src/eap_server/ikev2.c

   1 /*
   2  * IKEv2 initiator (RFC 4306) for EAP-IKEV2
   3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
   4  *
   5  * This software may be distributed under the terms of the BSD license.
   6  * See README for more details.
   7  */
   8
   9 #include "includes.h"
  10
  11 #include "common.h"
  12 #include "crypto/dh_groups.h"
  13 #include "crypto/random.h"
  14 #include "ikev2.h"
  15
  16
  17 static int ikev2_process_idr(struct ikev2_initiator_data *data,
  18                              const u8 *idr, size_t idr_len);
  19
  20
  21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
  22 {
  23         ikev2_free_keys(&data->keys);
  24         wpabuf_free(data->r_dh_public);
  25         wpabuf_free(data->i_dh_private);
  26         os_free(data->IDi);
  27         os_free(data->IDr);
  28         os_free(data->shared_secret);
  29         wpabuf_free(data->i_sign_msg);
  30         wpabuf_free(data->r_sign_msg);
  31         os_free(data->key_pad);
  32 }
  33
  34
  35 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
  36 {
  37         u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
  38         size_t buf_len, pad_len;
  39         struct wpabuf *shared;
  40         const struct ikev2_integ_alg *integ;
  41         const struct ikev2_prf_alg *prf;
  42         const struct ikev2_encr_alg *encr;
  43         int ret;
  44         const u8 *addr[2];
  45         size_t len[2];
  46
  47         /* RFC 4306, Sect. 2.14 */
  48
  49         integ = ikev2_get_integ(data->proposal.integ);
  50         prf = ikev2_get_prf(data->proposal.prf);
  51         encr = ikev2_get_encr(data->proposal.encr);
  52         if (integ == NULL || prf == NULL || encr == NULL) {
  53                 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
  54                 return -1;
  55         }
  56
  57         shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
  58                                   data->dh);
  59         if (shared == NULL)
  60                 return -1;
  61
  62         /* Construct Ni | Nr | SPIi | SPIr */
  63
  64         buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
  65         buf = os_malloc(buf_len);
  66         if (buf == NULL) {
  67                 wpabuf_free(shared);
  68                 return -1;
  69         }
  70
  71         pos = buf;
  72         os_memcpy(pos, data->i_nonce, data->i_nonce_len);
  73         pos += data->i_nonce_len;
  74         os_memcpy(pos, data->r_nonce, data->r_nonce_len);
  75         pos += data->r_nonce_len;
  76         os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
  77         pos += IKEV2_SPI_LEN;
  78         os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
  79
  80         /* SKEYSEED = prf(Ni | Nr, g^ir) */
  81
  82         /* Use zero-padding per RFC 4306, Sect. 2.14 */
  83         pad_len = data->dh->prime_len - wpabuf_len(shared);
  84         pad = os_zalloc(pad_len ? pad_len : 1);
  85         if (pad == NULL) {
  86                 wpabuf_free(shared);
  87                 os_free(buf);
  88                 return -1;
  89         }
  90         addr[0] = pad;
  91         len[0] = pad_len;
  92         addr[1] = wpabuf_head(shared);
  93         len[1] = wpabuf_len(shared);
  94         if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
  95                            2, addr, len, skeyseed) < 0) {
  96                 wpabuf_free(shared);
  97                 os_free(buf);
  98                 os_free(pad);
  99                 return -1;
 100         }
 101         os_free(pad);
 102         wpabuf_free(shared);
 103
 104         /* DH parameters are not needed anymore, so free them */
 105         wpabuf_free(data->r_dh_public);
 106         data->r_dh_public = NULL;
 107         wpabuf_free(data->i_dh_private);
 108         data->i_dh_private = NULL;
 109
 110         wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
 111                         skeyseed, prf->hash_len);
 112
 113         ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
 114                                    &data->keys);
 115         os_free(buf);
 116         return ret;
 117 }
 118
 119
 120 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
 121                                  struct ikev2_proposal_data *prop,
 122                                  const u8 *pos, const u8 *end)
 123 {
 124         int transform_len;
 125         const struct ikev2_transform *t;
 126         u16 transform_id;
 127         const u8 *tend;
 128
 129         if (end - pos < (int) sizeof(*t)) {
 130                 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
 131                 return -1;
 132         }
 133
 134         t = (const struct ikev2_transform *) pos;
 135         transform_len = WPA_GET_BE16(t->transform_length);
 136         if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
 137                 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
 138                            transform_len);
 139                 return -1;
 140         }
 141         tend = pos + transform_len;
 142
 143         transform_id = WPA_GET_BE16(t->transform_id);
 144
 145         wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
 146         wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
 147                    "Transform Type: %d  Transform ID: %d",
 148                    t->type, transform_len, t->transform_type, transform_id);
 149
 150         if (t->type != 0 && t->type != 3) {
