xref: /freebsd/contrib/wpa/src/eap_common/ikev2_common.c (revision 49b49cda41feabe3439f7318e8bf40e3896c7bf4)
1 /*
2  * IKEv2 common routines for initiator and responder
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "crypto/random.h"
16 #include "ikev2_common.h"
17 
18 
19 static const struct ikev2_integ_alg ikev2_integ_algs[] = {
20 	{ AUTH_HMAC_SHA1_96, 20, 12 },
21 	{ AUTH_HMAC_MD5_96, 16, 12 }
22 };
23 
24 #define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs)
25 
26 
27 static const struct ikev2_prf_alg ikev2_prf_algs[] = {
28 	{ PRF_HMAC_SHA1, 20, 20 },
29 	{ PRF_HMAC_MD5, 16, 16 }
30 };
31 
32 #define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs)
33 
34 
35 static const struct ikev2_encr_alg ikev2_encr_algs[] = {
36 	{ ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
37 	{ ENCR_3DES, 24, 8 }
38 };
39 
40 #define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs)
41 
42 
43 const struct ikev2_integ_alg * ikev2_get_integ(int id)
44 {
45 	size_t i;
46 
47 	for (i = 0; i < NUM_INTEG_ALGS; i++) {
48 		if (ikev2_integ_algs[i].id == id)
49 			return &ikev2_integ_algs[i];
50 	}
51 
52 	return NULL;
53 }
54 
55 
56 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
57 		     size_t data_len, u8 *hash)
58 {
59 	u8 tmphash[IKEV2_MAX_HASH_LEN];
60 
61 	switch (alg) {
62 	case AUTH_HMAC_SHA1_96:
63 		if (key_len != 20)
64 			return -1;
65 		hmac_sha1(key, key_len, data, data_len, tmphash);
66 		os_memcpy(hash, tmphash, 12);
67 		break;
68 	case AUTH_HMAC_MD5_96:
69 		if (key_len != 16)
70 			return -1;
71 		hmac_md5(key, key_len, data, data_len, tmphash);
72 		os_memcpy(hash, tmphash, 12);
73 		break;
74 	default:
75 		return -1;
76 	}
77 
78 	return 0;
79 }
80 
81 
82 const struct ikev2_prf_alg * ikev2_get_prf(int id)
83 {
84 	size_t i;
85 
86 	for (i = 0; i < NUM_PRF_ALGS; i++) {
87 		if (ikev2_prf_algs[i].id == id)
88 			return &ikev2_prf_algs[i];
89 	}
90 
91 	return NULL;
92 }
93 
94 
95 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
96 		   size_t num_elem, const u8 *addr[], const size_t *len,
97 		   u8 *hash)
98 {
99 	switch (alg) {
100 	case PRF_HMAC_SHA1:
101 		hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
102 		break;
103 	case PRF_HMAC_MD5:
104 		hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
105 		break;
106 	default:
107 		return -1;
108 	}
109 
110 	return 0;
111 }
112 
113 
114 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
115 		   const u8 *data, size_t data_len,
116 		   u8 *out, size_t out_len)
117 {
118 	u8 hash[IKEV2_MAX_HASH_LEN];
119 	size_t hash_len;
120 	u8 iter, *pos, *end;
121 	const u8 *addr[3];
122 	size_t len[3];
123 	const struct ikev2_prf_alg *prf;
124 	int res;
125 
126 	prf = ikev2_get_prf(alg);
127 	if (prf == NULL)
128 		return -1;
129 	hash_len = prf->hash_len;
130 
131 	addr[0] = hash;
132 	len[0] = hash_len;
133 	addr[1] = data;
134 	len[1] = data_len;
135 	addr[2] = &iter;
136 	len[2] = 1;
137 
138 	pos = out;
139 	end = out + out_len;
140 	iter = 1;
141 	while (pos < end) {
142 		size_t clen;
143 		if (iter == 1)
144 			res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
145 					     &len[1], hash);
146 		else
147 			res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
148 					     hash);
149 		if (res < 0)
150 			return -1;
151 		clen = hash_len;
152 		if ((int) clen > end - pos)
153 			clen = end - pos;
154 		os_memcpy(pos, hash, clen);
155 		pos += clen;
156 		iter++;
157 	}
158 
159 	return 0;
160 }
161 
162 
163 const struct ikev2_encr_alg * ikev2_get_encr(int id)
164 {
165 	size_t i;
166 
167 	for (i = 0; i < NUM_ENCR_ALGS; i++) {
168 		if (ikev2_encr_algs[i].id == id)
169 			return &ikev2_encr_algs[i];
170 	}
171 
172 	return NULL;
173 }
174 
175 
176 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
177 		       const u8 *plain, u8 *crypt, size_t len)
178 {
179 	struct crypto_cipher *cipher;
180 	int encr_alg;
181 
182 	switch (alg) {
183 	case ENCR_3DES:
184 		encr_alg = CRYPTO_CIPHER_ALG_3DES;
185 		break;
186 	case ENCR_AES_CBC:
187 		encr_alg = CRYPTO_CIPHER_ALG_AES;
188 		break;
189 	default:
190 		wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
191 		return -1;
192 	}
193 
194 	cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
195 	if (cipher == NULL) {
196 		wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
197 		return -1;
198 	}
199 
200 	if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
201 		wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
202 		crypto_cipher_deinit(cipher);
203 		return -1;
204 	}
205 	crypto_cipher_deinit(cipher);
206 
207 	return 0;
208 }
209 
210 
211 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
212 		       const u8 *crypt, u8 *plain, size_t len)
213 {
214 	struct crypto_cipher *cipher;
215 	int encr_alg;
216 
217 	switch (alg) {
218 	case ENCR_3DES:
219 		encr_alg = CRYPTO_CIPHER_ALG_3DES;
