2008-02-27 20:34:43 -05:00
|
|
|
/*
|
|
|
|
* IKEv2 common routines for initiator and responder
|
|
|
|
* Copyright (c) 2007, Jouni Malinen <j@w1.fi>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
*
|
|
|
|
* Alternatively, this software may be distributed under the terms of BSD
|
|
|
|
* license.
|
|
|
|
*
|
|
|
|
* See README and COPYING for more details.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "includes.h"
|
|
|
|
|
|
|
|
#include "common.h"
|
2009-11-29 16:04:43 -05:00
|
|
|
#include "crypto/crypto.h"
|
|
|
|
#include "crypto/md5.h"
|
|
|
|
#include "crypto/sha1.h"
|
2008-02-27 20:34:43 -05:00
|
|
|
#include "ikev2_common.h"
|
|
|
|
|
|
|
|
|
|
|
|
static struct ikev2_integ_alg ikev2_integ_algs[] = {
|
|
|
|
{ AUTH_HMAC_SHA1_96, 20, 12 },
|
|
|
|
{ AUTH_HMAC_MD5_96, 16, 12 }
|
|
|
|
};
|
|
|
|
|
|
|
|
#define NUM_INTEG_ALGS (sizeof(ikev2_integ_algs) / sizeof(ikev2_integ_algs[0]))
|
|
|
|
|
|
|
|
|
|
|
|
static struct ikev2_prf_alg ikev2_prf_algs[] = {
|
|
|
|
{ PRF_HMAC_SHA1, 20, 20 },
|
|
|
|
{ PRF_HMAC_MD5, 16, 16 }
|
|
|
|
};
|
|
|
|
|
|
|
|
#define NUM_PRF_ALGS (sizeof(ikev2_prf_algs) / sizeof(ikev2_prf_algs[0]))
|
|
|
|
|
|
|
|
|
|
|
|
static struct ikev2_encr_alg ikev2_encr_algs[] = {
|
|
|
|
{ ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
|
|
|
|
{ ENCR_3DES, 24, 8 }
|
|
|
|
};
|
|
|
|
|
|
|
|
#define NUM_ENCR_ALGS (sizeof(ikev2_encr_algs) / sizeof(ikev2_encr_algs[0]))
|
|
|
|
|
|
|
|
|
|
|
|
const struct ikev2_integ_alg * ikev2_get_integ(int id)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
for (i = 0; i < NUM_INTEG_ALGS; i++) {
|
|
|
|
if (ikev2_integ_algs[i].id == id)
|
|
|
|
return &ikev2_integ_algs[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
|
|
|
|
size_t data_len, u8 *hash)
|
|
|
|
{
|
|
|
|
u8 tmphash[IKEV2_MAX_HASH_LEN];
|
|
|
|
|
|
|
|
switch (alg) {
|
|
|
|
case AUTH_HMAC_SHA1_96:
|
|
|
|
if (key_len != 20)
|
|
|
|
return -1;
|
|
|
|
hmac_sha1(key, key_len, data, data_len, tmphash);
|
|
|
|
os_memcpy(hash, tmphash, 12);
|
|
|
|
break;
|
|
|
|
case AUTH_HMAC_MD5_96:
|
|
|
|
if (key_len != 16)
|
|
|
|
return -1;
|
|
|
|
hmac_md5(key, key_len, data, data_len, tmphash);
|
|
|
|
os_memcpy(hash, tmphash, 12);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
const struct ikev2_prf_alg * ikev2_get_prf(int id)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
for (i = 0; i < NUM_PRF_ALGS; i++) {
|
|
|
|
if (ikev2_prf_algs[i].id == id)
|
|
|
|
return &ikev2_prf_algs[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
|
|
|
|
size_t num_elem, const u8 *addr[], const size_t *len,
|
|
|
|
u8 *hash)
|
|
|
|
{
|
|
|
|
switch (alg) {
|
|
|
|
case PRF_HMAC_SHA1:
|
|
|
|
hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
|
|
|
|
break;
|
|
|
|
case PRF_HMAC_MD5:
|
|
|
|
hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
|
|
|
|
const u8 *data, size_t data_len,
|
|
|
|
u8 *out, size_t out_len)
|
|
|
|
{
|
|
|
|
u8 hash[IKEV2_MAX_HASH_LEN];
|
|
|
|
size_t hash_len;
|
|
|
|
u8 iter, *pos, *end;
|
|
|
|
const u8 *addr[3];
|
|
|
|
size_t len[3];
|
|
|
|
const struct ikev2_prf_alg *prf;
|
|
|
|
int res;
|
|
|
|
|
|
|
|
prf = ikev2_get_prf(alg);
|
|
|
|
if (prf == NULL)
|
|
|
|
return -1;
|
|
|
|
hash_len = prf->hash_len;
|
|
|
|
|
|
|
|
addr[0] = hash;
|
|
|
|
len[0] = hash_len;
|
|
|
|
addr[1] = data;
|
|
|
|
len[1] = data_len;
|
|
|
|
addr[2] = &iter;
|
|
|
|
len[2] = 1;
|
|
|
|
|
|
|
|
pos = out;
|
|
|
|
end = out + out_len;
|
|
|
|
iter = 1;
|
|
|
|
while (pos < end) {
|
|
|
|
size_t clen;
|
|
|
|
if (iter == 1)
