2 * IKEv2 common routines for initiator and responder
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
18 #include "crypto/crypto.h"
19 #include "crypto/md5.h"
20 #include "crypto/sha1.h"
21 #include "ikev2_common.h"
24 static struct ikev2_integ_alg ikev2_integ_algs[] = {
25 { AUTH_HMAC_SHA1_96, 20, 12 },
26 { AUTH_HMAC_MD5_96, 16, 12 }
29 #define NUM_INTEG_ALGS (sizeof(ikev2_integ_algs) / sizeof(ikev2_integ_algs[0]))
32 static struct ikev2_prf_alg ikev2_prf_algs[] = {
33 { PRF_HMAC_SHA1, 20, 20 },
34 { PRF_HMAC_MD5, 16, 16 }
37 #define NUM_PRF_ALGS (sizeof(ikev2_prf_algs) / sizeof(ikev2_prf_algs[0]))
40 static struct ikev2_encr_alg ikev2_encr_algs[] = {
41 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
45 #define NUM_ENCR_ALGS (sizeof(ikev2_encr_algs) / sizeof(ikev2_encr_algs[0]))
48 const struct ikev2_integ_alg * ikev2_get_integ(int id)
52 for (i = 0; i < NUM_INTEG_ALGS; i++) {
53 if (ikev2_integ_algs[i].id == id)
54 return &ikev2_integ_algs[i];
61 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
62 size_t data_len, u8 *hash)
64 u8 tmphash[IKEV2_MAX_HASH_LEN];
67 case AUTH_HMAC_SHA1_96:
70 hmac_sha1(key, key_len, data, data_len, tmphash);
71 os_memcpy(hash, tmphash, 12);
73 case AUTH_HMAC_MD5_96:
76 hmac_md5(key, key_len, data, data_len, tmphash);
77 os_memcpy(hash, tmphash, 12);
87 const struct ikev2_prf_alg * ikev2_get_prf(int id)
91 for (i = 0; i < NUM_PRF_ALGS; i++) {
92 if (ikev2_prf_algs[i].id == id)
93 return &ikev2_prf_algs[i];
100 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
101 size_t num_elem, const u8 *addr[], const size_t *len,
106 hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
109 hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
119 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
120 const u8 *data, size_t data_len,
121 u8 *out, size_t out_len)
123 u8 hash[IKEV2_MAX_HASH_LEN];
128 const struct ikev2_prf_alg *prf;
131 prf = ikev2_get_prf(alg);
134 hash_len = prf->hash_len;
149 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
152 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
157 if ((int) clen > end - pos)
159 os_memcpy(pos, hash, clen);
168 const struct ikev2_encr_alg * ikev2_get_encr(int id)
172 for (i = 0; i < NUM_ENCR_ALGS; i++) {
173 if (ikev2_encr_algs[i].id == id)
174 return &ikev2_encr_algs[i];
188 void des3_key_setup(const u8 *key, struct des3_key_s *dkey);
189 void des3_encrypt(const u8 *plain, const struct des3_key_s *key, u8 *crypt);
190 void des3_decrypt(const u8 *crypt, const struct des3_key_s *key, u8 *plain);
194 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
195 const u8 *plain, u8 *crypt, size_t len)
197 struct crypto_cipher *cipher;
201 if (alg == ENCR_3DES) {
202 struct des3_key_s des3key;
206 /* ECB mode is used incorrectly for 3DES!? */
208 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
211 des3_key_setup(key, &des3key);
215 for (i = 0; i < blocks; i++) {
216 des3_encrypt(pos, &des3key, pos);
223 encr_alg = CRYPTO_CIPHER_ALG_3DES;
226 encr_alg = CRYPTO_CIPHER_ALG_AES;
229 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
233 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
234 if (cipher == NULL) {
235 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
239 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
240 wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
241 crypto_cipher_deinit(cipher);
244 crypto_cipher_deinit(cipher);
253 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
254 const u8 *crypt, u8 *plain, size_t len)
256 struct crypto_cipher *cipher;
260 if (alg == ENCR_3DES) {
261 struct des3_key_s des3key;
264 /* ECB mode is used incorrectly for 3DES!? */
266 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
269 des3_key_setup(key, &des3key);
272 wpa_printf(MSG_INFO, "IKEV2: Invalid encrypted "
277 for (i = 0; i < blocks; i++) {
278 des3_decrypt(crypt, &des3key, plain);
286 encr_alg = CRYPTO_CIPHER_ALG_3DES;
289 encr_alg = CRYPTO_CIPHER_ALG_AES;
292 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
296 cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
297 if (cipher == NULL) {
298 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
302 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
303 wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
304 crypto_cipher_deinit(cipher);
307 crypto_cipher_deinit(cipher);
316 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
317 u8 next_payload, const u8 *pos, const u8 *end)
319 const struct ikev2_payload_hdr *phdr;
321 os_memset(payloads, 0, sizeof(*payloads));
323 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
326 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
328 if (end - pos < (int) sizeof(*phdr)) {
329 wpa_printf(MSG_INFO, "IKEV2: Too short message for "
330 "payload header (left=%ld)",
333 phdr = (const struct ikev2_payload_hdr *) pos;
334 plen = WPA_GET_BE16(phdr->payload_length);
335 if (plen < (int) sizeof(*phdr) || pos + plen > end) {
336 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header "
341 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x"
342 " Payload Length: %d",
343 phdr->next_payload, phdr->flags, plen);
345 pdata = (const u8 *) (phdr + 1);
346 pdatalen = plen - sizeof(*phdr);
