1/*
2 * IKEv2 common routines for initiator and responder
3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9#include "includes.h"
10
11#include "common.h"
12#include "crypto/crypto.h"
13#include "crypto/md5.h"
14#include "crypto/sha1.h"
15#include "crypto/random.h"
16#include "ikev2_common.h"
17
18
19static const struct ikev2_integ_alg ikev2_integ_algs[] = {
20	{ AUTH_HMAC_SHA1_96, 20, 12 },
21	{ AUTH_HMAC_MD5_96, 16, 12 }
22};
23
24#define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs)
25
26
27static const struct ikev2_prf_alg ikev2_prf_algs[] = {
28	{ PRF_HMAC_SHA1, 20, 20 },
29	{ PRF_HMAC_MD5, 16, 16 }
30};
31
32#define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs)
33
34
35static const struct ikev2_encr_alg ikev2_encr_algs[] = {
36	{ ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
37	{ ENCR_3DES, 24, 8 }
38};
39
40#define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs)
41
42
43const struct ikev2_integ_alg * ikev2_get_integ(int id)
44{
45	size_t i;
46
47	for (i = 0; i < NUM_INTEG_ALGS; i++) {
48		if (ikev2_integ_algs[i].id == id)
49			return &ikev2_integ_algs[i];
50	}
51
52	return NULL;
53}
54
55
56int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
57		     size_t data_len, u8 *hash)
58{
59	u8 tmphash[IKEV2_MAX_HASH_LEN];
60
61	switch (alg) {
62	case AUTH_HMAC_SHA1_96:
63		if (key_len != 20)
64			return -1;
65		hmac_sha1(key, key_len, data, data_len, tmphash);
66		os_memcpy(hash, tmphash, 12);
67		break;
68	case AUTH_HMAC_MD5_96:
69		if (key_len != 16)
70			return -1;
71		hmac_md5(key, key_len, data, data_len, tmphash);
72		os_memcpy(hash, tmphash, 12);
73		break;
74	default:
75		return -1;
76	}
77
78	return 0;
79}
80
81
82const struct ikev2_prf_alg * ikev2_get_prf(int id)
83{
84	size_t i;
85
86	for (i = 0; i < NUM_PRF_ALGS; i++) {
87		if (ikev2_prf_algs[i].id == id)
88			return &ikev2_prf_algs[i];
89	}
90
91	return NULL;
92}
93
94
95int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
96		   size_t num_elem, const u8 *addr[], const size_t *len,
97		   u8 *hash)
98{
99	switch (alg) {
100	case PRF_HMAC_SHA1:
101		hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
102		break;
103	case PRF_HMAC_MD5:
104		hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
105		break;
106	default:
107		return -1;
108	}
109
110	return 0;
111}
112
113
114int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
115		   const u8 *data, size_t data_len,
116		   u8 *out, size_t out_len)
117{
118	u8 hash[IKEV2_MAX_HASH_LEN];
119	size_t hash_len;
120	u8 iter, *pos, *end;
121	const u8 *addr[3];
122	size_t len[3];
123	const struct ikev2_prf_alg *prf;
124	int res;
125
126	prf = ikev2_get_prf(alg);
127	if (prf == NULL)
128		return -1;
129	hash_len = prf->hash_len;
130
131	addr[0] = hash;
132	len[0] = hash_len;
133	addr[1] = data;
134	len[1] = data_len;
135	addr[2] = &iter;
136	len[2] = 1;
137
138	pos = out;
139	end = out + out_len;
140	iter = 1;
141	while (pos < end) {
142		size_t clen;
143		if (iter == 1)
144			res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
145					     &len[1], hash);
146		else
147			res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
148					     hash);
149		if (res < 0)
150			return -1;
151		clen = hash_len;
152		if ((int) clen > end - pos)
153			clen = end - pos;
154		os_memcpy(pos, hash, clen);
155		pos += clen;
156		iter++;
157	}
158
159	return 0;
160}
161
162
163const struct ikev2_encr_alg * ikev2_get_encr(int id)
164{
165	size_t i;
166
167	for (i = 0; i < NUM_ENCR_ALGS; i++) {
168		if (ikev2_encr_algs[i].id == id)
169			return &ikev2_encr_algs[i];
170	}
171
172	return NULL;
173}
174
175
176int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
177		       const u8 *plain, u8 *crypt, size_t len)
178{
179	struct crypto_cipher *cipher;
180	int encr_alg;
181
182	switch (alg) {
183	case ENCR_3DES:
184		encr_alg = CRYPTO_CIPHER_ALG_3DES;
185		break;
186	case ENCR_AES_CBC:
187		encr_alg = CRYPTO_CIPHER_ALG_AES;
