1 /* 2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2 3 * Copyright (c) 2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/dh_groups.h" 13 #include "crypto/random.h" 14 #include "ikev2.h" 15 16 17 static int ikev2_process_idr(struct ikev2_initiator_data *data, 18 const u8 *idr, size_t idr_len); 19 20 21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data) 22 { 23 ikev2_free_keys(&data->keys); 24 wpabuf_free(data->r_dh_public); 25 wpabuf_free(data->i_dh_private); 26 os_free(data->IDi); 27 os_free(data->IDr); 28 os_free(data->shared_secret); 29 wpabuf_free(data->i_sign_msg); 30 wpabuf_free(data->r_sign_msg); 31 os_free(data->key_pad); 32 } 33 34 35 static int ikev2_derive_keys(struct ikev2_initiator_data *data) 36 { 37 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; 38 size_t buf_len, pad_len; 39 struct wpabuf *shared; 40 const struct ikev2_integ_alg *integ; 41 const struct ikev2_prf_alg *prf; 42 const struct ikev2_encr_alg *encr; 43 int ret; 44 const u8 *addr[2]; 45 size_t len[2]; 46 47 /* RFC 4306, Sect. 2.14 */ 48 49 integ = ikev2_get_integ(data->proposal.integ); 50 prf = ikev2_get_prf(data->proposal.prf); 51 encr = ikev2_get_encr(data->proposal.encr); 52 if (integ == NULL || prf == NULL || encr == NULL) { 53 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal"); 54 return -1; 55 } 56 57 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private, 58 data->dh); 59 if (shared == NULL) 60 return -1; 61 62 /* Construct Ni | Nr | SPIi | SPIr */ 63 64 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; 65 buf = os_malloc(buf_len); 66 if (buf == NULL) { 67 wpabuf_free(shared); 68 return -1; 69 } 70 71 pos = buf; 72 os_memcpy(pos, data->i_nonce, data->i_nonce_len); 73 pos += data->i_nonce_len; 74 os_memcpy(pos, data->r_nonce, data->r_nonce_len); 75 pos += data->r_nonce_len; 76 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); 77 pos += IKEV2_SPI_LEN; 78 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); 79 80 /* SKEYSEED = prf(Ni | Nr, g^ir) */ 81 82 /* Use zero-padding per RFC 4306, Sect. 2.14 */ 83 pad_len = data->dh->prime_len - wpabuf_len(shared); 84 pad = os_zalloc(pad_len ? pad_len : 1); 85 if (pad == NULL) { 86 wpabuf_free(shared); 87 os_free(buf); 88 return -1; 89 } 90 addr[0] = pad; 91 len[0] = pad_len; 92 addr[1] = wpabuf_head(shared); 93 len[1] = wpabuf_len(shared); 94 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 95 2, addr, len, skeyseed) < 0) { 96 wpabuf_free(shared); 97 os_free(buf); 98 os_free(pad); 99 return -1; 100 } 101 os_free(pad); 102 wpabuf_free(shared); 103 104 /* DH parameters are not needed anymore, so free them */ 105 wpabuf_free(data->r_dh_public); 106 data->r_dh_public = NULL; 107 wpabuf_free(data->i_dh_private); 108 data->i_dh_private = NULL; 109 110 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", 111 skeyseed, prf->hash_len); 112 113 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, 114 &data->keys); 115 os_free(buf); 116 return ret; 117 } 118 119 120 static int ikev2_parse_transform(struct ikev2_initiator_data *data, 121 struct ikev2_proposal_data *prop, 122 const u8 *pos, const u8 *end) 123 { 124 int transform_len; 125 const struct ikev2_transform *t; 126 u16 transform_id; 127 const u8 *tend; 128 129 if (end - pos < (int) sizeof(*t)) { 130 wpa_printf(MSG_INFO, "IKEV2: Too short transform"); 131 return -1; 132 } 133 134 t = (const struct ikev2_transform *) pos; 135 transform_len = WPA_GET_BE16(t->transform_length); 136 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) { 137 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d", 138 transform_len); 139 return -1; 140 } 141 tend = pos + transform_len; 142 143 transform_id = WPA_GET_BE16(t->transform_id); 144 145 wpa_printf(MSG_DEBUG, "IKEV2: Transform:"); 146 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d " 147 "Transform Type: %d Transform ID: %d", 148 t->type, transform_len, t->transform_type, transform_id); 149 150 if (t->type != 0 && t->type != 3) { 151 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type"); 152 return -1; 153 } 154 155 pos = (const u8 *) (t + 1); 156 if (pos < tend) { 157 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes", 158 pos, tend - pos); 159 } 160 161 switch (t->transform_type) { 162 case IKEV2_TRANSFORM_ENCR: 163 if (ikev2_get_encr(transform_id) && 164 transform_id == data->proposal.encr) { 165 if (transform_id == ENCR_AES_CBC) { 166 if (tend - pos != 4) { 167 wpa_printf(MSG_DEBUG, "IKEV2: No " 168 "Transform Attr for AES"); 169 break; 170 } 171 if (WPA_GET_BE16(pos) != 0x800e) { 172 wpa_printf(MSG_DEBUG, "IKEV2: Not a " 173 "Key Size attribute for " 174 "AES"); 175 break; 176 } 177 if (WPA_GET_BE16(pos + 2) != 128) { 178 wpa_printf(MSG_DEBUG, "IKEV2: " 179 "Unsupported AES key size " 180 "%d bits", 181 WPA_GET_BE16(pos + 2)); 182 break; 183 } 184 } 185 prop->encr = transform_id; 186 } 187 break; 188 case IKEV2_TRANSFORM_PRF: 189 if (ikev2_get_prf(transform_id) && 190 transform_id == data->proposal.prf) 191 prop->prf = transform_id; 192 break; 193 case IKEV2_TRANSFORM_INTEG: 194 if (ikev2_get_integ(transform_id) && 195 transform_id == data->proposal.integ) 196 prop->integ = transform_id; 197 break; 198 case IKEV2_TRANSFORM_DH: 199 if (dh_groups_get(transform_id) && 200 transform_id == data->proposal.dh) 201 prop->dh = transform_id; 202 break; 203 } 204 205 return transform_len; 206 } 207 208 209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data, 210 struct ikev2_proposal_data *prop, 211 const u8 *pos, const u8 *end) 212 { 213 const u8 *pend, *ppos; 214 int proposal_len, i; 215 const struct ikev2_proposal *p; 216 217 if (end - pos < (int) sizeof(*p)) { 218 wpa_printf(MSG_INFO, "IKEV2: Too short proposal"); 219 return -1; 220 } 221 222 p = (const struct ikev2_proposal *) pos; 223 proposal_len = WPA_GET_BE16(p->proposal_length); 224 if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) { 225 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d", 226 proposal_len); 227 return -1; 228 } 229 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d", 230 p->proposal_num); 231 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d " 232 " Protocol ID: %d", 233 p->type, proposal_len, p->protocol_id); 234 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d", 235 p->spi_size, p->num_transforms); 236 237 if (p->type != 0 && p->type != 2) { 238 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type"); 239 return -1; 240 } 241 242 if (p->protocol_id != IKEV2_PROTOCOL_IKE) { 243 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID " 244 "(only IKE allowed for EAP-IKEv2)"); 245 return -1; 246 } 247 248 if (p->proposal_num != prop->proposal_num) { 249 if (p->proposal_num == prop->proposal_num + 1) 250 prop->proposal_num = p->proposal_num; 251 else { 252 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #"); 253 return -1; 254 } 255 } 256 257 ppos = (const u8 *) (p + 1); 258 pend = pos + proposal_len; 259 if (ppos + p->spi_size > pend) { 260 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI " 261 "in proposal"); 262 return -1; 263 } 264 if (p->spi_size) { 265 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI", 266 ppos, p->spi_size); 267 ppos += p->spi_size; 268 } 269 270 /* 271 * For initial IKE_SA negotiation, SPI Size MUST be zero; for 272 * subsequent negotiations, it must be 8 for IKE. We only support 273 * initial case for now. 274 */ 275 if (p->spi_size != 0) { 276 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size"); 277 return -1; 278 } 279 280 if (p->num_transforms == 0) { 281 wpa_printf(MSG_INFO, "IKEV2: At least one transform required"); 282 return -1; 283 } 284 285 for (i = 0; i < (int) p->num_transforms; i++) { 286 int tlen = ikev2_parse_transform(data, prop, ppos, pend); 287 if (tlen < 0) 288 return -1; 289 ppos += tlen; 290 } 291 292 if (ppos != pend) { 293 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after " 294 "transforms"); 295 return -1; 296 } 297 298 return proposal_len; 299 } 300 301 302 static int ikev2_process_sar1(struct ikev2_initiator_data *data, 303 const u8 *sar1, size_t sar1_len) 304 { 305 struct ikev2_proposal_data prop; 306 const u8 *pos, *end; 307 int