|
|
|
|
res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
|
|
|
|
&len[1], hash);
|
|
|
|
else
|
|
|
|
res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
|
|
|
|
hash);
|
|
|
|
if (res < 0)
|
|
|
|
return -1;
|
|
|
|
clen = hash_len;
|
|
|
|
if ((int) clen > end - pos)
|
|
|
|
clen = end - pos;
|
|
|
|
os_memcpy(pos, hash, clen);
|
|
|
|
pos += clen;
|
|
|
|
iter++;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
const struct ikev2_encr_alg * ikev2_get_encr(int id)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
for (i = 0; i < NUM_ENCR_ALGS; i++) {
|
|
|
|
if (ikev2_encr_algs[i].id == id)
|
|
|
|
return &ikev2_encr_algs[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef CCNS_PL
|
|
|
|
/* from des.c */
|
|
|
|
struct des3_key_s {
|
|
|
|
u32 ek[3][32];
|
|
|
|
u32 dk[3][32];
|
|
|
|
};
|
|
|
|
|
|
|
|
void des3_key_setup(const u8 *key, struct des3_key_s *dkey);
|
|
|
|
void des3_encrypt(const u8 *plain, const struct des3_key_s *key, u8 *crypt);
|
|
|
|
void des3_decrypt(const u8 *crypt, const struct des3_key_s *key, u8 *plain);
|
|
|
|
#endif /* CCNS_PL */
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
|
|
|
|
const u8 *plain, u8 *crypt, size_t len)
|
|
|
|
{
|
|
|
|
struct crypto_cipher *cipher;
|
|
|
|
int encr_alg;
|
|
|
|
|
|
|
|
#ifdef CCNS_PL
|
|
|
|
if (alg == ENCR_3DES) {
|
|
|
|
struct des3_key_s des3key;
|
|
|
|
size_t i, blocks;
|
|
|
|
u8 *pos;
|
|
|
|
|
|
|
|
/* ECB mode is used incorrectly for 3DES!? */
|
|
|
|
if (key_len != 24) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
des3_key_setup(key, &des3key);
|
|
|
|
|
|
|
|
blocks = len / 8;
|
|
|
|
pos = crypt;
|
|
|
|
for (i = 0; i < blocks; i++) {
|
|
|
|
des3_encrypt(pos, &des3key, pos);
|
|
|
|
pos += 8;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
#endif /* CCNS_PL */
|
|
|
|
switch (alg) {
|
|
|
|
case ENCR_3DES:
|
|
|
|
encr_alg = CRYPTO_CIPHER_ALG_3DES;
|
|
|
|
break;
|
|
|
|
case ENCR_AES_CBC:
|
|
|
|
encr_alg = CRYPTO_CIPHER_ALG_AES;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
|
|
|
|
if (cipher == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
|
|
|
|
crypto_cipher_deinit(cipher);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
crypto_cipher_deinit(cipher);
|
|
|
|
#ifdef CCNS_PL
|
|
|
|
}
|
|
|
|
#endif /* CCNS_PL */
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
|
|
|
|
const u8 *crypt, u8 *plain, size_t len)
|
|
|
|
{
|
|
|
|
struct crypto_cipher *cipher;
|
|
|
|
int encr_alg;
|
|
|
|
|
|
|
|
#ifdef CCNS_PL
|
|
|
|
if (alg == ENCR_3DES) {
|
|
|
|
struct des3_key_s des3key;
|
|
|
|
size_t i, blocks;
|
|
|
|
|
|
|
|
/* ECB mode is used incorrectly for 3DES!? */
|
|
|
|
if (key_len != 24) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
des3_key_setup(key, &des3key);
|
|
|
|
|
|
|
|
if (len % 8) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Invalid encrypted "
|
|
|
|
"length");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
blocks = len / 8;
|
|
|
|
for (i = 0; i < blocks; i++) {
|
|
|
|
des3_decrypt(crypt, &des3key, plain);
|
|
|
|
plain += 8;
|
|
|
|
crypt += 8;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
#endif /* CCNS_PL */
|
|
|
|
switch (alg) {
|
|
|
|
case ENCR_3DES:
|
|
|
|
encr_alg = CRYPTO_CIPHER_ALG_3DES;
|
|
|
|
break;
|
|
|
|
case ENCR_AES_CBC:
|
|
|
|
encr_alg = CRYPTO_CIPHER_ALG_AES;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
|
|
|
|
if (cipher == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
|
|
|
|
crypto_cipher_deinit(cipher);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
