xref: /freebsd/contrib/wpa/src/eap_peer/ikev2.c (revision b2d48be1bc7df45ddd13b143a160d0acb5a383c5)
1 /*
2  * IKEv2 responder (RFC 4306) for EAP-IKEV2
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
14 #include "ikev2.h"
15 
16 
17 void ikev2_responder_deinit(struct ikev2_responder_data *data)
18 {
19 	ikev2_free_keys(&data->keys);
20 	wpabuf_free(data->i_dh_public);
21 	wpabuf_free(data->r_dh_private);
22 	os_free(data->IDi);
23 	os_free(data->IDr);
24 	os_free(data->shared_secret);
25 	wpabuf_free(data->i_sign_msg);
26 	wpabuf_free(data->r_sign_msg);
27 	os_free(data->key_pad);
28 }
29 
30 
31 static int ikev2_derive_keys(struct ikev2_responder_data *data)
32 {
33 	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34 	size_t buf_len, pad_len;
35 	struct wpabuf *shared;
36 	const struct ikev2_integ_alg *integ;
37 	const struct ikev2_prf_alg *prf;
38 	const struct ikev2_encr_alg *encr;
39 	int ret;
40 	const u8 *addr[2];
41 	size_t len[2];
42 
43 	/* RFC 4306, Sect. 2.14 */
44 
45 	integ = ikev2_get_integ(data->proposal.integ);
46 	prf = ikev2_get_prf(data->proposal.prf);
47 	encr = ikev2_get_encr(data->proposal.encr);
48 	if (integ == NULL || prf == NULL || encr == NULL) {
49 		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
50 		return -1;
51 	}
52 
53 	shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
54 				  data->dh);
55 	if (shared == NULL)
56 		return -1;
57 
58 	/* Construct Ni | Nr | SPIi | SPIr */
59 
60 	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61 	buf = os_malloc(buf_len);
62 	if (buf == NULL) {
63 		wpabuf_free(shared);
64 		return -1;
65 	}
66 
67 	pos = buf;
68 	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 	pos += data->i_nonce_len;
70 	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 	pos += data->r_nonce_len;
72 	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
73 	pos += IKEV2_SPI_LEN;
74 	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
75 
76 	/* SKEYSEED = prf(Ni | Nr, g^ir) */
77 	/* Use zero-padding per RFC 4306, Sect. 2.14 */
78 	pad_len = data->dh->prime_len - wpabuf_len(shared);
79 	pad = os_zalloc(pad_len ? pad_len : 1);
80 	if (pad == NULL) {
81 		wpabuf_free(shared);
82 		os_free(buf);
83 		return -1;
84 	}
85 
86 	addr[0] = pad;
87 	len[0] = pad_len;
88 	addr[1] = wpabuf_head(shared);
89 	len[1] = wpabuf_len(shared);
90 	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
91 			   2, addr, len, skeyseed) < 0) {
92 		wpabuf_free(shared);
93 		os_free(buf);
94 		os_free(pad);
95 		return -1;
96 	}
97 	os_free(pad);
98 	wpabuf_free(shared);
99 
100 	/* DH parameters are not needed anymore, so free them */
101 	wpabuf_free(data->i_dh_public);
102 	data->i_dh_public = NULL;
103 	wpabuf_free(data->r_dh_private);
104 	data->r_dh_private = NULL;
105 
106 	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
107 			skeyseed, prf->hash_len);
108 
109 	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
110 				   &data->keys);
111 	os_free(buf);
112 	return ret;
113 }
114 
115 
116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
117 				 const u8 *pos, const u8 *end)
118 {
119 	int transform_len;
120 	const struct ikev2_transform *t;
121 	u16 transform_id;
122 	const u8 *tend;
123 
124 	if (end - pos < (int) sizeof(*t)) {
125 		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
126 		return -1;
127 	}
128 
129 	t = (const struct ikev2_transform *) pos;
130 	transform_len = WPA_GET_BE16(t->transform_length);
131 	if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
132 		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
133 			   transform_len);
134 		return -1;
135 	}
136 	tend = pos + transform_len;
137 
138 	transform_id = WPA_GET_BE16(t->transform_id);
139 
140 	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
