xref: /freebsd/contrib/wpa/src/eap_peer/ikev2.c (revision e32fecd0c2c3ee37c47ee100f169e7eb0282a873)
1 /*
2  * IKEv2 responder (RFC 4306) for EAP-IKEV2
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
14 #include "ikev2.h"
15 
16 
17 void ikev2_responder_deinit(struct ikev2_responder_data *data)
18 {
19 	ikev2_free_keys(&data->keys);
20 	wpabuf_free(data->i_dh_public);
21 	wpabuf_free(data->r_dh_private);
22 	os_free(data->IDi);
23 	os_free(data->IDr);
24 	os_free(data->shared_secret);
25 	wpabuf_free(data->i_sign_msg);
26 	wpabuf_free(data->r_sign_msg);
27 	os_free(data->key_pad);
28 }
29 
30 
31 static int ikev2_derive_keys(struct ikev2_responder_data *data)
32 {
33 	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34 	size_t buf_len, pad_len;
35 	struct wpabuf *shared;
36 	const struct ikev2_integ_alg *integ;
37 	const struct ikev2_prf_alg *prf;
38 	const struct ikev2_encr_alg *encr;
39 	int ret;
40 	const u8 *addr[2];
41 	size_t len[2];
42 
43 	/* RFC 4306, Sect. 2.14 */
44 
45 	integ = ikev2_get_integ(data->proposal.integ);
46 	prf = ikev2_get_prf(data->proposal.prf);
47 	encr = ikev2_get_encr(data->proposal.encr);
48 	if (integ == NULL || prf == NULL || encr == NULL) {
49 		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
50 		return -1;
51 	}
52 
53 	shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
54 				  data->dh);
55 	if (shared == NULL)
56 		return -1;
57 
58 	/* Construct Ni | Nr | SPIi | SPIr */
59 
60 	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61 	buf = os_malloc(buf_len);
62 	if (buf == NULL) {
63 		wpabuf_free(shared);
64 		return -1;
65 	}
66 
67 	pos = buf;
68 	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 	pos += data->i_nonce_len;
70 	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 	pos += data->r_nonce_len;
72 	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
73 	pos += IKEV2_SPI_LEN;
74 	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
75 
76 	/* SKEYSEED = prf(Ni | Nr, g^ir) */
77 	/* Use zero-padding per RFC 4306, Sect. 2.14 */
78 	pad_len = data->dh->prime_len - wpabuf_len(shared);
79 	pad = os_zalloc(pad_len ? pad_len : 1);
80 	if (pad == NULL) {
81 		wpabuf_free(shared);
82 		os_free(buf);
83 		return -1;
84 	}
85 
86 	addr[0] = pad;
87 	len[0] = pad_len;
88 	addr[1] = wpabuf_head(shared);
89 	len[1] = wpabuf_len(shared);
90 	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
91 			   2, addr, len, skeyseed) < 0) {
92 		wpabuf_free(shared);
93 		os_free(buf);
94 		os_free(pad);
95 		return -1;
96 	}
97 	os_free(pad);
98 	wpabuf_free(shared);
99 
100 	/* DH parameters are not needed anymore, so free them */
101 	wpabuf_free(data->i_dh_public);
102 	data->i_dh_public = NULL;
103 	wpabuf_free(data->r_dh_private);
104 	data->r_dh_private = NULL;
105 
106 	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
107 			skeyseed, prf->hash_len);
108 
109 	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
110 				   &data->keys);
111 	os_free(buf);
112 	return ret;
113 }
114 
115 
116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
117 				 const u8 *pos, const u8 *end)
118 {
119 	int transform_len;
120 	const struct ikev2_transform *t;
121 	u16 transform_id;
122 	const u8 *tend;
123 
124 	if (end - pos < (int) sizeof(*t)) {
125 		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
126 		return -1;
127 	}
128 
129 	t = (const struct ikev2_transform *) pos;
130 	transform_len = WPA_GET_BE16(t->transform_length);
131 	if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
132 		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
133 			   transform_len);
134 		return -1;
135 	}
136 	tend = pos + transform_len;
137 
138 	transform_id = WPA_GET_BE16(t->transform_id);
139 
140 	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
