xref: /freebsd/contrib/wpa/src/eap_peer/ikev2.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /*
2  * IKEv2 responder (RFC 4306) for EAP-IKEV2
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "dh_groups.h"
19 #include "ikev2.h"
20 
21 
22 void ikev2_responder_deinit(struct ikev2_responder_data *data)
23 {
24 	ikev2_free_keys(&data->keys);
25 	wpabuf_free(data->i_dh_public);
26 	wpabuf_free(data->r_dh_private);
27 	os_free(data->IDi);
28 	os_free(data->IDr);
29 	os_free(data->shared_secret);
30 	wpabuf_free(data->i_sign_msg);
31 	wpabuf_free(data->r_sign_msg);
32 	os_free(data->key_pad);
33 }
34 
35 
36 static int ikev2_derive_keys(struct ikev2_responder_data *data)
37 {
38 	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
39 	size_t buf_len, pad_len;
40 	struct wpabuf *shared;
41 	const struct ikev2_integ_alg *integ;
42 	const struct ikev2_prf_alg *prf;
43 	const struct ikev2_encr_alg *encr;
44 	int ret;
45 	const u8 *addr[2];
46 	size_t len[2];
47 
48 	/* RFC 4306, Sect. 2.14 */
49 
50 	integ = ikev2_get_integ(data->proposal.integ);
51 	prf = ikev2_get_prf(data->proposal.prf);
52 	encr = ikev2_get_encr(data->proposal.encr);
53 	if (integ == NULL || prf == NULL || encr == NULL) {
54 		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
55 		return -1;
56 	}
57 
58 	shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
59 				  data->dh);
60 	if (shared == NULL)
61 		return -1;
62 
63 	/* Construct Ni | Nr | SPIi | SPIr */
64 
65 	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
66 	buf = os_malloc(buf_len);
67 	if (buf == NULL) {
68 		wpabuf_free(shared);
69 		return -1;
70 	}
71 
72 	pos = buf;
73 	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
74 	pos += data->i_nonce_len;
75 	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
76 	pos += data->r_nonce_len;
77 	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
78 	pos += IKEV2_SPI_LEN;
79 	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
80 #ifdef CCNS_PL
81 #if __BYTE_ORDER == __LITTLE_ENDIAN
82 	{
83 		int i;
84 		u8 *tmp = pos - IKEV2_SPI_LEN;
85 		/* Incorrect byte re-ordering on little endian hosts.. */
86 		for (i = 0; i < IKEV2_SPI_LEN; i++)
87 			*tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
88 		for (i = 0; i < IKEV2_SPI_LEN; i++)
89 			*tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
90 	}
91 #endif
92 #endif /* CCNS_PL */
93 
94 	/* SKEYSEED = prf(Ni | Nr, g^ir) */
95 	/* Use zero-padding per RFC 4306, Sect. 2.14 */
96 	pad_len = data->dh->prime_len - wpabuf_len(shared);
97 #ifdef CCNS_PL
98 	/* Shared secret is not zero-padded correctly */
99 	pad_len = 0;
100 #endif /* CCNS_PL */
101 	pad = os_zalloc(pad_len ? pad_len : 1);
102 	if (pad == NULL) {
103 		wpabuf_free(shared);
104 		os_free(buf);
105 		return -1;
106 	}
107 
108 	addr[0] = pad;
109 	len[0] = pad_len;
110 	addr[1] = wpabuf_head(shared);
111 	len[1] = wpabuf_len(shared);
112 	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
113 			   2, addr, len, skeyseed) < 0) {
114 		wpabuf_free(shared);
115 		os_free(buf);
116 		os_free(pad);
117 		return -1;
118 	}
119 	os_free(pad);
120 	wpabuf_free(shared);
121 
122 	/* DH parameters are not needed anymore, so free them */
123 	wpabuf_free(data->i_dh_public);
124 	data->i_dh_public = NULL;
125 	wpabuf_free(data->r_dh_private);
126 	data->r_dh_private = NULL;
127 
128 	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
129 			skeyseed, prf->hash_len);
130 
131 	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
132 				   &data->keys);
133 	os_free(buf);
134 	return ret;
135 }
136 
137 
138 static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
139 				 const u8 *pos, const u8 *end)
140 {
141 	int transform_len;
142 	const struct ikev2_transform *t;
143 	u16 transform_id;
144 	const u8 *tend;
145 
146 	if (end - pos < (int) sizeof(*t)) {
147 		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
148 		return -1;
149 	}
150 
151 	t = (const struct ikev2_transform *) pos;
152 	transform_len = WPA_GET_BE16(t->transform_length);
153 	if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
154 		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
155 			   transform_len);
