LCOV - code coverage report
Current view: top level - src/eap_server - ikev2.c (source / functions) Hit Total Coverage
Test: wpa_supplicant/hostapd combined for hwsim test run 1401264779 Lines: 431 617 69.9 %
Date: 2014-05-28 Functions: 26 27 96.3 %

          Line data    Source code
       1             : /*
       2             :  * IKEv2 initiator (RFC 4306) for EAP-IKEV2
       3             :  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
       4             :  *
       5             :  * This software may be distributed under the terms of the BSD license.
       6             :  * See README for more details.
       7             :  */
       8             : 
       9             : #include "includes.h"
      10             : 
      11             : #include "common.h"
      12             : #include "crypto/dh_groups.h"
      13             : #include "crypto/random.h"
      14             : #include "ikev2.h"
      15             : 
      16             : 
      17             : static int ikev2_process_idr(struct ikev2_initiator_data *data,
      18             :                              const u8 *idr, size_t idr_len);
      19             : 
      20             : 
      21           6 : void ikev2_initiator_deinit(struct ikev2_initiator_data *data)
      22             : {
      23           6 :         ikev2_free_keys(&data->keys);
      24           6 :         wpabuf_free(data->r_dh_public);
      25           6 :         wpabuf_free(data->i_dh_private);
      26           6 :         os_free(data->IDi);
      27           6 :         os_free(data->IDr);
      28           6 :         os_free(data->shared_secret);
      29           6 :         wpabuf_free(data->i_sign_msg);
      30           6 :         wpabuf_free(data->r_sign_msg);
      31           6 :         os_free(data->key_pad);
      32           6 : }
      33             : 
      34             : 
      35           6 : static int ikev2_derive_keys(struct ikev2_initiator_data *data)
      36             : {
      37             :         u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
      38             :         size_t buf_len, pad_len;
      39             :         struct wpabuf *shared;
      40             :         const struct ikev2_integ_alg *integ;
      41             :         const struct ikev2_prf_alg *prf;
      42             :         const struct ikev2_encr_alg *encr;
      43             :         int ret;
      44             :         const u8 *addr[2];
      45             :         size_t len[2];
      46             : 
      47             :         /* RFC 4306, Sect. 2.14 */
      48             : 
      49           6 :         integ = ikev2_get_integ(data->proposal.integ);
      50           6 :         prf = ikev2_get_prf(data->proposal.prf);
      51           6 :         encr = ikev2_get_encr(data->proposal.encr);
      52           6 :         if (integ == NULL || prf == NULL || encr == NULL) {
      53           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
      54           0 :                 return -1;
      55             :         }
      56             : 
      57           6 :         shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
      58             :                                   data->dh);
      59           6 :         if (shared == NULL)
      60           0 :                 return -1;
      61             : 
      62             :         /* Construct Ni | Nr | SPIi | SPIr */
      63             : 
      64           6 :         buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
      65           6 :         buf = os_malloc(buf_len);
      66           6 :         if (buf == NULL) {
      67           0 :                 wpabuf_free(shared);
      68           0 :                 return -1;
      69             :         }
      70             : 
      71           6 :         pos = buf;
      72           6 :         os_memcpy(pos, data->i_nonce, data->i_nonce_len);
      73           6 :         pos += data->i_nonce_len;
      74           6 :         os_memcpy(pos, data->r_nonce, data->r_nonce_len);
      75           6 :         pos += data->r_nonce_len;
      76           6 :         os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
      77           6 :         pos += IKEV2_SPI_LEN;
      78           6 :         os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
      79             : 
      80             :         /* SKEYSEED = prf(Ni | Nr, g^ir) */
      81             : 
      82             :         /* Use zero-padding per RFC 4306, Sect. 2.14 */
      83           6 :         pad_len = data->dh->prime_len - wpabuf_len(shared);
      84           6 :         pad = os_zalloc(pad_len ? pad_len : 1);
      85           6 :         if (pad == NULL) {
      86           0 :                 wpabuf_free(shared);
      87           0 :                 os_free(buf);
      88           0 :                 return -1;
      89             :         }
      90           6 :         addr[0] = pad;
      91           6 :         len[0] = pad_len;
      92           6 :         addr[1] = wpabuf_head(shared);
      93           6 :         len[1] = wpabuf_len(shared);
      94           6 :         if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
      95             :                            2, addr, len, skeyseed) < 0) {
      96           0 :                 wpabuf_free(shared);
      97           0 :                 os_free(buf);
      98           0 :                 os_free(pad);
      99           0 :                 return -1;
     100             :         }
     101           6 :         os_free(pad);
     102           6 :         wpabuf_free(shared);
     103             : 
     104             :         /* DH parameters are not needed anymore, so free them */
     105           6 :         wpabuf_free(data->r_dh_public);
     106           6 :         data->r_dh_public = NULL;
     107           6 :         wpabuf_free(data->i_dh_private);
     108           6 :         data->i_dh_private = NULL;
     109             : 
     110           6 :         wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
     111             :                         skeyseed, prf->hash_len);
     112             : 
     113           6 :         ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
     114             :                                    &data->keys);
     115           6 :         os_free(buf);
     116           6 :         return ret;
     117             : }
     118             : 
     119             : 
     120          24 : static int ikev2_parse_transform(struct ikev2_initiator_data *data,
     121             :                                  struct ikev2_proposal_data *prop,
     122             :                                  const u8 *pos, const u8 *end)
     123             : {
     124             :         int transform_len;
     125             :         const struct ikev2_transform *t;
     126             :         u16 transform_id;
     127             :         const u8 *tend;
     128             : 
     129          24 :         if (end - pos < (int) sizeof(*t)) {
     130           0 :                 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
     131           0 :                 return -1;
     132             :         }
     133             : 
     134          24 :         t = (const struct ikev2_transform *) pos;
     135          24 :         transform_len = WPA_GET_BE16(t->transform_length);
     136          24 :         if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
     137           0 :                 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
     138             :                            transform_len);
     139           0 :                 return -1;
     140             :         }
     141          24 :         tend = pos + transform_len;
     142             : 
     143          24 :         transform_id = WPA_GET_BE16(t->transform_id);
     144             : 
     145          24 :         wpa_printf(MSG_DEBUG, "IKEV2:   Transform:");
