Lines Matching full:data
17 void ikev2_responder_deinit(struct ikev2_responder_data *data)
19 ikev2_free_keys(&data->keys);
20 wpabuf_free(data->i_dh_public);
21 wpabuf_free(data->r_dh_private);
22 os_free(data->IDi);
23 os_free(data->IDr);
24 os_free(data->shared_secret);
25 wpabuf_free(data->i_sign_msg);
26 wpabuf_free(data->r_sign_msg);
27 os_free(data->key_pad);
31 static int ikev2_derive_keys(struct ikev2_responder_data *data)
45 integ = ikev2_get_integ(data->proposal.integ);
46 prf = ikev2_get_prf(data->proposal.prf);
47 encr = ikev2_get_encr(data->proposal.encr);
53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
54 data->dh);
60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
68 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 pos += data->i_nonce_len;
70 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 pos += data->r_nonce_len;
72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
82 *tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
84 *tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
91 pad_len = data->dh->prime_len - wpabuf_len(shared);
107 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
118 wpabuf_free(data->i_dh_public);
119 data->i_dh_public = NULL;
120 wpabuf_free(data->r_dh_private);
121 data->r_dh_private = NULL;
127 &data->keys);
311 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
320 static int ikev2_process_sai1(struct ikev2_responder_data *data,
353 os_memcpy(&data->proposal, &prop, sizeof(prop));
354 data->dh = dh_groups_get(prop.dh);
362 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
372 "INTEG:%d D-H:%d", data->proposal.proposal_num,
373 data->proposal.encr, data->proposal.prf,
374 data->proposal.integ, data->proposal.dh);
380 static int ikev2_process_kei(struct ikev2_responder_data *data,
389 * Key Exchange Data (Diffie-Hellman public value)
405 if (group != data->proposal.dh) {
408 group, data->proposal.dh);
411 data->error_type = INVALID_KE_PAYLOAD;
412 data->state = NOTIFY;
416 if (data->dh == NULL) {
425 if (kei_len - 4 != data->dh->prime_len) {
428 (long) (kei_len - 4), (long) data->dh->prime_len);
432 wpabuf_free(data->i_dh_public);
433 data->i_dh_public = wpabuf_alloc(kei_len - 4);
434 if (data->i_dh_public == NULL)
436 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
439 data->i_dh_public);
445 static int ikev2_process_ni(struct ikev2_responder_data *data,
467 data->i_nonce_len = ni_len;
468 os_memcpy(data->i_nonce, ni, ni_len);
470 data->i_nonce, data->i_nonce_len);
476 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
480 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
481 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
482 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
485 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
491 static int ikev2_process_idi(struct ikev2_responder_data *data,
512 os_free(data->IDi);
513 data->IDi = os_malloc(idi_len);
514 if (data->IDi == NULL)
516 os_memcpy(data->IDi, idi, idi_len);
517 data->IDi_len = idi_len;
518 data->IDi_type = id_type;
524 static int ikev2_process_cert(struct ikev2_responder_data *data,
530 if (data->peer_auth == PEER_AUTH_CERT) {
547 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
555 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
569 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
583 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
584 data->IDi, data->IDi_len, data->IDi_type,
585 &data->keys, 1, data->shared_secret,
586 data->shared_secret_len,
587 data->r_nonce, data->r_nonce_len,
588 data->key_pad, data->key_pad_len,
590 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
594 wpabuf_free(data->i_sign_msg);
595 data->i_sign_msg = NULL;
597 prf = ikev2_get_prf(data->proposal.prf);
603 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
604 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
606 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
608 data->error_type = AUTHENTICATION_FAILED;
609 data->state = NOTIFY;
620 static int ikev2_process_auth(struct ikev2_responder_data *data,
641 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
643 switch (data->peer_auth) {
645 return ikev2_process_auth_cert(data, auth_method, auth,
648 return ikev2_process_auth_secret(data, auth_method, auth,
656 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
671 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
672 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
673 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
680 data,
688 decrypted = ikev2_decrypt_payload(data->proposal.encr,
689 data->proposal.integ,
690 &data->keys, 1, hdr, pl->encrypted,
695 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
703 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
706 switch (data->state) {
758 int ikev2_responder_process(struct ikev2_responder_data *data,
