1 /*
2 * IKEv2 common routines for initiator and responder
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include "includes.h"
10
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "crypto/random.h"
16 #include "ikev2_common.h"
17
18
19 static struct ikev2_integ_alg ikev2_integ_algs[] = {
20 { AUTH_HMAC_SHA1_96, 20, 12 },
21 { AUTH_HMAC_MD5_96, 16, 12 }
22 };
23
24 #define NUM_INTEG_ALGS (sizeof(ikev2_integ_algs) / sizeof(ikev2_integ_algs[0]))
25
26
27 static struct ikev2_prf_alg ikev2_prf_algs[] = {
28 { PRF_HMAC_SHA1, 20, 20 },
29 { PRF_HMAC_MD5, 16, 16 }
30 };
31
32 #define NUM_PRF_ALGS (sizeof(ikev2_prf_algs) / sizeof(ikev2_prf_algs[0]))
33
34
35 static struct ikev2_encr_alg ikev2_encr_algs[] = {
36 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
37 { ENCR_3DES, 24, 8 }
38 };
39
40 #define NUM_ENCR_ALGS (sizeof(ikev2_encr_algs) / sizeof(ikev2_encr_algs[0]))
41
42
ikev2_get_integ(int id)43 const struct ikev2_integ_alg * ikev2_get_integ(int id)
44 {
45 size_t i;
46
47 for (i = 0; i < NUM_INTEG_ALGS; i++) {
48 if (ikev2_integ_algs[i].id == id)
49 return &ikev2_integ_algs[i];
50 }
51
52 return NULL;
53 }
54
55
ikev2_integ_hash(int alg,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * hash)56 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
57 size_t data_len, u8 *hash)
58 {
59 u8 tmphash[IKEV2_MAX_HASH_LEN];
60
61 switch (alg) {
62 case AUTH_HMAC_SHA1_96:
63 if (key_len != 20)
64 return -1;
65 hmac_sha1(key, key_len, data, data_len, tmphash);
66 os_memcpy(hash, tmphash, 12);
67 break;
68 case AUTH_HMAC_MD5_96:
69 if (key_len != 16)
70 return -1;
71 hmac_md5(key, key_len, data, data_len, tmphash);
72 os_memcpy(hash, tmphash, 12);
73 break;
74 default:
75 return -1;
76 }
77
78 return 0;
79 }
80
81
ikev2_get_prf(int id)82 const struct ikev2_prf_alg * ikev2_get_prf(int id)
83 {
84 size_t i;
85
86 for (i = 0; i < NUM_PRF_ALGS; i++) {
87 if (ikev2_prf_algs[i].id == id)
88 return &ikev2_prf_algs[i];
89 }
90
91 return NULL;
92 }
93
94
ikev2_prf_hash(int alg,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * hash)95 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
96 size_t num_elem, const u8 *addr[], const size_t *len,
97 u8 *hash)
98 {
99 switch (alg) {
100 case PRF_HMAC_SHA1:
101 hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
102 break;
103 case PRF_HMAC_MD5:
104 hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
105 break;
106 default:
107 return -1;
108 }
109
110 return 0;
111 }
112
113
ikev2_prf_plus(int alg,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * out,size_t out_len)114 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
115 const u8 *data, size_t data_len,
116 u8 *out, size_t out_len)
117 {
118 u8 hash[IKEV2_MAX_HASH_LEN];
119 size_t hash_len;
120 u8 iter, *pos, *end;
121 const u8 *addr[3];
122 size_t len[3];
123 const struct ikev2_prf_alg *prf;
124 int res;
125
126 prf = ikev2_get_prf(alg);
127 if (prf == NULL)
128 return -1;
129 hash_len = prf->hash_len;
130
131 addr[0] = hash;
132 len[0] = hash_len;
133 addr[1] = data;
134 len[1] = data_len;
135 addr[2] = &iter;
136 len[2] = 1;
137
138 pos = out;
139 end = out + out_len;
140 iter = 1;
141 while (pos < end) {
142 size_t clen;
143 if (iter == 1)
144 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
145 &len[1], hash);
146 else
147 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
148 hash);
149 if (res < 0)
150 return -1;
151 clen = hash_len;
152 if ((int) clen > end - pos)
153 clen = end - pos;
154 os_memcpy(pos, hash, clen);
155 pos += clen;
