1 /*
2 * IKEv2 responder (RFC 4306) for EAP-IKEV2
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/dh_groups.h"
13 #include "crypto/random.h"
14 #include "ikev2.h"
15
16
ikev2_responder_deinit(struct ikev2_responder_data * data)17 void ikev2_responder_deinit(struct ikev2_responder_data *data)
18 {
19 ikev2_free_keys(&data->keys);
20 wpabuf_free(data->i_dh_public);
21 wpabuf_free(data->r_dh_private);
22 os_free(data->IDi);
23 os_free(data->IDr);
24 os_free(data->shared_secret);
25 wpabuf_free(data->i_sign_msg);
26 wpabuf_free(data->r_sign_msg);
27 os_free(data->key_pad);
28 }
29
30
ikev2_derive_keys(struct ikev2_responder_data * data)31 static int ikev2_derive_keys(struct ikev2_responder_data *data)
32 {
33 u8 *buf, *pos, *pad, skeyseed[IKEV2_MAX_HASH_LEN];
34 size_t buf_len, pad_len;
35 struct wpabuf *shared;
36 const struct ikev2_integ_alg *integ;
37 const struct ikev2_prf_alg *prf;
38 const struct ikev2_encr_alg *encr;
39 int ret;
40 const u8 *addr[2];
41 size_t len[2];
42
43 /* RFC 4306, Sect. 2.14 */
44
45 integ = ikev2_get_integ(data->proposal.integ);
46 prf = ikev2_get_prf(data->proposal.prf);
47 encr = ikev2_get_encr(data->proposal.encr);
48 if (integ == NULL || prf == NULL || encr == NULL) {
49 wpa_printf(MSG_INFO, "IKEV2: Unsupported proposal");
50 return -1;
51 }
52
53 shared = dh_derive_shared(data->i_dh_public, data->r_dh_private,
54 data->dh);
55 if (shared == NULL)
56 return -1;
57
58 /* Construct Ni | Nr | SPIi | SPIr */
59
60 buf_len = data->i_nonce_len + data->r_nonce_len + 2 * IKEV2_SPI_LEN;
61 buf = os_malloc(buf_len);
62 if (buf == NULL) {
63 wpabuf_free(shared);
64 return -1;
65 }
66
67 pos = buf;
68 os_memcpy(pos, data->i_nonce, data->i_nonce_len);
69 pos += data->i_nonce_len;
70 os_memcpy(pos, data->r_nonce, data->r_nonce_len);
71 pos += data->r_nonce_len;
72 os_memcpy(pos, data->i_spi, IKEV2_SPI_LEN);
73 pos += IKEV2_SPI_LEN;
74 os_memcpy(pos, data->r_spi, IKEV2_SPI_LEN);
75
76 /* SKEYSEED = prf(Ni | Nr, g^ir) */
77 /* Use zero-padding per RFC 4306, Sect. 2.14 */
78 pad_len = data->dh->prime_len - wpabuf_len(shared);
79 pad = os_zalloc(pad_len ? pad_len : 1);
80 if (pad == NULL) {
81 wpabuf_free(shared);
82 os_free(buf);
83 return -1;
84 }
85
86 addr[0] = pad;
87 len[0] = pad_len;
88 addr[1] = wpabuf_head(shared);
89 len[1] = wpabuf_len(shared);
90 if (ikev2_prf_hash(prf->id, buf, data->i_nonce_len + data->r_nonce_len,
91 2, addr, len, skeyseed) < 0) {
92 wpabuf_free(shared);
93 os_free(buf);
94 os_free(pad);
95 return -1;
96 }
97 os_free(pad);
98 wpabuf_free(shared);
99
100 /* DH parameters are not needed anymore, so free them */
101 wpabuf_free(data->i_dh_public);
102 data->i_dh_public = NULL;
103 wpabuf_free(data->r_dh_private);
104 data->r_dh_private = NULL;
105
106 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SKEYSEED",
107 skeyseed, prf->hash_len);
108
109 ret = ikev2_derive_sk_keys(prf, integ, encr, skeyseed, buf, buf_len,
110 &data->keys);
111 os_free(buf);
112 return ret;
113 }
114
115
ikev2_parse_transform(struct ikev2_proposal_data * prop,const u8 * pos,const u8 * end)116 static int ikev2_parse_transform(struct ikev2_proposal_data *prop,
117 const u8 *pos, const u8 *end)
118 {
119 int transform_len;
120 const struct ikev2_transform *t;
121 u16 transform_id;
122 const u8 *tend;
123
124 if (end - pos < (int) sizeof(*t)) {
125 wpa_printf(MSG_INFO, "IKEV2: Too short transform");
126 return -1;
127 }
128
129 t = (const struct ikev2_transform *) pos;
130 transform_len = WPA_GET_BE16(t->transform_length);
131 if (transform_len < (int) sizeof(*t) || transform_len > end - pos) {
132 wpa_printf(MSG_INFO, "IKEV2: Invalid transform length %d",
133 transform_len);
134 return -1;
135 }
136 tend = pos + transform_len;
137
138 transform_id = WPA_GET_BE16(t->transform_id);
139
140 wpa_printf(MSG_DEBUG, "IKEV2: Transform:");
141 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Transform Length: %d "
142 "Transform Type: %d Transform ID: %d",
143 t->type, transform_len, t->transform_type, transform_id);
144
145 if (t->type != 0 && t->type != 3) {
146 wpa_printf(MSG_INFO, "IKEV2: Unexpected Transform type");
147 return -1;
148 }
149
150 pos = (const u8 *) (t + 1);
151 if (pos < tend) {
152 wpa_hexdump(MSG_DEBUG, "IKEV2: Transform Attributes",
153 pos, tend - pos);
154 }
155
156 switch (t->transform_type) {
157 case IKEV2_TRANSFORM_ENCR:
158 if (ikev2_get_encr(transform_id)) {
159 if (transform_id == ENCR_AES_CBC) {
160 if (tend - pos != 4) {