     146          72 :         wpa_printf(MSG_DEBUG, "IKEV2:     Type: %d  Transform Length: %d  "
     147             :                    "Transform Type: %d  Transform ID: %d",
     148          48 :                    t->type, transform_len, t->transform_type, transform_id);
     149             : 
     150          24 :         if (t->type != 0 && t->type != 3) {
     151           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
     152           0 :                 return -1;
     153             :         }
     154             : 
     155          24 :         pos = (const u8 *) (t + 1);
     156          24 :         if (pos < tend) {
     157           6 :                 wpa_hexdump(MSG_DEBUG, "IKEV2:     Transform Attributes",
     158           6 :                             pos, tend - pos);
     159             :         }
     160             : 
     161          24 :         switch (t->transform_type) {
     162             :         case IKEV2_TRANSFORM_ENCR:
     163          12 :                 if (ikev2_get_encr(transform_id) &&
     164           6 :                     transform_id == data->proposal.encr) {
     165           6 :                         if (transform_id == ENCR_AES_CBC) {
     166           6 :                                 if (tend - pos != 4) {
     167           0 :                                         wpa_printf(MSG_DEBUG, "IKEV2: No "
     168             :                                                    "Transform Attr for AES");
     169           0 :                                         break;
     170             :                                 }
     171           6 :                                 if (WPA_GET_BE16(pos) != 0x800e) {
     172           0 :                                         wpa_printf(MSG_DEBUG, "IKEV2: Not a "
     173             :                                                    "Key Size attribute for "
     174             :                                                    "AES");
     175           0 :                                         break;
     176             :                                 }
     177           6 :                                 if (WPA_GET_BE16(pos + 2) != 128) {
     178           0 :                                         wpa_printf(MSG_DEBUG, "IKEV2: "
     179             :                                                    "Unsupported AES key size "
     180             :                                                    "%d bits",
     181           0 :                                                    WPA_GET_BE16(pos + 2));
     182           0 :                                         break;
     183             :                                 }
     184             :                         }
     185           6 :                         prop->encr = transform_id;
     186             :                 }
     187           6 :                 break;
     188             :         case IKEV2_TRANSFORM_PRF:
     189          12 :                 if (ikev2_get_prf(transform_id) &&
     190           6 :                     transform_id == data->proposal.prf)
     191           6 :                         prop->prf = transform_id;
     192           6 :                 break;
     193             :         case IKEV2_TRANSFORM_INTEG:
     194          12 :                 if (ikev2_get_integ(transform_id) &&
     195           6 :                     transform_id == data->proposal.integ)
     196           6 :                         prop->integ = transform_id;
     197           6 :                 break;
     198             :         case IKEV2_TRANSFORM_DH:
     199          12 :                 if (dh_groups_get(transform_id) &&
     200           6 :                     transform_id == data->proposal.dh)
     201           6 :                         prop->dh = transform_id;
     202           6 :                 break;
     203             :         }
     204             : 
     205          24 :         return transform_len;
     206             : }
     207             : 
     208             : 
     209           6 : static int ikev2_parse_proposal(struct ikev2_initiator_data *data,
     210             :                                 struct ikev2_proposal_data *prop,
     211             :                                 const u8 *pos, const u8 *end)
     212             : {
     213             :         const u8 *pend, *ppos;
     214             :         int proposal_len, i;
     215             :         const struct ikev2_proposal *p;
     216             : 
     217           6 :         if (end - pos < (int) sizeof(*p)) {
     218           0 :                 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
     219           0 :                 return -1;
     220             :         }
     221             : 
     222           6 :         p = (const struct ikev2_proposal *) pos;
     223           6 :         proposal_len = WPA_GET_BE16(p->proposal_length);
     224           6 :         if (proposal_len < (int) sizeof(*p) || pos + proposal_len > end) {
     225           0 :                 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
     226             :                            proposal_len);
     227           0 :                 return -1;
     228             :         }
     229           6 :         wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
     230           6 :                    p->proposal_num);
     231          12 :         wpa_printf(MSG_DEBUG, "IKEV2:   Type: %d  Proposal Length: %d "
     232             :                    " Protocol ID: %d",
     233          12 :                    p->type, proposal_len, p->protocol_id);
     234          12 :         wpa_printf(MSG_DEBUG, "IKEV2:   SPI Size: %d  Transforms: %d",
     235          12 :                    p->spi_size, p->num_transforms);
     236             : 
     237           6 :         if (p->type != 0 && p->type != 2) {
     238           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
     239           0 :                 return -1;
     240             :         }
     241             : 
     242           6 :         if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
     243           0 :                 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
     244             :                            "(only IKE allowed for EAP-IKEv2)");
     245           0 :                 return -1;
     246             :         }
     247             : 
     248           6 :         if (p->proposal_num != prop->proposal_num) {
     249           0 :                 if (p->proposal_num == prop->proposal_num + 1)
     250           0 :                         prop->proposal_num = p->proposal_num;
     251             :                 else {
     252           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
     253           0 :                         return -1;
     254             :                 }
     255             :         }
     256             : 
     257           6 :         ppos = (const u8 *) (p + 1);
     258           6 :         pend = pos + proposal_len;
     259           6 :         if (ppos + p->spi_size > pend) {
     260           0 :                 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
     261             :                            "in proposal");
     262           0 :                 return -1;
     263             :         }
     264           6 :         if (p->spi_size) {
     265           0 :                 wpa_hexdump(MSG_DEBUG, "IKEV2:    SPI",
     266           0 :                             ppos, p->spi_size);
     267           0 :                 ppos += p->spi_size;
     268             :         }
     269             : 
     270             :         /*
     271             :          * For initial IKE_SA negotiation, SPI Size MUST be zero; for
     272             :          * subsequent negotiations, it must be 8 for IKE. We only support
     273             :          * initial case for now.
