xref: /freebsd/contrib/wpa/src/eap_server/ikev2.c (revision a0ee8cc636cd5c2374ec44ca71226564ea0bca95)
1 /*
2  * IKEv2 initiator (RFC 4306) for EAP-IKEV2
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
14 #include "ikev2.h"
15 
16 
17 static int ikev2_process_idr(struct ikev2_initiator_data *data,
18 			     const u8 *idr, size_t idr_len);
19 
20 
21 void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
22 {
23 	ikev2_free_keys(&data->keys);
24 	wpabuf_free(data->r_dh_public);
25 	wpabuf_free(data->i_dh_private);
26 	os_free(data->IDi);
27 	os_free(data->IDr);
28 	os_free(data->shared_secret);
29 	wpabuf_free(data->i_sign_msg);
30 	wpabuf_free(data->r_sign_msg);
31 	os_free(data->key_pad);
32 }
33 
34 
35 static int ikev2_derive_keys(struct ikev2_initiator_data *data)
36 {
37 	u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
38 	size_t buf_len, pad_len;
39 	struct wpabuf *shared;
40 	const struct ikev2_integ_alg *integ;
41 	const struct ikev2_prf_alg *prf;
42 	const struct ikev2_encr_alg *encr;
43 	int ret;
44 	const u8 *addr[2];
45 	size_t len[2];
46 
47 	/* RFC 4306, Sect. 2.14 */
48 
49 	integ = ikev2_get_integ(data->proposal.integ);
50 	prf = ikev2_get_prf(data->proposal.prf);
51 	encr = ikev2_get_encr(data->proposal.encr);
52 	if (integ == NULL || prf == NULL || encr == NULL) {
53 		wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
54 		return -1;
55 	}
56 
57 	shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
58 				  data->dh);
59 	if (shared == NULL)
60 		return -1;
61 
62 	/* Construct Ni | Nr | SPIi | SPIr */
63 
64 	buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
65 	buf = os_malloc(buf_len);
66 	if (buf == NULL) {
67 		wpabuf_free(shared);
68 		return -1;
69 	}
70 
71 	pos = buf;
72 	os_memcpy(pos, data->i_nonce, data->i_nonce_len);
73 	pos += data->i_nonce_len;
74 	os_memcpy(pos, data->r_nonce, data->r_nonce_len);
75 	pos += data->r_nonce_len;
76 	os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
77 	pos += IKEV2_SPI_LEN;
78 	os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
79 
80 	/* SKEYSEED = prf(Ni | Nr, g^ir) */
81 
82 	/* Use zero-padding per RFC 4306, Sect. 2.14 */
83 	pad_len = data->dh->prime_len - wpabuf_len(shared);
84 	pad = os_zalloc(pad_len ? pad_len : 1);
85 	if (pad == NULL) {
86 		wpabuf_free(shared);
87 		os_free(buf);
88 		return -1;
89 	}
90 	addr[0] = pad;
91 	len[0] = pad_len;
92 	addr[1] = wpabuf_head(shared);
93 	len[1] = wpabuf_len(shared);
94 	if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
95 			   2, addr, len, skeyseed) < 0) {
96 		wpabuf_free(shared);
97 		os_free(buf);
98 		os_free(pad);
99 		return -1;
100 	}
101 	os_free(pad);
102 	wpabuf_free(shared);
103 
104 	/* DH parameters are not needed anymore, so free them */
105 	wpabuf_free(data->r_dh_public);
106 	data->r_dh_public = NULL;
107 	wpabuf_free(data->i_dh_private);
108 	data->i_dh_private = NULL;
109 
110 	wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
111 			skeyseed, prf->hash_len);
112 
113 	ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
114 				   &data->keys);
115 	os_free(buf);
116 	return ret;
117 }
118 
119 
120 static int ikev2_parse_transform(struct ikev2_initiator_data *data,
121 				 struct ikev2_proposal_data *prop,
122 				 const u8 *pos, const u8 *end)
123 {
124 	int transform_len;
125 	const struct ikev2_transform *t;
126 	u16 transform_id;
127 	const u8 *tend;
128 
129 	if (end - pos < (int) sizeof(*t)) {
130 		wpa_printf(MSG_INFO, "IKEV2: Too short transform");
131 		return -1;
132 	}
133 
134 	t = (const struct ikev2_transform *) pos;
135 	transform_len = WPA_GET_BE16(t->transform_length);
136 	if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
137 		wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
138 			   transform_len);
139 		return -1;
140 	}
141 	tend = pos + transform_len;
142 
143 	transform_id = WPA_GET_BE16(t->transform_id);
144 
145 	wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
