1 /*
2 * IKEv2 common routines for initiator and responder
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Alternatively, this software may be distributed under the terms of BSD
10 * license.
11 *
12 * See README and COPYING for more details.
13 */
14
15 #include "includes.h"
16
17 #include "common.h"
18 #include "sha1.h"
19 #include "md5.h"
20 #include "crypto.h"
21 #include "ikev2_common.h"
22
23
24 static struct ikev2_integ_alg ikev2_integ_algs[] = {
25 { AUTH_HMAC_SHA1_96, 20, 12 },
26 { AUTH_HMAC_MD5_96, 16, 12 }
27 };
28
29 #define NUM_INTEG_ALGS (sizeof(ikev2_integ_algs) / sizeof(ikev2_integ_algs[0]))
30
31
32 static struct ikev2_prf_alg ikev2_prf_algs[] = {
33 { PRF_HMAC_SHA1, 20, 20 },
34 { PRF_HMAC_MD5, 16, 16 }
35 };
36
37 #define NUM_PRF_ALGS (sizeof(ikev2_prf_algs) / sizeof(ikev2_prf_algs[0]))
38
39
40 static struct ikev2_encr_alg ikev2_encr_algs[] = {
41 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
42 { ENCR_3DES, 24, 8 }
43 };
44
45 #define NUM_ENCR_ALGS (sizeof(ikev2_encr_algs) / sizeof(ikev2_encr_algs[0]))
46
47
ikev2_get_integ(int id)48 const struct ikev2_integ_alg * ikev2_get_integ(int id)
49 {
50 size_t i;
51
52 for (i = 0; i < NUM_INTEG_ALGS; i++) {
53 if (ikev2_integ_algs[i].id == id)
54 return &ikev2_integ_algs[i];
55 }
56
57 return NULL;
58 }
59
60
ikev2_integ_hash(int alg,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * hash)61 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
62 size_t data_len, u8 *hash)
63 {
64 u8 tmphash[IKEV2_MAX_HASH_LEN];
65
66 switch (alg) {
67 case AUTH_HMAC_SHA1_96:
68 if (key_len != 20)
69 return -1;
70 hmac_sha1(key, key_len, data, data_len, tmphash);
71 os_memcpy(hash, tmphash, 12);
72 break;
73 case AUTH_HMAC_MD5_96:
74 if (key_len != 16)
75 return -1;
76 hmac_md5(key, key_len, data, data_len, tmphash);
77 os_memcpy(hash, tmphash, 12);
78 break;
79 default:
80 return -1;
81 }
82
83 return 0;
84 }
85
86
ikev2_get_prf(int id)87 const struct ikev2_prf_alg * ikev2_get_prf(int id)
88 {
89 size_t i;
90
91 for (i = 0; i < NUM_PRF_ALGS; i++) {
92 if (ikev2_prf_algs[i].id == id)
93 return &ikev2_prf_algs[i];
94 }
95
96 return NULL;
97 }
98
99
ikev2_prf_hash(int alg,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * hash)100 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
101 size_t num_elem, const u8 *addr[], const size_t *len,
102 u8 *hash)
103 {
104 switch (alg) {
105 case PRF_HMAC_SHA1:
106 hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
107 break;
108 case PRF_HMAC_MD5:
109 hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
110 break;
111 default:
112 return -1;
113 }
114
115 return 0;
116 }
117
118
ikev2_prf_plus(int alg,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * out,size_t out_len)119 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
120 const u8 *data, size_t data_len,
121 u8 *out, size_t out_len)
122 {
123 u8 hash[IKEV2_MAX_HASH_LEN];
124 size_t hash_len;
125 u8 iter, *pos, *end;
126 const u8 *addr[3];
127 size_t len[3];
128 const struct ikev2_prf_alg *prf;
129 int res;
130
131 prf = ikev2_get_prf(alg);
132 if (prf == NULL)
133 return -1;
134 hash_len = prf->hash_len;
135
136 addr[0] = hash;
137 len[0] = hash_len;
138 addr[1] = data;
139 len[1] = data_len;
140 addr[2] = &iter;
141 len[2] = 1;
142
143 pos = out;
144 end = out + out_len;
145 iter = 1;
146 while (pos < end) {
147 size_t clen;
148 if (iter == 1)
149 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
150 &len[1], hash);
151 else
152 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
153 hash);
154 if (res < 0)
155 return -1;
