static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
u8 method, const u8 *auth,
size_t auth_len)
{
u8 auth_data[IKEV2_MAX_HASH_LEN];
const struct ikev2_prf_alg *prf;
if (method != AUTH_SHARED_KEY_MIC) {
wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
"method %d", method);
return -1;
}
/* msg | Nr | prf(SK_pi,IDi') */
if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
data->IDi, data->IDi_len, data->IDi_type,
&data->keys, 1, data->shared_secret,
data->shared_secret_len,
data->r_nonce, data->r_nonce_len,
data->key_pad, data->key_pad_len,
auth_data) < 0) {
wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
return -1;
}
wpabuf_free(data->i_sign_msg);
data->i_sign_msg = NULL;
prf = ikev2_get_prf(data->proposal.prf);
if (prf == NULL)
return -1;
if (auth_len != prf->hash_len ||
os_memcmp(auth, auth_data, auth_len) != 0) {
wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
auth, auth_len);
wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
auth_data, prf->hash_len);
data->error_type = AUTHENTICATION_FAILED;
data->state = NOTIFY;
return -1;
}
wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
"using shared keys");
return 0;
}
static int ikev2_process_auth_secret(struct ikev2_initiator_data *data,
u8 method, const u8 *auth,
size_t auth_len)
{
u8 auth_data[IKEV2_MAX_HASH_LEN];
const struct ikev2_prf_alg *prf;
if (method != AUTH_SHARED_KEY_MIC) {
asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Unsupported authentication "
"method %d", method);
return -1;
}
/* msg | Ni | prf(SK_pr,IDr') */
if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
data->IDr, data->IDr_len, data->IDr_type,
&data->keys, 0, data->shared_secret,
data->shared_secret_len,
data->i_nonce, data->i_nonce_len,
data->key_pad, data->key_pad_len,
auth_data) < 0) {
asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Could not derive AUTH data");
return -1;
}
wpabuf_free(data->r_sign_msg);
data->r_sign_msg = NULL;
prf = ikev2_get_prf(data->proposal.prf);
if (prf == NULL)
return -1;
if (auth_len != prf->hash_len ||
os_memcmp(auth, auth_data, auth_len) != 0) {
asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Invalid Authentication Data");
wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
auth, auth_len);
wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
auth_data, prf->hash_len);
return -1;
}
asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Peer authenticated successfully "
"using shared keys");
return 0;
}
int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
const u8 *data, size_t data_len,
u8 *out, size_t out_len)
{
u8 hash[IKEV2_MAX_HASH_LEN];
size_t hash_len;
u8 iter, *pos, *end;
const u8 *addr[3];
size_t len[3];
const struct ikev2_prf_alg *prf;
int res;
prf = ikev2_get_prf(alg);
if (prf == NULL)
return -1;
hash_len = prf->hash_len;
addr[0] = hash;
len[0] = hash_len;
addr[1] = data;
len[1] = data_len;
addr[2] = &iter;
len[2] = 1;
pos = out;
end = out + out_len;
iter = 1;
while (pos < end) {
size_t clen;
if (iter == 1)
res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
&len[1], hash);
else
res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
hash);
if (res < 0)
return -1;
clen = hash_len;
if ((int) clen > end - pos)
clen = end - pos;
os_memcpy(pos, hash, clen);
pos += clen;
iter++;
}
return 0;
}
static int ikev2_build_auth(struct ikev2_responder_data *data,
struct wpabuf *msg, u8 next_payload)
{
struct ikev2_payload_hdr *phdr;
size_t plen;
const struct ikev2_prf_alg *prf;
wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
prf = ikev2_get_prf(data->proposal.prf);
if (prf == NULL)
return -1;
/* Authentication - RFC 4306, Sect. 3.8 */
