2 * IKEv2 common routines for initiator and responder
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "crypto/random.h"
16 #include "ikev2_common.h"
19 static struct ikev2_integ_alg ikev2_integ_algs[] = {
20 { AUTH_HMAC_SHA1_96, 20, 12 },
21 { AUTH_HMAC_MD5_96, 16, 12 }
24 #define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs)
27 static struct ikev2_prf_alg ikev2_prf_algs[] = {
28 { PRF_HMAC_SHA1, 20, 20 },
29 { PRF_HMAC_MD5, 16, 16 }
32 #define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs)
35 static struct ikev2_encr_alg ikev2_encr_algs[] = {
36 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
40 #define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs)
43 const struct ikev2_integ_alg * ikev2_get_integ(int id)
47 for (i = 0; i < NUM_INTEG_ALGS; i++) {
48 if (ikev2_integ_algs[i].id == id)
49 return &ikev2_integ_algs[i];
56 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
57 size_t data_len, u8 *hash)
59 u8 tmphash[IKEV2_MAX_HASH_LEN];
62 case AUTH_HMAC_SHA1_96:
65 hmac_sha1(key, key_len, data, data_len, tmphash);
66 os_memcpy(hash, tmphash, 12);
68 case AUTH_HMAC_MD5_96:
71 hmac_md5(key, key_len, data, data_len, tmphash);
72 os_memcpy(hash, tmphash, 12);
82 const struct ikev2_prf_alg * ikev2_get_prf(int id)
86 for (i = 0; i < NUM_PRF_ALGS; i++) {
87 if (ikev2_prf_algs[i].id == id)
88 return &ikev2_prf_algs[i];
95 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
96 size_t num_elem, const u8 *addr[], const size_t *len,
101 hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
104 hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
114 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
115 const u8 *data, size_t data_len,
116 u8 *out, size_t out_len)
118 u8 hash[IKEV2_MAX_HASH_LEN];
123 const struct ikev2_prf_alg *prf;
126 prf = ikev2_get_prf(alg);
129 hash_len = prf->hash_len;
144 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
147 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
152 if ((int) clen > end - pos)
154 os_memcpy(pos, hash, clen);
163 const struct ikev2_encr_alg * ikev2_get_encr(int id)
167 for (i = 0; i < NUM_ENCR_ALGS; i++) {
168 if (ikev2_encr_algs[i].id == id)
169 return &ikev2_encr_algs[i];
176 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
177 const u8 *plain, u8 *crypt, size_t len)
179 struct crypto_cipher *cipher;
184 encr_alg = CRYPTO_CIPHER_ALG_3DES;
187 encr_alg = CRYPTO_CIPHER_ALG_AES;
190 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
194 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
195 if (cipher == NULL) {
196 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
200 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
201 wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
202 crypto_cipher_deinit(cipher);
205 crypto_cipher_deinit(cipher);
211 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
212 const u8 *crypt, u8 *plain, size_t len)
214 struct crypto_cipher *cipher;
219 encr_alg = CRYPTO_CIPHER_ALG_3DES;
222 encr_alg = CRYPTO_CIPHER_ALG_AES;
225 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
229 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
230 if (cipher == NULL) {
231 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
235 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
236 wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
237 crypto_cipher_deinit(cipher);
240 crypto_cipher_deinit(cipher);
246 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
247 u8 next_payload, const u8 *pos, const u8 *end)
249 const struct ikev2_payload_hdr *phdr;
251 os_memset(payloads, 0, sizeof(*payloads));
253 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
254 unsigned int plen, pdatalen;
256 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
258 if (end - pos < (int) sizeof(*phdr)) {
259 wpa_printf(MSG_INFO, "IKEV2: Too short message for "
260 "payload header (left=%ld)",
264 phdr = (const struct ikev2_payload_hdr *) pos;
265 plen = WPA_GET_BE16(phdr->payload_length);
266 if (plen < sizeof(*phdr) || pos + plen > end) {
267 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
272 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x"
273 " Payload Length: %u",
274 phdr->next_payload, phdr->flags, plen);
276 pdata = (const u8 *) (phdr + 1);
277 pdatalen = plen - sizeof(*phdr);
279 switch (next_payload) {
280 case IKEV2_PAYLOAD_SA:
281 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security "
283 payloads->sa = pdata;
284 payloads->sa_len = pdatalen;
286 case IKEV2_PAYLOAD_KEY_EXCHANGE:
287 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key "
289 payloads->ke = pdata;
290 payloads->ke_len = pdatalen;
292 case IKEV2_PAYLOAD_IDi:
293 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi");
294 payloads->idi = pdata;
295 payloads->idi_len = pdatalen;
297 case IKEV2_PAYLOAD_IDr:
298 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr");