156 clen = hash_len;
157 if ((int) clen > end - pos)
158 clen = end - pos;
159 os_memcpy(pos, hash, clen);
160 pos += clen;
161 iter++;
162 }
163
164 return 0;
165 }
166
167
ikev2_get_encr(int id)168 const struct ikev2_encr_alg * ikev2_get_encr(int id)
169 {
170 size_t i;
171
172 for (i = 0; i < NUM_ENCR_ALGS; i++) {
173 if (ikev2_encr_algs[i].id == id)
174 return &ikev2_encr_algs[i];
175 }
176
177 return NULL;
178 }
179
180
181 #ifdef CCNS_PL
182 /* from des.c */
183 struct des3_key_s {
184 u32 ek[3][32];
185 u32 dk[3][32];
186 };
187
188 void des3_key_setup(const u8 *key, struct des3_key_s *dkey);
189 void des3_encrypt(const u8 *plain, const struct des3_key_s *key, u8 *crypt);
190 void des3_decrypt(const u8 *crypt, const struct des3_key_s *key, u8 *plain);
191 #endif /* CCNS_PL */
192
193
ikev2_encr_encrypt(int alg,const u8 * key,size_t key_len,const u8 * iv,const u8 * plain,u8 * crypt,size_t len)194 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
195 const u8 *plain, u8 *crypt, size_t len)
196 {
197 struct crypto_cipher *cipher;
198 int encr_alg;
199
200 #ifdef CCNS_PL
201 if (alg == ENCR_3DES) {
202 struct des3_key_s des3key;
203 size_t i, blocks;
204 u8 *pos;
205
206 /* ECB mode is used incorrectly for 3DES!? */
207 if (key_len != 24) {
208 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
209 return -1;
210 }
211 des3_key_setup(key, &des3key);
212
213 blocks = len / 8;
214 pos = crypt;
215 for (i = 0; i < blocks; i++) {
216 des3_encrypt(pos, &des3key, pos);
217 pos += 8;
218 }
219 } else {
220 #endif /* CCNS_PL */
221 switch (alg) {
222 case ENCR_3DES:
223 encr_alg = CRYPTO_CIPHER_ALG_3DES;
224 break;
225 case ENCR_AES_CBC:
226 encr_alg = CRYPTO_CIPHER_ALG_AES;
227 break;
228 default:
229 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
230 return -1;
231 }
232
233 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
234 if (cipher == NULL) {
235 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
236 return -1;
237 }
238
239 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
240 wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
241 crypto_cipher_deinit(cipher);
242 return -1;
243 }
244 crypto_cipher_deinit(cipher);
245 #ifdef CCNS_PL
246 }
247 #endif /* CCNS_PL */
248
249 return 0;
250 }
251
252
ikev2_encr_decrypt(int alg,const u8 * key,size_t key_len,const u8 * iv,const u8 * crypt,u8 * plain,size_t len)253 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
254 const u8 *crypt, u8 *plain, size_t len)
255 {
256 struct crypto_cipher *cipher;
257 int encr_alg;
258
259 #ifdef CCNS_PL
260 if (alg == ENCR_3DES) {
261 struct des3_key_s des3key;
262 size_t i, blocks;
263
264 /* ECB mode is used incorrectly for 3DES!? */
265 if (key_len != 24) {
266 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
267 return -1;
268 }
269 des3_key_setup(key, &des3key);
270
271 if (len % 8) {
272 wpa_printf(MSG_INFO, "IKEV2: Invalid encrypted "
273 "length");
274 return -1;
275 }
276 blocks = len / 8;
277 for (i = 0; i < blocks; i++) {
278 des3_decrypt(crypt, &des3key, plain);
279 plain += 8;
280 crypt += 8;
281 }
282 } else {
283 #endif /* CCNS_PL */
284 switch (alg) {
285 case ENCR_3DES:
286 encr_alg = CRYPTO_CIPHER_ALG_3DES;
287 break;
288 case ENCR_AES_CBC:
289 encr_alg = CRYPTO_CIPHER_ALG_AES;
290 break;
291 default:
292 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
293 return -1;
294 }
295
296 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
297 if (cipher == NULL) {
298 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
299 return -1;
300 }
301
302 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
