xref: /freebsd/contrib/wpa/src/eap_server/ikev2.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
14 #include "ikev2.h"
15 
16 
17 static int ikev2_process_idr(struct ikev2_initiator_data *data,
18 			     const u8 *idr, size_t idr_len);
19 
20 
21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
22 {
23 	ikev2_free_keys(&data->keys);
24 	wpabuf_free(data->r_dh_public);
25 	wpabuf_free(data->i_dh_private);
26 	os_free(data->IDi);
27 	os_free(data->IDr);
28 	os_free(data->shared_secret);
29 	wpabuf_free(data->i_sign_msg);
30 	wpabuf_free(data->r_sign_msg);
31 	os_free(data->key_pad);
32 }
33 
34 
35 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
36 {
37 	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
38 	size_t buf_len, pad_len;
39 	struct wpabuf *shared;
40 	const struct ikev2_integ_alg *integ;
41 	const struct ikev2_prf_alg *prf;
42 	const struct ikev2_encr_alg *encr;
43 	int ret;
44 	const u8 *addr[2];
45 	size_t len[2];
46 
47 	/* RFC 4306, Sect. 2.14 */
48 
49 	integ = ikev2_get_integ(data->proposal.integ);
50 	prf = ikev2_get_prf(data->proposal.prf);
51 	encr = ikev2_get_encr(data->proposal.encr);
52 	if (integ == NULL || prf == NULL || encr == NULL) {
53 		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
54 		return -1;
55 	}
56 
57 	shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
58 				  data->dh);
59 	if (shared == NULL)
60 		return -1;
61 
62 	/* Construct Ni | Nr | SPIi | SPIr */
63 
64 	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
65 	buf = os_malloc(buf_len);
66 	if (buf == NULL) {
67 		wpabuf_free(shared);
68 		return -1;
69 	}
70 
71 	pos = buf;
72 	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
73 	pos += data->i_nonce_len;
74 	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
75 	pos += data->r_nonce_len;
76 	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
77 	pos += IKEV2_SPI_LEN;
78 	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
79 
80 	/* SKEYSEED = prf(Ni | Nr, g^ir) */
81 
82 	/* Use zero-padding per RFC 4306, Sect. 2.14 */
83 	pad_len = data->dh->prime_len - wpabuf_len(shared);
84 	pad = os_zalloc(pad_len ? pad_len : 1);
85 	if (pad == NULL) {
86 		wpabuf_free(shared);
87 		os_free(buf);
88 		return -1;
89 	}
90 	addr[0] = pad;
91 	len[0] = pad_len;
92 	addr[1] = wpabuf_head(shared);
93 	len[1] = wpabuf_len(shared);
94 	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
95 			   2, addr, len, skeyseed) < 0) {
96 		wpabuf_free(shared);
97 		os_free(buf);
98 		os_free(pad);
99 		return -1;
100 	}
101 	os_free(pad);
102 	wpabuf_free(shared);
103 
104 	/* DH parameters are not needed anymore, so free them */
105 	wpabuf_free(data->r_dh_public);
106 	data->r_dh_public = NULL;
107 	wpabuf_free(data->i_dh_private);
108 	data->i_dh_private = NULL;
109 
110 	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
111 			skeyseed, prf->hash_len);
112 
113 	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
114 				   &data->keys);
115 	os_free(buf);
116 	return ret;
117 }
118 
119 
120 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
121 				 struct ikev2_proposal_data *prop,
122 				 const u8 *pos, const u8 *end)
123 {
124 	int transform_len;
125 	const struct ikev2_transform *t;
126 	u16 transform_id;
127 	const u8 *tend;
128 
129 	if (end - pos < (int) sizeof(*t)) {
130 		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
131 		return -1;
132 	}
133 
134 	t = (const struct ikev2_transform *) pos;
135 	transform_len = WPA_GET_BE16(t->transform_length);
136 	if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
137 		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
138 			   transform_len);
139 		return -1;
140 	}
141 	tend = pos + transform_len;
142 
143 	transform_id = WPA_GET_BE16(t->transform_id);
144 
145 	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
146 	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