141 	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
142 		   "Transform Type: %d  Transform ID: %d",
143 		   t->type, transform_len, t->transform_type, transform_id);
144 
145 	if (t->type != 0 && t->type != 3) {
146 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
147 		return -1;
148 	}
149 
150 	pos = (const u8 *) (t + 1);
151 	if (pos < tend) {
152 		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
153 			    pos, tend - pos);
154 	}
155 
156 	switch (t->transform_type) {
157 	case IKEV2_TRANSFORM_ENCR:
158 		if (ikev2_get_encr(transform_id)) {
159 			if (transform_id == ENCR_AES_CBC) {
160 				if (tend - pos != 4) {
161 					wpa_printf(MSG_DEBUG, "IKEV2: No "
162 						   "Transform Attr for AES");
163 					break;
164 				}
165 				if (WPA_GET_BE16(pos) != 0x800e) {
166 					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
167 						   "Key Size attribute for "
168 						   "AES");
169 					break;
170 				}
171 				if (WPA_GET_BE16(pos + 2) != 128) {
172 					wpa_printf(MSG_DEBUG, "IKEV2: "
173 						   "Unsupported AES key size "
174 						   "%d bits",
175 						   WPA_GET_BE16(pos + 2));
176 					break;
177 				}
178 			}
179 			prop->encr = transform_id;
180 		}
181 		break;
182 	case IKEV2_TRANSFORM_PRF:
183 		if (ikev2_get_prf(transform_id))
184 			prop->prf = transform_id;
185 		break;
186 	case IKEV2_TRANSFORM_INTEG:
187 		if (ikev2_get_integ(transform_id))
188 			prop->integ = transform_id;
189 		break;
190 	case IKEV2_TRANSFORM_DH:
191 		if (dh_groups_get(transform_id))
192 			prop->dh = transform_id;
193 		break;
194 	}
195 
196 	return transform_len;
197 }
198 
199 
200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
201 				const u8 *pos, const u8 *end)
202 {
203 	const u8 *pend, *ppos;
204 	int proposal_len, i;
205 	const struct ikev2_proposal *p;
206 
207 	if (end - pos < (int) sizeof(*p)) {
208 		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
209 		return -1;
210 	}
211 
212 	/* FIX: AND processing if multiple proposals use the same # */
213 
214 	p = (const struct ikev2_proposal *) pos;
215 	proposal_len = WPA_GET_BE16(p->proposal_length);
216 	if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
217 		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
218 			   proposal_len);
219 		return -1;
220 	}
221 	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
222 		   p->proposal_num);
223 	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
224 		   " Protocol ID: %d",
225 		   p->type, proposal_len, p->protocol_id);
226 	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
227 		   p->spi_size, p->num_transforms);
228 
229 	if (p->type != 0 && p->type != 2) {
230 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
231 		return -1;
232 	}
233 
234 	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
235 		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
236 			   "(only IKE allowed for EAP-IKEv2)");
237 		return -1;
238 	}
239 
240 	if (p->proposal_num != prop->proposal_num) {
241 		if (p->proposal_num == prop->proposal_num + 1)
242 			prop->proposal_num = p->proposal_num;
243 		else {
244 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
245 			return -1;
246 		}
247 	}
248 
249 	ppos = (const u8 *) (p + 1);
250 	pend = pos + proposal_len;
251 	if (ppos + p->spi_size > pend) {
252 		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
253 			   "in proposal");
254 		return -1;
255 	}
256 	if (p->spi_size) {
257 		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
258 			    ppos, p->spi_size);
259 		ppos += p->spi_size;
260 	}
261 
262 	/*
263 	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
264 	 * subsequent negotiations, it must be 8 for IKE. We only support
265 	 * initial case for now.