161 wpa_printf(MSG_DEBUG, "IKEV2: No "
162 "Transform Attr for AES");
163 break;
164 }
165 if (WPA_GET_BE16(pos) != 0x800e) {
166 wpa_printf(MSG_DEBUG, "IKEV2: Not a "
167 "Key Size attribute for "
168 "AES");
169 break;
170 }
171 if (WPA_GET_BE16(pos + 2) != 128) {
172 wpa_printf(MSG_DEBUG, "IKEV2: "
173 "Unsupported AES key size "
174 "%d bits",
175 WPA_GET_BE16(pos + 2));
176 break;
177 }
178 }
179 prop->encr = transform_id;
180 }
181 break;
182 case IKEV2_TRANSFORM_PRF:
183 if (ikev2_get_prf(transform_id))
184 prop->prf = transform_id;
185 break;
186 case IKEV2_TRANSFORM_INTEG:
187 if (ikev2_get_integ(transform_id))
188 prop->integ = transform_id;
189 break;
190 case IKEV2_TRANSFORM_DH:
191 if (dh_groups_get(transform_id))
192 prop->dh = transform_id;
193 break;
194 }
195
196 return transform_len;
197 }
198
199
ikev2_parse_proposal(struct ikev2_proposal_data * prop,const u8 * pos,const u8 * end)200 static int ikev2_parse_proposal(struct ikev2_proposal_data *prop,
201 const u8 *pos, const u8 *end)
202 {
203 const u8 *pend, *ppos;
204 int proposal_len;
205 unsigned int i, num;
206 const struct ikev2_proposal *p;
207
208 if (end - pos < (int) sizeof(*p)) {
209 wpa_printf(MSG_INFO, "IKEV2: Too short proposal");
210 return -1;
211 }
212
213 /* FIX: AND processing if multiple proposals use the same # */
214
215 p = (const struct ikev2_proposal *) pos;
216 proposal_len = WPA_GET_BE16(p->proposal_length);
217 if (proposal_len < (int) sizeof(*p) || proposal_len > end - pos) {
218 wpa_printf(MSG_INFO, "IKEV2: Invalid proposal length %d",
219 proposal_len);
220 return -1;
221 }
222 wpa_printf(MSG_DEBUG, "IKEV2: SAi1 Proposal # %d",
223 p->proposal_num);
224 wpa_printf(MSG_DEBUG, "IKEV2: Type: %d Proposal Length: %d "
225 " Protocol ID: %d",
226 p->type, proposal_len, p->protocol_id);
227 wpa_printf(MSG_DEBUG, "IKEV2: SPI Size: %d Transforms: %d",
228 p->spi_size, p->num_transforms);
229
230 if (p->type != 0 && p->type != 2) {
231 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal type");
232 return -1;
233 }
234
235 if (p->protocol_id != IKEV2_PROTOCOL_IKE) {
236 wpa_printf(MSG_DEBUG, "IKEV2: Unexpected Protocol ID "
237 "(only IKE allowed for EAP-IKEv2)");
238 return -1;
239 }
240
241 if (p->proposal_num != prop->proposal_num) {
242 if (p->proposal_num == prop->proposal_num + 1)
243 prop->proposal_num = p->proposal_num;
244 else {
245 wpa_printf(MSG_INFO, "IKEV2: Unexpected Proposal #");
246 return -1;
247 }
248 }
249
250 ppos = (const u8 *) (p + 1);
251 pend = pos + proposal_len;
252 if (p->spi_size > pend - ppos) {
253 wpa_printf(MSG_INFO, "IKEV2: Not enough room for SPI "
254 "in proposal");
255 return -1;
256 }
257 if (p->spi_size) {
258 wpa_hexdump(MSG_DEBUG, "IKEV2: SPI",
259 ppos, p->spi_size);
260 ppos += p->spi_size;
261 }
262
263 /*
264 * For initial IKE_SA negotiation, SPI Size MUST be zero; for
265 * subsequent negotiations, it must be 8 for IKE. We only support
266 * initial case for now.
267 */
268 if (p->spi_size != 0) {
269 wpa_printf(MSG_INFO, "IKEV2: Unexpected SPI Size");
270 return -1;
271 }
272
273 num = p->num_transforms;
274 if (num == 0 || num > 255) {
275 wpa_printf(MSG_INFO, "IKEV2: At least one transform required");
276 return -1;
277 }
278
279 for (i = 0; i < num; i++) {
280 int tlen = ikev2_parse_transform(prop, ppos, pend);
281 if (tlen < 0)
282 return -1;
283 ppos += tlen;
284 }
285
286 if (ppos != pend) {
287 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after "
288 "transforms");
289 return -1;
290 }
291
292 return proposal_len;
293 }
294
295
ikev2_process_sai1(struct ikev2_responder_data * data,const u8 * sai1,size_t sai1_len)296 static int ikev2_process_sai1(struct ikev2_responder_data *data,
297 const u8 *sai1, size_t sai1_len)
298 {
299 struct ikev2_proposal_data prop;
300 const u8 *pos, *end;
301 int found = 0;
302
303 /* Security Association Payloads: <Proposals> */
304
305 if (sai1 == NULL) {
306 wpa_printf(MSG_INFO, "IKEV2: SAi1 not received");
307 return -1;
308 }
309
310 os_memset(&prop, 0, sizeof(prop));
311 prop.proposal_num = 1;
312
313 pos = sai1;
314 end = sai1 + sai1_len;
315
316 while (pos < end) {
317 int plen;
318
319 prop.integ = -1;
320 prop.prf = -1;
321 prop.encr = -1;
322 prop.dh = -1;
323 plen = ikev2_parse_proposal(&prop, pos, end);
324 if (plen < 0)
325 return -1;
326
327 if (!found && prop.integ != -1 && prop.prf != -1 &&
328 prop.encr != -1 && prop.dh != -1) {