156 iter++;
157 }
158
159 return 0;
160 }
161
162
ikev2_get_encr(int id)163 const struct ikev2_encr_alg * ikev2_get_encr(int id)
164 {
165 size_t i;
166
167 for (i = 0; i < NUM_ENCR_ALGS; i++) {
168 if (ikev2_encr_algs[i].id == id)
169 return &ikev2_encr_algs[i];
170 }
171
172 return NULL;
173 }
174
175
176 #ifdef CCNS_PL
177 /* from des.c */
178 struct des3_key_s {
179 u32 ek[3][32];
180 u32 dk[3][32];
181 };
182
183 void des3_key_setup(const u8 *key, struct des3_key_s *dkey);
184 void des3_encrypt(const u8 *plain, const struct des3_key_s *key, u8 *crypt);
185 void des3_decrypt(const u8 *crypt, const struct des3_key_s *key, u8 *plain);
186 #endif /* CCNS_PL */
187
188
ikev2_encr_encrypt(int alg,const u8 * key,size_t key_len,const u8 * iv,const u8 * plain,u8 * crypt,size_t len)189 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
190 const u8 *plain, u8 *crypt, size_t len)
191 {
192 struct crypto_cipher *cipher;
193 int encr_alg;
194
195 #ifdef CCNS_PL
196 if (alg == ENCR_3DES) {
197 struct des3_key_s des3key;
198 size_t i, blocks;
199 u8 *pos;
200
201 /* ECB mode is used incorrectly for 3DES!? */
202 if (key_len != 24) {
203 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
204 return -1;
205 }
206 des3_key_setup(key, &des3key);
207
208 blocks = len / 8;
209 pos = crypt;
210 for (i = 0; i < blocks; i++) {
211 des3_encrypt(pos, &des3key, pos);
212 pos += 8;
213 }
214 } else {
215 #endif /* CCNS_PL */
216 switch (alg) {
217 case ENCR_3DES:
218 encr_alg = CRYPTO_CIPHER_ALG_3DES;
219 break;
220 case ENCR_AES_CBC:
221 encr_alg = CRYPTO_CIPHER_ALG_AES;
222 break;
223 default:
224 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
225 return -1;
226 }
227
228 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
229 if (cipher == NULL) {
230 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
231 return -1;
232 }
233
234 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
235 wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
236 crypto_cipher_deinit(cipher);
237 return -1;
238 }
239 crypto_cipher_deinit(cipher);
240 #ifdef CCNS_PL
241 }
242 #endif /* CCNS_PL */
243
244 return 0;
245 }
246
247
ikev2_encr_decrypt(int alg,const u8 * key,size_t key_len,const u8 * iv,const u8 * crypt,u8 * plain,size_t len)248 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
249 const u8 *crypt, u8 *plain, size_t len)
250 {
251 struct crypto_cipher *cipher;
252 int encr_alg;
253
254 #ifdef CCNS_PL
255 if (alg == ENCR_3DES) {
256 struct des3_key_s des3key;
257 size_t i, blocks;
258
259 /* ECB mode is used incorrectly for 3DES!? */
260 if (key_len != 24) {
261 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
262 return -1;
263 }
264 des3_key_setup(key, &des3key);
265
266 if (len % 8) {
267 wpa_printf(MSG_INFO, "IKEV2: Invalid encrypted "
268 "length");
269 return -1;
270 }
271 blocks = len / 8;
272 for (i = 0; i < blocks; i++) {
273 des3_decrypt(crypt, &des3key, plain);
274 plain += 8;
275 crypt += 8;
276 }
277 } else {
278 #endif /* CCNS_PL */
279 switch (alg) {
280 case ENCR_3DES:
281 encr_alg = CRYPTO_CIPHER_ALG_3DES;
282 break;
283 case ENCR_AES_CBC:
284 encr_alg = CRYPTO_CIPHER_ALG_AES;
285 break;
286 default:
287 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
288 return -1;
289 }
290
291 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
292 if (cipher == NULL) {
293 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
294 return -1;
295 }
296
297 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
298 wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