774 data->error_type = 0;
803 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
813 if (data->state != SA_INIT) {
814 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
819 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
830 if (data->state == SA_INIT) {
831 data->last_msg = LAST_MSG_SA_INIT;
832 if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
833 if (data->state == NOTIFY)
837 wpabuf_free(data->i_sign_msg);
838 data->i_sign_msg = wpabuf_dup(buf);
841 if (data->state == SA_AUTH) {
842 data->last_msg = LAST_MSG_SA_AUTH;
843 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
844 if (data->state == NOTIFY)
854 static void ikev2_build_hdr(struct ikev2_responder_data *data,
864 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
865 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
874 static int ikev2_build_sar1(struct ikev2_responder_data *data,
898 p->proposal_num = data->proposal.proposal_num;
906 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
907 if (data->proposal.encr == ENCR_AES_CBC) {
923 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
929 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
934 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
946 static int ikev2_build_ker(struct ikev2_responder_data *data,
955 pv = dh_init(data->dh, &data->r_dh_private);
966 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
972 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
982 static int ikev2_build_nr(struct ikev2_responder_data *data,
994 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
1001 static int ikev2_build_idr(struct ikev2_responder_data *data,
1009 if (data->IDr == NULL) {
1020 wpabuf_put_data(msg, data->IDr, data->IDr_len);
1027 static int ikev2_build_auth(struct ikev2_responder_data *data,
1036 prf = ikev2_get_prf(data->proposal.prf);
1048 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1049 data->IDr, data->IDr_len, ID_KEY_ID,
1050 &data->keys, 0, data->shared_secret,
1051 data->shared_secret_len,
1052 data->i_nonce, data->i_nonce_len,
1053 data->key_pad, data->key_pad_len,
1055 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1058 wpabuf_free(data->r_sign_msg);
1059 data->r_sign_msg = NULL;
1067 static int ikev2_build_notification(struct ikev2_responder_data *data,
1075 if (data->error_type == 0) {
1091 wpabuf_put_be16(msg, data->error_type);
1093 switch (data->error_type) {
1095 if (data->proposal.dh == -1) {
1100 wpabuf_put_be16(msg, data->proposal.dh);
1102 "DH Group #%d", data->proposal.dh);
1105 /* no associated data */
1109 "%d", data->error_type);
1119 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1125 if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1128 data->r_spi, IKEV2_SPI_LEN);
1130 data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1131 if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1137 if (data->r_nonce[0] == 0)
1138 data->r_nonce[0] = 1;
1140 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1142 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1146 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1147 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1148 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1149 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1156 if (ikev2_derive_keys(data)) {
1161 if (data->peer_auth == PEER_AUTH_CERT) {
1166 if (data->peer_auth == PEER_AUTH_SECRET) {
1167 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1172 if (ikev2_build_idr(data, plain,
1174 ikev2_build_encrypted(data->proposal.encr,
1175 data->proposal.integ,
1176 &data->keys, 0, msg, plain,
1189 data->state = SA_AUTH;
1191 wpabuf_free(data->r_sign_msg);
1192 data->r_sign_msg = wpabuf_dup(msg);
1198 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1204 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1207 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1209 plain = wpabuf_alloc(data->IDr_len + 1000);
1215 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1216 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1217 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1218 &data->keys, 0, msg, plain,
1228 data->state = IKEV2_DONE;
1234 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1241 if (data->last_msg == LAST_MSG_SA_AUTH) {
1248 ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1250 if (ikev2_build_notification(data, plain,
1252 ikev2_build_encrypted(data->proposal.encr,
1253 data->proposal.integ,
1254 &data->keys, 0, msg, plain,
1260 data->state = IKEV2_FAILED;
1263 ikev2_build_hdr(data, msg, IKE_SA_INIT,
1265 if (ikev2_build_notification(data, msg,
1270 data->state = SA_INIT;
1282 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1284 switch (data->state) {
1286 return ikev2_build_sa_init(data);
1288 return ikev2_build_sa_auth(data);
1292 return ikev2_build_notify(data);