299 payloads->idr = pdata;
300 payloads->idr_len = pdatalen;
302 case IKEV2_PAYLOAD_CERTIFICATE:
303 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate");
304 payloads->cert = pdata;
305 payloads->cert_len = pdatalen;
307 case IKEV2_PAYLOAD_AUTHENTICATION:
308 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
310 payloads->auth = pdata;
311 payloads->auth_len = pdatalen;
313 case IKEV2_PAYLOAD_NONCE:
314 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce");
315 payloads->nonce = pdata;
316 payloads->nonce_len = pdatalen;
318 case IKEV2_PAYLOAD_ENCRYPTED:
319 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted");
320 payloads->encrypted = pdata;
321 payloads->encrypted_len = pdatalen;
323 case IKEV2_PAYLOAD_NOTIFICATION:
324 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
326 payloads->notification = pdata;
327 payloads->notification_len = pdatalen;
330 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
331 wpa_printf(MSG_INFO, "IKEV2: Unsupported "
332 "critical payload %u - reject the "
333 "entire message", next_payload);
336 wpa_printf(MSG_DEBUG, "IKEV2: Skipped "
337 "unsupported payload %u",
342 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
345 * Next Payload in the case of Encrypted Payload is
346 * actually the payload type for the first embedded
349 payloads->encr_next_payload = phdr->next_payload;
350 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
352 next_payload = phdr->next_payload;
358 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
367 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
368 const u8 *ID, size_t ID_len, u8 ID_type,
369 struct ikev2_keys *keys, int initiator,
370 const u8 *shared_secret, size_t shared_secret_len,
371 const u8 *nonce, size_t nonce_len,
372 const u8 *key_pad, size_t key_pad_len,
375 size_t sign_len, buf_len;
376 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
377 const struct ikev2_prf_alg *prf;
378 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
380 prf = ikev2_get_prf(prf_alg);
381 if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
382 shared_secret == NULL || nonce == NULL || prf == NULL)
385 /* prf(SK_pi/r,IDi/r') */
386 buf_len = 4 + ID_len;
387 buf = os_zalloc(buf_len);
391 os_memcpy(buf + 4, ID, ID_len);
392 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
393 1, (const u8 **) &buf, &buf_len, hash) < 0) {
399 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
400 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
401 sign_data = os_malloc(sign_len);
402 if (sign_data == NULL)
405 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
406 pos += wpabuf_len(sign_msg);
407 os_memcpy(pos, nonce, nonce_len);
409 os_memcpy(pos, hash, prf->hash_len);
411 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
412 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
413 &key_pad, &key_pad_len, hash) < 0 ||
414 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
415 (const u8 **) &sign_data, &sign_len, auth_data) < 0)
426 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
427 struct ikev2_keys *keys, int initiator,
428 const struct ikev2_hdr *hdr,
429 const u8 *encrypted, size_t encrypted_len,
433 const u8 *pos, *end, *iv, *integ;
434 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
435 size_t decrypted_len, pad_len;
436 const struct ikev2_integ_alg *integ_alg;
437 const struct ikev2_encr_alg *encr_alg;
438 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
439 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
441 if (encrypted == NULL) {
442 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
446 encr_alg = ikev2_get_encr(encr_id);
447 if (encr_alg == NULL) {
448 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
451 iv_len = encr_alg->block_size;
453 integ_alg = ikev2_get_integ(integ_id);
454 if (integ_alg == NULL) {
455 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
459 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
460 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
467 end = encrypted + encrypted_len;
468 integ = end - integ_alg->hash_len;
471 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
474 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
476 integ - (const u8 *) hdr, hash) < 0) {
477 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
481 if (os_memcmp_const(integ, hash, integ_alg->hash_len) != 0) {
482 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
488 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
492 decrypted_len = integ - pos;
493 decrypted = os_malloc(decrypted_len);
494 if (decrypted == NULL)
497 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
498 decrypted, decrypted_len) < 0) {
503 pad_len = decrypted[decrypted_len - 1];
504 if (decrypted_len < pad_len + 1) {
505 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
511 decrypted_len -= pad_len + 1;
