1 /*
2 * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
14 #include "ikev2.h"
15
16
17 static int ikev2_process_idr(struct ikev2_initiator_data *data,
18 const u8 *idr, size_t idr_len);
19
20
ikev2_initiator_deinit(struct ikev2_initiator_data * data)21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
22 {
23 ikev2_free_keys(&data->keys);
24 wpabuf_free(data->r_dh_public);
25 wpabuf_free(data->i_dh_private);
26 os_free(data->IDi);
27 os_free(data->IDr);
28 os_free(data->shared_secret);
29 wpabuf_free(data->i_sign_msg);
30 wpabuf_free(data->r_sign_msg);
31 os_free(data->key_pad);
32 }
33
34
ikev2_derive_keys(struct ikev2_initiator_data * data)35 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
36 {
37 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
38 size_t buf_len, pad_len;
39 struct wpabuf *shared;
40 const struct ikev2_integ_alg *integ;
41 const struct ikev2_prf_alg *prf;
42 const struct ikev2_encr_alg *encr;
43 int ret;
44 const u8 *addr[2];
45 size_t len[2];
46
47 /* RFC 4306, Sect. 2.14 */
48
49 integ = ikev2_get_integ(data->proposal.integ);
50 prf = ikev2_get_prf(data->proposal.prf);
51 encr = ikev2_get_encr(data->proposal.encr);
52 if (integ == NULL || prf == NULL || encr == NULL) {
53 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
54 return -1;
55 }
56
57 shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
58 data->dh);
59 if (shared == NULL)
60 return -1;
61
62 /* Construct Ni | Nr | SPIi | SPIr */
63
64 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
65 buf = os_malloc(buf_len);
66 if (buf == NULL) {
67 wpabuf_free(shared);
68 return -1;
69 }
70
71 pos = buf;
72 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
73 pos += data->i_nonce_len;
74 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
75 pos += data->r_nonce_len;
76 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
77 pos += IKEV2_SPI_LEN;
78 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
79
80 /* SKEYSEED = prf(Ni | Nr, g^ir) */
81
82 /* Use zero-padding per RFC 4306, Sect. 2.14 */
83 pad_len = data->dh->prime_len - wpabuf_len(shared);
84 pad = os_zalloc(pad_len ? pad_len : 1);
85 if (pad == NULL) {
86 wpabuf_free(shared);
87 os_free(buf);
88 return -1;
89 }
90 addr[0] = pad;
91 len[0] = pad_len;
92 addr[1] = wpabuf_head(shared);
93 len[1] = wpabuf_len(shared);
94 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
95 2, addr, len, skeyseed) < 0) {
96 wpabuf_free(shared);
97 os_free(buf);
98 os_free(pad);
99 return -1;
100 }
101 os_free(pad);
102 wpabuf_free(shared);
103
104 /* DH parameters are not needed anymore, so free them */
105 wpabuf_free(data->r_dh_public);
106 data->r_dh_public = NULL;
107 wpabuf_free(data->i_dh_private);
108 data->i_dh_private = NULL;
109
110 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
111 skeyseed, prf->hash_len);
112
113 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
114 &data->keys);
115 os_free(buf);
116 return ret;
117 }
118
119
ikev2_parse_transform(struct ikev2_initiator_data * data,struct ikev2_proposal_data * prop,const u8 * pos,const u8 * end)120 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
121 struct ikev2_proposal_data *prop,
122 const u8 *pos, const u8 *end)
123 {
124 int transform_len;
125 const struct ikev2_transform *t;
126 u16 transform_id;
127 const u8 *tend;
128
129 if (end - pos < (int) sizeof(*t)) {
130 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
131 return -1;
132 }
133
134 t = (const struct ikev2_transform *) pos;
135 transform_len = WPA_GET_BE16(t->transform_length);
136 if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
137 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
138 transform_len);
139 return -1;
140 }
141 tend = pos + transform_len;
142
143 transform_id = WPA_GET_BE16(t->transform_id);