141 	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
142 		   "Transform Type: %d  Transform ID: %d",
143 		   t->type, transform_len, t->transform_type, transform_id);
144 
145 	if (t->type != 0 && t->type != 3) {
146 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
147 		return -1;
148 	}
149 
150 	pos = (const u8 *) (t + 1);
151 	if (pos < tend) {
152 		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
153 			    pos, tend - pos);
154 	}
155 
156 	switch (t->transform_type) {
157 	case IKEV2_TRANSFORM_ENCR:
158 		if (ikev2_get_encr(transform_id)) {
159 			if (transform_id == ENCR_AES_CBC) {
160 				if (tend - pos != 4) {
161 					wpa_printf(MSG_DEBUG, "IKEV2: No "
162 						   "Transform Attr for AES");
163 					break;
164 				}
165 				if (WPA_GET_BE16(pos) != 0x800e) {
166 					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
167 						   "Key Size attribute for "
168 						   "AES");
169 					break;
170 				}
171 				if (WPA_GET_BE16(pos + 2) != 128) {
172 					wpa_printf(MSG_DEBUG, "IKEV2: "
173 						   "Unsupported AES key size "
174 						   "%d bits",
175 						   WPA_GET_BE16(pos + 2));
176 					break;
177 				}
178 			}
179 			prop->encr = transform_id;
180 		}
181 		break;
182 	case IKEV2_TRANSFORM_PRF:
183 		if (ikev2_get_prf(transform_id))
184 			prop->prf = transform_id;
185 		break;
186 	case IKEV2_TRANSFORM_INTEG:
187 		if (ikev2_get_integ(transform_id))
188 			prop->integ = transform_id;
189 		break;
190 	case IKEV2_TRANSFORM_DH:
191 		if (dh_groups_get(transform_id))
192 			prop->dh = transform_id;
193 		break;
194 	}
195 
196 	return transform_len;
197 }
198 
199 
200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
201 				const u8 *pos, const u8 *end)
202 {
203 	const u8 *pend, *ppos;
204 	int proposal_len;
205 	unsigned int i, num;
206 	const struct ikev2_proposal *p;
207 
208 	if (end - pos < (int) sizeof(*p)) {
209 		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
210 		return -1;
211 	}
212 
213 	/* FIX: AND processing if multiple proposals use the same # */
214 
215 	p = (const struct ikev2_proposal *) pos;
216 	proposal_len = WPA_GET_BE16(p->proposal_length);
217 	if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
218 		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
219 			   proposal_len);
220 		return -1;
221 	}
222 	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
223 		   p->proposal_num);
224 	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
225 		   " Protocol ID: %d",
226 		   p->type, proposal_len, p->protocol_id);
227 	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
228 		   p->spi_size, p->num_transforms);
229 
230 	if (p->type != 0 && p->type != 2) {
231 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
232 		return -1;
233 	}
234 
235 	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
236 		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
237 			   "(only IKE allowed for EAP-IKEv2)");
238 		return -1;
239 	}
240 
241 	if (p->proposal_num != prop->proposal_num) {
242 		if (p->proposal_num == prop->proposal_num + 1)
243 			prop->proposal_num = p->proposal_num;
244 		else {
245 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
246 			return -1;
247 		}
248 	}
249 
250 	ppos = (const u8 *) (p + 1);
251 	pend = pos + proposal_len;
252 	if (p->spi_size > pend - ppos) {
253 		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
254 			   "in proposal");
255 		return -1;
256 	}
257 	if (p->spi_size) {
258 		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
259 			    ppos, p->spi_size);
260 		ppos += p->spi_size;
261 	}
262 
263 	/*
264 	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
265 	 * subsequent negotiations, it must be 8 for IKE. We only support
266 	 * initial case for now.
