2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
17 static int ikev2_process_idr(struct ikev2_initiator_data
*data
,
18 const u8
*idr
, size_t idr_len
);
21 void ikev2_initiator_deinit(struct ikev2_initiator_data
*data
)
23 ikev2_free_keys(&data
->keys
);
24 wpabuf_free(data
->r_dh_public
);
25 wpabuf_free(data
->i_dh_private
);
28 os_free(data
->shared_secret
);
29 wpabuf_free(data
->i_sign_msg
);
30 wpabuf_free(data
->r_sign_msg
);
31 os_free(data
->key_pad
);
35 static int ikev2_derive_keys(struct ikev2_initiator_data
*data
)
37 u8
*buf
, *pos
, *pad
, skeyseed
[IKEV2_MAX_HASH_LEN
];
38 size_t buf_len
, pad_len
;
39 struct wpabuf
*shared
;
40 const struct ikev2_integ_alg
*integ
;
41 const struct ikev2_prf_alg
*prf
;
42 const struct ikev2_encr_alg
*encr
;
47 /* RFC 4306, Sect. 2.14 */
49 integ
= ikev2_get_integ(data
->proposal
.integ
);
50 prf
= ikev2_get_prf(data
->proposal
.prf
);
51 encr
= ikev2_get_encr(data
->proposal
.encr
);
52 if (integ
== NULL
|| prf
== NULL
|| encr
== NULL
) {
53 wpa_printf(MSG_INFO
, "IKEV2: Unsupported proposal");
57 shared
= dh_derive_shared(data
->r_dh_public
, data
->i_dh_private
,
62 /* Construct Ni | Nr | SPIi | SPIr */
64 buf_len
= data
->i_nonce_len
+ data
->r_nonce_len
+ 2 * IKEV2_SPI_LEN
;
65 buf
= os_malloc(buf_len
);
72 os_memcpy(pos
, data
->i_nonce
, data
->i_nonce_len
);
73 pos
+= data
->i_nonce_len
;
74 os_memcpy(pos
, data
->r_nonce
, data
->r_nonce_len
);
75 pos
+= data
->r_nonce_len
;
76 os_memcpy(pos
, data
->i_spi
, IKEV2_SPI_LEN
);
78 os_memcpy(pos
, data
->r_spi
, IKEV2_SPI_LEN
);
80 /* SKEYSEED = prf(Ni | Nr, g^ir) */
82 /* Use zero-padding per RFC 4306, Sect. 2.14 */
83 pad_len
= data
->dh
->prime_len
- wpabuf_len(shared
);
84 pad
= os_zalloc(pad_len
? pad_len
: 1);
92 addr
[1] = wpabuf_head(shared
);
93 len
[1] = wpabuf_len(shared
);
94 if (ikev2_prf_hash(prf
->id
, buf
, data
->i_nonce_len
+ data
->r_nonce_len
,
95 2, addr
, len
, skeyseed
) < 0) {
104 /* DH parameters are not needed anymore, so free them */
105 wpabuf_free(data
->r_dh_public
);
106 data
->r_dh_public
= NULL
;
107 wpabuf_free(data
->i_dh_private
);
108 data
->i_dh_private
= NULL
;
110 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SKEYSEED",
111 skeyseed
, prf
->hash_len
);
113 ret
= ikev2_derive_sk_keys(prf
, integ
, encr
, skeyseed
, buf
, buf_len
,
120 static int ikev2_parse_transform(struct ikev2_initiator_data
*data
,
121 struct ikev2_proposal_data
*prop
,
122 const u8
*pos
, const u8
*end
)
125 const struct ikev2_transform
*t
;
129 if (end
- pos
< (int) sizeof(*t
)) {
130 wpa_printf(MSG_INFO
, "IKEV2: Too short transform");
134 t
= (const struct ikev2_transform
*) pos
;
135 transform_len
= WPA_GET_BE16(t
->transform_length
);
136 if (transform_len
< (int) sizeof(*t
) || pos
+ transform_len
> end
) {
137 wpa_printf(MSG_INFO
, "IKEV2: Invalid transform length %d",
141 tend
= pos
+ transform_len
;
143 transform_id
= WPA_GET_BE16(t
->transform_id
);
145 wpa_printf(MSG_DEBUG
, "IKEV2: Transform:");
146 wpa_printf(MSG_DEBUG
, "IKEV2: Type: %d Transform Length: %d "
