+++ /dev/null
-/*
- * IKEv2 responder (RFC 4306) for EAP-IKEV2
- * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- * Alternatively, this software may be distributed under the terms of BSD
- * license.
- *
- * See README and COPYING for more details.
- */
-
-#include "includes.h"
-
-#include "common.h"
-#include "crypto/dh_groups.h"
-#include "ikev2.h"
-
-
-void ikev2_responder_deinit(struct ikev2_responder_data *data)
-{
- ikev2_free_keys(&data->keys);
- wpabuf_free(data->i_dh_public);
- wpabuf_free(data->r_dh_private);
- os_free(data->IDi);
- os_free(data->IDr);
- os_free(data->shared_secret);
- wpabuf_free(data->i_sign_msg);
- wpabuf_free(data->r_sign_msg);
- os_free(data->key_pad);
-}
-
-
-static int ikev2_derive_keys(struct ikev2_responder_data *data)
-{
- u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
- size_t buf_len, pad_len;
- struct wpabuf *shared;
- const struct ikev2_integ_alg *integ;
- const struct ikev2_prf_alg *prf;
- const struct ikev2_encr_alg *encr;
- int ret;
- const u8 *addr[2];
- size_t len[2];
-
- /* RFC 4306, Sect. 2.14 */
-
- integ = ikev2_get_integ(data->proposal.integ);
- prf = ikev2_get_prf(data->proposal.prf);
- encr = ikev2_get_encr(data->proposal.encr);
- if (integ == NULL || prf == NULL || encr == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
- return -1;
- }
-
- shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
- data->dh);
- if (shared == NULL)
- return -1;
-
- /* Construct Ni | Nr | SPIi | SPIr */
-
- buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
- buf = os_malloc(buf_len);
- if (buf == NULL) {
- wpabuf_free(shared);
- return -1;
- }
-
- pos = buf;
- os_memcpy(pos, data->i_nonce, data->i_nonce_len);
- pos += data->i_nonce_len;
- os_memcpy(pos, data->r_nonce, data->r_nonce_len);
- pos += data->r_nonce_len;
- os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
- pos += IKEV2_SPI_LEN;
- os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
-#ifdef CCNS_PL
-#if __BYTE_ORDER == __LITTLE_ENDIAN
- {
- int i;
- u8 *tmp = pos - IKEV2_SPI_LEN;
- /* Incorrect byte re-ordering on little endian hosts.. */
- for (i = 0; i < IKEV2_SPI_LEN; i++)
- *tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
- for (i = 0; i < IKEV2_SPI_LEN; i++)
- *tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
- }
-#endif
-#endif /* CCNS_PL */
-
- /* SKEYSEED = prf(Ni | Nr, g^ir) */
- /* Use zero-padding per RFC 4306, Sect. 2.14 */
- pad_len = data->dh->prime_len - wpabuf_len(shared);
-#ifdef CCNS_PL
- /* Shared secret is not zero-padded correctly */
- pad_len = 0;
-#endif /* CCNS_PL */
- pad = os_zalloc(pad_len ? pad_len : 1);
- if (pad == NULL) {
- wpabuf_free(shared);
- os_free(buf);
- return -1;
- }
-
- addr[0] = pad;
- len[0] = pad_len;
- addr[1] = wpabuf_head(shared);
- len[1] = wpabuf_len(shared);
- if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
- 2, addr, len, skeyseed) < 0) {
- wpabuf_free(shared);
- os_free(buf);
- os_free(pad);
- return -1;
- }
- os_free(pad);
- wpabuf_free(shared);
-
- /* DH parameters are not needed anymore, so free them */
- wpabuf_free(data->i_dh_public);
- data->i_dh_public = NULL;
- wpabuf_free(data->r_dh_private);
- data->r_dh_private = NULL;
-
- wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
- skeyseed, prf->hash_len);
-
- ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
- &data->keys);
- os_free(buf);
- return ret;
-}
-
-
-static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
- const u8 *pos, const u8 *end)
-{
- int transform_len;
- const struct ikev2_transform *t;
- u16 transform_id;
- const u8 *tend;
-
- if (end - pos < (int) sizeof(*t)) {
- wpa_printf(MSG_INFO, "IKEV2: Too short transform");
- return -1;
- }
-
- t = (const struct ikev2_transform *) pos;
