1 /* 2 * IKEv2 responder (RFC 4306) for EAP-IKEV2 3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/dh_groups.h" 13 #include "crypto/random.h" 14 #include "ikev2.h" 15 16 17 void ikev2_responder_deinit(struct ikev2_responder_data *data) 18 { 19 ikev2_free_keys(&data->keys); 20 wpabuf_free(data->i_dh_public); 21 wpabuf_free(data->r_dh_private); 22 os_free(data->IDi); 23 os_free(data->IDr); 24 os_free(data->shared_secret); 25 wpabuf_free(data->i_sign_msg); 26 wpabuf_free(data->r_sign_msg); 27 os_free(data->key_pad); 28 } 29 30 31 static int ikev2_derive_keys(struct ikev2_responder_data *data) 32 { 33 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; 34 size_t buf_len, pad_len; 35 struct wpabuf *shared; 36 const struct ikev2_integ_alg *integ; 37 const struct ikev2_prf_alg *prf; 38 const struct ikev2_encr_alg *encr; 39 int ret; 40 const u8 *addr[2]; 41 size_t len[2]; 42 43 /* RFC 4306, Sect. 2.14 */ 44 45 integ = ikev2_get_integ(data->proposal.integ); 46 prf = ikev2_get_prf(data->proposal.prf); 47 encr = ikev2_get_encr(data->proposal.encr); 48 if (integ == NULL || prf == NULL || encr == NULL) { 49 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal"); 50 return -1; 51 } 52 53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private, 54 data->dh); 55 if (shared == NULL) 56 return -1; 57 58 /* Construct Ni | Nr | SPIi | SPIr */ 59 60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; 61 buf = os_malloc(buf_len); 62 if (buf == NULL) { 63 wpabuf_free(shared); 64 return -1; 65 } 66 67 pos = buf; 68 os_memcpy(pos, data->i_nonce, data->i_nonce_len); 69 pos += data->i_nonce_len; 70 os_memcpy(pos, data->r_nonce, data->r_nonce_len); 71 pos += data->r_nonce_len; 72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); 73 pos += IKEV2_SPI_LEN; 74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); 75 76 /* SKEYSEED = prf(Ni | Nr, g^ir) */ 77 /* Use zero-padding per RFC 4306, Sect. 2.14 */ 78 pad_len = data->dh->prime_len - wpabuf_len(shared); 79 pad = os_zalloc(pad_len ? pad_len : 1); 80 if (pad == NULL) { 81 wpabuf_free(shared); 82 os_free(buf); 83 return -1; 84 } 85 86 addr[0] = pad; 87 len[0] = pad_len; 88 addr[1] = wpabuf_head(shared); 89 len[1] = wpabuf_len(shared); 90 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 91 2, addr, len, skeyseed) < 0) { 92 wpabuf_free(shared); 93 os_free(buf); 94 os_free(pad); 95 return -1; 96 } 97 os_free(pad); 98 wpabuf_free(shared); 99 100 /* DH parameters are not needed anymore, so free them */ 101 wpabuf_free(data->i_dh_public); 102 data->i_dh_public = NULL; 103 wpabuf_free(data->r_dh_private); 104 data->r_dh_private = NULL; 105 106 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", 107 skeyseed, prf->hash_len); 108 109 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, 110 &data->keys); 111 os_free(buf); 112 return ret; 113 } 114 115 116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop, 117 const u8 *pos, const u8 *end) 118 { 119 int transform_len; 120 const struct ikev2_transform *t; 121 u16 transform_id; 122 const u8 *tend; 123 124 if (end - pos < (int) sizeof(*t)) { 125 wpa_printf(MSG_INFO, "IKEV2: Too short transform"); 126 return -1; 127 } 128 129 t = (const struct ikev2_transform *) pos; 130 transform_len = WPA_GET_BE16(t->transform_length); 131 if (transform_len < (int) sizeof(*t) || transform_len > end - pos) { 132 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d", 133 transform_len); 134 return -1; 135 } 136 tend = pos + transform_len; 137 138 transform_id = WPA_GET_BE16(t->transform_id); 139 140 wpa_printf(MSG_DEBUG, "IKEV2: Transform:"); 141 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d " 142 "Transform Type: %d Transform ID: %d", 143 t->type, transform_len, t->transform_type, transform_id); 144 145 if (t->type != 0 && t->type != 3) { 146 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type"); 147 return -1; 148 } 149 150 pos = (const u8 *) (t + 1); 151 if (pos < tend) { 152 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes", 153 pos, tend - pos); 154 } 155 156 switch (t->transform_type) { 157 case IKEV2_TRANSFORM_ENCR: 158 if (ikev2_get_encr(transform_id)) { 159 if (transform_id == ENCR_AES_CBC) { 160 if (tend - pos != 4) { 161 