147 "Transform Type: %d Transform ID: %d",
148 t
->type
, transform_len
, t
->transform_type
, transform_id
);
150 if (t
->type
!= 0 && t
->type
!= 3) {
151 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Transform type");
155 pos
= (const u8
*) (t
+ 1);
157 wpa_hexdump(MSG_DEBUG
, "IKEV2: Transform Attributes",
161 switch (t
->transform_type
) {
162 case IKEV2_TRANSFORM_ENCR
:
163 if (ikev2_get_encr(transform_id
) &&
164 transform_id
== data
->proposal
.encr
) {
165 if (transform_id
== ENCR_AES_CBC
) {
166 if (tend
- pos
!= 4) {
167 wpa_printf(MSG_DEBUG
, "IKEV2: No "
168 "Transform Attr for AES");
171 if (WPA_GET_BE16(pos
) != 0x800e) {
172 wpa_printf(MSG_DEBUG
, "IKEV2: Not a "
173 "Key Size attribute for "
177 if (WPA_GET_BE16(pos
+ 2) != 128) {
178 wpa_printf(MSG_DEBUG
, "IKEV2: "
179 "Unsupported AES key size "
181 WPA_GET_BE16(pos
+ 2));
185 prop
->encr
= transform_id
;
188 case IKEV2_TRANSFORM_PRF
:
189 if (ikev2_get_prf(transform_id
) &&
190 transform_id
== data
->proposal
.prf
)
191 prop
->prf
= transform_id
;
193 case IKEV2_TRANSFORM_INTEG
:
194 if (ikev2_get_integ(transform_id
) &&
195 transform_id
== data
->proposal
.integ
)
196 prop
->integ
= transform_id
;
198 case IKEV2_TRANSFORM_DH
:
199 if (dh_groups_get(transform_id
) &&
200 transform_id
== data
->proposal
.dh
)
201 prop
->dh
= transform_id
;
205 return transform_len
;
209 static int ikev2_parse_proposal(struct ikev2_initiator_data
*data
,
210 struct ikev2_proposal_data
*prop
,
211 const u8
*pos
, const u8
*end
)
213 const u8
*pend
, *ppos
;
215 const struct ikev2_proposal
*p
;
217 if (end
- pos
< (int) sizeof(*p
)) {
218 wpa_printf(MSG_INFO
, "IKEV2: Too short proposal");
222 p
= (const struct ikev2_proposal
*) pos
;
223 proposal_len
= WPA_GET_BE16(p
->proposal_length
);
224 if (proposal_len
< (int) sizeof(*p
) || pos
+ proposal_len
> end
) {
225 wpa_printf(MSG_INFO
, "IKEV2: Invalid proposal length %d",
229 wpa_printf(MSG_DEBUG
, "IKEV2: SAi1 Proposal # %d",
231 wpa_printf(MSG_DEBUG
, "IKEV2: Type: %d Proposal Length: %d "
233 p
->type
, proposal_len
, p
->protocol_id
);
234 wpa_printf(MSG_DEBUG
, "IKEV2: SPI Size: %d Transforms: %d",
235 p
->spi_size
, p
->num_transforms
);
237 if (p
->type
!= 0 && p
->type
!= 2) {
238 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Proposal type");
242 if (p
->protocol_id
!= IKEV2_PROTOCOL_IKE
) {
243 wpa_printf(MSG_DEBUG
, "IKEV2: Unexpected Protocol ID "
244 "(only IKE allowed for EAP-IKEv2)");
248 if (p
->proposal_num
!= prop
->proposal_num
) {
249 if (p
->proposal_num
== prop
->proposal_num
+ 1)
250 prop
->proposal_num
= p
->proposal_num
;
252 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Proposal #");
257 ppos
= (const u8
*) (p
+ 1);
258 pend
= pos
+ proposal_len
;
259 if (ppos
+ p
->spi_size
> pend
) {
260 wpa_printf(MSG_INFO
, "IKEV2: Not enough room for SPI "
265 wpa_hexdump(MSG_DEBUG
, "IKEV2: SPI",
271 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
272 * subsequent negotiations, it must be 8 for IKE. We only support
273 * initial case for now.