267 	 */
268 	if (p->spi_size != 0) {
269 		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
270 		return -1;
271 	}
272 
273 	num = p->num_transforms;
274 	if (num == 0 || num > 255) {
275 		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
276 		return -1;
277 	}
278 
279 	for (i = 0; i < num; i++) {
280 		int tlen = ikev2_parse_transform(prop, ppos, pend);
281 		if (tlen < 0)
282 			return -1;
283 		ppos += tlen;
284 	}
285 
286 	if (ppos != pend) {
287 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
288 			   "transforms");
289 		return -1;
290 	}
291 
292 	return proposal_len;
293 }
294 
295 
296 static int ikev2_process_sai1(struct ikev2_responder_data *data,
297 			      const u8 *sai1, size_t sai1_len)
298 {
299 	struct ikev2_proposal_data prop;
300 	const u8 *pos, *end;
301 	int found = 0;
302 
303 	/* Security Association Payloads: <Proposals> */
304 
305 	if (sai1 == NULL) {
306 		wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
307 		return -1;
308 	}
309 
310 	os_memset(&prop, 0, sizeof(prop));
311 	prop.proposal_num = 1;
312 
313 	pos = sai1;
314 	end = sai1 + sai1_len;
315 
316 	while (pos < end) {
317 		int plen;
318 
319 		prop.integ = -1;
320 		prop.prf = -1;
321 		prop.encr = -1;
322 		prop.dh = -1;
323 		plen = ikev2_parse_proposal(&prop, pos, end);
324 		if (plen < 0)
325 			return -1;
326 
327 		if (!found && prop.integ != -1 && prop.prf != -1 &&
328 		    prop.encr != -1 && prop.dh != -1) {
329 			os_memcpy(&data->proposal, &prop, sizeof(prop));
330 			data->dh = dh_groups_get(prop.dh);
331 			found = 1;
332 		}
333 
334 		pos += plen;
335 	}
336 
337 	if (pos != end) {
338 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
339 		return -1;
340 	}
341 
342 	if (!found) {
343 		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
344 		return -1;
345 	}
346 
347 	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
348 		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
349 		   data->proposal.encr, data->proposal.prf,
350 		   data->proposal.integ, data->proposal.dh);
351 
352 	return 0;
353 }
354 
355 
356 static int ikev2_process_kei(struct ikev2_responder_data *data,
357 			     const u8 *kei, size_t kei_len)
358 {
359 	u16 group;
360 
361 	/*
362 	 * Key Exchange Payload:
363 	 * DH Group # (16 bits)
364 	 * RESERVED (16 bits)
365 	 * Key Exchange Data (Diffie-Hellman public value)
366 	 */
367 
368 	if (kei == NULL) {
369 		wpa_printf(MSG_INFO, "IKEV2: KEi not received");
370 		return -1;
371 	}
372 
373 	if (kei_len < 4 + 96) {
374 		wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload");
375 		return -1;
376 	}
377 
378 	group = WPA_GET_BE16(kei);
379 	wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
380 
381 	if (group != data->proposal.dh) {
382 		wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
383 			   "with the selected proposal (%u)",
384 			   group, data->proposal.dh);
385 		/* Reject message with Notify payload of type
386 		 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
387 		data->error_type = INVALID_KE_PAYLOAD;
388 		data->state = NOTIFY;
389 		return -1;
390 	}
391 
392 	if (data->dh == NULL) {
393 		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
394 		return -1;
395 	}
396 
397 	/* RFC 4306, Section 3.4:
398 	 * The length of DH public value MUST be equal to the length of the
399 	 * prime modulus.
400 	 */
401 	if (kei_len - 4 != data->dh->prime_len) {
402 		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
403 			   "%ld (expected %ld)",
404 			   (long) (kei_len - 4), (long) data->dh->prime_len);
405 		return -1;
406 	}
407 
408 	wpabuf_free(data->i_dh_public);
409 	data->i_dh_public = wpabuf_alloc(kei_len - 4);
410 	if (data->i_dh_public == NULL)
411 		return -1;
412 	wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
413 
414 	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
415 			data->i_dh_public);
416 
417 	return 0;
418 }
419 
420 
421 static int ikev2_process_ni(struct ikev2_responder_data *data,
422 			    const u8 *ni, size_t ni_len)
423 {
424 	if (ni == NULL) {
425 		wpa_printf(MSG_INFO, "IKEV2: Ni not received");
426 		return -1;
427 	}
428 
429 	if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
430 		wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
431 		           (long) ni_len);
432 		return -1;
433 	}
434 
435 	data->i_nonce_len = ni_len;
436 	os_memcpy(data->i_nonce, ni, ni_len);
437 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
438 		    data->i_nonce, data->i_nonce_len);
439 
440 	return 0;
441 }
442 
443 
444 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
445 				 const struct ikev2_hdr *hdr,