156 		return -1;
157 	}
158 	tend = pos + transform_len;
159 
160 	transform_id = WPA_GET_BE16(t->transform_id);
161 
162 	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
163 	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
164 		   "Transform Type: %d  Transform ID: %d",
165 		   t->type, transform_len, t->transform_type, transform_id);
166 
167 	if (t->type != 0 && t->type != 3) {
168 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
169 		return -1;
170 	}
171 
172 	pos = (const u8 *) (t + 1);
173 	if (pos < tend) {
174 		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
175 			    pos, tend - pos);
176 	}
177 
178 	switch (t->transform_type) {
179 	case IKEV2_TRANSFORM_ENCR:
180 		if (ikev2_get_encr(transform_id)) {
181 			if (transform_id == ENCR_AES_CBC) {
182 				if (tend - pos != 4) {
183 					wpa_printf(MSG_DEBUG, "IKEV2: No "
184 						   "Transform Attr for AES");
185 					break;
186 				}
187 #ifdef CCNS_PL
188 				if (WPA_GET_BE16(pos) != 0x001d /* ?? */) {
189 					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
190 						   "Key Size attribute for "
191 						   "AES");
192 					break;
193 				}
194 #else /* CCNS_PL */
195 				if (WPA_GET_BE16(pos) != 0x800e) {
196 					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
197 						   "Key Size attribute for "
198 						   "AES");
199 					break;
200 				}
201 #endif /* CCNS_PL */
202 				if (WPA_GET_BE16(pos + 2) != 128) {
203 					wpa_printf(MSG_DEBUG, "IKEV2: "
204 						   "Unsupported AES key size "
205 						   "%d bits",
206 						   WPA_GET_BE16(pos + 2));
207 					break;
208 				}
209 			}
210 			prop->encr = transform_id;
211 		}
212 		break;
213 	case IKEV2_TRANSFORM_PRF:
214 		if (ikev2_get_prf(transform_id))
215 			prop->prf = transform_id;
216 		break;
217 	case IKEV2_TRANSFORM_INTEG:
218 		if (ikev2_get_integ(transform_id))
219 			prop->integ = transform_id;
220 		break;
221 	case IKEV2_TRANSFORM_DH:
222 		if (dh_groups_get(transform_id))
223 			prop->dh = transform_id;
224 		break;
225 	}
226 
227 	return transform_len;
228 }
229 
230 
231 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
232 				const u8 *pos, const u8 *end)
233 {
234 	const u8 *pend, *ppos;
235 	int proposal_len, i;
236 	const struct ikev2_proposal *p;
237 
238 	if (end - pos < (int) sizeof(*p)) {
239 		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
240 		return -1;
241 	}
242 
243 	/* FIX: AND processing if multiple proposals use the same # */
244 
245 	p = (const struct ikev2_proposal *) pos;
246 	proposal_len = WPA_GET_BE16(p->proposal_length);
247 	if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
248 		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
249 			   proposal_len);
250 		return -1;
251 	}
252 	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
253 		   p->proposal_num);
254 	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
255 		   " Protocol ID: %d",
256 		   p->type, proposal_len, p->protocol_id);
257 	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
258 		   p->spi_size, p->num_transforms);
259 
260 	if (p->type != 0 && p->type != 2) {
261 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
262 		return -1;
263 	}
264 
265 	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
266 		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
267 			   "(only IKE allowed for EAP-IKEv2)");
268 		return -1;
269 	}
270 
271 	if (p->proposal_num != prop->proposal_num) {
272 		if (p->proposal_num == prop->proposal_num + 1)
273 			prop->proposal_num = p->proposal_num;
274 		else {
275 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
276 			return -1;
277 		}
278 	}
279 
280 	ppos = (const u8 *) (p + 1);
281 	pend = pos + proposal_len;
282 	if (ppos + p->spi_size > pend) {
283 		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
284 			   "in proposal");
285 		return -1;
286 	}
287 	if (p->spi_size) {
288 		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
289 			    ppos, p->spi_size);
290 		ppos += p->spi_size;
291 	}
292 
293 	/*
294 	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
295 	 * subsequent negotiations, it must be 8 for IKE. We only support
296 	 * initial case for now.