329 os_memcpy(&data->proposal, &prop, sizeof(prop));
330 data->dh = dh_groups_get(prop.dh);
331 found = 1;
332 }
333
334 pos += plen;
335 }
336
337 if (pos != end) {
338 wpa_printf(MSG_INFO, "IKEV2: Unexpected data after proposals");
339 return -1;
340 }
341
342 if (!found) {
343 wpa_printf(MSG_INFO, "IKEV2: No acceptable proposal found");
344 return -1;
345 }
346
347 wpa_printf(MSG_DEBUG, "IKEV2: Accepted proposal #%d: ENCR:%d PRF:%d "
348 "INTEG:%d D-H:%d", data->proposal.proposal_num,
349 data->proposal.encr, data->proposal.prf,
350 data->proposal.integ, data->proposal.dh);
351
352 return 0;
353 }
354
355
ikev2_process_kei(struct ikev2_responder_data * data,const u8 * kei,size_t kei_len)356 static int ikev2_process_kei(struct ikev2_responder_data *data,
357 const u8 *kei, size_t kei_len)
358 {
359 u16 group;
360
361 /*
362 * Key Exchange Payload:
363 * DH Group # (16 bits)
364 * RESERVED (16 bits)
365 * Key Exchange Data (Diffie-Hellman public value)
366 */
367
368 if (kei == NULL) {
369 wpa_printf(MSG_INFO, "IKEV2: KEi not received");
370 return -1;
371 }
372
373 if (kei_len < 4 + 96) {
374 wpa_printf(MSG_INFO, "IKEV2: Too short Key Exchange Payload");
375 return -1;
376 }
377
378 group = WPA_GET_BE16(kei);
379 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u", group);
380
381 if (group != data->proposal.dh) {
382 wpa_printf(MSG_DEBUG, "IKEV2: KEi DH Group #%u does not match "
383 "with the selected proposal (%u)",
384 group, data->proposal.dh);
385 /* Reject message with Notify payload of type
386 * INVALID_KE_PAYLOAD (RFC 4306, Sect. 3.4) */
387 data->error_type = INVALID_KE_PAYLOAD;
388 data->state = NOTIFY;
389 return -1;
390 }
391
392 if (data->dh == NULL) {
393 wpa_printf(MSG_INFO, "IKEV2: Unsupported DH group");
394 return -1;
395 }
396
397 /* RFC 4306, Section 3.4:
398 * The length of DH public value MUST be equal to the length of the
399 * prime modulus.
400 */
401 if (kei_len - 4 != data->dh->prime_len) {
402 wpa_printf(MSG_INFO, "IKEV2: Invalid DH public value length "
403 "%ld (expected %ld)",
404 (long) (kei_len - 4), (long) data->dh->prime_len);
405 return -1;
406 }
407
408 wpabuf_free(data->i_dh_public);
409 data->i_dh_public = wpabuf_alloc(kei_len - 4);
410 if (data->i_dh_public == NULL)
411 return -1;
412 wpabuf_put_data(data->i_dh_public, kei + 4, kei_len - 4);
413
414 wpa_hexdump_buf(MSG_DEBUG, "IKEV2: KEi Diffie-Hellman Public Value",
415 data->i_dh_public);
416
417 return 0;
418 }
419
420
ikev2_process_ni(struct ikev2_responder_data * data,const u8 * ni,size_t ni_len)421 static int ikev2_process_ni(struct ikev2_responder_data *data,
422 const u8 *ni, size_t ni_len)
423 {
424 if (ni == NULL) {
425 wpa_printf(MSG_INFO, "IKEV2: Ni not received");
426 return -1;
427 }
428
429 if (ni_len < IKEV2_NONCE_MIN_LEN || ni_len > IKEV2_NONCE_MAX_LEN) {
430 wpa_printf(MSG_INFO, "IKEV2: Invalid Ni length %ld",
431 (long) ni_len);
432 return -1;
433 }
434
435 data->i_nonce_len = ni_len;
436 os_memcpy(data->i_nonce, ni, ni_len);
437 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Ni",
438 data->i_nonce, data->i_nonce_len);
439
440 return 0;
441 }
442
443
ikev2_process_sa_init(struct ikev2_responder_data * data,const struct ikev2_hdr * hdr,struct ikev2_payloads * pl)444 static int ikev2_process_sa_init(struct ikev2_responder_data *data,
445 const struct ikev2_hdr *hdr,
446 struct ikev2_payloads *pl)
447 {
448 if (ikev2_process_sai1(data, pl->sa, pl->sa_len) < 0 ||
449 ikev2_process_kei(data, pl->ke, pl->ke_len) < 0 ||
450 ikev2_process_ni(data, pl->nonce, pl->nonce_len) < 0)
451 return -1;
452
453 os_memcpy(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN);
454
455 return 0;
456 }
457
458
ikev2_process_idi(struct ikev2_responder_data * data,const u8 * idi,size_t idi_len)459 static int ikev2_process_idi(struct ikev2_responder_data *data,
460 const u8 *idi, size_t idi_len)
461 {
462 u8 id_type;
463
464 if (idi == NULL) {
465 wpa_printf(MSG_INFO, "IKEV2: No IDi received");
466 return -1;
467 }
468
469 if (idi_len < 4) {
470 wpa_printf(MSG_INFO, "IKEV2: Too short IDi payload");
471 return -1;
472 }
473
474 id_type = idi[0];
475 idi += 4;
476 idi_len -= 4;
477
478 wpa_printf(MSG_DEBUG, "IKEV2: IDi ID Type %d", id_type);
479 wpa_hexdump_ascii(MSG_DEBUG, "IKEV2: IDi", idi, idi_len);
480 os_free(data->IDi);
481 data->IDi = os_memdup(idi, idi_len);
482 if (data->IDi == NULL)
483 return -1;
484 data->IDi_len = idi_len;
485 data->IDi_type = id_type;
486
487 return 0;
488 }