- transform_len = WPA_GET_BE16(t->transform_length);
- if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
- wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
- transform_len);
- return -1;
- }
- tend = pos + transform_len;
-
- transform_id = WPA_GET_BE16(t->transform_id);
-
- wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
- wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
- "Transform Type: %d Transform ID: %d",
- t->type, transform_len, t->transform_type, transform_id);
-
- if (t->type != 0 && t->type != 3) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
- return -1;
- }
-
- pos = (const u8 *) (t + 1);
- if (pos < tend) {
- wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
- pos, tend - pos);
- }
-
- switch (t->transform_type) {
- case IKEV2_TRANSFORM_ENCR:
- if (ikev2_get_encr(transform_id)) {
- if (transform_id == ENCR_AES_CBC) {
- if (tend - pos != 4) {
- wpa_printf(MSG_DEBUG, "IKEV2: No "
- "Transform Attr for AES");
- break;
- }
-#ifdef CCNS_PL
- if (WPA_GET_BE16(pos) != 0x001d /* ?? */) {
- wpa_printf(MSG_DEBUG, "IKEV2: Not a "
- "Key Size attribute for "
- "AES");
- break;
- }
-#else /* CCNS_PL */
- if (WPA_GET_BE16(pos) != 0x800e) {
- wpa_printf(MSG_DEBUG, "IKEV2: Not a "
- "Key Size attribute for "
- "AES");
- break;
- }
-#endif /* CCNS_PL */
- if (WPA_GET_BE16(pos + 2) != 128) {
- wpa_printf(MSG_DEBUG, "IKEV2: "
- "Unsupported AES key size "
- "%d bits",
- WPA_GET_BE16(pos + 2));
- break;
- }
- }
- prop->encr = transform_id;
- }
- break;
- case IKEV2_TRANSFORM_PRF:
- if (ikev2_get_prf(transform_id))
- prop->prf = transform_id;
- break;
- case IKEV2_TRANSFORM_INTEG:
- if (ikev2_get_integ(transform_id))
- prop->integ = transform_id;
- break;
- case IKEV2_TRANSFORM_DH:
- if (dh_groups_get(transform_id))
- prop->dh = transform_id;
- break;
- }
-
- return transform_len;
-}
-
-
-static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
- const u8 *pos, const u8 *end)
-{
- const u8 *pend, *ppos;
- int proposal_len, i;
- const struct ikev2_proposal *p;
-
- if (end - pos < (int) sizeof(*p)) {
- wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
- return -1;
- }
-
- /* FIX: AND processing if multiple proposals use the same # */
-
- p = (const struct ikev2_proposal *) pos;
- proposal_len = WPA_GET_BE16(p->proposal_length);
- if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
- wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
- proposal_len);
- return -1;
- }
- wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
- p->proposal_num);
- wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
- " Protocol ID: %d",
- p->type, proposal_len, p->protocol_id);
- wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
- p->spi_size, p->num_transforms);
-
- if (p->type != 0 && p->type != 2) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
- return -1;
- }
-
- if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
- wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
- "(only IKE allowed for EAP-IKEv2)");
- return -1;
- }
-
- if (p->proposal_num != prop->proposal_num) {
- if (p->proposal_num == prop->proposal_num + 1)
- prop->proposal_num = p->proposal_num;
- else {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
- return -1;
- }
- }
-
- ppos = (const u8 *) (p + 1);
- pend = pos + proposal_len;
- if (ppos + p->spi_size > pend) {
- wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
- "in proposal");
- return -1;
- }
- if (p->spi_size) {
- wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
- ppos, p->spi_size);
- ppos += p->spi_size;
- }
-
- /*
- * For initial IKE_SA negotiation, SPI Size MUST be zero; for
- * subsequent negotiations, it must be 8 for IKE. We only support
- * initial case for now.
