1/*
2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/dh_groups.h"
13#include "crypto/random.h"
14#include "ikev2.h"
15
16
17static int ikev2_process_idr(struct ikev2_initiator_data *data,
18			     const u8 *idr, size_t idr_len);
19
20
21void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
22{
23	ikev2_free_keys(&data->keys);
24	wpabuf_free(data->r_dh_public);
25	wpabuf_free(data->i_dh_private);
26	os_free(data->IDi);
27	os_free(data->IDr);
28	os_free(data->shared_secret);
29	wpabuf_free(data->i_sign_msg);
30	wpabuf_free(data->r_sign_msg);
31	os_free(data->key_pad);
32}
33
34
35static int ikev2_derive_keys(struct ikev2_initiator_data *data)
36{
37	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
38	size_t buf_len, pad_len;
39	struct wpabuf *shared;
40	const struct ikev2_integ_alg *integ;
41	const struct ikev2_prf_alg *prf;
42	const struct ikev2_encr_alg *encr;
43	int ret;
44	const u8 *addr[2];
45	size_t len[2];
46
47	/* RFC 4306, Sect. 2.14 */
48
49	integ = ikev2_get_integ(data->proposal.integ);
50	prf = ikev2_get_prf(data->proposal.prf);
51	encr = ikev2_get_encr(data->proposal.encr);
52	if (integ == NULL || prf == NULL || encr == NULL) {
53		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
54		return -1;
55	}
56
57	shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
58				  data->dh);
59	if (shared == NULL)
60		return -1;
61
62	/* Construct Ni | Nr | SPIi | SPIr */
63
64	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
65	buf = os_malloc(buf_len);
66	if (buf == NULL) {
67		wpabuf_free(shared);
68		return -1;
69	}
70
71	pos = buf;
72	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
73	pos += data->i_nonce_len;
74	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
75	pos += data->r_nonce_len;
76	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
77	pos += IKEV2_SPI_LEN;
78	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
79
80	/* SKEYSEED = prf(Ni | Nr, g^ir) */
81
82	/* Use zero-padding per RFC 4306, Sect. 2.14 */
83	pad_len = data->dh->prime_len - wpabuf_len(shared);
84	pad = os_zalloc(pad_len ? pad_len : 1);
85	if (pad == NULL) {
86		wpabuf_free(shared);
87		os_free(buf);
88		return -1;
89	}
90	addr[0] = pad;
91	len[0] = pad_len;
92	addr[1] = wpabuf_head(shared);
93	len[1] = wpabuf_len(shared);
94	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
95			   2, addr, len, skeyseed) < 0) {
96		wpabuf_free(shared);
97		os_free(buf);
98		os_free(pad);
99		return -1;
100	}
101	os_free(pad);
102	wpabuf_free(shared);
103
104	/* DH parameters are not needed anymore, so free them */
105	wpabuf_free(data->r_dh_public);
106	data->r_dh_public = NULL;
107	wpabuf_free(data->i_dh_private);
108	data->i_dh_private = NULL;
109
110	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
111			skeyseed, prf->hash_len);
112
113	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
114				   &data->keys);
115	os_free(buf);
116	return ret;
117}
118
119
120static int ikev2_parse_transform(struct ikev2_initiator_data *data,
121				 struct ikev2_proposal_data *prop,
122				 const u8 *pos, const u8 *end)
123{
124	int transform_len;
125	const struct ikev2_transform *t;
126	u16 transform_id;
127	const u8 *tend;
128
129	if (end - pos < (int) sizeof(*t)) {
130		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
131		return -1;
132	}
133
134	t = (const struct ikev2_transform *) pos;
135	transform_len = WPA_GET_BE16(t->transform_length);
136	if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
137		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
138			   transform_len);
139		return -1;
140	}
141	tend = pos + transform_len;
142
143	transform_id = WPA_GET_BE16(t->transform_id);
144
145	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
146	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
