1/* 2 * IKEv2 common routines for initiator and responder 3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9#include "includes.h" 10 11#include "common.h" 12#include "crypto/crypto.h" 13#include "crypto/md5.h" 14#include "crypto/sha1.h" 15#include "crypto/random.h" 16#include "ikev2_common.h" 17 18 19static const struct ikev2_integ_alg ikev2_integ_algs[] = { 20 { AUTH_HMAC_SHA1_96, 20, 12 }, 21 { AUTH_HMAC_MD5_96, 16, 12 } 22}; 23 24#define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs) 25 26 27static const struct ikev2_prf_alg ikev2_prf_algs[] = { 28 { PRF_HMAC_SHA1, 20, 20 }, 29 { PRF_HMAC_MD5, 16, 16 } 30}; 31 32#define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs) 33 34 35static const struct ikev2_encr_alg ikev2_encr_algs[] = { 36 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */ 37 { ENCR_3DES, 24, 8 } 38}; 39 40#define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs) 41 42 43const struct ikev2_integ_alg * ikev2_get_integ(int id) 44{ 45 size_t i; 46 47 for (i = 0; i < NUM_INTEG_ALGS; i++) { 48 if (ikev2_integ_algs[i].id == id) 49 return &ikev2_integ_algs[i]; 50 } 51 52 return NULL; 53} 54 55 56int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data, 57 size_t data_len, u8 *hash) 58{ 59 u8 tmphash[IKEV2_MAX_HASH_LEN]; 60 61 switch (alg) { 62 case AUTH_HMAC_SHA1_96: 63 if (key_len != 20) 64 return -1; 65 hmac_sha1(key, key_len, data, data_len, tmphash); 66 os_memcpy(hash, tmphash, 12); 67 break; 68 case AUTH_HMAC_MD5_96: 69 if (key_len != 16) 70 return -1; 71 hmac_md5(key, key_len, data, data_len, tmphash); 72 os_memcpy(hash, tmphash, 12); 73 break; 74 default: 75 return -1; 76 } 77 78 return 0; 79} 80 81 82const struct ikev2_prf_alg * ikev2_get_prf(int id) 83{ 84 size_t i; 85 86 for (i = 0; i < NUM_PRF_ALGS; i++) { 87 if (ikev2_prf_algs[i].id == id) 88 return &ikev2_prf_algs[i]; 89 } 90 91 return NULL; 92} 93 94 95int ikev2_prf_hash(int alg, const u8 *key, size_t key_len, 96 size_t num_elem, const u8 *addr[], const size_t *len, 97 u8 *hash) 98{ 99 switch (alg) { 100 case PRF_HMAC_SHA1: 101 hmac_sha1_vector(key, key_len, num_elem, addr, len, hash); 102 break; 103 case PRF_HMAC_MD5: 104 hmac_md5_vector(key, key_len, num_elem, addr, len, hash); 105 break; 106 default: 107 return -1; 108 } 109 110 return 0; 111} 112 113 114int ikev2_prf_plus(int alg, const u8 *key, size_t key_len, 115 const u8 *data, size_t data_len, 116 u8 *out, size_t out_len) 117{ 118 u8 hash[IKEV2_MAX_HASH_LEN]; 119 size_t hash_len; 120 u8 iter, *pos, *end; 121 const u8 *addr[3]; 122 size_t len[3]; 123 const struct ikev2_prf_alg *prf; 124 int res; 125 126 prf = ikev2_get_prf(alg); 127 if (prf == NULL) 128 return -1; 129 hash_len = prf->hash_len; 130 131 addr[0] = hash; 132 len[0] = hash_len; 133 addr[1] = data; 134 len[1] = data_len; 135 addr[2] = &iter; 136 len[2] = 1; 137 138 pos = out; 139 end = out + out_len; 140 iter = 1; 141 while (pos < end) { 142 size_t clen; 143 if (iter == 1) 144 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1], 145 &len[1], hash); 146 else 147 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len, 148 hash); 149 if (res < 0) 150 return -1; 151 clen = hash_len; 152 if ((int) clen > end - pos) 153 clen = end - pos; 154 os_memcpy(pos, hash, clen); 155 pos += clen; 156 iter++; 157 } 158 159 return 0; 160} 161 162 163const struct ikev2_encr_alg * ikev2_get_encr(int id) 164{ 165 size_t i; 166 167 for (i = 0; i < NUM_ENCR_ALGS; i++) { 168 if (ikev2_encr_algs[i].id == id) 169 return &ikev2_encr_algs[i]; 170 } 171 172 return NULL; 173} 174 175 176int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, 177 const u8 *plain, u8 *crypt, size_t len) 178{ 179 struct crypto_cipher *cipher; 180 int encr_alg; 181 182 switch (alg) { 183 case ENCR_3DES: 184 encr_alg = CRYPTO_CIPHER_ALG_3DES; 185 break; 186 case