2 * IKEv2 common routines for initiator and responder
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "crypto/random.h"
16 #include "ikev2_common.h"
19 static struct ikev2_integ_alg ikev2_integ_algs
[] = {
20 { AUTH_HMAC_SHA1_96
, 20, 12 },
21 { AUTH_HMAC_MD5_96
, 16, 12 }
24 #define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs)
27 static struct ikev2_prf_alg ikev2_prf_algs
[] = {
28 { PRF_HMAC_SHA1
, 20, 20 },
29 { PRF_HMAC_MD5
, 16, 16 }
32 #define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs)
35 static struct ikev2_encr_alg ikev2_encr_algs
[] = {
36 { ENCR_AES_CBC
, 16, 16 }, /* only 128-bit keys supported for now */
40 #define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs)
43 const struct ikev2_integ_alg
* ikev2_get_integ(int id
)
47 for (i
= 0; i
< NUM_INTEG_ALGS
; i
++) {
48 if (ikev2_integ_algs
[i
].id
== id
)
49 return &ikev2_integ_algs
[i
];
56 int ikev2_integ_hash(int alg
, const u8
*key
, size_t key_len
, const u8
*data
,
57 size_t data_len
, u8
*hash
)
59 u8 tmphash
[IKEV2_MAX_HASH_LEN
];
62 case AUTH_HMAC_SHA1_96
:
65 hmac_sha1(key
, key_len
, data
, data_len
, tmphash
);
66 os_memcpy(hash
, tmphash
, 12);
68 case AUTH_HMAC_MD5_96
:
71 hmac_md5(key
, key_len
, data
, data_len
, tmphash
);
72 os_memcpy(hash
, tmphash
, 12);
82 const struct ikev2_prf_alg
* ikev2_get_prf(int id
)
86 for (i
= 0; i
< NUM_PRF_ALGS
; i
++) {
87 if (ikev2_prf_algs
[i
].id
== id
)
88 return &ikev2_prf_algs
[i
];
95 int ikev2_prf_hash(int alg
, const u8
*key
, size_t key_len
,
96 size_t num_elem
, const u8
*addr
[], const size_t *len
,
101 hmac_sha1_vector(key
, key_len
, num_elem
, addr
, len
, hash
);
104 hmac_md5_vector(key
, key_len
, num_elem
, addr
, len
, hash
);
114 int ikev2_prf_plus(int alg
, const u8
*key
, size_t key_len
,
115 const u8
*data
, size_t data_len
,
116 u8
*out
, size_t out_len
)
118 u8 hash
[IKEV2_MAX_HASH_LEN
];
123 const struct ikev2_prf_alg
*prf
;
126 prf
= ikev2_get_prf(alg
);
129 hash_len
= prf
->hash_len
;
144 res
= ikev2_prf_hash(alg
, key
, key_len
, 2, &addr
[1],
147 res
= ikev2_prf_hash(alg
, key
, key_len
, 3, addr
, len
,
152 if ((int) clen
> end
- pos
)
154 os_memcpy(pos
, hash
, clen
);
163 const struct ikev2_encr_alg
* ikev2_get_encr(int id
)
167 for (i
= 0; i
< NUM_ENCR_ALGS
; i
++) {
168 if (ikev2_encr_algs
[i
].id
== id
)
169 return &ikev2_encr_algs
[i
];
176 int ikev2_encr_encrypt(int alg
, const u8
*key
, size_t key_len
, const u8
*iv
,
177 const u8
*plain
, u8
*crypt
, size_t len
)
179 struct crypto_cipher
*cipher
;
184 encr_alg
= CRYPTO_CIPHER_ALG_3DES
;
187 encr_alg
= CRYPTO_CIPHER_ALG_AES
;
190 wpa_printf(MSG_DEBUG
, "IKEV2: Unsupported encr alg %d", alg
);
194 cipher
= crypto_cipher_init(encr_alg
, iv
, key
, key_len
);
195 if (cipher
== NULL
) {
196 wpa_printf(MSG_INFO
, "IKEV2: Failed to initialize cipher");
200 if (crypto_cipher_encrypt(cipher
, plain
, crypt
, len
) < 0) {
201 wpa_printf(MSG_INFO
, "IKEV2: Encryption failed");
202 crypto_cipher_deinit(cipher
);
205 crypto_cipher_deinit(cipher
);
211 int ikev2_encr_decrypt(int alg
, const u8
*key
, size_t key_len
, const u8