crypto_cipher_deinit(cipher);
|
|
|
|
#ifdef CCNS_PL
|
|
|
|
}
|
|
|
|
#endif /* CCNS_PL */
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_parse_payloads(struct ikev2_payloads *payloads,
|
|
|
|
u8 next_payload, const u8 *pos, const u8 *end)
|
|
|
|
{
|
|
|
|
const struct ikev2_payload_hdr *phdr;
|
|
|
|
|
|
|
|
os_memset(payloads, 0, sizeof(*payloads));
|
|
|
|
|
|
|
|
while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
|
|
|
|
int plen, pdatalen;
|
|
|
|
const u8 *pdata;
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
|
|
|
|
next_payload);
|
|
|
|
if (end - pos < (int) sizeof(*phdr)) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Too short message for "
|
|
|
|
"payload header (left=%ld)",
|
|
|
|
(long) (end - pos));
|
|
|
|
}
|
|
|
|
phdr = (const struct ikev2_payload_hdr *) pos;
|
|
|
|
plen = WPA_GET_BE16(phdr->payload_length);
|
|
|
|
if (plen < (int) sizeof(*phdr) || pos + plen > end) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
|
|
|
|
"length %d", plen);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x"
|
|
|
|
" Payload Length: %d",
|
|
|
|
phdr->next_payload, phdr->flags, plen);
|
|
|
|
|
|
|
|
pdata = (const u8 *) (phdr + 1);
|
|
|
|
pdatalen = plen - sizeof(*phdr);
|
|
|
|
|
|
|
|
switch (next_payload) {
|
|
|
|
case IKEV2_PAYLOAD_SA:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security "
|
|
|
|
"Association");
|
|
|
|
payloads->sa = pdata;
|
|
|
|
payloads->sa_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_KEY_EXCHANGE:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key "
|
|
|
|
"Exchange");
|
|
|
|
payloads->ke = pdata;
|
|
|
|
payloads->ke_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_IDi:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi");
|
|
|
|
payloads->idi = pdata;
|
|
|
|
payloads->idi_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_IDr:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr");
|
|
|
|
payloads->idr = pdata;
|
|
|
|
payloads->idr_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_CERTIFICATE:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate");
|
|
|
|
payloads->cert = pdata;
|
|
|
|
payloads->cert_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_AUTHENTICATION:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
|
|
|
|
"Authentication");
|
|
|
|
payloads->auth = pdata;
|
|
|
|
payloads->auth_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_NONCE:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce");
|
|
|
|
payloads->nonce = pdata;
|
|
|
|
payloads->nonce_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_ENCRYPTED:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted");
|
|
|
|
payloads->encrypted = pdata;
|
|
|
|
payloads->encrypted_len = pdatalen;
|
|
|
|
break;
|
|
|
|
case IKEV2_PAYLOAD_NOTIFICATION:
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
|
|
|
|
"Notification");
|
|
|
|
payloads->notification = pdata;
|
|
|
|
payloads->notification_len = pdatalen;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Unsupported "
|
|
|
|
"critical payload %u - reject the "
|
|
|
|
"entire message", next_payload);
|
|
|
|
return -1;
|
|
|
|
} else {
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Skipped "
|
|
|
|
"unsupported payload %u",
|
|
|
|
next_payload);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
|
|
|
|
pos + plen == end) {
|
|
|
|
/*
|
|
|
|
* Next Payload in the case of Encrypted Payload is
|
|
|
|
* actually the payload type for the first embedded
|
|
|
|
* payload.