275 if (p
->spi_size
!= 0) {
276 wpa_printf(MSG_INFO
, "IKEV2: Unexpected SPI Size");
280 if (p
->num_transforms
== 0) {
281 wpa_printf(MSG_INFO
, "IKEV2: At least one transform required");
285 for (i
= 0; i
< (int) p
->num_transforms
; i
++) {
286 int tlen
= ikev2_parse_transform(data
, prop
, ppos
, pend
);
293 wpa_printf(MSG_INFO
, "IKEV2: Unexpected data after "
302 static int ikev2_process_sar1(struct ikev2_initiator_data
*data
,
303 const u8
*sar1
, size_t sar1_len
)
305 struct ikev2_proposal_data prop
;
309 /* Security Association Payloads: <Proposals> */
312 wpa_printf(MSG_INFO
, "IKEV2: SAr1 not received");
316 os_memset(&prop
, 0, sizeof(prop
));
317 prop
.proposal_num
= 1;
320 end
= sar1
+ sar1_len
;
329 plen
= ikev2_parse_proposal(data
, &prop
, pos
, end
);
333 if (!found
&& prop
.integ
!= -1 && prop
.prf
!= -1 &&
334 prop
.encr
!= -1 && prop
.dh
!= -1) {
340 /* Only one proposal expected in SAr */
345 wpa_printf(MSG_INFO
, "IKEV2: Unexpected data after proposal");
350 wpa_printf(MSG_INFO
, "IKEV2: No acceptable proposal found");
354 wpa_printf(MSG_DEBUG
, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
355 "INTEG:%d D-H:%d", data
->proposal
.proposal_num
,
356 data
->proposal
.encr
, data
->proposal
.prf
,
357 data
->proposal
.integ
, data
->proposal
.dh
);
363 static int ikev2_process_ker(struct ikev2_initiator_data
*data
,
364 const u8
*ker
, size_t ker_len
)
369 * Key Exchange Payload:
370 * DH Group # (16 bits)
372 * Key Exchange Data (Diffie-Hellman public value)
376 wpa_printf(MSG_INFO
, "IKEV2: KEr not received");
380 if (ker_len
< 4 + 96) {
381 wpa_printf(MSG_INFO
, "IKEV2: Too show Key Exchange Payload");
385 group
= WPA_GET_BE16(ker
);
386 wpa_printf(MSG_DEBUG
, "IKEV2: KEr DH Group #%u", group
);
388 if (group
!= data
->proposal
.dh
) {
389 wpa_printf(MSG_DEBUG
, "IKEV2: KEr DH Group #%u does not match "
390 "with the selected proposal (%u)",
391 group
, data
->proposal
.dh
);
395 if (data
->dh
== NULL
) {
396 wpa_printf(MSG_INFO
, "IKEV2: Unsupported DH group");
400 /* RFC 4306, Section 3.4:
401 * The length of DH public value MUST be equal to the length of the
404 if (ker_len
- 4 != data
->dh
->prime_len
) {
405 wpa_printf(MSG_INFO
, "IKEV2: Invalid DH public value length "
406 "%ld (expected %ld)",
407 (long) (ker_len
- 4), (long) data
->dh
->prime_len
);
411 wpabuf_free(data
->r_dh_public
);
412 data
->r_dh_public
= wpabuf_alloc_copy(ker
+ 4, ker_len
- 4);
413 if (data
->r_dh_public
== NULL
)
416 wpa_hexdump_buf(MSG_DEBUG
, "IKEV2: KEr Diffie-Hellman Public Value",
423 static int ikev2_process_nr(struct ikev2_initiator_data
*data
,
424 const u8
*nr
, size_t nr_len
)
427 wpa_printf(MSG_INFO
, "IKEV2: Nr not received");
431 if (nr_len
< IKEV2_NONCE_MIN_LEN
|| nr_len
> IKEV2_NONCE_MAX_LEN
) {
432 wpa_printf(MSG_INFO
, "IKEV2: Invalid Nr length %ld",
437 data
->r_nonce_len
= nr_len
;
438 os_memcpy(data
->r_nonce
, nr
, nr_len
);
439 wpa_hexdump(MSG_MSGDUMP
, "IKEV2: Nr",
440 data
->r_nonce
, data
->r_nonce_len
);
446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data
*data
,
447 const struct ikev2_hdr
*hdr
,
449 size_t encrypted_len
, u8 next_payload
)
452 size_t decrypted_len
;
453 struct ikev2_payloads pl
;
456 decrypted
= ikev2_decrypt_payload(data
->proposal
.encr
,
457 data
->proposal
.integ
, &data
->keys
, 0,
458 hdr
, encrypted
, encrypted_len
,
460 if (decrypted
== NULL
)
463 wpa_printf(MSG_DEBUG
, "IKEV2: Processing decrypted payloads");
465 if (ikev2_parse_payloads(&pl
, next_payload
, decrypted
,