ENCR_AES_CBC: 187 encr_alg = CRYPTO_CIPHER_ALG_AES; 188 break; 189 default: 190 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); 191 return -1; 192 } 193 194 cipher = crypto_cipher_init(encr_alg, iv, key, key_len); 195 if (cipher == NULL) { 196 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); 197 return -1; 198 } 199 200 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) { 201 wpa_printf(MSG_INFO, "IKEV2: Encryption failed"); 202 crypto_cipher_deinit(cipher); 203 return -1; 204 } 205 crypto_cipher_deinit(cipher); 206 207 return 0; 208} 209 210 211int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, 212 const u8 *crypt, u8 *plain, size_t len) 213{ 214 struct crypto_cipher *cipher; 215 int encr_alg; 216 217 switch (alg) { 218 case ENCR_3DES: 219 encr_alg = CRYPTO_CIPHER_ALG_3DES; 220 break; 221 case ENCR_AES_CBC: 222 encr_alg = CRYPTO_CIPHER_ALG_AES; 223 break; 224 default: 225 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); 226 return -1; 227 } 228 229 cipher = crypto_cipher_init(encr_alg, iv, key, key_len); 230 if (cipher == NULL) { 231 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); 232 return -1; 233 } 234 235 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) { 236 wpa_printf(MSG_INFO, "IKEV2: Decryption failed"); 237 crypto_cipher_deinit(cipher); 238 return -1; 239 } 240 crypto_cipher_deinit(cipher); 241 242 return 0; 243} 244 245 246int ikev2_parse_payloads(struct ikev2_payloads *payloads, 247 u8 next_payload, const u8 *pos, const u8 *end) 248{ 249 const struct ikev2_payload_hdr *phdr; 250 251 os_memset(payloads, 0, sizeof(*payloads)); 252 253 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) { 254 unsigned int plen, pdatalen, left; 255 const u8 *pdata; 256 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u", 257 next_payload); 258 if (end < pos) 259 return -1; 260 left = end - pos; 261 if (left < sizeof(*phdr)) { 262 wpa_printf(MSG_INFO, "IKEV2: Too short message for " 263 "payload header (left=%ld)", 264 (long) (end - pos)); 265 return -1; 266 } 267 phdr = (const struct ikev2_payload_hdr *) pos; 268 plen = WPA_GET_BE16(phdr->payload_length); 269 if (plen < sizeof(*phdr) || plen > left) { 270 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header " 271 "length %d", plen); 272 return -1; 273 } 274 275 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x" 276 " Payload Length: %u", 277 phdr->next_payload, phdr->flags, plen); 278 279 pdata = (const u8 *) (phdr + 1); 280 pdatalen = plen - sizeof(*phdr); 281 282 switch (next_payload) { 283 case IKEV2_PAYLOAD_SA: 284 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security " 285 "Association"); 286 payloads->sa = pdata; 287 payloads->sa_len = pdatalen; 288 break; 289 case IKEV2_PAYLOAD_KEY_EXCHANGE: 290 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key " 291 "Exchange"); 292 payloads->ke = pdata; 293 payloads->ke_len = pdatalen; 294 break; 295 case IKEV2_PAYLOAD_IDi: 296 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi"); 297 payloads->idi = pdata; 298 payloads->idi_len = pdatalen; 299 break; 300 case IKEV2_PAYLOAD_IDr: 301 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr"); 302 payloads->idr = pdata; 303 payloads->idr_len = pdatalen; 304 break; 305 case IKEV2_PAYLOAD_CERTIFICATE: 306 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate"); 307 payloads->cert = pdata; 308 payloads->cert_len = pdatalen; 309 break; 310 case IKEV2_PAYLOAD_AUTHENTICATION: 311 wpa_printf(MSG_DEBUG, "IKEV2: Payload: " 312 "Authentication"); 313 payloads->auth = pdata; 314 payloads->auth_len = pdatalen; 315 break; 316 case IKEV2_PAYLOAD_NONCE: 317 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce"); 318 payloads->nonce = pdata; 319 payloads->nonce_len = pdatalen; 320 break; 321 case IKEV2_PAYLOAD_ENCRYPTED: 322 