303 wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
304 crypto_cipher_deinit(cipher);
305 return -1;
306 }
307 crypto_cipher_deinit(cipher);
308 #ifdef CCNS_PL
309 }
310 #endif /* CCNS_PL */
311
312 return 0;
313 }
314
315
ikev2_parse_payloads(struct ikev2_payloads * payloads,u8 next_payload,const u8 * pos,const u8 * end)316 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
317 u8 next_payload, const u8 *pos, const u8 *end)
318 {
319 const struct ikev2_payload_hdr *phdr;
320
321 os_memset(payloads, 0, sizeof(*payloads));
322
323 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
324 int plen, pdatalen;
325 const u8 *pdata;
326 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
327 next_payload);
328 if (end - pos < (int) sizeof(*phdr)) {
329 wpa_printf(MSG_INFO, "IKEV2: Too short message for "
330 "payload header (left=%ld)",
331 (long) (end - pos));
332 }
333 phdr = (const struct ikev2_payload_hdr *) pos;
334 plen = WPA_GET_BE16(phdr->payload_length);
335 if (plen < (int) sizeof(*phdr) || pos + plen > end) {
336 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
337 "length %d", plen);
338 return -1;
339 }
340
341 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x"
342 " Payload Length: %d",
343 phdr->next_payload, phdr->flags, plen);
344
345 pdata = (const u8 *) (phdr + 1);
346 pdatalen = plen - sizeof(*phdr);
347
348 switch (next_payload) {
349 case IKEV2_PAYLOAD_SA:
350 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security "
351 "Association");
352 payloads->sa = pdata;
353 payloads->sa_len = pdatalen;
354 break;
355 case IKEV2_PAYLOAD_KEY_EXCHANGE:
356 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key "
357 "Exchange");
358 payloads->ke = pdata;
359 payloads->ke_len = pdatalen;
360 break;
361 case IKEV2_PAYLOAD_IDi:
362 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi");
363 payloads->idi = pdata;
364 payloads->idi_len = pdatalen;
365 break;
366 case IKEV2_PAYLOAD_IDr:
367 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr");
368 payloads->idr = pdata;
369 payloads->idr_len = pdatalen;
370 break;
371 case IKEV2_PAYLOAD_CERTIFICATE:
372 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate");
373 payloads->cert = pdata;
374 payloads->cert_len = pdatalen;
375 break;
376 case IKEV2_PAYLOAD_AUTHENTICATION:
377 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
378 "Authentication");
379 payloads->auth = pdata;
380 payloads->auth_len = pdatalen;
381 break;
382 case IKEV2_PAYLOAD_NONCE:
383 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce");
384 payloads->nonce = pdata;
385 payloads->nonce_len = pdatalen;
386 break;
387 case IKEV2_PAYLOAD_ENCRYPTED:
388 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted");
389 payloads->encrypted = pdata;
390 payloads->encrypted_len = pdatalen;
391 break;
392 case IKEV2_PAYLOAD_NOTIFICATION:
393 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
394 "Notification");
395 payloads->notification = pdata;
396 payloads->notification_len = pdatalen;
397 break;
398 default:
399 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
400 wpa_printf(MSG_INFO, "IKEV2: Unsupported "
401 "critical payload %u - reject the "
402 "entire message", next_payload);
403 return -1;
404 } else {
405 wpa_printf(MSG_DEBUG, "IKEV2: Skipped "
406 "unsupported payload %u",
407 next_payload);
408 }
409 }
410
411 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
412 pos + plen == end) {
413 /*
414 * Next Payload in the case of Encrypted Payload is
415 * actually the payload type for the first embedded
416 * payload.