146 	wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
147 		   "Transform Type: %d  Transform ID: %d",
148 		   t->type, transform_len, t->transform_type, transform_id);
149 
150 	if (t->type != 0 && t->type != 3) {
151 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
152 		return -1;
153 	}
154 
155 	pos = (const u8 *) (t + 1);
156 	if (pos < tend) {
157 		wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
158 			    pos, tend - pos);
159 	}
160 
161 	switch (t->transform_type) {
162 	case IKEV2_TRANSFORM_ENCR:
163 		if (ikev2_get_encr(transform_id) &&
164 		    transform_id == data->proposal.encr) {
165 			if (transform_id == ENCR_AES_CBC) {
166 				if (tend - pos != 4) {
167 					wpa_printf(MSG_DEBUG, "IKEV2: No "
168 						   "Transform Attr for AES");
169 					break;
170 				}
171 				if (WPA_GET_BE16(pos) != 0x800e) {
172 					wpa_printf(MSG_DEBUG, "IKEV2: Not a "
173 						   "Key Size attribute for "
174 						   "AES");
175 					break;
176 				}
177 				if (WPA_GET_BE16(pos + 2) != 128) {
178 					wpa_printf(MSG_DEBUG, "IKEV2: "
179 						   "Unsupported AES key size "
180 						   "%d bits",
181 						   WPA_GET_BE16(pos + 2));
182 					break;
183 				}
184 			}
185 			prop->encr = transform_id;
186 		}
187 		break;
188 	case IKEV2_TRANSFORM_PRF:
189 		if (ikev2_get_prf(transform_id) &&
190 		    transform_id == data->proposal.prf)
191 			prop->prf = transform_id;
192 		break;
193 	case IKEV2_TRANSFORM_INTEG:
194 		if (ikev2_get_integ(transform_id) &&
195 		    transform_id == data->proposal.integ)
196 			prop->integ = transform_id;
197 		break;
198 	case IKEV2_TRANSFORM_DH:
199 		if (dh_groups_get(transform_id) &&
200 		    transform_id == data->proposal.dh)
201 			prop->dh = transform_id;
202 		break;
203 	}
204 
205 	return transform_len;
206 }
207 
208 
209 static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
210 				struct ikev2_proposal_data *prop,
211 				const u8 *pos, const u8 *end)
212 {
213 	const u8 *pend, *ppos;
214 	int proposal_len, i;
215 	const struct ikev2_proposal *p;
216 
217 	if (end - pos < (int) sizeof(*p)) {
218 		wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
219 		return -1;
220 	}
221 
222 	p = (const struct ikev2_proposal *) pos;
223 	proposal_len = WPA_GET_BE16(p->proposal_length);
224 	if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
225 		wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
226 			   proposal_len);
227 		return -1;
228 	}
229 	wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
230 		   p->proposal_num);
231 	wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
232 		   " Protocol ID: %d",
233 		   p->type, proposal_len, p->protocol_id);
234 	wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
235 		   p->spi_size, p->num_transforms);
236 
237 	if (p->type != 0 && p->type != 2) {
238 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
239 		return -1;
240 	}
241 
242 	if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
243 		wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
244 			   "(only IKE allowed for EAP-IKEv2)");
245 		return -1;
246 	}
247 
248 	if (p->proposal_num != prop->proposal_num) {
249 		if (p->proposal_num == prop->proposal_num + 1)
250 			prop->proposal_num = p->proposal_num;
251 		else {
252 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
253 			return -1;
254 		}
255 	}
256 
257 	ppos = (const u8 *) (p + 1);
258 	pend = pos + proposal_len;
259 	if (ppos + p->spi_size > pend) {
260 		wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
261 			   "in proposal");
262 		return -1;
263 	}
264 	if (p->spi_size) {
265 		wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
266 			    ppos, p->spi_size);
267 		ppos += p->spi_size;
268 	}
269 
270 	/*
271 	 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
272 	 * subsequent negotiations, it must be 8 for IKE. We only support
273 	 * initial case for now.