297 	 */
298 	if (p->spi_size != 0) {
299 		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
300 		return -1;
301 	}
302 
303 	if (p->num_transforms == 0) {
304 		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
305 		return -1;
306 	}
307 
308 	for (i = 0; i < (int) p->num_transforms; i++) {
309 		int tlen = ikev2_parse_transform(prop, ppos, pend);
310 		if (tlen < 0)
311 			return -1;
312 		ppos += tlen;
313 	}
314 
315 	if (ppos != pend) {
316 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
317 			   "transforms");
318 		return -1;
319 	}
320 
321 	return proposal_len;
322 }
323 
324 
325 static int ikev2_process_sai1(struct ikev2_responder_data *data,
326 			      const u8 *sai1, size_t sai1_len)
327 {
328 	struct ikev2_proposal_data prop;
329 	const u8 *pos, *end;
330 	int found = 0;
331 
332 	/* Security Association Payloads: <Proposals> */
333 
334 	if (sai1 == NULL) {
335 		wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
336 		return -1;
337 	}
338 
339 	os_memset(&prop, 0, sizeof(prop));
340 	prop.proposal_num = 1;
341 
342 	pos = sai1;
343 	end = sai1 + sai1_len;
344 
345 	while (pos < end) {
346 		int plen;
347 
348 		prop.integ = -1;
349 		prop.prf = -1;
350 		prop.encr = -1;
351 		prop.dh = -1;
352 		plen = ikev2_parse_proposal(&prop, pos, end);
353 		if (plen < 0)
354 			return -1;
355 
356 		if (!found && prop.integ != -1 && prop.prf != -1 &&
357 		    prop.encr != -1 && prop.dh != -1) {
358 			os_memcpy(&data->proposal, &prop, sizeof(prop));
359 			data->dh = dh_groups_get(prop.dh);
360 			found = 1;
361 		}
362 
363 		pos += plen;
364 	}
365 
366 	if (pos != end) {
367 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
368 		return -1;
369 	}
370 
371 	if (!found) {
372 		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
373 		return -1;
374 	}
375 
376 	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
377 		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
378 		   data->proposal.encr, data->proposal.prf,
379 		   data->proposal.integ, data->proposal.dh);
380 
381 	return 0;
382 }
383 
384 
385 static int ikev2_process_kei(struct ikev2_responder_data *data,
386 			     const u8 *kei, size_t kei_len)
387 {
388 	u16 group;
389 
390 	/*
391 	 * Key Exchange Payload:
392 	 * DH Group # (16 bits)
393 	 * RESERVED (16 bits)
394 	 * Key Exchange Data (Diffie-Hellman public value)
395 	 */
396 
397 	if (kei == NULL) {
398 		wpa_printf(MSG_INFO, "IKEV2: KEi not received");
399 		return -1;
400 	}
401 
402 	if (kei_len < 4 + 96) {
403 		wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
404 		return -1;
405 	}
406 
407 	group = WPA_GET_BE16(kei);
408 	wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
409 
410 	if (group != data->proposal.dh) {
411 		wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
412 			   "with the selected proposal (%u)",
413 			   group, data->proposal.dh);
414 		/* Reject message with Notify payload of type
415 		 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
416 		data->error_type = INVALID_KE_PAYLOAD;
417 		data->state = NOTIFY;
418 		return -1;
419 	}
420 
421 	if (data->dh == NULL) {
422 		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
423 		return -1;
424 	}
425 
426 	/* RFC 4306, Section 3.4:
427 	 * The length of DH public value MUST be equal to the lenght of the
428 	 * prime modulus.
429 	 */
430 	if (kei_len - 4 != data->dh->prime_len) {
431 		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
432 			   "%ld (expected %ld)",
433 			   (long) (kei_len - 4), (long) data->dh->prime_len);
434 		return -1;
435 	}
436 
437 	wpabuf_free(data->i_dh_public);
438 	data->i_dh_public = wpabuf_alloc(kei_len - 4);
439 	if (data->i_dh_public == NULL)
440 		return -1;
441 	wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
442 
443 	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
444 			data->i_dh_public);
445 
446 	return 0;
447 }
448 
449 
450 static int ikev2_process_ni(struct ikev2_responder_data *data,
451 			    const u8 *ni, size_t ni_len)
452 {
453 	if (ni == NULL) {
454 		wpa_printf(MSG_INFO, "IKEV2: Ni not received");
455 		return -1;
456 	}
457 
458 	if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
459 		wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
460 		           (long) ni_len);
461 		return -1;
462 	}
463 
464 #ifdef CCNS_PL
465 	/* Zeros are removed incorrectly from the beginning of the nonces */
466 	while (ni_len > 1 && *ni == 0) {
467 		ni_len--;
468 		ni++;
469 	}
470 #endif /* CCNS_PL */
471 
472 	data->i_nonce_len = ni_len;
473 	os_memcpy(data->i_nonce, ni, ni_len);
474 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
475 		    data->i_nonce, data->i_nonce_len);
476 
477 	return 0;
478 }
479 
480 
481 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
482 				 const struct ikev2_hdr *hdr,
483 				 struct ikev2_payloads *pl)
484 {
485 	if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
486 	    ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
487 	    ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
488 		return -1;
489 
490 	os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
491 
492 	return 0;
493 }
494 
495 
496 static int ikev2_process_idi(struct ikev2_responder_data *data,
497 			     const u8 *idi, size_t idi_len)
498 {
499 	u8 id_type;
500 
501 	if (idi == NULL) {
502 		wpa_printf(MSG_INFO, "IKEV2: No IDi received");
503 		return -1;
504 	}
505 
506 	if (idi_len < 4) {
507 		wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
508 		return -1;
509 	}
510 
511 	id_type = idi[0];
512 	idi += 4;
