1 /* 2 * EAP-IKEv2 server (RFC 5106) 3 * Copyright (c) 2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "eap_i.h" 13 #include "eap_common/eap_ikev2_common.h" 14 #include "ikev2.h" 15 16 17 struct eap_ikev2_data { 18 struct ikev2_initiator_data ikev2; 19 enum { MSG, FRAG_ACK, WAIT_FRAG_ACK, DONE, FAIL } state; 20 struct wpabuf *in_buf; 21 struct wpabuf *out_buf; 22 size_t out_used; 23 size_t fragment_size; 24 int keys_ready; 25 u8 keymat[EAP_MSK_LEN + EAP_EMSK_LEN]; 26 int keymat_ok; 27 }; 28 29 30 static const u8 * eap_ikev2_get_shared_secret(void *ctx, const u8 *IDr, 31 size_t IDr_len, 32 size_t *secret_len) 33 { 34 struct eap_sm *sm = ctx; 35 36 if (IDr == NULL) { 37 wpa_printf(MSG_DEBUG, "EAP-IKEV2: No IDr received - default " 38 "to user identity from EAP-Identity"); 39 IDr = sm->identity; 40 IDr_len = sm->identity_len; 41 } 42 43 if (eap_user_get(sm, IDr, IDr_len, 0) < 0 || sm->user == NULL || 44 sm->user->password == NULL) { 45 wpa_printf(MSG_DEBUG, "EAP-IKEV2: No user entry found"); 46 return NULL; 47 } 48 49 *secret_len = sm->user->password_len; 50 return sm->user->password; 51 } 52 53 54 static const char * eap_ikev2_state_txt(int state) 55 { 56 switch (state) { 57 case MSG: 58 return "MSG"; 59 case FRAG_ACK: 60 return "FRAG_ACK"; 61 case WAIT_FRAG_ACK: 62 return "WAIT_FRAG_ACK"; 63 case DONE: 64 return "DONE"; 65 case FAIL: 66 return "FAIL"; 67 default: 68 return "?"; 69 } 70 } 71 72 73 static void eap_ikev2_state(struct eap_ikev2_data *data, int state) 74 { 75 wpa_printf(MSG_DEBUG, "EAP-IKEV2: %s -> %s", 76 eap_ikev2_state_txt(data->state), 77 eap_ikev2_state_txt(state)); 78 data->state = state; 79 } 80 81 82 static void * eap_ikev2_init(struct eap_sm *sm) 83 { 84 struct eap_ikev2_data *data; 85 86 data = os_zalloc(sizeof(*data)); 87 if (data == NULL) 88 return NULL; 89 data->state = MSG; 90 data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size : 91 IKEV2_FRAGMENT_SIZE; 92 data->ikev2.state = SA_INIT; 93 data->ikev2.peer_auth = PEER_AUTH_SECRET; 94 data->ikev2.key_pad = (u8 *) os_strdup("Key Pad for EAP-IKEv2"); 95 if (data->ikev2.key_pad == NULL) 96 goto failed; 97 data->ikev2.key_pad_len = 21; 98 99 /* TODO: make proposals configurable */ 100 data->ikev2.proposal.proposal_num = 1; 101 data->ikev2.proposal.integ = AUTH_HMAC_SHA1_96; 102 data->ikev2.proposal.prf = PRF_HMAC_SHA1; 103 data->ikev2.proposal.encr = ENCR_AES_CBC; 104 data->ikev2.proposal.dh = DH_GROUP2_1024BIT_MODP; 105 106 data->ikev2.IDi = (u8 *) os_strdup("hostapd"); 107 data->ikev2.IDi_len = 7; 108 109 data->ikev2.get_shared_secret = eap_ikev2_get_shared_secret; 110 data->ikev2.cb_ctx = sm; 111 112 return data; 113 114 failed: 115 ikev2_initiator_deinit(&data->ikev2); 116 os_free(data); 117 return NULL; 118 } 119 120 121 static void eap_ikev2_reset(struct eap_sm *sm, void *priv) 122 { 123 struct eap_ikev2_data *data = priv; 124 wpabuf_free(data->in_buf); 125 wpabuf_free(data->out_buf); 126 ikev2_initiator_deinit(&data->ikev2); 127 os_free(data); 128 } 129 130 131 static struct wpabuf * eap_ikev2_build_msg(struct eap_ikev2_data *data, u8 id) 132 { 133 struct wpabuf *req; 134 u8 flags; 135 size_t send_len, plen, icv_len = 0; 136 137 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Generating Request"); 138 139 flags = 0; 140 send_len = wpabuf_len(data->out_buf) - data->out_used; 141 if (1 + send_len > data->fragment_size) { 142 send_len = data->fragment_size - 1; 143 flags |= IKEV2_FLAGS_MORE_FRAGMENTS; 144 if (data->out_used == 0) { 145 flags |= IKEV2_FLAGS_LENGTH_INCLUDED; 146 