274 	 */
275 	if (p->spi_size != 0) {
276 		wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
277 		return -1;
278 	}
279 
280 	if (p->num_transforms == 0) {
281 		wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
282 		return -1;
283 	}
284 
285 	for (i = 0; i < (int) p->num_transforms; i++) {
286 		int tlen = ikev2_parse_transform(data, prop, ppos, pend);
287 		if (tlen < 0)
288 			return -1;
289 		ppos += tlen;
290 	}
291 
292 	if (ppos != pend) {
293 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
294 			   "transforms");
295 		return -1;
296 	}
297 
298 	return proposal_len;
299 }
300 
301 
302 static int ikev2_process_sar1(struct ikev2_initiator_data *data,
303 			      const u8 *sar1, size_t sar1_len)
304 {
305 	struct ikev2_proposal_data prop;
306 	const u8 *pos, *end;
307 	int found = 0;
308 
309 	/* Security Association Payloads: <Proposals> */
310 
311 	if (sar1 == NULL) {
312 		wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
313 		return -1;
314 	}
315 
316 	os_memset(&prop, 0, sizeof(prop));
317 	prop.proposal_num = 1;
318 
319 	pos = sar1;
320 	end = sar1 + sar1_len;
321 
322 	while (pos < end) {
323 		int plen;
324 
325 		prop.integ = -1;
326 		prop.prf = -1;
327 		prop.encr = -1;
328 		prop.dh = -1;
329 		plen = ikev2_parse_proposal(data, &prop, pos, end);
330 		if (plen < 0)
331 			return -1;
332 
333 		if (!found && prop.integ != -1 && prop.prf != -1 &&
334 		    prop.encr != -1 && prop.dh != -1) {
335 			found = 1;
336 		}
337 
338 		pos += plen;
339 
340 		/* Only one proposal expected in SAr */
341 		break;
342 	}
343 
344 	if (pos != end) {
345 		wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
346 		return -1;
347 	}
348 
349 	if (!found) {
350 		wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
351 		return -1;
352 	}
353 
354 	wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
355 		   "INTEG:%d D-H:%d", data->proposal.proposal_num,
356 		   data->proposal.encr, data->proposal.prf,
357 		   data->proposal.integ, data->proposal.dh);
358 
359 	return 0;
360 }
361 
362 
363 static int ikev2_process_ker(struct ikev2_initiator_data *data,
364 			     const u8 *ker, size_t ker_len)
365 {
366 	u16 group;
367 
368 	/*
369 	 * Key Exchange Payload:
370 	 * DH Group # (16 bits)
371 	 * RESERVED (16 bits)
372 	 * Key Exchange Data (Diffie-Hellman public value)
373 	 */
374 
375 	if (ker == NULL) {
376 		wpa_printf(MSG_INFO, "IKEV2: KEr not received");
377 		return -1;
378 	}
379 
380 	if (ker_len < 4 + 96) {
381 		wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
382 		return -1;
383 	}
384 
385 	group = WPA_GET_BE16(ker);
386 	wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
387 
388 	if (group != data->proposal.dh) {
389 		wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
390 			   "with the selected proposal (%u)",
391 			   group, data->proposal.dh);
392 		return -1;
393 	}
394 
395 	if (data->dh == NULL) {
396 		wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
397 		return -1;
398 	}
399 
400 	/* RFC 4306, Section 3.4:
401 	 * The length of DH public value MUST be equal to the length of the
402 	 * prime modulus.