513 	idi_len -= 4;
514 
515 	wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
516 	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
517 	os_free(data->IDi);
518 	data->IDi = os_malloc(idi_len);
519 	if (data->IDi == NULL)
520 		return -1;
521 	os_memcpy(data->IDi, idi, idi_len);
522 	data->IDi_len = idi_len;
523 	data->IDi_type = id_type;
524 
525 	return 0;
526 }
527 
528 
529 static int ikev2_process_cert(struct ikev2_responder_data *data,
530 			      const u8 *cert, size_t cert_len)
531 {
532 	u8 cert_encoding;
533 
534 	if (cert == NULL) {
535 		if (data->peer_auth == PEER_AUTH_CERT) {
536 			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
537 			return -1;
538 		}
539 		return 0;
540 	}
541 
542 	if (cert_len < 1) {
543 		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
544 		return -1;
545 	}
546 
547 	cert_encoding = cert[0];
548 	cert++;
549 	cert_len--;
550 
551 	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
552 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
553 
554 	/* TODO: validate certificate */
555 
556 	return 0;
557 }
558 
559 
560 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
561 				   u8 method, const u8 *auth, size_t auth_len)
562 {
563 	if (method != AUTH_RSA_SIGN) {
564 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
565 			   "method %d", method);
566 		return -1;
567 	}
568 
569 	/* TODO: validate AUTH */
570 	return 0;
571 }
572 
573 
574 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
575 				     u8 method, const u8 *auth,
576 				     size_t auth_len)
577 {
578 	u8 auth_data[IKEV2_MAX_HASH_LEN];
579 	const struct ikev2_prf_alg *prf;
580 
581 	if (method != AUTH_SHARED_KEY_MIC) {
582 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
583 			   "method %d", method);
584 		return -1;
585 	}
586 
587 	/* msg | Nr | prf(SK_pi,IDi') */
588 	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
589 				   data->IDi, data->IDi_len, data->IDi_type,
590 				   &data->keys, 1, data->shared_secret,
591 				   data->shared_secret_len,
592 				   data->r_nonce, data->r_nonce_len,
593 				   data->key_pad, data->key_pad_len,
594 				   auth_data) < 0) {
595 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
596 		return -1;
597 	}
598 
599 	wpabuf_free(data->i_sign_msg);
600 	data->i_sign_msg = NULL;
601 
602 	prf = ikev2_get_prf(data->proposal.prf);
603 	if (prf == NULL)
604 		return -1;
605 
606 	if (auth_len != prf->hash_len ||
607 	    os_memcmp(auth, auth_data, auth_len) != 0) {
608 		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
609 		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
610 			    auth, auth_len);
611 		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
612 			    auth_data, prf->hash_len);
613 		data->error_type = AUTHENTICATION_FAILED;
614 		data->state = NOTIFY;
615 		return -1;
616 	}
617 
618 	wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
619 		   "using shared keys");
620 
621 	return 0;
622 }
623 
624 
625 static int ikev2_process_auth(struct ikev2_responder_data *data,
626 			      const u8 *auth, size_t auth_len)
627 {
628 	u8 auth_method;
629 
630 	if (auth == NULL) {
631 		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
632 		return -1;
633 	}
634 
635 	if (auth_len < 4) {
636 		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
637 			   "Payload");
638 		return -1;
639 	}
640 
641 	auth_method = auth[0];
642 	auth += 4;
643 	auth_len -= 4;
644 
645 	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
646 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
647 
648 	switch (data->peer_auth) {
649 	case PEER_AUTH_CERT:
650 		return ikev2_process_auth_cert(data, auth_method, auth,
651 					       auth_len);
652 	case PEER_AUTH_SECRET:
653 		return ikev2_process_auth_secret(data, auth_method, auth,
654 						 auth_len);
655 	}
656 
657 	return -1;
658 }
659 
660 
661 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
662 					   u8 next_payload,
663 					   u8 *payload, size_t payload_len)
664 {
665 	struct ikev2_payloads pl;
666 
667 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
668 
669 	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
670 				 payload_len) < 0) {
671 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
672 			   "payloads");
673 		return -1;
674 	}
675 
676 	if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
677 	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
678 	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
679 		return -1;
680 
681 	return 0;
682 }
683 
684 
685 static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
686 				 const struct ikev2_hdr *hdr,
687 				 struct ikev2_payloads *pl)
688 {
689 	u8 *decrypted;
690 	size_t decrypted_len;
691 	int ret;
692 
693 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
694 					  data->proposal.integ,
695 					  &data->keys, 1, hdr, pl->encrypted,
696 					  pl->encrypted_len, &decrypted_len);
697 	if (decrypted == NULL)
698 		return -1;
699 
700 	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
701 					      decrypted, decrypted_len);
702 	os_free(decrypted);
703 
704 	return ret;
705 }
706 
707 
708 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
709 				   u8 exchange_type, u32 message_id)
710 {
711 	switch (data->state) {
712 	case SA_INIT:
713 		/* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
714 		if (exchange_type != IKE_SA_INIT) {
715 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
716 				   "%u in SA_INIT state", exchange_type);
717 			return -1;
718 		}
719 		if (message_id != 0) {