417 */
418 payloads->encr_next_payload = phdr->next_payload;
419 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
420 } else
421 next_payload = phdr->next_payload;
422
423 pos += plen;
424 }
425
426 if (pos != end) {
427 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
428 "payloads");
429 return -1;
430 }
431
432 return 0;
433 }
434
435
ikev2_derive_auth_data(int prf_alg,const struct wpabuf * sign_msg,const u8 * ID,size_t ID_len,u8 ID_type,struct ikev2_keys * keys,int initiator,const u8 * shared_secret,size_t shared_secret_len,const u8 * nonce,size_t nonce_len,const u8 * key_pad,size_t key_pad_len,u8 * auth_data)436 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
437 const u8 *ID, size_t ID_len, u8 ID_type,
438 struct ikev2_keys *keys, int initiator,
439 const u8 *shared_secret, size_t shared_secret_len,
440 const u8 *nonce, size_t nonce_len,
441 const u8 *key_pad, size_t key_pad_len,
442 u8 *auth_data)
443 {
444 size_t sign_len, buf_len;
445 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
446 const struct ikev2_prf_alg *prf;
447 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
448
449 prf = ikev2_get_prf(prf_alg);
450 if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
451 shared_secret == NULL || nonce == NULL || prf == NULL)
452 return -1;
453
454 /* prf(SK_pi/r,IDi/r') */
455 buf_len = 4 + ID_len;
456 buf = os_zalloc(buf_len);
457 if (buf == NULL)
458 return -1;
459 buf[0] = ID_type;
460 os_memcpy(buf + 4, ID, ID_len);
461 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
462 1, (const u8 **) &buf, &buf_len, hash) < 0) {
463 os_free(buf);
464 return -1;
465 }
466 os_free(buf);
467
468 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
469 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
470 sign_data = os_malloc(sign_len);
471 if (sign_data == NULL)
472 return -1;
473 pos = sign_data;
474 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
475 pos += wpabuf_len(sign_msg);
476 os_memcpy(pos, nonce, nonce_len);
477 pos += nonce_len;
478 os_memcpy(pos, hash, prf->hash_len);
479
480 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
481 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
482 &key_pad, &key_pad_len, hash) < 0 ||
483 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
484 (const u8 **) &sign_data, &sign_len, auth_data) < 0)
485 {
486 os_free(sign_data);
487 return -1;
488 }
489 os_free(sign_data);
490
491 return 0;
492 }
493
494
ikev2_decrypt_payload(int encr_id,int integ_id,struct ikev2_keys * keys,int initiator,const struct ikev2_hdr * hdr,const u8 * encrypted,size_t encrypted_len,size_t * res_len)495 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
496 struct ikev2_keys *keys, int initiator,
497 const struct ikev2_hdr *hdr,
498 const u8 *encrypted, size_t encrypted_len,
499 size_t *res_len)
500 {
501 size_t iv_len;
502 const u8 *pos, *end, *iv, *integ;
503 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
504 size_t decrypted_len, pad_len;
505 const struct ikev2_integ_alg *integ_alg;
506 const struct ikev2_encr_alg *encr_alg;
507 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
508 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
509
510 if (encrypted == NULL) {
511 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
512 return NULL;
513 }
514
515 encr_alg = ikev2_get_encr(encr_id);
516 if (encr_alg == NULL) {
517 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
518 return NULL;
519 }
520 iv_len = encr_alg->block_size;
521
522 integ_alg = ikev2_get_integ(integ_id);
523 if (integ_alg == NULL) {
524 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
525 return NULL;
526 }
527
528 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
529 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
530 "Checksum");
531 return NULL;
532 }
533
534 iv = encrypted;