- */
- if (p->spi_size != 0) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
- return -1;
- }
-
- if (p->num_transforms == 0) {
- wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
- return -1;
- }
-
- for (i = 0; i < (int) p->num_transforms; i++) {
- int tlen = ikev2_parse_transform(prop, ppos, pend);
- if (tlen < 0)
- return -1;
- ppos += tlen;
- }
-
- if (ppos != pend) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
- "transforms");
- return -1;
- }
-
- return proposal_len;
-}
-
-
-static int ikev2_process_sai1(struct ikev2_responder_data *data,
- const u8 *sai1, size_t sai1_len)
-{
- struct ikev2_proposal_data prop;
- const u8 *pos, *end;
- int found = 0;
-
- /* Security Association Payloads: <Proposals> */
-
- if (sai1 == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
- return -1;
- }
-
- os_memset(&prop, 0, sizeof(prop));
- prop.proposal_num = 1;
-
- pos = sai1;
- end = sai1 + sai1_len;
-
- while (pos < end) {
- int plen;
-
- prop.integ = -1;
- prop.prf = -1;
- prop.encr = -1;
- prop.dh = -1;
- plen = ikev2_parse_proposal(&prop, pos, end);
- if (plen < 0)
- return -1;
-
- if (!found && prop.integ != -1 && prop.prf != -1 &&
- prop.encr != -1 && prop.dh != -1) {
- os_memcpy(&data->proposal, &prop, sizeof(prop));
- data->dh = dh_groups_get(prop.dh);
- found = 1;
- }
-
- pos += plen;
- }
-
- if (pos != end) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
- return -1;
- }
-
- if (!found) {
- wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
- return -1;
- }
-
- wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
- "INTEG:%d D-H:%d", data->proposal.proposal_num,
- data->proposal.encr, data->proposal.prf,
- data->proposal.integ, data->proposal.dh);
-
- return 0;
-}
-
-
-static int ikev2_process_kei(struct ikev2_responder_data *data,
- const u8 *kei, size_t kei_len)
-{
- u16 group;
-
- /*
- * Key Exchange Payload:
- * DH Group # (16 bits)
- * RESERVED (16 bits)
- * Key Exchange Data (Diffie-Hellman public value)
- */
-
- if (kei == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: KEi not received");
- return -1;
- }
-
- if (kei_len < 4 + 96) {
- wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
- return -1;
- }
-
- group = WPA_GET_BE16(kei);
- wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
-
- if (group != data->proposal.dh) {
- wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
- "with the selected proposal (%u)",
- group, data->proposal.dh);
- /* Reject message with Notify payload of type
- * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
- data->error_type = INVALID_KE_PAYLOAD;
- data->state = NOTIFY;
- return -1;
- }
-
- if (data->dh == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
- return -1;
- }
-
- /* RFC 4306, Section 3.4:
- * The length of DH public value MUST be equal to the lenght of the
- * prime modulus.
- */
- if (kei_len - 4 != data->dh->prime_len) {
- wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
- "%ld (expected %ld)",
- (long) (kei_len - 4), (long) data->dh->prime_len);
- return -1;
- }
-
- wpabuf_free(data->i_dh_public);
- data->i_dh_public = wpabuf_alloc(kei_len - 4);
- if (data->i_dh_public == NULL)
- return -1;
- wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
-
- wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
- data->i_dh_public);
-
- return 0;
-}
-
-
-static int ikev2_process_ni(struct ikev2_responder_data *data,
- const u8 *ni, size_t ni_len)
-{
- if (ni == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: Ni not received");
- return -1;
- }
-
- if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
- wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
- (long) ni_len);
- return -1;
- }
-
-#ifdef CCNS_PL
- /* Zeros are removed incorrectly from the beginning of the nonces */
- while (ni_len > 1 && *ni == 0) {
- ni_len--;
- ni++;
- }
-#endif /* CCNS_PL */
-
- data->i_nonce_len = ni_len;
- os_memcpy(data->i_nonce, ni, ni_len);
- wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
- data->i_nonce, data->i_nonce_len);
-
- return 0;
-}
-
-
-static int ikev2_process_sa_init(struct ikev2_responder_data *data,
- const struct ikev2_hdr *hdr,
- struct ikev2_payloads *pl)
-{
- if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
- ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
- ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
- return -1;
-
- os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
-
- return 0;
-}
-
-
-static int ikev2_process_idi(struct ikev2_responder_data *data,
- const u8 *idi, size_t idi_len)
-{
- u8 id_type;
-
- if (idi == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: No IDi received");
- return -1;
- }
-
- if (idi_len < 4) {
- wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
- return -1;
- }
-
- id_type = idi[0];