720 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
721 				   "in SA_INIT state", message_id);
722 			return -1;
723 		}
724 		break;
725 	case SA_AUTH:
726 		/* Expect to receive IKE_SA_AUTH:
727 		 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
728 		 *	AUTH, SAi2, TSi, TSr}
729 		 */
730 		if (exchange_type != IKE_SA_AUTH) {
731 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
732 				   "%u in SA_AUTH state", exchange_type);
733 			return -1;
734 		}
735 		if (message_id != 1) {
736 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
737 				   "in SA_AUTH state", message_id);
738 			return -1;
739 		}
740 		break;
741 	case CHILD_SA:
742 		if (exchange_type != CREATE_CHILD_SA) {
743 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
744 				   "%u in CHILD_SA state", exchange_type);
745 			return -1;
746 		}
747 		if (message_id != 2) {
748 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
749 				   "in CHILD_SA state", message_id);
750 			return -1;
751 		}
752 		break;
753 	case NOTIFY:
754 	case IKEV2_DONE:
755 	case IKEV2_FAILED:
756 		return -1;
757 	}
758 
759 	return 0;
760 }
761 
762 
763 int ikev2_responder_process(struct ikev2_responder_data *data,
764 			    const struct wpabuf *buf)
765 {
766 	const struct ikev2_hdr *hdr;
767 	u32 length, message_id;
768 	const u8 *pos, *end;
769 	struct ikev2_payloads pl;
770 
771 	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
772 		   (unsigned long) wpabuf_len(buf));
773 
774 	if (wpabuf_len(buf) < sizeof(*hdr)) {
775 		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
776 		return -1;
777 	}
778 
779 	data->error_type = 0;
780 	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
781 	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
782 	message_id = WPA_GET_BE32(hdr->message_id);
783 	length = WPA_GET_BE32(hdr->length);
784 
785 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
786 		    hdr->i_spi, IKEV2_SPI_LEN);
787 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Responder's SPI",
788 		    hdr->r_spi, IKEV2_SPI_LEN);
789 	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
790 		   "Exchange Type: %u",
791 		   hdr->next_payload, hdr->version, hdr->exchange_type);
792 	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
793 		   message_id, length);
794 
795 	if (hdr->version != IKEV2_VERSION) {
796 		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
797 			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
798 		return -1;
799 	}
800 
801 	if (length != wpabuf_len(buf)) {
802 		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
803 			   "RX: %lu)", (unsigned long) length,
804 			   (unsigned long) wpabuf_len(buf));
805 		return -1;
806 	}
807 
808 	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
809 		return -1;
810 
811 	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
812 	    IKEV2_HDR_INITIATOR) {
813 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
814 			   hdr->flags);
815 		return -1;
816 	}
817 
818 	if (data->state != SA_INIT) {
819 		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
820 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
821 				   "Initiator's SPI");
822 			return -1;
823 		}
824 		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
825 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
826 				   "Responder's SPI");
827 			return -1;
828 		}
829 	}
830 
831 	pos = (const u8 *) (hdr + 1);
832 	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
833 		return -1;
834 
835 	if (data->state == SA_INIT) {
836 		data->last_msg = LAST_MSG_SA_INIT;
837 		if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
838 			if (data->state == NOTIFY)
839 				return 0;
840 			return -1;
841 		}
842 		wpabuf_free(data->i_sign_msg);
843 		data->i_sign_msg = wpabuf_dup(buf);
844 	}
845 
846 	if (data->state == SA_AUTH) {
847 		data->last_msg = LAST_MSG_SA_AUTH;
848 		if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
849 			if (data->state == NOTIFY)
850 				return 0;
851 			return -1;
852 		}
853 	}
854 
855 	return 0;
856 }
857 
858 
859 static void ikev2_build_hdr(struct ikev2_responder_data *data,
860 			    struct wpabuf *msg, u8 exchange_type,
861 			    u8 next_payload, u32 message_id)
862 {
863 	struct ikev2_hdr *hdr;
864 
865 	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
866 
867 	/* HDR - RFC 4306, Sect. 3.1 */
868 	hdr = wpabuf_put(msg, sizeof(*hdr));
869 	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
870 	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
871 	hdr->next_payload = next_payload;
872 	hdr->version = IKEV2_VERSION;
873 	hdr->exchange_type = exchange_type;
874 	hdr->flags = IKEV2_HDR_RESPONSE;
875 	WPA_PUT_BE32(hdr->message_id, message_id);
876 }
877 
878 
879 static int ikev2_build_sar1(struct ikev2_responder_data *data,
880 			    struct wpabuf *msg, u8 next_payload)
881 {
882 	struct ikev2_payload_hdr *phdr;
883 	size_t plen;
884 	struct ikev2_proposal *p;
885 	struct ikev2_transform *t;
886 
887 	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
888 
889 	/* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
890 	phdr = wpabuf_put(msg, sizeof(*phdr));
891 	phdr->next_payload = next_payload;
892 	phdr->flags = 0;
893 
894 	p = wpabuf_put(msg, sizeof(*p));
895 #ifdef CCNS_PL
896 	/* Seems to require that the Proposal # is 1 even though RFC 4306
897 	 * Sect 3.3.1 has following requirement "When a proposal is accepted,
898 	 * all of the proposal numbers in the SA payload MUST be the same and
899 	 * MUST match the number on the proposal sent that was accepted.".