348 switch (next_payload) {
349 case IKEV2_PAYLOAD_SA:
350 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security "
352 payloads->sa = pdata;
353 payloads->sa_len = pdatalen;
355 case IKEV2_PAYLOAD_KEY_EXCHANGE:
356 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key "
358 payloads->ke = pdata;
359 payloads->ke_len = pdatalen;
361 case IKEV2_PAYLOAD_IDi:
362 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi");
363 payloads->idi = pdata;
364 payloads->idi_len = pdatalen;
366 case IKEV2_PAYLOAD_IDr:
367 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr");
368 payloads->idr = pdata;
369 payloads->idr_len = pdatalen;
371 case IKEV2_PAYLOAD_CERTIFICATE:
372 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate");
373 payloads->cert = pdata;
374 payloads->cert_len = pdatalen;
376 case IKEV2_PAYLOAD_AUTHENTICATION:
377 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
379 payloads->auth = pdata;
380 payloads->auth_len = pdatalen;
382 case IKEV2_PAYLOAD_NONCE:
383 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce");
384 payloads->nonce = pdata;
385 payloads->nonce_len = pdatalen;
387 case IKEV2_PAYLOAD_ENCRYPTED:
388 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted");
389 payloads->encrypted = pdata;
390 payloads->encrypted_len = pdatalen;
392 case IKEV2_PAYLOAD_NOTIFICATION:
393 wpa_printf(MSG_DEBUG, "IKEV2: Payload: "
395 payloads->notification = pdata;
396 payloads->notification_len = pdatalen;
399 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
400 wpa_printf(MSG_INFO, "IKEV2: Unsupported "
401 "critical payload %u - reject the "
402 "entire message", next_payload);
405 wpa_printf(MSG_DEBUG, "IKEV2: Skipped "
406 "unsupported payload %u",
411 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
414 * Next Payload in the case of Encrypted Payload is
415 * actually the payload type for the first embedded
418 payloads->encr_next_payload = phdr->next_payload;
419 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
421 next_payload = phdr->next_payload;
427 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
436 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
437 const u8 *ID, size_t ID_len, u8 ID_type,
438 struct ikev2_keys *keys, int initiator,
439 const u8 *shared_secret, size_t shared_secret_len,
440 const u8 *nonce, size_t nonce_len,
441 const u8 *key_pad, size_t key_pad_len,
444 size_t sign_len, buf_len;
445 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
446 const struct ikev2_prf_alg *prf;
447 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
449 prf = ikev2_get_prf(prf_alg);
450 if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
451 shared_secret == NULL || nonce == NULL || prf == NULL)
454 /* prf(SK_pi/r,IDi/r') */
455 buf_len = 4 + ID_len;
456 buf = os_zalloc(buf_len);
460 os_memcpy(buf + 4, ID, ID_len);
461 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
462 1, (const u8 **) &buf, &buf_len, hash) < 0) {
468 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
469 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
470 sign_data = os_malloc(sign_len);
471 if (sign_data == NULL)
474 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
475 pos += wpabuf_len(sign_msg);
476 os_memcpy(pos, nonce, nonce_len);
478 os_memcpy(pos, hash, prf->hash_len);
480 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
481 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
482 &key_pad, &key_pad_len, hash) < 0 ||
483 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
484 (const u8 **) &sign_data, &sign_len, auth_data) < 0)
495 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
496 struct ikev2_keys *keys, int initiator,
497 const struct ikev2_hdr *hdr,
498 const u8 *encrypted, size_t encrypted_len,
502 const u8 *pos, *end, *iv, *integ;
503 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
504 size_t decrypted_len, pad_len;
505 const struct ikev2_integ_alg *integ_alg;
506 const struct ikev2_encr_alg *encr_alg;
507 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
508 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
510 if (encrypted == NULL) {
511 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
515 encr_alg = ikev2_get_encr(encr_id);
516 if (encr_alg == NULL) {
517 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
520 iv_len = encr_alg->block_size;
522 integ_alg = ikev2_get_integ(integ_id);
523 if (integ_alg == NULL) {
524 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
528 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
529 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
536 end = encrypted + encrypted_len;
537 integ = end - integ_alg->hash_len;
540 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
543 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
545 integ - (const u8 *) hdr, hash) < 0) {
546 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
550 if (os_memcmp(integ, hash, integ_alg->hash_len) != 0) {
551 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
557 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
561 decrypted_len = integ - pos;
562 decrypted = os_malloc(decrypted_len);
563 if (decrypted == NULL)
566 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