403 	 */
404 	if (ker_len - 4 != data->dh->prime_len) {
405 		wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
406 			   "%ld (expected %ld)",
407 			   (long) (ker_len - 4), (long) data->dh->prime_len);
408 		return -1;
409 	}
410 
411 	wpabuf_free(data->r_dh_public);
412 	data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
413 	if (data->r_dh_public == NULL)
414 		return -1;
415 
416 	wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
417 			data->r_dh_public);
418 
419 	return 0;
420 }
421 
422 
423 static int ikev2_process_nr(struct ikev2_initiator_data *data,
424 			    const u8 *nr, size_t nr_len)
425 {
426 	if (nr == NULL) {
427 		wpa_printf(MSG_INFO, "IKEV2: Nr not received");
428 		return -1;
429 	}
430 
431 	if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
432 		wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
433 			   (long) nr_len);
434 		return -1;
435 	}
436 
437 	data->r_nonce_len = nr_len;
438 	os_memcpy(data->r_nonce, nr, nr_len);
439 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
440 		    data->r_nonce, data->r_nonce_len);
441 
442 	return 0;
443 }
444 
445 
446 static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
447 				      const struct ikev2_hdr *hdr,
448 				      const u8 *encrypted,
449 				      size_t encrypted_len, u8 next_payload)
450 {
451 	u8 *decrypted;
452 	size_t decrypted_len;
453 	struct ikev2_payloads pl;
454 	int ret = 0;
455 
456 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
457 					  data->proposal.integ, &data->keys, 0,
458 					  hdr, encrypted, encrypted_len,
459 					  &decrypted_len);
460 	if (decrypted == NULL)
461 		return -1;
462 
463 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
464 
465 	if (ikev2_parse_payloads(&pl, next_payload, decrypted,
466 				 decrypted + decrypted_len) < 0) {
467 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
468 			   "payloads");
469 		return -1;
470 	}
471 
472 	if (pl.idr)
473 		ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
474 
475 	os_free(decrypted);
476 
477 	return ret;
478 }
479 
480 
481 static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
482 				 const struct ikev2_hdr *hdr,
483 				 struct ikev2_payloads *pl)
484 {
485 	if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
486 	    ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
487 	    ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
488 		return -1;
489 
490 	os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
491 
492 	if (ikev2_derive_keys(data) < 0)
493 		return -1;
494 
495 	if (pl->encrypted) {
496 		wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
497 			   "try to get IDr from it");
498 		if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
499 					       pl->encrypted_len,
500 					       pl->encr_next_payload) < 0) {
501 			wpa_printf(MSG_INFO, "IKEV2: Failed to process "
502 				   "encrypted payload");
503 			return -1;
504 		}
505 	}
506 
507 	data->state = SA_AUTH;
508 
509 	return 0;
510 }
511 
512 
513 static int ikev2_process_idr(struct ikev2_initiator_data *data,
514 			     const u8 *idr, size_t idr_len)
515 {
516 	u8 id_type;
517 
518 	if (idr == NULL) {
519 		wpa_printf(MSG_INFO, "IKEV2: No IDr received");
520 		return -1;
521 	}
522 
523 	if (idr_len < 4) {
524 		wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
525 		return -1;
526 	}
527 
528 	id_type = idr[0];
529 	idr += 4;
530 	idr_len -= 4;
531 
532 	wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
533 	wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
534 	if (data->IDr) {
535 		if (id_type != data->IDr_type || idr_len != data->IDr_len ||
536 		    os_memcmp(idr, data->IDr, idr_len) != 0) {
537 			wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
538 				   "received earlier");
539 			wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
540 				   id_type);
541 			wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
542 					  data->IDr, data->IDr_len);
543 			return -1;
544 		}
545 		os_free(data->IDr);
546 	}
547 	data->IDr = os_malloc(idr_len);
548 	if (data->IDr == NULL)
549 		return -1;
550 	os_memcpy(data->IDr, idr, idr_len);
551 	data->IDr_len = idr_len;
552 	data->IDr_type = id_type;
553 
554 	return 0;
555 }
556 
557 
558 static int ikev2_process_cert(struct ikev2_initiator_data *data,
559 			      const u8 *cert, size_t cert_len)
560 {
561 	u8 cert_encoding;
562 
563 	if (cert == NULL) {
564 		if (data->peer_auth == PEER_AUTH_CERT) {
565 			wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
566 			return -1;
567 		}
568 		return 0;
569 	}
570 
571 	if (cert_len < 1) {
572 		wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
573 		return -1;
574 	}