     274             :          */
     275           6 :         if (p->spi_size != 0) {
     276           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
     277           0 :                 return -1;
     278             :         }
     279             : 
     280           6 :         if (p->num_transforms == 0) {
     281           0 :                 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
     282           0 :                 return -1;
     283             :         }
     284             : 
     285          30 :         for (i = 0; i < (int) p->num_transforms; i++) {
     286          24 :                 int tlen = ikev2_parse_transform(data, prop, ppos, pend);
     287          24 :                 if (tlen < 0)
     288           0 :                         return -1;
     289          24 :                 ppos += tlen;
     290             :         }
     291             : 
     292           6 :         if (ppos != pend) {
     293           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
     294             :                            "transforms");
     295           0 :                 return -1;
     296             :         }
     297             : 
     298           6 :         return proposal_len;
     299             : }
     300             : 
     301             : 
     302           6 : static int ikev2_process_sar1(struct ikev2_initiator_data *data,
     303             :                               const u8 *sar1, size_t sar1_len)
     304             : {
     305             :         struct ikev2_proposal_data prop;
     306             :         const u8 *pos, *end;
     307           6 :         int found = 0;
     308             : 
     309             :         /* Security Association Payloads: <Proposals> */
     310             : 
     311           6 :         if (sar1 == NULL) {
     312           0 :                 wpa_printf(MSG_INFO, "IKEV2: SAr1 not received");
     313           0 :                 return -1;
     314             :         }
     315             : 
     316           6 :         os_memset(&prop, 0, sizeof(prop));
     317           6 :         prop.proposal_num = 1;
     318             : 
     319           6 :         pos = sar1;
     320           6 :         end = sar1 + sar1_len;
     321             : 
     322           6 :         while (pos < end) {
     323             :                 int plen;
     324             : 
     325           6 :                 prop.integ = -1;
     326           6 :                 prop.prf = -1;
     327           6 :                 prop.encr = -1;
     328           6 :                 prop.dh = -1;
     329           6 :                 plen = ikev2_parse_proposal(data, &prop, pos, end);
     330           6 :                 if (plen < 0)
     331           0 :                         return -1;
     332             : 
     333          12 :                 if (!found && prop.integ != -1 && prop.prf != -1 &&
     334          12 :                     prop.encr != -1 && prop.dh != -1) {
     335           6 :                         found = 1;
     336             :                 }
     337             : 
     338           6 :                 pos += plen;
     339             : 
     340             :                 /* Only one proposal expected in SAr */
     341           6 :                 break;
     342             :         }
     343             : 
     344           6 :         if (pos != end) {
     345           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposal");
     346           0 :                 return -1;
     347             :         }
     348             : 
     349           6 :         if (!found) {
     350           0 :                 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
     351           0 :                 return -1;
     352             :         }
     353             : 
     354          12 :         wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
     355           6 :                    "INTEG:%d D-H:%d", data->proposal.proposal_num,
     356             :                    data->proposal.encr, data->proposal.prf,
     357             :                    data->proposal.integ, data->proposal.dh);
     358             : 
     359           6 :         return 0;
     360             : }
     361             : 
     362             : 
     363           6 : static int ikev2_process_ker(struct ikev2_initiator_data *data,
     364             :                              const u8 *ker, size_t ker_len)
     365             : {
     366             :         u16 group;
     367             : 
     368             :         /*
     369             :          * Key Exchange Payload:
     370             :          * DH Group # (16 bits)
     371             :          * RESERVED (16 bits)
     372             :          * Key Exchange Data (Diffie-Hellman public value)
     373             :          */
     374             : 
     375           6 :         if (ker == NULL) {
     376           0 :                 wpa_printf(MSG_INFO, "IKEV2: KEr not received");
     377           0 :                 return -1;
     378             :         }
     379             : 
     380           6 :         if (ker_len < 4 + 96) {
     381           0 :                 wpa_printf(MSG_INFO, "IKEV2: Too show Key Exchange Payload");
     382           0 :                 return -1;
     383             :         }
     384             : 
     385           6 :         group = WPA_GET_BE16(ker);
     386           6 :         wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u", group);
     387             : 
     388           6 :         if (group != data->proposal.dh) {
     389           0 :                 wpa_printf(MSG_DEBUG, "IKEV2: KEr DH Group #%u does not match "
     390             :                            "with the selected proposal (%u)",
     391             :                            group, data->proposal.dh);
     392           0 :                 return -1;
     393             :         }
     394             : 
     395           6 :         if (data->dh == NULL) {
     396           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
     397           0 :                 return -1;
     398             :         }
     399             : 
     400             :         /* RFC 4306, Section 3.4:
     401             :          * The length of DH public value MUST be equal to the length of the
     402             :          * prime modulus.
     403             :          */
     404           6 :         if (ker_len - 4 != data->dh->prime_len) {
     405           0 :                 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
     406             :                            "%ld (expected %ld)",
     407           0 :                            (long) (ker_len - 4), (long) data->dh->prime_len);
     408           0 :                 return -1;
     409             :         }
     410             : 
     411           6 :         wpabuf_free(data->r_dh_public);
     412           6 :         data->r_dh_public = wpabuf_alloc_copy(ker + 4, ker_len - 4);
     413           6 :         if (data->r_dh_public == NULL)
     414           0 :                 return -1;
     415             : 
     416           6 :         wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEr Diffie-Hellman Public Value",
     417           6 :                         data->r_dh_public);
     418             :         
     419           6 :         return 0;
     420             : }
     421             : 
     422             : 
     423           6 : static int ikev2_process_nr(struct ikev2_initiator_data *data,
     424             :                             const u8 *nr, size_t nr_len)
     425             : {
     426           6 :         if (nr == NULL) {
     427           0 :                 wpa_printf(MSG_INFO, "IKEV2: Nr not received");
     428           0 :                 return -1;
     429             :         }
     430             : 
     431           6 :         if (nr_len < IKEV2_NONCE_MIN_LEN || nr_len > IKEV2_NONCE_MAX_LEN) {
     432           0 :                 wpa_printf(MSG_INFO, "IKEV2: Invalid Nr length %ld",
     433             :                            (long) nr_len);
     434           0 :                 return -1;
     435             :         }
     436             : 
     437           6 :         data->r_nonce_len = nr_len;
     438           6 :         os_memcpy(data->r_nonce, nr, nr_len);
     439          12 :         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Nr",