900 	 */
901 	p->proposal_num = 1;
902 #else /* CCNS_PL */
903 	p->proposal_num = data->proposal.proposal_num;
904 #endif /* CCNS_PL */
905 	p->protocol_id = IKEV2_PROTOCOL_IKE;
906 	p->num_transforms = 4;
907 
908 	t = wpabuf_put(msg, sizeof(*t));
909 	t->type = 3;
910 	t->transform_type = IKEV2_TRANSFORM_ENCR;
911 	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
912 	if (data->proposal.encr == ENCR_AES_CBC) {
913 		/* Transform Attribute: Key Len = 128 bits */
914 #ifdef CCNS_PL
915 		wpabuf_put_be16(msg, 0x001d); /* ?? */
916 #else /* CCNS_PL */
917 		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
918 #endif /* CCNS_PL */
919 		wpabuf_put_be16(msg, 128); /* 128-bit key */
920 	}
921 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
922 	WPA_PUT_BE16(t->transform_length, plen);
923 
924 	t = wpabuf_put(msg, sizeof(*t));
925 	t->type = 3;
926 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
927 	t->transform_type = IKEV2_TRANSFORM_PRF;
928 	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
929 
930 	t = wpabuf_put(msg, sizeof(*t));
931 	t->type = 3;
932 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
933 	t->transform_type = IKEV2_TRANSFORM_INTEG;
934 	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
935 
936 	t = wpabuf_put(msg, sizeof(*t));
937 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
938 	t->transform_type = IKEV2_TRANSFORM_DH;
939 	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
940 
941 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
942 	WPA_PUT_BE16(p->proposal_length, plen);
943 
944 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
945 	WPA_PUT_BE16(phdr->payload_length, plen);
946 
947 	return 0;
948 }
949 
950 
951 static int ikev2_build_ker(struct ikev2_responder_data *data,
952 			   struct wpabuf *msg, u8 next_payload)
953 {
954 	struct ikev2_payload_hdr *phdr;
955 	size_t plen;
956 	struct wpabuf *pv;
957 
958 	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
959 
960 	pv = dh_init(data->dh, &data->r_dh_private);
961 	if (pv == NULL) {
962 		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
963 		return -1;
964 	}
965 
966 	/* KEr - RFC 4306, Sect. 3.4 */
967 	phdr = wpabuf_put(msg, sizeof(*phdr));
968 	phdr->next_payload = next_payload;
969 	phdr->flags = 0;
970 
971 	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
972 	wpabuf_put(msg, 2); /* RESERVED */
973 	/*
974 	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
975 	 * match the length of the prime.
