1 /* 2 * IKEv2 responder (RFC 4306) for EAP-IKEV2 3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/dh_groups.h" 13 #include "crypto/random.h" 14 #include "ikev2.h" 15 16 17 void ikev2_responder_deinit(struct ikev2_responder_data *data) 18 { 19 ikev2_free_keys(&data->keys); 20 wpabuf_free(data->i_dh_public); 21 wpabuf_free(data->r_dh_private); 22 os_free(data->IDi); 23 os_free(data->IDr); 24 os_free(data->shared_secret); 25 wpabuf_free(data->i_sign_msg); 26 wpabuf_free(data->r_sign_msg); 27 os_free(data->key_pad); 28 } 29 30 31 static int ikev2_derive_keys(struct ikev2_responder_data *data) 32 { 33 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; 34 size_t buf_len, pad_len; 35 struct wpabuf *shared; 36 const struct ikev2_integ_alg *integ; 37 const struct ikev2_prf_alg *prf; 38 const struct ikev2_encr_alg *encr; 39 int ret; 40 const u8 *addr[2]; 41 size_t len[2]; 42 43 /* RFC 4306, Sect. 2.14 */ 44 45 integ = ikev2_get_integ(data->proposal.integ); 46 prf = ikev2_get_prf(data->proposal.prf); 47 encr = ikev2_get_encr(data->proposal.encr); 48 if (integ == NULL || prf == NULL || encr == NULL) { 49 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal"); 50 return -1; 51 } 52 53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private, 54 data->dh); 55 if (shared == NULL) 56 return -1; 57 58 /* Construct Ni | Nr | SPIi | SPIr */ 59 60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; 61 buf = os_malloc(buf_len); 62 if (buf == NULL) { 63 wpabuf_free(shared); 64 return -1; 65 } 66 67 pos = buf; 68 os_memcpy(pos, data->i_nonce, data->i_nonce_len); 69 pos += data->i_nonce_len; 70 os_memcpy(pos, data->r_nonce, data->r_nonce_len); 71 pos += data->r_nonce_len; 72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); 73 pos += IKEV2_SPI_LEN; 74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); 75 76 /* SKEYSEED = prf(Ni | Nr, g^ir) */ 77 /* Use zero-padding per RFC 4306, Sect. 2.14 */ 78 pad_len = data->dh->prime_len - wpabuf_len(shared); 79 pad = os_zalloc(pad_len ? pad_len : 1); 80 if (pad == NULL) { 81 wpabuf_free(shared); 82 os_free(buf); 83 return -1; 84 } 85 86 addr[0] = pad; 87 len[0] = pad_len; 88 addr[1] = wpabuf_head(shared); 89 len[1] = wpabuf_len(shared); 90 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 91 2, addr, len, skeyseed) < 0) { 92 wpabuf_free(shared); 93 os_free(buf); 94 os_free(pad); 95 return -1; 96 } 97 os_free(pad); 98 wpabuf_free(shared); 99 100 /* DH parameters are not needed anymore, so free them */ 101 wpabuf_free(data->i_dh_public); 102 data->i_dh_public = NULL; 103 wpabuf_free(data->r_dh_private); 104 data->r_dh_private = NULL; 105 106 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", 107 skeyseed, prf->hash_len); 108 109 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, 110 &data->keys); 111 os_free(buf); 112 return ret; 113 } 114 115 116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop, 117 const u8 *pos, const u8 *end) 118 { 119 int transform_len; 120 const struct ikev2_transform *t; 121 u16 transform_id; 122 const u8 *tend; 123 124 if (end - pos < (int) sizeof(*t)) { 125 wpa_printf(MSG_INFO, "IKEV2: Too short transform"); 126 return -1; 127 } 128 129 t = (const struct ikev2_transform *) pos; 130 transform_len = WPA_GET_BE16(t->transform_length); 131 if (transform_len < (int) sizeof(*t) || pos + transform_len > end) { 132 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d", 133 transform_len); 134 return -1; 135 } 136 tend = pos + transform_len; 137 138 transform_id = WPA_GET_BE16(t->transform_id); 139 140 wpa_printf(MSG_DEBUG, "IKEV2: Transform:"); 141 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d " 142 "Transform Type: %d Transform ID: %d", 143 t->type, transform_len, t->transform_type, transform_id); 144 145 if (t->type != 0 && t->type != 3) { 146 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type"); 147 return -1; 148 } 149 150 pos = (const u8 *) (t + 1); 151 if (pos < tend) { 152 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes", 153 pos, tend - pos); 154 } 155 156 switch (t->transform_type) { 157 case IKEV2_TRANSFORM_ENCR: 158 if (ikev2_get_encr(transform_id)) { 159 if (transform_id == ENCR_AES_CBC) { 160 if (tend - pos != 4) { 161 