     440           6 :                     data->r_nonce, data->r_nonce_len);
     441             : 
     442           6 :         return 0;
     443             : }
     444             : 
     445             : 
     446           6 : static int ikev2_process_sa_init_encr(struct ikev2_initiator_data *data,
     447             :                                       const struct ikev2_hdr *hdr,
     448             :                                       const u8 *encrypted,
     449             :                                       size_t encrypted_len, u8 next_payload)
     450             : {
     451             :         u8 *decrypted;
     452             :         size_t decrypted_len;
     453             :         struct ikev2_payloads pl;
     454           6 :         int ret = 0;
     455             : 
     456           6 :         decrypted = ikev2_decrypt_payload(data->proposal.encr,
     457             :                                           data->proposal.integ, &data->keys, 0,
     458             :                                           hdr, encrypted, encrypted_len,
     459             :                                           &decrypted_len);
     460           6 :         if (decrypted == NULL)
     461           0 :                 return -1;
     462             : 
     463           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
     464             : 
     465           6 :         if (ikev2_parse_payloads(&pl, next_payload, decrypted,
     466             :                                  decrypted + decrypted_len) < 0) {
     467           0 :                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
     468             :                            "payloads");
     469           0 :                 return -1;
     470             :         }
     471             : 
     472           6 :         if (pl.idr)
     473           6 :                 ret = ikev2_process_idr(data, pl.idr, pl.idr_len);
     474             : 
     475           6 :         os_free(decrypted);
     476             : 
     477           6 :         return ret;
     478             : }
     479             : 
     480             : 
     481           6 : static int ikev2_process_sa_init(struct ikev2_initiator_data *data,
     482             :                                  const struct ikev2_hdr *hdr,
     483             :                                  struct ikev2_payloads *pl)
     484             : {
     485          12 :         if (ikev2_process_sar1(data, pl->sa, pl->sa_len) < 0 ||
     486          12 :             ikev2_process_ker(data, pl->ke, pl->ke_len) < 0 ||
     487           6 :             ikev2_process_nr(data, pl->nonce, pl->nonce_len) < 0)
     488           0 :                 return -1;
     489             : 
     490           6 :         os_memcpy(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN);
     491             : 
     492           6 :         if (ikev2_derive_keys(data) < 0)
     493           0 :                 return -1;
     494             : 
     495           6 :         if (pl->encrypted) {
     496           6 :                 wpa_printf(MSG_DEBUG, "IKEV2: Encrypted payload in SA_INIT - "
     497             :                            "try to get IDr from it");
     498           6 :                 if (ikev2_process_sa_init_encr(data, hdr, pl->encrypted,
     499             :                                                pl->encrypted_len,
     500           6 :                                                pl->encr_next_payload) < 0) {
     501           0 :                         wpa_printf(MSG_INFO, "IKEV2: Failed to process "
     502             :                                    "encrypted payload");
     503           0 :                         return -1;
     504             :                 }
     505             :         }
     506             : 
     507           6 :         data->state = SA_AUTH;
     508             : 
     509           6 :         return 0;
     510             : }
     511             : 
     512             : 
     513          12 : static int ikev2_process_idr(struct ikev2_initiator_data *data,
     514             :                              const u8 *idr, size_t idr_len)
     515             : {
     516             :         u8 id_type;
     517             : 
     518          12 :         if (idr == NULL) {
     519           1 :                 wpa_printf(MSG_INFO, "IKEV2: No IDr received");
     520           1 :                 return -1;
     521             :         }
     522             : 
     523          11 :         if (idr_len < 4) {
     524           0 :                 wpa_printf(MSG_INFO, "IKEV2: Too short IDr payload");
     525           0 :                 return -1;
     526             :         }
     527             : 
     528          11 :         id_type = idr[0];
     529          11 :         idr += 4;
     530          11 :         idr_len -= 4;
     531             : 
     532          11 :         wpa_printf(MSG_DEBUG, "IKEV2: IDr ID Type %d", id_type);
     533          11 :         wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDr", idr, idr_len);
     534          11 :         if (data->IDr) {
     535          10 :                 if (id_type != data->IDr_type || idr_len != data->IDr_len ||
     536           5 :                     os_memcmp(idr, data->IDr, idr_len) != 0) {
     537           0 :                         wpa_printf(MSG_INFO, "IKEV2: IDr differs from the one "
     538             :                                    "received earlier");
     539           0 :                         wpa_printf(MSG_DEBUG, "IKEV2: Previous IDr ID Type %d",
     540             :                                    id_type);
     541           0 :                         wpa_hexdump_ascii(MSG_DEBUG, "Previous IKEV2: IDr",
     542           0 :                                           data->IDr, data->IDr_len);
     543           0 :                         return -1;
     544             :                 }
     545           5 :                 os_free(data->IDr);
     546             :         }
     547          11 :         data->IDr = os_malloc(idr_len);
     548          11 :         if (data->IDr == NULL)
     549           0 :                 return -1;
     550          11 :         os_memcpy(data->IDr, idr, idr_len);
     551          11 :         data->IDr_len = idr_len;
     552          11 :         data->IDr_type = id_type;
     553             : 
     554          11 :         return 0;
     555             : }
     556             : 
     557             : 
     558           5 : static int ikev2_process_cert(struct ikev2_initiator_data *data,
     559             :                               const u8 *cert, size_t cert_len)
     560             : {
     561             :         u8 cert_encoding;
     562             : 
     563           5 :         if (cert == NULL) {
     564           5 :                 if (data->peer_auth == PEER_AUTH_CERT) {
     565           0 :                         wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
     566           0 :                         return -1;
     567             :                 }
     568           5 :                 return 0;
     569             :         }
     570             : 
     571           0 :         if (cert_len < 1) {
     572           0 :                 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
     573           0 :                 return -1;
     574             :         }
     575             : 
     576           0 :         cert_encoding = cert[0];
     577           0 :         cert++;
     578           0 :         cert_len--;
     579             : 
     580           0 :         wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
     581           0 :         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
     582             : 
     583             :         /* TODO: validate certificate */
     584             : 
     585           0 :         return 0;
     586             : }
     587             : 
     588             : 
     589           0 : static int ikev2_process_auth_cert(struct ikev2_initiator_data *data,
     590             :                                    u8 method, const u8 *auth, size_t auth_len)
     591             : {
     592           0 :         if (method != AUTH_RSA_SIGN) {
     593           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
     594             :                            "method %d", method);
     595           0 :                 return -1;