575 
576 	cert_encoding = cert[0];
577 	cert++;
578 	cert_len--;
579 
580 	wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
581 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
582 
583 	/* TODO: validate certificate */
584 
585 	return 0;
586 }
587 
588 
589 static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
590 				   u8 method, const u8 *auth, size_t auth_len)
591 {
592 	if (method != AUTH_RSA_SIGN) {
593 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
594 			   "method %d", method);
595 		return -1;
596 	}
597 
598 	/* TODO: validate AUTH */
599 	return 0;
600 }
601 
602 
603 static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
604 				     u8 method, const u8 *auth,
605 				     size_t auth_len)
606 {
607 	u8 auth_data[IKEV2_MAX_HASH_LEN];
608 	const struct ikev2_prf_alg *prf;
609 
610 	if (method != AUTH_SHARED_KEY_MIC) {
611 		wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
612 			   "method %d", method);
613 		return -1;
614 	}
615 
616 	/* msg | Ni | prf(SK_pr,IDr') */
617 	if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
618 				   data->IDr, data->IDr_len, data->IDr_type,
619 				   &data->keys, 0, data->shared_secret,
620 				   data->shared_secret_len,
621 				   data->i_nonce, data->i_nonce_len,
622 				   data->key_pad, data->key_pad_len,
623 				   auth_data) < 0) {
624 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
625 		return -1;
626 	}
627 
628 	wpabuf_free(data->r_sign_msg);
629 	data->r_sign_msg = NULL;
630 
631 	prf = ikev2_get_prf(data->proposal.prf);
632 	if (prf == NULL)
633 		return -1;
634 
635 	if (auth_len != prf->hash_len ||
636 	    os_memcmp_const(auth, auth_data, auth_len) != 0) {
637 		wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
638 		wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
639 			    auth, auth_len);
640 		wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
641 			    auth_data, prf->hash_len);
642 		return -1;
643 	}
644 
645 	wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
646 		   "using shared keys");
647 
648 	return 0;
649 }
650 
651 
652 static int ikev2_process_auth(struct ikev2_initiator_data *data,
653 			      const u8 *auth, size_t auth_len)
654 {
655 	u8 auth_method;
656 
657 	if (auth == NULL) {
658 		wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
659 		return -1;
660 	}
661 
662 	if (auth_len < 4) {
663 		wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
664 			   "Payload");
665 		return -1;
666 	}
667 
668 	auth_method = auth[0];
669 	auth += 4;
670 	auth_len -= 4;
671 
672 	wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
673 	wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
674 
675 	switch (data->peer_auth) {
676 	case PEER_AUTH_CERT:
677 		return ikev2_process_auth_cert(data, auth_method, auth,
678 					       auth_len);
679 	case PEER_AUTH_SECRET:
680 		return ikev2_process_auth_secret(data, auth_method, auth,
681 						 auth_len);
682 	}
683 
684 	return -1;
685 }
686 
687 
688 static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
689 					   u8 next_payload,
690 					   u8 *payload, size_t payload_len)
691 {
692 	struct ikev2_payloads pl;
693 
694 	wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
695 
696 	if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
697 				 payload_len) < 0) {
698 		wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
699 			   "payloads");
700 		return -1;
701 	}
702 
703 	if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
704 	    ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
705 	    ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
706 		return -1;
707 
708 	return 0;
709 }
710 
711 
712 static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
713 				 const struct ikev2_hdr *hdr,
714 				 struct ikev2_payloads *pl)
715 {
716 	u8 *decrypted;
717 	size_t decrypted_len;
718 	int ret;
719 
720 	decrypted = ikev2_decrypt_payload(data->proposal.encr,
721 					  data->proposal.integ,
722 					  &data->keys, 0, hdr, pl->encrypted,
723 					  pl->encrypted_len, &decrypted_len);
724 	if (decrypted == NULL)
725 		return -1;
726 
727 	ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
728 					      decrypted, decrypted_len);
729 	os_free(decrypted);
730 
731 	if (ret == 0 && !data->unknown_user) {
732 		wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
733 		data->state = IKEV2_DONE;
734 	}
735 
736 	return ret;
737 }
738 
739 
740 static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
741 				   u8 exchange_type, u32 message_id)
742 {
743 	switch (data->state) {
744 	case SA_INIT:
745 		/* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
746 		 * [SK{IDr}] */
