u in CHILD_SA state", exchange_type);
779 if (message_id != 2) {
780 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
781 "in CHILD_SA state", message_id);
793 int ikev2_initiator_process(struct ikev2_initiator_data *data,
794 const struct wpabuf *buf)
796 const struct ikev2_hdr *hdr;
797 u32 length, message_id;
799 struct ikev2_payloads pl;
801 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
802 (unsigned long) wpabuf_len(buf));
804 if (wpabuf_len(buf) < sizeof(*hdr)) {
805 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
809 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
810 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
811 message_id = WPA_GET_BE32(hdr->message_id);
812 length = WPA_GET_BE32(hdr->length);
814 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
815 hdr->i_spi, IKEV2_SPI_LEN);
816 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
817 hdr->r_spi, IKEV2_SPI_LEN);
818 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
820 hdr->next_payload, hdr->version, hdr->exchange_type);
821 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
824 if (hdr->version != IKEV2_VERSION) {
825 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
826 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
830 if (length != wpabuf_len(buf)) {
831 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
832 "RX: %lu)", (unsigned long) length,
833 (unsigned long) wpabuf_len(buf));
837 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
840 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
841 IKEV2_HDR_RESPONSE) {
842 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
847 if (data->state != SA_INIT) {
848 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
849 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
853 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
854 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
860 pos = (const u8 *) (hdr + 1);
861 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
864 switch (data->state) {
866 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
868 wpabuf_free(data->r_sign_msg);
869 data->r_sign_msg = wpabuf_dup(buf);
872 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
884 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
885 struct wpabuf *msg, u8 exchange_type,
886 u8 next_payload, u32 message_id)
888 struct ikev2_hdr *hdr;
890 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
892 /* HDR - RFC 4306, Sect. 3.1 */
893 hdr = wpabuf_put(msg, sizeof(*hdr));
894 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
895 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
896 hdr->next_payload = next_payload;
897 hdr->version = IKEV2_VERSION;
898 hdr->exchange_type = exchange_type;
899 hdr->flags = IKEV2_HDR_INITIATOR;
900 WPA_PUT_BE32(hdr->message_id, message_id);
904 static int ikev2_build_sai(struct ikev2_initiator_data *data,
905 struct wpabuf *msg, u8 next_payload)
907 struct ikev2_payload_hdr *phdr;
909 struct ikev2_proposal *p;
910 struct ikev2_transform *t;
912 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
914 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
915 phdr = wpabuf_put(msg, sizeof(*phdr));
916 phdr->next_payload = next_payload;
919 /* TODO: support for multiple proposals */
920 p = wpabuf_put(msg, sizeof(*p));
921 p->proposal_num = data->proposal.proposal_num;
922 p->protocol_id = IKEV2_PROTOCOL_IKE;
923 p->num_transforms = 4;
925 t = wpabuf_put(msg, sizeof(*t));
927 t->transform_type = IKEV2_TRANSFORM_ENCR;
928 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
929 if (data->proposal.encr == ENCR_AES_CBC) {
930 /* Transform Attribute: Key Len = 128 bits */
931 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
932 wpabuf_put_be16(msg, 128); /* 128-bit key */
934 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
935 WPA_PUT_BE16(t->transform_length, plen);
937 t = wpabuf_put(msg, sizeof(*t));
939 WPA_PUT_BE16(t->transform_length, sizeof(*t));
940 t->transform_type = IKEV2_TRANSFORM_PRF;
941 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
943 t = wpabuf_put(msg, sizeof(*t));
945 WPA_PUT_BE16(t->transform_length, sizeof(*t));
946 t->transform_type = IKEV2_TRANSFORM_INTEG;
947 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
949 t = wpabuf_put(msg, sizeof(*t));
950 WPA_PUT_BE16(t->transform_length, sizeof(*t));
951 t->transform_type = IKEV2_TRANSFORM_DH;
952 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
954 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
955 WPA_PUT_BE16(p->proposal_length, plen);
957 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
958 WPA_PUT_BE16(phdr->payload_length, plen);
964 static int ikev2_build_kei(struct ikev2_initiator_data *data,
965 struct wpabuf *msg, u8 next_payload)
967 struct ikev2_payload_hdr *phdr;
971 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
973 data->dh = dh_groups_get(data->proposal.dh);
974 pv = dh_init(data->dh, &data->i_dh_private);
976 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
980 /* KEi - RFC 4306, Sect. 3.4 */
981 phdr = wpabuf_put(msg, sizeof(*phdr));
982 phdr->next_payload = next_payload;
985 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
986 wpabuf_put(msg, 2); /* RESERVED */
988 * RFC 4306, Sect. 3.4: possible zero padding for public value to
989 * match the length of the prime.