send_len -= 4; 147 } 148 } 149 150 plen = 1 + send_len; 151 if (flags & IKEV2_FLAGS_LENGTH_INCLUDED) 152 plen += 4; 153 if (data->keys_ready) { 154 const struct ikev2_integ_alg *integ; 155 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Add Integrity Checksum " 156 "Data"); 157 flags |= IKEV2_FLAGS_ICV_INCLUDED; 158 integ = ikev2_get_integ(data->ikev2.proposal.integ); 159 if (integ == NULL) { 160 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Unknown INTEG " 161 "transform / cannot generate ICV"); 162 return NULL; 163 } 164 icv_len = integ->hash_len; 165 166 plen += icv_len; 167 } 168 req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_IKEV2, plen, 169 EAP_CODE_REQUEST, id); 170 if (req == NULL) 171 return NULL; 172 173 wpabuf_put_u8(req, flags); /* Flags */ 174 if (flags & IKEV2_FLAGS_LENGTH_INCLUDED) 175 wpabuf_put_be32(req, wpabuf_len(data->out_buf)); 176 177 wpabuf_put_data(req, wpabuf_head_u8(data->out_buf) + data->out_used, 178 send_len); 179 data->out_used += send_len; 180 181 if (flags & IKEV2_FLAGS_ICV_INCLUDED) { 182 const u8 *msg = wpabuf_head(req); 183 size_t len = wpabuf_len(req); 184 ikev2_integ_hash(data->ikev2.proposal.integ, 185 data->ikev2.keys.SK_ai, 186 data->ikev2.keys.SK_integ_len, 187 msg, len, wpabuf_put(req, icv_len)); 188 } 189 190 if (data->out_used == wpabuf_len(data->out_buf)) { 191 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Sending out %lu bytes " 192 "(message sent completely)", 193 (unsigned long) send_len); 194 wpabuf_free(data->out_buf); 195 data->out_buf = NULL; 196 data->out_used = 0; 197 } else { 198 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Sending out %lu bytes " 199 "(%lu more to send)", (unsigned long) send_len, 200 (unsigned long) wpabuf_len(data->out_buf) - 201 data->out_used); 202 eap_ikev2_state(data, WAIT_FRAG_ACK); 203 } 204 205 return req; 206 } 207 208 209 static struct wpabuf * eap_ikev2_buildReq(struct eap_sm *sm, void *priv, u8 id) 210 { 211 struct eap_ikev2_data *data = priv; 212 213 switch (data->state) { 214 case MSG: 215 if (data->out_buf == NULL) { 216 data->out_buf = ikev2_initiator_build(&data->ikev2); 217 if (data->out_buf == NULL) { 218 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Failed to " 219 "generate IKEv2 message"); 220 return NULL; 221 } 222 data->out_used = 0; 223 } 224 /* pass through */ 225 case WAIT_FRAG_ACK: 226 return eap_ikev2_build_msg(data, id); 227 case FRAG_ACK: 228 return eap_ikev2_build_frag_ack(id, EAP_CODE_REQUEST); 229 default: 230 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Unexpected state %d in " 231 "buildReq", data->state); 232 return NULL; 233 } 234 } 235 236 237 static Boolean eap_ikev2_check(struct eap_sm *sm, void *priv, 238 struct wpabuf *respData) 239 { 240 const u8 *pos; 241 size_t len; 242 243 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_IKEV2, respData, 244 &len); 245 if (pos == NULL) { 246 wpa_printf(MSG_INFO, "EAP-IKEV2: Invalid frame"); 247 return TRUE; 248 } 249 250 return FALSE; 251 } 252 253 254 static int eap_ikev2_process_icv(struct eap_ikev2_data *data, 255 const struct wpabuf *respData, 256 u8 flags, const u8 *pos, const u8 **end) 257 { 258 if (flags & IKEV2_FLAGS_ICV_INCLUDED) { 259 int icv_len = eap_ikev2_validate_icv( 260 data->ikev2.proposal.integ, &data->ikev2.keys, 0, 261 respData, pos, *end); 262 if (icv_len < 0) 263 return -1; 264 /* Hide Integrity Checksum Data from further processing */ 265 *end -= icv_len; 266 } else if (data->keys_ready) { 267 wpa_printf(MSG_INFO, "EAP-IKEV2: The message should