 151                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
 152                 return -1;
 153         }
 154
 155         pos = (const u8 *) (t + 1);
 156         if (pos < tend) {
 157                 wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
 158                             pos, tend - pos);
 159         }
 160
 161         switch (t->transform_type) {
 162         case IKEV2_TRANSFORM_ENCR:
 163                 if (ikev2_get_encr(transform_id) &&
 164                     transform_id == data->proposal.encr) {
 165                         if (transform_id == ENCR_AES_CBC) {
 166                                 if (tend - pos != 4) {
 167                                         wpa_printf(MSG_DEBUG, "IKEV2: No "
 168                                                    "Transform Attr for AES");
 169                                         break;
 170                                 }
 171                                 if (WPA_GET_BE16(pos) != 0x800e) {
 172                                         wpa_printf(MSG_DEBUG, "IKEV2: Not a "
 173                                                    "Key Size attribute for "
 174                                                    "AES");
 175                                         break;
 176                                 }
 177                                 if (WPA_GET_BE16(pos + 2) != 128) {
 178                                         wpa_printf(MSG_DEBUG, "IKEV2: "
 179                                                    "Unsupported AES key size "
 180                                                    "%d bits",
 181                                                    WPA_GET_BE16(pos + 2));
 182                                         break;
 183                                 }
 184                         }
 185                         prop->encr = transform_id;
 186                 }
 187                 break;
 188         case IKEV2_TRANSFORM_PRF:
 189                 if (ikev2_get_prf(transform_id) &&
 190                     transform_id == data->proposal.prf)
 191                         prop->prf = transform_id;
 192                 break;
 193         case IKEV2_TRANSFORM_INTEG:
 194                 if (ikev2_get_integ(transform_id) &&
 195                     transform_id == data->proposal.integ)
 196                         prop->integ = transform_id;
 197                 break;
 198         case IKEV2_TRANSFORM_DH:
 199                 if (dh_groups_get(transform_id) &&
 200                     transform_id == data->proposal.dh)
 201                         prop->dh = transform_id;
 202                 break;
 203         }
 204
 205         return transform_len;
 206 }
 207
 208
 209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
 210                                 struct ikev2_proposal_data *prop,
 211                                 const u8 *pos, const u8 *end)
 212 {
 213         const u8 *pend, *ppos;
 214         int proposal_len, i;
 215         const struct ikev2_proposal *p;
 216
 217         if (end - pos < (int) sizeof(*p)) {
 218                 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
 219                 return -1;
 220         }
 221
 222         p = (const struct ikev2_proposal *) pos;
 223         proposal_len = WPA_GET_BE16(p->proposal_length);
 224         if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
 225                 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
 226                            proposal_len);
 227                 return -1;
 228         }
 229         wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
 230                    p->proposal_num);
 231         wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
 232                    " Protocol ID: %d",
 233                    p->type, proposal_len, p->protocol_id);
 234         wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
 235                    p->spi_size, p->num_transforms);
 236
 237         if (p->type != 0 && p->type != 2) {
 238                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
 239                 return -1;
 240         }
 241
 242         if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
 243                 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
 244                            "(only IKE allowed for EAP-IKEv2)");
 245                 return -1;
 246         }
 247
 248         if (p->proposal_num != prop->proposal_num) {
 249                 if (p->proposal_num == prop->proposal_num + 1)
 250                         prop->proposal_num = p->proposal_num;
 251                 else {
 252                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
 253                         return -1;
 254                 }
 255         }
 256
 257         ppos = (const u8 *) (p + 1);
 258         pend = pos + proposal_len;
 259         if (p->spi_size > pend - ppos) {
 260                 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
 261                            "in proposal");
 262                 return -1;
 263         }
 264         if (p->spi_size) {
 265                 wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
 266                             ppos, p->spi_size);
 267                 ppos += p->spi_size;
 268         }
 269
 270         /*
 271          * For initial IKE_SA negotiation, SPI Size MUST be zero; for
 272          * subsequent negotiations, it must be 8 for IKE. We only support
 273          * initial case for now.