747 		if (exchange_type != IKE_SA_INIT) {
748 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
749 				   "%u in SA_INIT state", exchange_type);
750 			return -1;
751 		}
752 		if (message_id != 0) {
753 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
754 				   "in SA_INIT state", message_id);
755 			return -1;
756 		}
757 		break;
758 	case SA_AUTH:
759 		/* Expect to receive IKE_SA_AUTH:
760 		 * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
761 		 */
762 		if (exchange_type != IKE_SA_AUTH) {
763 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
764 				   "%u in SA_AUTH state", exchange_type);
765 			return -1;
766 		}
767 		if (message_id != 1) {
768 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
769 				   "in SA_AUTH state", message_id);
770 			return -1;
771 		}
772 		break;
773 	case CHILD_SA:
774 		if (exchange_type != CREATE_CHILD_SA) {
775 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
776 				   "%u in CHILD_SA state", exchange_type);
777 			return -1;
778 		}
779 		if (message_id != 2) {
780 			wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
781 				   "in CHILD_SA state", message_id);
782 			return -1;
783 		}
784 		break;
785 	case IKEV2_DONE:
786 		return -1;
787 	}
788 
789 	return 0;
790 }
791 
792 
793 int ikev2_initiator_process(struct ikev2_initiator_data *data,
794 			    const struct wpabuf *buf)
795 {
796 	const struct ikev2_hdr *hdr;
797 	u32 length, message_id;
798 	const u8 *pos, *end;
799 	struct ikev2_payloads pl;
800 
801 	wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
802 		   (unsigned long) wpabuf_len(buf));
803 
804 	if (wpabuf_len(buf) < sizeof(*hdr)) {
805 		wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
806 		return -1;
807 	}
808 
809 	hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
810 	end = wpabuf_head_u8(buf) + wpabuf_len(buf);
811 	message_id = WPA_GET_BE32(hdr->message_id);
812 	length = WPA_GET_BE32(hdr->length);
813 
814 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
815 		    hdr->i_spi, IKEV2_SPI_LEN);
816 	wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
817 		    hdr->r_spi, IKEV2_SPI_LEN);
818 	wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
819 		   "Exchange Type: %u",
820 		   hdr->next_payload, hdr->version, hdr->exchange_type);
821 	wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
822 		   message_id, length);
823 
824 	if (hdr->version != IKEV2_VERSION) {
825 		wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
826 			   "(expected 0x%x)", hdr->version, IKEV2_VERSION);
827 		return -1;
828 	}
829 
830 	if (length != wpabuf_len(buf)) {
831 		wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
832 			   "RX: %lu)", (unsigned long) length,
833 			   (unsigned long) wpabuf_len(buf));
834 		return -1;
835 	}
836 
837 	if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
838 		return -1;
839 
840 	if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
841 	    IKEV2_HDR_RESPONSE) {
842 		wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
843 			   hdr->flags);
844 		return -1;
845 	}
846 
847 	if (data->state != SA_INIT) {
848 		if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
849 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
850 				   "Initiator's SPI");
851 			return -1;
852 		}
853 		if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
854 			wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
855 				   "Responder's SPI");
856 			return -1;
857 		}
858 	}
859 
860 	pos = (const u8 *) (hdr + 1);
861 	if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
862 		return -1;
863 
864 	switch (data->state) {
865 	case SA_INIT:
866 		if (ikev2_process_sa_init(data, hdr, &pl) < 0)
867 			return -1;
868 		wpabuf_free(data->r_sign_msg);
869 		data->r_sign_msg = wpabuf_dup(buf);
870 		break;
871 	case SA_AUTH:
872 		if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
873 			return -1;
874 		break;
875 	case CHILD_SA:
876 	case IKEV2_DONE:
877 		break;
878 	}
879 
880 	return 0;
881 }
882 
883 
884 static void ikev2_build_hdr(struct ikev2_initiator_data *data,
885 			    struct wpabuf *msg, u8 exchange_type,
886 			    u8 next_payload, u32 message_id)
887 {
888 	struct ikev2_hdr *hdr;
889 
890 	wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
891 
892 	/* HDR - RFC 4306, Sect. 3.1 */
893 	hdr = wpabuf_put(msg, sizeof(*hdr));
894 	os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
895 	os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
896 	hdr->next_payload = next_payload;
897 	hdr->version = IKEV2_VERSION;
898 	hdr->exchange_type = exchange_type;
899 	hdr->flags = IKEV2_HDR_INITIATOR;
900 	WPA_PUT_BE32(hdr->message_id, message_id);
901 }
