static int ikev2_process_auth_secret(struct ikev2_responder_data *data, u8 method, const u8 *auth, size_t auth_len) { u8 auth_data[IKEV2_MAX_HASH_LEN]; const struct ikev2_prf_alg *prf; if (method != AUTH_SHARED_KEY_MIC) { wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication " "method %d", method); return -1; } /* msg | Nr | prf(SK_pi,IDi') */ if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg, data->IDi, data->IDi_len, data->IDi_type, &data->keys, 1, data->shared_secret, data->shared_secret_len, data->r_nonce, data->r_nonce_len, data->key_pad, data->key_pad_len, auth_data) < 0) { wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); return -1; } wpabuf_free(data->i_sign_msg); data->i_sign_msg = NULL; prf = ikev2_get_prf(data->proposal.prf); if (prf == NULL) return -1; if (auth_len != prf->hash_len || os_memcmp(auth, auth_data, auth_len) != 0) { wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data"); wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", auth, auth_len); wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", auth_data, prf->hash_len); data->error_type = AUTHENTICATION_FAILED; data->state = NOTIFY; return -1; } wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully " "using shared keys"); return 0; }
static int ikev2_process_auth_secret(struct ikev2_initiator_data *data, u8 method, const u8 *auth, size_t auth_len) { u8 auth_data[IKEV2_MAX_HASH_LEN]; const struct ikev2_prf_alg *prf; if (method != AUTH_SHARED_KEY_MIC) { asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Unsupported authentication " "method %d", method); return -1; } /* msg | Ni | prf(SK_pr,IDr') */ if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, data->IDr, data->IDr_len, data->IDr_type, &data->keys, 0, data->shared_secret, data->shared_secret_len, data->i_nonce, data->i_nonce_len, data->key_pad, data->key_pad_len, auth_data) < 0) { asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Could not derive AUTH data"); return -1; } wpabuf_free(data->r_sign_msg); data->r_sign_msg = NULL; prf = ikev2_get_prf(data->proposal.prf); if (prf == NULL) return -1; if (auth_len != prf->hash_len || os_memcmp(auth, auth_data, auth_len) != 0) { asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Invalid Authentication Data"); wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data", auth, auth_len); wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data", auth_data, prf->hash_len); return -1; } asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Peer authenticated successfully " "using shared keys"); return 0; }
int ikev2_prf_plus(int alg, const u8 *key, size_t key_len, const u8 *data, size_t data_len, u8 *out, size_t out_len) { u8 hash[IKEV2_MAX_HASH_LEN]; size_t hash_len; u8 iter, *pos, *end; const u8 *addr[3]; size_t len[3]; const struct ikev2_prf_alg *prf; int res; prf = ikev2_get_prf(alg); if (prf == NULL) return -1; hash_len = prf->hash_len; addr[0] = hash; len[0] = hash_len; addr[1] = data; len[1] = data_len; addr[2] = &iter; len[2] = 1; pos = out; end = out + out_len; iter = 1; while (pos < end) { size_t clen; if (iter == 1) res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1], &len[1], hash); else res = ikev2_prf_hash(alg, key, key_len, 3, addr, len, hash); if (res < 0) return -1; clen = hash_len; if ((int) clen > end - pos) clen = end - pos; os_memcpy(pos, hash, clen); pos += clen; iter++; } return 0; }