- idi += 4;
- idi_len -= 4;
-
- wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
- wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
- os_free(data->IDi);
- data->IDi = os_malloc(idi_len);
- if (data->IDi == NULL)
- return -1;
- os_memcpy(data->IDi, idi, idi_len);
- data->IDi_len = idi_len;
- data->IDi_type = id_type;
-
- return 0;
-}
-
-
-static int ikev2_process_cert(struct ikev2_responder_data *data,
- const u8 *cert, size_t cert_len)
-{
- u8 cert_encoding;
-
- if (cert == NULL) {
- if (data->peer_auth == PEER_AUTH_CERT) {
- wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
- return -1;
- }
- return 0;
- }
-
- if (cert_len < 1) {
- wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
- return -1;
- }
-
- cert_encoding = cert[0];
- cert++;
- cert_len--;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
- wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
-
- /* TODO: validate certificate */
-
- return 0;
-}
-
-
-static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
- u8 method, const u8 *auth, size_t auth_len)
-{
- if (method != AUTH_RSA_SIGN) {
- wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
- "method %d", method);
- return -1;
- }
-
- /* TODO: validate AUTH */
- return 0;
-}
-
-
-static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
- u8 method, const u8 *auth,
- size_t auth_len)
-{
- u8 auth_data[IKEV2_MAX_HASH_LEN];
- const struct ikev2_prf_alg *prf;
-
- if (method != AUTH_SHARED_KEY_MIC) {
- wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
- "method %d", method);
- return -1;
- }
-
- /* msg | Nr | prf(SK_pi,IDi') */
- if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
- data->IDi, data->IDi_len, data->IDi_type,
- &data->keys, 1, data->shared_secret,
- data->shared_secret_len,
- data->r_nonce, data->r_nonce_len,
- data->key_pad, data->key_pad_len,
- auth_data) < 0) {
- wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
- return -1;
- }
-
- wpabuf_free(data->i_sign_msg);
- data->i_sign_msg = NULL;
-
- prf = ikev2_get_prf(data->proposal.prf);
- if (prf == NULL)
- return -1;
-
- if (auth_len != prf->hash_len ||
- os_memcmp(auth, auth_data, auth_len) != 0) {
- wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
- wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
- auth, auth_len);
- wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
- auth_data, prf->hash_len);
- data->error_type = AUTHENTICATION_FAILED;
- data->state = NOTIFY;
- return -1;
- }
-
- wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
- "using shared keys");
-
- return 0;
-}
-
-
-static int ikev2_process_auth(struct ikev2_responder_data *data,
- const u8 *auth, size_t auth_len)
-{
- u8 auth_method;
-
- if (auth == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
- return -1;
- }
-
- if (auth_len < 4) {
- wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
- "Payload");
- return -1;
- }
-
- auth_method = auth[0];
- auth += 4;
- auth_len -= 4;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
- wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
-
- switch (data->peer_auth) {
- case PEER_AUTH_CERT:
- return ikev2_process_auth_cert(data, auth_method, auth,
- auth_len);
- case PEER_AUTH_SECRET:
- return ikev2_process_auth_secret(data, auth_method, auth,
- auth_len);
- }
-
- return -1;
-}
-
-
-static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
- u8 next_payload,
- u8 *payload, size_t payload_len)
-{
- struct ikev2_payloads pl;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
-
- if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
- payload_len) < 0) {
- wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
- "payloads");
- return -1;
- }
-
- if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
- ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
- ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
- return -1;
-
- return 0;
-}
-
-
-static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
- const struct ikev2_hdr *hdr,
- struct ikev2_payloads *pl)
-{
- u8 *decrypted;
- size_t decrypted_len;
- int ret;
-
- decrypted = ikev2_decrypt_payload(data->proposal.encr,
- data->proposal.integ,
- &data->keys, 1, hdr, pl->encrypted,
- pl->encrypted_len, &decrypted_len);
- if (decrypted == NULL)
- return -1;
-
- ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
- decrypted, decrypted_len);
- os_free(decrypted);
-
- return ret;
-}
-
-
-static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
- u8 exchange_type, u32 message_id)
-{
- switch (data->state) {
- case SA_INIT:
- /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
- if (exchange_type != IKE_SA_INIT) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
- "%u in SA_INIT state", exchange_type);
- return -1;
- }