147 		   "Transform Type: %d  Transform ID: %d",
148 		   t->type, transform_len, t->transform_type, transform_id);
149 
150 	if (t->type != 0 && t->type != 3) {
151 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
152 		return -1;
153 	}
154 
155 	pos = (const u8 *) (t + 1);
156 	if (pos < tend) {
157 		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
158 			    pos, tend - pos);
159 	}
160 
161 	switch (t->transform_type) {
162 	case IKEV2_TRANSFORM_ENCR:
163 		if (ikev2_get_encr(transform_id) &&
164 		    transform_id == data->proposal.encr) {
165 			if (transform_id == ENCR_AES_CBC) {
166 				if (tend - pos != 4) {
167 					wpa_printf(MSG_DEBUG, "IKEV2: No "
168 						   "Transform Attr for AES");
169 					break;
170 				}
171 				if (WPA_GET_BE16(pos) != 0x800e) {
172 					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
173 						   "Key Size attribute for "
174 						   "AES");
175 					break;
176 				}
177 				if (WPA_GET_BE16(pos + 2) != 128) {
178 					wpa_printf(MSG_DEBUG, "IKEV2: "
179 						   "Unsupported AES key size "
180 						   "%d bits",
181 						   WPA_GET_BE16(pos + 2));
182 					break;
183 				}
184 			}
185 			prop->encr = transform_id;
186 		}
187 		break;
188 	case IKEV2_TRANSFORM_PRF:
189 		if (ikev2_get_prf(transform_id) &&
190 		    transform_id == data->proposal.prf)
191 			prop->prf = transform_id;
192 		break;
193 	case IKEV2_TRANSFORM_INTEG:
194 		if (ikev2_get_integ(transform_id) &&
195 		    transform_id == data->proposal.integ)
196 			prop->integ = transform_id;
197 		break;
198 	case IKEV2_TRANSFORM_DH:
199 		if (dh_groups_get(transform_id) &&
200 		    transform_id == data->proposal.dh)
201 			prop->dh = transform_id;
202 		break;
203 	}
204 
205 	return transform_len;
206 }
207 
208 
209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
210 				struct ikev2_proposal_data *prop,
211 				const u8 *pos, const u8 *end)
212 {
213 	const u8 *pend, *ppos;
214 	int proposal_len, i;
215 	const struct ikev2_proposal *p;
216 
217 	if (end - pos < (int) sizeof(*p)) {
218 		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
219 		return -1;
220 	}
221 
222 	p = (const struct ikev2_proposal *) pos;
223 	proposal_len = WPA_GET_BE16(p->proposal_length);
224 	if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
225 		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
226 			   proposal_len);
227 		return -1;
228 	}
229 	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
230 		   p->proposal_num);
231 	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
232 		   " Protocol ID: %d",
233 		   p->type, proposal_len, p->protocol_id);
234 	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
235 		   p->spi_size, p->num_transforms);
236 
237 	if (p->type != 0 && p->type != 2) {
238 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
239 		return -1;
240 	}
241 
242 	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
243 		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
244 			   "(only IKE allowed for EAP-IKEv2)");
245 		return -1;
246 	}
247 
248 	if (p->proposal_num != prop->proposal_num) {
249 		if (p->proposal_num == prop->proposal_num + 1)
250 			prop->proposal_num = p->proposal_num;
251 		else {
252 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
253 			return -1;
254 		}
255 	}
256 
257 	ppos = (const u8 *) (p + 1);
258 	pend = pos + proposal_len;
259 	if (p->spi_size > pend - ppos) {
260 		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
261 			   "in proposal");
262 		return -1;
263 	}
264 	if (p->spi_size) {
265 		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
266 			    ppos, p->spi_size);
267 		ppos += p->spi_size;
268 	}
269 
270 	/*
271 	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
272 	 * subsequent negotiations, it must be 8 for IKE. We only support
273 	 * initial case for now.