     596             :         }
     597             : 
     598             :         /* TODO: validate AUTH */
     599           0 :         return 0;
     600             : }
     601             : 
     602             : 
     603           5 : static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
     604             :                                      u8 method, const u8 *auth,
     605             :                                      size_t auth_len)
     606             : {
     607             :         u8 auth_data[IKEV2_MAX_HASH_LEN];
     608             :         const struct ikev2_prf_alg *prf;
     609             : 
     610           5 :         if (method != AUTH_SHARED_KEY_MIC) {
     611           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
     612             :                            "method %d", method);
     613           0 :                 return -1;
     614             :         }
     615             : 
     616             :         /* msg | Ni | prf(SK_pr,IDr') */
     617          30 :         if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
     618          10 :                                    data->IDr, data->IDr_len, data->IDr_type,
     619           5 :                                    &data->keys, 0, data->shared_secret,
     620             :                                    data->shared_secret_len,
     621           5 :                                    data->i_nonce, data->i_nonce_len,
     622           5 :                                    data->key_pad, data->key_pad_len,
     623             :                                    auth_data) < 0) {
     624           0 :                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
     625           0 :                 return -1;
     626             :         }
     627             : 
     628           5 :         wpabuf_free(data->r_sign_msg);
     629           5 :         data->r_sign_msg = NULL;
     630             : 
     631           5 :         prf = ikev2_get_prf(data->proposal.prf);
     632           5 :         if (prf == NULL)
     633           0 :                 return -1;
     634             : 
     635          10 :         if (auth_len != prf->hash_len ||
     636           5 :             os_memcmp(auth, auth_data, auth_len) != 0) {
     637           0 :                 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
     638           0 :                 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
     639             :                             auth, auth_len);
     640           0 :                 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
     641             :                             auth_data, prf->hash_len);
     642           0 :                 return -1;
     643             :         }
     644             : 
     645           5 :         wpa_printf(MSG_DEBUG, "IKEV2: Peer authenticated successfully "
     646             :                    "using shared keys");
     647             : 
     648           5 :         return 0;
     649             : }
     650             : 
     651             : 
     652           5 : static int ikev2_process_auth(struct ikev2_initiator_data *data,
     653             :                               const u8 *auth, size_t auth_len)
     654             : {
     655             :         u8 auth_method;
     656             : 
     657           5 :         if (auth == NULL) {
     658           0 :                 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
     659           0 :                 return -1;
     660             :         }
     661             : 
     662           5 :         if (auth_len < 4) {
     663           0 :                 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
     664             :                            "Payload");
     665           0 :                 return -1;
     666             :         }
     667             : 
     668           5 :         auth_method = auth[0];
     669           5 :         auth += 4;
     670           5 :         auth_len -= 4;
     671             : 
     672           5 :         wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
     673           5 :         wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
     674             : 
     675           5 :         switch (data->peer_auth) {
     676             :         case PEER_AUTH_CERT:
     677           0 :                 return ikev2_process_auth_cert(data, auth_method, auth,
     678             :                                                auth_len);
     679             :         case PEER_AUTH_SECRET:
     680           5 :                 return ikev2_process_auth_secret(data, auth_method, auth,
     681             :                                                  auth_len);
     682             :         }
     683             : 
     684           0 :         return -1;
     685             : }
     686             : 
     687             : 
     688           6 : static int ikev2_process_sa_auth_decrypted(struct ikev2_initiator_data *data,
     689             :                                            u8 next_payload,
     690             :                                            u8 *payload, size_t payload_len)
     691             : {
     692             :         struct ikev2_payloads pl;
     693             : 
     694           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
     695             : 
     696           6 :         if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
     697             :                                  payload_len) < 0) {
     698           0 :                 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
     699             :                            "payloads");
     700           0 :                 return -1;
     701             :         }
     702             : 
     703          11 :         if (ikev2_process_idr(data, pl.idr, pl.idr_len) < 0 ||
     704          10 :             ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
     705           5 :             ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
     706           1 :                 return -1;
     707             : 
     708           5 :         return 0;
     709             : }
     710             : 
     711             : 
     712           6 : static int ikev2_process_sa_auth(struct ikev2_initiator_data *data,
     713             :                                  const struct ikev2_hdr *hdr,
     714             :                                  struct ikev2_payloads *pl)
     715             : {
     716             :         u8 *decrypted;
     717             :         size_t decrypted_len;
     718             :         int ret;
     719             : 
     720           6 :         decrypted = ikev2_decrypt_payload(data->proposal.encr,
     721             :                                           data->proposal.integ,
     722             :                                           &data->keys, 0, hdr, pl->encrypted,
     723             :                                           pl->encrypted_len, &decrypted_len);
     724           6 :         if (decrypted == NULL)
     725           0 :                 return -1;
     726             : 
     727           6 :         ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
     728             :                                               decrypted, decrypted_len);
     729           6 :         os_free(decrypted);
     730             : 
     731           6 :         if (ret == 0 && !data->unknown_user) {
     732           5 :                 wpa_printf(MSG_DEBUG, "IKEV2: Authentication completed");
     733           5 :                 data->state = IKEV2_DONE;
     734             :         }
     735             : 
     736           6 :         return ret;
     737             : }
     738             : 
     739             : 
     740          12 : static int ikev2_validate_rx_state(struct ikev2_initiator_data *data,
     741             :                                    u8 exchange_type, u32 message_id)
     742             : {
     743          12 :         switch (data->state) {
     744             :         case SA_INIT:
     745             :                 /* Expect to receive IKE_SA_INIT: HDR, SAr, KEr, Nr, [CERTREQ],
     746             :                  * [SK{IDr}] */
     747           6 :                 if (exchange_type != IKE_SA_INIT) {
     748           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
     749             :                                    "%u in SA_INIT state", exchange_type);