|
|
|
|
*/
|
|
|
|
payloads->encr_next_payload = phdr->next_payload;
|
|
|
|
next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
|
|
|
|
} else
|
|
|
|
next_payload = phdr->next_payload;
|
|
|
|
|
|
|
|
pos += plen;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (pos != end) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
|
|
|
|
"payloads");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
|
|
|
|
const u8 *ID, size_t ID_len, u8 ID_type,
|
|
|
|
struct ikev2_keys *keys, int initiator,
|
|
|
|
const u8 *shared_secret, size_t shared_secret_len,
|
|
|
|
const u8 *nonce, size_t nonce_len,
|
|
|
|
const u8 *key_pad, size_t key_pad_len,
|
|
|
|
u8 *auth_data)
|
|
|
|
{
|
|
|
|
size_t sign_len, buf_len;
|
|
|
|
u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
|
|
|
|
const struct ikev2_prf_alg *prf;
|
|
|
|
const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
|
|
|
|
|
|
|
|
prf = ikev2_get_prf(prf_alg);
|
|
|
|
if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
|
|
|
|
shared_secret == NULL || nonce == NULL || prf == NULL)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
/* prf(SK_pi/r,IDi/r') */
|
|
|
|
buf_len = 4 + ID_len;
|
|
|
|
buf = os_zalloc(buf_len);
|
|
|
|
if (buf == NULL)
|
|
|
|
return -1;
|
|
|
|
buf[0] = ID_type;
|
|
|
|
os_memcpy(buf + 4, ID, ID_len);
|
|
|
|
if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
|
|
|
|
1, (const u8 **) &buf, &buf_len, hash) < 0) {
|
|
|
|
os_free(buf);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
os_free(buf);
|
|
|
|
|
|
|
|
/* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
|
|
|
|
sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
|
|
|
|
sign_data = os_malloc(sign_len);
|
|
|
|
if (sign_data == NULL)
|
|
|
|
return -1;
|
|
|
|
pos = sign_data;
|
|
|
|
os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
|
|
|
|
pos += wpabuf_len(sign_msg);
|
|
|
|
os_memcpy(pos, nonce, nonce_len);
|
|
|
|
pos += nonce_len;
|
|
|
|
os_memcpy(pos, hash, prf->hash_len);
|
|
|
|
|
|
|
|
/* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
|
|
|
|
if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
|
|
|
|
&key_pad, &key_pad_len, hash) < 0 ||
|
|
|
|
ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
|
|
|
|
(const u8 **) &sign_data, &sign_len, auth_data) < 0)
|
|
|
|
{
|
|
|
|
os_free(sign_data);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
os_free(sign_data);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
|
|
|
|
struct ikev2_keys *keys, int initiator,
|
|
|
|
const struct ikev2_hdr *hdr,
|
|
|
|
const u8 *encrypted, size_t encrypted_len,
|
|
|
|
size_t *res_len)
|
|
|
|
{
|
|
|
|
size_t iv_len;
|
|
|
|
const u8 *pos, *end, *iv, *integ;
|
|
|
|
u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
|
|
|
|
size_t decrypted_len, pad_len;
|
|
|
|
const struct ikev2_integ_alg *integ_alg;
|
|
|
|
const struct ikev2_encr_alg *encr_alg;
|
|
|
|
const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
|
|
|
|
const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
|
|
|
|
|
|
|
|
if (encrypted == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
encr_alg = ikev2_get_encr(encr_id);
|
|
|
|
if (encr_alg == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
iv_len = encr_alg->block_size;
|
|
|
|
|
|
|
|
integ_alg = ikev2_get_integ(integ_id);
|
|
|
|
if (integ_alg == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
|
|
|
|
"Checksum");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
iv = encrypted;
|
|
|
|
pos = iv + iv_len;
|
|
|
|
end = encrypted + encrypted_len;
|
|
|
|
integ = end - integ_alg->hash_len;