wpa_printf(MSG_DEBUG, "IKEV2: No " 162 "Transform Attr for AES"); 163 break; 164 } 165 if (WPA_GET_BE16(pos) != 0x800e) { 166 wpa_printf(MSG_DEBUG, "IKEV2: Not a " 167 "Key Size attribute for " 168 "AES"); 169 break; 170 } 171 if (WPA_GET_BE16(pos + 2) != 128) { 172 wpa_printf(MSG_DEBUG, "IKEV2: " 173 "Unsupported AES key size " 174 "%d bits", 175 WPA_GET_BE16(pos + 2)); 176 break; 177 } 178 } 179 prop->encr = transform_id; 180 } 181 break; 182 case IKEV2_TRANSFORM_PRF: 183 if (ikev2_get_prf(transform_id)) 184 prop->prf = transform_id; 185 break; 186 case IKEV2_TRANSFORM_INTEG: 187 if (ikev2_get_integ(transform_id)) 188 prop->integ = transform_id; 189 break; 190 case IKEV2_TRANSFORM_DH: 191 if (dh_groups_get(transform_id)) 192 prop->dh = transform_id; 193 break; 194 } 195 196 return transform_len; 197 } 198 199 200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop, 201 const u8 *pos, const u8 *end) 202 { 203 const u8 *pend, *ppos; 204 int proposal_len; 205 unsigned int i, num; 206 const struct ikev2_proposal *p; 207 208 if (end - pos < (int) sizeof(*p)) { 209 wpa_printf(MSG_INFO, "IKEV2: Too short proposal"); 210 return -1; 211 } 212 213 /* FIX: AND processing if multiple proposals use the same # */ 214 215 p = (const struct ikev2_proposal *) pos; 216 proposal_len = WPA_GET_BE16(p->proposal_length); 217 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) { 218 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d", 219 proposal_len); 220 return -1; 221 } 222 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d", 223 p->proposal_num); 224 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d " 225 " Protocol ID: %d", 226 p->type, proposal_len, p->protocol_id); 227 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d", 228 p->spi_size, p->num_transforms); 229 230 if (p->type != 0 && p->type != 2) { 231 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type"); 232 return -1; 233 } 234 235 if (p->protocol_id != IKEV2_PROTOCOL_IKE) { 236 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID " 237 "(only IKE allowed for EAP-IKEv2)"); 238 return -1; 239 } 240 241 if (p->proposal_num != prop->proposal_num) { 242 if (p->proposal_num == prop->proposal_num + 1) 243 prop->proposal_num = p->proposal_num; 244 else { 245 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #"); 246 return -1; 247 } 248 } 249 250 ppos = (const u8 *) (p + 1); 251 pend = pos + proposal_len; 252 if (p->spi_size > pend - ppos) { 253 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI " 254 "in proposal"); 255 return -1; 256 } 257 if (p->spi_size) { 258 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI", 259 ppos, p->spi_size); 260 ppos += p->spi_size; 261 } 262 263 /* 264 * For initial IKE_SA negotiation, SPI Size MUST be zero; for 265 * subsequent negotiations, it must be 8 for IKE. We only support 266 * initial case for now. 267 */ 268 if (p->spi_size != 0) { 269 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size"); 270 return -1; 271 } 272 273 num = p->num_transforms; 274 if (num == 0 || num > 255) { 275 wpa_printf(MSG_INFO, "IKEV2: At least one transform required"); 276 return -1; 277 } 278 279 for (i = 0; i < num; i++) { 280 int tlen = ikev2_parse_transform(prop, ppos, pend); 281 if (tlen < 0) 282 return -1; 283 ppos += tlen; 284 } 285 286 if (ppos != pend) { 287 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after " 288 "transforms"); 289 return -1; 290 } 291 292 return proposal_len; 293 } 294 295 296 static int ikev2_process_sai1(struct ikev2_responder_data *data, 297 const u8 *sai1, size_t sai1_len) 298 { 299 struct ikev2_proposal_data prop; 300 const u8 *pos, *end; 301 int found = 0; 302 303 /* Security Association Payloads: <Proposals> */ 304 305 if (sai1 == NULL) { 306 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received"); 307 return -1; 308 } 309 310 os_memset(&prop, 0, sizeof(prop)); 311 prop.proposal_num = 1; 312 313 pos = sai1; 314 end = sai1 + sai1_len; 315 316 while (pos < end) { 317 int plen; 318 319 prop.integ = -1; 320 prop.prf = -1; 321 prop.encr = -1; 322 prop.dh = -1; 323 plen = ikev2_parse_proposal(&prop, pos, end); 324 if (plen < 0) 325 return -1; 326 327 if (!found && prop.integ != -1 && prop.prf != -1 && 