found = 0; 308 309 /* Security Association Payloads: <Proposals> */ 310 311 if (sar1 == NULL) { 312 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received"); 313 return -1; 314 } 315 316 os_memset(&prop, 0, sizeof(prop)); 317 prop.proposal_num = 1; 318 319 pos = sar1; 320 end = sar1 + sar1_len; 321 322 while (pos < end) { 323 int plen; 324 325 prop.integ = -1; 326 prop.prf = -1; 327 prop.encr = -1; 328 prop.dh = -1; 329 plen = ikev2_parse_proposal(data, &prop, pos, end); 330 if (plen < 0) 331 return -1; 332 333 if (!found && prop.integ != -1 && prop.prf != -1 && 334 prop.encr != -1 && prop.dh != -1) { 335 found = 1; 336 } 337 338 pos += plen; 339 340 /* Only one proposal expected in SAr */ 341 break; 342 } 343 344 if (pos != end) { 345 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal"); 346 return -1; 347 } 348 349 if (!found) { 350 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found"); 351 return -1; 352 } 353 354 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d " 355 "INTEG:%d D-H:%d", data->proposal.proposal_num, 356 data->proposal.encr, data->proposal.prf, 357 data->proposal.integ, data->proposal.dh); 358 359 return 0; 360 } 361 362 363 static int ikev2_process_ker(struct ikev2_initiator_data *data, 364 const u8 *ker, size_t ker_len) 365 { 366 u16 group; 367 368 /* 369 * Key Exchange Payload: 370 * DH Group # (16 bits) 371 * RESERVED (16 bits) 372 * Key Exchange Data (Diffie-Hellman public value) 373 */ 374 375 if (ker == NULL) { 376 wpa_printf(MSG_INFO, "IKEV2: KEr not received"); 377 return -1; 378 } 379 380 if (ker_len < 4 + 96) { 381 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload"); 382 return -1; 383 } 384 385 group = WPA_GET_BE16(ker); 386 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group); 387 388 if (group != data->proposal.dh) { 389 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match " 390 "with the selected proposal (%u)", 391 group, data->proposal.dh); 392 return -1; 393 } 394 395 if (data->dh == NULL) { 396 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group"); 397 return -1; 398 } 399 400 /* RFC 4306, Section 3.4: 401 * The length of DH public value MUST be equal to the length of the 402 * prime modulus. 403 */ 404 if (ker_len - 4 != data->dh->prime_len) { 405 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length " 406 "%ld (expected %ld)", 407 (long) (ker_len - 4), (long) data->dh->prime_len); 408 return -1; 409 } 410 411 wpabuf_free(data->r_dh_public); 412 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4); 413 if (data->r_dh_public == NULL) 414 return -1; 415 416 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value", 417 data->r_dh_public); 418 419 return 0; 420 } 421 422 423 static int ikev2_process_nr(struct ikev2_initiator_data *data, 424 const u8 *nr, size_t nr_len) 425 { 426 if (nr == NULL) { 427 wpa_printf(MSG_INFO, "IKEV2: Nr not received"); 428 return -1; 429 } 430 431 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) { 432 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld", 433 (long) nr_len); 434 return -1; 435 } 436 437 data->r_nonce_len = nr_len; 438 os_memcpy(data->r_nonce, nr, nr_len); 439 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr", 440 data->r_nonce, data->r_nonce_len); 441 442 return 0; 443 } 444 445 446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data, 447 const struct ikev2_hdr *hdr, 448 const u8 *encrypted, 449 size_t encrypted_len, u8 next_payload) 450 { 451 u8 *decrypted; 452 size_t decrypted_len; 453 struct ikev2_payloads pl; 454 int ret = 0; 455 456 decrypted = ikev2_decrypt_payload(data->proposal.encr, 457 data->proposal.integ, &data->keys, 0, 458 hdr, encrypted, encrypted_len, 459 &decrypted_len); 460 if (decrypted == NULL) 461 return -1; 462 463 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 464 465 if (ikev2_parse_payloads(&pl, next_payload, decrypted, 466 decrypted + decrypted_len) < 0) { 467 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 468 "payloads"); 469 return -1; 470 } 471 472 if (pl.idr) 473 ret = ikev2_process_idr(data, pl.idr, pl.idr_len); 