489
490
ikev2_process_cert(struct ikev2_responder_data * data,const u8 * cert,size_t cert_len)491 static int ikev2_process_cert(struct ikev2_responder_data *data,
492 const u8 *cert, size_t cert_len)
493 {
494 u8 cert_encoding;
495
496 if (cert == NULL) {
497 if (data->peer_auth == PEER_AUTH_CERT) {
498 wpa_printf(MSG_INFO, "IKEV2: No Certificate received");
499 return -1;
500 }
501 return 0;
502 }
503
504 if (cert_len < 1) {
505 wpa_printf(MSG_INFO, "IKEV2: No Cert Encoding field");
506 return -1;
507 }
508
509 cert_encoding = cert[0];
510 cert++;
511 cert_len--;
512
513 wpa_printf(MSG_DEBUG, "IKEV2: Cert Encoding %d", cert_encoding);
514 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Certificate Data", cert, cert_len);
515
516 /* TODO: validate certificate */
517
518 return 0;
519 }
520
521
ikev2_process_auth_cert(struct ikev2_responder_data * data,u8 method,const u8 * auth,size_t auth_len)522 static int ikev2_process_auth_cert(struct ikev2_responder_data *data,
523 u8 method, const u8 *auth, size_t auth_len)
524 {
525 if (method != AUTH_RSA_SIGN) {
526 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
527 "method %d", method);
528 return -1;
529 }
530
531 /* TODO: validate AUTH */
532 return 0;
533 }
534
535
ikev2_process_auth_secret(struct ikev2_responder_data * data,u8 method,const u8 * auth,size_t auth_len)536 static int ikev2_process_auth_secret(struct ikev2_responder_data *data,
537 u8 method, const u8 *auth,
538 size_t auth_len)
539 {
540 u8 auth_data[IKEV2_MAX_HASH_LEN];
541 const struct ikev2_prf_alg *prf;
542
543 if (method != AUTH_SHARED_KEY_MIC) {
544 wpa_printf(MSG_INFO, "IKEV2: Unsupported authentication "
545 "method %d", method);
546 return -1;
547 }
548
549 /* msg | Nr | prf(SK_pi,IDi') */
550 if (ikev2_derive_auth_data(data->proposal.prf, data->i_sign_msg,
551 data->IDi, data->IDi_len, data->IDi_type,
552 &data->keys, 1, data->shared_secret,
553 data->shared_secret_len,
554 data->r_nonce, data->r_nonce_len,
555 data->key_pad, data->key_pad_len,
556 auth_data) < 0) {
557 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
558 return -1;
559 }
560
561 wpabuf_free(data->i_sign_msg);
562 data->i_sign_msg = NULL;
563
564 prf = ikev2_get_prf(data->proposal.prf);
565 if (prf == NULL)
566 return -1;
567
568 if (auth_len != prf->hash_len ||
569 os_memcmp_const(auth, auth_data, auth_len) != 0) {
570 wpa_printf(MSG_INFO, "IKEV2: Invalid Authentication Data");
571 wpa_hexdump(MSG_DEBUG, "IKEV2: Received Authentication Data",
572 auth, auth_len);
573 wpa_hexdump(MSG_DEBUG, "IKEV2: Expected Authentication Data",
574 auth_data, prf->hash_len);
575 data->error_type = AUTHENTICATION_FAILED;
576 data->state = NOTIFY;
577 return -1;
578 }
579
580 wpa_printf(MSG_DEBUG, "IKEV2: Server authenticated successfully "
581 "using shared keys");
582
583 return 0;
584 }
585
586
ikev2_process_auth(struct ikev2_responder_data * data,const u8 * auth,size_t auth_len)587 static int ikev2_process_auth(struct ikev2_responder_data *data,
588 const u8 *auth, size_t auth_len)
589 {
590 u8 auth_method;
591
592 if (auth == NULL) {
593 wpa_printf(MSG_INFO, "IKEV2: No Authentication Payload");
594 return -1;
595 }
596
597 if (auth_len < 4) {
598 wpa_printf(MSG_INFO, "IKEV2: Too short Authentication "
599 "Payload");
600 return -1;
601 }
602
603 auth_method = auth[0];
604 auth += 4;
605 auth_len -= 4;
606
607 wpa_printf(MSG_DEBUG, "IKEV2: Auth Method %d", auth_method);
608 wpa_hexdump(MSG_MSGDUMP, "IKEV2: Authentication Data", auth, auth_len);
609
610 switch (data->peer_auth) {
611 case PEER_AUTH_CERT:
612 return ikev2_process_auth_cert(data, auth_method, auth,
613 auth_len);
614 case PEER_AUTH_SECRET:
615 return ikev2_process_auth_secret(data, auth_method, auth,
616 auth_len);
617 }
618
619 return -1;
620 }
621
622
ikev2_process_sa_auth_decrypted(struct ikev2_responder_data * data,u8 next_payload,u8 * payload,size_t payload_len)623 static int ikev2_process_sa_auth_decrypted(struct ikev2_responder_data *data,
624 u8 next_payload,
625 u8 *payload, size_t payload_len)
626 {
627 struct ikev2_payloads pl;
628
629 wpa_printf(MSG_DEBUG, "IKEV2: Processing decrypted payloads");
630
631 if (ikev2_parse_payloads(&pl, next_payload, payload, payload +
632 payload_len) < 0) {
633 wpa_printf(MSG_INFO, "IKEV2: Failed to parse decrypted "
634 "payloads");
635 return -1;
636 }
637
638 if (ikev2_process_idi(data, pl.idi, pl.idi_len) < 0 ||
639 ikev2_process_cert(data, pl.cert, pl.cert_len) < 0 ||