static int ikev2_build_auth(struct ikev2_responder_data *data, struct wpabuf *msg, u8 next_payload) { struct ikev2_payload_hdr *phdr; size_t plen; const struct ikev2_prf_alg *prf; wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload"); prf = ikev2_get_prf(data->proposal.prf); if (prf == NULL) return -1; /* Authentication - RFC 4306, Sect. 3.8 */ phdr = wpabuf_put(msg, sizeof(*phdr)); phdr->next_payload = next_payload; phdr->flags = 0; wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC); wpabuf_put(msg, 3); /* RESERVED */ /* msg | Ni | prf(SK_pr,IDr') */ if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg, data->IDr, data->IDr_len, ID_KEY_ID, &data->keys, 0, data->shared_secret, data->shared_secret_len, data->i_nonce, data->i_nonce_len, data->key_pad, data->key_pad_len, wpabuf_put(msg, prf->hash_len)) < 0) { wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data"); return -1; } wpabuf_free(data->r_sign_msg); data->r_sign_msg = NULL; plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; WPA_PUT_BE16(phdr->payload_length, plen); return 0; }
static int ikev2_derive_keys(struct ikev2_responder_data *data) { u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; size_t buf_len, pad_len; struct wpabuf *shared; const struct ikev2_integ_alg *integ; const struct ikev2_prf_alg *prf; const struct ikev2_encr_alg *encr; int ret; const u8 *addr[2]; size_t len[2]; /* RFC 4306, Sect. 2.14 */ integ = ikev2_get_integ(data->proposal.integ); prf = ikev2_get_prf(data->proposal.prf); encr = ikev2_get_encr(data->proposal.encr); if (integ == NULL || prf == NULL || encr == NULL) { wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal"); return -1; } shared = dh_derive_shared(data->i_dh_public, data->r_dh_private, data->dh); if (shared == NULL) return -1; /* Construct Ni | Nr | SPIi | SPIr */ buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; buf = os_malloc(buf_len); if (buf == NULL) { wpabuf_free(shared); return -1; } pos = buf; os_memcpy(pos, data->i_nonce, data->i_nonce_len); pos += data->i_nonce_len; os_memcpy(pos, data->r_nonce, data->r_nonce_len); pos += data->r_nonce_len; os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); pos += IKEV2_SPI_LEN; os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); #ifdef CCNS_PL #if __BYTE_ORDER == __LITTLE_ENDIAN { int i; u8 *tmp = pos - IKEV2_SPI_LEN; /* Incorrect byte re-ordering on little endian hosts.. */ for (i = 0; i < IKEV2_SPI_LEN; i++) *tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i]; for (i = 0; i < IKEV2_SPI_LEN; i++) *tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i]; } #endif #endif /* CCNS_PL */ /* SKEYSEED = prf(Ni | Nr, g^ir) */ /* Use zero-padding per RFC 4306, Sect. 2.14 */ pad_len = data->dh->prime_len - wpabuf_len(shared); #ifdef CCNS_PL /* Shared secret is not zero-padded correctly */ pad_len = 0; #endif /* CCNS_PL */ pad = os_zalloc(pad_len ? pad_len : 1); if (pad == NULL) { wpabuf_free(shared); os_free(buf); return -1; } addr[0] = pad; len[0] = pad_len; addr[1] = wpabuf_head(shared); len[1] = wpabuf_len(shared); if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 2, addr, len, skeyseed) < 0) { wpabuf_free(shared); os_free(buf); os_free(pad); return -1; } os_free(pad); wpabuf_free(shared); /* DH parameters are not needed anymore, so free them */ wpabuf_free(data->i_dh_public); data->i_dh_public = NULL; wpabuf_free(data->r_dh_private); data->r_dh_private = NULL; wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", skeyseed, prf->hash_len); ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, &data->keys); os_free(buf); return ret; }