|
|
|
|
|
|
|
|
if (SK_a == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
|
|
|
|
(const u8 *) hdr,
|
|
|
|
integ - (const u8 *) hdr, hash) < 0) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
|
|
|
|
"hash");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
if (os_memcmp(integ, hash, integ_alg->hash_len) != 0) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
|
|
|
|
"Data");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (SK_e == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
decrypted_len = integ - pos;
|
|
|
|
decrypted = os_malloc(decrypted_len);
|
|
|
|
if (decrypted == NULL)
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
|
|
|
|
decrypted, decrypted_len) < 0) {
|
|
|
|
os_free(decrypted);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
pad_len = decrypted[decrypted_len - 1];
|
|
|
|
if (decrypted_len < pad_len + 1) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
|
|
|
|
"payload");
|
|
|
|
os_free(decrypted);
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
decrypted_len -= pad_len + 1;
|
|
|
|
|
|
|
|
*res_len = decrypted_len;
|
|
|
|
return decrypted;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void ikev2_update_hdr(struct wpabuf *msg)
|
|
|
|
{
|
|
|
|
struct ikev2_hdr *hdr;
|
|
|
|
|
|
|
|
/* Update lenth field in HDR */
|
|
|
|
hdr = wpabuf_mhead(msg);
|
|
|
|
WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
|
|
|
|
int initiator, struct wpabuf *msg,
|
|
|
|
struct wpabuf *plain, u8 next_payload)
|
|
|
|
{
|
|
|
|
struct ikev2_payload_hdr *phdr;
|
|
|
|
size_t plen;
|
|
|
|
size_t iv_len, pad_len;
|
|
|
|
u8 *icv, *iv;
|
|
|
|
const struct ikev2_integ_alg *integ_alg;
|
|
|
|
const struct ikev2_encr_alg *encr_alg;
|
|
|
|
const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
|
|
|
|
const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
|
|
|
|
|
|
|
|
wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
|
|
|
|
|
|
|
|
/* Encr - RFC 4306, Sect. 3.14 */
|
|
|
|
|
|
|
|
encr_alg = ikev2_get_encr(encr_id);
|
|
|
|
if (encr_alg == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
iv_len = encr_alg->block_size;
|
|
|
|
|
|
|
|
integ_alg = ikev2_get_integ(integ_id);
|
|
|
|
if (integ_alg == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (SK_e == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (SK_a == NULL) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
phdr = wpabuf_put(msg, sizeof(*phdr));
|
|
|
|
phdr->next_payload = next_payload;
|
|
|
|
phdr->flags = 0;
|
|
|
|
|
|
|
|
iv = wpabuf_put(msg, iv_len);
|
|
|
|
if (os_get_random(iv, iv_len)) {
|
|
|
|
wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
|
|
|
|
if (pad_len == iv_len)
|
|
|
|
pad_len = 0;
|
|
|
|
wpabuf_put(plain, pad_len);
|
|
|
|
wpabuf_put_u8(plain, pad_len);
|
|
|
|
|
|
|
|
if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
|
|
|
|
wpabuf_head(plain), wpabuf_mhead(plain),
|
|
|
|
wpabuf_len(plain)) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
wpabuf_put_buf(msg, plain);
|
|
|
|
|
|
|
|
/* Need to update all headers (Length fields) prior to hash func */
|
|
|
|
icv = wpabuf_put(msg, integ_alg->hash_len);
|
|
|
|
plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
|
|
|
|
WPA_PUT_BE16(phdr->payload_length, plen);
|
|
|
|
|
|
|
|
ikev2_update_hdr(msg);
|
|
|
|
|
|
|
|
return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
|
|
|
|
wpabuf_head(msg),
|
|
|
|
wpabuf_len(msg) - integ_alg->hash_len, icv);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_keys_set(struct ikev2_keys *keys)
|
|
|
|
{
|
|
|
|