phdr = wpabuf_put(msg, sizeof(*phdr));
phdr->next_payload = next_payload;
phdr->flags = 0;
wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
wpabuf_put(msg, 3); /* RESERVED */
/* msg | Ni | prf(SK_pr,IDr') */
if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
data->IDr, data->IDr_len, ID_KEY_ID,
&data->keys, 0, data->shared_secret,
data->shared_secret_len,
data->i_nonce, data->i_nonce_len,
data->key_pad, data->key_pad_len,
wpabuf_put(msg, prf->hash_len)) < 0) {
wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
return -1;
}
wpabuf_free(data->r_sign_msg);
data->r_sign_msg = NULL;
plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
WPA_PUT_BE16(phdr->payload_length, plen);
return 0;
}
static int ikev2_derive_keys(struct ikev2_responder_data *data)
{
u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
size_t buf_len, pad_len;
struct wpabuf *shared;
const struct ikev2_integ_alg *integ;
const struct ikev2_prf_alg *prf;
const struct ikev2_encr_alg *encr;
int ret;
const u8 *addr[2];
size_t len[2];
/* RFC 4306, Sect. 2.14 */
integ = ikev2_get_integ(data->proposal.integ);
prf = ikev2_get_prf(data->proposal.prf);
encr = ikev2_get_encr(data->proposal.encr);
if (integ == NULL || prf == NULL || encr == NULL) {
wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
return -1;
}
shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
data->dh);
if (shared == NULL)
return -1;
/* Construct Ni | Nr | SPIi | SPIr */
buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
buf = os_malloc(buf_len);
if (buf == NULL) {
wpabuf_free(shared);
return -1;
}
pos = buf;
os_memcpy(pos, data->i_nonce, data->i_nonce_len);
pos += data->i_nonce_len;
os_memcpy(pos, data->r_nonce, data->r_nonce_len);
pos += data->r_nonce_len;
os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
pos += IKEV2_SPI_LEN;
os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
#ifdef CCNS_PL
#if __BYTE_ORDER == __LITTLE_ENDIAN
{
int i;
u8 *tmp = pos - IKEV2_SPI_LEN;
/* Incorrect byte re-ordering on little endian hosts.. */
for (i = 0; i < IKEV2_SPI_LEN; i++)
*tmp++ = data->i_spi[IKEV2_SPI_LEN - 1 - i];
for (i = 0; i < IKEV2_SPI_LEN; i++)
*tmp++ = data->r_spi[IKEV2_SPI_LEN - 1 - i];
}
#endif
#endif /* CCNS_PL */
/* SKEYSEED = prf(Ni | Nr, g^ir) */
/* Use zero-padding per RFC 4306, Sect. 2.14 */
pad_len = data->dh->prime_len - wpabuf_len(shared);
#ifdef CCNS_PL
/* Shared secret is not zero-padded correctly */
pad_len = 0;
#endif /* CCNS_PL */
pad = os_zalloc(pad_len ? pad_len : 1);
if (pad == NULL) {
wpabuf_free(shared);
os_free(buf);
return -1;
}
addr[0] = pad;
len[0] = pad_len;
addr[1] = wpabuf_head(shared);
len[1] = wpabuf_len(shared);
if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
2, addr, len, skeyseed) < 0) {
wpabuf_free(shared);
os_free(buf);
os_free(pad);
return -1;
}
os_free(pad);
wpabuf_free(shared);
/* DH parameters are not needed anymore, so free them */
wpabuf_free(data->i_dh_public);
data->i_dh_public = NULL;
wpabuf_free(data->r_dh_private);
data->r_dh_private = NULL;
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
skeyseed, prf->hash_len);
ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
&data->keys);
os_free(buf);
return ret;
}
static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
const u8 *pos, const u8 *end)
{
int transform_len;
const struct ikev2_transform *t;
u16 transform_id;
const u8 *tend;
if (end - pos < (int) sizeof(*t)) {
wpa_printf(MSG_INFO, "IKEV2: Too short transform");
return -1;
}
t = (const struct ikev2_transform *) pos;
transform_len = WPA_GET_BE16(t->transform_length);
if (transform_len < (int) sizeof(*t) || pos + transform_len > end) {
wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
transform_len);
return -1;
}
tend = pos + transform_len;
transform_id = WPA_GET_BE16(t->transform_id);
wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
"Transform Type: %d Transform ID: %d",
t->type, transform_len, t->transform_type, transform_id);
if (t->type != 0 && t->type != 3) {
wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
return -1;
}
pos = (const u8 *) (t + 1);
if (pos < tend) {
wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
pos, tend - pos);
}
switch (t->transform_type) {
case IKEV2_TRANSFORM_ENCR:
if (ikev2_get_encr(transform_id)) {
if (transform_id == ENCR_AES_CBC) {
if (tend - pos != 4) {
wpa_printf(MSG_DEBUG, "IKEV2: No "
"Transform Attr for AES");
break;
}
#ifdef CCNS_PL
if (WPA_GET_BE16(pos) != 0x001d /* ?? */) {
wpa_printf(MSG_DEBUG, "IKEV2: Not a "
"Key Size attribute for "
"AES");
break;
}
#else /* CCNS_PL */
if (WPA_GET_BE16(pos) != 0x800e) {
wpa_printf(MSG_DEBUG, "IKEV2: Not a "
"Key Size attribute for "
"AES");
break;
}
#endif /* CCNS_PL */
if (WPA_GET_BE16(pos + 2) != 128) {
wpa_printf(MSG_DEBUG, "IKEV2: "
"Unsupported AES key size "
"%d bits",
WPA_GET_BE16(pos + 2));
break;
}
}
prop->encr = transform_id;
}
break;
case IKEV2_TRANSFORM_PRF:
if (ikev2_get_prf(transform_id))
prop->prf = transform_id;
break;
case IKEV2_TRANSFORM_INTEG:
if (ikev2_get_integ(transform_id))
prop->integ = transform_id;
break;
case IKEV2_TRANSFORM_DH:
if (dh_groups_get(transform_id))
prop->dh = transform_id;
break;
}
return transform_len;
}
static int ikev2_derive_keys(struct ikev2_initiator_data *data)
{
u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
size_t buf_len, pad_len;
struct wpabuf *shared;
const struct ikev2_integ_alg *integ;
const struct ikev2_prf_alg *prf;
const struct ikev2_encr_alg *encr;
int ret;
const u8 *addr[2];
size_t len[2];
/* RFC 4306, Sect. 2.14 */
integ = ikev2_get_integ(data->proposal.integ);
prf = ikev2_get_prf(data->proposal.prf);
encr = ikev2_get_encr(data->proposal.encr);
if (integ == NULL || prf == NULL || encr == NULL) {
asd_printf(ASD_DEFAULT,MSG_DEBUG, "IKEV2: Unsupported proposal");
return -1;
}
shared = dh_derive_shared(data->r_dh_public, data->i_dh_private,
data->dh);
if (shared == NULL)
return -1;
/* Construct Ni | Nr | SPIi | SPIr */
buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
buf = os_zalloc(buf_len);
if (buf == NULL) {
wpabuf_free(shared);
return -1;
}
pos = buf;
os_memcpy(pos, data->i_nonce, data->i_nonce_len);
pos += data->i_nonce_len;
os_memcpy(pos, data->r_nonce, data->r_nonce_len);
pos += data->r_nonce_len;
os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
pos += IKEV2_SPI_LEN;
os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
/* SKEYSEED = prf(Ni | Nr, g^ir) */
/* Use zero-padding per RFC 4306, Sect. 2.14 */
pad_len = data->dh->prime_len - wpabuf_len(shared);
pad = os_zalloc(pad_len ? pad_len : 1);
if (pad == NULL) {
wpabuf_free(shared);
os_free(buf);
return -1;
}
addr[0] = pad;
len[0] = pad_len;
addr[1] = wpabuf_head(shared);
len[1] = wpabuf_len(shared);
if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
2, addr, len, skeyseed) < 0) {
wpabuf_free(shared);
os_free(buf);
os_free(pad);
return -1;
}
os_free(pad);
wpabuf_free(shared);
/* DH parameters are not needed anymore, so free them */
wpabuf_free(data->r_dh_public);
data->r_dh_public = NULL;
wpabuf_free(data->i_dh_private);
data->i_dh_private = NULL;
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
skeyseed, prf->hash_len);
ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
&data->keys);
os_free(buf);
return ret;
}