266 	 */
267 	if (p->spi_size != 0) {
268 		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
269 		return -1;
270 	}
271 
272 	if (p->num_transforms == 0) {
273 		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
274 		return -1;
275 	}
276 
277 	for (i = 0; i < (int) p->num_transforms; i++) {
278 		int tlen = ikev2_parse_transform(prop, ppos, pend);
279 		if (tlen < 0)
280 			return -1;
281 		ppos += tlen;
282 	}
283 
284 	if (ppos != pend) {
285 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
286 			   "transforms");
287 		return -1;
288 	}
289 
290 	return proposal_len;
291 }
292 
293 
294 static int ikev2_process_sai1(struct ikev2_responder_data *data,
295 			      const u8 *sai1, size_t sai1_len)
296 {
297 	struct ikev2_proposal_data prop;
298 	const u8 *pos, *end;
299 	int found = 0;
300 
301 	/* Security Association Payloads: <Proposals> */
302 
303 	if (sai1 == NULL) {
304 		wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
305 		return -1;
306 	}
307 
308 	os_memset(&prop, 0, sizeof(prop));
309 	prop.proposal_num = 1;
310 
311 	pos = sai1;
312 	end = sai1 + sai1_len;
313 
314 	while (pos < end) {
315 		int plen;
316 
317 		prop.integ = -1;
318 		prop.prf = -1;
319 		prop.encr = -1;
320 		prop.dh = -1;
321 		plen = ikev2_parse_proposal(&prop, pos, end);
322 		if (plen < 0)
323 			return -1;
324 
325 		if (!found && prop.integ != -1 && prop.prf != -1 &&
326 		    prop.encr != -1 && prop.dh != -1) {
327 			os_memcpy(&data->proposal, &prop, sizeof(prop));
328 			data->dh = dh_groups_get(prop.dh);
329 			found = 1;
330 		}
331 
332 		pos += plen;
333 	}
334 
335 	if (pos != end) {
336 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
337 		return -1;
338 	}
339 
340 	if (!found) {
341 		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
342 		return -1;
343 	}
344 
345 	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
346 		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
347 		   data->proposal.encr, data->proposal.prf,
348 		   data->proposal.integ, data->proposal.dh);
349 
350 	return 0;
351 }
352 
353 
354 static int ikev2_process_kei(struct ikev2_responder_data *data,
355 			     const u8 *kei, size_t kei_len)
356 {
357 	u16 group;
358 
359 	/*
360 	 * Key Exchange Payload:
361 	 * DH Group # (16 bits)
362 	 * RESERVED (16 bits)
363 	 * Key Exchange Data (Diffie-Hellman public value)
364 	 */
365 
366 	if (kei == NULL) {
367 		wpa_printf(MSG_INFO, "IKEV2: KEi not received");
368 		return -1;
369 	}
370 
371 	if (kei_len < 4 + 96) {
372 		wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload");
373 		return -1;
374 	}
375 
376 	group = WPA_GET_BE16(kei);
377 	wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
378 
379 	if (group != data->proposal.dh) {
380 		wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
381 			   "with the selected proposal (%u)",
382 			   group, data->proposal.dh);
383 		/* Reject message with Notify payload of type
384 		 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
385 		data->error_type = INVALID_KE_PAYLOAD;
386 		data->state = NOTIFY;
387 		return -1;
388 	}
389 
390 	if (data->dh == NULL) {
391 		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
392 		return -1;
393 	}
394 
395 	/* RFC 4306, Section 3.4:
396 	 * The length of DH public value MUST be equal to the length of the
397 	 * prime modulus.
398 	 */
399 	if (kei_len - 4 != data->dh->prime_len) {
400 		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
401 			   "%ld (expected %ld)",
402 			   (long) (kei_len - 4), (long) data->dh->prime_len);
403 		return -1;
404 	}
405 
406 	wpabuf_free(data->i_dh_public);
407 	data->i_dh_public = wpabuf_alloc(kei_len - 4);
408 	if (data->i_dh_public == NULL)
409 		return -1;
410 	wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
411 
412 	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
413 			data->i_dh_public);
414 
415 	return 0;
416 }
417 
418 
419 static int ikev2_process_ni(struct ikev2_responder_data *data,
420 			    const u8 *ni, size_t ni_len)
421 {
422 	if (ni == NULL) {
423 		wpa_printf(MSG_INFO, "IKEV2: Ni not received");
424 		return -1;
425 	}
426 
427 	if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
428 		wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
429 		           (long) ni_len);
430 		return -1;
431 	}
432 
433 	data->i_nonce_len = ni_len;
434 	os_memcpy(data->i_nonce, ni, ni_len);
435 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
436 		    data->i_nonce, data->i_nonce_len);
437 
438 	return 0;
439 }
440 
441 
442 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
443 				 const struct ikev2_hdr *hdr,