466 decrypted
+ decrypted_len
) < 0) {
467 wpa_printf(MSG_INFO
, "IKEV2: Failed to parse decrypted "
473 ret
= ikev2_process_idr(data
, pl
.idr
, pl
.idr_len
);
481 static int ikev2_process_sa_init(struct ikev2_initiator_data
*data
,
482 const struct ikev2_hdr
*hdr
,
483 struct ikev2_payloads
*pl
)
485 if (ikev2_process_sar1(data
, pl
->sa
, pl
->sa_len
) < 0 ||
486 ikev2_process_ker(data
, pl
->ke
, pl
->ke_len
) < 0 ||
487 ikev2_process_nr(data
, pl
->nonce
, pl
->nonce_len
) < 0)
490 os_memcpy(data
->r_spi
, hdr
->r_spi
, IKEV2_SPI_LEN
);
492 if (ikev2_derive_keys(data
) < 0)
496 wpa_printf(MSG_DEBUG
, "IKEV2: Encrypted payload in SA_INIT - "
497 "try to get IDr from it");
498 if (ikev2_process_sa_init_encr(data
, hdr
, pl
->encrypted
,
500 pl
->encr_next_payload
) < 0) {
501 wpa_printf(MSG_INFO
, "IKEV2: Failed to process "
502 "encrypted payload");
507 data
->state
= SA_AUTH
;
513 static int ikev2_process_idr(struct ikev2_initiator_data
*data
,
514 const u8
*idr
, size_t idr_len
)
519 wpa_printf(MSG_INFO
, "IKEV2: No IDr received");
524 wpa_printf(MSG_INFO
, "IKEV2: Too short IDr payload");
532 wpa_printf(MSG_DEBUG
, "IKEV2: IDr ID Type %d", id_type
);
533 wpa_hexdump_ascii(MSG_DEBUG
, "IKEV2: IDr", idr
, idr_len
);
535 if (id_type
!= data
->IDr_type
|| idr_len
!= data
->IDr_len
||
536 os_memcmp(idr
, data
->IDr
, idr_len
) != 0) {
537 wpa_printf(MSG_INFO
, "IKEV2: IDr differs from the one "
539 wpa_printf(MSG_DEBUG
, "IKEV2: Previous IDr ID Type %d",
541 wpa_hexdump_ascii(MSG_DEBUG
, "Previous IKEV2: IDr",
542 data
->IDr
, data
->IDr_len
);
547 data
->IDr
= os_malloc(idr_len
);
548 if (data
->IDr
== NULL
)
550 os_memcpy(data
->IDr
, idr
, idr_len
);
551 data
->IDr_len
= idr_len
;
552 data
->IDr_type
= id_type
;
558 static int ikev2_process_cert(struct ikev2_initiator_data
*data
,
559 const u8
*cert
, size_t cert_len
)
564 if (data
->peer_auth
== PEER_AUTH_CERT
) {
565 wpa_printf(MSG_INFO
, "IKEV2: No Certificate received");
572 wpa_printf(MSG_INFO
, "IKEV2: No Cert Encoding field");
576 cert_encoding
= cert
[0];
580 wpa_printf(MSG_DEBUG
, "IKEV2: Cert Encoding %d", cert_encoding
);
581 wpa_hexdump(MSG_MSGDUMP
, "IKEV2: Certificate Data", cert
, cert_len
);
583 /* TODO: validate certificate */
589 static int ikev2_process_auth_cert(struct ikev2_initiator_data
*data
,
590 u8 method
, const u8
*auth
, size_t auth_len
)
592 if (method
!= AUTH_RSA_SIGN
) {
593 wpa_printf(MSG_INFO
, "IKEV2: Unsupported authentication "
594 "method %d", method
);
598 /* TODO: validate AUTH */
603 static int ikev2_process_auth_secret(struct ikev2_initiator_data
*data
,
604 u8 method
, const u8
*auth
,
607 u8 auth_data
[IKEV2_MAX_HASH_LEN
];
608 const struct ikev2_prf_alg
*prf
;
610 if (method
!= AUTH_SHARED_KEY_MIC
) {
611 wpa_printf(MSG_INFO
, "IKEV2: Unsupported authentication "
612 "method %d", method
);
616 /* msg | Ni | prf(SK_pr,IDr') */
617 if (ikev2_derive_auth_data(data
->proposal
.prf
, data
->r_sign_msg
,
618 data
->IDr
, data
->IDr_len
, data
->IDr_type
,
619 &data
->keys
, 0, data
->shared_secret
,
620 data
->shared_secret_len
,
621 data
->i_nonce
, data
->i_nonce_len
,
622 data
->key_pad
, data
->key_pad_len
,
624 wpa_printf(MSG_INFO
, "IKEV2: Could not derive AUTH data");
628 wpabuf_free(data
->r_sign_msg
);
629 data
->r_sign_msg
= NULL
;
631 prf
= ikev2_get_prf(data
->proposal
.prf
);
635 if (auth_len
!= prf
->hash_len
||
636 os_memcmp(auth
, auth_data
, auth_len
) != 0) {
637 wpa_printf(MSG_INFO
, "IKEV2: Invalid Authentication Data");
638 wpa_hexdump(MSG_DEBUG