640 ikev2_process_auth(data, pl.auth, pl.auth_len) < 0)
641 return -1;
642
643 return 0;
644 }
645
646
ikev2_process_sa_auth(struct ikev2_responder_data * data,const struct ikev2_hdr * hdr,struct ikev2_payloads * pl)647 static int ikev2_process_sa_auth(struct ikev2_responder_data *data,
648 const struct ikev2_hdr *hdr,
649 struct ikev2_payloads *pl)
650 {
651 u8 *decrypted;
652 size_t decrypted_len;
653 int ret;
654
655 decrypted = ikev2_decrypt_payload(data->proposal.encr,
656 data->proposal.integ,
657 &data->keys, 1, hdr, pl->encrypted,
658 pl->encrypted_len, &decrypted_len);
659 if (decrypted == NULL)
660 return -1;
661
662 ret = ikev2_process_sa_auth_decrypted(data, pl->encr_next_payload,
663 decrypted, decrypted_len);
664 os_free(decrypted);
665
666 return ret;
667 }
668
669
ikev2_validate_rx_state(struct ikev2_responder_data * data,u8 exchange_type,u32 message_id)670 static int ikev2_validate_rx_state(struct ikev2_responder_data *data,
671 u8 exchange_type, u32 message_id)
672 {
673 switch (data->state) {
674 case SA_INIT:
675 /* Expect to receive IKE_SA_INIT: HDR, SAi1, KEi, Ni */
676 if (exchange_type != IKE_SA_INIT) {
677 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
678 "%u in SA_INIT state", exchange_type);
679 return -1;
680 }
681 if (message_id != 0) {
682 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
683 "in SA_INIT state", message_id);
684 return -1;
685 }
686 break;
687 case SA_AUTH:
688 /* Expect to receive IKE_SA_AUTH:
689 * HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,]
690 * AUTH, SAi2, TSi, TSr}
691 */
692 if (exchange_type != IKE_SA_AUTH) {
693 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
694 "%u in SA_AUTH state", exchange_type);
695 return -1;
696 }
697 if (message_id != 1) {
698 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
699 "in SA_AUTH state", message_id);
700 return -1;
701 }
702 break;
703 case CHILD_SA:
704 if (exchange_type != CREATE_CHILD_SA) {
705 wpa_printf(MSG_INFO, "IKEV2: Unexpected Exchange Type "
706 "%u in CHILD_SA state", exchange_type);
707 return -1;
708 }
709 if (message_id != 2) {
710 wpa_printf(MSG_INFO, "IKEV2: Unexpected Message ID %u "
711 "in CHILD_SA state", message_id);
712 return -1;
713 }
714 break;
715 case NOTIFY:
716 case IKEV2_DONE:
717 case IKEV2_FAILED:
718 return -1;
719 }
720
721 return 0;
722 }
723
724
ikev2_responder_process(struct ikev2_responder_data * data,const struct wpabuf * buf)725 int ikev2_responder_process(struct ikev2_responder_data *data,
726 const struct wpabuf *buf)
727 {
728 const struct ikev2_hdr *hdr;
729 u32 length, message_id;
730 const u8 *pos, *end;
731 struct ikev2_payloads pl;
732
733 wpa_printf(MSG_MSGDUMP, "IKEV2: Received message (len %lu)",
734 (unsigned long) wpabuf_len(buf));
735
736 if (wpabuf_len(buf) < sizeof(*hdr)) {
737 wpa_printf(MSG_INFO, "IKEV2: Too short frame to include HDR");
738 return -1;
739 }
740
741 data->error_type = 0;
742 hdr = (const struct ikev2_hdr *) wpabuf_head(buf);
743 end = wpabuf_head_u8(buf) + wpabuf_len(buf);
744 message_id = WPA_GET_BE32(hdr->message_id);
745 length = WPA_GET_BE32(hdr->length);
746
747 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Initiator's SPI",
748 hdr->i_spi, IKEV2_SPI_LEN);
749 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
750 hdr->r_spi, IKEV2_SPI_LEN);
751 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Version: 0x%x "
752 "Exchange Type: %u",
753 hdr->next_payload, hdr->version, hdr->exchange_type);
754 wpa_printf(MSG_DEBUG, "IKEV2: Message ID: %u Length: %u",
755 message_id, length);
756
757 if (hdr->version != IKEV2_VERSION) {
758 wpa_printf(MSG_INFO, "IKEV2: Unsupported HDR version 0x%x "
759 "(expected 0x%x)", hdr->version, IKEV2_VERSION);
760 return -1;
761 }
762
763 if (length != wpabuf_len(buf)) {
764 wpa_printf(MSG_INFO, "IKEV2: Invalid length (HDR: %lu != "
765 "RX: %lu)", (unsigned long) length,
766 (unsigned long) wpabuf_len(buf));
767 return -1;
768 }
769
770 if (ikev2_validate_rx_state(data, hdr->exchange_type, message_id) < 0)
771 return -1;
772
773 if ((hdr->flags & (IKEV2_HDR_INITIATOR | IKEV2_HDR_RESPONSE)) !=
774 IKEV2_HDR_INITIATOR) {
775 wpa_printf(MSG_INFO, "IKEV2: Unexpected Flags value 0x%x",
776 hdr->flags);
777 return -1;
778 }
779
780 if (data->state != SA_INIT) {
781 if (os_memcmp(data->i_spi, hdr->i_spi, IKEV2_SPI_LEN) != 0) {
782 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
783 "Initiator's SPI");
784 return -1;