274 	 */
275 	if (p->spi_size != 0) {
276 		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
277 		return -1;
278 	}
279 
280 	if (p->num_transforms == 0) {
281 		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
282 		return -1;
283 	}
284 
285 	for (i = 0; i < (int) p->num_transforms; i++) {
286 		int tlen = ikev2_parse_transform(data, prop, ppos, pend);
287 		if (tlen < 0)
288 			return -1;
289 		ppos += tlen;
290 	}
291 
292 	if (ppos != pend) {
293 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
294 			   "transforms");
295 		return -1;
296 	}
297 
298 	return proposal_len;
299 }
300 
301 
302 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
303 			      const u8 *sar1, size_t sar1_len)
304 {
305 	struct ikev2_proposal_data prop;
306 	const u8 *pos, *end;
307 	int found = 0;
308 
309 	/* Security Association Payloads: <Proposals> */
310 
311 	if (sar1 == NULL) {
312 		wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
313 		return -1;
314 	}
315 
316 	os_memset(&prop, 0, sizeof(prop));
317 	prop.proposal_num = 1;
318 
319 	pos = sar1;
320 	end = sar1 + sar1_len;
321 
322 	while (pos < end) {
323 		int plen;
324 
325 		prop.integ = -1;
326 		prop.prf = -1;
327 		prop.encr = -1;
328 		prop.dh = -1;
329 		plen = ikev2_parse_proposal(data, &prop, pos, end);
330 		if (plen < 0)
331 			return -1;
332 
333 		if (!found && prop.integ != -1 && prop.prf != -1 &&
334 		    prop.encr != -1 && prop.dh != -1) {
335 			found = 1;
336 		}
337 
338 		pos += plen;
339 
340 		/* Only one proposal expected in SAr */
341 		break;
342 	}
343 
344 	if (pos != end) {
345 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
346 		return -1;
347 	}
348 
349 	if (!found) {
350 		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
351 		return -1;
352 	}
353 
354 	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
355 		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
356 		   data->proposal.encr, data->proposal.prf,
357 		   data->proposal.integ, data->proposal.dh);
358 
359 	return 0;
360 }
361 
362 
363 static int ikev2_process_ker(struct ikev2_initiator_data *data,
364 			     const u8 *ker, size_t ker_len)
365 {
366 	u16 group;
367 
368 	/*
369 	 * Key Exchange Payload:
370 	 * DH Group # (16 bits)
371 	 * RESERVED (16 bits)
372 	 * Key Exchange Data (Diffie-Hellman public value)
373 	 */
374 
375 	if (ker == NULL) {
376 		wpa_printf(MSG_INFO, "IKEV2: KEr not received");
377 		return -1;
378 	}
379 
380 	if (ker_len < 4 + 96) {
381 		wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
382 		return -1;
383 	}
384 
385 	group = WPA_GET_BE16(ker);
386 	wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
387 
388 	if (group != data->proposal.dh) {
389 		wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
390 			   "with the selected proposal (%u)",
391 			   group, data->proposal.dh);
392 		return -1;
393 	}
394 
395 	if (data->dh == NULL) {
396 		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
397 		return -1;
398 	}
399 
400 	/* RFC 4306, Section 3.4:
401 	 * The length of DH public value MUST be equal to the length of the
402 	 * prime modulus.
403 	 */
404 	if (ker_len - 4 != data->dh->prime_len) {
405 		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
406 			   "%ld (expected %ld)",
407 			   (long) (ker_len - 4), (long) data->dh->prime_len);
408 		return -1;
409 	}
410 
411 	wpabuf_free(data->r_dh_public);
412 	data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
413 	if (data->r_dh_public == NULL)
414 		return -1;
415 
416 	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
417 			data->r_dh_public);
418 
419 	return 0;
420 }
421 
422 
423 static int ikev2_process_nr(struct ikev2_initiator_data *data,
424 			    const u8 *nr, size_t nr_len)
425 {
426 	if (nr == NULL) {
427 		wpa_printf(MSG_INFO, "IKEV2: Nr not received");
428 		return -1;
429 	}
430 
431 	if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
432 		wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
433 			   (long) nr_len);
434 		return -1;
435 	}
436 
437 	data->r_nonce_len = nr_len;
438 	os_memcpy(data->r_nonce, nr, nr_len);
439 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
440 		    data->r_nonce, data->r_nonce_len);
441 
442 	return 0;
443 }
444 
445 
446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
447 				      const struct ikev2_hdr *hdr,
448 				      const u8 *encrypted,