, "IKEV2: Received Authentication Data",
640 wpa_hexdump(MSG_DEBUG
, "IKEV2: Expected Authentication Data",
641 auth_data
, prf
->hash_len
);
645 wpa_printf(MSG_DEBUG
, "IKEV2: Peer authenticated successfully "
646 "using shared keys");
652 static int ikev2_process_auth(struct ikev2_initiator_data
*data
,
653 const u8
*auth
, size_t auth_len
)
658 wpa_printf(MSG_INFO
, "IKEV2: No Authentication Payload");
663 wpa_printf(MSG_INFO
, "IKEV2: Too short Authentication "
668 auth_method
= auth
[0];
672 wpa_printf(MSG_DEBUG
, "IKEV2: Auth Method %d", auth_method
);
673 wpa_hexdump(MSG_MSGDUMP
, "IKEV2: Authentication Data", auth
, auth_len
);
675 switch (data
->peer_auth
) {
677 return ikev2_process_auth_cert(data
, auth_method
, auth
,
679 case PEER_AUTH_SECRET
:
680 return ikev2_process_auth_secret(data
, auth_method
, auth
,
688 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data
*data
,
690 u8
*payload
, size_t payload_len
)
692 struct ikev2_payloads pl
;
694 wpa_printf(MSG_DEBUG
, "IKEV2: Processing decrypted payloads");
696 if (ikev2_parse_payloads(&pl
, next_payload
, payload
, payload
+
698 wpa_printf(MSG_INFO
, "IKEV2: Failed to parse decrypted "
703 if (ikev2_process_idr(data
, pl
.idr
, pl
.idr_len
) < 0 ||
704 ikev2_process_cert(data
, pl
.cert
, pl
.cert_len
) < 0 ||
705 ikev2_process_auth(data
, pl
.auth
, pl
.auth_len
) < 0)
712 static int ikev2_process_sa_auth(struct ikev2_initiator_data
*data
,
713 const struct ikev2_hdr
*hdr
,
714 struct ikev2_payloads
*pl
)
717 size_t decrypted_len
;
720 decrypted
= ikev2_decrypt_payload(data
->proposal
.encr
,
721 data
->proposal
.integ
,
722 &data
->keys
, 0, hdr
, pl
->encrypted
,
723 pl
->encrypted_len
, &decrypted_len
);
724 if (decrypted
== NULL
)
727 ret
= ikev2_process_sa_auth_decrypted(data
, pl
->encr_next_payload
,
728 decrypted
, decrypted_len
);
731 if (ret
== 0 && !data
->unknown_user
) {
732 wpa_printf(MSG_DEBUG
, "IKEV2: Authentication completed");
733 data
->state
= IKEV2_DONE
;
740 static int ikev2_validate_rx_state(struct ikev2_initiator_data
*data
,
741 u8 exchange_type
, u32 message_id
)
743 switch (data
->state
) {
745 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
747 if (exchange_type
!= IKE_SA_INIT
) {
748 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Exchange Type "
749 "%u in SA_INIT state", exchange_type
);
752 if (message_id
!= 0) {
753 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Message ID %u "
754 "in SA_INIT state", message_id
);
759 /* Expect to receive IKE_SA_AUTH:
760 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
762 if (exchange_type
!= IKE_SA_AUTH
) {
763 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Exchange Type "
764 "%u in SA_AUTH state", exchange_type
);
767 if (message_id
!= 1) {
768 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Message ID %u "
769 "in SA_AUTH state", message_id
);
774 if (exchange_type
!= CREATE_CHILD_SA
) {
775 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Exchange Type "
776 "%u in CHILD_SA state", exchange_type
);
779 if (message_id
!= 2) {
780 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Message ID %u "
781 "in CHILD_SA state", message_id
);
793 int ikev2_initiator_process(struct ikev2_initiator_data
*data
,
794 const struct wpabuf
*buf
)
796 const struct ikev2_hdr
*hdr
;
797 u32 length
, message_id
;
799 struct ikev2_payloads pl
;
801 wpa_printf(MSG_MSGDUMP
, "IKEV2: Received message (len %lu)",
802 (unsigned long) wpabuf_len(buf
));
804 if (wpabuf_len(buf
) < sizeof(*hdr