 274          */
 275         if (p->spi_size != 0) {
 276                 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
 277                 return -1;
 278         }
 279
 280         if (p->num_transforms == 0) {
 281                 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
 282                 return -1;
 283         }
 284
 285         for (i = 0; i < (int) p->num_transforms; i++) {
 286                 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
 287                 if (tlen < 0)
 288                         return -1;
 289                 ppos += tlen;
 290         }
 291
 292         if (ppos != pend) {
 293                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
 294                            "transforms");
 295                 return -1;
 296         }
 297
 298         return proposal_len;
 299 }
 300
 301
 302 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
 303                               const u8 *sar1, size_t sar1_len)
 304 {
 305         struct ikev2_proposal_data prop;
 306         const u8 *pos, *end;
 307         int found = 0;
 308
 309         /* Security Association Payloads: <Proposals> */
 310
 311         if (sar1 == NULL) {
 312                 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
 313                 return -1;
 314         }
 315
 316         os_memset(&prop, 0, sizeof(prop));
 317         prop.proposal_num = 1;
 318
 319         pos = sar1;
 320         end = sar1 + sar1_len;
 321
 322         while (pos < end) {
 323                 int plen;
 324
 325                 prop.integ = -1;
 326                 prop.prf = -1;
 327                 prop.encr = -1;
 328                 prop.dh = -1;
 329                 plen = ikev2_parse_proposal(data, &prop, pos, end);
 330                 if (plen < 0)
 331                         return -1;
 332
 333                 if (!found && prop.integ != -1 && prop.prf != -1 &&
 334                     prop.encr != -1 && prop.dh != -1) {
 335                         found = 1;
 336                 }
 337
 338                 pos += plen;
 339
 340                 /* Only one proposal expected in SAr */
 341                 break;
 342         }
 343
 344         if (pos != end) {
 345                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
 346                 return -1;
 347         }
 348
 349         if (!found) {
 350                 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
 351                 return -1;
 352         }
 353
 354         wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
 355                    "INTEG:%d D-H:%d", data->proposal.proposal_num,
 356                    data->proposal.encr, data->proposal.prf,
 357                    data->proposal.integ, data->proposal.dh);
 358
 359         return 0;
 360 }
 361
 362
 363 static int ikev2_process_ker(struct ikev2_initiator_data *data,
 364                              const u8 *ker, size_t ker_len)
 365 {
 366         u16 group;
 367
 368         /*
 369          * Key Exchange Payload:
 370          * DH Group # (16 bits)
 371          * RESERVED (16 bits)
 372          * Key Exchange Data (Diffie-Hellman public value)
 373          */
 374
 375         if (ker == NULL) {
 376                 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
 377                 return -1;
 378         }
 379
 380         if (ker_len < 4 + 96) {
 381                 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
 382                 return -1;
 383         }
 384
 385         group = WPA_GET_BE16(ker);
 386         wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
 387
 388         if (group != data->proposal.dh) {
 389                 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
 390                            "with the selected proposal (%u)",
 391                            group, data->proposal.dh);
 392                 return -1;
 393         }
 394
 395         if (data->dh == NULL) {
 396                 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
 397                 return -1;
 398         }
 399
 400         /* RFC 4306, Section 3.4:
 401          * The length of DH public value MUST be equal to the length of the
 402          * prime modulus.