wpa_printf(MSG_DEBUG, "IKEV2: No " 162 "Transform Attr for AES"); 163 break; 164 } 165 if (WPA_GET_BE16(pos) != 0x800e) { 166 wpa_printf(MSG_DEBUG, "IKEV2: Not a " 167 "Key Size attribute for " 168 "AES"); 169 break; 170 } 171 if (WPA_GET_BE16(pos + 2) != 128) { 172 wpa_printf(MSG_DEBUG, "IKEV2: " 173 "Unsupported AES key size " 174 "%d bits", 175 WPA_GET_BE16(pos + 2)); 176 break; 177 } 178 } 179 prop->encr = transform_id; 180 } 181 break; 182 case IKEV2_TRANSFORM_PRF: 183 if (ikev2_get_prf(transform_id)) 184 prop->prf = transform_id; 185 break; 186 case IKEV2_TRANSFORM_INTEG: 187 if (ikev2_get_integ(transform_id)) 188 prop->integ = transform_id; 189 break; 190 case IKEV2_TRANSFORM_DH: 191 if (dh_groups_get(transform_id)) 192 prop->dh = transform_id; 193 break; 194 } 195 196 return transform_len; 197 } 198 199 200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop, 201 const u8 *pos, const u8 *end) 202 { 203 const u8 *pend, *ppos; 204 int proposal_len, i; 205 const struct ikev2_proposal *p; 206 207 if (end - pos < (int) sizeof(*p)) { 208 wpa_printf(MSG_INFO, "IKEV2: Too short proposal"); 209 return -1; 210 } 211 212 /* FIX: AND processing if multiple proposals use the same # */ 213 214 p = (const struct ikev2_proposal *) pos; 215 proposal_len = WPA_GET_BE16(p->proposal_length); 216 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) { 217 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d", 218 proposal_len); 219 return -1; 220 } 221 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d", 222 p->proposal_num); 223 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d " 224 " Protocol ID: %d", 225 p->type, proposal_len, p->protocol_id); 226 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d", 227 p->spi_size, p->num_transforms); 228 229 if (p->type != 0 && p->type != 2) { 230 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type"); 231 return -1; 232 } 233 234 if (p->protocol_id != IKEV2_PROTOCOL_IKE) { 235 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID " 236 "(only IKE allowed for EAP-IKEv2)"); 237 return -1; 238 } 239 240 if (p->proposal_num != prop->proposal_num) { 241 if (p->proposal_num == prop->proposal_num + 1) 242 prop->proposal_num = p->proposal_num; 243 else { 244 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #"); 245 return -1; 246 } 247 } 248 249 ppos = (const u8 *) (p + 1); 250 pend = pos + proposal_len; 251 if (ppos + p->spi_size > pend) { 252 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI " 253 "in proposal"); 254 return -1; 255 } 256 if (p->spi_size) { 257 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI", 258 ppos, p->spi_size); 259 ppos += p->spi_size; 260 } 261 262 /* 263 * For initial IKE_SA negotiation, SPI Size MUST be zero; for 264 * subsequent negotiations, it must be 8 for IKE. We only support 265 * initial case for now. 266 */ 267 if (p->spi_size != 0) { 268 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size"); 269 return -1; 270 } 271 272 if (p->num_transforms == 0) { 273 wpa_printf(MSG_INFO, "IKEV2: At least one transform required"); 274 return -1; 275 } 276 277 for (i = 0; i < (int) p->num_transforms; i++) { 278 int tlen = ikev2_parse_transform(prop, ppos, pend); 279 if (tlen < 0) 280 return -1; 281 ppos += tlen; 282 } 283 284 if (ppos != pend) { 285 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after " 286 "transforms"); 287 return -1; 288 } 289 290 return proposal_len; 291 } 292 293 294 static int ikev2_process_sai1(struct ikev2_responder_data *data, 295 const u8 *sai1, size_t sai1_len) 296 { 297 struct ikev2_proposal_data prop; 298 const u8 *pos, *end; 299 int found = 0; 300 301 /* Security Association Payloads: <Proposals> */ 302 303 if (sai1 == NULL) { 304 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received"); 305 return -1; 306 } 307 308 os_memset(&prop, 0, sizeof(prop)); 309 prop.proposal_num = 1; 310 311 pos = sai1; 312 end = sai1 + sai1_len; 313 314 while (pos < end) { 315 int plen; 316 317 prop.integ = -1; 318 prop.prf = -1; 319 prop.encr = -1; 320 prop.dh = -1; 321 plen = ikev2_parse_proposal(&prop, pos, end); 322 if (plen < 0) 323 return -1; 324 325 if (!found && prop.integ != -1 && prop.prf != -1 && 326 prop.encr != -1 && prop.dh != -1) { 327 os_memcpy(&data->proposal, &prop, sizeof(prop)); 328 data->dh = dh_groups_get(prop.dh); 329 found = 1; 330 } 331 332 pos += plen; 333 } 334 335 if (pos != end) { 336 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals"); 337 return -1; 338 } 339 340 if (!found) { 341 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found"); 342 return -1; 343 } 344 345 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d " 346 "INTEG:%d D-H:%d", data->proposal.proposal_num, 347 data->proposal.encr, data->proposal.prf, 348 data->proposal.integ, data->proposal.dh); 349 350 return 0; 351 } 352 353 354 static int ikev2_process_kei(struct ikev2_responder_data *data, 355 const u8 *kei, size_t kei_len) 356 { 357 u16 group; 358 359 /* 360 * Key Exchange Payload: 361 * DH Group # (16 bits) 362 * RESERVED (16 bits) 363 * Key Exchange Data (Diffie-Hellman public value) 364 */ 365 366 if (kei == NULL) { 367 wpa_printf(MSG_INFO, "IKEV2: KEi not received"); 368 return -1; 369 } 370 371 if (kei_len < 4 + 96) { 372 wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload"); 373 return -1; 374 } 375 376 group = WPA_GET_BE16(kei); 377 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group); 378 379 if (group != data->proposal.dh) { 380 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match " 381 "with the selected proposal (%u)", 382 group, data->proposal.dh); 383 /* Reject message with Notify payload of type 384 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */ 385 data->error_type = INVALID_KE_PAYLOAD; 386 data->state = NOTIFY; 387 return -1; 388 } 389 390 if (data->dh == NULL) { 391 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group"); 392 return -1; 393 } 394 395 /* RFC 4306, Section 3.4: 396 * The length of DH public value MUST be equal to the length of the 397 * prime modulus. 398 */ 399 if (kei_len - 4 != data->dh->prime_len) { 400 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length " 401 "%ld (expected %ld)", 402 (long) (kei_len - 4), (long) data->dh->prime_len); 403 return -1; 404 } 405 406 wpabuf_free(data->i_dh_public); 407 data->i_dh_public = wpabuf_alloc(kei_len - 4); 408 if (data->i_dh_public == NULL) 409 return -1; 410 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4); 411 412 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value", 413 data->i_dh_public); 414 415 return 0; 416 } 417 418 419 static int ikev2_process_ni(struct ikev2_responder_data *data, 420 const u8 *ni, size_t ni_len) 421 { 422 if (ni == NULL) { 423 wpa_printf(MSG_INFO, "IKEV2: Ni not received"); 424 return -1; 425 } 426 427 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) { 428 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld", 429 (long) ni_len); 430 return -1; 431 } 432 433 data->i_nonce_len = ni_len; 434 os_memcpy(data->i_nonce, ni, ni_len); 435 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni", 436 data->i_nonce, data->i_nonce_len); 437 438 return 0; 439 } 440 441 442 static int ikev2_process_sa_init(struct ikev2_responder_data *data, 443 const struct ikev2_hdr *hdr, 444 struct ikev2_payloads *pl) 445 { 446 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 || 447 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 || 448 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0) 449 return -1; 450 451 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN); 452 453 return 0; 454 } 455 456 457 static int ikev2_process_idi(struct ikev2_responder_data *data, 458 const u8 *idi, size_t idi_len) 459 { 460 u8 id_type; 461 462 if (idi == NULL) { 463 wpa_printf(MSG_INFO, "IKEV2: No IDi received"); 464 return -1; 465 } 466 467 if (idi_len < 4) { 468 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload"); 469 return -1; 470 } 471 472 id_type = idi[0]; 473 idi += 4; 474 idi_len -= 4; 475 476 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type); 477 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len); 478 os_free(data->IDi); 479 data->IDi = os_malloc(idi_len); 480 if (data->IDi == NULL) 481 return -1; 482 os_memcpy(data->IDi, idi, idi_len); 483 data->IDi_len = idi_len; 484 data->IDi_type = id_type; 485 486 return 0; 487 } 488 489 490 static int ikev2_process_cert(struct ikev2_responder_data *data, 491 const u8 *cert, size_t cert_len) 492 { 493 u8 cert_encoding; 494 495 if (cert == NULL) { 496 if (data->peer_auth == PEER_AUTH_CERT) { 497 wpa_printf(MSG_INFO, "IKEV2: No Certificate received"); 498 return -1; 499 } 500 return 0; 501 } 502 503 if (cert_len < 1) { 504 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field"); 505 return -1; 506 } 507 508 cert_encoding = cert[0]; 509 cert++; 510 cert_len--; 511 512 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding); 513 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len); 514 515 /* TODO: validate certificate */ 516 517 return 0; 518 } 519 520 521 static int ikev2_process_auth_cert(struct ikev2_responder_data *data, 522 u8 method, const u8 *auth, size_t auth_len) 523 { 524 if (method != AUTH_RSA_SIGN) { 525 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 526 "method %d", method); 527 return -1; 528 } 529 530 /* TODO: validate AUTH */ 531 return 0; 532 } 533 534 535 static int ikev2_process_auth_secret(struct ikev2_responder_data *data, 536 u8 method, const u8 *auth, 537 size_t auth_len) 538 { 539 u8 auth_data[IKEV2_MAX_HASH_LEN]; 540 const struct ikev2_prf_alg *prf; 541 542 if (method != AUTH_SHARED_KEY_MIC) { 543 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 544 "method %d", method); 545 return -1; 546 } 547 548 /* msg | Nr | prf(SK_pi,IDi') */ 549 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg, 550 data->IDi, data->IDi_len, data->IDi_type, 551 &data->keys, 1, data->shared_secret, 552 data->shared_secret_len, 553 data->r_nonce, data->r_nonce_len, 554 data->key_pad, data->key_pad_len, 555 auth_data) < 0) { 556 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 557 return -1; 558 } 559 560 wpabuf_free(data->i_sign_msg); 561 data->i_sign_msg = NULL; 562 563 prf = ikev2_get_prf(data->proposal.prf); 564 if (prf == NULL) 565 return -1; 566 567 if (auth_len != prf->hash_len || 568 os_memcmp_const(auth, auth_data, auth_len) != 0) { 569 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data"); 570 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", 571 auth, auth_len); 572 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", 573 auth_data, prf->hash_len); 574 data->error_type = AUTHENTICATION_FAILED; 575 data->state = NOTIFY; 576 return -1; 577 } 578 579 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully " 580 "using shared keys"); 581 582 return 0; 583 } 584 585 586 static int ikev2_process_auth(struct ikev2_responder_data *data, 587 const u8 *auth, size_t auth_len) 588 { 589 u8 auth_method; 590 591 if (auth == NULL) { 592 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload"); 593 return -1; 594 } 595 596 if (auth_len < 4) { 597 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication " 598 "Payload"); 599 return -1; 600 } 601 602 auth_method = auth[0]; 603 auth += 4; 604 auth_len -= 4; 605 606 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method); 607 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len); 608 609 switch (data->peer_auth) { 610 case PEER_AUTH_CERT: 611 return ikev2_process_auth_cert(data, auth_method, auth, 612 auth_len); 613 case PEER_AUTH_SECRET: 614 return ikev2_process_auth_secret(data, auth_method, auth, 615 auth_len); 616 } 617 618 return -1; 619 } 620 621 622 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data, 623 u8 next_payload, 624 u8 *payload, size_t payload_len) 625 { 626 struct ikev2_payloads pl; 627 628 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 629 630 if (ikev2_parse_payloads(&pl, next_payload, payload, payload + 631 payload_len) < 0) { 632 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 633 "payloads"); 634 return -1; 635 } 636 637 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 || 638 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 || 639 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0) 640 return -1; 641 642 return 0; 643 } 644 645 646 static int ikev2_process_sa_auth(struct ikev2_responder_data *data, 647 const struct ikev2_hdr *hdr, 648 struct ikev2_payloads *pl) 649 { 650 u8 *decrypted; 651 size_t decrypted_len; 652 int ret; 653 654 decrypted = ikev2_decrypt_payload(data->proposal.encr, 655 data->proposal.integ, 656 &data->keys, 1, hdr, pl->encrypted, 657 pl->encrypted_len, &decrypted_len); 658 if (decrypted == NULL) 659 return -1; 660 661 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload, 662 decrypted, decrypted_len); 663 os_free(decrypted); 664 665 return ret; 666 } 667 668 669 static int ikev2_validate_rx_state(struct ikev2_responder_data *data, 670 u8 exchange_type, u32 message_id) 671 { 672 switch (data->state) { 673 case SA_INIT: 674 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */ 675 if (exchange_type != IKE_SA_INIT) { 676 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 677 "%u in SA_INIT state", exchange_type); 678 return -1; 679 } 680 if (message_id != 0) { 681 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 682 "in SA_INIT state", message_id); 683 return -1; 684 } 685 break; 686 case SA_AUTH: 687 /* Expect to receive IKE_SA_AUTH: 688 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] 689 * AUTH, SAi2, TSi, TSr} 690 */ 691 if (exchange_type != IKE_SA_AUTH) { 692 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 693 "%u in SA_AUTH state", exchange_type); 694 return -1; 695 } 696 if (message_id != 1) { 697 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 698 "in SA_AUTH state", message_id); 699 return -1; 700 } 701 break; 702 case CHILD_SA: 703 if (exchange_type != CREATE_CHILD_SA) { 704 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 705 "%u in CHILD_SA state", exchange_type); 706 return -1; 707 } 708 if (message_id != 2) { 709 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 710 "in CHILD_SA state", message_id); 711 return -1; 712 } 713 break; 714 case NOTIFY: 715 case IKEV2_DONE: 716 case IKEV2_FAILED: 717 return -1; 718 } 719 720 return 0; 721 } 722 723 724 int ikev2_responder_process(struct ikev2_responder_data *data, 725 const struct wpabuf *buf) 726 { 727 const struct ikev2_hdr *hdr; 728 u32 length, message_id; 729 const u8 *pos, *end; 730 struct ikev2_payloads pl; 731 732 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)", 733 (unsigned long) wpabuf_len(buf)); 734 735 if (wpabuf_len(buf) < sizeof(*hdr)) { 736 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR"); 737 return -1; 738 } 739 740 data->error_type = 0; 741 hdr = (const struct ikev2_hdr *) wpabuf_head(buf); 742 end = wpabuf_head_u8(buf) + wpabuf_len(buf); 743 message_id = WPA_GET_BE32(hdr->message_id); 744 length = WPA_GET_BE32(hdr->length); 745 746 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 747 hdr->i_spi, IKEV2_SPI_LEN); 748 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI", 749 hdr->r_spi, IKEV2_SPI_LEN); 750 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x " 751 "Exchange Type: %u", 752 hdr->next_payload, hdr->version, hdr->exchange_type); 753 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u", 754 message_id, length); 755 756 if (hdr->version != IKEV2_VERSION) { 757 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x " 758 "(expected 0x%x)", hdr->version, IKEV2_VERSION); 759 return -1; 760 } 761 762 if (length != wpabuf_len(buf)) { 763 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != " 764 "RX: %lu)", (unsigned long) length, 765 (unsigned long) wpabuf_len(buf)); 766 return -1; 767 } 768 769 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0) 770 return -1; 771 772 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) != 773 IKEV2_HDR_INITIATOR) { 774 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x", 775 hdr->flags); 776 return -1; 777 } 778 779 if (data->state != SA_INIT) { 780 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) { 781 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 782 "Initiator's SPI"); 783 return -1; 784 } 785 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) { 786 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 787 "Responder's SPI"); 788 return -1; 789 } 790 } 791 792 pos = (const u8 *) (hdr + 1); 793 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0) 794 return -1; 795 796 if (data->state == SA_INIT) { 797 data->last_msg = LAST_MSG_SA_INIT; 798 if (ikev2_process_sa_init(data, hdr, &pl) < 0) { 799 if (data->state == NOTIFY) 800 return 0; 801 return -1; 802 } 803 wpabuf_free(data->i_sign_msg); 804 data->i_sign_msg = wpabuf_dup(buf); 805 } 806 807 if (data->state == SA_AUTH) { 808 data->last_msg = LAST_MSG_SA_AUTH; 809 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) { 810 if (data->state == NOTIFY) 811 return 0; 812 return -1; 813 } 814 } 815 816 return 0; 817 } 818 819 820 static void ikev2_build_hdr(struct ikev2_responder_data *data, 821 struct wpabuf *msg, u8 exchange_type, 822 u8 next_payload, u32 message_id) 823 { 824 struct ikev2_hdr *hdr; 825 826 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR"); 827 828 /* HDR - RFC 4306, Sect. 3.1 */ 829 hdr = wpabuf_put(msg, sizeof(*hdr)); 830 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN); 831 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN); 832 hdr->next_payload = next_payload; 833 hdr->version = IKEV2_VERSION; 834 hdr->exchange_type = exchange_type; 835 hdr->flags = IKEV2_HDR_RESPONSE; 836 WPA_PUT_BE32(hdr->message_id, message_id); 837 } 838 839 840 static int ikev2_build_sar1(struct ikev2_responder_data *data, 841 struct wpabuf *msg, u8 next_payload) 842 { 843 struct ikev2_payload_hdr *phdr; 844 size_t plen; 845 struct ikev2_proposal *p; 846 struct ikev2_transform *t; 847 848 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload"); 849 850 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */ 851 phdr = wpabuf_put(msg, sizeof(*phdr)); 852 phdr->next_payload = next_payload; 853 phdr->flags = 0; 854 855 p = wpabuf_put(msg, sizeof(*p)); 856 p->proposal_num = data->proposal.proposal_num; 857 p->protocol_id = IKEV2_PROTOCOL_IKE; 858 p->num_transforms = 4; 859 860 t = wpabuf_put(msg, sizeof(*t)); 861 t->type = 3; 862 t->transform_type = IKEV2_TRANSFORM_ENCR; 863 WPA_PUT_BE16(t->transform_id, data->proposal.encr); 864 if (data->proposal.encr == ENCR_AES_CBC) { 865 /* Transform Attribute: Key Len = 128 bits */ 866 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */ 867 wpabuf_put_be16(msg, 128); /* 128-bit key */ 868 } 869 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t; 870 WPA_PUT_BE16(t->transform_length, plen); 871 872 t = wpabuf_put(msg, sizeof(*t)); 873 t->type = 3; 874 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 875 t->transform_type = IKEV2_TRANSFORM_PRF; 876 WPA_PUT_BE16(t->transform_id, data->proposal.prf); 877 878 t = wpabuf_put(msg, sizeof(*t)); 879 t->type = 3; 880 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 881 t->transform_type = IKEV2_TRANSFORM_INTEG; 882 WPA_PUT_BE16(t->transform_id, data->proposal.integ); 883 884 t = wpabuf_put(msg, sizeof(*t)); 885 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 886 t->transform_type = IKEV2_TRANSFORM_DH; 887 WPA_PUT_BE16(t->transform_id, data->proposal.dh); 888 889 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p; 890 WPA_PUT_BE16(p->proposal_length, plen); 891 892 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 893 WPA_PUT_BE16(phdr->payload_length, plen); 894 895 return 0; 896 } 897 898 899 static int ikev2_build_ker(struct ikev2_responder_data *data, 900 struct wpabuf *msg, u8 next_payload) 901 { 902 struct ikev2_payload_hdr *phdr; 903 size_t plen; 904 struct wpabuf *pv; 905 906 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload"); 907 908 pv = dh_init(data->dh, &data->r_dh_private); 909 if (pv == NULL) { 910 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH"); 911 return -1; 912 } 913 914 /* KEr - RFC 4306, Sect. 3.4 */ 915 phdr = wpabuf_put(msg, sizeof(*phdr)); 916 phdr->next_payload = next_payload; 917 phdr->flags = 0; 918 919 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */ 920 wpabuf_put(msg, 2); /* RESERVED */ 921 /* 922 * RFC 4306, Sect. 3.4: possible zero padding for public value to 923 * match the length of the prime. 