567 decrypted, decrypted_len) < 0) {
572 pad_len = decrypted[decrypted_len - 1];
573 if (decrypted_len < pad_len + 1) {
574 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
580 decrypted_len -= pad_len + 1;
582 *res_len = decrypted_len;
587 void ikev2_update_hdr(struct wpabuf *msg)
589 struct ikev2_hdr *hdr;
591 /* Update lenth field in HDR */
592 hdr = wpabuf_mhead(msg);
593 WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
597 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
598 int initiator, struct wpabuf *msg,
599 struct wpabuf *plain, u8 next_payload)
601 struct ikev2_payload_hdr *phdr;
603 size_t iv_len, pad_len;
605 const struct ikev2_integ_alg *integ_alg;
606 const struct ikev2_encr_alg *encr_alg;
607 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
608 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
610 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
612 /* Encr - RFC 4306, Sect. 3.14 */
614 encr_alg = ikev2_get_encr(encr_id);
615 if (encr_alg == NULL) {
616 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
619 iv_len = encr_alg->block_size;
621 integ_alg = ikev2_get_integ(integ_id);
622 if (integ_alg == NULL) {
623 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
628 wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
633 wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
637 phdr = wpabuf_put(msg, sizeof(*phdr));
638 phdr->next_payload = next_payload;
641 iv = wpabuf_put(msg, iv_len);
642 if (os_get_random(iv, iv_len)) {
643 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
647 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
648 if (pad_len == iv_len)
650 wpabuf_put(plain, pad_len);
651 wpabuf_put_u8(plain, pad_len);
653 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
654 wpabuf_head(plain), wpabuf_mhead(plain),
655 wpabuf_len(plain)) < 0)
658 wpabuf_put_buf(msg, plain);
660 /* Need to update all headers (Length fields) prior to hash func */
661 icv = wpabuf_put(msg, integ_alg->hash_len);
662 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
663 WPA_PUT_BE16(phdr->payload_length, plen);
665 ikev2_update_hdr(msg);
667 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
669 wpabuf_len(msg) - integ_alg->hash_len, icv);
675 int ikev2_keys_set(struct ikev2_keys *keys)
677 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
678 keys->SK_er && keys->SK_pi && keys->SK_pr;
682 void ikev2_free_keys(struct ikev2_keys *keys)
685 os_free(keys->SK_ai);
686 os_free(keys->SK_ar);
687 os_free(keys->SK_ei);
688 os_free(keys->SK_er);
689 os_free(keys->SK_pi);
690 os_free(keys->SK_pr);
691 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
692 keys->SK_pi = keys->SK_pr = NULL;
696 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
697 const struct ikev2_integ_alg *integ,
698 const struct ikev2_encr_alg *encr,
699 const u8 *skeyseed, const u8 *data, size_t data_len,
700 struct ikev2_keys *keys)
706 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
707 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
709 ikev2_free_keys(keys);
710 keys->SK_d_len = prf->key_len;
711 keys->SK_integ_len = integ->key_len;
712 keys->SK_encr_len = encr->key_len;
713 keys->SK_prf_len = prf->key_len;
715 /* Uses encryption key length for SK_d; should be PRF length */
716 keys->SK_d_len = keys->SK_encr_len;
719 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
720 2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
721 keybuf = os_malloc(keybuf_len);
725 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
726 data, data_len, keybuf, keybuf_len)) {
733 keys->SK_d = os_malloc(keys->SK_d_len);
735 os_memcpy(keys->SK_d, pos, keys->SK_d_len);
736 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
737 keys->SK_d, keys->SK_d_len);
739 pos += keys->SK_d_len;
741 keys->SK_ai = os_malloc(keys->SK_integ_len);
743 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
744 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
745 keys->SK_ai, keys->SK_integ_len);
747 pos += keys->SK_integ_len;
749 keys->SK_ar = os_malloc(keys->SK_integ_len);
751 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
752 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
753 keys->SK_ar, keys->SK_integ_len);
755 pos += keys->SK_integ_len;
757 keys->SK_ei = os_malloc(keys->SK_encr_len);
759 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
760 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
761 keys->SK_ei, keys->SK_encr_len);
763 pos += keys->SK_encr_len;
765 keys->SK_er = os_malloc(keys->SK_encr_len);
767 os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
768 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
769 keys->SK_er, keys->SK_encr_len);
771 pos += keys->SK_encr_len;
773 keys->SK_pi = os_malloc(keys->SK_prf_len);
775 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
776 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
777 keys->SK_pi, keys->SK_prf_len);
779 pos += keys->SK_prf_len;
781 keys->SK_pr = os_malloc(keys->SK_prf_len);
783 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
784 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
785 keys->SK_pr, keys->SK_prf_len);
790 if (!ikev2_keys_set(keys)) {
791 ikev2_free_keys(keys);