299 crypto_cipher_deinit(cipher);
300 return -1;
301 }
302 crypto_cipher_deinit(cipher);
303 #ifdef CCNS_PL
304 }
305 #endif /* CCNS_PL */
306
307 return 0;
308 }
309
310
ikev2_parse_payloads(struct ikev2_payloads * payloads,u8 next_payload,const u8 * pos,const u8 * end)311 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
312 u8 next_payload, const u8 *pos, const u8 *end)
313 {
314 const struct ikev2_payload_hdr *phdr;
315
316 os_memset(payloads, 0, sizeof(*payloads));
317
318 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
319 int plen, pdatalen;
320 const u8 *pdata;
321 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
322 next_payload);
323 if (end - pos < (int) sizeof(*phdr)) {
324 wpa_printf(MSG_INFO, "IKEV2: Too short message for "
325 "payload header (left=%ld)",
326 (long) (end - pos));
327 }
328 phdr = (const struct ikev2_payload_hdr *) pos;
329 plen = WPA_GET_BE16(phdr->payload_length);
330 if (plen < (int) sizeof(*phdr) || pos + plen > end) {
331 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
332 "length %d", plen);
333 return -1;
334 }
335
336 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x"
337 " Payload Length: %d",
338 phdr->next_payload, phdr->flags, plen);
339
340 pdata = (const u8 *) (phdr + 1);
341 pdatalen = plen - sizeof(*phdr);
342
343 switch (next_payload) {
344 case IKEV2_PAYLOAD_SA:
345 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security "
346 "Association");
347 payloads->sa = pdata;
348 payloads->sa_len = pdatalen;
349 break;
350 case IKEV2_PAYLOAD_KEY_EXCHANGE:
351 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key "
352 "Exchange");
353 payloads->ke = pdata;
354 payloads->ke_len = pdatalen;
355 break;
356 case IKEV2_PAYLOAD_IDi:
357 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi");
358 payloads->idi = pdata;
359 payloads->idi_len = pdatalen;
360 break;
361 case IKEV2_PAYLOAD_IDr:
362 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr");
363 payloads->idr = pdata;
364 payloads->idr_len = pdatalen;
365 break;
366 case IKEV2_PAYLOAD_CERTIFICATE:
367 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate");
368 payloads->cert = pdata;
369 payloads->cert_len = pdatalen;
370 break;
371 case IKEV2_PAYLOAD_AUTHENTICATION:
372 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
373 "Authentication");
374 payloads->auth = pdata;
375 payloads->auth_len = pdatalen;
376 break;
377 case IKEV2_PAYLOAD_NONCE:
378 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce");
379 payloads->nonce = pdata;
380 payloads->nonce_len = pdatalen;
381 break;
382 case IKEV2_PAYLOAD_ENCRYPTED:
383 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted");
384 payloads->encrypted = pdata;
385 payloads->encrypted_len = pdatalen;
386 break;
387 case IKEV2_PAYLOAD_NOTIFICATION:
388 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
389 "Notification");
390 payloads->notification = pdata;
391 payloads->notification_len = pdatalen;
392 break;
393 default:
394 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
395 wpa_printf(MSG_INFO, "IKEV2: Unsupported "
396 "critical payload %u - reject the "
397 "entire message", next_payload);
398 return -1;
399 } else {
400 wpa_printf(MSG_DEBUG, "IKEV2: Skipped "
401 "unsupported payload %u",
402 next_payload);
403 }
404 }
405
406 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
407 pos + plen == end) {
408 /*
409 * Next Payload in the case of Encrypted Payload is
410 * actually the payload type for the first embedded
411 * payload.