785 }
786 if (os_memcmp(data->r_spi, hdr->r_spi, IKEV2_SPI_LEN) != 0) {
787 wpa_printf(MSG_INFO, "IKEV2: Unexpected IKE_SA "
788 "Responder's SPI");
789 return -1;
790 }
791 }
792
793 pos = (const u8 *) (hdr + 1);
794 if (ikev2_parse_payloads(&pl, hdr->next_payload, pos, end) < 0)
795 return -1;
796
797 if (data->state == SA_INIT) {
798 data->last_msg = LAST_MSG_SA_INIT;
799 if (ikev2_process_sa_init(data, hdr, &pl) < 0) {
800 if (data->state == NOTIFY)
801 return 0;
802 return -1;
803 }
804 wpabuf_free(data->i_sign_msg);
805 data->i_sign_msg = wpabuf_dup(buf);
806 }
807
808 if (data->state == SA_AUTH) {
809 data->last_msg = LAST_MSG_SA_AUTH;
810 if (ikev2_process_sa_auth(data, hdr, &pl) < 0) {
811 if (data->state == NOTIFY)
812 return 0;
813 return -1;
814 }
815 }
816
817 return 0;
818 }
819
820
ikev2_build_hdr(struct ikev2_responder_data * data,struct wpabuf * msg,u8 exchange_type,u8 next_payload,u32 message_id)821 static void ikev2_build_hdr(struct ikev2_responder_data *data,
822 struct wpabuf *msg, u8 exchange_type,
823 u8 next_payload, u32 message_id)
824 {
825 struct ikev2_hdr *hdr;
826
827 wpa_printf(MSG_DEBUG, "IKEV2: Adding HDR");
828
829 /* HDR - RFC 4306, Sect. 3.1 */
830 hdr = wpabuf_put(msg, sizeof(*hdr));
831 os_memcpy(hdr->i_spi, data->i_spi, IKEV2_SPI_LEN);
832 os_memcpy(hdr->r_spi, data->r_spi, IKEV2_SPI_LEN);
833 hdr->next_payload = next_payload;
834 hdr->version = IKEV2_VERSION;
835 hdr->exchange_type = exchange_type;
836 hdr->flags = IKEV2_HDR_RESPONSE;
837 WPA_PUT_BE32(hdr->message_id, message_id);
838 }
839
840
ikev2_build_sar1(struct ikev2_responder_data * data,struct wpabuf * msg,u8 next_payload)841 static int ikev2_build_sar1(struct ikev2_responder_data *data,
842 struct wpabuf *msg, u8 next_payload)
843 {
844 struct ikev2_payload_hdr *phdr;
845 size_t plen;
846 struct ikev2_proposal *p;
847 struct ikev2_transform *t;
848
849 wpa_printf(MSG_DEBUG, "IKEV2: Adding SAr1 payload");
850
851 /* SAr1 - RFC 4306, Sect. 2.7 and 3.3 */
852 phdr = wpabuf_put(msg, sizeof(*phdr));
853 phdr->next_payload = next_payload;
854 phdr->flags = 0;
855
856 p = wpabuf_put(msg, sizeof(*p));
857 p->proposal_num = data->proposal.proposal_num;
858 p->protocol_id = IKEV2_PROTOCOL_IKE;
859 p->num_transforms = 4;
860
861 t = wpabuf_put(msg, sizeof(*t));
862 t->type = 3;
863 t->transform_type = IKEV2_TRANSFORM_ENCR;
864 WPA_PUT_BE16(t->transform_id, data->proposal.encr);
865 if (data->proposal.encr == ENCR_AES_CBC) {
866 /* Transform Attribute: Key Len = 128 bits */
867 wpabuf_put_be16(msg, 0x800e); /* AF=1, AttrType=14 */
868 wpabuf_put_be16(msg, 128); /* 128-bit key */
869 }
870 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) t;
871 WPA_PUT_BE16(t->transform_length, plen);
872
873 t = wpabuf_put(msg, sizeof(*t));
874 t->type = 3;
875 WPA_PUT_BE16(t->transform_length, sizeof(*t));
876 t->transform_type = IKEV2_TRANSFORM_PRF;
877 WPA_PUT_BE16(t->transform_id, data->proposal.prf);
878
879 t = wpabuf_put(msg, sizeof(*t));
880 t->type = 3;
881 WPA_PUT_BE16(t->transform_length, sizeof(*t));
882 t->transform_type = IKEV2_TRANSFORM_INTEG;
883 WPA_PUT_BE16(t->transform_id, data->proposal.integ);
884
885 t = wpabuf_put(msg, sizeof(*t));
886 WPA_PUT_BE16(t->transform_length, sizeof(*t));
887 t->transform_type = IKEV2_TRANSFORM_DH;
888 WPA_PUT_BE16(t->transform_id, data->proposal.dh);
889
890 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) p;
891 WPA_PUT_BE16(p->proposal_length, plen);
892
893 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
894 WPA_PUT_BE16(phdr->payload_length, plen);
895
896 return 0;
897 }
898
899
ikev2_build_ker(struct ikev2_responder_data * data,struct wpabuf * msg,u8 next_payload)900 static int ikev2_build_ker(struct ikev2_responder_data *data,
901 struct wpabuf *msg, u8 next_payload)
902 {
903 struct ikev2_payload_hdr *phdr;
904 size_t plen;
905 struct wpabuf *pv;
906
907 wpa_printf(MSG_DEBUG, "IKEV2: Adding KEr payload");
908
909 pv = dh_init(data->dh, &data->r_dh_private);
910 if (pv == NULL) {
911 wpa_printf(MSG_DEBUG, "IKEV2: Failed to initialize DH");
912 return -1;
913 }
914
915 /* KEr - RFC 4306, Sect. 3.4 */
916 phdr = wpabuf_put(msg, sizeof(*phdr));
917 phdr->next_payload = next_payload;
918 phdr->flags = 0;
919
920 wpabuf_put_be16(msg, data->proposal.dh); /* DH Group # */
921 wpabuf_put(msg, 2); /* RESERVED */
922 /*
923 * RFC 4306, Sect. 3.4: possible zero padding for public value to
924 * match the length of the prime.