444 				 struct ikev2_payloads *pl)
445 {
446 	if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
447 	    ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
448 	    ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
449 		return -1;
450 
451 	os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
452 
453 	return 0;
454 }
455 
456 
457 static int ikev2_process_idi(struct ikev2_responder_data *data,
458 			     const u8 *idi, size_t idi_len)
459 {
460 	u8 id_type;
461 
462 	if (idi == NULL) {
463 		wpa_printf(MSG_INFO, "IKEV2: No IDi received");
464 		return -1;
465 	}
466 
467 	if (idi_len < 4) {
468 		wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
469 		return -1;
470 	}
471 
472 	id_type = idi[0];
473 	idi += 4;
474 	idi_len -= 4;
475 
476 	wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
477 	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
478 	os_free(data->IDi);
479 	data->IDi = os_malloc(idi_len);
480 	if (data->IDi == NULL)
481 		return -1;
482 	os_memcpy(data->IDi, idi, idi_len);
483 	data->IDi_len = idi_len;
484 	data->IDi_type = id_type;
485 
486 	return 0;
487 }
488 
489 
490 static int ikev2_process_cert(struct ikev2_responder_data *data,
491 			      const u8 *cert, size_t cert_len)
492 {
493 	u8 cert_encoding;
494 
495 	if (cert == NULL) {
496 		if (data->peer_auth == PEER_AUTH_CERT) {
497 			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
498 			return -1;
499 		}
500 		return 0;
501 	}
502 
503 	if (cert_len < 1) {
504 		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
505 		return -1;
506 	}
507 
508 	cert_encoding = cert[0];
509 	cert++;
510 	cert_len--;
511 
512 	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
513 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
514 
515 	/* TODO: validate certificate */
516 
517 	return 0;
518 }
519 
520 
521 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
522 				   u8 method, const u8 *auth, size_t auth_len)
523 {
524 	if (method != AUTH_RSA_SIGN) {
525 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
526 			   "method %d", method);
527 		return -1;
528 	}
529 
530 	/* TODO: validate AUTH */
531 	return 0;
532 }
533 
534 
535 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
536 				     u8 method, const u8 *auth,
537 				     size_t auth_len)
538 {
539 	u8 auth_data[IKEV2_MAX_HASH_LEN];
540 	const struct ikev2_prf_alg *prf;
541 
542 	if (method != AUTH_SHARED_KEY_MIC) {
543 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
544 			   "method %d", method);
545 		return -1;
546 	}
547 
548 	/* msg | Nr | prf(SK_pi,IDi') */
549 	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
550 				   data->IDi, data->IDi_len, data->IDi_type,
551 				   &data->keys, 1, data->shared_secret,
552 				   data->shared_secret_len,
553 				   data->r_nonce, data->r_nonce_len,
554 				   data->key_pad, data->key_pad_len,
555 				   auth_data) < 0) {
556 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
557 		return -1;
558 	}
559 
560 	wpabuf_free(data->i_sign_msg);
561 	data->i_sign_msg = NULL;
562 
563 	prf = ikev2_get_prf(data->proposal.prf);
564 	if (prf == NULL)
565 		return -1;
566 
567 	if (auth_len != prf->hash_len ||
568 	    os_memcmp_const(auth, auth_data, auth_len) != 0) {
569 		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
570 		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
571 			    auth, auth_len);
572 		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
573 			    auth_data, prf->hash_len);
574 		data->error_type = AUTHENTICATION_FAILED;
575 		data->state = NOTIFY;
576 		return -1;
577 	}
578 
579 	wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
580 		   "using shared keys");
581 
582 	return 0;
583 }
584 
585 
586 static int ikev2_process_auth(struct ikev2_responder_data *data,
587 			      const u8 *auth, size_t auth_len)
588 {
589 	u8 auth_method;
590 
591 	if (auth == NULL) {
592 		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
593 		return -1;
594 	}
595 
596 	if (auth_len < 4) {
597 		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
598 			   "Payload");
599 		return -1;
600 	}
601 
602 	auth_method = auth[0];
603 	auth += 4;
604 	auth_len -= 4;
605 
606 	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
607 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
608 
609 	switch (data->peer_auth) {
610 	case PEER_AUTH_CERT:
611 		return ikev2_process_auth_cert(data, auth_method, auth,
612 					       auth_len);
613 	case PEER_AUTH_SECRET:
614 		return ikev2_process_auth_secret(data, auth_method, auth,
615 						 auth_len);
616 	}
617 
618 	return -1;
619 }
620 
621 