*iv
,
212 const u8
*crypt
, u8
*plain
, size_t len
)
214 struct crypto_cipher
*cipher
;
219 encr_alg
= CRYPTO_CIPHER_ALG_3DES
;
222 encr_alg
= CRYPTO_CIPHER_ALG_AES
;
225 wpa_printf(MSG_DEBUG
, "IKEV2: Unsupported encr alg %d", alg
);
229 cipher
= crypto_cipher_init(encr_alg
, iv
, key
, key_len
);
230 if (cipher
== NULL
) {
231 wpa_printf(MSG_INFO
, "IKEV2: Failed to initialize cipher");
235 if (crypto_cipher_decrypt(cipher
, crypt
, plain
, len
) < 0) {
236 wpa_printf(MSG_INFO
, "IKEV2: Decryption failed");
237 crypto_cipher_deinit(cipher
);
240 crypto_cipher_deinit(cipher
);
246 int ikev2_parse_payloads(struct ikev2_payloads
*payloads
,
247 u8 next_payload
, const u8
*pos
, const u8
*end
)
249 const struct ikev2_payload_hdr
*phdr
;
251 os_memset(payloads
, 0, sizeof(*payloads
));
253 while (next_payload
!= IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
) {
256 wpa_printf(MSG_DEBUG
, "IKEV2: Processing payload %u",
258 if (end
- pos
< (int) sizeof(*phdr
)) {
259 wpa_printf(MSG_INFO
, "IKEV2: Too short message for "
260 "payload header (left=%ld)",
263 phdr
= (const struct ikev2_payload_hdr
*) pos
;
264 plen
= WPA_GET_BE16(phdr
->payload_length
);
265 if (plen
< (int) sizeof(*phdr
) || pos
+ plen
> end
) {
266 wpa_printf(MSG_INFO
, "IKEV2: Invalid payload header "
271 wpa_printf(MSG_DEBUG
, "IKEV2: Next Payload: %u Flags: 0x%x"
272 " Payload Length: %d",
273 phdr
->next_payload
, phdr
->flags
, plen
);
275 pdata
= (const u8
*) (phdr
+ 1);
276 pdatalen
= plen
- sizeof(*phdr
);
278 switch (next_payload
) {
279 case IKEV2_PAYLOAD_SA
:
280 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: Security "
282 payloads
->sa
= pdata
;
283 payloads
->sa_len
= pdatalen
;
285 case IKEV2_PAYLOAD_KEY_EXCHANGE
:
286 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: Key "
288 payloads
->ke
= pdata
;
289 payloads
->ke_len
= pdatalen
;
291 case IKEV2_PAYLOAD_IDi
:
292 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: IDi");
293 payloads
->idi
= pdata
;
294 payloads
->idi_len
= pdatalen
;
296 case IKEV2_PAYLOAD_IDr
:
297 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: IDr");
298 payloads
->idr
= pdata
;
299 payloads
->idr_len
= pdatalen
;
301 case IKEV2_PAYLOAD_CERTIFICATE
:
302 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: Certificate");
303 payloads
->cert
= pdata
;
304 payloads
->cert_len
= pdatalen
;
306 case IKEV2_PAYLOAD_AUTHENTICATION
:
307 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: "
309 payloads
->auth
= pdata
;
310 payloads
->auth_len
= pdatalen
;
312 case IKEV2_PAYLOAD_NONCE
:
313 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: Nonce");
314 payloads
->nonce
= pdata
;
315 payloads
->nonce_len
= pdatalen
;
317 case IKEV2_PAYLOAD_ENCRYPTED
:
318 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: Encrypted");
319 payloads
->encrypted
= pdata
;
320 payloads
->encrypted_len
= pdatalen
;
322 case IKEV2_PAYLOAD_NOTIFICATION
:
323 wpa_printf(MSG_DEBUG
, "IKEV2: Payload: "
325 payloads
->notification
= pdata
;
326 payloads
->notification_len
= pdatalen
;
329 if (phdr
->flags
& IKEV2_PAYLOAD_FLAGS_CRITICAL