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted"); 323 payloads->encrypted = pdata; 324 payloads->encrypted_len = pdatalen; 325 break; 326 case IKEV2_PAYLOAD_NOTIFICATION: 327 wpa_printf(MSG_DEBUG, "IKEV2: Payload: " 328 "Notification"); 329 payloads->notification = pdata; 330 payloads->notification_len = pdatalen; 331 break; 332 default: 333 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) { 334 wpa_printf(MSG_INFO, "IKEV2: Unsupported " 335 "critical payload %u - reject the " 336 "entire message", next_payload); 337 return -1; 338 } else { 339 wpa_printf(MSG_DEBUG, "IKEV2: Skipped " 340 "unsupported payload %u", 341 next_payload); 342 } 343 } 344 345 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED && 346 pos + plen == end) { 347 /* 348 * Next Payload in the case of Encrypted Payload is 349 * actually the payload type for the first embedded 350 * payload. 351 */ 352 payloads->encr_next_payload = phdr->next_payload; 353 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD; 354 } else 355 next_payload = phdr->next_payload; 356 357 pos += plen; 358 } 359 360 if (pos != end) { 361 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after " 362 "payloads"); 363 return -1; 364 } 365 366 return 0; 367} 368 369 370int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg, 371 const u8 *ID, size_t ID_len, u8 ID_type, 372 struct ikev2_keys *keys, int initiator, 373 const u8 *shared_secret, size_t shared_secret_len, 374 const u8 *nonce, size_t nonce_len, 375 const u8 *key_pad, size_t key_pad_len, 376 u8 *auth_data) 377{ 378 size_t sign_len, buf_len; 379 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN]; 380 const struct ikev2_prf_alg *prf; 381 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr; 382 383 prf = ikev2_get_prf(prf_alg); 384 if (sign_msg == NULL || ID == NULL || SK_p == NULL || 385 shared_secret == NULL || nonce == NULL || prf == NULL) 386 return -1; 387 388 /* prf(SK_pi/r,IDi/r') */ 389 buf_len = 4 + ID_len; 390 buf = os_zalloc(buf_len); 391 if (buf == NULL) 392 return -1; 393 buf[0] = ID_type; 394 os_memcpy(buf + 4, ID, ID_len); 395 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len, 396 1, (const u8 **) &buf, &buf_len, hash) < 0) { 397 os_free(buf); 398 return -1; 399 } 400 os_free(buf); 401 402 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */ 403 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len; 404 sign_data = os_malloc(sign_len); 405 if (sign_data == NULL) 406 return -1; 407 pos = sign_data; 408 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg)); 409 pos += wpabuf_len(sign_msg); 410 os_memcpy(pos, nonce, nonce_len); 411 pos += nonce_len; 412 os_memcpy(pos, hash, prf->hash_len); 413 414 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */ 415 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1, 416 &key_pad, &key_pad_len, hash) < 0 || 417 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1, 418 (const u8 **) &sign_data, &sign_len, auth_data) < 0) 419 { 420 os_free(sign_data); 421 return -1; 422 } 423 os_free(sign_data); 424 425 return 0; 426} 427 428 429u8 * ikev2_decrypt_payload(int encr_id, int integ_id, 430 struct ikev2_keys *keys, int initiator, 431 const struct ikev2_hdr *hdr, 432 const u8 *encrypted, size_t encrypted_len, 433 size_t *res_len) 434{ 435 size_t iv_len; 436 const u8 *pos, *end, *iv, *integ; 437 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted; 438 size_t decrypted_len, pad_len; 439 const struct ikev2_integ_alg *integ_alg; 440 const struct ikev2_encr_alg *encr_alg; 441 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er; 442 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar; 443 444 if (encrypted == NULL) { 445 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH"); 446 return NULL; 447 } 448 449 encr_alg = ikev2_get_encr(encr_id); 450 if (encr_alg == NULL) { 