144
145 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
146 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
147 "Transform Type: %d Transform ID: %d",
148 t->type, transform_len, t->transform_type, transform_id);
149
150 if (t->type != 0 && t->type != 3) {
151 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
152 return -1;
153 }
154
155 pos = (const u8 *) (t + 1);
156 if (pos < tend) {
157 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
158 pos, tend - pos);
159 }
160
161 switch (t->transform_type) {
162 case IKEV2_TRANSFORM_ENCR:
163 if (ikev2_get_encr(transform_id) &&
164 transform_id == data->proposal.encr) {
165 if (transform_id == ENCR_AES_CBC) {
166 if (tend - pos != 4) {
167 wpa_printf(MSG_DEBUG, "IKEV2: No "
168 "Transform Attr for AES");
169 break;
170 }
171 if (WPA_GET_BE16(pos) != 0x800e) {
172 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
173 "Key Size attribute for "
174 "AES");
175 break;
176 }
177 if (WPA_GET_BE16(pos + 2) != 128) {
178 wpa_printf(MSG_DEBUG, "IKEV2: "
179 "Unsupported AES key size "
180 "%d bits",
181 WPA_GET_BE16(pos + 2));
182 break;
183 }
184 }
185 prop->encr = transform_id;
186 }
187 break;
188 case IKEV2_TRANSFORM_PRF:
189 if (ikev2_get_prf(transform_id) &&
190 transform_id == data->proposal.prf)
191 prop->prf = transform_id;
192 break;
193 case IKEV2_TRANSFORM_INTEG:
194 if (ikev2_get_integ(transform_id) &&
195 transform_id == data->proposal.integ)
196 prop->integ = transform_id;
197 break;
198 case IKEV2_TRANSFORM_DH:
199 if (dh_groups_get(transform_id) &&
200 transform_id == data->proposal.dh)
201 prop->dh = transform_id;
202 break;
203 }
204
205 return transform_len;
206 }
207
208
ikev2_parse_proposal(struct ikev2_initiator_data * data,struct ikev2_proposal_data * prop,const u8 * pos,const u8 * end)209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
210 struct ikev2_proposal_data *prop,
211 const u8 *pos, const u8 *end)
212 {
213 const u8 *pend, *ppos;
214 int proposal_len, i;
215 const struct ikev2_proposal *p;
216
217 if (end - pos < (int) sizeof(*p)) {
218 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
219 return -1;
220 }
221
222 p = (const struct ikev2_proposal *) pos;
223 proposal_len = WPA_GET_BE16(p->proposal_length);
224 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
225 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
226 proposal_len);
227 return -1;
228 }
229 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
230 p->proposal_num);
231 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
232 " Protocol ID: %d",
233 p->type, proposal_len, p->protocol_id);
234 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
235 p->spi_size, p->num_transforms);
236
237 if (p->type != 0 && p->type != 2) {
238 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
239 return -1;
240 }
241
242 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
243 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
244 "(only IKE allowed for EAP-IKEv2)");
245 return -1;
246 }
247
248 if (p->proposal_num != prop->proposal_num) {
249 if (p->proposal_num == prop->proposal_num + 1)
250 prop->proposal_num = p->proposal_num;
251 else {
252 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
253 return -1;
254 }
255 }
256
257 ppos = (const u8 *) (p + 1);
258 pend = pos + proposal_len;
259 if (p->spi_size > pend - ppos) {
260 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
261 "in proposal");
262 return -1;
263 }
264 if (p->spi_size) {
265 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
266 ppos, p->spi_size);
267 ppos += p->spi_size;
268 }
269
270 /*
271 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
272 * subsequent negotiations, it must be 8 for IKE. We only support
273 * initial case for now.