925 */
926 wpabuf_put(msg, data->dh->prime_len - wpabuf_len(pv));
927 wpabuf_put_buf(msg, pv);
928 wpabuf_free(pv);
929
930 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
931 WPA_PUT_BE16(phdr->payload_length, plen);
932 return 0;
933 }
934
935
ikev2_build_nr(struct ikev2_responder_data * data,struct wpabuf * msg,u8 next_payload)936 static int ikev2_build_nr(struct ikev2_responder_data *data,
937 struct wpabuf *msg, u8 next_payload)
938 {
939 struct ikev2_payload_hdr *phdr;
940 size_t plen;
941
942 wpa_printf(MSG_DEBUG, "IKEV2: Adding Nr payload");
943
944 /* Nr - RFC 4306, Sect. 3.9 */
945 phdr = wpabuf_put(msg, sizeof(*phdr));
946 phdr->next_payload = next_payload;
947 phdr->flags = 0;
948 wpabuf_put_data(msg, data->r_nonce, data->r_nonce_len);
949 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
950 WPA_PUT_BE16(phdr->payload_length, plen);
951 return 0;
952 }
953
954
ikev2_build_idr(struct ikev2_responder_data * data,struct wpabuf * msg,u8 next_payload)955 static int ikev2_build_idr(struct ikev2_responder_data *data,
956 struct wpabuf *msg, u8 next_payload)
957 {
958 struct ikev2_payload_hdr *phdr;
959 size_t plen;
960
961 wpa_printf(MSG_DEBUG, "IKEV2: Adding IDr payload");
962
963 if (data->IDr == NULL) {
964 wpa_printf(MSG_INFO, "IKEV2: No IDr available");
965 return -1;
966 }
967
968 /* IDr - RFC 4306, Sect. 3.5 */
969 phdr = wpabuf_put(msg, sizeof(*phdr));
970 phdr->next_payload = next_payload;
971 phdr->flags = 0;
972 wpabuf_put_u8(msg, ID_KEY_ID);
973 wpabuf_put(msg, 3); /* RESERVED */
974 wpabuf_put_data(msg, data->IDr, data->IDr_len);
975 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
976 WPA_PUT_BE16(phdr->payload_length, plen);
977 return 0;
978 }
979
980
ikev2_build_auth(struct ikev2_responder_data * data,struct wpabuf * msg,u8 next_payload)981 static int ikev2_build_auth(struct ikev2_responder_data *data,
982 struct wpabuf *msg, u8 next_payload)
983 {
984 struct ikev2_payload_hdr *phdr;
985 size_t plen;
986 const struct ikev2_prf_alg *prf;
987
988 wpa_printf(MSG_DEBUG, "IKEV2: Adding AUTH payload");
989
990 prf = ikev2_get_prf(data->proposal.prf);
991 if (prf == NULL)
992 return -1;
993
994 /* Authentication - RFC 4306, Sect. 3.8 */
995 phdr = wpabuf_put(msg, sizeof(*phdr));
996 phdr->next_payload = next_payload;
997 phdr->flags = 0;
998 wpabuf_put_u8(msg, AUTH_SHARED_KEY_MIC);
999 wpabuf_put(msg, 3); /* RESERVED */
1000
1001 /* msg | Ni | prf(SK_pr,IDr') */
1002 if (ikev2_derive_auth_data(data->proposal.prf, data->r_sign_msg,
1003 data->IDr, data->IDr_len, ID_KEY_ID,
1004 &data->keys, 0, data->shared_secret,
1005 data->shared_secret_len,
1006 data->i_nonce, data->i_nonce_len,
1007 data->key_pad, data->key_pad_len,
1008 wpabuf_put(msg, prf->hash_len)) < 0) {
1009 wpa_printf(MSG_INFO, "IKEV2: Could not derive AUTH data");
1010 return -1;
1011 }
1012 wpabuf_free(data->r_sign_msg);
1013 data->r_sign_msg = NULL;
1014
1015 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1016 WPA_PUT_BE16(phdr->payload_length, plen);
1017 return 0;
1018 }
1019
1020
ikev2_build_notification(struct ikev2_responder_data * data,struct wpabuf * msg,u8 next_payload)1021 static int ikev2_build_notification(struct ikev2_responder_data *data,
1022 struct wpabuf *msg, u8 next_payload)
1023 {
1024 struct ikev2_payload_hdr *phdr;
1025 size_t plen;
1026
1027 wpa_printf(MSG_DEBUG, "IKEV2: Adding Notification payload");
1028
1029 if (data->error_type == 0) {
1030 wpa_printf(MSG_INFO, "IKEV2: No Notify Message Type "
1031 "available");
1032 return -1;
1033 }
1034
1035 /* Notify - RFC 4306, Sect. 3.10 */
1036 phdr = wpabuf_put(msg, sizeof(*phdr));
1037 phdr->next_payload = next_payload;
1038 phdr->flags = 0;
1039 wpabuf_put_u8(msg, 0); /* Protocol ID: no existing SA */
1040 wpabuf_put_u8(msg, 0); /* SPI Size */
1041 wpabuf_put_be16(msg, data->error_type);
1042
1043 switch (data->error_type) {
1044 case INVALID_KE_PAYLOAD:
1045 if (data->proposal.dh == -1) {
1046 wpa_printf(MSG_INFO, "IKEV2: No DH Group selected for "
1047 "INVALID_KE_PAYLOAD notifications");
1048 return -1;
1049 }
1050 wpabuf_put_be16(msg, data->proposal.dh);
1051 wpa_printf(MSG_DEBUG, "IKEV2: INVALID_KE_PAYLOAD - request "
1052 "DH Group #%d", data->proposal.dh);
1053 break;
1054 case AUTHENTICATION_FAILED:
1055 /* no associated data */
1056 break;
1057 default:
1058 wpa_printf(MSG_INFO, "IKEV2: Unsupported Notify Message Type "
1059 "%d", data->error_type);
1060 return -1;
1061 }
1062
1063 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
1064 WPA_PUT_BE16(phdr->payload_length, plen);
1065 return 0;
1066 }
1067
1068
ikev2_build_sa_init(struct ikev2_responder_data * data)1069 static struct wpabuf * ikev2_build_sa_init(struct ikev2_responder_data *data)
1070 {
1071 struct wpabuf *msg;
1072
1073 /* build IKE_SA_INIT: HDR, SAr1, KEr, Nr, [CERTREQ], [SK{IDr}] */
1074
1075 if (os_get_random(data->r_spi, IKEV2_SPI_LEN))
1076 return NULL;
1077 wpa_hexdump(MSG_DEBUG, "IKEV2: IKE_SA Responder's SPI",
1078 data->r_spi, IKEV2_SPI_LEN);
1079
1080 data->r_nonce_len = IKEV2_NONCE_MIN_LEN;
1081 if (random_get_bytes(data->r_nonce, data->r_nonce_len))
1082 return NULL;
1083 wpa_hexdump(MSG_DEBUG, "IKEV2: Nr", data->r_nonce, data->r_nonce_len);
1084
1085 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1500);
1086 if (msg == NULL)
1087 return NULL;
1088
1089 ikev2_build_hdr(data, msg, IKE_SA_INIT, IKEV2_PAYLOAD_SA, 0);
1090 if (ikev2_build_sar1(data, msg, IKEV2_PAYLOAD_KEY_EXCHANGE) ||
1091 ikev2_build_ker(data, msg, IKEV2_PAYLOAD_NONCE) ||
1092 ikev2_build_nr(data, msg, data->peer_auth == PEER_AUTH_SECRET ?