static int ikev2_parse_transform(struct ikev2_proposal_data *prop, const u8 *pos, const u8 *end) { int transform_len; const struct ikev2_transform *t; u16 transform_id; const u8 *tend; if (end - pos < (int) sizeof(*t)) { wpa_printf(MSG_INFO, "IKEV2: Too short transform"); return -1; } t = (const struct ikev2_transform *) pos; transform_len = WPA_GET_BE16(t->transform_length); if (transform_len < (int) sizeof(*t) || pos + transform_len > end) { wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d", transform_len); return -1; } tend = pos + transform_len; transform_id = WPA_GET_BE16(t->transform_id); wpa_printf(MSG_DEBUG, "IKEV2: Transform:"); wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d " "Transform Type: %d Transform ID: %d", t->type, transform_len, t->transform_type, transform_id); if (t->type != 0 && t->type != 3) { wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type"); return -1; } pos = (const u8 *) (t + 1); if (pos < tend) { wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes", pos, tend - pos); } switch (t->transform_type) { case IKEV2_TRANSFORM_ENCR: if (ikev2_get_encr(transform_id)) { if (transform_id == ENCR_AES_CBC) { if (tend - pos != 4) { wpa_printf(MSG_DEBUG, "IKEV2: No " "Transform Attr for AES"); break; } #ifdef CCNS_PL if (WPA_GET_BE16(pos) != 0x001d /* ?? */) { wpa_printf(MSG_DEBUG, "IKEV2: Not a " "Key Size attribute for " "AES"); break; } #else /* CCNS_PL */ if (WPA_GET_BE16(pos) != 0x800e) { wpa_printf(MSG_DEBUG, "IKEV2: Not a " "Key Size attribute for " "AES"); break; } #endif /* CCNS_PL */ if (WPA_GET_BE16(pos + 2) != 128) { wpa_printf(MSG_DEBUG, "IKEV2: " "Unsupported AES key size " "%d bits", WPA_GET_BE16(pos + 2)); break; } } prop->encr = transform_id; } break; case IKEV2_TRANSFORM_PRF: if (ikev2_get_prf(transform_id)) prop->prf = transform_id; break; case IKEV2_TRANSFORM_INTEG: if (ikev2_get_integ(transform_id)) prop->integ = transform_id; break; case IKEV2_TRANSFORM_DH: if (dh_groups_get(transform_id)) prop->dh = transform_id; break; } return transform_len; }
static int ikev2_derive_keys(struct ikev2_initiator_data *data) { u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN]; size_t buf_len, pad_len; struct wpabuf *shared; const struct ikev2_integ_alg *integ; const struct ikev2_prf_alg *prf; const struct ikev2_encr_alg *encr; int ret; const u8 *addr[2]; size_t len[2]; /* RFC 4306, Sect. 2.14 */ integ = ikev2_get_integ(data->proposal.integ); prf = ikev2_get_prf(data->proposal.prf); encr = ikev2_get_encr(data->proposal.encr); if (integ == NULL || prf == NULL || encr == NULL) { asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Unsupported proposal"); return -1; } shared = dh_derive_shared(data->r_dh_public, data->i_dh_private, data->dh); if (shared == NULL) return -1; /* Construct Ni | Nr | SPIi | SPIr */ buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN; buf = os_zalloc(buf_len); if (buf == NULL) { wpabuf_free(shared); return -1; } pos = buf; os_memcpy(pos, data->i_nonce, data->i_nonce_len); pos += data->i_nonce_len; os_memcpy(pos, data->r_nonce, data->r_nonce_len); pos += data->r_nonce_len; os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN); pos += IKEV2_SPI_LEN; os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN); /* SKEYSEED = prf(Ni | Nr, g^ir) */ /* Use zero-padding per RFC 4306, Sect. 2.14 */ pad_len = data->dh->prime_len - wpabuf_len(shared); pad = os_zalloc(pad_len ? pad_len : 1); if (pad == NULL) { wpabuf_free(shared); os_free(buf); return -1; } addr[0] = pad; len[0] = pad_len; addr[1] = wpabuf_head(shared); len[1] = wpabuf_len(shared); if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len, 2, addr, len, skeyseed) < 0) { wpabuf_free(shared); os_free(buf); os_free(pad); return -1; } os_free(pad); wpabuf_free(shared); /* DH parameters are not needed anymore, so free them */ wpabuf_free(data->r_dh_public); data->r_dh_public = NULL; wpabuf_free(data->i_dh_private); data->i_dh_private = NULL; wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED", skeyseed, prf->hash_len); ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len, &data->keys); os_free(buf); return ret; }