412 */
413 payloads->encr_next_payload = phdr->next_payload;
414 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
415 } else
416 next_payload = phdr->next_payload;
417
418 pos += plen;
419 }
420
421 if (pos != end) {
422 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
423 "payloads");
424 return -1;
425 }
426
427 return 0;
428 }
429
430
ikev2_derive_auth_data(int prf_alg,const struct wpabuf * sign_msg,const u8 * ID,size_t ID_len,u8 ID_type,struct ikev2_keys * keys,int initiator,const u8 * shared_secret,size_t shared_secret_len,const u8 * nonce,size_t nonce_len,const u8 * key_pad,size_t key_pad_len,u8 * auth_data)431 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
432 const u8 *ID, size_t ID_len, u8 ID_type,
433 struct ikev2_keys *keys, int initiator,
434 const u8 *shared_secret, size_t shared_secret_len,
435 const u8 *nonce, size_t nonce_len,
436 const u8 *key_pad, size_t key_pad_len,
437 u8 *auth_data)
438 {
439 size_t sign_len, buf_len;
440 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
441 const struct ikev2_prf_alg *prf;
442 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
443
444 prf = ikev2_get_prf(prf_alg);
445 if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
446 shared_secret == NULL || nonce == NULL || prf == NULL)
447 return -1;
448
449 /* prf(SK_pi/r,IDi/r') */
450 buf_len = 4 + ID_len;
451 buf = os_zalloc(buf_len);
452 if (buf == NULL)
453 return -1;
454 buf[0] = ID_type;
455 os_memcpy(buf + 4, ID, ID_len);
456 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
457 1, (const u8 **) &buf, &buf_len, hash) < 0) {
458 os_free(buf);
459 return -1;
460 }
461 os_free(buf);
462
463 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
464 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
465 sign_data = os_malloc(sign_len);
466 if (sign_data == NULL)
467 return -1;
468 pos = sign_data;
469 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
470 pos += wpabuf_len(sign_msg);
471 os_memcpy(pos, nonce, nonce_len);
472 pos += nonce_len;
473 os_memcpy(pos, hash, prf->hash_len);
474
475 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
476 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
477 &key_pad, &key_pad_len, hash) < 0 ||
478 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
479 (const u8 **) &sign_data, &sign_len, auth_data) < 0)
480 {
481 os_free(sign_data);
482 return -1;
483 }
484 os_free(sign_data);
485
486 return 0;
487 }
488
489
ikev2_decrypt_payload(int encr_id,int integ_id,struct ikev2_keys * keys,int initiator,const struct ikev2_hdr * hdr,const u8 * encrypted,size_t encrypted_len,size_t * res_len)490 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
491 struct ikev2_keys *keys, int initiator,
492 const struct ikev2_hdr *hdr,
493 const u8 *encrypted, size_t encrypted_len,
494 size_t *res_len)
495 {
496 size_t iv_len;
497 const u8 *pos, *end, *iv, *integ;
498 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
499 size_t decrypted_len, pad_len;
500 const struct ikev2_integ_alg *integ_alg;
501 const struct ikev2_encr_alg *encr_alg;
502 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
503 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
504
505 if (encrypted == NULL) {
506 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
507 return NULL;
508 }
509
510 encr_alg = ikev2_get_encr(encr_id);
511 if (encr_alg == NULL) {
512 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
513 return NULL;
514 }
515 iv_len = encr_alg->block_size;
516
517 integ_alg = ikev2_get_integ(integ_id);
518 if (integ_alg == NULL) {
519 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
520 return NULL;
521 }
522
523 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
524 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
525 "Checksum");
526 return NULL;
527 }
528
529 iv = encrypted;
530 pos = iv + iv_len;