449 				      size_t encrypted_len, u8 next_payload)
450 {
451 	u8 *decrypted;
452 	size_t decrypted_len;
453 	struct ikev2_payloads pl;
454 	int ret = 0;
455 
456 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
457 					  data->proposal.integ, &data->keys, 0,
458 					  hdr, encrypted, encrypted_len,
459 					  &decrypted_len);
460 	if (decrypted == NULL)
461 		return -1;
462 
463 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
464 
465 	if (ikev2_parse_payloads(&pl, next_payload, decrypted,
466 				 decrypted + decrypted_len) < 0) {
467 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
468 			   "payloads");
469 		return -1;
470 	}
471 
472 	if (pl.idr)
473 		ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
474 
475 	os_free(decrypted);
476 
477 	return ret;
478 }
479 
480 
481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
482 				 const struct ikev2_hdr *hdr,
483 				 struct ikev2_payloads *pl)
484 {
485 	if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
486 	    ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
487 	    ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
488 		return -1;
489 
490 	os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
491 
492 	if (ikev2_derive_keys(data) < 0)
493 		return -1;
494 
495 	if (pl->encrypted) {
496 		wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
497 			   "try to get IDr from it");
498 		if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
499 					       pl->encrypted_len,
500 					       pl->encr_next_payload) < 0) {
501 			wpa_printf(MSG_INFO, "IKEV2: Failed to process "
502 				   "encrypted payload");
503 			return -1;
504 		}
505 	}
506 
507 	data->state = SA_AUTH;
508 
509 	return 0;
510 }
511 
512 
513 static int ikev2_process_idr(struct ikev2_initiator_data *data,
514 			     const u8 *idr, size_t idr_len)
515 {
516 	u8 id_type;
517 
518 	if (idr == NULL) {
519 		wpa_printf(MSG_INFO, "IKEV2: No IDr received");
520 		return -1;
521 	}
522 
523 	if (idr_len < 4) {
524 		wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
525 		return -1;
526 	}
527 
528 	id_type = idr[0];
529 	idr += 4;
530 	idr_len -= 4;
531 
532 	wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
533 	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
534 	if (data->IDr) {
535 		if (id_type != data->IDr_type || idr_len != data->IDr_len ||
536 		    os_memcmp(idr, data->IDr, idr_len) != 0) {
537 			wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
538 				   "received earlier");
539 			wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
540 				   id_type);
541 			wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
542 					  data->IDr, data->IDr_len);
543 			return -1;
544 		}
545 		os_free(data->IDr);
546 	}
547 	data->IDr = os_memdup(idr, idr_len);
548 	if (data->IDr == NULL)
549 		return -1;
550 	data->IDr_len = idr_len;
551 	data->IDr_type = id_type;
552 
553 	return 0;
554 }
555 
556 
557 static int ikev2_process_cert(struct ikev2_initiator_data *data,
558 			      const u8 *cert, size_t cert_len)
559 {
560 	u8 cert_encoding;
561 
562 	if (cert == NULL) {
563 		if (data->peer_auth == PEER_AUTH_CERT) {
564 			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
565 			return -1;
566 		}
567 		return 0;
568 	}
569 
570 	if (cert_len < 1) {
571 		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
572 		return -1;
573 	}
574 
575 	cert_encoding = cert[0];
576 	cert++;
577 	cert_len--;
578 
579 	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
580 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
581 
582 	/* TODO: validate certificate */
583 
584 	return 0;
585 }
586 
587 
588 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
589 				   u8 method, const u8 *auth, size_t auth_len)
590 {
591 	if (method != AUTH_RSA_SIGN) {
592 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
593 			   "method %d", method);
594 		return -1;
595 	}
596 
597 	/* TODO: validate AUTH */
598 	return 0;
599 }
600 
601 
602 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
603 				     u8 method, const u8 *auth,
604 				     size_t auth_len)
605 {
606 	u8 auth_data[IKEV2_MAX_HASH_LEN];
607 	const struct ikev2_prf_alg *prf;
608 
609 	if (method != AUTH_SHARED_KEY_MIC) {
610 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
611 			   "method %d", method);
612 		return -1;
613 	}
614 
615 	/* msg | Ni | prf(SK_pr,IDr') */