622 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
623 					   u8 next_payload,
624 					   u8 *payload, size_t payload_len)
625 {
626 	struct ikev2_payloads pl;
627 
628 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
629 
630 	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
631 				 payload_len) < 0) {
632 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
633 			   "payloads");
634 		return -1;
635 	}
636 
637 	if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
638 	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
639 	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
640 		return -1;
641 
642 	return 0;
643 }
644 
645 
646 static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
647 				 const struct ikev2_hdr *hdr,
648 				 struct ikev2_payloads *pl)
649 {
650 	u8 *decrypted;
651 	size_t decrypted_len;
652 	int ret;
653 
654 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
655 					  data->proposal.integ,
656 					  &data->keys, 1, hdr, pl->encrypted,
657 					  pl->encrypted_len, &decrypted_len);
658 	if (decrypted == NULL)
659 		return -1;
660 
661 	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
662 					      decrypted, decrypted_len);
663 	os_free(decrypted);
664 
665 	return ret;
666 }
667 
668 
669 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
670 				   u8 exchange_type, u32 message_id)
671 {
672 	switch (data->state) {
673 	case SA_INIT:
674 		/* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
675 		if (exchange_type != IKE_SA_INIT) {
676 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
677 				   "%u in SA_INIT state", exchange_type);
678 			return -1;
679 		}
680 		if (message_id != 0) {
681 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
682 				   "in SA_INIT state", message_id);
683 			return -1;
684 		}
685 		break;
686 	case SA_AUTH:
687 		/* Expect to receive IKE_SA_AUTH:
688 		 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
689 		 *	AUTH, SAi2, TSi, TSr}
690 		 */
691 		if (exchange_type != IKE_SA_AUTH) {
692 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
693 				   "%u in SA_AUTH state", exchange_type);
694 			return -1;
695 		}
696 		if (message_id != 1) {
697 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
698 				   "in SA_AUTH state", message_id);
699 			return -1;
700 		}
701 		break;
702 	case CHILD_SA:
703 		if (exchange_type != CREATE_CHILD_SA) {
704 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
705 				   "%u in CHILD_SA state", exchange_type);
706 			return -1;
707 		}
708 		if (message_id != 2) {
709 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
710 				   "in CHILD_SA state", message_id);
711 			return -1;
712 		}
713 		break;
714 	case NOTIFY:
715 	case IKEV2_DONE:
716 	case IKEV2_FAILED:
717 		return -1;
718 	}
719 
720 	return 0;
721 }
722 
723 
724 int ikev2_responder_process(struct ikev2_responder_data *data,
725 			    const struct wpabuf *buf)
726 {
727 	const struct ikev2_hdr *hdr;
728 	u32 length, message_id;
729 	const u8 *pos, *end;
730 	struct ikev2_payloads pl;
731 
732 	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
733 		   (unsigned long) wpabuf_len(buf));
734 
735 	if (wpabuf_len(buf) < sizeof(*hdr)) {
736 		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
737 		return -1;
738 	}
739 
740 	data->error_type = 0;
741 	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
742 	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
743 	message_id = WPA_GET_BE32(hdr->message_id);
744 	length = WPA_GET_BE32(hdr->length);
745 
746 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
747 		    hdr->i_spi, IKEV2_SPI_LEN);
748 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Responder's SPI",
749 		    hdr->r_spi, IKEV2_SPI_LEN);
750 	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
751 		   "Exchange Type: %u",
752 		   hdr->next_payload, hdr->version, hdr->exchange_type);
753 	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
754 		   message_id, length);
755 
756 	if (hdr->version != IKEV2_VERSION) {
757 		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
758 			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
759 		return -1;
760 	}
761 
762 	if (length != wpabuf_len(buf)) {
763 		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
764 			   "RX: %lu)", (unsigned long) length,
765 			   (unsigned long) wpabuf_len(buf));
766 		return -1;
767 	}
768 
769 	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
770 		return -1;
771 
772 	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
773 	    IKEV2_HDR_INITIATOR) {
774 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