274 */
275 if (p->spi_size != 0) {
276 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
277 return -1;
278 }
279
280 if (p->num_transforms == 0) {
281 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
282 return -1;
283 }
284
285 for (i = 0; i < (int) p->num_transforms; i++) {
286 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
287 if (tlen < 0)
288 return -1;
289 ppos += tlen;
290 }
291
292 if (ppos != pend) {
293 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
294 "transforms");
295 return -1;
296 }
297
298 return proposal_len;
299 }
300
301
ikev2_process_sar1(struct ikev2_initiator_data * data,const u8 * sar1,size_t sar1_len)302 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
303 const u8 *sar1, size_t sar1_len)
304 {
305 struct ikev2_proposal_data prop;
306 const u8 *pos, *end;
307 int found = 0;
308
309 /* Security Association Payloads: <Proposals> */
310
311 if (sar1 == NULL) {
312 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
313 return -1;
314 }
315
316 os_memset(&prop, 0, sizeof(prop));
317 prop.proposal_num = 1;
318
319 pos = sar1;
320 end = sar1 + sar1_len;
321
322 while (pos < end) {
323 int plen;
324
325 prop.integ = -1;
326 prop.prf = -1;
327 prop.encr = -1;
328 prop.dh = -1;
329 plen = ikev2_parse_proposal(data, &prop, pos, end);
330 if (plen < 0)
331 return -1;
332
333 if (!found && prop.integ != -1 && prop.prf != -1 &&
334 prop.encr != -1 && prop.dh != -1) {
335 found = 1;
336 }
337
338 pos += plen;
339
340 /* Only one proposal expected in SAr */
341 break;
342 }
343
344 if (pos != end) {
345 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
346 return -1;
347 }
348
349 if (!found) {
350 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
351 return -1;
352 }
353
354 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
355 "INTEG:%d D-H:%d", data->proposal.proposal_num,
356 data->proposal.encr, data->proposal.prf,
357 data->proposal.integ, data->proposal.dh);
358
359 return 0;
360 }
361
362
ikev2_process_ker(struct ikev2_initiator_data * data,const u8 * ker,size_t ker_len)363 static int ikev2_process_ker(struct ikev2_initiator_data *data,
364 const u8 *ker, size_t ker_len)
365 {
366 u16 group;
367
368 /*
369 * Key Exchange Payload:
370 * DH Group # (16 bits)
371 * RESERVED (16 bits)
372 * Key Exchange Data (Diffie-Hellman public value)
373 */
374
375 if (ker == NULL) {
376 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
377 return -1;
378 }
379
380 if (ker_len < 4 + 96) {
381 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
382 return -1;
383 }
384
385 group = WPA_GET_BE16(ker);
386 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
387
388 if (group != data->proposal.dh) {
389 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
390 "with the selected proposal (%u)",
391 group, data->proposal.dh);
392 return -1;
393 }
394
395 if (data->dh == NULL) {
396 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
397 return -1;
398 }
399
400 /* RFC 4306, Section 3.4:
401 * The length of DH public value MUST be equal to the length of the
402 * prime modulus.
403 */
404 if (ker_len - 4 != data->dh->prime_len) {
405 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
406 "%ld (expected %ld)",
407 (long) (ker_len - 4), (long) data->dh->prime_len);
408 return -1;
409 }
410
411 wpabuf_free(data->r_dh_public);
412 data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
413 if (data->r_dh_public == NULL)
414 return -1;
415
416 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
417 data->r_dh_public);
418
419 return 0;
420 }
421
422
ikev2_process_nr(struct ikev2_initiator_data * data,const u8 * nr,size_t nr_len)423 static int ikev2_process_nr(struct ikev2_initiator_data *data,
424 const u8 *nr, size_t nr_len)
425 {
426 if (nr == NULL) {
427 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
428 return -1;
429 }
430
431 if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
432 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
433 (long) nr_len);
434 return -1;
435 }
436
437 data->r_nonce_len = nr_len;
438 os_memcpy(data->r_nonce, nr, nr_len);
439 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
440 data->r_nonce, data->r_nonce_len);
441
442 return 0;
443 }
444
445
ikev2_process_sa_init_encr(struct ikev2_initiator_data * data,const struct ikev2_hdr * hdr,const u8 * encrypted,size_t encrypted_len,u8 next_payload)446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
447 const struct ikev2_hdr *hdr,