474 475 os_free(decrypted); 476 477 return ret; 478 } 479 480 481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data, 482 const struct ikev2_hdr *hdr, 483 struct ikev2_payloads *pl) 484 { 485 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 || 486 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 || 487 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0) 488 return -1; 489 490 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN); 491 492 if (ikev2_derive_keys(data) < 0) 493 return -1; 494 495 if (pl->encrypted) { 496 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - " 497 "try to get IDr from it"); 498 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted, 499 pl->encrypted_len, 500 pl->encr_next_payload) < 0) { 501 wpa_printf(MSG_INFO, "IKEV2: Failed to process " 502 "encrypted payload"); 503 return -1; 504 } 505 } 506 507 data->state = SA_AUTH; 508 509 return 0; 510 } 511 512 513 static int ikev2_process_idr(struct ikev2_initiator_data *data, 514 const u8 *idr, size_t idr_len) 515 { 516 u8 id_type; 517 518 if (idr == NULL) { 519 wpa_printf(MSG_INFO, "IKEV2: No IDr received"); 520 return -1; 521 } 522 523 if (idr_len < 4) { 524 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload"); 525 return -1; 526 } 527 528 id_type = idr[0]; 529 idr += 4; 530 idr_len -= 4; 531 532 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type); 533 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len); 534 if (data->IDr) { 535 if (id_type != data->IDr_type || idr_len != data->IDr_len || 536 os_memcmp(idr, data->IDr, idr_len) != 0) { 537 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one " 538 "received earlier"); 539 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d", 540 id_type); 541 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr", 542 data->IDr, data->IDr_len); 543 return -1; 544 } 545 os_free(data->IDr); 546 } 547 data->IDr = os_malloc(idr_len); 548 if (data->IDr == NULL) 549 return -1; 550 os_memcpy(data->IDr, idr, idr_len); 551 data->IDr_len = idr_len; 552 data->IDr_type = id_type; 553 554 return 0; 555 } 556 557 558 static int ikev2_process_cert(struct ikev2_initiator_data *data, 559 const u8 *cert, size_t cert_len) 560 { 561 u8 cert_encoding; 562 563 if (cert == NULL) { 564 if (data->peer_auth == PEER_AUTH_CERT) { 565 wpa_printf(MSG_INFO, "IKEV2: No Certificate received"); 566 return -1; 567 } 568 return 0; 569 } 570 571 if (cert_len < 1) { 572 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field"); 573 return -1; 574 } 575 576 cert_encoding = cert[0]; 577 cert++; 578 cert_len--; 579 580 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding); 581 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len); 582 583 /* TODO: validate certificate */ 584 585 return 0; 586 } 587 588 589 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data, 590 u8 method, const u8 *auth, size_t auth_len) 591 { 592 if (method != AUTH_RSA_SIGN) { 593 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 594 "method %d", method); 595 return -1; 596 } 597 598 /* TODO: validate AUTH */ 599 return 0; 600 } 601 602 603 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data, 604 u8 method, const u8 *auth, 605 size_t auth_len) 606 { 607 u8 auth_data[IKEV2_MAX_HASH_LEN]; 608 const struct ikev2_prf_alg *prf; 609 610 if (method != AUTH_SHARED_KEY_MIC) { 611 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 612 "method %d", method); 613 return -1; 614 } 615 616 /* msg | Ni | prf(SK_pr,IDr') */ 617 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, 618 data->IDr, data->IDr_len, data->IDr_type, 619 &data->keys, 0, data->shared_secret, 620 data->shared_secret_len, 621 data->i_nonce, data->i_nonce_len, 622 data->key_pad, data->key_pad_len, 623 auth_data) < 0) { 624 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 625 return -1; 626 } 627 628 wpabuf_free(data->r_sign_msg); 629 data->r_sign_msg = NULL; 630 631 prf = ikev2_get_prf(data->proposal.prf); 632 if (prf == NULL) 633 return -1; 634 635 if (auth_len != prf->hash_len || 636 os_memcmp(auth, auth_data, auth_len) != 