 403          */
 404         if (ker_len - 4 != data->dh->prime_len) {
 405                 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
 406                            "%ld (expected %ld)",
 407                            (long) (ker_len - 4), (long) data->dh->prime_len);
 408                 return -1;
 409         }
 410
 411         wpabuf_free(data->r_dh_public);
 412         data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
 413         if (data->r_dh_public == NULL)
 414                 return -1;
 415
 416         wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
 417                         data->r_dh_public);
 418
 419         return 0;
 420 }
 421
 422
 423 static int ikev2_process_nr(struct ikev2_initiator_data *data,
 424                             const u8 *nr, size_t nr_len)
 425 {
 426         if (nr == NULL) {
 427                 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
 428                 return -1;
 429         }
 430
 431         if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
 432                 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
 433                            (long) nr_len);
 434                 return -1;
 435         }
 436
 437         data->r_nonce_len = nr_len;
 438         os_memcpy(data->r_nonce, nr, nr_len);
 439         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
 440                     data->r_nonce, data->r_nonce_len);
 441
 442         return 0;
 443 }
 444
 445
 446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
 447                                       const struct ikev2_hdr *hdr,
 448                                       const u8 *encrypted,
 449                                       size_t encrypted_len, u8 next_payload)
 450 {
 451         u8 *decrypted;
 452         size_t decrypted_len;
 453         struct ikev2_payloads pl;
 454         int ret = 0;
 455
 456         decrypted = ikev2_decrypt_payload(data->proposal.encr,
 457                                           data->proposal.integ, &data->keys, 0,
 458                                           hdr, encrypted, encrypted_len,
 459                                           &decrypted_len);
 460         if (decrypted == NULL)
 461                 return -1;
 462
 463         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
 464
 465         if (ikev2_parse_payloads(&pl, next_payload, decrypted,
 466                                  decrypted + decrypted_len) < 0) {
 467                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
 468                            "payloads");
 469                 return -1;
 470         }
 471
 472         if (pl.idr)
 473                 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
 474
 475         os_free(decrypted);
 476
 477         return ret;
 478 }
 479
 480
 481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
 482                                  const struct ikev2_hdr *hdr,
 483                                  struct ikev2_payloads *pl)
 484 {
 485         if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
 486             ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
 487             ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
 488                 return -1;
 489
 490         os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
 491
 492         if (ikev2_derive_keys(data) < 0)
 493                 return -1;
 494
 495         if (pl->encrypted) {
 496                 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
 497                            "try to get IDr from it");
 498                 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
 499                                                pl->encrypted_len,
 500                                                pl->encr_next_payload) < 0) {
 501                         wpa_printf(MSG_INFO, "IKEV2: Failed to process "
 502                                    "encrypted payload");
 503                         return -1;
 504                 }
 505         }
 506
 507         data->state = SA_AUTH;
 508
 509         return 0;
 510 }
 511
 512
 513 static int ikev2_process_idr(struct ikev2_initiator_data *data,
 514                              const u8 *idr, size_t idr_len)
 515 {
 516         u8 id_type;
 517
 518         if (idr == NULL) {
 519                 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
 520                 return -1;
 521         }
 522
 523         if (idr_len < 4) {
 524                 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
 525                 return -1;
 526         }
 527
 528         id_type = idr[0];
 529         idr += 4;
 530         idr_len -= 4;
 531
 532         wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
 533         wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
 534         if (data->IDr) {
 535                 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
 536                     os_memcmp(idr, data->IDr, idr_len) != 0) {
 537                         wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
 538                                    "received earlier");
 539                         wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
 540                                    id_type);
 541                         wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
 542                                           data->IDr, data->IDr_len);
 543                         return -1;
 544                 }
 545                 os_free(data->IDr);
 546         }
 547         data->IDr = os_memdup(idr, idr_len);
 548         if (data->IDr == NULL)
 549                 return -1;
 550         data->IDr_len = idr_len;
 551         data->IDr_type = id_type;
 552
 553         return 0;
 554 }
 555
 556
 557 static int ikev2_process_cert(struct ikev2_initiator_data *data,
 558                               const u8 *cert, size_t cert_len)
 559 {
 560         u8 cert_encoding;
 561
 562         if (cert == NULL) {
 563                 if (data->peer_auth == PEER_AUTH_CERT) {
 564                         wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