) {
330 wpa_printf(MSG_INFO
, "IKEV2: Unsupported "
331 "critical payload %u - reject the "
332 "entire message", next_payload
);
335 wpa_printf(MSG_DEBUG
, "IKEV2: Skipped "
336 "unsupported payload %u",
341 if (next_payload
== IKEV2_PAYLOAD_ENCRYPTED
&&
344 * Next Payload in the case of Encrypted Payload is
345 * actually the payload type for the first embedded
348 payloads
->encr_next_payload
= phdr
->next_payload
;
349 next_payload
= IKEV2_PAYLOAD_NO_NEXT_PAYLOAD
;
351 next_payload
= phdr
->next_payload
;
357 wpa_printf(MSG_INFO
, "IKEV2: Unexpected extra data after "
366 int ikev2_derive_auth_data(int prf_alg
, const struct wpabuf
*sign_msg
,
367 const u8
*ID
, size_t ID_len
, u8 ID_type
,
368 struct ikev2_keys
*keys
, int initiator
,
369 const u8
*shared_secret
, size_t shared_secret_len
,
370 const u8
*nonce
, size_t nonce_len
,
371 const u8
*key_pad
, size_t key_pad_len
,
374 size_t sign_len
, buf_len
;
375 u8
*sign_data
, *pos
, *buf
, hash
[IKEV2_MAX_HASH_LEN
];
376 const struct ikev2_prf_alg
*prf
;
377 const u8
*SK_p
= initiator
? keys
->SK_pi
: keys
->SK_pr
;
379 prf
= ikev2_get_prf(prf_alg
);
380 if (sign_msg
== NULL
|| ID
== NULL
|| SK_p
== NULL
||
381 shared_secret
== NULL
|| nonce
== NULL
|| prf
== NULL
)
384 /* prf(SK_pi/r,IDi/r') */
385 buf_len
= 4 + ID_len
;
386 buf
= os_zalloc(buf_len
);
390 os_memcpy(buf
+ 4, ID
, ID_len
);
391 if (ikev2_prf_hash(prf
->id
, SK_p
, keys
->SK_prf_len
,
392 1, (const u8
**) &buf
, &buf_len
, hash
) < 0) {
398 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
399 sign_len
= wpabuf_len(sign_msg
) + nonce_len
+ prf
->hash_len
;
400 sign_data
= os_malloc(sign_len
);
401 if (sign_data
== NULL
)
404 os_memcpy(pos
, wpabuf_head(sign_msg
), wpabuf_len(sign_msg
));
405 pos
+= wpabuf_len(sign_msg
);
406 os_memcpy(pos
, nonce
, nonce_len
);
408 os_memcpy(pos
, hash
, prf
->hash_len
);
410 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
411 if (ikev2_prf_hash(prf
->id
, shared_secret
, shared_secret_len
, 1,
412 &key_pad
, &key_pad_len
, hash
) < 0 ||
413 ikev2_prf_hash(prf
->id
, hash
, prf
->hash_len
, 1,
414 (const u8
**) &sign_data
, &sign_len
, auth_data
) < 0)
425 u8
* ikev2_decrypt_payload(int encr_id
, int integ_id
,
426 struct ikev2_keys
*keys
, int initiator
,
427 const struct ikev2_hdr
*hdr
,
428 const u8
*encrypted
, size_t encrypted_len
,
432 const u8
*pos
, *end
, *iv
, *integ
;
433 u8 hash
[IKEV2_MAX_HASH_LEN
], *decrypted
;
434 size_t decrypted_len
, pad_len
;
435 const struct ikev2_integ_alg
*integ_alg
;
436 const struct ikev2_encr_alg
*encr_alg
;
437 const u8
*SK_e
= initiator
? keys
->SK_ei
: keys
->SK_er
;
438 const u8
*SK_a
= initiator
? keys
->SK_ai
: keys
->SK_ar
;
440 if (encrypted
== NULL
) {
441 wpa_printf(MSG_INFO
, "IKEV2: No Encrypted payload in SA_AUTH");
445 encr_alg
= ikev2_get_encr(encr_id
);
446 if (encr_alg
== NULL
) {
447 wpa_printf(MSG_INFO
, "IKEV2: Unsupported encryption type");
450 iv_len
= encr_alg
->block_size
;
452 integ_alg
= ikev2_get_integ(integ_id
);
453 if (integ_alg
== NULL
) {
454 wpa_printf(MSG_INFO
, "IKEV2: Unsupported intergrity type");