147		   "Transform Type: %d  Transform ID: %d",
148		   t->type, transform_len, t->transform_type, transform_id);
149
150	if (t->type != 0 && t->type != 3) {
151		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
152		return -1;
153	}
154
155	pos = (const u8 *) (t + 1);
156	if (pos < tend) {
157		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
158			    pos, tend - pos);
159	}
160
161	switch (t->transform_type) {
162	case IKEV2_TRANSFORM_ENCR:
163		if (ikev2_get_encr(transform_id) &&
164		    transform_id == data->proposal.encr) {
165			if (transform_id == ENCR_AES_CBC) {
166				if (tend - pos != 4) {
167					wpa_printf(MSG_DEBUG, "IKEV2: No "
168						   "Transform Attr for AES");
169					break;
170				}
171				if (WPA_GET_BE16(pos) != 0x800e) {
172					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
173						   "Key Size attribute for "
174						   "AES");
175					break;
176				}
177				if (WPA_GET_BE16(pos + 2) != 128) {
178					wpa_printf(MSG_DEBUG, "IKEV2: "
179						   "Unsupported AES key size "
180						   "%d bits",
181						   WPA_GET_BE16(pos + 2));
182					break;
183				}
184			}
185			prop->encr = transform_id;
186		}
187		break;
188	case IKEV2_TRANSFORM_PRF:
189		if (ikev2_get_prf(transform_id) &&
190		    transform_id == data->proposal.prf)
191			prop->prf = transform_id;
192		break;
193	case IKEV2_TRANSFORM_INTEG:
194		if (ikev2_get_integ(transform_id) &&
195		    transform_id == data->proposal.integ)
196			prop->integ = transform_id;
197		break;
198	case IKEV2_TRANSFORM_DH:
199		if (dh_groups_get(transform_id) &&
200		    transform_id == data->proposal.dh)
201			prop->dh = transform_id;
202		break;
203	}
204
205	return transform_len;
206}
207
208
209static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
210				struct ikev2_proposal_data *prop,
211				const u8 *pos, const u8 *end)
212{
213	const u8 *pend, *ppos;
214	int proposal_len, i;
215	const struct ikev2_proposal *p;
216
217	if (end - pos < (int) sizeof(*p)) {
218		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
219		return -1;
220	}
221
222	p = (const struct ikev2_proposal *) pos;
223	proposal_len = WPA_GET_BE16(p->proposal_length);
224	if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
225		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
226			   proposal_len);
227		return -1;
228	}
229	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
230		   p->proposal_num);
231	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
232		   " Protocol ID: %d",
233		   p->type, proposal_len, p->protocol_id);
234	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
235		   p->spi_size, p->num_transforms);
236
237	if (p->type != 0 && p->type != 2) {
238		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
239		return -1;
240	}
241
242	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
243		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
244			   "(only IKE allowed for EAP-IKEv2)");
245		return -1;
246	}
247
248	if (p->proposal_num != prop->proposal_num) {
249		if (p->proposal_num == prop->proposal_num + 1)
250			prop->proposal_num = p->proposal_num;
251		else {
252			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
253			return -1;
254		}
255	}
256
257	ppos = (const u8 *) (p + 1);
258	pend = pos + proposal_len;
259	if (ppos + p->spi_size > pend) {
260		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
261			   "in proposal");
262		return -1;
263	}
264	if (p->spi_size) {
265		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
266			    ppos, p->spi_size);
267		ppos += p->spi_size;
268	}
269
270	/*
271	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
272	 * subsequent negotiations, it must be 8 for IKE. We only support
273	 * initial case for now.