0) { 637 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data"); 638 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", 639 auth, auth_len); 640 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", 641 auth_data, prf->hash_len); 642 return -1; 643 } 644 645 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully " 646 "using shared keys"); 647 648 return 0; 649 } 650 651 652 static int ikev2_process_auth(struct ikev2_initiator_data *data, 653 const u8 *auth, size_t auth_len) 654 { 655 u8 auth_method; 656 657 if (auth == NULL) { 658 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload"); 659 return -1; 660 } 661 662 if (auth_len < 4) { 663 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication " 664 "Payload"); 665 return -1; 666 } 667 668 auth_method = auth[0]; 669 auth += 4; 670 auth_len -= 4; 671 672 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method); 673 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len); 674 675 switch (data->peer_auth) { 676 case PEER_AUTH_CERT: 677 return ikev2_process_auth_cert(data, auth_method, auth, 678 auth_len); 679 case PEER_AUTH_SECRET: 680 return ikev2_process_auth_secret(data, auth_method, auth, 681 auth_len); 682 } 683 684 return -1; 685 } 686 687 688 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data, 689 u8 next_payload, 690 u8 *payload, size_t payload_len) 691 { 692 struct ikev2_payloads pl; 693 694 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 695 696 if (ikev2_parse_payloads(&pl, next_payload, payload, payload + 697 payload_len) < 0) { 698 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 699 "payloads"); 700 return -1; 701 } 702 703 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 || 704 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 || 705 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0) 706 return -1; 707 708 return 0; 709 } 710 711 712 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data, 713 const struct ikev2_hdr *hdr, 714 struct ikev2_payloads *pl) 715 { 716 u8 *decrypted; 717 size_t decrypted_len; 718 int ret; 719 720 decrypted = ikev2_decrypt_payload(data->proposal.encr, 721 data->proposal.integ, 722 &data->keys, 0, hdr, pl->encrypted, 723 pl->encrypted_len, &decrypted_len); 724 if (decrypted == NULL) 725 return -1; 726 727 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload, 728 decrypted, decrypted_len); 729 os_free(decrypted); 730 731 if (ret == 0 && !data->unknown_user) { 732 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed"); 733 data->state = IKEV2_DONE; 734 } 735 736 return ret; 737 } 738 739 740 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data, 741 u8 exchange_type, u32 message_id) 742 { 743 switch (data->state) { 744 case SA_INIT: 745 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ], 746 * [SK{IDr}] */ 747 if (exchange_type != IKE_SA_INIT) { 748 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 749 "%u in SA_INIT state", exchange_type); 750 return -1; 751 } 752 if (message_id != 0) { 753 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 754 "in SA_INIT state", message_id); 755 return -1; 756 } 757 break; 758 case SA_AUTH: 759 /* Expect to receive IKE_SA_AUTH: 760 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH} 761 */ 762 if (exchange_type != IKE_SA_AUTH) { 763 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 764 "%u in SA_AUTH state", exchange_type); 765 return -1; 766 } 767 if (message_id != 1) { 768 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 769 "in SA_AUTH state", message_id); 770 return -1; 771 } 772 break; 773 case CHILD_SA: 774 if (exchange_type != CREATE_CHILD_SA) { 775 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 776 "%u in CHILD_SA state", exchange_type); 777 return -1; 778 } 779 if (message_id != 2) { 780 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 781 "in CHILD_SA state", message_id); 782 return -1; 783 } 784 break; 785 case IKEV2_DONE: 786 return -1; 787 } 788 789 return 0; 790 } 791 792 793 int ikev2_initiator_process(struct ikev2_initiator_data *data, 794 