775 			   hdr->flags);
776 		return -1;
777 	}
778 
779 	if (data->state != SA_INIT) {
780 		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
781 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
782 				   "Initiator's SPI");
783 			return -1;
784 		}
785 		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
786 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
787 				   "Responder's SPI");
788 			return -1;
789 		}
790 	}
791 
792 	pos = (const u8 *) (hdr + 1);
793 	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
794 		return -1;
795 
796 	if (data->state == SA_INIT) {
797 		data->last_msg = LAST_MSG_SA_INIT;
798 		if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
799 			if (data->state == NOTIFY)
800 				return 0;
801 			return -1;
802 		}
803 		wpabuf_free(data->i_sign_msg);
804 		data->i_sign_msg = wpabuf_dup(buf);
805 	}
806 
807 	if (data->state == SA_AUTH) {
808 		data->last_msg = LAST_MSG_SA_AUTH;
809 		if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
810 			if (data->state == NOTIFY)
811 				return 0;
812 			return -1;
813 		}
814 	}
815 
816 	return 0;
817 }
818 
819 
820 static void ikev2_build_hdr(struct ikev2_responder_data *data,
821 			    struct wpabuf *msg, u8 exchange_type,
822 			    u8 next_payload, u32 message_id)
823 {
824 	struct ikev2_hdr *hdr;
825 
826 	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
827 
828 	/* HDR - RFC 4306, Sect. 3.1 */
829 	hdr = wpabuf_put(msg, sizeof(*hdr));
830 	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
831 	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
832 	hdr->next_payload = next_payload;
833 	hdr->version = IKEV2_VERSION;
834 	hdr->exchange_type = exchange_type;
835 	hdr->flags = IKEV2_HDR_RESPONSE;
836 	WPA_PUT_BE32(hdr->message_id, message_id);
837 }
838 
839 
840 static int ikev2_build_sar1(struct ikev2_responder_data *data,
841 			    struct wpabuf *msg, u8 next_payload)
842 {
843 	struct ikev2_payload_hdr *phdr;
844 	size_t plen;
845 	struct ikev2_proposal *p;
846 	struct ikev2_transform *t;
847 
848 	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
849 
850 	/* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
851 	phdr = wpabuf_put(msg, sizeof(*phdr));
852 	phdr->next_payload = next_payload;
853 	phdr->flags = 0;
854 
855 	p = wpabuf_put(msg, sizeof(*p));
856 	p->proposal_num = data->proposal.proposal_num;
857 	p->protocol_id = IKEV2_PROTOCOL_IKE;
858 	p->num_transforms = 4;
859 
860 	t = wpabuf_put(msg, sizeof(*t));
861 	t->type = 3;
862 	t->transform_type = IKEV2_TRANSFORM_ENCR;
863 	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
864 	if (data->proposal.encr == ENCR_AES_CBC) {
865 		/* Transform Attribute: Key Len = 128 bits */
866 		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
867 		wpabuf_put_be16(msg, 128); /* 128-bit key */
868 	}
869 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
870 	WPA_PUT_BE16(t->transform_length, plen);
871 
872 	t = wpabuf_put(msg, sizeof(*t));
873 	t->type = 3;
874 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
875 	t->transform_type = IKEV2_TRANSFORM_PRF;
876 	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
877 
878 	t = wpabuf_put(msg, sizeof(*t));
879 	t->type = 3;
880 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
881 	t->transform_type = IKEV2_TRANSFORM_INTEG;
882 	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
883 
884 	t = wpabuf_put(msg, sizeof(*t));
885 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
886 	t->transform_type = IKEV2_TRANSFORM_DH;
887 	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
888 
889 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
890 	WPA_PUT_BE16(p->proposal_length, plen);
891 
892 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
893 	WPA_PUT_BE16(phdr->payload_length, plen);
894 
895 	return 0;
896 }
897 
898 
899 static int ikev2_build_ker(struct ikev2_responder_data *data,
900 			   struct wpabuf *msg, u8 next_payload)
901 {
902 	struct ikev2_payload_hdr *phdr;
903 	size_t plen;
904 	struct wpabuf *pv;
905 
906 	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
907 
908 	pv = dh_init(data->dh, &data->r_dh_private);
909 	if (pv == NULL) {
910 		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
911 		return -1;
912 	}
913 
914 	/* KEr - RFC 4306, Sect. 3.4 */
915 	phdr = wpabuf_put(msg, sizeof(*phdr));
916 	phdr->next_payload = next_payload;
917 	phdr->flags = 0;
918 
919 	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
920 	wpabuf_put(msg, 2); /* RESERVED */
921 	/*
922 	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
923 	 * match the length of the prime.