448 const u8 *encrypted,
449 size_t encrypted_len, u8 next_payload)
450 {
451 u8 *decrypted;
452 size_t decrypted_len;
453 struct ikev2_payloads pl;
454 int ret = 0;
455
456 decrypted = ikev2_decrypt_payload(data->proposal.encr,
457 data->proposal.integ, &data->keys, 0,
458 hdr, encrypted, encrypted_len,
459 &decrypted_len);
460 if (decrypted == NULL)
461 return -1;
462
463 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
464
465 if (ikev2_parse_payloads(&pl, next_payload, decrypted,
466 decrypted + decrypted_len) < 0) {
467 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
468 "payloads");
469 return -1;
470 }
471
472 if (pl.idr)
473 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
474
475 os_free(decrypted);
476
477 return ret;
478 }
479
480
ikev2_process_sa_init(struct ikev2_initiator_data * data,const struct ikev2_hdr * hdr,struct ikev2_payloads * pl)481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
482 const struct ikev2_hdr *hdr,
483 struct ikev2_payloads *pl)
484 {
485 if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
486 ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
487 ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
488 return -1;
489
490 os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
491
492 if (ikev2_derive_keys(data) < 0)
493 return -1;
494
495 if (pl->encrypted) {
496 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
497 "try to get IDr from it");
498 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
499 pl->encrypted_len,
500 pl->encr_next_payload) < 0) {
501 wpa_printf(MSG_INFO, "IKEV2: Failed to process "
502 "encrypted payload");
503 return -1;
504 }
505 }
506
507 data->state = SA_AUTH;
508
509 return 0;
510 }
511
512
ikev2_process_idr(struct ikev2_initiator_data * data,const u8 * idr,size_t idr_len)513 static int ikev2_process_idr(struct ikev2_initiator_data *data,
514 const u8 *idr, size_t idr_len)
515 {
516 u8 id_type;
517
518 if (idr == NULL) {
519 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
520 return -1;
521 }
522
523 if (idr_len < 4) {
524 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
525 return -1;
526 }
527
528 id_type = idr[0];
529 idr += 4;
530 idr_len -= 4;
531
532 wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
533 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
534 if (data->IDr) {
535 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
536 os_memcmp(idr, data->IDr, idr_len) != 0) {
537 wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
538 "received earlier");
539 wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
540 id_type);
541 wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
542 data->IDr, data->IDr_len);
543 return -1;
544 }
545 os_free(data->IDr);
546 }
547 data->IDr = os_memdup(idr, idr_len);
548 if (data->IDr == NULL)
549 return -1;
550 data->IDr_len = idr_len;
551 data->IDr_type = id_type;
552
553 return 0;
554 }
555
556
ikev2_process_cert(struct ikev2_initiator_data * data,const u8 * cert,size_t cert_len)557 static int ikev2_process_cert(struct ikev2_initiator_data *data,
558 const u8 *cert, size_t cert_len)
559 {
560 u8 cert_encoding;
561
562 if (cert == NULL) {
563 if (data->peer_auth == PEER_AUTH_CERT) {
564 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
565 return -1;
566 }
567 return 0;
568 }
569
570 if (cert_len < 1) {
571 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
572 return -1;
573 }
574
575 cert_encoding = cert[0];
576 cert++;
577 cert_len--;
578
579 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
580 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
581
582 /* TODO: validate certificate */
583
584 return 0;
585 }
586
587
ikev2_process_auth_cert(struct ikev2_initiator_data * data,u8 method,const u8 * auth,size_t auth_len)588 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
589 u8 method, const u8 *auth, size_t auth_len)
590 {
591 if (method != AUTH_RSA_SIGN) {
592 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
593 "method %d", method);
594 return -1;
595 }
596
597 /* TODO: validate AUTH */
598 return 0;
599 }
600
601
ikev2_process_auth_secret(struct ikev2_initiator_data * data,u8 method,const u8 * auth,size_t auth_len)602 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
603 u8 method, const u8 *auth,
604 size_t auth_len)
605 {
606 u8 auth_data[IKEV2_MAX_HASH_LEN];
607 const struct ikev2_prf_alg *prf;
608
609 if (method != AUTH_SHARED_KEY_MIC) {
610 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