- if (message_id != 0) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
- "in SA_INIT state", message_id);
- return -1;
- }
- break;
- case SA_AUTH:
- /* Expect to receive IKE_SA_AUTH:
- * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
- * AUTH, SAi2, TSi, TSr}
- */
- if (exchange_type != IKE_SA_AUTH) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
- "%u in SA_AUTH state", exchange_type);
- return -1;
- }
- if (message_id != 1) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
- "in SA_AUTH state", message_id);
- return -1;
- }
- break;
- case CHILD_SA:
- if (exchange_type != CREATE_CHILD_SA) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
- "%u in CHILD_SA state", exchange_type);
- return -1;
- }
- if (message_id != 2) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
- "in CHILD_SA state", message_id);
- return -1;
- }
- break;
- case NOTIFY:
- case IKEV2_DONE:
- case IKEV2_FAILED:
- return -1;
- }
-
- return 0;
-}
-
-
-int ikev2_responder_process(struct ikev2_responder_data *data,
- const struct wpabuf *buf)
-{
- const struct ikev2_hdr *hdr;
- u32 length, message_id;
- const u8 *pos, *end;
- struct ikev2_payloads pl;
-
- wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
- (unsigned long) wpabuf_len(buf));
-
- if (wpabuf_len(buf) < sizeof(*hdr)) {
- wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
- return -1;
- }
-
- data->error_type = 0;
- hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
- end = wpabuf_head_u8(buf) + wpabuf_len(buf);
- message_id = WPA_GET_BE32(hdr->message_id);
- length = WPA_GET_BE32(hdr->length);
-
- wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
- hdr->i_spi, IKEV2_SPI_LEN);
- wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
- hdr->r_spi, IKEV2_SPI_LEN);
- wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
- "Exchange Type: %u",
- hdr->next_payload, hdr->version, hdr->exchange_type);
- wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
- message_id, length);
-
- if (hdr->version != IKEV2_VERSION) {
- wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
- "(expected 0x%x)", hdr->version, IKEV2_VERSION);
- return -1;
- }
-
- if (length != wpabuf_len(buf)) {
- wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
- "RX: %lu)", (unsigned long) length,
- (unsigned long) wpabuf_len(buf));
- return -1;
- }
-
- if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
- return -1;
-
- if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
- IKEV2_HDR_INITIATOR) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
- hdr->flags);
- return -1;
- }
-
- if (data->state != SA_INIT) {
- if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
- "Initiator's SPI");
- return -1;
- }
- if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
- wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
- "Responder's SPI");
- return -1;
- }
- }
-
- pos = (const u8 *) (hdr + 1);
- if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
- return -1;
-
- if (data->state == SA_INIT) {
- data->last_msg = LAST_MSG_SA_INIT;
- if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
- if (data->state == NOTIFY)
- return 0;
- return -1;
- }
- wpabuf_free(data->i_sign_msg);
- data->i_sign_msg = wpabuf_dup(buf);
- }
-
- if (data->state == SA_AUTH) {
- data->last_msg = LAST_MSG_SA_AUTH;
- if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
- if (data->state == NOTIFY)
- return 0;
- return -1;
- }
- }
-
- return 0;
-}
-
-
-static void ikev2_build_hdr(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 exchange_type,
- u8 next_payload, u32 message_id)
-{
- struct ikev2_hdr *hdr;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
-
- /* HDR - RFC 4306, Sect. 3.1 */
- hdr = wpabuf_put(msg, sizeof(*hdr));
- os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
- os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
- hdr->next_payload = next_payload;
- hdr->version = IKEV2_VERSION;
- hdr->exchange_type = exchange_type;
- hdr->flags = IKEV2_HDR_RESPONSE;
- WPA_PUT_BE32(hdr->message_id, message_id);
-}
-
-
-static int ikev2_build_sar1(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 next_payload)
-{
- struct ikev2_payload_hdr *phdr;
- size_t plen;
- struct ikev2_proposal *p;
- struct ikev2_transform *t;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
-
- /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
- phdr = wpabuf_put(msg, sizeof(*phdr));
- phdr->next_payload = next_payload;
- phdr->flags = 0;
-
- p = wpabuf_put(msg, sizeof(*p));
-#ifdef CCNS_PL
- /* Seems to require that the Proposal # is 1 even though RFC 4306
- * Sect 3.3.1 has following requirement "When a proposal is accepted,
- * all of the proposal numbers in the SA payload MUST be the same and
- * MUST match the number on the proposal sent that was accepted.".