const struct wpabuf *buf) 795 { 796 const struct ikev2_hdr *hdr; 797 u32 length, message_id; 798 const u8 *pos, *end; 799 struct ikev2_payloads pl; 800 801 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)", 802 (unsigned long) wpabuf_len(buf)); 803 804 if (wpabuf_len(buf) < sizeof(*hdr)) { 805 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR"); 806 return -1; 807 } 808 809 hdr = (const struct ikev2_hdr *) wpabuf_head(buf); 810 end = wpabuf_head_u8(buf) + wpabuf_len(buf); 811 message_id = WPA_GET_BE32(hdr->message_id); 812 length = WPA_GET_BE32(hdr->length); 813 814 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 815 hdr->i_spi, IKEV2_SPI_LEN); 816 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 817 hdr->r_spi, IKEV2_SPI_LEN); 818 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x " 819 "Exchange Type: %u", 820 hdr->next_payload, hdr->version, hdr->exchange_type); 821 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u", 822 message_id, length); 823 824 if (hdr->version != IKEV2_VERSION) { 825 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x " 826 "(expected 0x%x)", hdr->version, IKEV2_VERSION); 827 return -1; 828 } 829 830 if (length != wpabuf_len(buf)) { 831 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != " 832 "RX: %lu)", (unsigned long) length, 833 (unsigned long) wpabuf_len(buf)); 834 return -1; 835 } 836 837 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0) 838 return -1; 839 840 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) != 841 IKEV2_HDR_RESPONSE) { 842 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x", 843 hdr->flags); 844 return -1; 845 } 846 847 if (data->state != SA_INIT) { 848 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) { 849 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 850 "Initiator's SPI"); 851 return -1; 852 } 853 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) { 854 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 855 "Responder's SPI"); 856 return -1; 857 } 858 } 859 860 pos = (const u8 *) (hdr + 1); 861 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0) 862 return -1; 863 864 switch (data->state) { 865 case SA_INIT: 866 if (ikev2_process_sa_init(data, hdr, &pl) < 0) 867 return -1; 868 wpabuf_free(data->r_sign_msg); 869 data->r_sign_msg = wpabuf_dup(buf); 870 break; 871 case SA_AUTH: 872 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) 873 return -1; 874 break; 875 case CHILD_SA: 876 case IKEV2_DONE: 877 break; 878 } 879 880 return 0; 881 } 882 883 884 static void ikev2_build_hdr(struct ikev2_initiator_data *data, 885 struct wpabuf *msg, u8 exchange_type, 886 u8 next_payload, u32 message_id) 887 { 888 struct ikev2_hdr *hdr; 889 890 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR"); 891 892 /* HDR - RFC 4306, Sect. 3.1 */ 893 hdr = wpabuf_put(msg, sizeof(*hdr)); 894 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN); 895 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN); 896 hdr->next_payload = next_payload; 897 hdr->version = IKEV2_VERSION; 898 hdr->exchange_type = exchange_type; 899 hdr->flags = IKEV2_HDR_INITIATOR; 900 WPA_PUT_BE32(hdr->message_id, message_id); 901 } 902 903 904 static int ikev2_build_sai(struct ikev2_initiator_data *data, 905 struct wpabuf *msg, u8 next_payload) 906 { 907 struct ikev2_payload_hdr *phdr; 908 size_t plen; 909 struct ikev2_proposal *p; 910 struct ikev2_transform *t; 911 912 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload"); 913 914 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */ 915 phdr = wpabuf_put(msg, sizeof(*phdr)); 916 phdr->next_payload = next_payload; 917 phdr->flags = 0; 918 919 /* TODO: support for multiple proposals */ 920 p = wpabuf_put(msg, sizeof(*p)); 921 p->proposal_num = data->proposal.proposal_num; 922 p->protocol_id = IKEV2_PROTOCOL_IKE; 923 p->num_transforms = 4; 924 925 t = wpabuf_put(msg, sizeof(*t)); 926 t->type = 3; 927 t->transform_type = IKEV2_TRANSFORM_ENCR; 928 WPA_PUT_BE16(t->transform_id, data->proposal.encr); 929 if (data->proposal.encr == ENCR_AES_CBC) { 930 /* Transform