446 				 struct ikev2_payloads *pl)
447 {
448 	if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
449 	    ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
450 	    ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
451 		return -1;
452 
453 	os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
454 
455 	return 0;
456 }
457 
458 
459 static int ikev2_process_idi(struct ikev2_responder_data *data,
460 			     const u8 *idi, size_t idi_len)
461 {
462 	u8 id_type;
463 
464 	if (idi == NULL) {
465 		wpa_printf(MSG_INFO, "IKEV2: No IDi received");
466 		return -1;
467 	}
468 
469 	if (idi_len < 4) {
470 		wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
471 		return -1;
472 	}
473 
474 	id_type = idi[0];
475 	idi += 4;
476 	idi_len -= 4;
477 
478 	wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
479 	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
480 	os_free(data->IDi);
481 	data->IDi = os_memdup(idi, idi_len);
482 	if (data->IDi == NULL)
483 		return -1;
484 	data->IDi_len = idi_len;
485 	data->IDi_type = id_type;
486 
487 	return 0;
488 }
489 
490 
491 static int ikev2_process_cert(struct ikev2_responder_data *data,
492 			      const u8 *cert, size_t cert_len)
493 {
494 	u8 cert_encoding;
495 
496 	if (cert == NULL) {
497 		if (data->peer_auth == PEER_AUTH_CERT) {
498 			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
499 			return -1;
500 		}
501 		return 0;
502 	}
503 
504 	if (cert_len < 1) {
505 		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
506 		return -1;
507 	}
508 
509 	cert_encoding = cert[0];
510 	cert++;
511 	cert_len--;
512 
513 	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
514 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
515 
516 	/* TODO: validate certificate */
517 
518 	return 0;
519 }
520 
521 
522 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
523 				   u8 method, const u8 *auth, size_t auth_len)
524 {
525 	if (method != AUTH_RSA_SIGN) {
526 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
527 			   "method %d", method);
528 		return -1;
529 	}
530 
531 	/* TODO: validate AUTH */
532 	return 0;
533 }
534 
535 
536 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
537 				     u8 method, const u8 *auth,
538 				     size_t auth_len)
539 {
540 	u8 auth_data[IKEV2_MAX_HASH_LEN];
541 	const struct ikev2_prf_alg *prf;
542 
543 	if (method != AUTH_SHARED_KEY_MIC) {
544 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
545 			   "method %d", method);
546 		return -1;
547 	}
548 
549 	/* msg | Nr | prf(SK_pi,IDi') */
550 	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
551 				   data->IDi, data->IDi_len, data->IDi_type,
552 				   &data->keys, 1, data->shared_secret,
553 				   data->shared_secret_len,
554 				   data->r_nonce, data->r_nonce_len,
555 				   data->key_pad, data->key_pad_len,
556 				   auth_data) < 0) {
557 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
558 		return -1;
559 	}
560 
561 	wpabuf_free(data->i_sign_msg);
562 	data->i_sign_msg = NULL;
563 
564 	prf = ikev2_get_prf(data->proposal.prf);
565 	if (prf == NULL)
566 		return -1;
567 
568 	if (auth_len != prf->hash_len ||
569 	    os_memcmp_const(auth, auth_data, auth_len) != 0) {
570 		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
571 		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
572 			    auth, auth_len);
573 		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
574 			    auth_data, prf->hash_len);
575 		data->error_type = AUTHENTICATION_FAILED;
576 		data->state = NOTIFY;
577 		return -1;
578 	}
579 
580 	wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
581 		   "using shared keys");
582 
583 	return 0;
584 }
585 
586 
587 static int ikev2_process_auth(struct ikev2_responder_data *data,
588 			      const u8 *auth, size_t auth_len)
589 {
590 	u8 auth_method;
591 
592 	if (auth == NULL) {
593 		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
594 		return -1;
595 	}
596 
597 	if (auth_len < 4) {
598 		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
599 			   "Payload");
600 		return -1;
601 	}
602 
603 	auth_method = auth[0];
604 	auth += 4;
605 	auth_len -= 4;
606 
607 	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
608 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
609 
610 	switch (data->peer_auth) {
611 	case PEER_AUTH_CERT:
612 		return ikev2_process_auth_cert(data, auth_method, auth,
613 					       auth_len);
614 	case PEER_AUTH_SECRET:
615 		return ikev2_process_auth_secret(data, auth_method, auth,
616 						 auth_len);
617 	}
618 
619 	return -1;
620 }
621 
622 