- */
- p->proposal_num = 1;
-#else /* CCNS_PL */
- p->proposal_num = data->proposal.proposal_num;
-#endif /* CCNS_PL */
- p->protocol_id = IKEV2_PROTOCOL_IKE;
- p->num_transforms = 4;
-
- t = wpabuf_put(msg, sizeof(*t));
- t->type = 3;
- t->transform_type = IKEV2_TRANSFORM_ENCR;
- WPA_PUT_BE16(t->transform_id, data->proposal.encr);
- if (data->proposal.encr == ENCR_AES_CBC) {
- /* Transform Attribute: Key Len = 128 bits */
-#ifdef CCNS_PL
- wpabuf_put_be16(msg, 0x001d); /* ?? */
-#else /* CCNS_PL */
- wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
-#endif /* CCNS_PL */
- wpabuf_put_be16(msg, 128); /* 128-bit key */
- }
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
- WPA_PUT_BE16(t->transform_length, plen);
-
- t = wpabuf_put(msg, sizeof(*t));
- t->type = 3;
- WPA_PUT_BE16(t->transform_length, sizeof(*t));
- t->transform_type = IKEV2_TRANSFORM_PRF;
- WPA_PUT_BE16(t->transform_id, data->proposal.prf);
-
- t = wpabuf_put(msg, sizeof(*t));
- t->type = 3;
- WPA_PUT_BE16(t->transform_length, sizeof(*t));
- t->transform_type = IKEV2_TRANSFORM_INTEG;
- WPA_PUT_BE16(t->transform_id, data->proposal.integ);
-
- t = wpabuf_put(msg, sizeof(*t));
- WPA_PUT_BE16(t->transform_length, sizeof(*t));
- t->transform_type = IKEV2_TRANSFORM_DH;
- WPA_PUT_BE16(t->transform_id, data->proposal.dh);
-
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
- WPA_PUT_BE16(p->proposal_length, plen);
-
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
- WPA_PUT_BE16(phdr->payload_length, plen);
-
- return 0;
-}
-
-
-static int ikev2_build_ker(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 next_payload)
-{
- struct ikev2_payload_hdr *phdr;
- size_t plen;
- struct wpabuf *pv;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
-
- pv = dh_init(data->dh, &data->r_dh_private);
- if (pv == NULL) {
- wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
- return -1;
- }
-
- /* KEr - RFC 4306, Sect. 3.4 */
- phdr = wpabuf_put(msg, sizeof(*phdr));
- phdr->next_payload = next_payload;
- phdr->flags = 0;
-
- wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
- wpabuf_put(msg, 2); /* RESERVED */
- /*
- * RFC 4306, Sect. 3.4: possible zero padding for public value to
- * match the length of the prime.