188		break;
189	default:
190		wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
191		return -1;
192	}
193
194	cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
195	if (cipher == NULL) {
196		wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
197		return -1;
198	}
199
200	if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
201		wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
202		crypto_cipher_deinit(cipher);
203		return -1;
204	}
205	crypto_cipher_deinit(cipher);
206
207	return 0;
208}
209
210
211int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
212		       const u8 *crypt, u8 *plain, size_t len)
213{
214	struct crypto_cipher *cipher;
215	int encr_alg;
216
217	switch (alg) {
218	case ENCR_3DES:
219		encr_alg = CRYPTO_CIPHER_ALG_3DES;
220		break;
221	case ENCR_AES_CBC:
222		encr_alg = CRYPTO_CIPHER_ALG_AES;
223		break;
224	default:
225		wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
226		return -1;
227	}
228
229	cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
230	if (cipher == NULL) {
231		wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
232		return -1;
233	}
234
235	if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
236		wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
237		crypto_cipher_deinit(cipher);
238		return -1;
239	}
240	crypto_cipher_deinit(cipher);
241
242	return 0;
243}
244
245
246int ikev2_parse_payloads(struct ikev2_payloads *payloads,
247			 u8 next_payload, const u8 *pos, const u8 *end)
248{
249	const struct ikev2_payload_hdr *phdr;
250
251	os_memset(payloads, 0, sizeof(*payloads));
252
253	while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
254		unsigned int plen, pdatalen, left;
255		const u8 *pdata;
256		wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
257			   next_payload);
258		if (end < pos)
259			return -1;
260		left = end - pos;
261		if (left < sizeof(*phdr)) {
262			wpa_printf(MSG_INFO, "IKEV2:   Too short message for "
263				   "payload header (left=%ld)",
264				   (long) (end - pos));
265			return -1;
266		}
267		phdr = (const struct ikev2_payload_hdr *) pos;
268		plen = WPA_GET_BE16(phdr->payload_length);
269		if (plen < sizeof(*phdr) || plen > left) {
270			wpa_printf(MSG_INFO, "IKEV2:   Invalid payload header "
271				   "length %d", plen);
272			return -1;
273		}
274
275		wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Flags: 0x%x"
276			   "  Payload Length: %u",
277			   phdr->next_payload, phdr->flags, plen);
278
279		pdata = (const u8 *) (phdr + 1);
280		pdatalen = plen - sizeof(*phdr);
281
282		switch (next_payload) {
283		case IKEV2_PAYLOAD_SA:
284			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Security "
285				   "Association");
286			payloads->sa = pdata;
287			payloads->sa_len = pdatalen;
288			break;
289		case IKEV2_PAYLOAD_KEY_EXCHANGE:
290			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Key "
291				   "Exchange");
292			payloads->ke = pdata;
293			payloads->ke_len = pdatalen;
294			break;
295		case IKEV2_PAYLOAD_IDi:
296			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDi");
297			payloads->idi = pdata;
298			payloads->idi_len = pdatalen;
299			break;
300		case IKEV2_PAYLOAD_IDr:
301			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDr");
302			payloads->idr = pdata;
303			payloads->idr_len = pdatalen;
304			break;
305		case IKEV2_PAYLOAD_CERTIFICATE:
306			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Certificate");
307			payloads->cert = pdata;
308			payloads->cert_len = pdatalen;
309			break;
310		case IKEV2_PAYLOAD_AUTHENTICATION:
311			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
312				   "Authentication");
313			payloads->auth = pdata;
314			payloads->auth_len = pdatalen;
315			break;
316		case IKEV2_PAYLOAD_NONCE:
317			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Nonce");
318			payloads->nonce = pdata;
319			payloads->nonce_len = pdatalen;
320			break;