924 */ 925 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv)); 926 wpabuf_put_buf(msg, pv); 927 wpabuf_free(pv); 928 929 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 930 WPA_PUT_BE16(phdr->payload_length, plen); 931 return 0; 932 } 933 934 935 static int ikev2_build_nr(struct ikev2_responder_data *data, 936 struct wpabuf *msg, u8 next_payload) 937 { 938 struct ikev2_payload_hdr *phdr; 939 size_t plen; 940 941 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload"); 942 943 /* Nr - RFC 4306, Sect. 3.9 */ 944 phdr = wpabuf_put(msg, sizeof(*phdr)); 945 phdr->next_payload = next_payload; 946 phdr->flags = 0; 947 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len); 948 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 949 WPA_PUT_BE16(phdr->payload_length, plen); 950 return 0; 951 } 952 953 954 static int ikev2_build_idr(struct ikev2_responder_data *data, 955 struct wpabuf *msg, u8 next_payload) 956 { 957 struct ikev2_payload_hdr *phdr; 958 size_t plen; 959 960 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload"); 961 962 if (data->IDr == NULL) { 963 wpa_printf(MSG_INFO, "IKEV2: No IDr available"); 964 return -1; 965 } 966 967 /* IDr - RFC 4306, Sect. 3.5 */ 968 phdr = wpabuf_put(msg, sizeof(*phdr)); 969 phdr->next_payload = next_payload; 970 phdr->flags = 0; 971 wpabuf_put_u8(msg, ID_KEY_ID); 972 wpabuf_put(msg, 3); /* RESERVED */ 973 wpabuf_put_data(msg, data->IDr, data->IDr_len); 974 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 975 WPA_PUT_BE16(phdr->payload_length, plen); 976 return 0; 977 } 978 979 980 static int ikev2_build_auth(struct ikev2_responder_data *data, 981 struct wpabuf *msg, u8 next_payload) 982 { 983 struct ikev2_payload_hdr *phdr; 984 size_t plen; 985 const struct ikev2_prf_alg *prf; 986 987 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload"); 988 989 prf = ikev2_get_prf(data->proposal.prf); 990 if (prf == NULL) 991 return -1; 992 993 /* Authentication - RFC 4306, Sect. 3.8 */ 994 phdr = wpabuf_put(msg, sizeof(*phdr)); 995 phdr->next_payload = next_payload; 996 phdr->flags = 0; 997 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC); 998 wpabuf_put(msg, 3); /* RESERVED */ 999 1000 /* msg | Ni | prf(SK_pr,IDr') */ 1001 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, 1002 data->IDr, data->IDr_len, ID_KEY_ID, 1003 &data->keys, 0, data->shared_secret, 1004 data->shared_secret_len, 1005 data->i_nonce, data->i_nonce_len, 1006 data->key_pad, data->key_pad_len, 1007 wpabuf_put(msg, prf->hash_len)) < 0) { 1008 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 1009 return -1; 1010 } 1011 wpabuf_free(data->r_sign_msg); 1012 data->r_sign_msg = NULL; 1013 1014 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1015 WPA_PUT_BE16(phdr->payload_length, plen); 1016 return 0; 1017 } 1018 1019 1020 static int ikev2_build_notification(struct ikev2_responder_data *data, 1021 struct wpabuf *msg, u8 next_payload) 1022 { 1023 struct ikev2_payload_hdr *phdr; 1024 size_t plen; 1025 1026 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload"); 1027 1028 if (data->error_type == 0) { 1029 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type " 1030 "available"); 1031 return -1; 1032 } 1033 1034 /* Notify - RFC 4306, Sect. 3.10 */ 1035 phdr = wpabuf_put(msg, sizeof(*phdr)); 1036 phdr->next_payload = next_payload; 1037 phdr->flags = 0; 1038 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */ 1039 wpabuf_put_u8(msg, 0); /* SPI Size */ 1040 wpabuf_put_be16(msg, data->error_type); 1041 1042 switch (data->error_type) { 1043 case INVALID_KE_PAYLOAD: 1044 if (data->proposal.dh == -1) { 1045 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for " 1046 "INVALID_KE_PAYLOAD notifications"); 1047 return -1; 1048 } 1049 wpabuf_put_be16(msg, data->proposal.dh); 1050 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request " 1051 "DH Group #%d", data->proposal.dh); 1052 break; 1053 case AUTHENTICATION_FAILED: 1054 /* no associated data */ 1055 break; 1056 default: 1057 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type " 1058 "%d", data->error_type); 1059 return -1; 1060 } 1061 1062 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1063 WPA_PUT_BE16(phdr->payload_length, plen); 1064 return 0; 1065 } 1066 1067 1068 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data) 1069 { 1070 struct wpabuf *msg; 1071 1072 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */ 1073 1074 if (os_get_random(data->r_spi, IKEV2_SPI_LEN)) 1075 return NULL; 1076 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI", 1077 data->r_spi, IKEV2_SPI_LEN); 1078 1079 data->r_nonce_len = IKEV2_NONCE_MIN_LEN; 1080 if (random_get_bytes(data->r_nonce, data->r_nonce_len)) 1081 return NULL; 1082 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len); 1083 1084 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500); 1085 if (msg == NULL) 1086 return NULL; 1087 1088 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0); 1089 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) || 1090 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) || 1091 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ? 