531 end = encrypted + encrypted_len;
532 integ = end - integ_alg->hash_len;
533
534 if (SK_a == NULL) {
535 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
536 return NULL;
537 }
538 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
539 (const u8 *) hdr,
540 integ - (const u8 *) hdr, hash) < 0) {
541 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
542 "hash");
543 return NULL;
544 }
545 if (os_memcmp(integ, hash, integ_alg->hash_len) != 0) {
546 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
547 "Data");
548 return NULL;
549 }
550
551 if (SK_e == NULL) {
552 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
553 return NULL;
554 }
555
556 decrypted_len = integ - pos;
557 decrypted = os_malloc(decrypted_len);
558 if (decrypted == NULL)
559 return NULL;
560
561 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
562 decrypted, decrypted_len) < 0) {
563 os_free(decrypted);
564 return NULL;
565 }
566
567 pad_len = decrypted[decrypted_len - 1];
568 if (decrypted_len < pad_len + 1) {
569 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
570 "payload");
571 os_free(decrypted);
572 return NULL;
573 }
574
575 decrypted_len -= pad_len + 1;
576
577 *res_len = decrypted_len;
578 return decrypted;
579 }
580
581
ikev2_update_hdr(struct wpabuf * msg)582 void ikev2_update_hdr(struct wpabuf *msg)
583 {
584 struct ikev2_hdr *hdr;
585
586 /* Update lenth field in HDR */
587 hdr = wpabuf_mhead(msg);
588 WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
589 }
590
591
ikev2_build_encrypted(int encr_id,int integ_id,struct ikev2_keys * keys,int initiator,struct wpabuf * msg,struct wpabuf * plain,u8 next_payload)592 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
593 int initiator, struct wpabuf *msg,
594 struct wpabuf *plain, u8 next_payload)
595 {
596 struct ikev2_payload_hdr *phdr;
597 size_t plen;
598 size_t iv_len, pad_len;
599 u8 *icv, *iv;
600 const struct ikev2_integ_alg *integ_alg;
601 const struct ikev2_encr_alg *encr_alg;
602 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
603 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
604
605 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
606
607 /* Encr - RFC 4306, Sect. 3.14 */
608
609 encr_alg = ikev2_get_encr(encr_id);
610 if (encr_alg == NULL) {
611 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
612 return -1;
613 }
614 iv_len = encr_alg->block_size;
615
616 integ_alg = ikev2_get_integ(integ_id);
617 if (integ_alg == NULL) {
618 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
619 return -1;
620 }
621
622 if (SK_e == NULL) {
623 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
624 return -1;
625 }
626
627 if (SK_a == NULL) {
628 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
629 return -1;
630 }
631
632 phdr = wpabuf_put(msg, sizeof(*phdr));
633 phdr->next_payload = next_payload;
634 phdr->flags = 0;
635
636 iv = wpabuf_put(msg, iv_len);
637 if (random_get_bytes(iv, iv_len)) {
638 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
639 return -1;
640 }
641
642 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
643 if (pad_len == iv_len)
644 pad_len = 0;
645 wpabuf_put(plain, pad_len);
646 wpabuf_put_u8(plain, pad_len);
647
648 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
649 wpabuf_head(plain), wpabuf_mhead(plain),
650 wpabuf_len(plain)) < 0)
651 return -1;
652
653 wpabuf_put_buf(msg, plain);
654
655 /* Need to update all headers (Length fields) prior to hash func */
656 icv = wpabuf_put(msg, integ_alg->hash_len);
657 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
658 WPA_PUT_BE16(phdr->payload_length, plen);
659
660 ikev2_update_hdr(msg);
661
662 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
663 wpabuf_head(msg),
664 wpabuf_len(msg) - integ_alg->hash_len, icv);
665
666 return 0;
667 }
668
669