611 "method %d", method);
612 return -1;
613 }
614
615 /* msg | Ni | prf(SK_pr,IDr') */
616 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
617 data->IDr, data->IDr_len, data->IDr_type,
618 &data->keys, 0, data->shared_secret,
619 data->shared_secret_len,
620 data->i_nonce, data->i_nonce_len,
621 data->key_pad, data->key_pad_len,
622 auth_data) < 0) {
623 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
624 return -1;
625 }
626
627 wpabuf_free(data->r_sign_msg);
628 data->r_sign_msg = NULL;
629
630 prf = ikev2_get_prf(data->proposal.prf);
631 if (prf == NULL)
632 return -1;
633
634 if (auth_len != prf->hash_len ||
635 os_memcmp_const(auth, auth_data, auth_len) != 0) {
636 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
637 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
638 auth, auth_len);
639 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
640 auth_data, prf->hash_len);
641 return -1;
642 }
643
644 wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
645 "using shared keys");
646
647 return 0;
648 }
649
650
ikev2_process_auth(struct ikev2_initiator_data * data,const u8 * auth,size_t auth_len)651 static int ikev2_process_auth(struct ikev2_initiator_data *data,
652 const u8 *auth, size_t auth_len)
653 {
654 u8 auth_method;
655
656 if (auth == NULL) {
657 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
658 return -1;
659 }
660
661 if (auth_len < 4) {
662 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
663 "Payload");
664 return -1;
665 }
666
667 auth_method = auth[0];
668 auth += 4;
669 auth_len -= 4;
670
671 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
672 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
673
674 switch (data->peer_auth) {
675 case PEER_AUTH_CERT:
676 return ikev2_process_auth_cert(data, auth_method, auth,
677 auth_len);
678 case PEER_AUTH_SECRET:
679 return ikev2_process_auth_secret(data, auth_method, auth,
680 auth_len);
681 }
682
683 return -1;
684 }
685
686
ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data * data,u8 next_payload,u8 * payload,size_t payload_len)687 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
688 u8 next_payload,
689 u8 *payload, size_t payload_len)
690 {
691 struct ikev2_payloads pl;
692
693 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
694
695 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
696 payload_len) < 0) {
697 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
698 "payloads");
699 return -1;
700 }
701
702 if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
703 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
704 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
705 return -1;
706
707 return 0;
708 }
709
710
ikev2_process_sa_auth(struct ikev2_initiator_data * data,const struct ikev2_hdr * hdr,struct ikev2_payloads * pl)711 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
712 const struct ikev2_hdr *hdr,
713 struct ikev2_payloads *pl)
714 {
715 u8 *decrypted;
716 size_t decrypted_len;
717 int ret;
718
719 decrypted = ikev2_decrypt_payload(data->proposal.encr,
720 data->proposal.integ,
721 &data->keys, 0, hdr, pl->encrypted,
722 pl->encrypted_len, &decrypted_len);
723 if (decrypted == NULL)
724 return -1;
725
726 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
727 decrypted, decrypted_len);
728 os_free(decrypted);
729
730 if (ret == 0 && !data->unknown_user) {
731 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
732 data->state = IKEV2_DONE;
733 }
734
735 return ret;
736 }
737
738
ikev2_validate_rx_state(struct ikev2_initiator_data * data,u8 exchange_type,u32 message_id)739 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
740 u8 exchange_type, u32 message_id)
741 {
742 switch (data->state) {
743 case SA_INIT:
744 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
745 * [SK{IDr}] */
746 if (exchange_type != IKE_SA_INIT) {
747 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
748 "%u in SA_INIT state", exchange_type);
749 return -1;
750 }
751 if (message_id != 0) {
752 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
753 "in SA_INIT state", message_id);
754 return -1;
755 }
756 break;
757 case SA_AUTH:
758 /* Expect to receive IKE_SA_AUTH:
759 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
760 */
761 if (exchange_type != IKE_SA_AUTH) {
762 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
763 "%u in SA_AUTH state", exchange_type);
764 return -1;
765 }
766 if (message_id != 1) {