991 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
992 wpabuf_put_buf(msg, pv);
995 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
996 WPA_PUT_BE16(phdr->payload_length, plen);
1001 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1002 struct wpabuf *msg, u8 next_payload)
1004 struct ikev2_payload_hdr *phdr;
1007 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1009 /* Ni - RFC 4306, Sect. 3.9 */
1010 phdr = wpabuf_put(msg, sizeof(*phdr));
1011 phdr->next_payload = next_payload;
1013 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1014 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1015 WPA_PUT_BE16(phdr->payload_length, plen);
1020 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1021 struct wpabuf *msg, u8 next_payload)
1023 struct ikev2_payload_hdr *phdr;
1026 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1028 if (data->IDi == NULL) {
1029 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1033 /* IDi - RFC 4306, Sect. 3.5 */
1034 phdr = wpabuf_put(msg, sizeof(*phdr));
1035 phdr->next_payload = next_payload;
1037 wpabuf_put_u8(msg, ID_KEY_ID);
1038 wpabuf_put(msg, 3); /* RESERVED */
1039 wpabuf_put_data(msg, data->IDi, data->IDi_len);
1040 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1041 WPA_PUT_BE16(phdr->payload_length, plen);
1046 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1047 struct wpabuf *msg, u8 next_payload)
1049 struct ikev2_payload_hdr *phdr;
1051 const struct ikev2_prf_alg *prf;
1053 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1055 prf = ikev2_get_prf(data->proposal.prf);
1059 /* Authentication - RFC 4306, Sect. 3.8 */
1060 phdr = wpabuf_put(msg, sizeof(*phdr));
1061 phdr->next_payload = next_payload;
1063 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1064 wpabuf_put(msg, 3); /* RESERVED */
1066 /* msg | Nr | prf(SK_pi,IDi') */
1067 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1068 data->IDi, data->IDi_len, ID_KEY_ID,
1069 &data->keys, 1, data->shared_secret,
1070 data->shared_secret_len,
1071 data->r_nonce, data->r_nonce_len,
1072 data->key_pad, data->key_pad_len,
1073 wpabuf_put(msg, prf->hash_len)) < 0) {
1074 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1077 wpabuf_free(data->i_sign_msg);
1078 data->i_sign_msg = NULL;
1080 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1081 WPA_PUT_BE16(phdr->payload_length, plen);
1086 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1090 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1092 if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1094 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1095 data->i_spi, IKEV2_SPI_LEN);
1097 data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1098 if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1100 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1102 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1106 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1107 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1108 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1109 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1114 ikev2_update_hdr(msg);
1116 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1118 wpabuf_free(data->i_sign_msg);
1119 data->i_sign_msg = wpabuf_dup(msg);
1125 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1127 struct wpabuf *msg, *plain;
1131 secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1132 data->IDr_len, &secret_len);
1133 if (secret == NULL) {
1134 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1136 /* RFC 5106, Sect. 7:
1137 * Use a random key to fake AUTH generation in order to prevent
1138 * probing of user identities.
1140 data->unknown_user = 1;
1141 os_free(data->shared_secret);
1142 data->shared_secret = os_malloc(16);
1143 if (data->shared_secret == NULL)
1145 data->shared_secret_len = 16;
1146 if (random_get_bytes(data->shared_secret, 16))
1149 os_free(data->shared_secret);
1150 data->shared_secret = os_malloc(secret_len);
1151 if (data->shared_secret == NULL)
1153 os_memcpy(data->shared_secret, secret, secret_len);
1154 data->shared_secret_len = secret_len;
1157 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1159 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1162 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1164 plain = wpabuf_alloc(data->IDr_len + 1000);
1165 if (plain == NULL) {
1170 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1171 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1172 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1173 &data->keys, 1, msg, plain,
1174 IKEV2_PAYLOAD_IDi)) {
1181 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1187 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1189 switch (data->state) {
1191 return ikev2_build_sa_init(data);
1193 return ikev2_build_sa_auth(data);