616 	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
617 				   data->IDr, data->IDr_len, data->IDr_type,
618 				   &data->keys, 0, data->shared_secret,
619 				   data->shared_secret_len,
620 				   data->i_nonce, data->i_nonce_len,
621 				   data->key_pad, data->key_pad_len,
622 				   auth_data) < 0) {
623 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
624 		return -1;
625 	}
626 
627 	wpabuf_free(data->r_sign_msg);
628 	data->r_sign_msg = NULL;
629 
630 	prf = ikev2_get_prf(data->proposal.prf);
631 	if (prf == NULL)
632 		return -1;
633 
634 	if (auth_len != prf->hash_len ||
635 	    os_memcmp_const(auth, auth_data, auth_len) != 0) {
636 		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
637 		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
638 			    auth, auth_len);
639 		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
640 			    auth_data, prf->hash_len);
641 		return -1;
642 	}
643 
644 	wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
645 		   "using shared keys");
646 
647 	return 0;
648 }
649 
650 
651 static int ikev2_process_auth(struct ikev2_initiator_data *data,
652 			      const u8 *auth, size_t auth_len)
653 {
654 	u8 auth_method;
655 
656 	if (auth == NULL) {
657 		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
658 		return -1;
659 	}
660 
661 	if (auth_len < 4) {
662 		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
663 			   "Payload");
664 		return -1;
665 	}
666 
667 	auth_method = auth[0];
668 	auth += 4;
669 	auth_len -= 4;
670 
671 	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
672 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
673 
674 	switch (data->peer_auth) {
675 	case PEER_AUTH_CERT:
676 		return ikev2_process_auth_cert(data, auth_method, auth,
677 					       auth_len);
678 	case PEER_AUTH_SECRET:
679 		return ikev2_process_auth_secret(data, auth_method, auth,
680 						 auth_len);
681 	}
682 
683 	return -1;
684 }
685 
686 
687 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
688 					   u8 next_payload,
689 					   u8 *payload, size_t payload_len)
690 {
691 	struct ikev2_payloads pl;
692 
693 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
694 
695 	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
696 				 payload_len) < 0) {
697 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
698 			   "payloads");
699 		return -1;
700 	}
701 
702 	if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
703 	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
704 	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
705 		return -1;
706 
707 	return 0;
708 }
709 
710 
711 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
712 				 const struct ikev2_hdr *hdr,
713 				 struct ikev2_payloads *pl)
714 {
715 	u8 *decrypted;
716 	size_t decrypted_len;
717 	int ret;
718 
719 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
720 					  data->proposal.integ,
721 					  &data->keys, 0, hdr, pl->encrypted,
722 					  pl->encrypted_len, &decrypted_len);
723 	if (decrypted == NULL)
724 		return -1;
725 
726 	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
727 					      decrypted, decrypted_len);
728 	os_free(decrypted);
729 
730 	if (ret == 0 && !data->unknown_user) {
731 		wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
732 		data->state = IKEV2_DONE;
733 	}
734 
735 	return ret;
736 }
737 
738 
739 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
740 				   u8 exchange_type, u32 message_id)
741 {
742 	switch (data->state) {
743 	case SA_INIT:
744 		/* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
745 		 * [SK{IDr}] */
746 		if (exchange_type != IKE_SA_INIT) {
747 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
748 				   "%u in SA_INIT state", exchange_type);
749 			return -1;
750 		}
751 		if (message_id != 0) {
752 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
753 				   "in SA_INIT state", message_id);
754 			return -1;
755 		}
756 		break;
757 	case SA_AUTH:
758 		/* Expect to receive IKE_SA_AUTH:
759 		 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
760 		 */
761 		if (exchange_type != IKE_SA_AUTH) {
762 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
763 				   "%u in SA_AUTH state", exchange_type);
764 			return -1;
765 		}
766 		if (message_id != 1) {
767 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
768 				   "in SA_AUTH state", message_id);