623 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
624 					   u8 next_payload,
625 					   u8 *payload, size_t payload_len)
626 {
627 	struct ikev2_payloads pl;
628 
629 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
630 
631 	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
632 				 payload_len) < 0) {
633 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
634 			   "payloads");
635 		return -1;
636 	}
637 
638 	if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
639 	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
640 	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
641 		return -1;
642 
643 	return 0;
644 }
645 
646 
647 static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
648 				 const struct ikev2_hdr *hdr,
649 				 struct ikev2_payloads *pl)
650 {
651 	u8 *decrypted;
652 	size_t decrypted_len;
653 	int ret;
654 
655 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
656 					  data->proposal.integ,
657 					  &data->keys, 1, hdr, pl->encrypted,
658 					  pl->encrypted_len, &decrypted_len);
659 	if (decrypted == NULL)
660 		return -1;
661 
662 	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
663 					      decrypted, decrypted_len);
664 	os_free(decrypted);
665 
666 	return ret;
667 }
668 
669 
670 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
671 				   u8 exchange_type, u32 message_id)
672 {
673 	switch (data->state) {
674 	case SA_INIT:
675 		/* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
676 		if (exchange_type != IKE_SA_INIT) {
677 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
678 				   "%u in SA_INIT state", exchange_type);
679 			return -1;
680 		}
681 		if (message_id != 0) {
682 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
683 				   "in SA_INIT state", message_id);
684 			return -1;
685 		}
686 		break;
687 	case SA_AUTH:
688 		/* Expect to receive IKE_SA_AUTH:
689 		 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
690 		 *	AUTH, SAi2, TSi, TSr}
691 		 */
692 		if (exchange_type != IKE_SA_AUTH) {
693 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
694 				   "%u in SA_AUTH state", exchange_type);
695 			return -1;
696 		}
697 		if (message_id != 1) {
698 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
699 				   "in SA_AUTH state", message_id);
700 			return -1;
701 		}
702 		break;
703 	case CHILD_SA:
704 		if (exchange_type != CREATE_CHILD_SA) {
705 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
706 				   "%u in CHILD_SA state", exchange_type);
707 			return -1;
708 		}
709 		if (message_id != 2) {
710 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
711 				   "in CHILD_SA state", message_id);
712 			return -1;
713 		}
714 		break;
715 	case NOTIFY:
716 	case IKEV2_DONE:
717 	case IKEV2_FAILED:
718 		return -1;
719 	}
720 
721 	return 0;
722 }
723 
724 
725 int ikev2_responder_process(struct ikev2_responder_data *data,
726 			    const struct wpabuf *buf)
727 {
728 	const struct ikev2_hdr *hdr;
729 	u32 length, message_id;
730 	const u8 *pos, *end;
731 	struct ikev2_payloads pl;
732 
733 	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
734 		   (unsigned long) wpabuf_len(buf));
735 
736 	if (wpabuf_len(buf) < sizeof(*hdr)) {
737 		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
738 		return -1;
739 	}
740 
741 	data->error_type = 0;
742 	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
743 	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
744 	message_id = WPA_GET_BE32(hdr->message_id);
745 	length = WPA_GET_BE32(hdr->length);
746 
747 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
748 		    hdr->i_spi, IKEV2_SPI_LEN);
749 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Responder's SPI",
750 		    hdr->r_spi, IKEV2_SPI_LEN);
751 	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
752 		   "Exchange Type: %u",
753 		   hdr->next_payload, hdr->version, hdr->exchange_type);
754 	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
755 		   message_id, length);
756 
757 	if (hdr->version != IKEV2_VERSION) {
758 		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
759 			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
760 		return -1;
761 	}
762 
763 	if (length != wpabuf_len(buf)) {
764 		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
765 			   "RX: %lu)", (unsigned long) length,
766 			   (unsigned long) wpabuf_len(buf));
767 		return -1;
768 	}
769 
770 	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
771 		return -1;
772 
773 	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
774 	    IKEV2_HDR_INITIATOR) {
775 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