 565                         return -1;
 566                 }
 567                 return 0;
 568         }
 569
 570         if (cert_len < 1) {
 571                 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
 572                 return -1;
 573         }
 574
 575         cert_encoding = cert[0];
 576         cert++;
 577         cert_len--;
 578
 579         wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
 580         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
 581
 582         /* TODO: validate certificate */
 583
 584         return 0;
 585 }
 586
 587
 588 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
 589                                    u8 method, const u8 *auth, size_t auth_len)
 590 {
 591         if (method != AUTH_RSA_SIGN) {
 592                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
 593                            "method %d", method);
 594                 return -1;
 595         }
 596
 597         /* TODO: validate AUTH */
 598         return 0;
 599 }
 600
 601
 602 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
 603                                      u8 method, const u8 *auth,
 604                                      size_t auth_len)
 605 {
 606         u8 auth_data[IKEV2_MAX_HASH_LEN];
 607         const struct ikev2_prf_alg *prf;
 608
 609         if (method != AUTH_SHARED_KEY_MIC) {
 610                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
 611                            "method %d", method);
 612                 return -1;
 613         }
 614
 615         /* msg | Ni | prf(SK_pr,IDr') */
 616         if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
 617                                    data->IDr, data->IDr_len, data->IDr_type,
 618                                    &data->keys, 0, data->shared_secret,
 619                                    data->shared_secret_len,
 620                                    data->i_nonce, data->i_nonce_len,
 621                                    data->key_pad, data->key_pad_len,
 622                                    auth_data) < 0) {
 623                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
 624                 return -1;
 625         }
 626
 627         wpabuf_free(data->r_sign_msg);
 628         data->r_sign_msg = NULL;
 629
 630         prf = ikev2_get_prf(data->proposal.prf);
 631         if (prf == NULL)
 632                 return -1;
 633
 634         if (auth_len != prf->hash_len ||
 635             os_memcmp_const(auth, auth_data, auth_len) != 0) {
 636                 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
 637                 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
 638                             auth, auth_len);
 639                 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
 640                             auth_data, prf->hash_len);
 641                 return -1;
 642         }
 643
 644         wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
 645                    "using shared keys");
 646
 647         return 0;
 648 }
 649
 650
 651 static int ikev2_process_auth(struct ikev2_initiator_data *data,
 652                               const u8 *auth, size_t auth_len)
 653 {
 654         u8 auth_method;
 655
 656         if (auth == NULL) {
 657                 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
 658                 return -1;
 659         }
 660
 661         if (auth_len < 4) {
 662                 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
 663                            "Payload");
 664                 return -1;
 665         }
 666
 667         auth_method = auth[0];
 668         auth += 4;
 669         auth_len -= 4;
 670
 671         wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
 672         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
 673
 674         switch (data->peer_auth) {
 675         case PEER_AUTH_CERT:
 676                 return ikev2_process_auth_cert(data, auth_method, auth,
 677                                                auth_len);
 678         case PEER_AUTH_SECRET:
 679                 return ikev2_process_auth_secret(data, auth_method, auth,
 680                                                  auth_len);
 681         }
 682
 683         return -1;
 684 }
 685
 686
 687 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
 688                                            u8 next_payload,
 689                                            u8 *payload, size_t payload_len)
 690 {
 691         struct ikev2_payloads pl;
 692
 693         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
 694
 695         if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
 696                                  payload_len) < 0) {
 697                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
 698                            "payloads");
 699                 return -1;
 700         }
 701
 702         if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
 703             ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
 704             ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
 705                 return -1;
 706
 707         return 0;
 708 }
 709
 710
 711 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
 712                                  const struct ikev2_hdr *hdr,
 713                                  struct ikev2_payloads *pl)
 714 {
 715         u8 *decrypted;
 716         size_t decrypted_len;
 717         int ret;
 718
 719         decrypted = ikev2_decrypt_payload(data->proposal.encr,
 720                                           data->proposal.integ,
 721                                           &data->keys, 0, hdr, pl->encrypted,
 722                                           pl->encrypted_len, &decrypted_len);
 723         if (decrypted == NULL)
 724                 return -1;
 725
 726         ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
 727                                               decrypted, decrypted_len);
 728         os_free(decrypted);
 729
 730         if (ret == 0 && !data->unknown_user) {