274	 */
275	if (p->spi_size != 0) {
276		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
277		return -1;
278	}
279
280	if (p->num_transforms == 0) {
281		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
282		return -1;
283	}
284
285	for (i = 0; i < (int) p->num_transforms; i++) {
286		int tlen = ikev2_parse_transform(data, prop, ppos, pend);
287		if (tlen < 0)
288			return -1;
289		ppos += tlen;
290	}
291
292	if (ppos != pend) {
293		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
294			   "transforms");
295		return -1;
296	}
297
298	return proposal_len;
299}
300
301
302static int ikev2_process_sar1(struct ikev2_initiator_data *data,
303			      const u8 *sar1, size_t sar1_len)
304{
305	struct ikev2_proposal_data prop;
306	const u8 *pos, *end;
307	int found = 0;
308
309	/* Security Association Payloads: <Proposals> */
310
311	if (sar1 == NULL) {
312		wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
313		return -1;
314	}
315
316	os_memset(&prop, 0, sizeof(prop));
317	prop.proposal_num = 1;
318
319	pos = sar1;
320	end = sar1 + sar1_len;
321
322	while (pos < end) {
323		int plen;
324
325		prop.integ = -1;
326		prop.prf = -1;
327		prop.encr = -1;
328		prop.dh = -1;
329		plen = ikev2_parse_proposal(data, &prop, pos, end);
330		if (plen < 0)
331			return -1;
332
333		if (!found && prop.integ != -1 && prop.prf != -1 &&
334		    prop.encr != -1 && prop.dh != -1) {
335			found = 1;
336		}
337
338		pos += plen;
339
340		/* Only one proposal expected in SAr */
341		break;
342	}
343
344	if (pos != end) {
345		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
346		return -1;
347	}
348
349	if (!found) {
350		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
351		return -1;
352	}
353
354	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
355		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
356		   data->proposal.encr, data->proposal.prf,
357		   data->proposal.integ, data->proposal.dh);
358
359	return 0;
360}
361
362
363static int ikev2_process_ker(struct ikev2_initiator_data *data,
364			     const u8 *ker, size_t ker_len)
365{
366	u16 group;
367
368	/*
369	 * Key Exchange Payload:
370	 * DH Group # (16 bits)
371	 * RESERVED (16 bits)
372	 * Key Exchange Data (Diffie-Hellman public value)
373	 */
374
375	if (ker == NULL) {
376		wpa_printf(MSG_INFO, "IKEV2: KEr not received");
377		return -1;
378	}
379
380	if (ker_len < 4 + 96) {
381		wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
382		return -1;
383	}
384
385	group = WPA_GET_BE16(ker);
386	wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
387
388	if (group != data->proposal.dh) {
389		wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
390			   "with the selected proposal (%u)",
391			   group, data->proposal.dh);
392		return -1;
393	}
394
395	if (data->dh == NULL) {
396		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
397		return -1;
398	}
399
400	/* RFC 4306, Section 3.4:
401	 * The length of DH public value MUST be equal to the length of the
402	 * prime modulus.
403	 */
404	if (ker_len - 4 != data->dh->prime_len) {
405		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
406			   "%ld (expected %ld)",
407			   (long) (ker_len - 4), (long) data->dh->prime_len);
408		return -1;
409	}
410
411	wpabuf_free(data->r_dh_public);
412	data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
413	if (data->r_dh_public == NULL)
414		return -1;
415
416	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
417			data->r_dh_public);
418
419	return 0;
420}
421
422
423static int ikev2_process_nr(struct ikev2_initiator_data *data,
424			    const u8 *nr, size_t nr_len)
425{
426	if (nr == NULL) {
427		wpa_printf(MSG_INFO, "IKEV2: Nr not received");
428		return -1;
429	}
430
431	if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
432		wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
433			   (long) nr_len);
434		return -1;
435	}
436
437	data->r_nonce_len = nr_len;
438	os_memcpy(data->r_nonce, nr, nr_len);
439	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
440		    data->r_nonce, data->r_nonce_len);
441
442	return 0;
443}
444
445
446static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
447				      const struct ikev2_hdr *hdr,
448				      const u8 *encrypted,
449				      size_t encrypted_len, u8 next_payload)
