eap_ikev2_common.c

00016 #include "includes.h"
00017 
00018 #include "common.h"
00019 #include "eap_defs.h"
00020 #include "eap_common.h"
00021 #include "ikev2_common.h"
00022 #include "eap_ikev2_common.h"
00023 
00024 
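/**
 * eap_ikev2_derive_keymat - Derive EAP-IKEv2 keying material
 * @prf: PRF transform identifier, passed through to ikev2_prf_plus()
 * @keys: IKEv2 keys; SK_d / SK_d_len are used as the PRF key
 * @i_nonce: Initiator nonce (Ni)
 * @i_nonce_len: Length of i_nonce in bytes
 * @r_nonce: Responder nonce (Nr)
 * @r_nonce_len: Length of r_nonce in bytes
 * @keymat: Output buffer with room for EAP_MSK_LEN + EAP_EMSK_LEN bytes
 * Returns: 0 on success, -1 on failure
 *
 * KEYMAT = prf+(SK_d, Ni | Nr)
 *
 * The caller owns keymat; on failure its contents must not be used as key
 * material.
 */
int eap_ikev2_derive_keymat(int prf, struct ikev2_keys *keys,
			    const u8 *i_nonce, size_t i_nonce_len,
			    const u8 *r_nonce, size_t r_nonce_len,
			    u8 *keymat)
{
	u8 *nonces;
	size_t nlen;
	int failed;

	if (keys == NULL || keys->SK_d == NULL || i_nonce == NULL ||
	    r_nonce == NULL || keymat == NULL)
		return -1;

	/*
	 * The nonce lengths come from the peer's messages. Reject a sum that
	 * wraps size_t: a wrapped nlen would make the allocation smaller than
	 * the two copies below.
	 */
	nlen = i_nonce_len + r_nonce_len;
	if (nlen < i_nonce_len)
		return -1;

	nonces = os_malloc(nlen);
	if (nonces == NULL)
		return -1;

	/* Build the PRF seed Ni | Nr */
	os_memcpy(nonces, i_nonce, i_nonce_len);
	os_memcpy(nonces + i_nonce_len, r_nonce, r_nonce_len);

	failed = ikev2_prf_plus(prf, keys->SK_d, keys->SK_d_len, nonces, nlen,
				keymat, EAP_MSK_LEN + EAP_EMSK_LEN);
	/* Single release point for the temporary seed buffer */
	os_free(nonces);
	if (failed)
		return -1;

	/*
	 * This hands the derived MSK | EMSK to the debug log helper; whether
	 * the key bytes are actually printed is decided inside
	 * wpa_hexdump_key(), which is not visible here. Debug output from this
	 * path should be handled as sensitive.
	 */
	wpa_hexdump_key(MSG_DEBUG, "EAP-IKEV2: KEYMAT",
			keymat, EAP_MSK_LEN + EAP_EMSK_LEN);

	return 0;
}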
00056 
00057 
/**
 * eap_ikev2_build_frag_ack - Build an EAP-IKEv2 fragment acknowledgement
 * @id: EAP identifier for the message
 * @code: EAP code for the message
 * Returns: Allocated message, or %NULL if allocation failed
 *
 * Builds with CCNS_PL defined carry a single zero Flags octet as payload;
 * all other builds send an empty payload.
 */
struct wpabuf * eap_ikev2_build_frag_ack(u8 id, u8 code)
{
#ifdef CCNS_PL
	const size_t payload_len = 1; /* room for the Flags octet */
#else /* CCNS_PL */
	const size_t payload_len = 0;
#endif /* CCNS_PL */
	struct wpabuf *ack;

	ack = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_IKEV2, payload_len,
			    code, id);
	if (ack == NULL) {
		wpa_printf(MSG_ERROR, "EAP-IKEV2: Failed to allocate memory "
			   "for fragment ack");
		return NULL;
	}

#ifdef CCNS_PL
	wpabuf_put_u8(ack, 0); /* Flags */
#endif /* CCNS_PL */

	wpa_printf(MSG_DEBUG, "EAP-IKEV2: Send fragment ack");

	return ack;
}
00083 
00084 
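/**
 * eap_ikev2_validate_icv - Verify the Integrity Checksum Data of a message
 * @integ_alg: Integrity transform identifier
 * @keys: IKEv2 keys; SK_ai or SK_ar is used depending on @initiator
 * @initiator: Non-zero to verify with SK_ai, zero to verify with SK_ar
 * @msg: Complete received message; the ICV is computed over everything
 *	except its last icv_len bytes
 * @pos: Current parse position in the message
 * @end: End of the message data; the received ICV is the icv_len bytes
 *	immediately before this pointer
 * Returns: ICV length in bytes on success, -1 on failure
 */
int eap_ikev2_validate_icv(int integ_alg, struct ikev2_keys *keys,
			   int initiator, const struct wpabuf *msg,
			   const u8 *pos, const u8 *end)
{
	const struct ikev2_integ_alg *integ;
	size_t icv_len, i;
	u8 icv[IKEV2_MAX_HASH_LEN];
	u8 diff = 0;
	const u8 *rx_icv;
	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;

	integ = ikev2_get_integ(integ_alg);
	if (integ == NULL) {
		wpa_printf(MSG_DEBUG, "EAP-IKEV2: Unknown INTEG "
			   "transform / cannot validate ICV");
		return -1;
	}
	icv_len = integ->hash_len;

	/*
	 * The local icv[] buffer is compared over icv_len bytes below, so a
	 * transform reporting a longer hash must be rejected up front.
	 */
	if (icv_len > sizeof(icv)) {
		wpa_printf(MSG_DEBUG, "EAP-IKEV2: Unsupported ICV length");
		return -1;
	}

	/*
	 * Both the remaining parse window and the whole message must be able
	 * to hold an ICV; the second test keeps wpabuf_len(msg) - icv_len
	 * from wrapping around when the message is shorter than the ICV.
	 */
	if (end - pos < (int) icv_len || wpabuf_len(msg) < icv_len) {
		wpa_printf(MSG_DEBUG, "EAP-IKEV2: Not enough room in the "
			   "message for Integrity Checksum Data");
		return -1;
	}
	rx_icv = end - icv_len;

	if (SK_a == NULL) {
		wpa_printf(MSG_DEBUG, "EAP-IKEV2: No SK_a for ICV validation");
		return -1;
	}

	if (ikev2_integ_hash(integ_alg, SK_a, keys->SK_integ_len,
			     wpabuf_head(msg),
			     wpabuf_len(msg) - icv_len, icv) < 0) {
		wpa_printf(MSG_INFO, "EAP-IKEV2: Could not calculate ICV");
		return -1;
	}

	/*
	 * Compare every byte regardless of where the first mismatch is, so
	 * the time taken does not reveal how many leading bytes of a
	 * peer-supplied ICV were correct (an early-exit memcmp would).
	 */
	for (i = 0; i < icv_len; i++)
		diff |= icv[i] ^ rx_icv[i];

	if (diff != 0) {
		wpa_printf(MSG_INFO, "EAP-IKEV2: Invalid ICV");
		/*
		 * NOTE(review): this writes the expected ICV for a rejected
		 * message to the debug log; debug logs from this path should
		 * be treated as sensitive.
		 */
		wpa_hexdump(MSG_DEBUG, "EAP-IKEV2: Calculated ICV",
			    icv, icv_len);
		wpa_hexdump(MSG_DEBUG, "EAP-IKEV2: Received ICV",
			    rx_icv, icv_len);
		return -1;
	}

	wpa_printf(MSG_DEBUG, "EAP-IKEV2: Valid Integrity Checksum Data in "
		   "the received message");

	return (int) icv_len;
}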
00134 