328 prop.encr != -1 && prop.dh != -1) { 329 os_memcpy(&data->proposal, &prop, sizeof(prop)); 330 data->dh = dh_groups_get(prop.dh); 331 found = 1; 332 } 333 334 pos += plen; 335 } 336 337 if (pos != end) { 338 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals"); 339 return -1; 340 } 341 342 if (!found) { 343 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found"); 344 return -1; 345 } 346 347 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d " 348 "INTEG:%d D-H:%d", data->proposal.proposal_num, 349 data->proposal.encr, data->proposal.prf, 350 data->proposal.integ, data->proposal.dh); 351 352 return 0; 353 } 354 355 356 static int ikev2_process_kei(struct ikev2_responder_data *data, 357 const u8 *kei, size_t kei_len) 358 { 359 u16 group; 360 361 /* 362 * Key Exchange Payload: 363 * DH Group # (16 bits) 364 * RESERVED (16 bits) 365 * Key Exchange Data (Diffie-Hellman public value) 366 */ 367 368 if (kei == NULL) { 369 wpa_printf(MSG_INFO, "IKEV2: KEi not received"); 370 return -1; 371 } 372 373 if (kei_len < 4 + 96) { 374 wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload"); 375 return -1; 376 } 377 378 group = WPA_GET_BE16(kei); 379 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group); 380 381 if (group != data->proposal.dh) { 382 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match " 383 "with the selected proposal (%u)", 384 group, data->proposal.dh); 385 /* Reject message with Notify payload of type 386 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */ 387 data->error_type = INVALID_KE_PAYLOAD; 388 data->state = NOTIFY; 389 return -1; 390 } 391 392 if (data->dh == NULL) { 393 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group"); 394 return -1; 395 } 396 397 /* RFC 4306, Section 3.4: 398 * The length of DH public value MUST be equal to the length of the 399 * prime modulus. 400 */ 401 if (kei_len - 4 != data->dh->prime_len) { 402 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length " 403 "%ld (expected %ld)", 404 (long) (kei_len - 4), (long) data->dh->prime_len); 405 return -1; 406 } 407 408 wpabuf_free(data->i_dh_public); 409 data->i_dh_public = wpabuf_alloc(kei_len - 4); 410 if (data->i_dh_public == NULL) 411 return -1; 412 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4); 413 414 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value", 415 data->i_dh_public); 416 417 return 0; 418 } 419 420 421 static int ikev2_process_ni(struct ikev2_responder_data *data, 422 const u8 *ni, size_t ni_len) 423 { 424 if (ni == NULL) { 425 wpa_printf(MSG_INFO, "IKEV2: Ni not received"); 426 return -1; 427 } 428 429 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) { 430 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld", 431 (long) ni_len); 432 return -1; 433 } 434 435 data->i_nonce_len = ni_len; 436 os_memcpy(data->i_nonce, ni, ni_len); 437 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni", 438 data->i_nonce, data->i_nonce_len); 439 440 return 0; 441 } 442 443 444 static int ikev2_process_sa_init(struct ikev2_responder_data *data, 445 const struct ikev2_hdr *hdr, 446 struct ikev2_payloads *pl) 447 { 448 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 || 449 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 || 450 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0) 451 return -1; 452 453 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN); 454 455 return 0; 456 } 457 458 459 static int ikev2_process_idi(struct ikev2_responder_data *data, 460 const u8 *idi, size_t idi_len) 461 { 462 u8 id_type; 463 464 if (idi == NULL) { 465 wpa_printf(MSG_INFO, "IKEV2: No IDi received"); 466 return -1; 467 } 468 469 if (idi_len < 4) { 470 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload"); 471 return -1; 472 } 473 474 id_type = idi[0]; 475 idi += 4; 476 idi_len -= 4; 477 478 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type); 479 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len); 480 os_free(data->IDi); 481 data->IDi = os_memdup(idi, idi_len); 482 if (data->IDi == NULL) 483 return -1; 484 data->IDi_len = idi_len; 485 data->IDi_type = id_type; 486 487 return 0; 488 } 489 490 491 static int ikev2_process_cert(struct ikev2_responder_data *data, 492 