450{
451	u8 *decrypted;
452	size_t decrypted_len;
453	struct ikev2_payloads pl;
454	int ret = 0;
455
456	decrypted = ikev2_decrypt_payload(data->proposal.encr,
457					  data->proposal.integ, &data->keys, 0,
458					  hdr, encrypted, encrypted_len,
459					  &decrypted_len);
460	if (decrypted == NULL)
461		return -1;
462
463	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
464
465	if (ikev2_parse_payloads(&pl, next_payload, decrypted,
466				 decrypted + decrypted_len) < 0) {
467		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
468			   "payloads");
469		return -1;
470	}
471
472	if (pl.idr)
473		ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
474
475	os_free(decrypted);
476
477	return ret;
478}
479
480
481static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
482				 const struct ikev2_hdr *hdr,
483				 struct ikev2_payloads *pl)
484{
485	if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
486	    ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
487	    ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
488		return -1;
489
490	os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
491
492	if (ikev2_derive_keys(data) < 0)
493		return -1;
494
495	if (pl->encrypted) {
496		wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
497			   "try to get IDr from it");
498		if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
499					       pl->encrypted_len,
500					       pl->encr_next_payload) < 0) {
501			wpa_printf(MSG_INFO, "IKEV2: Failed to process "
502				   "encrypted payload");
503			return -1;
504		}
505	}
506
507	data->state = SA_AUTH;
508
509	return 0;
510}
511
512
513static int ikev2_process_idr(struct ikev2_initiator_data *data,
514			     const u8 *idr, size_t idr_len)
515{
516	u8 id_type;
517
518	if (idr == NULL) {
519		wpa_printf(MSG_INFO, "IKEV2: No IDr received");
520		return -1;
521	}
522
523	if (idr_len < 4) {
524		wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
525		return -1;
526	}
527
528	id_type = idr[0];
529	idr += 4;
530	idr_len -= 4;
531
532	wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
533	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
534	if (data->IDr) {
535		if (id_type != data->IDr_type || idr_len != data->IDr_len ||
536		    os_memcmp(idr, data->IDr, idr_len) != 0) {
537			wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
538				   "received earlier");
539			wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
540				   id_type);
541			wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
542					  data->IDr, data->IDr_len);
543			return -1;
544		}
545		os_free(data->IDr);
546	}
547	data->IDr = os_malloc(idr_len);
548	if (data->IDr == NULL)
549		return -1;
550	os_memcpy(data->IDr, idr, idr_len);
551	data->IDr_len = idr_len;
552	data->IDr_type = id_type;
553
554	return 0;
555}
556
557
558static int ikev2_process_cert(struct ikev2_initiator_data *data,
559			      const u8 *cert, size_t cert_len)
560{
561	u8 cert_encoding;
562
563	if (cert == NULL) {
564		if (data->peer_auth == PEER_AUTH_CERT) {
565			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
566			return -1;
567		}
568		return 0;
569	}
570
571	if (cert_len < 1) {
572		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
573		return -1;
574	}
575
576	cert_encoding = cert[0];
577	cert++;
578	cert_len--;
579
580	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
581	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
582
583	/* TODO: validate certificate */
584
585	return 0;
586}
587
588
589static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
590				   u8 method, const u8 *auth, size_t auth_len)
591{
592	if (method != AUTH_RSA_SIGN) {
593		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
594			   "method %d", method);
595		return -1;
596	}
597
598	/* TODO: validate AUTH */
599	return 0;
600}
601
602
603static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
604				     u8 method, const u8 *auth,
605				     size_t auth_len)
606{
607	u8 auth_data[IKEV2_MAX_HASH_LEN];
608	const struct ikev2_prf_alg *prf;
609
610	if (method != AUTH_SHARED_KEY_MIC) {
611		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
612			   "method %d", method);
613		return -1;
614	}
615
616	/* msg | Ni | prf(SK_pr,IDr') */