)) {
805 wpa_printf(MSG_INFO
, "IKEV2: Too short frame to include HDR");
809 hdr
= (const struct ikev2_hdr
*) wpabuf_head(buf
);
810 end
= wpabuf_head_u8(buf
) + wpabuf_len(buf
);
811 message_id
= WPA_GET_BE32(hdr
->message_id
);
812 length
= WPA_GET_BE32(hdr
->length
);
814 wpa_hexdump(MSG_DEBUG
, "IKEV2: IKE_SA Initiator's SPI",
815 hdr
->i_spi
, IKEV2_SPI_LEN
);
816 wpa_hexdump(MSG_DEBUG
, "IKEV2: IKE_SA Initiator's SPI",
817 hdr
->r_spi
, IKEV2_SPI_LEN
);
818 wpa_printf(MSG_DEBUG
, "IKEV2: Next Payload: %u Version: 0x%x "
820 hdr
->next_payload
, hdr
->version
, hdr
->exchange_type
);
821 wpa_printf(MSG_DEBUG
, "IKEV2: Message ID: %u Length: %u",
824 if (hdr
->version
!= IKEV2_VERSION
) {
825 wpa_printf(MSG_INFO
, "IKEV2: Unsupported HDR version 0x%x "
826 "(expected 0x%x)", hdr
->version
, IKEV2_VERSION
);
830 if (length
!= wpabuf_len(buf
)) {
831 wpa_printf(MSG_INFO
, "IKEV2: Invalid length (HDR: %lu != "
832 "RX: %lu)", (unsigned long) length
,
833 (unsigned long) wpabuf_len(buf
));
837 if (ikev2_validate_rx_state(data
, hdr
->exchange_type
, message_id
) < 0)
840 if ((hdr
->flags
& (IKEV2_HDR_INITIATOR
| IKEV2_HDR_RESPONSE
)) !=
841 IKEV2_HDR_RESPONSE
) {
842 wpa_printf(MSG_INFO
, "IKEV2: Unexpected Flags value 0x%x",
847 if (data
->state
!= SA_INIT
) {
848 if (os_memcmp(data
->i_spi
, hdr
->i_spi
, IKEV2_SPI_LEN
) != 0) {
849 wpa_printf(MSG_INFO
, "IKEV2: Unexpected IKE_SA "
853 if (os_memcmp(data
->r_spi
, hdr
->r_spi
, IKEV2_SPI_LEN
) != 0) {
854 wpa_printf(MSG_INFO
, "IKEV2: Unexpected IKE_SA "
860 pos
= (const u8
*) (hdr
+ 1);
861 if (ikev2_parse_payloads(&pl
, hdr
->next_payload
, pos
, end
) < 0)
864 switch (data
->state
) {
866 if (ikev2_process_sa_init(data
, hdr
, &pl
) < 0)
868 wpabuf_free(data
->r_sign_msg
);
869 data
->r_sign_msg
= wpabuf_dup(buf
);
872 if (ikev2_process_sa_auth(data
, hdr
, &pl
) < 0)
884 static void ikev2_build_hdr(struct ikev2_initiator_data
*data
,
885 struct wpabuf
*msg
, u8 exchange_type
,
886 u8 next_payload
, u32 message_id
)
888 struct ikev2_hdr
*hdr
;
890 wpa_printf(MSG_DEBUG
, "IKEV2: Adding HDR");
892 /* HDR - RFC 4306, Sect. 3.1 */
893 hdr
= wpabuf_put(msg
, sizeof(*hdr
));
894 os_memcpy(hdr
->i_spi
, data
->i_spi
, IKEV2_SPI_LEN
);
895 os_memcpy(hdr
->r_spi
, data
->r_spi
, IKEV2_SPI_LEN
);
896 hdr
->next_payload
= next_payload
;
897 hdr
->version
= IKEV2_VERSION
;
898 hdr
->exchange_type
= exchange_type
;
899 hdr
->flags
= IKEV2_HDR_INITIATOR
;
900 WPA_PUT_BE32(hdr
->message_id
, message_id
);
904 static int ikev2_build_sai(struct ikev2_initiator_data
*data
,
905 struct wpabuf
*msg
, u8 next_payload
)
907 struct ikev2_payload_hdr
*phdr
;
909 struct ikev2_proposal
*p
;
910 struct ikev2_transform
*t
;
912 wpa_printf(MSG_DEBUG
, "IKEV2: Adding SAi payload");
914 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
915 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
916 phdr
->next_payload
= next_payload
;
919 /* TODO: support for multiple proposals */
920 p
= wpabuf_put(msg
, sizeof(*p
));
921 p
->proposal_num
= data
->proposal
.proposal_num
;
922 p
->protocol_id
= IKEV2_PROTOCOL_IKE
;
923 p
->num_transforms
= 4;
925 t
= wpabuf_put(msg
, sizeof(*t
));
927 t
->transform_type
= IKEV2_TRANSFORM_ENCR
;
928 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.encr
);
929 if (data
->proposal
.encr
== ENCR_AES_CBC
) {
930 /* Transform Attribute: Key Len = 128 bits */
931 wpabuf_put_be16(msg
, 0x800e); /* AF=1, AttrType=14 */
932 wpabuf_put_be16(msg
, 128); /* 128-bit key */