776 			   hdr->flags);
777 		return -1;
778 	}
779 
780 	if (data->state != SA_INIT) {
781 		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
782 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
783 				   "Initiator's SPI");
784 			return -1;
785 		}
786 		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
787 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
788 				   "Responder's SPI");
789 			return -1;
790 		}
791 	}
792 
793 	pos = (const u8 *) (hdr + 1);
794 	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
795 		return -1;
796 
797 	if (data->state == SA_INIT) {
798 		data->last_msg = LAST_MSG_SA_INIT;
799 		if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
800 			if (data->state == NOTIFY)
801 				return 0;
802 			return -1;
803 		}
804 		wpabuf_free(data->i_sign_msg);
805 		data->i_sign_msg = wpabuf_dup(buf);
806 	}
807 
808 	if (data->state == SA_AUTH) {
809 		data->last_msg = LAST_MSG_SA_AUTH;
810 		if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
811 			if (data->state == NOTIFY)
812 				return 0;
813 			return -1;
814 		}
815 	}
816 
817 	return 0;
818 }
819 
820 
821 static void ikev2_build_hdr(struct ikev2_responder_data *data,
822 			    struct wpabuf *msg, u8 exchange_type,
823 			    u8 next_payload, u32 message_id)
824 {
825 	struct ikev2_hdr *hdr;
826 
827 	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
828 
829 	/* HDR - RFC 4306, Sect. 3.1 */
830 	hdr = wpabuf_put(msg, sizeof(*hdr));
831 	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
832 	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
833 	hdr->next_payload = next_payload;
834 	hdr->version = IKEV2_VERSION;
835 	hdr->exchange_type = exchange_type;
836 	hdr->flags = IKEV2_HDR_RESPONSE;
837 	WPA_PUT_BE32(hdr->message_id, message_id);
838 }
839 
840 
841 static int ikev2_build_sar1(struct ikev2_responder_data *data,
842 			    struct wpabuf *msg, u8 next_payload)
843 {
844 	struct ikev2_payload_hdr *phdr;
845 	size_t plen;
846 	struct ikev2_proposal *p;
847 	struct ikev2_transform *t;
848 
849 	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
850 
851 	/* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
852 	phdr = wpabuf_put(msg, sizeof(*phdr));
853 	phdr->next_payload = next_payload;
854 	phdr->flags = 0;
855 
856 	p = wpabuf_put(msg, sizeof(*p));
857 	p->proposal_num = data->proposal.proposal_num;
858 	p->protocol_id = IKEV2_PROTOCOL_IKE;
859 	p->num_transforms = 4;
860 
861 	t = wpabuf_put(msg, sizeof(*t));
862 	t->type = 3;
863 	t->transform_type = IKEV2_TRANSFORM_ENCR;
864 	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
865 	if (data->proposal.encr == ENCR_AES_CBC) {
866 		/* Transform Attribute: Key Len = 128 bits */
867 		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
868 		wpabuf_put_be16(msg, 128); /* 128-bit key */
869 	}
870 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
871 	WPA_PUT_BE16(t->transform_length, plen);
872 
873 	t = wpabuf_put(msg, sizeof(*t));
874 	t->type = 3;
875 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
876 	t->transform_type = IKEV2_TRANSFORM_PRF;
877 	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
878 
879 	t = wpabuf_put(msg, sizeof(*t));
880 	t->type = 3;
881 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
882 	t->transform_type = IKEV2_TRANSFORM_INTEG;
883 	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
884 
885 	t = wpabuf_put(msg, sizeof(*t));
886 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
887 	t->transform_type = IKEV2_TRANSFORM_DH;
888 	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
889 
890 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
891 	WPA_PUT_BE16(p->proposal_length, plen);
892 
893 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
894 	WPA_PUT_BE16(phdr->payload_length, plen);
895 
896 	return 0;
897 }
898 
899 
900 static int ikev2_build_ker(struct ikev2_responder_data *data,
901 			   struct wpabuf *msg, u8 next_payload)
902 {
903 	struct ikev2_payload_hdr *phdr;
904 	size_t plen;
905 	struct wpabuf *pv;
906 
907 	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
908 
909 	pv = dh_init(data->dh, &data->r_dh_private);
910 	if (pv == NULL) {
911 		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
912 		return -1;
913 	}
914 
915 	/* KEr - RFC 4306, Sect. 3.4 */
916 	phdr = wpabuf_put(msg, sizeof(*phdr));
917 	phdr->next_payload = next_payload;
918 	phdr->flags = 0;
919 
920 	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
921 	wpabuf_put(msg, 2); /* RESERVED */
922 	/*
923 	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
924 	 * match the length of the prime.