 731                 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
 732                 data->state = IKEV2_DONE;
 733         }
 734
 735         return ret;
 736 }
 737
 738
 739 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
 740                                    u8 exchange_type, u32 message_id)
 741 {
 742         switch (data->state) {
 743         case SA_INIT:
 744                 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
 745                  * [SK{IDr}] */
 746                 if (exchange_type != IKE_SA_INIT) {
 747                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 748                                    "%u in SA_INIT state", exchange_type);
 749                         return -1;
 750                 }
 751                 if (message_id != 0) {
 752                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 753                                    "in SA_INIT state", message_id);
 754                         return -1;
 755                 }
 756                 break;
 757         case SA_AUTH:
 758                 /* Expect to receive IKE_SA_AUTH:
 759                  * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
 760                  */
 761                 if (exchange_type != IKE_SA_AUTH) {
 762                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 763                                    "%u in SA_AUTH state", exchange_type);
 764                         return -1;
 765                 }
 766                 if (message_id != 1) {
 767                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 768                                    "in SA_AUTH state", message_id);
 769                         return -1;
 770                 }
 771                 break;
 772         case CHILD_SA:
 773                 if (exchange_type != CREATE_CHILD_SA) {
 774                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
 775                                    "%u in CHILD_SA state", exchange_type);
 776                         return -1;
 777                 }
 778                 if (message_id != 2) {
 779                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
 780                                    "in CHILD_SA state", message_id);
 781                         return -1;
 782                 }
 783                 break;
 784         case IKEV2_DONE:
 785                 return -1;
 786         }
 787
 788         return 0;
 789 }
 790
 791
 792 int ikev2_initiator_process(struct ikev2_initiator_data *data,
 793                             const struct wpabuf *buf)
 794 {
 795         const struct ikev2_hdr *hdr;
 796         u32 length, message_id;
 797         const u8 *pos, *end;
 798         struct ikev2_payloads pl;
 799
 800         wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
 801                    (unsigned long) wpabuf_len(buf));
 802
 803         if (wpabuf_len(buf) < sizeof(*hdr)) {
 804                 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
 805                 return -1;
 806         }
 807
 808         hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
 809         end = wpabuf_head_u8(buf) + wpabuf_len(buf);
 810         message_id = WPA_GET_BE32(hdr->message_id);
 811         length = WPA_GET_BE32(hdr->length);
 812
 813         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
 814                     hdr->i_spi, IKEV2_SPI_LEN);
 815         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
 816                     hdr->r_spi, IKEV2_SPI_LEN);
 817         wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
 818                    "Exchange Type: %u",
 819                    hdr->next_payload, hdr->version, hdr->exchange_type);
 820         wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
 821                    message_id, length);
 822
 823         if (hdr->version != IKEV2_VERSION) {
 824                 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
 825                            "(expected 0x%x)", hdr->version, IKEV2_VERSION);
 826                 return -1;
 827         }
 828
 829         if (length != wpabuf_len(buf)) {
 830                 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
 831                            "RX: %lu)", (unsigned long) length,
 832                            (unsigned long) wpabuf_len(buf));
 833                 return -1;
 834         }
 835
 836         if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
 837                 return -1;
 838
 839         if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
 840             IKEV2_HDR_RESPONSE) {
 841                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
 842                            hdr->flags);
 843                 return -1;
 844         }
 845
 846         if (data->state != SA_INIT) {
 847                 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
 848                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
 849                                    "Initiator's SPI");
 850                         return -1;
 851                 }
 852                 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
 853                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
 854                                    "Responder's SPI");
 855                         return -1;
 856                 }
 857         }
 858
 859         pos = (const u8 *) (hdr + 1);
 860         if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
 861                 return -1;
 862
 863         switch (data->state) {
 864         case SA_INIT:
 865                 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
 866                         return -1;
 867                 wpabuf_free(data->r_sign_msg);
 868                 data->r_sign_msg = wpabuf_dup(buf);
 869                 break;
 870         case SA_AUTH:
 871                 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
 872                         return -1;
 873                 break;
 874         case CHILD_SA:
 875         case IKEV2_DONE:
 876                 break;