451 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type"); 452 return NULL; 453 } 454 iv_len = encr_alg->block_size; 455 456 integ_alg = ikev2_get_integ(integ_id); 457 if (integ_alg == NULL) { 458 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type"); 459 return NULL; 460 } 461 462 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) { 463 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity " 464 "Checksum"); 465 return NULL; 466 } 467 468 iv = encrypted; 469 pos = iv + iv_len; 470 end = encrypted + encrypted_len; 471 integ = end - integ_alg->hash_len; 472 473 if (SK_a == NULL) { 474 wpa_printf(MSG_INFO, "IKEV2: No SK_a available"); 475 return NULL; 476 } 477 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len, 478 (const u8 *) hdr, 479 integ - (const u8 *) hdr, hash) < 0) { 480 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity " 481 "hash"); 482 return NULL; 483 } 484 if (os_memcmp_const(integ, hash, integ_alg->hash_len) != 0) { 485 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum " 486 "Data"); 487 return NULL; 488 } 489 490 if (SK_e == NULL) { 491 wpa_printf(MSG_INFO, "IKEV2: No SK_e available"); 492 return NULL; 493 } 494 495 decrypted_len = integ - pos; 496 decrypted = os_malloc(decrypted_len); 497 if (decrypted == NULL) 498 return NULL; 499 500 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos, 501 decrypted, decrypted_len) < 0) { 502 os_free(decrypted); 503 return NULL; 504 } 505 506 pad_len = decrypted[decrypted_len - 1]; 507 if (decrypted_len < pad_len + 1) { 508 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted " 509 "payload"); 510 os_free(decrypted); 511 return NULL; 512 } 513 514 decrypted_len -= pad_len + 1; 515 516 *res_len = decrypted_len; 517 return decrypted; 518} 519 520 521void ikev2_update_hdr(struct wpabuf *msg) 522{ 523 struct ikev2_hdr *hdr; 524 525 /* Update lenth field in HDR */ 526 hdr = wpabuf_mhead(msg); 527 WPA_PUT_BE32(hdr->length, wpabuf_len(msg)); 528} 529 530 531int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys, 532 int initiator, struct wpabuf *msg, 533 struct wpabuf *plain, u8 next_payload) 534{ 535 struct ikev2_payload_hdr *phdr; 536 size_t plen; 537 size_t iv_len, pad_len; 538 u8 *icv, *iv; 539 const struct ikev2_integ_alg *integ_alg; 540 const struct ikev2_encr_alg *encr_alg; 541 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er; 542 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar; 543 544 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload"); 545 546 /* Encr - RFC 4306, Sect. 3.14 */ 547 548 encr_alg = ikev2_get_encr(encr_id); 549 if (encr_alg == NULL) { 550 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type"); 551 return -1; 552 } 553 iv_len = encr_alg->block_size; 554 555 integ_alg = ikev2_get_integ(integ_id); 556 if (integ_alg == NULL) { 557 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type"); 558 return -1; 559 } 560 561 if (SK_e == NULL) { 562 wpa_printf(MSG_INFO, "IKEV2: No SK_e available"); 563 return -1; 564 } 565 566 if (SK_a == NULL) { 567 wpa_printf(MSG_INFO, "IKEV2: No SK_a available"); 568 return -1; 569 } 570 571 phdr = wpabuf_put(msg, sizeof(*phdr)); 572 phdr->next_payload = next_payload; 573 phdr->flags = 0; 574 575 iv = wpabuf_put(msg, iv_len); 576 if (random_get_bytes(iv, iv_len)) { 577 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV"); 578 return -1; 579 } 580 581 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len; 582 if (pad_len == iv_len) 583 pad_len = 0; 584 wpabuf_put(plain, pad_len); 585 wpabuf_put_u8(plain, pad_len); 586 587 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, 588 wpabuf_head(plain), wpabuf_mhead(plain), 589 wpabuf_len(plain)) < 0) 590 return -1; 591 592 wpabuf_put_buf(msg, plain); 593 594 /* Need to update all headers (Length fields) prior to hash func */ 595 icv = wpabuf_put(msg, integ_alg->hash_len); 596 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 597 WPA_PUT_BE16(phdr->payload_length, plen); 598 599 ikev2_update_hdr(msg); 600 601 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len, 602 wpabuf_head(msg), 603 wpabuf_len(msg) - integ_alg->hash_len, icv); 604 605 return 0; 606} 607 608 609int ikev2_keys_set(struct ikev2_keys *keys) 610{ 611 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei && 612 keys->SK_er && keys->SK_pi && keys->SK_pr; 613} 614 615 616void ikev2_free_keys(struct ikev2_keys *keys) 617{ 618 os_free(keys->SK_d); 619 os_free(keys->SK_ai); 620 os_free(keys->SK_ar); 621 os_free(keys->SK_ei); 622 os_free(keys->SK_er); 623 os_free(keys->SK_pi); 624 os_free(keys->SK_pr); 625 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er = 626 keys->SK_pi = keys->SK_pr = NULL; 627} 628 629 630int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf, 631 const struct ikev2_integ_alg *integ, 632 const struct ikev2_encr_alg *encr, 633 const u8 *skeyseed, const u8 *data, size_t data_len, 634 struct ikev2_keys *keys) 635{ 636 u8 *keybuf, *pos; 637 size_t keybuf_len; 638 639 /* 640 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = 641 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr ) 642 */ 643 ikev2_free_keys(keys); 644 keys->SK_d_len = prf->key_len; 645 keys->SK_integ_len = integ->key_len; 646 keys->SK_encr_len = encr->key_len; 647 keys->SK_prf_len = prf->key_len; 648 649 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len + 650 2 * keys->SK_encr_len + 2 * keys->SK_prf_len; 651 keybuf = os_malloc(keybuf_len); 652 if (keybuf == NULL) 653 return -1; 654 655 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len, 656 data, data_len, keybuf, keybuf_len)) { 657 os_free(keybuf); 658 return -1; 659 } 660 661 pos = keybuf; 662 663 keys->SK_d = os_malloc(keys->SK_d_len); 664 if (keys->SK_d) { 665 os_memcpy(keys->SK_d, pos, keys->SK_d_len); 666 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d", 667 keys->SK_d, keys->SK_d_len); 668 } 669 pos += keys->SK_d_len; 670 671 keys->SK_ai = os_malloc(keys->SK_integ_len); 672 if (keys->SK_ai) { 673 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len); 674 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai", 675 keys->SK_ai, keys->SK_integ_len); 676 } 677 pos += keys->SK_integ_len; 678 679 keys->SK_ar = os_malloc(keys->SK_integ_len); 680 if (keys->SK_ar) { 681 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len); 682 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar", 683 keys->SK_ar, keys->SK_integ_len); 684 } 685 pos += keys->SK_integ_len; 686 687 keys->SK_ei = os_malloc(keys->SK_encr_len); 688 if (keys->SK_ei) { 689 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len); 690 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei", 691 keys->SK_ei, keys->SK_encr_len); 692 } 693 pos += keys->SK_encr_len; 694 695 keys->SK_er = os_malloc(keys->SK_encr_len); 696 if (keys->SK_er) { 697 os_memcpy(keys->SK_er, pos, keys->SK_encr_len); 698 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er", 699 keys->SK_er, keys->SK_encr_len); 700 } 701 pos += keys->SK_encr_len; 702 703 keys->SK_pi = os_malloc(keys->SK_prf_len); 704 if (keys->SK_pi) { 705 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len); 706 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi", 707 keys->SK_pi, keys->SK_prf_len); 708 } 709 pos += keys->SK_prf_len; 710 711 keys->SK_pr = os_malloc(keys->SK_prf_len); 712 if (keys->SK_pr) { 713 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len); 714 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr", 715 keys->SK_pr, keys->SK_prf_len); 716 } 717 718 os_free(keybuf); 719 720 if (!ikev2_keys_set(keys)) { 721 ikev2_free_keys(keys); 722 return -1; 723 } 724 725 return 0; 726} 727