Attribute: Key Len = 128 bits */ 931 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */ 932 wpabuf_put_be16(msg, 128); /* 128-bit key */ 933 } 934 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t; 935 WPA_PUT_BE16(t->transform_length, plen); 936 937 t = wpabuf_put(msg, sizeof(*t)); 938 t->type = 3; 939 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 940 t->transform_type = IKEV2_TRANSFORM_PRF; 941 WPA_PUT_BE16(t->transform_id, data->proposal.prf); 942 943 t = wpabuf_put(msg, sizeof(*t)); 944 t->type = 3; 945 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 946 t->transform_type = IKEV2_TRANSFORM_INTEG; 947 WPA_PUT_BE16(t->transform_id, data->proposal.integ); 948 949 t = wpabuf_put(msg, sizeof(*t)); 950 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 951 t->transform_type = IKEV2_TRANSFORM_DH; 952 WPA_PUT_BE16(t->transform_id, data->proposal.dh); 953 954 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p; 955 WPA_PUT_BE16(p->proposal_length, plen); 956 957 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 958 WPA_PUT_BE16(phdr->payload_length, plen); 959 960 return 0; 961 } 962 963 964 static int ikev2_build_kei(struct ikev2_initiator_data *data, 965 struct wpabuf *msg, u8 next_payload) 966 { 967 struct ikev2_payload_hdr *phdr; 968 size_t plen; 969 struct wpabuf *pv; 970 971 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload"); 972 973 data->dh = dh_groups_get(data->proposal.dh); 974 pv = dh_init(data->dh, &data->i_dh_private); 975 if (pv == NULL) { 976 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH"); 977 return -1; 978 } 979 980 /* KEi - RFC 4306, Sect. 3.4 */ 981 phdr = wpabuf_put(msg, sizeof(*phdr)); 982 phdr->next_payload = next_payload; 983 phdr->flags = 0; 984 985 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */ 986 wpabuf_put(msg, 2); /* RESERVED */ 987 /* 988 * RFC 4306, Sect. 3.4: possible zero padding for public value to 989 * match the length of the prime. 990 */ 991 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv)); 992 wpabuf_put_buf(msg, pv); 993 wpabuf_free(pv); 994 995 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 996 WPA_PUT_BE16(phdr->payload_length, plen); 997 return 0; 998 } 999 1000 1001 static int ikev2_build_ni(struct ikev2_initiator_data *data, 1002 struct wpabuf *msg, u8 next_payload) 1003 { 1004 struct ikev2_payload_hdr *phdr; 1005 size_t plen; 1006 1007 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload"); 1008 1009 /* Ni - RFC 4306, Sect. 3.9 */ 1010 phdr = wpabuf_put(msg, sizeof(*phdr)); 1011 phdr->next_payload = next_payload; 1012 phdr->flags = 0; 1013 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len); 1014 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1015 WPA_PUT_BE16(phdr->payload_length, plen); 1016 return 0; 1017 } 1018 1019 1020 static int ikev2_build_idi(struct ikev2_initiator_data *data, 1021 struct wpabuf *msg, u8 next_payload) 1022 { 1023 struct ikev2_payload_hdr *phdr; 1024 size_t plen; 1025 1026 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload"); 1027 1028 if (data->IDi == NULL) { 1029 wpa_printf(MSG_INFO, "IKEV2: No IDi available"); 1030 return -1; 1031 } 1032 1033 /* IDi - RFC 4306, Sect. 3.5 */ 1034 phdr = wpabuf_put(msg, sizeof(*phdr)); 1035 phdr->next_payload = next_payload; 1036 phdr->flags = 0; 1037 wpabuf_put_u8(msg, ID_KEY_ID); 1038 wpabuf_put(msg, 3); /* RESERVED */ 1039 wpabuf_put_data(msg, data->IDi, data->IDi_len); 1040 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1041 WPA_PUT_BE16(phdr->payload_length, plen); 1042 return 0; 1043 } 1044 1045 1046 static int ikev2_build_auth(struct ikev2_initiator_data *data, 1047 struct wpabuf *msg, u8 next_payload) 1048 { 1049 struct ikev2_payload_hdr *phdr; 1050 size_t plen; 1051 const struct ikev2_prf_alg *prf; 1052 1053 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload"); 1054 1055 prf = ikev2_get_prf(data->proposal.prf); 1056 if (prf == NULL) 1057 return -1; 1058 1059 /* Authentication - RFC 4306, Sect. 3.8 */ 1060 phdr = wpabuf_put(msg, sizeof(*phdr)); 1061 phdr->next_payload = next_payload; 1062 