976 	 */
977 	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
978 	wpabuf_put_buf(msg, pv);
979 	wpabuf_free(pv);
980 
981 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
982 	WPA_PUT_BE16(phdr->payload_length, plen);
983 	return 0;
984 }
985 
986 
987 static int ikev2_build_nr(struct ikev2_responder_data *data,
988 			  struct wpabuf *msg, u8 next_payload)
989 {
990 	struct ikev2_payload_hdr *phdr;
991 	size_t plen;
992 
993 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
994 
995 	/* Nr - RFC 4306, Sect. 3.9 */
996 	phdr = wpabuf_put(msg, sizeof(*phdr));
997 	phdr->next_payload = next_payload;
998 	phdr->flags = 0;
999 	wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
1000 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1001 	WPA_PUT_BE16(phdr->payload_length, plen);
1002 	return 0;
1003 }
1004 
1005 
1006 static int ikev2_build_idr(struct ikev2_responder_data *data,
1007 			   struct wpabuf *msg, u8 next_payload)
1008 {
1009 	struct ikev2_payload_hdr *phdr;
1010 	size_t plen;
1011 
1012 	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
1013 
1014 	if (data->IDr == NULL) {
1015 		wpa_printf(MSG_INFO, "IKEV2: No IDr available");
1016 		return -1;
1017 	}
1018 
1019 	/* IDr - RFC 4306, Sect. 3.5 */
1020 	phdr = wpabuf_put(msg, sizeof(*phdr));
1021 	phdr->next_payload = next_payload;
1022 	phdr->flags = 0;
1023 	wpabuf_put_u8(msg, ID_KEY_ID);
1024 	wpabuf_put(msg, 3); /* RESERVED */
1025 	wpabuf_put_data(msg, data->IDr, data->IDr_len);
1026 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1027 	WPA_PUT_BE16(phdr->payload_length, plen);
1028 	return 0;
1029 }
1030 
1031 
1032 static int ikev2_build_auth(struct ikev2_responder_data *data,
1033 			    struct wpabuf *msg, u8 next_payload)
1034 {
1035 	struct ikev2_payload_hdr *phdr;
1036 	size_t plen;
1037 	const struct ikev2_prf_alg *prf;
1038 
1039 	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1040 
1041 	prf = ikev2_get_prf(data->proposal.prf);
1042 	if (prf == NULL)
1043 		return -1;
1044 
1045 	/* Authentication - RFC 4306, Sect. 3.8 */
1046 	phdr = wpabuf_put(msg, sizeof(*phdr));
1047 	phdr->next_payload = next_payload;
1048 	phdr->flags = 0;
1049 	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1050 	wpabuf_put(msg, 3); /* RESERVED */
1051 
1052 	/* msg | Ni | prf(SK_pr,IDr') */
1053 	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1054 				   data->IDr, data->IDr_len, ID_KEY_ID,
1055 				   &data->keys, 0, data->shared_secret,
1056 				   data->shared_secret_len,
1057 				   data->i_nonce, data->i_nonce_len,
1058 				   data->key_pad, data->key_pad_len,
1059 				   wpabuf_put(msg, prf->hash_len)) < 0) {
1060 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1061 		return -1;
1062 	}
1063 	wpabuf_free(data->r_sign_msg);
1064 	data->r_sign_msg = NULL;
1065 
1066 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1067 	WPA_PUT_BE16(phdr->payload_length, plen);
1068 	return 0;
1069 }
1070 
1071 
1072 static int ikev2_build_notification(struct ikev2_responder_data *data,
1073 				    struct wpabuf *msg, u8 next_payload)
1074 {
1075 	struct ikev2_payload_hdr *phdr;
1076 	size_t plen;
1077 
1078 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1079 
1080 	if (data->error_type == 0) {
1081 		wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1082 			   "available");
1083 		return -1;
1084 	}
1085 
1086 	/* Notify - RFC 4306, Sect. 3.10 */
1087 	phdr = wpabuf_put(msg, sizeof(*phdr));
1088 	phdr->next_payload = next_payload;
1089 	phdr->flags = 0;
1090 #ifdef CCNS_PL
1091 	wpabuf_put_u8(msg, 1); /* Protocol ID: IKE_SA notification */
1092 #else /* CCNS_PL */
1093 	wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1094 #endif /* CCNS_PL */
1095 	wpabuf_put_u8(msg, 0); /* SPI Size */
1096 	wpabuf_put_be16(msg, data->error_type);
1097 
1098 	switch (data->error_type) {
1099 	case INVALID_KE_PAYLOAD:
1100 		if (data->proposal.dh == -1) {
1101 			wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1102 				   "INVALID_KE_PAYLOAD notifications");
1103 			return -1;
1104 		}
1105 		wpabuf_put_be16(msg, data->proposal.dh);
1106 		wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1107 			   "DH Group #%d", data->proposal.dh);
1108 		break;
1109 	case AUTHENTICATION_FAILED:
1110 		/* no associated data */
1111 		break;
1112 	default:
1113 		wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1114 			   "%d", data->error_type);
1115 		return -1;
1116 	}
1117 
1118 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1119 	WPA_PUT_BE16(phdr->payload_length, plen);
1120 	return 0;
1121 }
1122 
1123 
1124 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1125 {
1126 	struct wpabuf *msg;
1127 
1128 	/* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1129 
1130 	if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1131 		return NULL;
1132 	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1133 		    data->r_spi, IKEV2_SPI_LEN);