617	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
618				   data->IDr, data->IDr_len, data->IDr_type,
619				   &data->keys, 0, data->shared_secret,
620				   data->shared_secret_len,
621				   data->i_nonce, data->i_nonce_len,
622				   data->key_pad, data->key_pad_len,
623				   auth_data) < 0) {
624		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
625		return -1;
626	}
627
628	wpabuf_free(data->r_sign_msg);
629	data->r_sign_msg = NULL;
630
631	prf = ikev2_get_prf(data->proposal.prf);
632	if (prf == NULL)
633		return -1;
634
635	if (auth_len != prf->hash_len ||
636	    os_memcmp_const(auth, auth_data, auth_len) != 0) {
637		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
638		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
639			    auth, auth_len);
640		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
641			    auth_data, prf->hash_len);
642		return -1;
643	}
644
645	wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
646		   "using shared keys");
647
648	return 0;
649}
650
651
652static int ikev2_process_auth(struct ikev2_initiator_data *data,
653			      const u8 *auth, size_t auth_len)
654{
655	u8 auth_method;
656
657	if (auth == NULL) {
658		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
659		return -1;
660	}
661
662	if (auth_len < 4) {
663		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
664			   "Payload");
665		return -1;
666	}
667
668	auth_method = auth[0];
669	auth += 4;
670	auth_len -= 4;
671
672	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
673	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
674
675	switch (data->peer_auth) {
676	case PEER_AUTH_CERT:
677		return ikev2_process_auth_cert(data, auth_method, auth,
678					       auth_len);
679	case PEER_AUTH_SECRET:
680		return ikev2_process_auth_secret(data, auth_method, auth,
681						 auth_len);
682	}
683
684	return -1;
685}
686
687
688static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
689					   u8 next_payload,
690					   u8 *payload, size_t payload_len)
691{
692	struct ikev2_payloads pl;
693
694	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
695
696	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
697				 payload_len) < 0) {
698		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
699			   "payloads");
700		return -1;
701	}
702
703	if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
704	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
705	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
706		return -1;
707
708	return 0;
709}
710
711
712static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
713				 const struct ikev2_hdr *hdr,
714				 struct ikev2_payloads *pl)
715{
716	u8 *decrypted;
717	size_t decrypted_len;
718	int ret;
719
720	decrypted = ikev2_decrypt_payload(data->proposal.encr,
721					  data->proposal.integ,
722					  &data->keys, 0, hdr, pl->encrypted,
723					  pl->encrypted_len, &decrypted_len);
724	if (decrypted == NULL)
725		return -1;
726
727	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
728					      decrypted, decrypted_len);
729	os_free(decrypted);
730
731	if (ret == 0 && !data->unknown_user) {
732		wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
733		data->state = IKEV2_DONE;
734	}
735
736	return ret;
737}
738
739
740static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
741				   u8 exchange_type, u32 message_id)
742{
743	switch (data->state) {
744	case SA_INIT:
745		/* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
746		 * [SK{IDr}] */
747		if (exchange_type != IKE_SA_INIT) {
748			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
749				   "%u in SA_INIT state", exchange_type);
750			return -1;
751		}
752		if (message_id != 0) {
753			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
754				   "in SA_INIT state", message_id);
755			return -1;
756		}
757		break;
758	case SA_AUTH:
759		/* Expect to receive IKE_SA_AUTH:
760		 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
761		 */
762		if (exchange_type != IKE_SA_AUTH) {
763			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
764				   "%u in SA_AUTH state", exchange_type);
765			return -1;
766		}
767		if (message_id != 1) {
768			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
769				   "in SA_AUTH state", message_id);
770			return -1;