902 
903 
904 static int ikev2_build_sai(struct ikev2_initiator_data *data,
905 			    struct wpabuf *msg, u8 next_payload)
906 {
907 	struct ikev2_payload_hdr *phdr;
908 	size_t plen;
909 	struct ikev2_proposal *p;
910 	struct ikev2_transform *t;
911 
912 	wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
913 
914 	/* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
915 	phdr = wpabuf_put(msg, sizeof(*phdr));
916 	phdr->next_payload = next_payload;
917 	phdr->flags = 0;
918 
919 	/* TODO: support for multiple proposals */
920 	p = wpabuf_put(msg, sizeof(*p));
921 	p->proposal_num = data->proposal.proposal_num;
922 	p->protocol_id = IKEV2_PROTOCOL_IKE;
923 	p->num_transforms = 4;
924 
925 	t = wpabuf_put(msg, sizeof(*t));
926 	t->type = 3;
927 	t->transform_type = IKEV2_TRANSFORM_ENCR;
928 	WPA_PUT_BE16(t->transform_id, data->proposal.encr);
929 	if (data->proposal.encr == ENCR_AES_CBC) {
930 		/* Transform Attribute: Key Len = 128 bits */
931 		wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
932 		wpabuf_put_be16(msg, 128); /* 128-bit key */
933 	}
934 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
935 	WPA_PUT_BE16(t->transform_length, plen);
936 
937 	t = wpabuf_put(msg, sizeof(*t));
938 	t->type = 3;
939 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
940 	t->transform_type = IKEV2_TRANSFORM_PRF;
941 	WPA_PUT_BE16(t->transform_id, data->proposal.prf);
942 
943 	t = wpabuf_put(msg, sizeof(*t));
944 	t->type = 3;
945 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
946 	t->transform_type = IKEV2_TRANSFORM_INTEG;
947 	WPA_PUT_BE16(t->transform_id, data->proposal.integ);
948 
949 	t = wpabuf_put(msg, sizeof(*t));
950 	WPA_PUT_BE16(t->transform_length, sizeof(*t));
951 	t->transform_type = IKEV2_TRANSFORM_DH;
952 	WPA_PUT_BE16(t->transform_id, data->proposal.dh);
953 
954 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
955 	WPA_PUT_BE16(p->proposal_length, plen);
956 
957 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
958 	WPA_PUT_BE16(phdr->payload_length, plen);
959 
960 	return 0;
961 }
962 
963 
964 static int ikev2_build_kei(struct ikev2_initiator_data *data,
965 			   struct wpabuf *msg, u8 next_payload)
966 {
967 	struct ikev2_payload_hdr *phdr;
968 	size_t plen;
969 	struct wpabuf *pv;
970 
971 	wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
972 
973 	data->dh = dh_groups_get(data->proposal.dh);
974 	pv = dh_init(data->dh, &data->i_dh_private);
975 	if (pv == NULL) {
976 		wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
977 		return -1;
978 	}
979 
980 	/* KEi - RFC 4306, Sect. 3.4 */
981 	phdr = wpabuf_put(msg, sizeof(*phdr));
982 	phdr->next_payload = next_payload;
983 	phdr->flags = 0;
984 
985 	wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
986 	wpabuf_put(msg, 2); /* RESERVED */
987 	/*
988 	 * RFC 4306, Sect. 3.4: possible zero padding for public value to
989 	 * match the length of the prime.
990 	 */
991 	wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
992 	wpabuf_put_buf(msg, pv);
993 	wpabuf_free(pv);
994 
995 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
996 	WPA_PUT_BE16(phdr->payload_length, plen);
997 	return 0;
998 }
999 
1000 
1001 static int ikev2_build_ni(struct ikev2_initiator_data *data,
1002 			  struct wpabuf *msg, u8 next_payload)
1003 {
1004 	struct ikev2_payload_hdr *phdr;
1005 	size_t plen;
1006 
1007 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
1008 
1009 	/* Ni - RFC 4306, Sect. 3.9 */
1010 	phdr = wpabuf_put(msg, sizeof(*phdr));
1011 	phdr->next_payload = next_payload;
1012 	phdr->flags = 0;
1013 	wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
1014 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1015 	WPA_PUT_BE16(phdr->payload_length, plen);
1016 	return 0;
1017 }
1018 
1019 
1020 static int ikev2_build_idi(struct ikev2_initiator_data *data,
1021 			   struct wpabuf *msg, u8 next_payload)
1022 {
1023 	struct ikev2_payload_hdr *phdr;
1024 	size_t plen;
1025 
1026 	wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
1027 
1028 	if (data->IDi == NULL) {
1029 		wpa_printf(MSG_INFO, "IKEV2: No IDi available");
1030 		return -1;
1031 	}
1032 
1033 	/* IDi - RFC 4306, Sect. 3.5 */
1034 	phdr = wpabuf_put(msg, sizeof(*phdr));
1035 	phdr->next_payload = next_payload;
1036 	phdr->flags = 0;
1037 	wpabuf_put_u8(msg, ID_KEY_ID);
1038 	wpabuf_put(msg, 3); /* RESERVED */
1039 	wpabuf_put_data(msg, data->IDi, data->IDi_len);
1040 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1041 	WPA_PUT_BE16(phdr->payload_length, plen);
1042 	return 0;
1043 }
1044 
1045 
1046 static int ikev2_build_auth(struct ikev2_initiator_data *data,
1047 			    struct wpabuf *msg, u8 next_payload)
1048 {