have " 268 "included integrity checksum"); 269 return -1; 270 } 271 272 return 0; 273 } 274 275 276 static int eap_ikev2_process_cont(struct eap_ikev2_data *data, 277 const u8 *buf, size_t len) 278 { 279 /* Process continuation of a pending message */ 280 if (len > wpabuf_tailroom(data->in_buf)) { 281 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Fragment overflow"); 282 eap_ikev2_state(data, FAIL); 283 return -1; 284 } 285 286 wpabuf_put_data(data->in_buf, buf, len); 287 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Received %lu bytes, waiting for %lu " 288 "bytes more", (unsigned long) len, 289 (unsigned long) wpabuf_tailroom(data->in_buf)); 290 291 return 0; 292 } 293 294 295 static int eap_ikev2_process_fragment(struct eap_ikev2_data *data, 296 u8 flags, u32 message_length, 297 const u8 *buf, size_t len) 298 { 299 /* Process a fragment that is not the last one of the message */ 300 if (data->in_buf == NULL && !(flags & IKEV2_FLAGS_LENGTH_INCLUDED)) { 301 wpa_printf(MSG_DEBUG, "EAP-IKEV2: No Message Length field in " 302 "a fragmented packet"); 303 return -1; 304 } 305 306 if (data->in_buf == NULL) { 307 /* First fragment of the message */ 308 data->in_buf = wpabuf_alloc(message_length); 309 if (data->in_buf == NULL) { 310 wpa_printf(MSG_DEBUG, "EAP-IKEV2: No memory for " 311 "message"); 312 return -1; 313 } 314 wpabuf_put_data(data->in_buf, buf, len); 315 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Received %lu bytes in first " 316 "fragment, waiting for %lu bytes more", 317 (unsigned long) len, 318 (unsigned long) wpabuf_tailroom(data->in_buf)); 319 } 320 321 return 0; 322 } 323 324 325 static int eap_ikev2_server_keymat(struct eap_ikev2_data *data) 326 { 327 if (eap_ikev2_derive_keymat( 328 data->ikev2.proposal.prf, &data->ikev2.keys, 329 data->ikev2.i_nonce, data->ikev2.i_nonce_len, 330 data->ikev2.r_nonce, data->ikev2.r_nonce_len, 331 data->keymat) < 0) { 332 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Failed to derive " 333 "key material"); 334 return -1; 335 } 336 data->keymat_ok = 1; 337 return 0; 338 } 339 340 341 static void eap_ikev2_process(struct eap_sm *sm, void *priv, 342 struct wpabuf *respData) 343 { 344 struct eap_ikev2_data *data = priv; 345 const u8 *start, *pos, *end; 346 size_t len; 347 u8 flags; 348 u32 message_length = 0; 349 struct wpabuf tmpbuf; 350 351 pos = eap_hdr_validate(EAP_VENDOR_IETF, EAP_TYPE_IKEV2, respData, 352 &len); 353 if (pos == NULL) 354 return; /* Should not happen; message already verified */ 355 356 start = pos; 357 end = start + len; 358 359 if (len == 0) { 360 /* fragment ack */ 361 flags = 0; 362 } else 363 flags = *pos++; 364 365 if (eap_ikev2_process_icv(data, respData, flags, pos, &end) < 0) { 366 eap_ikev2_state(data, FAIL); 367 return; 368 } 369 370 if (flags & IKEV2_FLAGS_LENGTH_INCLUDED) { 371 if (end - pos < 4) { 372 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Message underflow"); 373 eap_ikev2_state(data, FAIL); 374 return; 375 } 376 message_length = WPA_GET_BE32(pos); 377 pos += 4; 378 379 if (message_length < (u32) (end - pos)) { 380 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Invalid Message " 381 "Length (%d; %ld remaining in this msg)", 382 message_length, (long) (end - pos)); 383 eap_ikev2_state(data, FAIL); 384 return; 385 } 386 } 387 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Received packet: Flags 0x%x " 388 "Message Length %u", flags, message_length); 389 390 if (data->state == WAIT_FRAG_ACK) { 391 if (len != 0) { 392 