535 pos = iv + iv_len;
536 end = encrypted + encrypted_len;
537 integ = end - integ_alg->hash_len;
538
539 if (SK_a == NULL) {
540 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
541 return NULL;
542 }
543 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
544 (const u8 *) hdr,
545 integ - (const u8 *) hdr, hash) < 0) {
546 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
547 "hash");
548 return NULL;
549 }
550 if (os_memcmp(integ, hash, integ_alg->hash_len) != 0) {
551 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
552 "Data");
553 return NULL;
554 }
555
556 if (SK_e == NULL) {
557 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
558 return NULL;
559 }
560
561 decrypted_len = integ - pos;
562 decrypted = os_malloc(decrypted_len);
563 if (decrypted == NULL)
564 return NULL;
565
566 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
567 decrypted, decrypted_len) < 0) {
568 os_free(decrypted);
569 return NULL;
570 }
571
572 pad_len = decrypted[decrypted_len - 1];
573 if (decrypted_len < pad_len + 1) {
574 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
575 "payload");
576 os_free(decrypted);
577 return NULL;
578 }
579
580 decrypted_len -= pad_len + 1;
581
582 *res_len = decrypted_len;
583 return decrypted;
584 }
585
586
ikev2_update_hdr(struct wpabuf * msg)587 void ikev2_update_hdr(struct wpabuf *msg)
588 {
589 struct ikev2_hdr *hdr;
590
591 /* Update lenth field in HDR */
592 hdr = wpabuf_mhead(msg);
593 WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
594 }
595
596
ikev2_build_encrypted(int encr_id,int integ_id,struct ikev2_keys * keys,int initiator,struct wpabuf * msg,struct wpabuf * plain,u8 next_payload)597 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
598 int initiator, struct wpabuf *msg,
599 struct wpabuf *plain, u8 next_payload)
600 {
601 struct ikev2_payload_hdr *phdr;
602 size_t plen;
603 size_t iv_len, pad_len;
604 u8 *icv, *iv;
605 const struct ikev2_integ_alg *integ_alg;
606 const struct ikev2_encr_alg *encr_alg;
607 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
608 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
609
610 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
611
612 /* Encr - RFC 4306, Sect. 3.14 */
613
614 encr_alg = ikev2_get_encr(encr_id);
615 if (encr_alg == NULL) {
616 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
617 return -1;
618 }
619 iv_len = encr_alg->block_size;
620
621 integ_alg = ikev2_get_integ(integ_id);
622 if (integ_alg == NULL) {
623 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
624 return -1;
625 }
626
627 if (SK_e == NULL) {
628 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
629 return -1;
630 }
631
632 if (SK_a == NULL) {
633 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
634 return -1;
635 }
636
637 phdr = wpabuf_put(msg, sizeof(*phdr));
638 phdr->next_payload = next_payload;
639 phdr->flags = 0;
640
641 iv = wpabuf_put(msg, iv_len);
642 if (os_get_random(iv, iv_len)) {
643 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
644 return -1;
645 }
646
647 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
648 if (pad_len == iv_len)
649 pad_len = 0;
650 wpabuf_put(plain, pad_len);
651 wpabuf_put_u8(plain, pad_len);
652
653 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
654 wpabuf_head(plain), wpabuf_mhead(plain),
655 wpabuf_len(plain)) < 0)
656 return -1;
657
658 wpabuf_put_buf(msg, plain);
659
660 /* Need to update all headers (Length fields) prior to hash func */
661 icv = wpabuf_put(msg, integ_alg->hash_len);
662 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
663 WPA_PUT_BE16(phdr->payload_length, plen);
664
665 ikev2_update_hdr(msg);
666
667 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
668 wpabuf_head(msg),
669 wpabuf_len(msg) - integ_alg->hash_len, icv);
670
671 return 0;
672 }
673
674