phdr->flags = 0; 1063 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC); 1064 wpabuf_put(msg, 3); /* RESERVED */ 1065 1066 /* msg | Nr | prf(SK_pi,IDi') */ 1067 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg, 1068 data->IDi, data->IDi_len, ID_KEY_ID, 1069 &data->keys, 1, data->shared_secret, 1070 data->shared_secret_len, 1071 data->r_nonce, data->r_nonce_len, 1072 data->key_pad, data->key_pad_len, 1073 wpabuf_put(msg, prf->hash_len)) < 0) { 1074 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 1075 return -1; 1076 } 1077 wpabuf_free(data->i_sign_msg); 1078 data->i_sign_msg = NULL; 1079 1080 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1081 WPA_PUT_BE16(phdr->payload_length, plen); 1082 return 0; 1083 } 1084 1085 1086 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data) 1087 { 1088 struct wpabuf *msg; 1089 1090 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */ 1091 1092 if (os_get_random(data->i_spi, IKEV2_SPI_LEN)) 1093 return NULL; 1094 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 1095 data->i_spi, IKEV2_SPI_LEN); 1096 1097 data->i_nonce_len = IKEV2_NONCE_MIN_LEN; 1098 if (random_get_bytes(data->i_nonce, data->i_nonce_len)) 1099 return NULL; 1100 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len); 1101 1102 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000); 1103 if (msg == NULL) 1104 return NULL; 1105 1106 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0); 1107 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) || 1108 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) || 1109 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1110 wpabuf_free(msg); 1111 return NULL; 1112 } 1113 1114 ikev2_update_hdr(msg); 1115 1116 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg); 1117 1118 wpabuf_free(data->i_sign_msg); 1119 data->i_sign_msg = wpabuf_dup(msg); 1120 1121 return msg; 1122 } 1123 1124 1125 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data) 1126 { 1127 struct wpabuf *msg, *plain; 1128 const u8 *secret; 1129 size_t secret_len; 1130 1131 secret = data->get_shared_secret(data->cb_ctx, data->IDr, 1132 data->IDr_len, &secret_len); 1133 if (secret == NULL) { 1134 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - " 1135 "use fake value"); 1136 /* RFC 5106, Sect. 7: 1137 * Use a random key to fake AUTH generation in order to prevent 1138 * probing of user identities. 1139 */ 1140 data->unknown_user = 1; 1141 os_free(data->shared_secret); 1142 data->shared_secret = os_malloc(16); 1143 if (data->shared_secret == NULL) 1144 return NULL; 1145 data->shared_secret_len = 16; 1146 if (random_get_bytes(data->shared_secret, 16)) 1147 return NULL; 1148 } else { 1149 os_free(data->shared_secret); 1150 data->shared_secret = os_malloc(secret_len); 1151 if (data->shared_secret == NULL) 1152 return NULL; 1153 os_memcpy(data->shared_secret, secret, secret_len); 1154 data->shared_secret_len = secret_len; 1155 } 1156 1157 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */ 1158 1159 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000); 1160 if (msg == NULL) 1161 return NULL; 1162 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1); 1163 1164 plain = wpabuf_alloc(data->IDr_len + 1000); 1165 if (plain == NULL) { 1166 wpabuf_free(msg); 1167 return NULL; 1168 } 1169 1170 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) || 1171 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1172 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ, 1173 &data->keys, 1, msg, plain, 1174 IKEV2_PAYLOAD_IDi)) { 1175 wpabuf_free(plain); 1176 wpabuf_free(msg); 1177 return NULL; 1178 } 1179 wpabuf_free(plain); 1180 1181 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg); 1182 1183 return msg; 1184 } 1185 1186 1187 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data) 1188 { 1189 switch (data->state) { 1190 case SA_INIT: 1191 return ikev2_build_sa_init(data); 1192 case SA_AUTH: 1193 return ikev2_build_sa_auth(data); 1194 case CHILD_SA: 1195 return NULL; 1196 case IKEV2_DONE: 1197 return NULL; 1198 } 1199 return NULL; 1200 } 1201