769 			return -1;
770 		}
771 		break;
772 	case CHILD_SA:
773 		if (exchange_type != CREATE_CHILD_SA) {
774 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
775 				   "%u in CHILD_SA state", exchange_type);
776 			return -1;
777 		}
778 		if (message_id != 2) {
779 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
780 				   "in CHILD_SA state", message_id);
781 			return -1;
782 		}
783 		break;
784 	case IKEV2_DONE:
785 		return -1;
786 	}
787 
788 	return 0;
789 }
790 
791 
792 int ikev2_initiator_process(struct ikev2_initiator_data *data,
793 			    const struct wpabuf *buf)
794 {
795 	const struct ikev2_hdr *hdr;
796 	u32 length, message_id;
797 	const u8 *pos, *end;
798 	struct ikev2_payloads pl;
799 
800 	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
801 		   (unsigned long) wpabuf_len(buf));
802 
803 	if (wpabuf_len(buf) < sizeof(*hdr)) {
804 		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
805 		return -1;
806 	}
807 
808 	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
809 	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
810 	message_id = WPA_GET_BE32(hdr->message_id);
811 	length = WPA_GET_BE32(hdr->length);
812 
813 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
814 		    hdr->i_spi, IKEV2_SPI_LEN);
815 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
816 		    hdr->r_spi, IKEV2_SPI_LEN);
817 	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
818 		   "Exchange Type: %u",
819 		   hdr->next_payload, hdr->version, hdr->exchange_type);
820 	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
821 		   message_id, length);
822 
823 	if (hdr->version != IKEV2_VERSION) {
824 		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
825 			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
826 		return -1;
827 	}
828 
829 	if (length != wpabuf_len(buf)) {
830 		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
831 			   "RX: %lu)", (unsigned long) length,
832 			   (unsigned long) wpabuf_len(buf));
833 		return -1;
834 	}
835 
836 	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
837 		return -1;
838 
839 	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
840 	    IKEV2_HDR_RESPONSE) {
841 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
842 			   hdr->flags);
843 		return -1;
844 	}
845 
846 	if (data->state != SA_INIT) {
847 		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
848 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
849 				   "Initiator's SPI");
850 			return -1;
851 		}
852 		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
853 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
854 				   "Responder's SPI");
855 			return -1;
856 		}
857 	}
858 
859 	pos = (const u8 *) (hdr + 1);
860 	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
861 		return -1;
862 
863 	switch (data->state) {
864 	case SA_INIT:
865 		if (ikev2_process_sa_init(data, hdr, &pl) < 0)
866 			return -1;
867 		wpabuf_free(data->r_sign_msg);
868 		data->r_sign_msg = wpabuf_dup(buf);
869 		break;
870 	case SA_AUTH:
871 		if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
872 			return -1;
873 		break;
874 	case CHILD_SA:
875 	case IKEV2_DONE:
876 		break;
877 	}
878 
879 	return 0;
880 }
881 
882 
883 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
884 			    struct wpabuf *msg, u8 exchange_type,
885 			    u8 next_payload, u32 message_id)
886 {
887 	struct ikev2_hdr *hdr;
888 
889 	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
890 
891 	/* HDR - RFC 4306, Sect. 3.1 */
892 	hdr = wpabuf_put(msg, sizeof(*hdr));
893 	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
894 	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
895 	hdr->next_payload = next_payload;
896 	hdr->version = IKEV2_VERSION;
897 	hdr->exchange_type = exchange_type;
898 	hdr->flags = IKEV2_HDR_INITIATOR;
899 	WPA_PUT_BE32(hdr->message_id, message_id);
900 }
901 
902 
903 static int ikev2_build_sai(struct ikev2_initiator_data *data,
904 			    struct wpabuf *msg, u8 next_payload)
905 {
906 	struct ikev2_payload_hdr *phdr;
907 	size_t plen;
908 	struct ikev2_proposal *p;
909 	struct ikev2_transform *t;
910 
911 	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
912 
913 	/* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
914 	phdr = wpabuf_put(msg, sizeof(*phdr));
915 	phdr->next_payload = next_payload;
916 	phdr->flags = 0;