ikev2_keys_set(struct ikev2_keys * keys)675 int ikev2_keys_set(struct ikev2_keys *keys)
676 {
677 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
678 keys->SK_er && keys->SK_pi && keys->SK_pr;
679 }
680
681
ikev2_free_keys(struct ikev2_keys * keys)682 void ikev2_free_keys(struct ikev2_keys *keys)
683 {
684 os_free(keys->SK_d);
685 os_free(keys->SK_ai);
686 os_free(keys->SK_ar);
687 os_free(keys->SK_ei);
688 os_free(keys->SK_er);
689 os_free(keys->SK_pi);
690 os_free(keys->SK_pr);
691 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
692 keys->SK_pi = keys->SK_pr = NULL;
693 }
694
695
ikev2_derive_sk_keys(const struct ikev2_prf_alg * prf,const struct ikev2_integ_alg * integ,const struct ikev2_encr_alg * encr,const u8 * skeyseed,const u8 * data,size_t data_len,struct ikev2_keys * keys)696 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
697 const struct ikev2_integ_alg *integ,
698 const struct ikev2_encr_alg *encr,
699 const u8 *skeyseed, const u8 *data, size_t data_len,
700 struct ikev2_keys *keys)
701 {
702 u8 *keybuf, *pos;
703 size_t keybuf_len;
704
705 /*
706 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
707 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
708 */
709 ikev2_free_keys(keys);
710 keys->SK_d_len = prf->key_len;
711 keys->SK_integ_len = integ->key_len;
712 keys->SK_encr_len = encr->key_len;
713 keys->SK_prf_len = prf->key_len;
714 #ifdef CCNS_PL
715 /* Uses encryption key length for SK_d; should be PRF length */
716 keys->SK_d_len = keys->SK_encr_len;
717 #endif /* CCNS_PL */
718
719 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
720 2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
721 keybuf = os_malloc(keybuf_len);
722 if (keybuf == NULL)
723 return -1;
724
725 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
726 data, data_len, keybuf, keybuf_len)) {
727 os_free(keybuf);
728 return -1;
729 }
730
731 pos = keybuf;
732
733 keys->SK_d = os_malloc(keys->SK_d_len);
734 if (keys->SK_d) {
735 os_memcpy(keys->SK_d, pos, keys->SK_d_len);
736 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
737 keys->SK_d, keys->SK_d_len);
738 }
739 pos += keys->SK_d_len;
740
741 keys->SK_ai = os_malloc(keys->SK_integ_len);
742 if (keys->SK_ai) {
743 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
744 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
745 keys->SK_ai, keys->SK_integ_len);
746 }
747 pos += keys->SK_integ_len;
748
749 keys->SK_ar = os_malloc(keys->SK_integ_len);
750 if (keys->SK_ar) {
751 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
752 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
753 keys->SK_ar, keys->SK_integ_len);
754 }
755 pos += keys->SK_integ_len;
756
757 keys->SK_ei = os_malloc(keys->SK_encr_len);
758 if (keys->SK_ei) {
759 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
760 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
761 keys->SK_ei, keys->SK_encr_len);
762 }
763 pos += keys->SK_encr_len;
764
765 keys->SK_er = os_malloc(keys->SK_encr_len);
766 if (keys->SK_er) {
767 os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
768 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
769 keys->SK_er, keys->SK_encr_len);
770 }
771 pos += keys->SK_encr_len;
772
773 keys->SK_pi = os_malloc(keys->SK_prf_len);
774 if (keys->SK_pi) {
775 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
776 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
777 keys->SK_pi, keys->SK_prf_len);
778 }
779 pos += keys->SK_prf_len;
780
781 keys->SK_pr = os_malloc(keys->SK_prf_len);
782 if (keys->SK_pr) {
783 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
784 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
785 keys->SK_pr, keys->SK_prf_len);
786 }
787
788 os_free(keybuf);
789
790 if (!ikev2_keys_set(keys)) {
791 ikev2_free_keys(keys);
792 return -1;
793 }
794
795 return 0;
796 }
797