458 if (encrypted_len
< iv_len
+ 1 + integ_alg
->hash_len
) {
459 wpa_printf(MSG_INFO
, "IKEV2: No room for IV or Integrity "
466 end
= encrypted
+ encrypted_len
;
467 integ
= end
- integ_alg
->hash_len
;
470 wpa_printf(MSG_INFO
, "IKEV2: No SK_a available");
473 if (ikev2_integ_hash(integ_id
, SK_a
, keys
->SK_integ_len
,
475 integ
- (const u8
*) hdr
, hash
) < 0) {
476 wpa_printf(MSG_INFO
, "IKEV2: Failed to calculate integrity "
480 if (os_memcmp(integ
, hash
, integ_alg
->hash_len
) != 0) {
481 wpa_printf(MSG_INFO
, "IKEV2: Incorrect Integrity Checksum "
487 wpa_printf(MSG_INFO
, "IKEV2: No SK_e available");
491 decrypted_len
= integ
- pos
;
492 decrypted
= os_malloc(decrypted_len
);
493 if (decrypted
== NULL
)
496 if (ikev2_encr_decrypt(encr_alg
->id
, SK_e
, keys
->SK_encr_len
, iv
, pos
,
497 decrypted
, decrypted_len
) < 0) {
502 pad_len
= decrypted
[decrypted_len
- 1];
503 if (decrypted_len
< pad_len
+ 1) {
504 wpa_printf(MSG_INFO
, "IKEV2: Invalid padding in encrypted "
510 decrypted_len
-= pad_len
+ 1;
512 *res_len
= decrypted_len
;
517 void ikev2_update_hdr(struct wpabuf
*msg
)
519 struct ikev2_hdr
*hdr
;
521 /* Update lenth field in HDR */
522 hdr
= wpabuf_mhead(msg
);
523 WPA_PUT_BE32(hdr
->length
, wpabuf_len(msg
));
527 int ikev2_build_encrypted(int encr_id
, int integ_id
, struct ikev2_keys
*keys
,
528 int initiator
, struct wpabuf
*msg
,
529 struct wpabuf
*plain
, u8 next_payload
)
531 struct ikev2_payload_hdr
*phdr
;
533 size_t iv_len
, pad_len
;
535 const struct ikev2_integ_alg
*integ_alg
;
536 const struct ikev2_encr_alg
*encr_alg
;
537 const u8
*SK_e
= initiator
? keys
->SK_ei
: keys
->SK_er
;
538 const u8
*SK_a
= initiator
? keys
->SK_ai
: keys
->SK_ar
;
540 wpa_printf(MSG_DEBUG
, "IKEV2: Adding Encrypted payload");
542 /* Encr - RFC 4306, Sect. 3.14 */
544 encr_alg
= ikev2_get_encr(encr_id
);
545 if (encr_alg
== NULL
) {
546 wpa_printf(MSG_INFO
, "IKEV2: Unsupported encryption type");
549 iv_len
= encr_alg
->block_size
;
551 integ_alg
= ikev2_get_integ(integ_id
);
552 if (integ_alg
== NULL
) {
553 wpa_printf(MSG_INFO
, "IKEV2: Unsupported intergrity type");
558 wpa_printf(MSG_INFO
, "IKEV2: No SK_e available");
563 wpa_printf(MSG_INFO
, "IKEV2: No SK_a available");
567 phdr
= wpabuf_put(msg
, sizeof(*phdr
));
568 phdr
->next_payload
= next_payload
;
571 iv
= wpabuf_put(msg
, iv_len
);
572 if (random_get_bytes(iv
, iv_len
)) {
573 wpa_printf(MSG_INFO
, "IKEV2: Could not generate IV");
577 pad_len
= iv_len
- (wpabuf_len(plain
) + 1) % iv_len
;
578 if (pad_len
== iv_len
)
580 wpabuf_put(plain
, pad_len
);
581 wpabuf_put_u8(plain
, pad_len
);
583 if (ikev2_encr_encrypt(encr_alg
->id
, SK_e
, keys
->SK_encr_len
, iv
,
584 wpabuf_head(plain
), wpabuf_mhead(plain
),
585 wpabuf_len(plain
)) < 0)
588 wpabuf_put_buf(msg
, plain
);
590 /* Need to update all headers (Length fields) prior to hash func */
591 icv
= wpabuf_put(msg
, integ_alg
->hash_len
);
592 plen
= (u8
*) wpabuf_put(msg
, 0) - (u8
*) phdr
;
593 WPA_PUT_BE16(phdr
->payload_length
, plen
);
595 ikev2_update_hdr(msg
);
597 return ikev2_integ_hash(integ_id
, SK_a