917 
918 	/* TODO: support for multiple proposals */
919 	p = wpabuf_put(msg, sizeof(*p));
920 	p->proposal_num = data->proposal.proposal_num;
921 	p->protocol_id = IKEV2_PROTOCOL_IKE;
922 	p->num_transforms = 4;
923 
924 	t = wpabuf_put(msg, sizeof(*t));
925 	t->type = 3;
926 	t->transform_type = IKEV2_TRANSFORM_ENCR;
927 	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
928 	if (data->proposal.encr == ENCR_AES_CBC) {
929 		/* Transform Attribute: Key Len = 128 bits */
930 		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
931 		wpabuf_put_be16(msg, 128); /* 128-bit key */
932 	}
933 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
934 	WPA_PUT_BE16(t->transform_length, plen);
935 
936 	t = wpabuf_put(msg, sizeof(*t));
937 	t->type = 3;
938 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
939 	t->transform_type = IKEV2_TRANSFORM_PRF;
940 	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
941 
942 	t = wpabuf_put(msg, sizeof(*t));
943 	t->type = 3;
944 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
945 	t->transform_type = IKEV2_TRANSFORM_INTEG;
946 	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
947 
948 	t = wpabuf_put(msg, sizeof(*t));
949 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
950 	t->transform_type = IKEV2_TRANSFORM_DH;
951 	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
952 
953 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
954 	WPA_PUT_BE16(p->proposal_length, plen);
955 
956 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
957 	WPA_PUT_BE16(phdr->payload_length, plen);
958 
959 	return 0;
960 }
961 
962 
963 static int ikev2_build_kei(struct ikev2_initiator_data *data,
964 			   struct wpabuf *msg, u8 next_payload)
965 {
966 	struct ikev2_payload_hdr *phdr;
967 	size_t plen;
968 	struct wpabuf *pv;
969 
970 	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
971 
972 	data->dh = dh_groups_get(data->proposal.dh);
973 	pv = dh_init(data->dh, &data->i_dh_private);
974 	if (pv == NULL) {
975 		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
976 		return -1;
977 	}
978 
979 	/* KEi - RFC 4306, Sect. 3.4 */
980 	phdr = wpabuf_put(msg, sizeof(*phdr));
981 	phdr->next_payload = next_payload;
982 	phdr->flags = 0;
983 
984 	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
985 	wpabuf_put(msg, 2); /* RESERVED */
986 	/*
987 	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
988 	 * match the length of the prime.
989 	 */
990 	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
991 	wpabuf_put_buf(msg, pv);
992 	wpabuf_free(pv);
993 
994 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
995 	WPA_PUT_BE16(phdr->payload_length, plen);
996 	return 0;
997 }
998 
999 
1000 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1001 			  struct wpabuf *msg, u8 next_payload)
1002 {
1003 	struct ikev2_payload_hdr *phdr;
1004 	size_t plen;
1005 
1006 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1007 
1008 	/* Ni - RFC 4306, Sect. 3.9 */
1009 	phdr = wpabuf_put(msg, sizeof(*phdr));
1010 	phdr->next_payload = next_payload;
1011 	phdr->flags = 0;
1012 	wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1013 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1014 	WPA_PUT_BE16(phdr->payload_length, plen);
1015 	return 0;
1016 }
1017 
1018 
1019 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1020 			   struct wpabuf *msg, u8 next_payload)
1021 {
1022 	struct ikev2_payload_hdr *phdr;
1023 	size_t plen;
1024 
1025 	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1026 
1027 	if (data->IDi == NULL) {
1028 		wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1029 		return -1;
1030 	}
1031 
1032 	/* IDi - RFC 4306, Sect. 3.5 */
1033 	phdr = wpabuf_put(msg, sizeof(*phdr));
1034 	phdr->next_payload = next_payload;
1035 	phdr->flags = 0;
1036 	wpabuf_put_u8(msg, ID_KEY_ID);
1037 	wpabuf_put(msg, 3); /* RESERVED */
1038 	wpabuf_put_data(msg, data->IDi, data->IDi_len);
1039 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1040 	WPA_PUT_BE16(phdr->payload_length, plen);
1041 	return 0;
1042 }
1043 
1044 
1045 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1046 			    struct wpabuf *msg, u8 next_payload)
1047 {
1048 	struct ikev2_payload_hdr *phdr;
1049 	size_t plen;
1050 	const struct ikev2_prf_alg *prf;
1051 
1052 	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1053 
1054 	prf = ikev2_get_prf(data->proposal.prf);