771		}
772		break;
773	case CHILD_SA:
774		if (exchange_type != CREATE_CHILD_SA) {
775			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
776				   "%u in CHILD_SA state", exchange_type);
777			return -1;
778		}
779		if (message_id != 2) {
780			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
781				   "in CHILD_SA state", message_id);
782			return -1;
783		}
784		break;
785	case IKEV2_DONE:
786		return -1;
787	}
788
789	return 0;
790}
791
792
793int ikev2_initiator_process(struct ikev2_initiator_data *data,
794			    const struct wpabuf *buf)
795{
796	const struct ikev2_hdr *hdr;
797	u32 length, message_id;
798	const u8 *pos, *end;
799	struct ikev2_payloads pl;
800
801	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
802		   (unsigned long) wpabuf_len(buf));
803
804	if (wpabuf_len(buf) < sizeof(*hdr)) {
805		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
806		return -1;
807	}
808
809	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
810	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
811	message_id = WPA_GET_BE32(hdr->message_id);
812	length = WPA_GET_BE32(hdr->length);
813
814	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
815		    hdr->i_spi, IKEV2_SPI_LEN);
816	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
817		    hdr->r_spi, IKEV2_SPI_LEN);
818	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
819		   "Exchange Type: %u",
820		   hdr->next_payload, hdr->version, hdr->exchange_type);
821	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
822		   message_id, length);
823
824	if (hdr->version != IKEV2_VERSION) {
825		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
826			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
827		return -1;
828	}
829
830	if (length != wpabuf_len(buf)) {
831		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
832			   "RX: %lu)", (unsigned long) length,
833			   (unsigned long) wpabuf_len(buf));
834		return -1;
835	}
836
837	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
838		return -1;
839
840	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
841	    IKEV2_HDR_RESPONSE) {
842		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
843			   hdr->flags);
844		return -1;
845	}
846
847	if (data->state != SA_INIT) {
848		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
849			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
850				   "Initiator's SPI");
851			return -1;
852		}
853		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
854			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
855				   "Responder's SPI");
856			return -1;
857		}
858	}
859
860	pos = (const u8 *) (hdr + 1);
861	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
862		return -1;
863
864	switch (data->state) {
865	case SA_INIT:
866		if (ikev2_process_sa_init(data, hdr, &pl) < 0)
867			return -1;
868		wpabuf_free(data->r_sign_msg);
869		data->r_sign_msg = wpabuf_dup(buf);
870		break;
871	case SA_AUTH:
872		if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
873			return -1;
874		break;
875	case CHILD_SA:
876	case IKEV2_DONE:
877		break;
878	}
879
880	return 0;
881}
882
883
884static void ikev2_build_hdr(struct ikev2_initiator_data *data,
885			    struct wpabuf *msg, u8 exchange_type,
886			    u8 next_payload, u32 message_id)
887{
888	struct ikev2_hdr *hdr;
889
890	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
891
892	/* HDR - RFC 4306, Sect. 3.1 */
893	hdr = wpabuf_put(msg, sizeof(*hdr));
894	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
895	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
896	hdr->next_payload = next_payload;
897	hdr->version = IKEV2_VERSION;
898	hdr->exchange_type = exchange_type;
899	hdr->flags = IKEV2_HDR_INITIATOR;
900	WPA_PUT_BE32(hdr->message_id, message_id);
901}
902
903
904static int ikev2_build_sai(struct ikev2_initiator_data *data,
905			    struct wpabuf *msg, u8 next_payload)
906{
907	struct ikev2_payload_hdr *phdr;
908	size_t plen;
909	struct ikev2_proposal *p;
910	struct ikev2_transform *t;
911
912	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
913
914	/* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
915	phdr = wpabuf_put(msg, sizeof(*phdr));
916	phdr->next_payload = next_payload;
917	phdr->flags = 0;
918
919	/* TODO: support for multiple proposals */