321		case IKEV2_PAYLOAD_ENCRYPTED:
322			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Encrypted");
323			payloads->encrypted = pdata;
324			payloads->encrypted_len = pdatalen;
325			break;
326		case IKEV2_PAYLOAD_NOTIFICATION:
327			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
328				   "Notification");
329			payloads->notification = pdata;
330			payloads->notification_len = pdatalen;
331			break;
332		default:
333			if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
334				wpa_printf(MSG_INFO, "IKEV2:   Unsupported "
335					   "critical payload %u - reject the "
336					   "entire message", next_payload);
337				return -1;
338			} else {
339				wpa_printf(MSG_DEBUG, "IKEV2:   Skipped "
340					   "unsupported payload %u",
341					   next_payload);
342			}
343		}
344
345		if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
346		    pos + plen == end) {
347			/*
348			 * Next Payload in the case of Encrypted Payload is
349			 * actually the payload type for the first embedded
350			 * payload.
351			 */
352			payloads->encr_next_payload = phdr->next_payload;
353			next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
354		} else
355			next_payload = phdr->next_payload;
356
357		pos += plen;
358	}
359
360	if (pos != end) {
361		wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
362			   "payloads");
363		return -1;
364	}
365
366	return 0;
367}
368
369
370int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
371			   const u8 *ID, size_t ID_len, u8 ID_type,
372			   struct ikev2_keys *keys, int initiator,
373			   const u8 *shared_secret, size_t shared_secret_len,
374			   const u8 *nonce, size_t nonce_len,
375			   const u8 *key_pad, size_t key_pad_len,
376			   u8 *auth_data)
377{
378	size_t sign_len, buf_len;
379	u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
380	const struct ikev2_prf_alg *prf;
381	const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
382
383	prf = ikev2_get_prf(prf_alg);
384	if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
385	    shared_secret == NULL || nonce == NULL || prf == NULL)
386		return -1;
387
388	/* prf(SK_pi/r,IDi/r') */
389	buf_len = 4 + ID_len;
390	buf = os_zalloc(buf_len);
391	if (buf == NULL)
392		return -1;
393	buf[0] = ID_type;
394	os_memcpy(buf + 4, ID, ID_len);
395	if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
396			   1, (const u8 **) &buf, &buf_len, hash) < 0) {
397		os_free(buf);
398		return -1;
399	}
400	os_free(buf);
401
402	/* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
403	sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
404	sign_data = os_malloc(sign_len);
405	if (sign_data == NULL)
406		return -1;
407	pos = sign_data;
408	os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
409	pos += wpabuf_len(sign_msg);
410	os_memcpy(pos, nonce, nonce_len);
411	pos += nonce_len;
412	os_memcpy(pos, hash, prf->hash_len);
413
414	/* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
415	if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
416			   &key_pad, &key_pad_len, hash) < 0 ||
417	    ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
418			   (const u8 **) &sign_data, &sign_len, auth_data) < 0)
419	{
420		os_free(sign_data);
421		return -1;
422	}
423	os_free(sign_data);
424
425	return 0;
426}
427
428
429u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
430			   struct ikev2_keys *keys, int initiator,
431			   const struct ikev2_hdr *hdr,
432			   const u8 *encrypted, size_t encrypted_len,
433			   size_t *res_len)
434{
435	size_t iv_len;
436	const u8 *pos, *end, *iv, *integ;
437	u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
438	size_t decrypted_len, pad_len;
439	const struct ikev2_integ_alg *integ_alg;
440	const struct ikev2_encr_alg *encr_alg;
441	const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
442	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
443
444	if (encrypted == NULL) {
445		wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