513 *res_len = decrypted_len;
518 void ikev2_update_hdr(struct wpabuf *msg)
520 struct ikev2_hdr *hdr;
522 /* Update lenth field in HDR */
523 hdr = wpabuf_mhead(msg);
524 WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
528 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
529 int initiator, struct wpabuf *msg,
530 struct wpabuf *plain, u8 next_payload)
532 struct ikev2_payload_hdr *phdr;
534 size_t iv_len, pad_len;
536 const struct ikev2_integ_alg *integ_alg;
537 const struct ikev2_encr_alg *encr_alg;
538 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
539 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
541 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
543 /* Encr - RFC 4306, Sect. 3.14 */
545 encr_alg = ikev2_get_encr(encr_id);
546 if (encr_alg == NULL) {
547 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
550 iv_len = encr_alg->block_size;
552 integ_alg = ikev2_get_integ(integ_id);
553 if (integ_alg == NULL) {
554 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
559 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
564 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
568 phdr = wpabuf_put(msg, sizeof(*phdr));
569 phdr->next_payload = next_payload;
572 iv = wpabuf_put(msg, iv_len);
573 if (random_get_bytes(iv, iv_len)) {
574 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
578 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
579 if (pad_len == iv_len)
581 wpabuf_put(plain, pad_len);
582 wpabuf_put_u8(plain, pad_len);
584 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
585 wpabuf_head(plain), wpabuf_mhead(plain),
586 wpabuf_len(plain)) < 0)
589 wpabuf_put_buf(msg, plain);
591 /* Need to update all headers (Length fields) prior to hash func */
592 icv = wpabuf_put(msg, integ_alg->hash_len);
593 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
594 WPA_PUT_BE16(phdr->payload_length, plen);
596 ikev2_update_hdr(msg);
598 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
600 wpabuf_len(msg) - integ_alg->hash_len, icv);
606 int ikev2_keys_set(struct ikev2_keys *keys)
608 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
609 keys->SK_er && keys->SK_pi && keys->SK_pr;
613 void ikev2_free_keys(struct ikev2_keys *keys)
616 os_free(keys->SK_ai);
617 os_free(keys->SK_ar);
618 os_free(keys->SK_ei);
619 os_free(keys->SK_er);
620 os_free(keys->SK_pi);
621 os_free(keys->SK_pr);
622 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
623 keys->SK_pi = keys->SK_pr = NULL;
627 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
628 const struct ikev2_integ_alg *integ,
629 const struct ikev2_encr_alg *encr,
630 const u8 *skeyseed, const u8 *data, size_t data_len,
631 struct ikev2_keys *keys)
637 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
638 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
640 ikev2_free_keys(keys);
641 keys->SK_d_len = prf->key_len;
642 keys->SK_integ_len = integ->key_len;
643 keys->SK_encr_len = encr->key_len;
644 keys->SK_prf_len = prf->key_len;
646 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
647 2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
648 keybuf = os_malloc(keybuf_len);
652 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
653 data, data_len, keybuf, keybuf_len)) {
660 keys->SK_d = os_malloc(keys->SK_d_len);
662 os_memcpy(keys->SK_d, pos, keys->SK_d_len);
663 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
664 keys->SK_d, keys->SK_d_len);
666 pos += keys->SK_d_len;
668 keys->SK_ai = os_malloc(keys->SK_integ_len);
670 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
671 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
672 keys->SK_ai, keys->SK_integ_len);
674 pos += keys->SK_integ_len;
676 keys->SK_ar = os_malloc(keys->SK_integ_len);
678 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
679 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
680 keys->SK_ar, keys->SK_integ_len);
682 pos += keys->SK_integ_len;
684 keys->SK_ei = os_malloc(keys->SK_encr_len);
686 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
687 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
688 keys->SK_ei, keys->SK_encr_len);
690 pos += keys->SK_encr_len;
692 keys->SK_er = os_malloc(keys->SK_encr_len);
694 os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
695 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
696 keys->SK_er, keys->SK_encr_len);
698 pos += keys->SK_encr_len;
700 keys->SK_pi = os_malloc(keys->SK_prf_len);
702 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
703 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
704 keys->SK_pi, keys->SK_prf_len);
706 pos += keys->SK_prf_len;
708 keys->SK_pr = os_malloc(keys->SK_prf_len);
710 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
711 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
712 keys->SK_pr, keys->SK_prf_len);
717 if (!ikev2_keys_set(keys)) {
718 ikev2_free_keys(keys);