767 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
768 "in SA_AUTH state", message_id);
769 return -1;
770 }
771 break;
772 case CHILD_SA:
773 if (exchange_type != CREATE_CHILD_SA) {
774 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
775 "%u in CHILD_SA state", exchange_type);
776 return -1;
777 }
778 if (message_id != 2) {
779 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
780 "in CHILD_SA state", message_id);
781 return -1;
782 }
783 break;
784 case IKEV2_DONE:
785 return -1;
786 }
787
788 return 0;
789 }
790
791
ikev2_initiator_process(struct ikev2_initiator_data * data,const struct wpabuf * buf)792 int ikev2_initiator_process(struct ikev2_initiator_data *data,
793 const struct wpabuf *buf)
794 {
795 const struct ikev2_hdr *hdr;
796 u32 length, message_id;
797 const u8 *pos, *end;
798 struct ikev2_payloads pl;
799
800 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
801 (unsigned long) wpabuf_len(buf));
802
803 if (wpabuf_len(buf) < sizeof(*hdr)) {
804 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
805 return -1;
806 }
807
808 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
809 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
810 message_id = WPA_GET_BE32(hdr->message_id);
811 length = WPA_GET_BE32(hdr->length);
812
813 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
814 hdr->i_spi, IKEV2_SPI_LEN);
815 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
816 hdr->r_spi, IKEV2_SPI_LEN);
817 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
818 "Exchange Type: %u",
819 hdr->next_payload, hdr->version, hdr->exchange_type);
820 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
821 message_id, length);
822
823 if (hdr->version != IKEV2_VERSION) {
824 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
825 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
826 return -1;
827 }
828
829 if (length != wpabuf_len(buf)) {
830 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
831 "RX: %lu)", (unsigned long) length,
832 (unsigned long) wpabuf_len(buf));
833 return -1;
834 }
835
836 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
837 return -1;
838
839 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
840 IKEV2_HDR_RESPONSE) {
841 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
842 hdr->flags);
843 return -1;
844 }
845
846 if (data->state != SA_INIT) {
847 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
848 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
849 "Initiator's SPI");
850 return -1;
851 }
852 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
853 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
854 "Responder's SPI");
855 return -1;
856 }
857 }
858
859 pos = (const u8 *) (hdr + 1);
860 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
861 return -1;
862
863 switch (data->state) {
864 case SA_INIT:
865 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
866 return -1;
867 wpabuf_free(data->r_sign_msg);
868 data->r_sign_msg = wpabuf_dup(buf);
869 break;
870 case SA_AUTH:
871 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
872 return -1;
873 break;
874 case CHILD_SA:
875 case IKEV2_DONE:
876 break;
877 }
878
879 return 0;
880 }
881
882
ikev2_build_hdr(struct ikev2_initiator_data * data,struct wpabuf * msg,u8 exchange_type,u8 next_payload,u32 message_id)883 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
884 struct wpabuf *msg, u8 exchange_type,
885 u8 next_payload, u32 message_id)
886 {
887 struct ikev2_hdr *hdr;
888
889 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
890
891 /* HDR - RFC 4306, Sect. 3.1 */
892 hdr = wpabuf_put(msg, sizeof(*hdr));
893 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
894 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
895 hdr->next_payload = next_payload;
896 hdr->version = IKEV2_VERSION;
897 hdr->exchange_type = exchange_type;
898 hdr->flags = IKEV2_HDR_INITIATOR;
899 WPA_PUT_BE32(hdr->message_id, message_id);
900 }
901
902
ikev2_build_sai(struct ikev2_initiator_data * data,struct wpabuf * msg,u8 next_payload)903 static int ikev2_build_sai(struct ikev2_initiator_data *data,
904 struct wpabuf *msg, u8 next_payload)
905 {
906 struct ikev2_payload_hdr *phdr;
907 size_t plen;
908 struct ikev2_proposal *p;
909 struct ikev2_transform *t;
910
911 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
912
913 /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
914 phdr = wpabuf_put(msg, sizeof(*phdr));
915 phdr->next_payload = next_payload;