const u8 *cert, size_t cert_len) 493 { 494 u8 cert_encoding; 495 496 if (cert == NULL) { 497 if (data->peer_auth == PEER_AUTH_CERT) { 498 wpa_printf(MSG_INFO, "IKEV2: No Certificate received"); 499 return -1; 500 } 501 return 0; 502 } 503 504 if (cert_len < 1) { 505 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field"); 506 return -1; 507 } 508 509 cert_encoding = cert[0]; 510 cert++; 511 cert_len--; 512 513 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding); 514 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len); 515 516 /* TODO: validate certificate */ 517 518 return 0; 519 } 520 521 522 static int ikev2_process_auth_cert(struct ikev2_responder_data *data, 523 u8 method, const u8 *auth, size_t auth_len) 524 { 525 if (method != AUTH_RSA_SIGN) { 526 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 527 "method %d", method); 528 return -1; 529 } 530 531 /* TODO: validate AUTH */ 532 return 0; 533 } 534 535 536 static int ikev2_process_auth_secret(struct ikev2_responder_data *data, 537 u8 method, const u8 *auth, 538 size_t auth_len) 539 { 540 u8 auth_data[IKEV2_MAX_HASH_LEN]; 541 const struct ikev2_prf_alg *prf; 542 543 if (method != AUTH_SHARED_KEY_MIC) { 544 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " 545 "method %d", method); 546 return -1; 547 } 548 549 /* msg | Nr | prf(SK_pi,IDi') */ 550 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg, 551 data->IDi, data->IDi_len, data->IDi_type, 552 &data->keys, 1, data->shared_secret, 553 data->shared_secret_len, 554 data->r_nonce, data->r_nonce_len, 555 data->key_pad, data->key_pad_len, 556 auth_data) < 0) { 557 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 558 return -1; 559 } 560 561 wpabuf_free(data->i_sign_msg); 562 data->i_sign_msg = NULL; 563 564 prf = ikev2_get_prf(data->proposal.prf); 565 if (prf == NULL) 566 return -1; 567 568 if (auth_len != prf->hash_len || 569 os_memcmp_const(auth, auth_data, auth_len) != 0) { 570 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data"); 571 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", 572 auth, auth_len); 573 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", 574 auth_data, prf->hash_len); 575 data->error_type = AUTHENTICATION_FAILED; 576 data->state = NOTIFY; 577 return -1; 578 } 579 580 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully " 581 "using shared keys"); 582 583 return 0; 584 } 585 586 587 static int ikev2_process_auth(struct ikev2_responder_data *data, 588 const u8 *auth, size_t auth_len) 589 { 590 u8 auth_method; 591 592 if (auth == NULL) { 593 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload"); 594 return -1; 595 } 596 597 if (auth_len < 4) { 598 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication " 599 "Payload"); 600 return -1; 601 } 602 603 auth_method = auth[0]; 604 auth += 4; 605 auth_len -= 4; 606 607 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method); 608 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len); 609 610 switch (data->peer_auth) { 611 case PEER_AUTH_CERT: 612 return ikev2_process_auth_cert(data, auth_method, auth, 613 auth_len); 614 case PEER_AUTH_SECRET: 615 return ikev2_process_auth_secret(data, auth_method, auth, 616 auth_len); 617 } 618 619 return -1; 620 } 621 622 623 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data, 624 u8 next_payload, 625 u8 *payload, size_t payload_len) 626 { 627 struct ikev2_payloads pl; 628 629 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads"); 630 631 if (ikev2_parse_payloads(&pl, next_payload, payload, payload + 632 payload_len) < 0) { 633 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted " 634 "payloads"); 635 return -1; 636 } 637 638 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 || 639 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 || 640 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0) 641 return -1; 642 643 return 0; 644 } 645 646 647 static int ikev2_process_sa_auth(struct ikev2_responder_data *data, 648 const struct ikev2_hdr *hdr, 649 struct ikev2_payloads *pl) 650 { 651 u8 *decrypted; 652 size_t decrypted_len; 653 int ret; 654 655 decrypted = ikev2_decrypt_payload(data->proposal.encr, 656 data->proposal.integ, 657 &data->keys, 