924 	 */
925 	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
926 	wpabuf_put_buf(msg, pv);
927 	wpabuf_free(pv);
928 
929 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
930 	WPA_PUT_BE16(phdr->payload_length, plen);
931 	return 0;
932 }
933 
934 
935 static int ikev2_build_nr(struct ikev2_responder_data *data,
936 			  struct wpabuf *msg, u8 next_payload)
937 {
938 	struct ikev2_payload_hdr *phdr;
939 	size_t plen;
940 
941 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
942 
943 	/* Nr - RFC 4306, Sect. 3.9 */
944 	phdr = wpabuf_put(msg, sizeof(*phdr));
945 	phdr->next_payload = next_payload;
946 	phdr->flags = 0;
947 	wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
948 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
949 	WPA_PUT_BE16(phdr->payload_length, plen);
950 	return 0;
951 }
952 
953 
954 static int ikev2_build_idr(struct ikev2_responder_data *data,
955 			   struct wpabuf *msg, u8 next_payload)
956 {
957 	struct ikev2_payload_hdr *phdr;
958 	size_t plen;
959 
960 	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
961 
962 	if (data->IDr == NULL) {
963 		wpa_printf(MSG_INFO, "IKEV2: No IDr available");
964 		return -1;
965 	}
966 
967 	/* IDr - RFC 4306, Sect. 3.5 */
968 	phdr = wpabuf_put(msg, sizeof(*phdr));
969 	phdr->next_payload = next_payload;
970 	phdr->flags = 0;
971 	wpabuf_put_u8(msg, ID_KEY_ID);
972 	wpabuf_put(msg, 3); /* RESERVED */
973 	wpabuf_put_data(msg, data->IDr, data->IDr_len);
974 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
975 	WPA_PUT_BE16(phdr->payload_length, plen);
976 	return 0;
977 }
978 
979 
980 static int ikev2_build_auth(struct ikev2_responder_data *data,
981 			    struct wpabuf *msg, u8 next_payload)
982 {
983 	struct ikev2_payload_hdr *phdr;
984 	size_t plen;
985 	const struct ikev2_prf_alg *prf;
986 
987 	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
988 
989 	prf = ikev2_get_prf(data->proposal.prf);
990 	if (prf == NULL)
991 		return -1;
992 
993 	/* Authentication - RFC 4306, Sect. 3.8 */
994 	phdr = wpabuf_put(msg, sizeof(*phdr));
995 	phdr->next_payload = next_payload;
996 	phdr->flags = 0;
997 	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
998 	wpabuf_put(msg, 3); /* RESERVED */
999 
1000 	/* msg | Ni | prf(SK_pr,IDr') */
1001 	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1002 				   data->IDr, data->IDr_len, ID_KEY_ID,
1003 				   &data->keys, 0, data->shared_secret,
1004 				   data->shared_secret_len,
1005 				   data->i_nonce, data->i_nonce_len,
1006 				   data->key_pad, data->key_pad_len,
1007 				   wpabuf_put(msg, prf->hash_len)) < 0) {
1008 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1009 		return -1;
1010 	}
1011 	wpabuf_free(data->r_sign_msg);
1012 	data->r_sign_msg = NULL;
1013 
1014 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1015 	WPA_PUT_BE16(phdr->payload_length, plen);
1016 	return 0;
1017 }
1018 
1019 
1020 static int ikev2_build_notification(struct ikev2_responder_data *data,
1021 				    struct wpabuf *msg, u8 next_payload)
1022 {
1023 	struct ikev2_payload_hdr *phdr;
1024 	size_t plen;
1025 
1026 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1027 
1028 	if (data->error_type == 0) {
1029 		wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1030 			   "available");
1031 		return -1;
1032 	}
1033 
1034 	/* Notify - RFC 4306, Sect. 3.10 */
1035 	phdr = wpabuf_put(msg, sizeof(*phdr));
1036 	phdr->next_payload = next_payload;
1037 	phdr->flags = 0;
1038 	wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1039 	wpabuf_put_u8(msg, 0); /* SPI Size */
1040 	wpabuf_put_be16(msg, data->error_type);
1041 
1042 	switch (data->error_type) {
1043 	case INVALID_KE_PAYLOAD:
1044 		if (data->proposal.dh == -1) {
1045 			wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1046 				   "INVALID_KE_PAYLOAD notifications");
1047 			return -1;
1048 		}
1049 		wpabuf_put_be16(msg, data->proposal.dh);
1050 		wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1051 			   "DH Group #%d", data->proposal.dh);
1052 		break;
1053 	case AUTHENTICATION_FAILED:
1054 		/* no associated data */
1055 		break;
1056 	default:
1057 		wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1058 			   "%d", data->error_type);
1059 		return -1;
1060 	}
1061 
1062 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1063 	WPA_PUT_BE16(phdr->payload_length, plen);
1064 	return 0;
1065 }
1066 
1067 
1068 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1069 {
1070 	struct wpabuf *msg;
1071 
1072 	/* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1073 
1074 	if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1075 		return NULL;