     750           0 :                         return -1;
     751             :                 }
     752           6 :                 if (message_id != 0) {
     753           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
     754             :                                    "in SA_INIT state", message_id);
     755           0 :                         return -1;
     756             :                 }
     757           6 :                 break;
     758             :         case SA_AUTH:
     759             :                 /* Expect to receive IKE_SA_AUTH:
     760             :                  * HDR, SK {IDr, [CERT,] [CERTREQ,] [NFID,] AUTH}
     761             :                  */
     762           6 :                 if (exchange_type != IKE_SA_AUTH) {
     763           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
     764             :                                    "%u in SA_AUTH state", exchange_type);
     765           0 :                         return -1;
     766             :                 }
     767           6 :                 if (message_id != 1) {
     768           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
     769             :                                    "in SA_AUTH state", message_id);
     770           0 :                         return -1;
     771             :                 }
     772           6 :                 break;
     773             :         case CHILD_SA:
     774           0 :                 if (exchange_type != CREATE_CHILD_SA) {
     775           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
     776             :                                    "%u in CHILD_SA state", exchange_type);
     777           0 :                         return -1;
     778             :                 }
     779           0 :                 if (message_id != 2) {
     780           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
     781             :                                    "in CHILD_SA state", message_id);
     782           0 :                         return -1;
     783             :                 }
     784           0 :                 break;
     785             :         case IKEV2_DONE:
     786           0 :                 return -1;
     787             :         }
     788             : 
     789          12 :         return 0;
     790             : }
     791             : 
     792             : 
     793          12 : int ikev2_initiator_process(struct ikev2_initiator_data *data,
     794             :                             const struct wpabuf *buf)
     795             : {
     796             :         const struct ikev2_hdr *hdr;
     797             :         u32 length, message_id;
     798             :         const u8 *pos, *end;
     799             :         struct ikev2_payloads pl;
     800             : 
     801          12 :         wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
     802             :                    (unsigned long) wpabuf_len(buf));
     803             : 
     804          12 :         if (wpabuf_len(buf) < sizeof(*hdr)) {
     805           0 :                 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
     806           0 :                 return -1;
     807             :         }
     808             : 
     809          12 :         hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
     810          12 :         end = wpabuf_head_u8(buf) + wpabuf_len(buf);
     811          12 :         message_id = WPA_GET_BE32(hdr->message_id);
     812          12 :         length = WPA_GET_BE32(hdr->length);
     813             : 
     814          12 :         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
     815          12 :                     hdr->i_spi, IKEV2_SPI_LEN);
     816          12 :         wpa_hexdump(MSG_DEBUG, "IKEV2:   IKE_SA Initiator's SPI",
     817          12 :                     hdr->r_spi, IKEV2_SPI_LEN);
     818          36 :         wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Version: 0x%x  "
     819             :                    "Exchange Type: %u",
     820          36 :                    hdr->next_payload, hdr->version, hdr->exchange_type);
     821          12 :         wpa_printf(MSG_DEBUG, "IKEV2:   Message ID: %u  Length: %u",
     822             :                    message_id, length);
     823             : 
     824          12 :         if (hdr->version != IKEV2_VERSION) {
     825           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
     826           0 :                            "(expected 0x%x)", hdr->version, IKEV2_VERSION);
     827           0 :                 return -1;
     828             :         }
     829             : 
     830          12 :         if (length != wpabuf_len(buf)) {
     831           0 :                 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
     832             :                            "RX: %lu)", (unsigned long) length,
     833             :                            (unsigned long) wpabuf_len(buf));
     834           0 :                 return -1;
     835             :         }
     836             : 
     837          12 :         if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
     838           0 :                 return -1;
     839             : 
     840          12 :         if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
     841             :             IKEV2_HDR_RESPONSE) {
     842           0 :                 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
     843           0 :                            hdr->flags);
     844           0 :                 return -1;
     845             :         }
     846             : 
     847          12 :         if (data->state != SA_INIT) {
     848           6 :                 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
     849           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
     850             :                                    "Initiator's SPI");
     851           0 :                         return -1;
     852             :                 }
     853           6 :                 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
     854           0 :                         wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
     855             :                                    "Responder's SPI");
     856           0 :                         return -1;
     857             :                 }
     858             :         }
     859             : 
     860          12 :         pos = (const u8 *) (hdr + 1);
     861          12 :         if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
     862           0 :                 return -1;
     863             : 
     864          12 :         switch (data->state) {
     865             :         case SA_INIT:
     866           6 :                 if (ikev2_process_sa_init(data, hdr, &pl) < 0)
     867           0 :                         return -1;
     868           6 :                 wpabuf_free(data->r_sign_msg);
     869           6 :                 data->r_sign_msg = wpabuf_dup(buf);
     870           6 :                 break;
     871             :         case SA_AUTH:
     872           6 :                 if (ikev2_process_sa_auth(data, hdr, &pl) < 0)
     873           1 :                         return -1;
     874           5 :                 break;
     875             :         case CHILD_SA:
     876             :         case IKEV2_DONE:
     877           0 :                 break;
     878             :         }
     879             : 
     880          11 :         return 0;
     881             : }
     882             : 
     883             : 
     884          12 : static void ikev2_build_hdr(struct ikev2_initiator_data *data,
     885             :                             struct wpabuf *msg, u8 exchange_type,
     886             :                             u8 next_payload, u32 message_id)
     887             : {
     888             :         struct ikev2_hdr *hdr;
     889             : 
     890          12 :         wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
     891             : 
     892             :         /* HDR - RFC 4306, Sect. 3.1 */
     893          12 :         hdr = wpabuf_put(msg, sizeof(*hdr));
     894          12 :         os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
     895          12 :         os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
     896          12 :         hdr->next_payload = next_payload;