934 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) t
;
935 WPA_PUT_BE16(t
->transform_length
, plen
);
937 t
= wpabuf_put(msg
, sizeof(*t
));
939 WPA_PUT_BE16(t
->transform_length
, sizeof(*t
));
940 t
->transform_type
= IKEV2_TRANSFORM_PRF
;
941 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.prf
);
943 t
= wpabuf_put(msg
, sizeof(*t
));
945 WPA_PUT_BE16(t
->transform_length
, sizeof(*t
));
946 t
->transform_type
= IKEV2_TRANSFORM_INTEG
;
947 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.integ
);
949 t
= wpabuf_put(msg
, sizeof(*t
));
950 WPA_PUT_BE16(t
->transform_length
, sizeof(*t
));
951 t
->transform_type
= IKEV2_TRANSFORM_DH
;
952 WPA_PUT_BE16(t
->transform_id
, data
->proposal
.dh
);
954 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) p
;
955 WPA_PUT_BE16(p
->proposal_length
, plen
);
957 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
958 WPA_PUT_BE16(phdr
->payload_length
, plen
);
964 static int ikev2_build_kei(struct ikev2_initiator_data
*data
,
965 struct wpabuf
*msg
, u8 next_payload
)
967 struct ikev2_payload_hdr
*phdr
;
971 wpa_printf(MSG_DEBUG
, "IKEV2: Adding KEi payload");
973 data
->dh
= dh_groups_get(data
->proposal
.dh
);
974 pv
= dh_init(data
->dh
, &data
->i_dh_private
);
976 wpa_printf(MSG_DEBUG
, "IKEV2: Failed to initialize DH");
980 /* KEi - RFC 4306, Sect. 3.4 */
981 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
982 phdr
->next_payload
= next_payload
;
985 wpabuf_put_be16(msg
, data
->proposal
.dh
); /* DH Group # */
986 wpabuf_put(msg
, 2); /* RESERVED */
988 * RFC 4306, Sect. 3.4: possible zero padding for public value to
989 * match the length of the prime.
991 wpabuf_put(msg
, data
->dh
->prime_len
- wpabuf_len(pv
));
992 wpabuf_put_buf(msg
, pv
);
995 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
996 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1001 static int ikev2_build_ni(struct ikev2_initiator_data
*data
,
1002 struct wpabuf
*msg
, u8 next_payload
)
1004 struct ikev2_payload_hdr
*phdr
;
1007 wpa_printf(MSG_DEBUG
, "IKEV2: Adding Ni payload");
1009 /* Ni - RFC 4306, Sect. 3.9 */
1010 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
1011 phdr
->next_payload
= next_payload
;
1013 wpabuf_put_data(msg
, data
->i_nonce
, data
->i_nonce_len
);
1014 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1015 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1020 static int ikev2_build_idi(struct ikev2_initiator_data
*data
,
1021 struct wpabuf
*msg
, u8 next_payload
)
1023 struct ikev2_payload_hdr
*phdr
;
1026 wpa_printf(MSG_DEBUG
, "IKEV2: Adding IDi payload");
1028 if (data
->IDi
== NULL
) {
1029 wpa_printf(MSG_INFO
, "IKEV2: No IDi available");
1033 /* IDi - RFC 4306, Sect. 3.5 */
1034 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
1035 phdr
->next_payload
= next_payload
;
1037 wpabuf_put_u8(msg
, ID_KEY_ID
);
1038 wpabuf_put(msg
, 3); /* RESERVED */
1039 wpabuf_put_data(msg
, data
->IDi
, data
->IDi_len
);
1040 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1041 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1046 static int ikev2_build_auth(struct ikev2_initiator_data
*data
,
1047 struct wpabuf
*msg
, u8 next_payload
)
1049 struct ikev2_payload_hdr
*phdr
;
1051 const struct ikev2_prf_alg
*prf
;
1053 wpa_printf(MSG_DEBUG
, "IKEV2: Adding AUTH payload");
1055 prf
= ikev2_get_prf(data
->proposal
.prf
);
1059 /* Authentication - RFC 4306, Sect. 3.8 */
1060 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
1061 phdr
->next_payload
= next_payload
;
