From 5e7fdceeb953c09584d6395dc077690c4500c030 Mon Sep 17 00:00:00 2001 From: Domenico Verde <domenico.verde.96@xxxxxxxxxxxxxxxxxx> Date: Fri, 4 Jul 2025 16:07:23 +0200 Subject: [PATCH] IKEv2: Add support for null encryption This patch adds support for null encryption (ENC_NULL) in IKEv2, as described in RFC 2410. The patch implements the null cipher by reusing the OpenSSL EVP_enc_null() function, adding support for ENC_NULL in both encrypt and decrypt operations. As specified in RFC 2410: - The cipher does not use an IV, so an explicit check prevents a potential floating point exception. - Padding is not required; so a pad length field with value 0 is appended to the ciphertext. Null encryption can be useful for (1) debugging purposes and (2) supporting emerging scenarios, such as 5G networks, where the TNGF (Trusted Non-3GPP Gateway Function) leverages IKEv2 with null encryption. Tested with Free5GC (v4.0.1) using wpa_supplicant. Signed-off-by: Domenico Verde <domenico.verde.96@xxxxxxxxxxxxxxxxxx>
---
 src/crypto/crypto_openssl.c | 5 +++++
 src/eap_common/ikev2_common.c | 20 +++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index 2efe3ed94..d99572ec0 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -966,6 +966,11 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg,
 cipher = EVP_rc2_ecb();
 break;
 #endif /* OPENSSL_NO_RC2 */
+#ifndef OPENSSL_NO_NULL
+ case CRYPTO_CIPHER_NULL:
+ cipher = EVP_enc_null();
+ break;
+#endif /* OPENSSL_NO_NULL */
 default:
 os_free(ctx);
 return NULL;
diff --git a/src/eap_common/ikev2_common.c b/src/eap_common/ikev2_common.c
index 90fb89e24..47d3e1c35 100644
--- a/src/eap_common/ikev2_common.c
+++ b/src/eap_common/ikev2_common.c
@@ -34,7 +34,8 @@ static const struct ikev2_prf_alg ikev2_prf_algs[] = {
 static const struct ikev2_encr_alg ikev2_encr_algs[] = {
 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
- { ENCR_3DES, 24, 8 }
+ { ENCR_3DES, 24, 8 },
+ { ENCR_NULL, 0, 0 }
 };
 #define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs)
@@ -185,6 +186,9 @@ int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
 case ENCR_AES_CBC:
 encr_alg = CRYPTO_CIPHER_ALG_AES;
 break;
+ case ENCR_NULL:
+ encr_alg = CRYPTO_CIPHER_NULL;
+ break;
 default:
 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
 return -1;
@@ -220,6 +224,9 @@ int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
 case ENCR_AES_CBC:
 encr_alg = CRYPTO_CIPHER_ALG_AES;
 break;
+ case ENCR_NULL:
+ encr_alg = CRYPTO_CIPHER_NULL;
+ break;
 default:
 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
 return -1;
@@ -577,9 +584,16 @@ int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
 return -1;
 }
- pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
- if (pad_len == iv_len)
+ if (iv_len != 0) {
+ // Prevent floating point exception when iv is not used
+ pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
+ if (pad_len == iv_len)
+ pad_len = 0;
+ } else {
+ // Avoid to use padding when not necessary
 pad_len = 0;
+ }
+
 wpabuf_put(plain, pad_len);
 wpabuf_put_u8(plain, pad_len);
-- 
2.34.1
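Review bot: The new `{ ENCR_NULL, 0, 0 }` entry in `ikev2_encr_algs` is unconditional, so null encryption becomes a supported transform in every build with no opt-in. If proposal matching consults this table (that code is outside the diff), a peer could negotiate an exchange whose Encrypted payload contents are sent in clear with integrity protection only; as far as I recall the IANA IKEv2 transform registry marks ENCR_NULL as not allowed for IKE itself, which should be confirmed before this is on by default. I would gate the entry behind a build or configuration switch that defaults to off (for example `#ifdef CONFIG_IKEV2_NULL_ENCR`, a placeholder name) and log at a visible level when the null transform is selected. The entry is also independent of the `crypto_openssl.c` hunk: where `crypto_cipher_init()` falls into its `default:` branch (builds with `OPENSSL_NO_NULL`, and presumably other crypto backends), ENCR_NULL would be listed here and then fail only when the cipher is initialised.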
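Review bot: The two comments added in the `iv_len` branch of `ikev2_build_encrypted()` use `//` and call the fault a floating point exception, while the guarded operation is an integer modulo by zero and the file's visible comment (`/* only 128-bit keys supported for now */`) is block style. I would write `/* Null cipher: block size is 0, so skip the modulo (division by zero) */` and `/* No padding needed; Pad Length is 0 */`. The guard covers the build side only; the receive path that parses the Encrypted payload is not part of this diff and should be checked for the same zero block size case. The function starts and ends outside the hunk.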