1, hdr, pl->encrypted, 658 pl->encrypted_len, &decrypted_len); 659 if (decrypted == NULL) 660 return -1; 661 662 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload, 663 decrypted, decrypted_len); 664 os_free(decrypted); 665 666 return ret; 667 } 668 669 670 static int ikev2_validate_rx_state(struct ikev2_responder_data *data, 671 u8 exchange_type, u32 message_id) 672 { 673 switch (data->state) { 674 case SA_INIT: 675 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */ 676 if (exchange_type != IKE_SA_INIT) { 677 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 678 "%u in SA_INIT state", exchange_type); 679 return -1; 680 } 681 if (message_id != 0) { 682 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 683 "in SA_INIT state", message_id); 684 return -1; 685 } 686 break; 687 case SA_AUTH: 688 /* Expect to receive IKE_SA_AUTH: 689 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] 690 * AUTH, SAi2, TSi, TSr} 691 */ 692 if (exchange_type != IKE_SA_AUTH) { 693 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 694 "%u in SA_AUTH state", exchange_type); 695 return -1; 696 } 697 if (message_id != 1) { 698 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 699 "in SA_AUTH state", message_id); 700 return -1; 701 } 702 break; 703 case CHILD_SA: 704 if (exchange_type != CREATE_CHILD_SA) { 705 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type " 706 "%u in CHILD_SA state", exchange_type); 707 return -1; 708 } 709 if (message_id != 2) { 710 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u " 711 "in CHILD_SA state", message_id); 712 return -1; 713 } 714 break; 715 case NOTIFY: 716 case IKEV2_DONE: 717 case IKEV2_FAILED: 718 return -1; 719 } 720 721 return 0; 722 } 723 724 725 int ikev2_responder_process(struct ikev2_responder_data *data, 726 const struct wpabuf *buf) 727 { 728 const struct ikev2_hdr *hdr; 729 u32 length, message_id; 730 const u8 *pos, *end; 731 struct ikev2_payloads pl; 732 733 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)", 734 (unsigned long) wpabuf_len(buf)); 735 736 if (wpabuf_len(buf) < sizeof(*hdr)) { 737 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR"); 738 return -1; 739 } 740 741 data->error_type = 0; 742 hdr = (const struct ikev2_hdr *) wpabuf_head(buf); 743 end = wpabuf_head_u8(buf) + wpabuf_len(buf); 744 message_id = WPA_GET_BE32(hdr->message_id); 745 length = WPA_GET_BE32(hdr->length); 746 747 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI", 748 hdr->i_spi, IKEV2_SPI_LEN); 749 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI", 750 hdr->r_spi, IKEV2_SPI_LEN); 751 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x " 752 "Exchange Type: %u", 753 hdr->next_payload, hdr->version, hdr->exchange_type); 754 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u", 755 message_id, length); 756 757 if (hdr->version != IKEV2_VERSION) { 758 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x " 759 "(expected 0x%x)", hdr->version, IKEV2_VERSION); 760 return -1; 761 } 762 763 if (length != wpabuf_len(buf)) { 764 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != " 765 "RX: %lu)", (unsigned long) length, 766 (unsigned long) wpabuf_len(buf)); 767 return -1; 768 } 769 770 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0) 771 return -1; 772 773 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) != 774 IKEV2_HDR_INITIATOR) { 775 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x", 776 hdr->flags); 777 return -1; 778 } 779 780 if (data->state != SA_INIT) { 781 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) { 782 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 783 "Initiator's SPI"); 784 return -1; 785 } 786 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) { 787 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA " 788 "Responder's SPI"); 789 return -1; 790 } 791 } 792 793 pos = (const u8 *) (hdr + 1); 794 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0) 795 return -1; 796 797 if (data->state == SA_INIT) { 798 data->last_msg = LAST_MSG_SA_INIT; 799 if (ikev2_process_sa_init(data, hdr, &pl) < 0) { 800 if (data->state == NOTIFY) 801 return 0; 802 return -1; 803 } 804 wpabuf_free(data->i_sign_msg); 805 data->i_sign_msg = wpabuf_dup(buf); 806 } 807 808 if (data->state == SA_AUTH) { 809 data->last_msg = LAST_MSG_SA_AUTH; 810 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) { 811 if (data->state == NOTIFY) 812 return 0; 813 return -1; 814 } 815 } 816 817 return 0; 818 } 819 820 821 static void ikev2_build_hdr(struct ikev2_responder_data *data, 822 struct wpabuf *msg, u8 exchange_type, 823 u8 next_payload, u32 message_id) 824 { 825 struct ikev2_hdr *hdr; 826 827 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR"); 828 829 /* HDR - RFC 4306, Sect. 3.1 */ 830 hdr = wpabuf_put(msg, sizeof(*hdr)); 831 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN); 832 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN); 833 hdr->next_payload = next_payload; 834 hdr->version = IKEV2_VERSION; 835 hdr->exchange_type = exchange_type; 836 hdr->flags = IKEV2_HDR_RESPONSE; 837 WPA_PUT_BE32(hdr->message_id, message_id); 838 } 839 840 841 static int ikev2_build_sar1(struct ikev2_responder_data *data, 842 struct wpabuf *msg, u8 next_payload) 843 { 844 struct ikev2_payload_hdr *phdr; 845 size_t plen; 846 struct ikev2_proposal *p; 847 struct ikev2_transform *t; 848 849 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload"); 850 851 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */ 852 phdr = wpabuf_put(msg, sizeof(*phdr)); 853 phdr->next_payload = next_payload; 854 phdr->flags = 0; 855 856 p = wpabuf_put(msg, sizeof(*p)); 857 p->proposal_num = data->proposal.proposal_num; 858 p->protocol_id = IKEV2_PROTOCOL_IKE; 859 p->num_transforms = 4; 860 861 t = wpabuf_put(msg, sizeof(*t)); 862 t->type = 3; 863 t->transform_type = IKEV2_TRANSFORM_ENCR; 864 WPA_PUT_BE16(t->transform_id, data->proposal.encr); 865 if (data->proposal.encr == ENCR_AES_CBC) { 866 /* Transform Attribute: Key Len = 128 bits */ 867 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */ 868 wpabuf_put_be16(msg, 128); /* 128-bit key */ 869 } 870 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t; 871 WPA_PUT_BE16(t->transform_length, plen); 872 873 t = wpabuf_put(msg, sizeof(*t)); 874 t->type = 3; 875 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 876 t->transform_type = IKEV2_TRANSFORM_PRF; 877 WPA_PUT_BE16(t->transform_id, data->proposal.prf); 878 879 t = wpabuf_put(msg, sizeof(*t)); 880 t->type = 3; 881 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 882 t->transform_type = IKEV2_TRANSFORM_INTEG; 883 WPA_PUT_BE16(t->transform_id, data->proposal.integ); 884 885 t = wpabuf_put(msg, sizeof(*t)); 886 WPA_PUT_BE16(t->transform_length, sizeof(*t)); 887 t->transform_type = IKEV2_TRANSFORM_DH; 888 WPA_PUT_BE16(t->transform_id, data->proposal.dh); 889 890 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p; 891 WPA_PUT_BE16(p->proposal_length, plen); 892 893 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 894 WPA_PUT_BE16(phdr->payload_length, plen); 895 896 return 0; 897 } 898 899 900 static int ikev2_build_ker(struct ikev2_responder_data *data, 901 struct wpabuf *msg, u8 next_payload) 902 { 903 struct ikev2_payload_hdr *phdr; 904 size_t plen; 905 struct wpabuf *pv; 906 907 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload"); 908 909 pv = dh_init(data->dh, &data->r_dh_private); 910 if (pv == NULL) { 911 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH"); 912 return -1; 913 } 914 915 /* KEr - RFC 4306, Sect. 3.4 */ 916 phdr = wpabuf_put(msg, sizeof(*phdr)); 917 phdr->next_payload = next_payload; 918 phdr->flags = 0; 919 920 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */ 921 wpabuf_put(msg, 2); /* RESERVED */ 922 /* 923 * RFC 4306, Sect. 3.4: possible zero padding for public value to 924 * match the length of the prime. 