1093 IKEV2_PAYLOAD_ENCRYPTED :
1094 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1095 wpabuf_free(msg);
1096 return NULL;
1097 }
1098
1099 if (ikev2_derive_keys(data)) {
1100 wpabuf_free(msg);
1101 return NULL;
1102 }
1103
1104 if (data->peer_auth == PEER_AUTH_CERT) {
1105 /* TODO: CERTREQ with SHA-1 hashes of Subject Public Key Info
1106 * for trust agents */
1107 }
1108
1109 if (data->peer_auth == PEER_AUTH_SECRET) {
1110 struct wpabuf *plain = wpabuf_alloc(data->IDr_len + 1000);
1111 if (plain == NULL) {
1112 wpabuf_free(msg);
1113 return NULL;
1114 }
1115 if (ikev2_build_idr(data, plain,
1116 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1117 ikev2_build_encrypted(data->proposal.encr,
1118 data->proposal.integ,
1119 &data->keys, 0, msg, plain,
1120 IKEV2_PAYLOAD_IDr)) {
1121 wpabuf_free(plain);
1122 wpabuf_free(msg);
1123 return NULL;
1124 }
1125 wpabuf_free(plain);
1126 }
1127
1128 ikev2_update_hdr(msg);
1129
1130 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_INIT)", msg);
1131
1132 data->state = SA_AUTH;
1133
1134 wpabuf_free(data->r_sign_msg);
1135 data->r_sign_msg = wpabuf_dup(msg);
1136
1137 return msg;
1138 }
1139
1140
ikev2_build_sa_auth(struct ikev2_responder_data * data)1141 static struct wpabuf * ikev2_build_sa_auth(struct ikev2_responder_data *data)
1142 {
1143 struct wpabuf *msg, *plain;
1144
1145 /* build IKE_SA_AUTH: HDR, SK {IDr, [CERT,] AUTH} */
1146
1147 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + data->IDr_len + 1000);
1148 if (msg == NULL)
1149 return NULL;
1150 ikev2_build_hdr(data, msg, IKE_SA_AUTH, IKEV2_PAYLOAD_ENCRYPTED, 1);
1151
1152 plain = wpabuf_alloc(data->IDr_len + 1000);
1153 if (plain == NULL) {
1154 wpabuf_free(msg);
1155 return NULL;
1156 }
1157
1158 if (ikev2_build_idr(data, plain, IKEV2_PAYLOAD_AUTHENTICATION) ||
1159 ikev2_build_auth(data, plain, IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1160 ikev2_build_encrypted(data->proposal.encr, data->proposal.integ,
1161 &data->keys, 0, msg, plain,
1162 IKEV2_PAYLOAD_IDr)) {
1163 wpabuf_free(plain);
1164 wpabuf_free(msg);
1165 return NULL;
1166 }
1167 wpabuf_free(plain);
1168
1169 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (SA_AUTH)", msg);
1170
1171 data->state = IKEV2_DONE;
1172
1173 return msg;
1174 }
1175
1176
ikev2_build_notify(struct ikev2_responder_data * data)1177 static struct wpabuf * ikev2_build_notify(struct ikev2_responder_data *data)
1178 {
1179 struct wpabuf *msg;
1180
1181 msg = wpabuf_alloc(sizeof(struct ikev2_hdr) + 1000);
1182 if (msg == NULL)
1183 return NULL;
1184 if (data->last_msg == LAST_MSG_SA_AUTH) {
1185 /* HDR, SK{N} */
1186 struct wpabuf *plain = wpabuf_alloc(100);
1187 if (plain == NULL) {
1188 wpabuf_free(msg);
1189 return NULL;
1190 }
1191 ikev2_build_hdr(data, msg, IKE_SA_AUTH,
1192 IKEV2_PAYLOAD_ENCRYPTED, 1);
1193 if (ikev2_build_notification(data, plain,
1194 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) ||
1195 ikev2_build_encrypted(data->proposal.encr,
1196 data->proposal.integ,
1197 &data->keys, 0, msg, plain,
1198 IKEV2_PAYLOAD_NOTIFICATION)) {
1199 wpabuf_free(plain);
1200 wpabuf_free(msg);
1201 return NULL;
1202 }
1203 wpabuf_free(plain);
1204 data->state = IKEV2_FAILED;
1205 } else {
1206 /* HDR, N */
1207 ikev2_build_hdr(data, msg, IKE_SA_INIT,
1208 IKEV2_PAYLOAD_NOTIFICATION, 0);
1209 if (ikev2_build_notification(data, msg,
1210 IKEV2_PAYLOAD_NO_NEXT_PAYLOAD)) {
1211 wpabuf_free(msg);
1212 return NULL;
1213 }
1214 data->state = SA_INIT;
1215 }
1216
1217 ikev2_update_hdr(msg);
1218
1219 wpa_hexdump_buf(MSG_MSGDUMP, "IKEV2: Sending message (Notification)",
1220 msg);
1221
1222 return msg;
1223 }
1224
1225
ikev2_responder_build(struct ikev2_responder_data * data)1226 struct wpabuf * ikev2_responder_build(struct ikev2_responder_data *data)
1227 {
1228 switch (data->state) {
1229 case SA_INIT:
1230 return ikev2_build_sa_init(data);
1231 case SA_AUTH:
1232 return ikev2_build_sa_auth(data);
1233 case CHILD_SA:
1234 return NULL;
1235 case NOTIFY:
1236 return ikev2_build_notify(data);
1237 case IKEV2_DONE:
1238 case IKEV2_FAILED:
1239 return NULL;
1240 }
1241 return NULL;
1242 }
1243