446		return NULL;
447	}
448
449	encr_alg = ikev2_get_encr(encr_id);
450	if (encr_alg == NULL) {
451		wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
452		return NULL;
453	}
454	iv_len = encr_alg->block_size;
455
456	integ_alg = ikev2_get_integ(integ_id);
457	if (integ_alg == NULL) {
458		wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
459		return NULL;
460	}
461
462	if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
463		wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
464			  "Checksum");
465		return NULL;
466	}
467
468	iv = encrypted;
469	pos = iv + iv_len;
470	end = encrypted + encrypted_len;
471	integ = end - integ_alg->hash_len;
472
473	if (SK_a == NULL) {
474		wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
475		return NULL;
476	}
477	if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
478			     (const u8 *) hdr,
479			     integ - (const u8 *) hdr, hash) < 0) {
480		wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
481			   "hash");
482		return NULL;
483	}
484	if (os_memcmp_const(integ, hash, integ_alg->hash_len) != 0) {
485		wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
486			   "Data");
487		return NULL;
488	}
489
490	if (SK_e == NULL) {
491		wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
492		return NULL;
493	}
494
495	decrypted_len = integ - pos;
496	decrypted = os_malloc(decrypted_len);
497	if (decrypted == NULL)
498		return NULL;
499
500	if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
501			       decrypted, decrypted_len) < 0) {
502		os_free(decrypted);
503		return NULL;
504	}
505
506	pad_len = decrypted[decrypted_len - 1];
507	if (decrypted_len < pad_len + 1) {
508		wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
509			   "payload");
510		os_free(decrypted);
511		return NULL;
512	}
513
514	decrypted_len -= pad_len + 1;
515
516	*res_len = decrypted_len;
517	return decrypted;
518}
519
520
521void ikev2_update_hdr(struct wpabuf *msg)
522{
523	struct ikev2_hdr *hdr;
524
525	/* Update lenth field in HDR */
526	hdr = wpabuf_mhead(msg);
527	WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
528}
529
530
531int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
532			  int initiator, struct wpabuf *msg,
533			  struct wpabuf *plain, u8 next_payload)
534{
535	struct ikev2_payload_hdr *phdr;
536	size_t plen;
537	size_t iv_len, pad_len;
538	u8 *icv, *iv;
539	const struct ikev2_integ_alg *integ_alg;
540	const struct ikev2_encr_alg *encr_alg;
541	const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
542	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
543
544	wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
545
546	/* Encr - RFC 4306, Sect. 3.14 */
547
548	encr_alg = ikev2_get_encr(encr_id);
549	if (encr_alg == NULL) {
550		wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
551		return -1;
552	}
553	iv_len = encr_alg->block_size;
554
555	integ_alg = ikev2_get_integ(integ_id);
556	if (integ_alg == NULL) {
557		wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
558		return -1;
559	}
560
561	if (SK_e == NULL) {
562		wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
563		return -1;
564	}
565
566	if (SK_a == NULL) {
567		wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
568		return -1;
569	}
570
571	phdr = wpabuf_put(msg, sizeof(*phdr));
572	phdr->next_payload = next_payload;
573	phdr->flags = 0;
574
575	iv = wpabuf_put(msg, iv_len);
576	if (random_get_bytes(iv, iv_len)) {
577		wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
578		return -1;
579	}
580
581	pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
582	if (pad_len == iv_len)
583		pad_len = 0;
584	wpabuf_put(plain, pad_len);
585	wpabuf_put_u8(plain, pad_len);
586
587	if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
588			       wpabuf_head(plain), wpabuf_mhead(plain),
589			       wpabuf_len(plain)) < 0)
590		return -1;
591
592	wpabuf_put_buf(msg, plain);