1076 	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1077 		    data->r_spi, IKEV2_SPI_LEN);
1078 
1079 	data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1080 	if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1081 		return NULL;
1082 	wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1083 
1084 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1085 	if (msg == NULL)
1086 		return NULL;
1087 
1088 	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1089 	if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1090 	    ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1091 	    ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1092 			   IKEV2_PAYLOAD_ENCRYPTED :
1093 			   IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1094 		wpabuf_free(msg);
1095 		return NULL;
1096 	}
1097 
1098 	if (ikev2_derive_keys(data)) {
1099 		wpabuf_free(msg);
1100 		return NULL;
1101 	}
1102 
1103 	if (data->peer_auth == PEER_AUTH_CERT) {
1104 		/* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1105 		 * for trust agents */
1106 	}
1107 
1108 	if (data->peer_auth == PEER_AUTH_SECRET) {
1109 		struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1110 		if (plain == NULL) {
1111 			wpabuf_free(msg);
1112 			return NULL;
1113 		}
1114 		if (ikev2_build_idr(data, plain,
1115 				    IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1116 		    ikev2_build_encrypted(data->proposal.encr,
1117 					  data->proposal.integ,
1118 					  &data->keys, 0, msg, plain,
1119 					  IKEV2_PAYLOAD_IDr)) {
1120 			wpabuf_free(plain);
1121 			wpabuf_free(msg);
1122 			return NULL;
1123 		}
1124 		wpabuf_free(plain);
1125 	}
1126 
1127 	ikev2_update_hdr(msg);
1128 
1129 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1130 
1131 	data->state = SA_AUTH;
1132 
1133 	wpabuf_free(data->r_sign_msg);
1134 	data->r_sign_msg = wpabuf_dup(msg);
1135 
1136 	return msg;
1137 }
1138 
1139 
1140 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1141 {
1142 	struct wpabuf *msg, *plain;
1143 
1144 	/* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1145 
1146 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1147 	if (msg == NULL)
1148 		return NULL;
1149 	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1150 
1151 	plain = wpabuf_alloc(data->IDr_len + 1000);
1152 	if (plain == NULL) {
1153 		wpabuf_free(msg);
1154 		return NULL;
1155 	}
1156 
1157 	if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1158 	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1159 	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1160 				  &data->keys, 0, msg, plain,
1161 				  IKEV2_PAYLOAD_IDr)) {
1162 		wpabuf_free(plain);
1163 		wpabuf_free(msg);
1164 		return NULL;
1165 	}
1166 	wpabuf_free(plain);
1167 
1168 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1169 
1170 	data->state = IKEV2_DONE;
1171 
1172 	return msg;
1173 }
1174 
1175 
1176 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1177 {
1178 	struct wpabuf *msg;
1179 
1180 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1181 	if (msg == NULL)
1182 		return NULL;
1183 	if (data->last_msg == LAST_MSG_SA_AUTH) {
1184 		/* HDR, SK{N} */
1185 		struct wpabuf *plain = wpabuf_alloc(100);
1186 		if (plain == NULL) {
1187 			wpabuf_free(msg);
1188 			return NULL;
1189 		}
1190 		ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1191 				IKEV2_PAYLOAD_ENCRYPTED, 1);
1192 		if (ikev2_build_notification(data, plain,
1193 					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1194 		    ikev2_build_encrypted(data->proposal.encr,
1195 					  data->proposal.integ,
1196 					  &data->keys, 0, msg, plain,
1197 					  IKEV2_PAYLOAD_NOTIFICATION)) {
1198 			wpabuf_free(plain);
1199 			wpabuf_free(msg);
1200 			return NULL;
1201 		}
1202 		wpabuf_free(plain);
1203 		data->state = IKEV2_FAILED;
1204 	} else {
1205 		/* HDR, N */
1206 		ikev2_build_hdr(data, msg, IKE_SA_INIT,
1207 				IKEV2_PAYLOAD_NOTIFICATION, 0);
1208 		if (ikev2_build_notification(data, msg,
1209 					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1210 			wpabuf_free(msg);
1211 			return NULL;
1212 		}
1213 		data->state = SA_INIT;
1214 	}
1215 
1216 	ikev2_update_hdr(msg);
1217 
1218 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1219 			msg);
1220 
1221 	return msg;
1222 }
1223 
1224 
1225 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1226 {
1227 	switch (data->state) {
1228 	case SA_INIT:
1229 		return ikev2_build_sa_init(data);
1230 	case SA_AUTH:
1231 		return ikev2_build_sa_auth(data);
1232 	case CHILD_SA:
1233 		return NULL;
1234 	case NOTIFY:
1235 		return ikev2_build_notify(data);
1236 	case IKEV2_DONE:
1237 	case IKEV2_FAILED:
1238 		return NULL;
1239 	}
1240 	return NULL;
1241 }
1242