     897          12 :         hdr->version = IKEV2_VERSION;
     898          12 :         hdr->exchange_type = exchange_type;
     899          12 :         hdr->flags = IKEV2_HDR_INITIATOR;
     900          12 :         WPA_PUT_BE32(hdr->message_id, message_id);
     901          12 : }
     902             : 
     903             : 
     904           6 : static int ikev2_build_sai(struct ikev2_initiator_data *data,
     905             :                             struct wpabuf *msg, u8 next_payload)
     906             : {
     907             :         struct ikev2_payload_hdr *phdr;
     908             :         size_t plen;
     909             :         struct ikev2_proposal *p;
     910             :         struct ikev2_transform *t;
     911             : 
     912           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Adding SAi payload");
     913             : 
     914             :         /* SAi1 - RFC 4306, Sect. 2.7 and 3.3 */
     915           6 :         phdr = wpabuf_put(msg, sizeof(*phdr));
     916           6 :         phdr->next_payload = next_payload;
     917           6 :         phdr->flags = 0;
     918             : 
     919             :         /* TODO: support for multiple proposals */
     920           6 :         p = wpabuf_put(msg, sizeof(*p));
     921           6 :         p->proposal_num = data->proposal.proposal_num;
     922           6 :         p->protocol_id = IKEV2_PROTOCOL_IKE;
     923           6 :         p->num_transforms = 4;
     924             : 
     925           6 :         t = wpabuf_put(msg, sizeof(*t));
     926           6 :         t->type = 3;
     927           6 :         t->transform_type = IKEV2_TRANSFORM_ENCR;
     928           6 :         WPA_PUT_BE16(t->transform_id, data->proposal.encr);
     929           6 :         if (data->proposal.encr == ENCR_AES_CBC) {
     930             :                 /* Transform Attribute: Key Len = 128 bits */
     931           6 :                 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
     932           6 :                 wpabuf_put_be16(msg, 128); /* 128-bit key */
     933             :         }
     934           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
     935           6 :         WPA_PUT_BE16(t->transform_length, plen);
     936             : 
     937           6 :         t = wpabuf_put(msg, sizeof(*t));
     938           6 :         t->type = 3;
     939           6 :         WPA_PUT_BE16(t->transform_length, sizeof(*t));
     940           6 :         t->transform_type = IKEV2_TRANSFORM_PRF;
     941           6 :         WPA_PUT_BE16(t->transform_id, data->proposal.prf);
     942             : 
     943           6 :         t = wpabuf_put(msg, sizeof(*t));
     944           6 :         t->type = 3;
     945           6 :         WPA_PUT_BE16(t->transform_length, sizeof(*t));
     946           6 :         t->transform_type = IKEV2_TRANSFORM_INTEG;
     947           6 :         WPA_PUT_BE16(t->transform_id, data->proposal.integ);
     948             : 
     949           6 :         t = wpabuf_put(msg, sizeof(*t));
     950           6 :         WPA_PUT_BE16(t->transform_length, sizeof(*t));
     951           6 :         t->transform_type = IKEV2_TRANSFORM_DH;
     952           6 :         WPA_PUT_BE16(t->transform_id, data->proposal.dh);
     953             : 
     954           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
     955           6 :         WPA_PUT_BE16(p->proposal_length, plen);
     956             : 
     957           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
     958           6 :         WPA_PUT_BE16(phdr->payload_length, plen);
     959             : 
     960           6 :         return 0;
     961             : }
     962             : 
     963             : 
     964           6 : static int ikev2_build_kei(struct ikev2_initiator_data *data,
     965             :                            struct wpabuf *msg, u8 next_payload)
     966             : {
     967             :         struct ikev2_payload_hdr *phdr;
     968             :         size_t plen;
     969             :         struct wpabuf *pv;
     970             : 
     971           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Adding KEi payload");
     972             : 
     973           6 :         data->dh = dh_groups_get(data->proposal.dh);
     974           6 :         pv = dh_init(data->dh, &data->i_dh_private);
     975           6 :         if (pv == NULL) {
     976           0 :                 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
     977           0 :                 return -1;
     978             :         }
     979             : 
     980             :         /* KEi - RFC 4306, Sect. 3.4 */
     981           6 :         phdr = wpabuf_put(msg, sizeof(*phdr));
     982           6 :         phdr->next_payload = next_payload;
     983           6 :         phdr->flags = 0;
     984             : 
     985           6 :         wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
     986           6 :         wpabuf_put(msg, 2); /* RESERVED */
     987             :         /*
     988             :          * RFC 4306, Sect. 3.4: possible zero padding for public value to
     989             :          * match the length of the prime.
     990             :          */
     991           6 :         wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
     992           6 :         wpabuf_put_buf(msg, pv);
     993           6 :         wpabuf_free(pv);
     994             : 
     995           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
     996           6 :         WPA_PUT_BE16(phdr->payload_length, plen);
     997           6 :         return 0;
     998             : }
     999             : 
    1000             : 
    1001           6 : static int ikev2_build_ni(struct ikev2_initiator_data *data,
    1002             :                           struct wpabuf *msg, u8 next_payload)
    1003             : {
    1004             :         struct ikev2_payload_hdr *phdr;
    1005             :         size_t plen;
    1006             : 
    1007           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Adding Ni payload");
    1008             : 
    1009             :         /* Ni - RFC 4306, Sect. 3.9 */
    1010           6 :         phdr = wpabuf_put(msg, sizeof(*phdr));
    1011           6 :         phdr->next_payload = next_payload;
    1012           6 :         phdr->flags = 0;
    1013           6 :         wpabuf_put_data(msg, data->i_nonce, data->i_nonce_len);
    1014           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
    1015           6 :         WPA_PUT_BE16(phdr->payload_length, plen);
    1016           6 :         return 0;
    1017             : }
    1018             : 
    1019             : 
    1020           6 : static int ikev2_build_idi(struct ikev2_initiator_data *data,
    1021             :                            struct wpabuf *msg, u8 next_payload)
    1022             : {
    1023             :         struct ikev2_payload_hdr *phdr;
    1024             :         size_t plen;
    1025             : 
    1026           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Adding IDi payload");
    1027             : 
    1028           6 :         if (data->IDi == NULL) {
    1029           0 :                 wpa_printf(MSG_INFO, "IKEV2: No IDi available");
    1030           0 :                 return -1;
    1031             :         }
    1032             : 
    1033             :         /* IDi - RFC 4306, Sect. 3.5 */
    1034           6 :         phdr = wpabuf_put(msg, sizeof(*phdr));
    1035           6 :         phdr->next_payload = next_payload;
    1036           6 :         phdr->flags = 0;
    1037           6 :         wpabuf_put_u8(msg, ID_KEY_ID);
    1038           6 :         wpabuf_put(msg, 3); /* RESERVED */
    1039           6 :         wpabuf_put_data(msg, data->IDi, data->IDi_len);
    1040           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
    1041           6 :         WPA_PUT_BE16(phdr->payload_length, plen);
    1042           6 :         return 0;
    1043             : }
    1044             : 
    1045             : 
    1046           6 : static int ikev2_build_auth(struct ikev2_initiator_data *data,
    1047             :                             struct wpabuf *msg, u8 next_payload)
    1048             : {
    1049             :         struct ikev2_payload_hdr *phdr;
    1050             :         size_t plen;
    1051             :         const struct ikev2_prf_alg *prf;
    1052             : 