593
594	/* Need to update all headers (Length fields) prior to hash func */
595	icv = wpabuf_put(msg, integ_alg->hash_len);
596	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
597	WPA_PUT_BE16(phdr->payload_length, plen);
598
599	ikev2_update_hdr(msg);
600
601	return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
602				wpabuf_head(msg),
603				wpabuf_len(msg) - integ_alg->hash_len, icv);
604
605	return 0;
606}
607
608
609int ikev2_keys_set(struct ikev2_keys *keys)
610{
611	return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
612		keys->SK_er && keys->SK_pi && keys->SK_pr;
613}
614
615
616void ikev2_free_keys(struct ikev2_keys *keys)
617{
618	os_free(keys->SK_d);
619	os_free(keys->SK_ai);
620	os_free(keys->SK_ar);
621	os_free(keys->SK_ei);
622	os_free(keys->SK_er);
623	os_free(keys->SK_pi);
624	os_free(keys->SK_pr);
625	keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
626		keys->SK_pi = keys->SK_pr = NULL;
627}
628
629
630int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
631			 const struct ikev2_integ_alg *integ,
632			 const struct ikev2_encr_alg *encr,
633			 const u8 *skeyseed, const u8 *data, size_t data_len,
634			 struct ikev2_keys *keys)
635{
636	u8 *keybuf, *pos;
637	size_t keybuf_len;
638
639	/*
640	 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
641	 *	prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
642	 */
643	ikev2_free_keys(keys);
644	keys->SK_d_len = prf->key_len;
645	keys->SK_integ_len = integ->key_len;
646	keys->SK_encr_len = encr->key_len;
647	keys->SK_prf_len = prf->key_len;
648
649	keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
650		2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
651	keybuf = os_malloc(keybuf_len);
652	if (keybuf == NULL)
653		return -1;
654
655	if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
656			   data, data_len, keybuf, keybuf_len)) {
657		os_free(keybuf);
658		return -1;
659	}
660
661	pos = keybuf;
662
663	keys->SK_d = os_malloc(keys->SK_d_len);
664	if (keys->SK_d) {
665		os_memcpy(keys->SK_d, pos, keys->SK_d_len);
666		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
667				keys->SK_d, keys->SK_d_len);
668	}
669	pos += keys->SK_d_len;
670
671	keys->SK_ai = os_malloc(keys->SK_integ_len);
672	if (keys->SK_ai) {
673		os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
674		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
675				keys->SK_ai, keys->SK_integ_len);
676	}
677	pos += keys->SK_integ_len;
678
679	keys->SK_ar = os_malloc(keys->SK_integ_len);
680	if (keys->SK_ar) {
681		os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
682		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
683				keys->SK_ar, keys->SK_integ_len);
684	}
685	pos += keys->SK_integ_len;
686
687	keys->SK_ei = os_malloc(keys->SK_encr_len);
688	if (keys->SK_ei) {
689		os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
690		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
691				keys->SK_ei, keys->SK_encr_len);
692	}
693	pos += keys->SK_encr_len;
694
695	keys->SK_er = os_malloc(keys->SK_encr_len);
696	if (keys->SK_er) {
697		os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
698		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
699				keys->SK_er, keys->SK_encr_len);
700	}
701	pos += keys->SK_encr_len;
702
703	keys->SK_pi = os_malloc(keys->SK_prf_len);
704	if (keys->SK_pi) {
705		os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
706		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
707				keys->SK_pi, keys->SK_prf_len);
708	}
709	pos += keys->SK_prf_len;
710
711	keys->SK_pr = os_malloc(keys->SK_prf_len);
712	if (keys->SK_pr) {
713		os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
714		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
715				keys->SK_pr, keys->SK_prf_len);
716	}
717
718	os_free(keybuf);
719
720	if (!ikev2_keys_set(keys)) {
721		ikev2_free_keys(keys);
722		return -1;
723	}
724
725	return 0;
726}
727