916 phdr->flags = 0;
917
918 /* TODO: support for multiple proposals */
919 p = wpabuf_put(msg, sizeof(*p));
920 p->proposal_num = data->proposal.proposal_num;
921 p->protocol_id = IKEV2_PROTOCOL_IKE;
922 p->num_transforms = 4;
923
924 t = wpabuf_put(msg, sizeof(*t));
925 t->type = 3;
926 t->transform_type = IKEV2_TRANSFORM_ENCR;
927 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
928 if (data->proposal.encr == ENCR_AES_CBC) {
929 /* Transform Attribute: Key Len = 128 bits */
930 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
931 wpabuf_put_be16(msg, 128); /* 128-bit key */
932 }
933 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
934 WPA_PUT_BE16(t->transform_length, plen);
935
936 t = wpabuf_put(msg, sizeof(*t));
937 t->type = 3;
938 WPA_PUT_BE16(t->transform_length, sizeof(*t));
939 t->transform_type = IKEV2_TRANSFORM_PRF;
940 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
941
942 t = wpabuf_put(msg, sizeof(*t));
943 t->type = 3;
944 WPA_PUT_BE16(t->transform_length, sizeof(*t));
945 t->transform_type = IKEV2_TRANSFORM_INTEG;
946 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
947
948 t = wpabuf_put(msg, sizeof(*t));
949 WPA_PUT_BE16(t->transform_length, sizeof(*t));
950 t->transform_type = IKEV2_TRANSFORM_DH;
951 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
952
953 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
954 WPA_PUT_BE16(p->proposal_length, plen);
955
956 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
957 WPA_PUT_BE16(phdr->payload_length, plen);
958
959 return 0;
960 }
961
962
ikev2_build_kei(struct ikev2_initiator_data * data,struct wpabuf * msg,u8 next_payload)963 static int ikev2_build_kei(struct ikev2_initiator_data *data,
964 struct wpabuf *msg, u8 next_payload)
965 {
966 struct ikev2_payload_hdr *phdr;
967 size_t plen;
968 struct wpabuf *pv;
969
970 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
971
972 data->dh = dh_groups_get(data->proposal.dh);
973 pv = dh_init(data->dh, &data->i_dh_private);
974 if (pv == NULL) {
975 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
976 return -1;
977 }
978
979 /* KEi - RFC 4306, Sect. 3.4 */
980 phdr = wpabuf_put(msg, sizeof(*phdr));
981 phdr->next_payload = next_payload;
982 phdr->flags = 0;
983
984 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
985 wpabuf_put(msg, 2); /* RESERVED */
986 /*
987 * RFC 4306, Sect. 3.4: possible zero padding for public value to
988 * match the length of the prime.
989 */
990 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
991 wpabuf_put_buf(msg, pv);
992 wpabuf_free(pv);
993
994 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
995 WPA_PUT_BE16(phdr->payload_length, plen);
996 return 0;
997 }
998
999
ikev2_build_ni(struct ikev2_initiator_data * data,struct wpabuf * msg,u8 next_payload)1000 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1001 struct wpabuf *msg, u8 next_payload)
1002 {
1003 struct ikev2_payload_hdr *phdr;
1004 size_t plen;
1005
1006 wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1007
1008 /* Ni - RFC 4306, Sect. 3.9 */
1009 phdr = wpabuf_put(msg, sizeof(*phdr));
1010 phdr->next_payload = next_payload;
1011 phdr->flags = 0;
1012 wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1013 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1014 WPA_PUT_BE16(phdr->payload_length, plen);
1015 return 0;
1016 }
1017
1018
ikev2_build_idi(struct ikev2_initiator_data * data,struct wpabuf * msg,u8 next_payload)1019 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1020 struct wpabuf *msg, u8 next_payload)
1021 {
1022 struct ikev2_payload_hdr *phdr;
1023 size_t plen;
1024
1025 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1026
1027 if (data->IDi == NULL) {
1028 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1029 return -1;
1030 }
1031
1032 /* IDi - RFC 4306, Sect. 3.5 */
1033 phdr = wpabuf_put(msg, sizeof(*phdr));
1034 phdr->next_payload = next_payload;
1035 phdr->flags = 0;
1036 wpabuf_put_u8(msg, ID_KEY_ID);
1037 wpabuf_put(msg, 3); /* RESERVED */
1038 wpabuf_put_data(msg, data->IDi, data->IDi_len);
1039 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1040 WPA_PUT_BE16(phdr->payload_length, plen);
1041 return 0;
1042 }
1043
1044
ikev2_build_auth(struct ikev2_initiator_data * data,struct wpabuf * msg,u8 next_payload)1045 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1046 struct wpabuf *msg, u8 next_payload)
1047 {
1048 struct ikev2_payload_hdr *phdr;
1049 size_t plen;