1063 wpabuf_put_u8(msg
, AUTH_SHARED_KEY_MIC
);
1064 wpabuf_put(msg
, 3); /* RESERVED */
1066 /* msg | Nr | prf(SK_pi,IDi') */
1067 if (ikev2_derive_auth_data(data
->proposal
.prf
, data
->i_sign_msg
,
1068 data
->IDi
, data
->IDi_len
, ID_KEY_ID
,
1069 &data
->keys
, 1, data
->shared_secret
,
1070 data
->shared_secret_len
,
1071 data
->r_nonce
, data
->r_nonce_len
,
1072 data
->key_pad
, data
->key_pad_len
,
1073 wpabuf_put(msg
, prf
->hash_len
)) < 0) {
1074 wpa_printf(MSG_INFO
, "IKEV2: Could not derive AUTH data");
1077 wpabuf_free(data
->i_sign_msg
);
1078 data
->i_sign_msg
= NULL
;
1080 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
1081 WPA_PUT_BE16(phdr
->payload_length
, plen
);
1086 static struct wpabuf
* ikev2_build_sa_init(struct ikev2_initiator_data
*data
)
1090 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1092 if (os_get_random(data
->i_spi
, IKEV2_SPI_LEN
))
1094 wpa_hexdump(MSG_DEBUG
, "IKEV2: IKE_SA Initiator's SPI",
1095 data
->i_spi
, IKEV2_SPI_LEN
);
1097 data
->i_nonce_len
= IKEV2_NONCE_MIN_LEN
;
1098 if (random_get_bytes(data
->i_nonce
, data
->i_nonce_len
))
1100 wpa_hexdump(MSG_DEBUG
, "IKEV2: Ni", data
->i_nonce
, data
->i_nonce_len
);
1102 msg
= wpabuf_alloc(sizeof(struct ikev2_hdr
) + 1000);
1106 ikev2_build_hdr(data
, msg
, IKE_SA_INIT
, IKEV2_PAYLOAD_SA
, 0);
1107 if (ikev2_build_sai(data
, msg
, IKEV2_PAYLOAD_KEY_EXCHANGE
) ||
1108 ikev2_build_kei(data
, msg
, IKEV2_PAYLOAD_NONCE
) ||
1109 ikev2_build_ni(data
, msg
, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
)) {
1114 ikev2_update_hdr(msg
);
1116 wpa_hexdump_buf(MSG_MSGDUMP
, "IKEV2: Sending message (SA_INIT)", msg
);
1118 wpabuf_free(data
->i_sign_msg
);
1119 data
->i_sign_msg
= wpabuf_dup(msg
);
1125 static struct wpabuf
* ikev2_build_sa_auth(struct ikev2_initiator_data
*data
)
1127 struct wpabuf
*msg
, *plain
;
1131 secret
= data
->get_shared_secret(data
->cb_ctx
, data
->IDr
,
1132 data
->IDr_len
, &secret_len
);
1133 if (secret
== NULL
) {
1134 wpa_printf(MSG_INFO
, "IKEV2: Could not get shared secret - "
1136 /* RFC 5106, Sect. 7:
1137 * Use a random key to fake AUTH generation in order to prevent
1138 * probing of user identities.
1140 data
->unknown_user
= 1;
1141 os_free(data
->shared_secret
);
1142 data
->shared_secret
= os_malloc(16);
1143 if (data
->shared_secret
== NULL
)
1145 data
->shared_secret_len
= 16;
1146 if (random_get_bytes(data
->shared_secret
, 16))
1149 os_free(data
->shared_secret
);
1150 data
->shared_secret
= os_malloc(secret_len
);
1151 if (data
->shared_secret
== NULL
)
1153 os_memcpy(data
->shared_secret
, secret
, secret_len
);
1154 data
->shared_secret_len
= secret_len
;
1157 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1159 msg
= wpabuf_alloc(sizeof(struct ikev2_hdr
) + data
->IDr_len
+ 1000);
1162 ikev2_build_hdr(data
, msg
, IKE_SA_AUTH
, IKEV2_PAYLOAD_ENCRYPTED
, 1);
1164 plain
= wpabuf_alloc(data
->IDr_len
+ 1000);
1165 if (plain
== NULL
) {
1170 if (ikev2_build_idi(data
, plain
, IKEV2_PAYLOAD_AUTHENTICATION
) ||
1171 ikev2_build_auth(data
, plain
, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
) ||
1172 ikev2_build_encrypted(data
->proposal
.encr
, data
->proposal
.integ
,
1173 &data
->keys
, 1, msg
, plain
,
1174 IKEV2_PAYLOAD_IDi
)) {
1181 wpa_hexdump_buf(MSG_MSGDUMP
, "IKEV2: Sending message (SA_AUTH)", msg
);
1187 struct wpabuf
* ikev2_initiator_build(struct ikev2_initiator_data
*data
)
1189 switch (data
->state
) {
1191 return ikev2_build_sa_init(data
);
1193 return ikev2_build_sa_auth(data
);