1092 IKEV2_PAYLOAD_ENCRYPTED : 1093 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1094 wpabuf_free(msg); 1095 return NULL; 1096 } 1097 1098 if (ikev2_derive_keys(data)) { 1099 wpabuf_free(msg); 1100 return NULL; 1101 } 1102 1103 if (data->peer_auth == PEER_AUTH_CERT) { 1104 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info 1105 * for trust agents */ 1106 } 1107 1108 if (data->peer_auth == PEER_AUTH_SECRET) { 1109 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000); 1110 if (plain == NULL) { 1111 wpabuf_free(msg); 1112 return NULL; 1113 } 1114 if (ikev2_build_idr(data, plain, 1115 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1116 ikev2_build_encrypted(data->proposal.encr, 1117 data->proposal.integ, 1118 &data->keys, 0, msg, plain, 1119 IKEV2_PAYLOAD_IDr)) { 1120 wpabuf_free(plain); 1121 wpabuf_free(msg); 1122 return NULL; 1123 } 1124 wpabuf_free(plain); 1125 } 1126 1127 ikev2_update_hdr(msg); 1128 1129 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg); 1130 1131 data->state = SA_AUTH; 1132 1133 wpabuf_free(data->r_sign_msg); 1134 data->r_sign_msg = wpabuf_dup(msg); 1135 1136 return msg; 1137 } 1138 1139 1140 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data) 1141 { 1142 struct wpabuf *msg, *plain; 1143 1144 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */ 1145 1146 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000); 1147 if (msg == NULL) 1148 return NULL; 1149 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1); 1150 1151 plain = wpabuf_alloc(data->IDr_len + 1000); 1152 if (plain == NULL) { 1153 wpabuf_free(msg); 1154 return NULL; 1155 } 1156 1157 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) || 1158 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1159 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ, 1160 &data->keys, 0, msg, plain, 1161 IKEV2_PAYLOAD_IDr)) { 1162 wpabuf_free(plain); 1163 wpabuf_free(msg); 1164 return NULL; 1165 } 1166 wpabuf_free(plain); 1167 1168 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg); 1169 1170 data->state = IKEV2_DONE; 1171 1172 return msg; 1173 } 1174 1175 1176 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data) 1177 { 1178 struct wpabuf *msg; 1179 1180 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000); 1181 if (msg == NULL) 1182 return NULL; 1183 if (data->last_msg == LAST_MSG_SA_AUTH) { 1184 /* HDR, SK{N} */ 1185 struct wpabuf *plain = wpabuf_alloc(100); 1186 if (plain == NULL) { 1187 wpabuf_free(msg); 1188 return NULL; 1189 } 1190 ikev2_build_hdr(data, msg, IKE_SA_AUTH, 1191 IKEV2_PAYLOAD_ENCRYPTED, 1); 1192 if (ikev2_build_notification(data, plain, 1193 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1194 ikev2_build_encrypted(data->proposal.encr, 1195 data->proposal.integ, 1196 &data->keys, 0, msg, plain, 1197 IKEV2_PAYLOAD_NOTIFICATION)) { 1198 wpabuf_free(plain); 1199 wpabuf_free(msg); 1200 return NULL; 1201 } 1202 wpabuf_free(plain); 1203 data->state = IKEV2_FAILED; 1204 } else { 1205 /* HDR, N */ 1206 ikev2_build_hdr(data, msg, IKE_SA_INIT, 1207 IKEV2_PAYLOAD_NOTIFICATION, 0); 1208 if (ikev2_build_notification(data, msg, 1209 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1210 wpabuf_free(msg); 1211 return NULL; 1212 } 1213 data->state = SA_INIT; 1214 } 1215 1216 ikev2_update_hdr(msg); 1217 1218 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)", 1219 msg); 1220 1221 return msg; 1222 } 1223 1224 1225 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data) 1226 { 1227 switch (data->state) { 1228 case SA_INIT: 1229 return ikev2_build_sa_init(data); 1230 case SA_AUTH: 1231 return ikev2_build_sa_auth(data); 1232 case CHILD_SA: 1233 return NULL; 1234 case NOTIFY: 1235 return ikev2_build_notify(data); 1236 case IKEV2_DONE: 1237 case IKEV2_FAILED: 1238 return NULL; 1239 } 1240 return NULL; 1241 } 1242