1049 	struct ikev2_payload_hdr *phdr;
1050 	size_t plen;
1051 	const struct ikev2_prf_alg *prf;
1052 
1053 	wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
1054 
1055 	prf = ikev2_get_prf(data->proposal.prf);
1056 	if (prf == NULL)
1057 		return -1;
1058 
1059 	/* Authentication - RFC 4306, Sect. 3.8 */
1060 	phdr = wpabuf_put(msg, sizeof(*phdr));
1061 	phdr->next_payload = next_payload;
1062 	phdr->flags = 0;
1063 	wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
1064 	wpabuf_put(msg, 3); /* RESERVED */
1065 
1066 	/* msg | Nr | prf(SK_pi,IDi') */
1067 	if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
1068 				   data->IDi, data->IDi_len, ID_KEY_ID,
1069 				   &data->keys, 1, data->shared_secret,
1070 				   data->shared_secret_len,
1071 				   data->r_nonce, data->r_nonce_len,
1072 				   data->key_pad, data->key_pad_len,
1073 				   wpabuf_put(msg, prf->hash_len)) < 0) {
1074 		wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1075 		return -1;
1076 	}
1077 	wpabuf_free(data->i_sign_msg);
1078 	data->i_sign_msg = NULL;
1079 
1080 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1081 	WPA_PUT_BE16(phdr->payload_length, plen);
1082 	return 0;
1083 }
1084 
1085 
1086 static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
1087 {
1088 	struct wpabuf *msg;
1089 
1090 	/* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
1091 
1092 	if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
1093 		return NULL;
1094 	wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
1095 		    data->i_spi, IKEV2_SPI_LEN);
1096 
1097 	data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
1098 	if (random_get_bytes(data->i_nonce, data->i_nonce_len))
1099 		return NULL;
1100 	wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
1101 
1102 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1103 	if (msg == NULL)
1104 		return NULL;
1105 
1106 	ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1107 	if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1108 	    ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
1109 	    ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1110 		wpabuf_free(msg);
1111 		return NULL;
1112 	}
1113 
1114 	ikev2_update_hdr(msg);
1115 
1116 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1117 
1118 	wpabuf_free(data->i_sign_msg);
1119 	data->i_sign_msg = wpabuf_dup(msg);
1120 
1121 	return msg;
1122 }
1123 
1124 
1125 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
1126 {
1127 	struct wpabuf *msg, *plain;
1128 	const u8 *secret;
1129 	size_t secret_len;
1130 
1131 	secret = data->get_shared_secret(data->cb_ctx, data->IDr,
1132 					 data->IDr_len, &secret_len);
1133 	if (secret == NULL) {
1134 		wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
1135 			   "use fake value");
1136 		/* RFC 5106, Sect. 7:
1137 		 * Use a random key to fake AUTH generation in order to prevent
1138 		 * probing of user identities.
1139 		 */
1140 		data->unknown_user = 1;
1141 		os_free(data->shared_secret);
1142 		data->shared_secret = os_malloc(16);
1143 		if (data->shared_secret == NULL)
1144 			return NULL;
1145 		data->shared_secret_len = 16;
1146 		if (random_get_bytes(data->shared_secret, 16))
1147 			return NULL;
1148 	} else {
1149 		os_free(data->shared_secret);
1150 		data->shared_secret = os_malloc(secret_len);
1151 		if (data->shared_secret == NULL)
1152 			return NULL;
1153 		os_memcpy(data->shared_secret, secret, secret_len);
1154 		data->shared_secret_len = secret_len;
1155 	}
1156 
1157 	/* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
1158 
1159 	msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1160 	if (msg == NULL)
1161 		return NULL;
1162 	ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1163 
1164 	plain = wpabuf_alloc(data->IDr_len + 1000);
1165 	if (plain == NULL) {
1166 		wpabuf_free(msg);
1167 		return NULL;
1168 	}
1169 
1170 	if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1171 	    ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1172 	    ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1173 				  &data->keys, 1, msg, plain,
1174 				  IKEV2_PAYLOAD_IDi)) {
1175 		wpabuf_free(plain);
1176 		wpabuf_free(msg);
1177 		return NULL;
1178 	}
1179 	wpabuf_free(plain);
1180 
1181 	wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1182 
1183 	return msg;
1184 }
1185 
1186 
1187 struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
1188 {
1189 	switch (data->state) {
1190 	case SA_INIT:
1191 		return ikev2_build_sa_init(data);
1192 	case SA_AUTH:
1193 		return ikev2_build_sa_auth(data);
1194 	case CHILD_SA:
1195 		return NULL;
1196 	case IKEV2_DONE:
1197 		return NULL;
1198 	}
1199 	return NULL;
1200 }
1201