 877         }
 878
 879         return 0;
 880 }
 881
 882
 883 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
 884                             struct wpabuf *msg, u8 exchange_type,
 885                             u8 next_payload, u32 message_id)
 886 {
 887         struct ikev2_hdr *hdr;
 888
 889         wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
 890
 891         /* HDR - RFC 4306, Sect. 3.1 */
 892         hdr = wpabuf_put(msg, sizeof(*hdr));
 893         os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
 894         os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
 895         hdr->next_payload = next_payload;
 896         hdr->version = IKEV2_VERSION;
 897         hdr->exchange_type = exchange_type;
 898         hdr->flags = IKEV2_HDR_INITIATOR;
 899         WPA_PUT_BE32(hdr->message_id, message_id);
 900 }
 901
 902
 903 static int ikev2_build_sai(struct ikev2_initiator_data *data,
 904                             struct wpabuf *msg, u8 next_payload)
 905 {
 906         struct ikev2_payload_hdr *phdr;
 907         size_t plen;
 908         struct ikev2_proposal *p;
 909         struct ikev2_transform *t;
 910
 911         wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
 912
 913         /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
 914         phdr = wpabuf_put(msg, sizeof(*phdr));
 915         phdr->next_payload = next_payload;
 916         phdr->flags = 0;
 917
 918         /* TODO: support for multiple proposals */
 919         p = wpabuf_put(msg, sizeof(*p));
 920         p->proposal_num = data->proposal.proposal_num;
 921         p->protocol_id = IKEV2_PROTOCOL_IKE;
 922         p->num_transforms = 4;
 923
 924         t = wpabuf_put(msg, sizeof(*t));
 925         t->type = 3;
 926         t->transform_type = IKEV2_TRANSFORM_ENCR;
 927         WPA_PUT_BE16(t->transform_id, data->proposal.encr);
 928         if (data->proposal.encr == ENCR_AES_CBC) {
 929                 /* Transform Attribute: Key Len = 128 bits */
 930                 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
 931                 wpabuf_put_be16(msg, 128); /* 128-bit key */
 932         }
 933         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
 934         WPA_PUT_BE16(t->transform_length, plen);
 935
 936         t = wpabuf_put(msg, sizeof(*t));
 937         t->type = 3;
 938         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 939         t->transform_type = IKEV2_TRANSFORM_PRF;
 940         WPA_PUT_BE16(t->transform_id, data->proposal.prf);
 941
 942         t = wpabuf_put(msg, sizeof(*t));
 943         t->type = 3;
 944         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 945         t->transform_type = IKEV2_TRANSFORM_INTEG;
 946         WPA_PUT_BE16(t->transform_id, data->proposal.integ);
 947
 948         t = wpabuf_put(msg, sizeof(*t));
 949         WPA_PUT_BE16(t->transform_length, sizeof(*t));
 950         t->transform_type = IKEV2_TRANSFORM_DH;
 951         WPA_PUT_BE16(t->transform_id, data->proposal.dh);
 952
 953         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
 954         WPA_PUT_BE16(p->proposal_length, plen);
 955
 956         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
 957         WPA_PUT_BE16(phdr->payload_length, plen);
 958
 959         return 0;
 960 }
 961
 962
 963 static int ikev2_build_kei(struct ikev2_initiator_data *data,
 964                            struct wpabuf *msg, u8 next_payload)
 965 {
 966         struct ikev2_payload_hdr *phdr;
 967         size_t plen;
 968         struct wpabuf *pv;
 969
 970         wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
 971
 972         data->dh = dh_groups_get(data->proposal.dh);
 973         pv = dh_init(data->dh, &data->i_dh_private);
 974         if (pv == NULL) {
 975                 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
 976                 return -1;
 977         }
 978
 979         /* KEi - RFC 4306, Sect. 3.4 */
 980         phdr = wpabuf_put(msg, sizeof(*phdr));
 981         phdr->next_payload = next_payload;
 982         phdr->flags = 0;
 983
 984         wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
 985         wpabuf_put(msg, 2); /* RESERVED */
 986         /*
 987          * RFC 4306, Sect. 3.4: possible zero padding for public value to
 988          * match the length of the prime.
 989          */
 990         wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
 991         wpabuf_put_buf(msg, pv);
 992         wpabuf_free(pv);
 993
 994         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
 995         WPA_PUT_BE16(phdr->payload_length, plen);
 996         return 0;
 997 }
 998
 999
1000 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1001                           struct wpabuf *msg, u8 next_payload)
1002 {
1003         struct ikev2_payload_hdr *phdr;
1004         size_t plen;
1005
1006         wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1007
1008         /* Ni - RFC 4306, Sect. 3.9 */
1009         phdr = wpabuf_put(msg, sizeof(*phdr));
1010         phdr->next_payload = next_payload;
1011         phdr->flags = 0;
1012         wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1013         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1014         WPA_PUT_BE16(phdr->payload_length, plen);
1015         return 0;
1016 }
1017
1018
1019 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1020                            struct wpabuf *msg, u8 next_payload)
1021 {
1022         struct ikev2_payload_hdr *phdr;
1023         size_t plen;
1024
1025         wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1026
1027         if (data->IDi == NULL) {
1028                 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1029                 return -1;
1030         }
1031
1032         /* IDi - RFC 4306, Sect. 3.5 */
1033         phdr = wpabuf_put(msg, sizeof(*phdr));
1034         phdr->next_payload = next_payload;
1035         phdr->flags = 0;
1036         wpabuf_put_u8(msg, ID_KEY_ID);
1037         wpabuf_put(msg, 3); /* RESERVED */
1038         wpabuf_put_data(msg, data->IDi, data->IDi_len);