- */
- wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
- wpabuf_put_buf(msg, pv);
- wpabuf_free(pv);
-
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
- WPA_PUT_BE16(phdr->payload_length, plen);
- return 0;
-}
-
-
-static int ikev2_build_nr(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 next_payload)
-{
- struct ikev2_payload_hdr *phdr;
- size_t plen;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
-
- /* Nr - RFC 4306, Sect. 3.9 */
- phdr = wpabuf_put(msg, sizeof(*phdr));
- phdr->next_payload = next_payload;
- phdr->flags = 0;
- wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
- WPA_PUT_BE16(phdr->payload_length, plen);
- return 0;
-}
-
-
-static int ikev2_build_idr(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 next_payload)
-{
- struct ikev2_payload_hdr *phdr;
- size_t plen;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
-
- if (data->IDr == NULL) {
- wpa_printf(MSG_INFO, "IKEV2: No IDr available");
- return -1;
- }
-
- /* IDr - RFC 4306, Sect. 3.5 */
- phdr = wpabuf_put(msg, sizeof(*phdr));
- phdr->next_payload = next_payload;
- phdr->flags = 0;
- wpabuf_put_u8(msg, ID_KEY_ID);
- wpabuf_put(msg, 3); /* RESERVED */
- wpabuf_put_data(msg, data->IDr, data->IDr_len);
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
- WPA_PUT_BE16(phdr->payload_length, plen);
- return 0;
-}
-
-
-static int ikev2_build_auth(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 next_payload)
-{
- struct ikev2_payload_hdr *phdr;
- size_t plen;
- const struct ikev2_prf_alg *prf;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
-
- prf = ikev2_get_prf(data->proposal.prf);
- if (prf == NULL)
- return -1;
-
- /* Authentication - RFC 4306, Sect. 3.8 */
- phdr = wpabuf_put(msg, sizeof(*phdr));
- phdr->next_payload = next_payload;
- phdr->flags = 0;
- wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
- wpabuf_put(msg, 3); /* RESERVED */
-
- /* msg | Ni | prf(SK_pr,IDr') */
- if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
- data->IDr, data->IDr_len, ID_KEY_ID,
- &data->keys, 0, data->shared_secret,
- data->shared_secret_len,
- data->i_nonce, data->i_nonce_len,
- data->key_pad, data->key_pad_len,
- wpabuf_put(msg, prf->hash_len)) < 0) {
- wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
- return -1;
- }
- wpabuf_free(data->r_sign_msg);
- data->r_sign_msg = NULL;
-
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
- WPA_PUT_BE16(phdr->payload_length, plen);
- return 0;
-}
-
-
-static int ikev2_build_notification(struct ikev2_responder_data *data,
- struct wpabuf *msg, u8 next_payload)
-{
- struct ikev2_payload_hdr *phdr;
- size_t plen;
-
- wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
-
- if (data->error_type == 0) {
- wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
- "available");
- return -1;
- }
-
- /* Notify - RFC 4306, Sect. 3.10 */
- phdr = wpabuf_put(msg, sizeof(*phdr));
- phdr->next_payload = next_payload;
- phdr->flags = 0;
-#ifdef CCNS_PL
- wpabuf_put_u8(msg, 1); /* Protocol ID: IKE_SA notification */
-#else /* CCNS_PL */
- wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
-#endif /* CCNS_PL */
- wpabuf_put_u8(msg, 0); /* SPI Size */
- wpabuf_put_be16(msg, data->error_type);
-
- switch (data->error_type) {
- case INVALID_KE_PAYLOAD:
- if (data->proposal.dh == -1) {
- wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
- "INVALID_KE_PAYLOAD notifications");
- return -1;
- }
- wpabuf_put_be16(msg, data->proposal.dh);
- wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
- "DH Group #%d", data->proposal.dh);
- break;
- case AUTHENTICATION_FAILED:
- /* no associated data */
- break;
- default:
- wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
- "%d", data->error_type);
- return -1;
- }
-
- plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
- WPA_PUT_BE16(phdr->payload_length, plen);
- return 0;
-}
-
-
-static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
-{
- struct wpabuf *msg;
-
- /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
-
- if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
- return NULL;
- wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