, keys
->SK_integ_len
,
599 wpabuf_len(msg
) - integ_alg
->hash_len
, icv
);
605 int ikev2_keys_set(struct ikev2_keys
*keys
)
607 return keys
->SK_d
&& keys
->SK_ai
&& keys
->SK_ar
&& keys
->SK_ei
&&
608 keys
->SK_er
&& keys
->SK_pi
&& keys
->SK_pr
;
612 void ikev2_free_keys(struct ikev2_keys
*keys
)
615 os_free(keys
->SK_ai
);
616 os_free(keys
->SK_ar
);
617 os_free(keys
->SK_ei
);
618 os_free(keys
->SK_er
);
619 os_free(keys
->SK_pi
);
620 os_free(keys
->SK_pr
);
621 keys
->SK_d
= keys
->SK_ai
= keys
->SK_ar
= keys
->SK_ei
= keys
->SK_er
=
622 keys
->SK_pi
= keys
->SK_pr
= NULL
;
626 int ikev2_derive_sk_keys(const struct ikev2_prf_alg
*prf
,
627 const struct ikev2_integ_alg
*integ
,
628 const struct ikev2_encr_alg
*encr
,
629 const u8
*skeyseed
, const u8
*data
, size_t data_len
,
630 struct ikev2_keys
*keys
)
636 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
637 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
639 ikev2_free_keys(keys
);
640 keys
->SK_d_len
= prf
->key_len
;
641 keys
->SK_integ_len
= integ
->key_len
;
642 keys
->SK_encr_len
= encr
->key_len
;
643 keys
->SK_prf_len
= prf
->key_len
;
645 keybuf_len
= keys
->SK_d_len
+ 2 * keys
->SK_integ_len
+
646 2 * keys
->SK_encr_len
+ 2 * keys
->SK_prf_len
;
647 keybuf
= os_malloc(keybuf_len
);
651 if (ikev2_prf_plus(prf
->id
, skeyseed
, prf
->hash_len
,
652 data
, data_len
, keybuf
, keybuf_len
)) {
659 keys
->SK_d
= os_malloc(keys
->SK_d_len
);
661 os_memcpy(keys
->SK_d
, pos
, keys
->SK_d_len
);
662 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_d",
663 keys
->SK_d
, keys
->SK_d_len
);
665 pos
+= keys
->SK_d_len
;
667 keys
->SK_ai
= os_malloc(keys
->SK_integ_len
);
669 os_memcpy(keys
->SK_ai
, pos
, keys
->SK_integ_len
);
670 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_ai",
671 keys
->SK_ai
, keys
->SK_integ_len
);
673 pos
+= keys
->SK_integ_len
;
675 keys
->SK_ar
= os_malloc(keys
->SK_integ_len
);
677 os_memcpy(keys
->SK_ar
, pos
, keys
->SK_integ_len
);
678 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_ar",
679 keys
->SK_ar
, keys
->SK_integ_len
);
681 pos
+= keys
->SK_integ_len
;
683 keys
->SK_ei
= os_malloc(keys
->SK_encr_len
);
685 os_memcpy(keys
->SK_ei
, pos
, keys
->SK_encr_len
);
686 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_ei",
687 keys
->SK_ei
, keys
->SK_encr_len
);
689 pos
+= keys
->SK_encr_len
;
691 keys
->SK_er
= os_malloc(keys
->SK_encr_len
);
693 os_memcpy(keys
->SK_er
, pos
, keys
->SK_encr_len
);
694 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_er",
695 keys
->SK_er
, keys
->SK_encr_len
);
697 pos
+= keys
->SK_encr_len
;
699 keys
->SK_pi
= os_malloc(keys
->SK_prf_len
);
701 os_memcpy(keys
->SK_pi
, pos
, keys
->SK_prf_len
);
702 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_pi",
703 keys
->SK_pi
, keys
->SK_prf_len
);
705 pos
+= keys
->SK_prf_len
;
707 keys
->SK_pr
= os_malloc(keys
->SK_prf_len
);
709 os_memcpy(keys
->SK_pr
, pos
, keys
->SK_prf_len
);
710 wpa_hexdump_key(MSG_DEBUG
, "IKEV2: SK_pr",
711 keys
->SK_pr
, keys
->SK_prf_len
);
716 if (!ikev2_keys_set(keys
)) {
717 ikev2_free_keys(keys
);