1039         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1040         WPA_PUT_BE16(phdr->payload_length, plen);
1041         return 0;
1042 }
1043
1044
1045 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1046                             struct wpabuf *msg, u8 next_payload)
1047 {
1048         struct ikev2_payload_hdr *phdr;
1049         size_t plen;
1050         const struct ikev2_prf_alg *prf;
1051
1052         wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1053
1054         prf = ikev2_get_prf(data->proposal.prf);
1055         if (prf == NULL)
1056                 return -1;
1057
1058         /* Authentication - RFC 4306, Sect. 3.8 */
1059         phdr = wpabuf_put(msg, sizeof(*phdr));
1060         phdr->next_payload = next_payload;
1061         phdr->flags = 0;
1062         wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1063         wpabuf_put(msg, 3); /* RESERVED */
1064
1065         /* msg | Nr | prf(SK_pi,IDi') */
1066         if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1067                                    data->IDi, data->IDi_len, ID_KEY_ID,
1068                                    &data->keys, 1, data->shared_secret,
1069                                    data->shared_secret_len,
1070                                    data->r_nonce, data->r_nonce_len,
1071                                    data->key_pad, data->key_pad_len,
1072                                    wpabuf_put(msg, prf->hash_len)) < 0) {
1073                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1074                 return -1;
1075         }
1076         wpabuf_free(data->i_sign_msg);
1077         data->i_sign_msg = NULL;
1078
1079         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1080         WPA_PUT_BE16(phdr->payload_length, plen);
1081         return 0;
1082 }
1083
1084
1085 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1086 {
1087         struct wpabuf *msg;
1088
1089         /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1090
1091         if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1092                 return NULL;
1093         wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1094                     data->i_spi, IKEV2_SPI_LEN);
1095
1096         data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1097         if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1098                 return NULL;
1099         wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1100
1101         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1102         if (msg == NULL)
1103                 return NULL;
1104
1105         ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1106         if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1107             ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1108             ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1109                 wpabuf_free(msg);
1110                 return NULL;
1111         }
1112
1113         ikev2_update_hdr(msg);
1114
1115         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1116
1117         wpabuf_free(data->i_sign_msg);
1118         data->i_sign_msg = wpabuf_dup(msg);
1119
1120         return msg;
1121 }
1122
1123
1124 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1125 {
1126         struct wpabuf *msg, *plain;
1127         const u8 *secret;
1128         size_t secret_len;
1129
1130         secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1131                                          data->IDr_len, &secret_len);
1132         if (secret == NULL) {
1133                 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1134                            "use fake value");
1135                 /* RFC 5106, Sect. 7:
1136                  * Use a random key to fake AUTH generation in order to prevent
1137                  * probing of user identities.
1138                  */
1139                 data->unknown_user = 1;
1140                 os_free(data->shared_secret);
1141                 data->shared_secret = os_malloc(16);
1142                 if (data->shared_secret == NULL)
1143                         return NULL;
1144                 data->shared_secret_len = 16;
1145                 if (random_get_bytes(data->shared_secret, 16))
1146                         return NULL;
1147         } else {
1148                 os_free(data->shared_secret);
1149                 data->shared_secret = os_memdup(secret, secret_len);
1150                 if (data->shared_secret == NULL)
1151                         return NULL;
1152                 data->shared_secret_len = secret_len;
1153         }
1154
1155         /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1156
1157         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1158         if (msg == NULL)
1159                 return NULL;
1160         ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1161
1162         plain = wpabuf_alloc(data->IDr_len + 1000);
1163         if (plain == NULL) {
1164                 wpabuf_free(msg);
1165                 return NULL;
1166         }
1167
1168         if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1169             ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1170             ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1171                                   &data->keys, 1, msg, plain,
1172                                   IKEV2_PAYLOAD_IDi)) {
1173                 wpabuf_free(plain);
1174                 wpabuf_free(msg);
1175                 return NULL;
1176         }
1177         wpabuf_free(plain);
1178
1179         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1180
1181         return msg;
1182 }
1183
1184
1185 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1186 {
1187         switch (data->state) {
1188         case SA_INIT:
1189                 return ikev2_build_sa_init(data);
1190         case SA_AUTH:
1191                 return ikev2_build_sa_auth(data);
1192         case CHILD_SA:
1193                 return NULL;
1194         case IKEV2_DONE:
1195                 return NULL;
1196         }
1197         return NULL;
1198 }