return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
|
|
|
|
keys->SK_er && keys->SK_pi && keys->SK_pr;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void ikev2_free_keys(struct ikev2_keys *keys)
|
|
|
|
{
|
|
|
|
os_free(keys->SK_d);
|
|
|
|
os_free(keys->SK_ai);
|
|
|
|
os_free(keys->SK_ar);
|
|
|
|
os_free(keys->SK_ei);
|
|
|
|
os_free(keys->SK_er);
|
|
|
|
os_free(keys->SK_pi);
|
|
|
|
os_free(keys->SK_pr);
|
|
|
|
keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
|
|
|
|
keys->SK_pi = keys->SK_pr = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
|
|
|
|
const struct ikev2_integ_alg *integ,
|
|
|
|
const struct ikev2_encr_alg *encr,
|
|
|
|
const u8 *skeyseed, const u8 *data, size_t data_len,
|
|
|
|
struct ikev2_keys *keys)
|
|
|
|
{
|
|
|
|
u8 *keybuf, *pos;
|
|
|
|
size_t keybuf_len;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
|
|
|
|
* prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
|
|
|
|
*/
|
|
|
|
ikev2_free_keys(keys);
|
|
|
|
keys->SK_d_len = prf->key_len;
|
|
|
|
keys->SK_integ_len = integ->key_len;
|
|
|
|
keys->SK_encr_len = encr->key_len;
|
|
|
|
keys->SK_prf_len = prf->key_len;
|
|
|
|
#ifdef CCNS_PL
|
|
|
|
/* Uses encryption key length for SK_d; should be PRF length */
|
|
|
|
keys->SK_d_len = keys->SK_encr_len;
|
|
|
|
#endif /* CCNS_PL */
|
|
|
|
|
|
|
|
keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
|
|
|
|
2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
|
|
|
|
keybuf = os_malloc(keybuf_len);
|
|
|
|
if (keybuf == NULL)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
|
|
|
|
data, data_len, keybuf, keybuf_len)) {
|
|
|
|
os_free(keybuf);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
pos = keybuf;
|
|
|
|
|
|
|
|
keys->SK_d = os_malloc(keys->SK_d_len);
|
|
|
|
if (keys->SK_d) {
|
|
|
|
os_memcpy(keys->SK_d, pos, keys->SK_d_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
|
|
|
|
keys->SK_d, keys->SK_d_len);
|
|
|
|
}
|
|
|
|
pos += keys->SK_d_len;
|
|
|
|
|
|
|
|
keys->SK_ai = os_malloc(keys->SK_integ_len);
|
|
|
|
if (keys->SK_ai) {
|
|
|
|
os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
|
|
|
|
keys->SK_ai, keys->SK_integ_len);
|
|
|
|
}
|
|
|
|
pos += keys->SK_integ_len;
|
|
|
|
|
|
|
|
keys->SK_ar = os_malloc(keys->SK_integ_len);
|
|
|
|
if (keys->SK_ar) {
|
|
|
|
os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
|
|
|
|
keys->SK_ar, keys->SK_integ_len);
|
|
|
|
}
|
|
|
|
pos += keys->SK_integ_len;
|
|
|
|
|
|
|
|
keys->SK_ei = os_malloc(keys->SK_encr_len);
|
|
|
|
if (keys->SK_ei) {
|
|
|
|
os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
|
|
|
|
keys->SK_ei, keys->SK_encr_len);
|
|
|
|
}
|
|
|
|
pos += keys->SK_encr_len;
|
|
|
|
|
|
|
|
keys->SK_er = os_malloc(keys->SK_encr_len);
|
|
|
|
if (keys->SK_er) {
|
|
|
|
os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
|
|
|
|
keys->SK_er, keys->SK_encr_len);
|
|
|
|
}
|
|
|
|
pos += keys->SK_encr_len;
|
|
|
|
|
|
|
|
keys->SK_pi = os_malloc(keys->SK_prf_len);
|
|
|
|
if (keys->SK_pi) {
|
|
|
|
os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
|
|
|
|
keys->SK_pi, keys->SK_prf_len);
|
|
|
|
}
|
|
|
|
pos += keys->SK_prf_len;
|
|
|
|
|
|
|
|
keys->SK_pr = os_malloc(keys->SK_prf_len);
|
|
|
|
if (keys->SK_pr) {
|
|
|
|
os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
|
|
|
|
wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
|
|
|
|
keys->SK_pr, keys->SK_prf_len);
|
|
|
|
}
|
|
|
|
|
|
|
|
os_free(keybuf);
|
|
|
|
|
|
|
|
if (!ikev2_keys_set(keys)) {
|
|
|
|
ikev2_free_keys(keys);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|