ikev2_keys_set(struct ikev2_keys * keys)670 int ikev2_keys_set(struct ikev2_keys *keys)
671 {
672 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
673 keys->SK_er && keys->SK_pi && keys->SK_pr;
674 }
675
676
ikev2_free_keys(struct ikev2_keys * keys)677 void ikev2_free_keys(struct ikev2_keys *keys)
678 {
679 os_free(keys->SK_d);
680 os_free(keys->SK_ai);
681 os_free(keys->SK_ar);
682 os_free(keys->SK_ei);
683 os_free(keys->SK_er);
684 os_free(keys->SK_pi);
685 os_free(keys->SK_pr);
686 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
687 keys->SK_pi = keys->SK_pr = NULL;
688 }
689
690
ikev2_derive_sk_keys(const struct ikev2_prf_alg * prf,const struct ikev2_integ_alg * integ,const struct ikev2_encr_alg * encr,const u8 * skeyseed,const u8 * data,size_t data_len,struct ikev2_keys * keys)691 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
692 const struct ikev2_integ_alg *integ,
693 const struct ikev2_encr_alg *encr,
694 const u8 *skeyseed, const u8 *data, size_t data_len,
695 struct ikev2_keys *keys)
696 {
697 u8 *keybuf, *pos;
698 size_t keybuf_len;
699
700 /*
701 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
702 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
703 */
704 ikev2_free_keys(keys);
705 keys->SK_d_len = prf->key_len;
706 keys->SK_integ_len = integ->key_len;
707 keys->SK_encr_len = encr->key_len;
708 keys->SK_prf_len = prf->key_len;
709 #ifdef CCNS_PL
710 /* Uses encryption key length for SK_d; should be PRF length */
711 keys->SK_d_len = keys->SK_encr_len;
712 #endif /* CCNS_PL */
713
714 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
715 2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
716 keybuf = os_malloc(keybuf_len);
717 if (keybuf == NULL)
718 return -1;
719
720 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
721 data, data_len, keybuf, keybuf_len)) {
722 os_free(keybuf);
723 return -1;
724 }
725
726 pos = keybuf;
727
728 keys->SK_d = os_malloc(keys->SK_d_len);
729 if (keys->SK_d) {
730 os_memcpy(keys->SK_d, pos, keys->SK_d_len);
731 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
732 keys->SK_d, keys->SK_d_len);
733 }
734 pos += keys->SK_d_len;
735
736 keys->SK_ai = os_malloc(keys->SK_integ_len);
737 if (keys->SK_ai) {
738 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
739 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
740 keys->SK_ai, keys->SK_integ_len);
741 }
742 pos += keys->SK_integ_len;
743
744 keys->SK_ar = os_malloc(keys->SK_integ_len);
745 if (keys->SK_ar) {
746 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
747 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
748 keys->SK_ar, keys->SK_integ_len);
749 }
750 pos += keys->SK_integ_len;
751
752 keys->SK_ei = os_malloc(keys->SK_encr_len);
753 if (keys->SK_ei) {
754 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
755 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
756 keys->SK_ei, keys->SK_encr_len);
757 }
758 pos += keys->SK_encr_len;
759
760 keys->SK_er = os_malloc(keys->SK_encr_len);
761 if (keys->SK_er) {
762 os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
763 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
764 keys->SK_er, keys->SK_encr_len);
765 }
766 pos += keys->SK_encr_len;
767
768 keys->SK_pi = os_malloc(keys->SK_prf_len);
769 if (keys->SK_pi) {
770 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
771 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
772 keys->SK_pi, keys->SK_prf_len);
773 }
774 pos += keys->SK_prf_len;
775
776 keys->SK_pr = os_malloc(keys->SK_prf_len);
777 if (keys->SK_pr) {
778 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
779 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
780 keys->SK_pr, keys->SK_prf_len);
781 }
782
783 os_free(keybuf);
784
785 if (!ikev2_keys_set(keys)) {
786 ikev2_free_keys(keys);
787 return -1;
788 }
789
790 return 0;
791 }
792