925 */ 926 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv)); 927 wpabuf_put_buf(msg, pv); 928 wpabuf_free(pv); 929 930 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 931 WPA_PUT_BE16(phdr->payload_length, plen); 932 return 0; 933 } 934 935 936 static int ikev2_build_nr(struct ikev2_responder_data *data, 937 struct wpabuf *msg, u8 next_payload) 938 { 939 struct ikev2_payload_hdr *phdr; 940 size_t plen; 941 942 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload"); 943 944 /* Nr - RFC 4306, Sect. 3.9 */ 945 phdr = wpabuf_put(msg, sizeof(*phdr)); 946 phdr->next_payload = next_payload; 947 phdr->flags = 0; 948 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len); 949 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 950 WPA_PUT_BE16(phdr->payload_length, plen); 951 return 0; 952 } 953 954 955 static int ikev2_build_idr(struct ikev2_responder_data *data, 956 struct wpabuf *msg, u8 next_payload) 957 { 958 struct ikev2_payload_hdr *phdr; 959 size_t plen; 960 961 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload"); 962 963 if (data->IDr == NULL) { 964 wpa_printf(MSG_INFO, "IKEV2: No IDr available"); 965 return -1; 966 } 967 968 /* IDr - RFC 4306, Sect. 3.5 */ 969 phdr = wpabuf_put(msg, sizeof(*phdr)); 970 phdr->next_payload = next_payload; 971 phdr->flags = 0; 972 wpabuf_put_u8(msg, ID_KEY_ID); 973 wpabuf_put(msg, 3); /* RESERVED */ 974 wpabuf_put_data(msg, data->IDr, data->IDr_len); 975 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 976 WPA_PUT_BE16(phdr->payload_length, plen); 977 return 0; 978 } 979 980 981 static int ikev2_build_auth(struct ikev2_responder_data *data, 982 struct wpabuf *msg, u8 next_payload) 983 { 984 struct ikev2_payload_hdr *phdr; 985 size_t plen; 986 const struct ikev2_prf_alg *prf; 987 988 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload"); 989 990 prf = ikev2_get_prf(data->proposal.prf); 991 if (prf == NULL) 992 return -1; 993 994 /* Authentication - RFC 4306, Sect. 3.8 */ 995 phdr = wpabuf_put(msg, sizeof(*phdr)); 996 phdr->next_payload = next_payload; 997 phdr->flags = 0; 998 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC); 999 wpabuf_put(msg, 3); /* RESERVED */ 1000 1001 /* msg | Ni | prf(SK_pr,IDr') */ 1002 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, 1003 data->IDr, data->IDr_len, ID_KEY_ID, 1004 &data->keys, 0, data->shared_secret, 1005 data->shared_secret_len, 1006 data->i_nonce, data->i_nonce_len, 1007 data->key_pad, data->key_pad_len, 1008 wpabuf_put(msg, prf->hash_len)) < 0) { 1009 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); 1010 return -1; 1011 } 1012 wpabuf_free(data->r_sign_msg); 1013 data->r_sign_msg = NULL; 1014 1015 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1016 WPA_PUT_BE16(phdr->payload_length, plen); 1017 return 0; 1018 } 1019 1020 1021 static int ikev2_build_notification(struct ikev2_responder_data *data, 1022 struct wpabuf *msg, u8 next_payload) 1023 { 1024 struct ikev2_payload_hdr *phdr; 1025 size_t plen; 1026 1027 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload"); 1028 1029 if (data->error_type == 0) { 1030 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type " 1031 "available"); 1032 return -1; 1033 } 1034 1035 /* Notify - RFC 4306, Sect. 3.10 */ 1036 phdr = wpabuf_put(msg, sizeof(*phdr)); 1037 phdr->next_payload = next_payload; 1038 phdr->flags = 0; 1039 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */ 1040 wpabuf_put_u8(msg, 0); /* SPI Size */ 1041 wpabuf_put_be16(msg, data->error_type); 1042 1043 switch (data->error_type) { 1044 case INVALID_KE_PAYLOAD: 1045 if (data->proposal.dh == -1) { 1046 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for " 1047 "INVALID_KE_PAYLOAD notifications"); 1048 return -1; 1049 } 1050 wpabuf_put_be16(msg, data->proposal.dh); 1051 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request " 1052 "DH Group #%d", data->proposal.dh); 1053 break; 1054 case AUTHENTICATION_FAILED: 1055 /* no associated data */ 1056 break; 1057 default: 1058 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type " 1059 "%d", data->error_type); 1060 return -1; 1061 } 1062 1063 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 1064 WPA_PUT_BE16(phdr->payload_length, plen); 1065 return 0; 1066 } 1067 1068 1069 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data) 1070 { 1071 struct wpabuf *msg; 1072 1073 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */ 1074 1075 if (os_get_random(data->r_spi, IKEV2_SPI_LEN)) 1076 return NULL; 1077 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI", 1078 data->r_spi, IKEV2_SPI_LEN); 1079 1080 data->r_nonce_len = IKEV2_NONCE_MIN_LEN; 1081 if (random_get_bytes(data->r_nonce, data->r_nonce_len)) 1082 return NULL; 1083 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len); 1084 1085 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500); 1086 if (msg == NULL) 1087 return NULL; 1088 1089 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0); 1090 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) || 1091 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) || 1092 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ? 