925 	 */
926 	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
927 	wpabuf_put_buf(msg, pv);
928 	wpabuf_free(pv);
929 
930 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
931 	WPA_PUT_BE16(phdr->payload_length, plen);
932 	return 0;
933 }
934 
935 
936 static int ikev2_build_nr(struct ikev2_responder_data *data,
937 			  struct wpabuf *msg, u8 next_payload)
938 {
939 	struct ikev2_payload_hdr *phdr;
940 	size_t plen;
941 
942 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
943 
944 	/* Nr - RFC 4306, Sect. 3.9 */
945 	phdr = wpabuf_put(msg, sizeof(*phdr));
946 	phdr->next_payload = next_payload;
947 	phdr->flags = 0;
948 	wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
949 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
950 	WPA_PUT_BE16(phdr->payload_length, plen);
951 	return 0;
952 }
953 
954 
955 static int ikev2_build_idr(struct ikev2_responder_data *data,
956 			   struct wpabuf *msg, u8 next_payload)
957 {
958 	struct ikev2_payload_hdr *phdr;
959 	size_t plen;
960 
961 	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
962 
963 	if (data->IDr == NULL) {
964 		wpa_printf(MSG_INFO, "IKEV2: No IDr available");
965 		return -1;
966 	}
967 
968 	/* IDr - RFC 4306, Sect. 3.5 */
969 	phdr = wpabuf_put(msg, sizeof(*phdr));
970 	phdr->next_payload = next_payload;
971 	phdr->flags = 0;
972 	wpabuf_put_u8(msg, ID_KEY_ID);
973 	wpabuf_put(msg, 3); /* RESERVED */
974 	wpabuf_put_data(msg, data->IDr, data->IDr_len);
975 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
976 	WPA_PUT_BE16(phdr->payload_length, plen);
977 	return 0;
978 }
979 
980 
981 static int ikev2_build_auth(struct ikev2_responder_data *data,
982 			    struct wpabuf *msg, u8 next_payload)
983 {
984 	struct ikev2_payload_hdr *phdr;
985 	size_t plen;
986 	const struct ikev2_prf_alg *prf;
987 
988 	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
989 
990 	prf = ikev2_get_prf(data->proposal.prf);
991 	if (prf == NULL)
992 		return -1;
993 
994 	/* Authentication - RFC 4306, Sect. 3.8 */
995 	phdr = wpabuf_put(msg, sizeof(*phdr));
996 	phdr->next_payload = next_payload;
997 	phdr->flags = 0;
998 	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
999 	wpabuf_put(msg, 3); /* RESERVED */
1000 
1001 	/* msg | Ni | prf(SK_pr,IDr') */
1002 	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1003 				   data->IDr, data->IDr_len, ID_KEY_ID,
1004 				   &data->keys, 0, data->shared_secret,
1005 				   data->shared_secret_len,
1006 				   data->i_nonce, data->i_nonce_len,
1007 				   data->key_pad, data->key_pad_len,
1008 				   wpabuf_put(msg, prf->hash_len)) < 0) {
1009 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1010 		return -1;
1011 	}
1012 	wpabuf_free(data->r_sign_msg);
1013 	data->r_sign_msg = NULL;
1014 
1015 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1016 	WPA_PUT_BE16(phdr->payload_length, plen);
1017 	return 0;
1018 }
1019 
1020 
1021 static int ikev2_build_notification(struct ikev2_responder_data *data,
1022 				    struct wpabuf *msg, u8 next_payload)
1023 {
1024 	struct ikev2_payload_hdr *phdr;
1025 	size_t plen;
1026 
1027 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1028 
1029 	if (data->error_type == 0) {
1030 		wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1031 			   "available");
1032 		return -1;
1033 	}
1034 
1035 	/* Notify - RFC 4306, Sect. 3.10 */
1036 	phdr = wpabuf_put(msg, sizeof(*phdr));
1037 	phdr->next_payload = next_payload;
1038 	phdr->flags = 0;
1039 	wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1040 	wpabuf_put_u8(msg, 0); /* SPI Size */
1041 	wpabuf_put_be16(msg, data->error_type);
1042 
1043 	switch (data->error_type) {
1044 	case INVALID_KE_PAYLOAD:
1045 		if (data->proposal.dh == -1) {
1046 			wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1047 				   "INVALID_KE_PAYLOAD notifications");
1048 			return -1;
1049 		}
1050 		wpabuf_put_be16(msg, data->proposal.dh);
1051 		wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1052 			   "DH Group #%d", data->proposal.dh);
1053 		break;
1054 	case AUTHENTICATION_FAILED:
1055 		/* no associated data */
1056 		break;
1057 	default:
1058 		wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1059 			   "%d", data->error_type);
1060 		return -1;
1061 	}
1062 
1063 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1064 	WPA_PUT_BE16(phdr->payload_length, plen);
1065 	return 0;
1066 }
1067 
1068 
1069 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1070 {
1071 	struct wpabuf *msg;
1072 
1073 	/* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1074 
1075 	if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1076 		return NULL;