1134 
1135 	data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1136 	if (os_get_random(data->r_nonce, data->r_nonce_len))
1137 		return NULL;
1138 #ifdef CCNS_PL
1139 	/* Zeros are removed incorrectly from the beginning of the nonces in
1140 	 * key derivation; as a workaround, make sure Nr does not start with
1141 	 * zero.. */
1142 	if (data->r_nonce[0] == 0)
1143 		data->r_nonce[0] = 1;
1144 #endif /* CCNS_PL */
1145 	wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1146 
1147 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1148 	if (msg == NULL)
1149 		return NULL;
1150 
1151 	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1152 	if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1153 	    ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1154 	    ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1155 			   IKEV2_PAYLOAD_ENCRYPTED :
1156 			   IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1157 		wpabuf_free(msg);
1158 		return NULL;
1159 	}
1160 
1161 	if (ikev2_derive_keys(data)) {
1162 		wpabuf_free(msg);
1163 		return NULL;
1164 	}
1165 
1166 	if (data->peer_auth == PEER_AUTH_CERT) {
1167 		/* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1168 		 * for trust agents */
1169 	}
1170 
1171 	if (data->peer_auth == PEER_AUTH_SECRET) {
1172 		struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1173 		if (plain == NULL) {
1174 			wpabuf_free(msg);
1175 			return NULL;
1176 		}
1177 		if (ikev2_build_idr(data, plain,
1178 				    IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1179 		    ikev2_build_encrypted(data->proposal.encr,
1180 					  data->proposal.integ,
1181 					  &data->keys, 0, msg, plain,
1182 					  IKEV2_PAYLOAD_IDr)) {
1183 			wpabuf_free(plain);
1184 			wpabuf_free(msg);
1185 			return NULL;
1186 		}
1187 		wpabuf_free(plain);
1188 	}
1189 
1190 	ikev2_update_hdr(msg);
1191 
1192 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1193 
1194 	data->state = SA_AUTH;
1195 
1196 	wpabuf_free(data->r_sign_msg);
1197 	data->r_sign_msg = wpabuf_dup(msg);
1198 
1199 	return msg;
1200 }
1201 
1202 
1203 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1204 {
1205 	struct wpabuf *msg, *plain;
1206 
1207 	/* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1208 
1209 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1210 	if (msg == NULL)
1211 		return NULL;
1212 	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1213 
1214 	plain = wpabuf_alloc(data->IDr_len + 1000);
1215 	if (plain == NULL) {
1216 		wpabuf_free(msg);
1217 		return NULL;
1218 	}
1219 
1220 	if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1221 	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1222 	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1223 				  &data->keys, 0, msg, plain,
1224 				  IKEV2_PAYLOAD_IDr)) {
1225 		wpabuf_free(plain);
1226 		wpabuf_free(msg);
1227 		return NULL;
1228 	}
1229 	wpabuf_free(plain);
1230 
1231 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1232 
1233 	data->state = IKEV2_DONE;
1234 
1235 	return msg;
1236 }
1237 
1238 
1239 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1240 {
1241 	struct wpabuf *msg;
1242 
1243 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1244 	if (msg == NULL)
1245 		return NULL;
1246 	if (data->last_msg == LAST_MSG_SA_AUTH) {
1247 		/* HDR, SK{N} */
1248 		struct wpabuf *plain = wpabuf_alloc(100);
1249 		if (plain == NULL) {
1250 			wpabuf_free(msg);
1251 			return NULL;
1252 		}
1253 		ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1254 				IKEV2_PAYLOAD_ENCRYPTED, 1);
1255 		if (ikev2_build_notification(data, plain,
1256 					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1257 		    ikev2_build_encrypted(data->proposal.encr,
1258 					  data->proposal.integ,
1259 					  &data->keys, 0, msg, plain,
1260 					  IKEV2_PAYLOAD_NOTIFICATION)) {
1261 			wpabuf_free(plain);
1262 			wpabuf_free(msg);
1263 			return NULL;
1264 		}
1265 		data->state = IKEV2_FAILED;
1266 	} else {
1267 		/* HDR, N */
1268 		ikev2_build_hdr(data, msg, IKE_SA_INIT,
1269 				IKEV2_PAYLOAD_NOTIFICATION, 0);
1270 		if (ikev2_build_notification(data, msg,
1271 					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1272 			wpabuf_free(msg);
1273 			return NULL;
1274 		}
1275 		data->state = SA_INIT;
1276 	}
1277 
1278 	ikev2_update_hdr(msg);
1279 
1280 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1281 			msg);
1282 
1283 	return msg;
1284 }
1285 
1286 
1287 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1288 {
1289 	switch (data->state) {
1290 	case SA_INIT:
1291 		return ikev2_build_sa_init(data);
1292 	case SA_AUTH:
1293 		return ikev2_build_sa_auth(data);
1294 	case CHILD_SA:
1295 		return NULL;
1296 	case NOTIFY:
1297 		return ikev2_build_notify(data);
1298 	case IKEV2_DONE:
1299 	case IKEV2_FAILED:
1300 		return NULL;
1301 	}
1302 	return NULL;
1303 }
1304