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Unexpected payload " 393 "in WAIT_FRAG_ACK state"); 394 eap_ikev2_state(data, FAIL); 395 return; 396 } 397 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Fragment acknowledged"); 398 eap_ikev2_state(data, MSG); 399 return; 400 } 401 402 if (data->in_buf && eap_ikev2_process_cont(data, pos, end - pos) < 0) { 403 eap_ikev2_state(data, FAIL); 404 return; 405 } 406 407 if (flags & IKEV2_FLAGS_MORE_FRAGMENTS) { 408 if (eap_ikev2_process_fragment(data, flags, message_length, 409 pos, end - pos) < 0) 410 eap_ikev2_state(data, FAIL); 411 else 412 eap_ikev2_state(data, FRAG_ACK); 413 return; 414 } else if (data->state == FRAG_ACK) { 415 wpa_printf(MSG_DEBUG, "EAP-TNC: All fragments received"); 416 data->state = MSG; 417 } 418 419 if (data->in_buf == NULL) { 420 /* Wrap unfragmented messages as wpabuf without extra copy */ 421 wpabuf_set(&tmpbuf, pos, end - pos); 422 data->in_buf = &tmpbuf; 423 } 424 425 if (ikev2_initiator_process(&data->ikev2, data->in_buf) < 0) { 426 if (data->in_buf == &tmpbuf) 427 data->in_buf = NULL; 428 eap_ikev2_state(data, FAIL); 429 return; 430 } 431 432 switch (data->ikev2.state) { 433 case SA_AUTH: 434 /* SA_INIT was sent out, so message have to be 435 * integrity protected from now on. */ 436 data->keys_ready = 1; 437 break; 438 case IKEV2_DONE: 439 if (data->state == FAIL) 440 break; 441 wpa_printf(MSG_DEBUG, "EAP-IKEV2: Authentication completed " 442 "successfully"); 443 if (eap_ikev2_server_keymat(data)) 444 break; 445 eap_ikev2_state(data, DONE); 446 break; 447 default: 448 break; 449 } 450 451 if (data->in_buf != &tmpbuf) 452 wpabuf_free(data->in_buf); 453 data->in_buf = NULL; 454 } 455 456 457 static Boolean eap_ikev2_isDone(struct eap_sm *sm, void *priv) 458 { 459 struct eap_ikev2_data *data = priv; 460 return data->state == DONE || data->state == FAIL; 461 } 462 463 464 static Boolean eap_ikev2_isSuccess(struct eap_sm *sm, void *priv) 465 { 466 struct eap_ikev2_data *data = priv; 467 return data->state == DONE && data->ikev2.state == IKEV2_DONE && 468 data->keymat_ok; 469 } 470 471 472 static u8 * eap_ikev2_getKey(struct eap_sm *sm, void *priv, size_t *len) 473 { 474 struct eap_ikev2_data *data = priv; 475 u8 *key; 476 477 if (data->state != DONE || !data->keymat_ok) 478 return NULL; 479 480 key = os_malloc(EAP_MSK_LEN); 481 if (key) { 482 os_memcpy(key, data->keymat, EAP_MSK_LEN); 483 *len = EAP_MSK_LEN; 484 } 485 486 return key; 487 } 488 489 490 static u8 * eap_ikev2_get_emsk(struct eap_sm *sm, void *priv, size_t *len) 491 { 492 struct eap_ikev2_data *data = priv; 493 u8 *key; 494 495 if (data->state != DONE || !data->keymat_ok) 496 return NULL; 497 498 key = os_malloc(EAP_EMSK_LEN); 499 if (key) { 500 os_memcpy(key, data->keymat + EAP_MSK_LEN, EAP_EMSK_LEN); 501 *len = EAP_EMSK_LEN; 502 } 503 504 return key; 505 } 506 507 508 int eap_server_ikev2_register(void) 509 { 510 struct eap_method *eap; 511 int ret; 512 513 eap = eap_server_method_alloc(EAP_SERVER_METHOD_INTERFACE_VERSION, 514 EAP_VENDOR_IETF, EAP_TYPE_IKEV2, 515 "IKEV2"); 516 if (eap == NULL) 517 return -1; 518 519 eap->init = eap_ikev2_init; 520 eap->reset = eap_ikev2_reset; 521 eap->buildReq = eap_ikev2_buildReq; 522 eap->check = eap_ikev2_check; 523 eap->process = eap_ikev2_process; 524 eap->isDone = eap_ikev2_isDone; 525 eap->getKey = eap_ikev2_getKey; 526 eap->isSuccess = eap_ikev2_isSuccess; 527 eap->get_emsk = eap_ikev2_get_emsk; 528 529 ret = eap_server_method_register(eap); 530 if (ret) 531 eap_server_method_free(eap); 532 return ret; 533 } 534