920	p = wpabuf_put(msg, sizeof(*p));
921	p->proposal_num = data->proposal.proposal_num;
922	p->protocol_id = IKEV2_PROTOCOL_IKE;
923	p->num_transforms = 4;
924
925	t = wpabuf_put(msg, sizeof(*t));
926	t->type = 3;
927	t->transform_type = IKEV2_TRANSFORM_ENCR;
928	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
929	if (data->proposal.encr == ENCR_AES_CBC) {
930		/* Transform Attribute: Key Len = 128 bits */
931		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
932		wpabuf_put_be16(msg, 128); /* 128-bit key */
933	}
934	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
935	WPA_PUT_BE16(t->transform_length, plen);
936
937	t = wpabuf_put(msg, sizeof(*t));
938	t->type = 3;
939	WPA_PUT_BE16(t->transform_length, sizeof(*t));
940	t->transform_type = IKEV2_TRANSFORM_PRF;
941	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
942
943	t = wpabuf_put(msg, sizeof(*t));
944	t->type = 3;
945	WPA_PUT_BE16(t->transform_length, sizeof(*t));
946	t->transform_type = IKEV2_TRANSFORM_INTEG;
947	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
948
949	t = wpabuf_put(msg, sizeof(*t));
950	WPA_PUT_BE16(t->transform_length, sizeof(*t));
951	t->transform_type = IKEV2_TRANSFORM_DH;
952	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
953
954	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
955	WPA_PUT_BE16(p->proposal_length, plen);
956
957	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
958	WPA_PUT_BE16(phdr->payload_length, plen);
959
960	return 0;
961}
962
963
964static int ikev2_build_kei(struct ikev2_initiator_data *data,
965			   struct wpabuf *msg, u8 next_payload)
966{
967	struct ikev2_payload_hdr *phdr;
968	size_t plen;
969	struct wpabuf *pv;
970
971	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
972
973	data->dh = dh_groups_get(data->proposal.dh);
974	pv = dh_init(data->dh, &data->i_dh_private);
975	if (pv == NULL) {
976		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
977		return -1;
978	}
979
980	/* KEi - RFC 4306, Sect. 3.4 */
981	phdr = wpabuf_put(msg, sizeof(*phdr));
982	phdr->next_payload = next_payload;
983	phdr->flags = 0;
984
985	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
986	wpabuf_put(msg, 2); /* RESERVED */
987	/*
988	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
989	 * match the length of the prime.
990	 */
991	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
992	wpabuf_put_buf(msg, pv);
993	wpabuf_free(pv);
994
995	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
996	WPA_PUT_BE16(phdr->payload_length, plen);
997	return 0;
998}
999
1000
1001static int ikev2_build_ni(struct ikev2_initiator_data *data,
1002			  struct wpabuf *msg, u8 next_payload)
1003{
1004	struct ikev2_payload_hdr *phdr;
1005	size_t plen;
1006
1007	wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1008
1009	/* Ni - RFC 4306, Sect. 3.9 */
1010	phdr = wpabuf_put(msg, sizeof(*phdr));
1011	phdr->next_payload = next_payload;
1012	phdr->flags = 0;
1013	wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1014	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1015	WPA_PUT_BE16(phdr->payload_length, plen);
1016	return 0;
1017}
1018
1019
1020static int ikev2_build_idi(struct ikev2_initiator_data *data,
1021			   struct wpabuf *msg, u8 next_payload)
1022{
1023	struct ikev2_payload_hdr *phdr;
1024	size_t plen;
1025
1026	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1027
1028	if (data->IDi == NULL) {
1029		wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1030		return -1;
1031	}
1032
1033	/* IDi - RFC 4306, Sect. 3.5 */
1034	phdr = wpabuf_put(msg, sizeof(*phdr));
1035	phdr->next_payload = next_payload;
1036	phdr->flags = 0;
1037	wpabuf_put_u8(msg, ID_KEY_ID);
1038	wpabuf_put(msg, 3); /* RESERVED */
1039	wpabuf_put_data(msg, data->IDi, data->IDi_len);
1040	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1041	WPA_PUT_BE16(phdr->payload_length, plen);
1042	return 0;
1043}
1044
1045
1046static int ikev2_build_auth(struct ikev2_initiator_data *data,
1047			    struct wpabuf *msg, u8 next_payload)
1048{
1049	struct ikev2_payload_hdr *phdr;
1050	size_t plen;
1051	const struct ikev2_prf_alg *prf;
1052
1053	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1054
1055	prf = ikev2_get_prf(data->proposal.prf);
1056	if (prf == NULL)
1057		return -1;