- data->r_spi, IKEV2_SPI_LEN);
-
- data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
- if (os_get_random(data->r_nonce, data->r_nonce_len))
- return NULL;
-#ifdef CCNS_PL
- /* Zeros are removed incorrectly from the beginning of the nonces in
- * key derivation; as a workaround, make sure Nr does not start with
- * zero.. */
- if (data->r_nonce[0] == 0)
- data->r_nonce[0] = 1;
-#endif /* CCNS_PL */
- wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
-
- msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
- if (msg == NULL)
- return NULL;
-
- ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
- if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
- ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
- ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
- IKEV2_PAYLOAD_ENCRYPTED :
- IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
- wpabuf_free(msg);
- return NULL;
- }
-
- if (ikev2_derive_keys(data)) {
- wpabuf_free(msg);
- return NULL;
- }
-
- if (data->peer_auth == PEER_AUTH_CERT) {
- /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
- * for trust agents */
- }
-
- if (data->peer_auth == PEER_AUTH_SECRET) {
- struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
- if (plain == NULL) {
- wpabuf_free(msg);
- return NULL;
- }
- if (ikev2_build_idr(data, plain,
- IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
- ikev2_build_encrypted(data->proposal.encr,
- data->proposal.integ,
- &data->keys, 0, msg, plain,
- IKEV2_PAYLOAD_IDr)) {
- wpabuf_free(plain);
- wpabuf_free(msg);
- return NULL;
- }
- wpabuf_free(plain);
- }
-
- ikev2_update_hdr(msg);
-
- wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
-
- data->state = SA_AUTH;
-
- wpabuf_free(data->r_sign_msg);
- data->r_sign_msg = wpabuf_dup(msg);
-
- return msg;
-}
-
-
-static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
-{
- struct wpabuf *msg, *plain;
-
- /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
-
- msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
- if (msg == NULL)
- return NULL;
- ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
-
- plain = wpabuf_alloc(data->IDr_len + 1000);
- if (plain == NULL) {
- wpabuf_free(msg);
- return NULL;
- }
-
- if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
- ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
- ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
- &data->keys, 0, msg, plain,
- IKEV2_PAYLOAD_IDr)) {
- wpabuf_free(plain);
- wpabuf_free(msg);
- return NULL;
- }
- wpabuf_free(plain);
-
- wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
-
- data->state = IKEV2_DONE;
-
- return msg;
-}
-
-
-static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
-{
- struct wpabuf *msg;
-
- msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
- if (msg == NULL)
- return NULL;
- if (data->last_msg == LAST_MSG_SA_AUTH) {
- /* HDR, SK{N} */
- struct wpabuf *plain = wpabuf_alloc(100);
- if (plain == NULL) {
- wpabuf_free(msg);
- return NULL;
- }
- ikev2_build_hdr(data, msg, IKE_SA_AUTH,
- IKEV2_PAYLOAD_ENCRYPTED, 1);
- if (ikev2_build_notification(data, plain,
- IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
- ikev2_build_encrypted(data->proposal.encr,
- data->proposal.integ,
- &data->keys, 0, msg, plain,
- IKEV2_PAYLOAD_NOTIFICATION)) {
- wpabuf_free(plain);
- wpabuf_free(msg);
- return NULL;
- }
- data->state = IKEV2_FAILED;
- } else {
- /* HDR, N */
- ikev2_build_hdr(data, msg, IKE_SA_INIT,
- IKEV2_PAYLOAD_NOTIFICATION, 0);
- if (ikev2_build_notification(data, msg,
- IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
- wpabuf_free(msg);
- return NULL;
- }
- data->state = SA_INIT;
- }
-
- ikev2_update_hdr(msg);
-
- wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
- msg);
-
- return msg;
-}
-
-
-struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
-{
- switch (data->state) {
- case SA_INIT:
- return ikev2_build_sa_init(data);
- case SA_AUTH:
- return ikev2_build_sa_auth(data);
- case CHILD_SA:
- return NULL;
- case NOTIFY:
- return ikev2_build_notify(data);
- case IKEV2_DONE:
- case IKEV2_FAILED:
- return NULL;
- }
- return NULL;
-}
projects / mech_eap.git / blobdiff