1093 IKEV2_PAYLOAD_ENCRYPTED : 1094 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1095 wpabuf_free(msg); 1096 return NULL; 1097 } 1098 1099 if (ikev2_derive_keys(data)) { 1100 wpabuf_free(msg); 1101 return NULL; 1102 } 1103 1104 if (data->peer_auth == PEER_AUTH_CERT) { 1105 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info 1106 * for trust agents */ 1107 } 1108 1109 if (data->peer_auth == PEER_AUTH_SECRET) { 1110 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000); 1111 if (plain == NULL) { 1112 wpabuf_free(msg); 1113 return NULL; 1114 } 1115 if (ikev2_build_idr(data, plain, 1116 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1117 ikev2_build_encrypted(data->proposal.encr, 1118 data->proposal.integ, 1119 &data->keys, 0, msg, plain, 1120 IKEV2_PAYLOAD_IDr)) { 1121 wpabuf_free(plain); 1122 wpabuf_free(msg); 1123 return NULL; 1124 } 1125 wpabuf_free(plain); 1126 } 1127 1128 ikev2_update_hdr(msg); 1129 1130 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg); 1131 1132 data->state = SA_AUTH; 1133 1134 wpabuf_free(data->r_sign_msg); 1135 data->r_sign_msg = wpabuf_dup(msg); 1136 1137 return msg; 1138 } 1139 1140 1141 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data) 1142 { 1143 struct wpabuf *msg, *plain; 1144 1145 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */ 1146 1147 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000); 1148 if (msg == NULL) 1149 return NULL; 1150 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1); 1151 1152 plain = wpabuf_alloc(data->IDr_len + 1000); 1153 if (plain == NULL) { 1154 wpabuf_free(msg); 1155 return NULL; 1156 } 1157 1158 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) || 1159 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1160 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ, 1161 &data->keys, 0, msg, plain, 1162 IKEV2_PAYLOAD_IDr)) { 1163 wpabuf_free(plain); 1164 wpabuf_free(msg); 1165 return NULL; 1166 } 1167 wpabuf_free(plain); 1168 1169 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg); 1170 1171 data->state = IKEV2_DONE; 1172 1173 return msg; 1174 } 1175 1176 1177 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data) 1178 { 1179 struct wpabuf *msg; 1180 1181 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000); 1182 if (msg == NULL) 1183 return NULL; 1184 if (data->last_msg == LAST_MSG_SA_AUTH) { 1185 /* HDR, SK{N} */ 1186 struct wpabuf *plain = wpabuf_alloc(100); 1187 if (plain == NULL) { 1188 wpabuf_free(msg); 1189 return NULL; 1190 } 1191 ikev2_build_hdr(data, msg, IKE_SA_AUTH, 1192 IKEV2_PAYLOAD_ENCRYPTED, 1); 1193 if (ikev2_build_notification(data, plain, 1194 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) || 1195 ikev2_build_encrypted(data->proposal.encr, 1196 data->proposal.integ, 1197 &data->keys, 0, msg, plain, 1198 IKEV2_PAYLOAD_NOTIFICATION)) { 1199 wpabuf_free(plain); 1200 wpabuf_free(msg); 1201 return NULL; 1202 } 1203 wpabuf_free(plain); 1204 data->state = IKEV2_FAILED; 1205 } else { 1206 /* HDR, N */ 1207 ikev2_build_hdr(data, msg, IKE_SA_INIT, 1208 IKEV2_PAYLOAD_NOTIFICATION, 0); 1209 if (ikev2_build_notification(data, msg, 1210 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) { 1211 wpabuf_free(msg); 1212 return NULL; 1213 } 1214 data->state = SA_INIT; 1215 } 1216 1217 ikev2_update_hdr(msg); 1218 1219 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)", 1220 msg); 1221 1222 return msg; 1223 } 1224 1225 1226 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data) 1227 { 1228 switch (data->state) { 1229 case SA_INIT: 1230 return ikev2_build_sa_init(data); 1231 case SA_AUTH: 1232 return ikev2_build_sa_auth(data); 1233 case CHILD_SA: 1234 return NULL; 1235 case NOTIFY: 1236 return ikev2_build_notify(data); 1237 case IKEV2_DONE: 1238 case IKEV2_FAILED: 1239 return NULL; 1240 } 1241 return NULL; 1242 } 1243