1077 	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1078 		    data->r_spi, IKEV2_SPI_LEN);
1079 
1080 	data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1081 	if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1082 		return NULL;
1083 	wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1084 
1085 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1086 	if (msg == NULL)
1087 		return NULL;
1088 
1089 	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1090 	if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1091 	    ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1092 	    ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1093 			   IKEV2_PAYLOAD_ENCRYPTED :
1094 			   IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1095 		wpabuf_free(msg);
1096 		return NULL;
1097 	}
1098 
1099 	if (ikev2_derive_keys(data)) {
1100 		wpabuf_free(msg);
1101 		return NULL;
1102 	}
1103 
1104 	if (data->peer_auth == PEER_AUTH_CERT) {
1105 		/* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1106 		 * for trust agents */
1107 	}
1108 
1109 	if (data->peer_auth == PEER_AUTH_SECRET) {
1110 		struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1111 		if (plain == NULL) {
1112 			wpabuf_free(msg);
1113 			return NULL;
1114 		}
1115 		if (ikev2_build_idr(data, plain,
1116 				    IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1117 		    ikev2_build_encrypted(data->proposal.encr,
1118 					  data->proposal.integ,
1119 					  &data->keys, 0, msg, plain,
1120 					  IKEV2_PAYLOAD_IDr)) {
1121 			wpabuf_free(plain);
1122 			wpabuf_free(msg);
1123 			return NULL;
1124 		}
1125 		wpabuf_free(plain);
1126 	}
1127 
1128 	ikev2_update_hdr(msg);
1129 
1130 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1131 
1132 	data->state = SA_AUTH;
1133 
1134 	wpabuf_free(data->r_sign_msg);
1135 	data->r_sign_msg = wpabuf_dup(msg);
1136 
1137 	return msg;
1138 }
1139 
1140 
1141 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1142 {
1143 	struct wpabuf *msg, *plain;
1144 
1145 	/* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1146 
1147 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1148 	if (msg == NULL)
1149 		return NULL;
1150 	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1151 
1152 	plain = wpabuf_alloc(data->IDr_len + 1000);
1153 	if (plain == NULL) {
1154 		wpabuf_free(msg);
1155 		return NULL;
1156 	}
1157 
1158 	if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1159 	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1160 	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1161 				  &data->keys, 0, msg, plain,
1162 				  IKEV2_PAYLOAD_IDr)) {
1163 		wpabuf_free(plain);
1164 		wpabuf_free(msg);
1165 		return NULL;
1166 	}
1167 	wpabuf_free(plain);
1168 
1169 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1170 
1171 	data->state = IKEV2_DONE;
1172 
1173 	return msg;
1174 }
1175 
1176 
1177 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1178 {
1179 	struct wpabuf *msg;
1180 
1181 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1182 	if (msg == NULL)
1183 		return NULL;
1184 	if (data->last_msg == LAST_MSG_SA_AUTH) {
1185 		/* HDR, SK{N} */
1186 		struct wpabuf *plain = wpabuf_alloc(100);
1187 		if (plain == NULL) {
1188 			wpabuf_free(msg);
1189 			return NULL;
1190 		}
1191 		ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1192 				IKEV2_PAYLOAD_ENCRYPTED, 1);
1193 		if (ikev2_build_notification(data, plain,
1194 					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1195 		    ikev2_build_encrypted(data->proposal.encr,
1196 					  data->proposal.integ,
1197 					  &data->keys, 0, msg, plain,
1198 					  IKEV2_PAYLOAD_NOTIFICATION)) {
1199 			wpabuf_free(plain);
1200 			wpabuf_free(msg);
1201 			return NULL;
1202 		}
1203 		wpabuf_free(plain);
1204 		data->state = IKEV2_FAILED;
1205 	} else {
1206 		/* HDR, N */
1207 		ikev2_build_hdr(data, msg, IKE_SA_INIT,
1208 				IKEV2_PAYLOAD_NOTIFICATION, 0);
1209 		if (ikev2_build_notification(data, msg,
1210 					     IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1211 			wpabuf_free(msg);
1212 			return NULL;
1213 		}
1214 		data->state = SA_INIT;
1215 	}
1216 
1217 	ikev2_update_hdr(msg);
1218 
1219 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1220 			msg);
1221 
1222 	return msg;
1223 }
1224 
1225 
1226 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1227 {
1228 	switch (data->state) {
1229 	case SA_INIT:
1230 		return ikev2_build_sa_init(data);
1231 	case SA_AUTH:
1232 		return ikev2_build_sa_auth(data);
1233 	case CHILD_SA:
1234 		return NULL;
1235 	case NOTIFY:
1236 		return ikev2_build_notify(data);
1237 	case IKEV2_DONE:
1238 	case IKEV2_FAILED:
1239 		return NULL;
1240 	}
1241 	return NULL;
1242 }
1243