1058
1059	/* Authentication - RFC 4306, Sect. 3.8 */
1060	phdr = wpabuf_put(msg, sizeof(*phdr));
1061	phdr->next_payload = next_payload;
1062	phdr->flags = 0;
1063	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1064	wpabuf_put(msg, 3); /* RESERVED */
1065
1066	/* msg | Nr | prf(SK_pi,IDi') */
1067	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1068				   data->IDi, data->IDi_len, ID_KEY_ID,
1069				   &data->keys, 1, data->shared_secret,
1070				   data->shared_secret_len,
1071				   data->r_nonce, data->r_nonce_len,
1072				   data->key_pad, data->key_pad_len,
1073				   wpabuf_put(msg, prf->hash_len)) < 0) {
1074		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1075		return -1;
1076	}
1077	wpabuf_free(data->i_sign_msg);
1078	data->i_sign_msg = NULL;
1079
1080	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1081	WPA_PUT_BE16(phdr->payload_length, plen);
1082	return 0;
1083}
1084
1085
1086static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1087{
1088	struct wpabuf *msg;
1089
1090	/* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1091
1092	if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1093		return NULL;
1094	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1095		    data->i_spi, IKEV2_SPI_LEN);
1096
1097	data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1098	if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1099		return NULL;
1100	wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1101
1102	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1103	if (msg == NULL)
1104		return NULL;
1105
1106	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1107	if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1108	    ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1109	    ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1110		wpabuf_free(msg);
1111		return NULL;
1112	}
1113
1114	ikev2_update_hdr(msg);
1115
1116	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1117
1118	wpabuf_free(data->i_sign_msg);
1119	data->i_sign_msg = wpabuf_dup(msg);
1120
1121	return msg;
1122}
1123
1124
1125static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1126{
1127	struct wpabuf *msg, *plain;
1128	const u8 *secret;
1129	size_t secret_len;
1130
1131	secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1132					 data->IDr_len, &secret_len);
1133	if (secret == NULL) {
1134		wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1135			   "use fake value");
1136		/* RFC 5106, Sect. 7:
1137		 * Use a random key to fake AUTH generation in order to prevent
1138		 * probing of user identities.
1139		 */
1140		data->unknown_user = 1;
1141		os_free(data->shared_secret);
1142		data->shared_secret = os_malloc(16);
1143		if (data->shared_secret == NULL)
1144			return NULL;
1145		data->shared_secret_len = 16;
1146		if (random_get_bytes(data->shared_secret, 16))
1147			return NULL;
1148	} else {
1149		os_free(data->shared_secret);
1150		data->shared_secret = os_malloc(secret_len);
1151		if (data->shared_secret == NULL)
1152			return NULL;
1153		os_memcpy(data->shared_secret, secret, secret_len);
1154		data->shared_secret_len = secret_len;
1155	}
1156
1157	/* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1158
1159	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1160	if (msg == NULL)
1161		return NULL;
1162	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1163
1164	plain = wpabuf_alloc(data->IDr_len + 1000);
1165	if (plain == NULL) {
1166		wpabuf_free(msg);
1167		return NULL;
1168	}
1169
1170	if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1171	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1172	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1173				  &data->keys, 1, msg, plain,
1174				  IKEV2_PAYLOAD_IDi)) {
1175		wpabuf_free(plain);
1176		wpabuf_free(msg);
1177		return NULL;
1178	}
1179	wpabuf_free(plain);
1180
1181	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1182
1183	return msg;
1184}
1185
1186
1187struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1188{
1189	switch (data->state) {
1190	case SA_INIT:
1191		return ikev2_build_sa_init(data);
1192	case SA_AUTH:
1193		return ikev2_build_sa_auth(data);
1194	case CHILD_SA:
1195		return NULL;
1196	case IKEV2_DONE:
1197		return NULL;
1198	}
1199	return NULL;
1200}
1201