1050 const struct ikev2_prf_alg *prf;
1051
1052 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1053
1054 prf = ikev2_get_prf(data->proposal.prf);
1055 if (prf == NULL)
1056 return -1;
1057
1058 /* Authentication - RFC 4306, Sect. 3.8 */
1059 phdr = wpabuf_put(msg, sizeof(*phdr));
1060 phdr->next_payload = next_payload;
1061 phdr->flags = 0;
1062 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1063 wpabuf_put(msg, 3); /* RESERVED */
1064
1065 /* msg | Nr | prf(SK_pi,IDi') */
1066 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1067 data->IDi, data->IDi_len, ID_KEY_ID,
1068 &data->keys, 1, data->shared_secret,
1069 data->shared_secret_len,
1070 data->r_nonce, data->r_nonce_len,
1071 data->key_pad, data->key_pad_len,
1072 wpabuf_put(msg, prf->hash_len)) < 0) {
1073 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1074 return -1;
1075 }
1076 wpabuf_free(data->i_sign_msg);
1077 data->i_sign_msg = NULL;
1078
1079 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1080 WPA_PUT_BE16(phdr->payload_length, plen);
1081 return 0;
1082 }
1083
1084
ikev2_build_sa_init(struct ikev2_initiator_data * data)1085 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1086 {
1087 struct wpabuf *msg;
1088
1089 /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1090
1091 if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1092 return NULL;
1093 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1094 data->i_spi, IKEV2_SPI_LEN);
1095
1096 data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1097 if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1098 return NULL;
1099 wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1100
1101 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1102 if (msg == NULL)
1103 return NULL;
1104
1105 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1106 if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1107 ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1108 ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1109 wpabuf_free(msg);
1110 return NULL;
1111 }
1112
1113 ikev2_update_hdr(msg);
1114
1115 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1116
1117 wpabuf_free(data->i_sign_msg);
1118 data->i_sign_msg = wpabuf_dup(msg);
1119
1120 return msg;
1121 }
1122
1123
ikev2_build_sa_auth(struct ikev2_initiator_data * data)1124 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1125 {
1126 struct wpabuf *msg, *plain;
1127 const u8 *secret;
1128 size_t secret_len;
1129
1130 secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1131 data->IDr_len, &secret_len);
1132 if (secret == NULL) {
1133 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1134 "use fake value");
1135 /* RFC 5106, Sect. 7:
1136 * Use a random key to fake AUTH generation in order to prevent
1137 * probing of user identities.
1138 */
1139 data->unknown_user = 1;
1140 os_free(data->shared_secret);
1141 data->shared_secret = os_malloc(16);
1142 if (data->shared_secret == NULL)
1143 return NULL;
1144 data->shared_secret_len = 16;
1145 if (random_get_bytes(data->shared_secret, 16))
1146 return NULL;
1147 } else {
1148 os_free(data->shared_secret);
1149 data->shared_secret = os_memdup(secret, secret_len);
1150 if (data->shared_secret == NULL)
1151 return NULL;
1152 data->shared_secret_len = secret_len;
1153 }
1154
1155 /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1156
1157 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1158 if (msg == NULL)
1159 return NULL;
1160 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1161
1162 plain = wpabuf_alloc(data->IDr_len + 1000);
1163 if (plain == NULL) {
1164 wpabuf_free(msg);
1165 return NULL;
1166 }
1167
1168 if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1169 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1170 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1171 &data->keys, 1, msg, plain,
1172 IKEV2_PAYLOAD_IDi)) {
1173 wpabuf_free(plain);
1174 wpabuf_free(msg);
1175 return NULL;
1176 }
1177 wpabuf_free(plain);
1178
1179 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1180
1181 return msg;
1182 }
1183
1184
ikev2_initiator_build(struct ikev2_initiator_data * data)1185 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1186 {
1187 switch (data->state) {
1188 case SA_INIT:
1189 return ikev2_build_sa_init(data);
1190 case SA_AUTH:
1191 return ikev2_build_sa_auth(data);
1192 case CHILD_SA:
1193 return NULL;
1194 case IKEV2_DONE:
1195 return NULL;
1196 }
1197 return NULL;
1198 }
1199