    1053           6 :         wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
    1054             : 
    1055           6 :         prf = ikev2_get_prf(data->proposal.prf);
    1056           6 :         if (prf == NULL)
    1057           0 :                 return -1;
    1058             : 
    1059             :         /* Authentication - RFC 4306, Sect. 3.8 */
    1060           6 :         phdr = wpabuf_put(msg, sizeof(*phdr));
    1061           6 :         phdr->next_payload = next_payload;
    1062           6 :         phdr->flags = 0;
    1063           6 :         wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
    1064           6 :         wpabuf_put(msg, 3); /* RESERVED */
    1065             : 
    1066             :         /* msg | Nr | prf(SK_pi,IDi') */
    1067          30 :         if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
    1068           6 :                                    data->IDi, data->IDi_len, ID_KEY_ID,
    1069           6 :                                    &data->keys, 1, data->shared_secret,
    1070             :                                    data->shared_secret_len,
    1071           6 :                                    data->r_nonce, data->r_nonce_len,
    1072           6 :                                    data->key_pad, data->key_pad_len,
    1073           6 :                                    wpabuf_put(msg, prf->hash_len)) < 0) {
    1074           0 :                 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
    1075           0 :                 return -1;
    1076             :         }
    1077           6 :         wpabuf_free(data->i_sign_msg);
    1078           6 :         data->i_sign_msg = NULL;
    1079             : 
    1080           6 :         plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
    1081           6 :         WPA_PUT_BE16(phdr->payload_length, plen);
    1082           6 :         return 0;
    1083             : }
    1084             : 
    1085             : 
    1086           6 : static struct wpabuf * ikev2_build_sa_init(struct ikev2_initiator_data *data)
    1087             : {
    1088             :         struct wpabuf *msg;
    1089             : 
    1090             :         /* build IKE_SA_INIT: HDR, SAi, KEi, Ni */
    1091             : 
    1092           6 :         if (os_get_random(data->i_spi, IKEV2_SPI_LEN))
    1093           0 :                 return NULL;
    1094           6 :         wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
    1095           6 :                     data->i_spi, IKEV2_SPI_LEN);
    1096             : 
    1097           6 :         data->i_nonce_len = IKEV2_NONCE_MIN_LEN;
    1098           6 :         if (random_get_bytes(data->i_nonce, data->i_nonce_len))
    1099           0 :                 return NULL;
    1100           6 :         wpa_hexdump(MSG_DEBUG, "IKEV2: Ni", data->i_nonce, data->i_nonce_len);
    1101             : 
    1102           6 :         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
    1103           6 :         if (msg == NULL)
    1104           0 :                 return NULL;
    1105             : 
    1106           6 :         ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
    1107          12 :         if (ikev2_build_sai(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
    1108          12 :             ikev2_build_kei(data, msg, IKEV2_PAYLOAD_NONCE) ||
    1109           6 :             ikev2_build_ni(data, msg, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
    1110           0 :                 wpabuf_free(msg);
    1111           0 :                 return NULL;
    1112             :         }
    1113             : 
    1114           6 :         ikev2_update_hdr(msg);
    1115             : 
    1116           6 :         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
    1117             : 
    1118           6 :         wpabuf_free(data->i_sign_msg);
    1119           6 :         data->i_sign_msg = wpabuf_dup(msg);
    1120             : 
    1121           6 :         return msg;
    1122             : }
    1123             : 
    1124             : 
    1125           6 : static struct wpabuf * ikev2_build_sa_auth(struct ikev2_initiator_data *data)
    1126             : {
    1127             :         struct wpabuf *msg, *plain;
    1128             :         const u8 *secret;
    1129             :         size_t secret_len;
    1130             : 
    1131           6 :         secret = data->get_shared_secret(data->cb_ctx, data->IDr,
    1132             :                                          data->IDr_len, &secret_len);
    1133           6 :         if (secret == NULL) {
    1134           0 :                 wpa_printf(MSG_INFO, "IKEV2: Could not get shared secret - "
    1135             :                            "use fake value");
    1136             :                 /* RFC 5106, Sect. 7:
    1137             :                  * Use a random key to fake AUTH generation in order to prevent
    1138             :                  * probing of user identities.
    1139             :                  */
    1140           0 :                 data->unknown_user = 1;
    1141           0 :                 os_free(data->shared_secret);
    1142           0 :                 data->shared_secret = os_malloc(16);
    1143           0 :                 if (data->shared_secret == NULL)
    1144           0 :                         return NULL;
    1145           0 :                 data->shared_secret_len = 16;
    1146           0 :                 if (random_get_bytes(data->shared_secret, 16))
    1147           0 :                         return NULL;
    1148             :         } else {
    1149           6 :                 os_free(data->shared_secret);
    1150           6 :                 data->shared_secret = os_malloc(secret_len);
    1151           6 :                 if (data->shared_secret == NULL)
    1152           0 :                         return NULL;
    1153           6 :                 os_memcpy(data->shared_secret, secret, secret_len);
    1154           6 :                 data->shared_secret_len = secret_len;
    1155             :         }
    1156             : 
    1157             :         /* build IKE_SA_AUTH: HDR, SK {IDi, [CERT,] [CERTREQ,] AUTH} */
    1158             : 
    1159           6 :         msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
    1160           6 :         if (msg == NULL)
    1161           0 :                 return NULL;
    1162           6 :         ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
    1163             : 
    1164           6 :         plain = wpabuf_alloc(data->IDr_len + 1000);
    1165           6 :         if (plain == NULL) {
    1166           0 :                 wpabuf_free(msg);
    1167           0 :                 return NULL;
    1168             :         }
    1169             : 
    1170          12 :         if (ikev2_build_idi(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
    1171          12 :             ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
    1172           6 :             ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
    1173             :                                   &data->keys, 1, msg, plain,
    1174             :                                   IKEV2_PAYLOAD_IDi)) {
    1175           0 :                 wpabuf_free(plain);
    1176           0 :                 wpabuf_free(msg);
    1177           0 :                 return NULL;
    1178             :         }
    1179           6 :         wpabuf_free(plain);
    1180             : 
    1181           6 :         wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
    1182             : 
    1183           6 :         return msg;
    1184             : }
    1185             : 
    1186             : 
    1187          12 : struct wpabuf * ikev2_initiator_build(struct ikev2_initiator_data *data)
    1188             : {
    1189          12 :         switch (data->state) {
    1190             :         case SA_INIT:
    1191           6 :                 return ikev2_build_sa_init(data);
    1192             :         case SA_AUTH:
    1193           6 :                 return ikev2_build_sa_auth(data);
    1194             :         case CHILD_SA:
    1195           0 :                 return NULL;
    1196             :         case IKEV2_DONE:
    1197           0 :                 return NULL;
    1198             :         }
    1199           0 :         return NULL;
    1200             : }

Generated by: LCOV version 1.10