1055 	if (prf == NULL)
1056 		return -1;
1057 
1058 	/* Authentication - RFC 4306, Sect. 3.8 */
1059 	phdr = wpabuf_put(msg, sizeof(*phdr));
1060 	phdr->next_payload = next_payload;
1061 	phdr->flags = 0;
1062 	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1063 	wpabuf_put(msg, 3); /* RESERVED */
1064 
1065 	/* msg | Nr | prf(SK_pi,IDi') */
1066 	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1067 				   data->IDi, data->IDi_len, ID_KEY_ID,
1068 				   &data->keys, 1, data->shared_secret,
1069 				   data->shared_secret_len,
1070 				   data->r_nonce, data->r_nonce_len,
1071 				   data->key_pad, data->key_pad_len,
1072 				   wpabuf_put(msg, prf->hash_len)) < 0) {
1073 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1074 		return -1;
1075 	}
1076 	wpabuf_free(data->i_sign_msg);
1077 	data->i_sign_msg = NULL;
1078 
1079 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1080 	WPA_PUT_BE16(phdr->payload_length, plen);
1081 	return 0;
1082 }
1083 
1084 
1085 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1086 {
1087 	struct wpabuf *msg;
1088 
1089 	/* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1090 
1091 	if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1092 		return NULL;
1093 	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1094 		    data->i_spi, IKEV2_SPI_LEN);
1095 
1096 	data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1097 	if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1098 		return NULL;
1099 	wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1100 
1101 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1102 	if (msg == NULL)
1103 		return NULL;
1104 
1105 	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1106 	if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1107 	    ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1108 	    ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1109 		wpabuf_free(msg);
1110 		return NULL;
1111 	}
1112 
1113 	ikev2_update_hdr(msg);
1114 
1115 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1116 
1117 	wpabuf_free(data->i_sign_msg);
1118 	data->i_sign_msg = wpabuf_dup(msg);
1119 
1120 	return msg;
1121 }
1122 
1123 
1124 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1125 {
1126 	struct wpabuf *msg, *plain;
1127 	const u8 *secret;
1128 	size_t secret_len;
1129 
1130 	secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1131 					 data->IDr_len, &secret_len);
1132 	if (secret == NULL) {
1133 		wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1134 			   "use fake value");
1135 		/* RFC 5106, Sect. 7:
1136 		 * Use a random key to fake AUTH generation in order to prevent
1137 		 * probing of user identities.
1138 		 */
1139 		data->unknown_user = 1;
1140 		os_free(data->shared_secret);
1141 		data->shared_secret = os_malloc(16);
1142 		if (data->shared_secret == NULL)
1143 			return NULL;
1144 		data->shared_secret_len = 16;
1145 		if (random_get_bytes(data->shared_secret, 16))
1146 			return NULL;
1147 	} else {
1148 		os_free(data->shared_secret);
1149 		data->shared_secret = os_memdup(secret, secret_len);
1150 		if (data->shared_secret == NULL)
1151 			return NULL;
1152 		data->shared_secret_len = secret_len;
1153 	}
1154 
1155 	/* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1156 
1157 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1158 	if (msg == NULL)
1159 		return NULL;
1160 	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1161 
1162 	plain = wpabuf_alloc(data->IDr_len + 1000);
1163 	if (plain == NULL) {
1164 		wpabuf_free(msg);
1165 		return NULL;
1166 	}
1167 
1168 	if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1169 	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1170 	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1171 				  &data->keys, 1, msg, plain,
1172 				  IKEV2_PAYLOAD_IDi)) {
1173 		wpabuf_free(plain);
1174 		wpabuf_free(msg);
1175 		return NULL;
1176 	}
1177 	wpabuf_free(plain);
1178 
1179 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1180 
1181 	return msg;
1182 }
1183 
1184 
1185 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1186 {
1187 	switch (data->state) {
1188 	case SA_INIT:
1189 		return ikev2_build_sa_init(data);
1190 	case SA_AUTH:
1191 		return ikev2_build_sa_auth(data);
1192 	case CHILD_SA:
1193 		return NULL;
1194 	case IKEV2_DONE:
1195 		return NULL;
1196 	}
1197 	return NULL;
1198 }
1199