220 		break;
221 	case ENCR_AES_CBC:
222 		encr_alg = CRYPTO_CIPHER_ALG_AES;
223 		break;
224 	default:
225 		wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
226 		return -1;
227 	}
228 
229 	cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
230 	if (cipher == NULL) {
231 		wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
232 		return -1;
233 	}
234 
235 	if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
236 		wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
237 		crypto_cipher_deinit(cipher);
238 		return -1;
239 	}
240 	crypto_cipher_deinit(cipher);
241 
242 	return 0;
243 }
244 
245 
246 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
247 			 u8 next_payload, const u8 *pos, const u8 *end)
248 {
249 	const struct ikev2_payload_hdr *phdr;
250 
251 	os_memset(payloads, 0, sizeof(*payloads));
252 
253 	while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
254 		unsigned int plen, pdatalen, left;
255 		const u8 *pdata;
256 		wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
257 			   next_payload);
258 		if (end < pos)
259 			return -1;
260 		left = end - pos;
261 		if (left < sizeof(*phdr)) {
262 			wpa_printf(MSG_INFO, "IKEV2:   Too short message for "
263 				   "payload header (left=%ld)",
264 				   (long) (end - pos));
265 			return -1;
266 		}
267 		phdr = (const struct ikev2_payload_hdr *) pos;
268 		plen = WPA_GET_BE16(phdr->payload_length);
269 		if (plen < sizeof(*phdr) || plen > left) {
270 			wpa_printf(MSG_INFO, "IKEV2:   Invalid payload header "
271 				   "length %d", plen);
272 			return -1;
273 		}
274 
275 		wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Flags: 0x%x"
276 			   "  Payload Length: %u",
277 			   phdr->next_payload, phdr->flags, plen);
278 
279 		pdata = (const u8 *) (phdr + 1);
280 		pdatalen = plen - sizeof(*phdr);
281 
282 		switch (next_payload) {
283 		case IKEV2_PAYLOAD_SA:
284 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Security "
285 				   "Association");
286 			payloads->sa = pdata;
287 			payloads->sa_len = pdatalen;
288 			break;
289 		case IKEV2_PAYLOAD_KEY_EXCHANGE:
290 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Key "
291 				   "Exchange");
292 			payloads->ke = pdata;
293 			payloads->ke_len = pdatalen;
294 			break;
295 		case IKEV2_PAYLOAD_IDi:
296 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDi");
297 			payloads->idi = pdata;
298 			payloads->idi_len = pdatalen;
299 			break;
300 		case IKEV2_PAYLOAD_IDr:
301 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDr");
302 			payloads->idr = pdata;
303 			payloads->idr_len = pdatalen;
304 			break;
305 		case IKEV2_PAYLOAD_CERTIFICATE:
306 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Certificate");
307 			payloads->cert = pdata;
308 			payloads->cert_len = pdatalen;
309 			break;
310 		case IKEV2_PAYLOAD_AUTHENTICATION:
311 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
312 				   "Authentication");
313 			payloads->auth = pdata;
314 			payloads->auth_len = pdatalen;
315 			break;
316 		case IKEV2_PAYLOAD_NONCE:
317 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Nonce");
318 			payloads->nonce = pdata;
319 			payloads->nonce_len = pdatalen;
320 			break;
321 		case IKEV2_PAYLOAD_ENCRYPTED:
322 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Encrypted");
323 			payloads->encrypted = pdata;
324 			payloads->encrypted_len = pdatalen;
325 			break;
326 		case IKEV2_PAYLOAD_NOTIFICATION:
327 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
328 				   "Notification");
329 			payloads->notification = pdata;
330 			payloads->notification_len = pdatalen;
331 			break;
332 		default:
333 			if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
334 				wpa_printf(MSG_INFO, "IKEV2:   Unsupported "
335 					   "critical payload %u - reject the "
336 					   "entire message", next_payload);
337 				return -1;
338 			} else {
339 				wpa_printf(MSG_DEBUG, "IKEV2:   Skipped "
340 					   "unsupported payload %u",
341 					   next_payload);
342 			}
343 		}
344 
345 		if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
346 		    pos + plen == end) {
347 			/*
348 			 * Next Payload in the case of Encrypted Payload is
349 			 * actually the payload type for the first embedded
350 			 * payload.
351 			 */
352 			payloads->encr_next_payload = phdr->next_payload;
353 			next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
354 		} else
355 			next_payload = phdr->next_payload;
356 
357 		pos += plen;
358 	}
359 
360 	if (pos != end) {
361 		wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
362 			   "payloads");
363 		return -1;
364 	}
365 
366 	return 0;
367 }
368 
369 
370 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
371 			   const u8 *ID, size_t ID_len, u8 ID_type,
372 			   struct ikev2_keys *keys, int initiator,
373 			   const u8 *shared_secret, size_t shared_secret_len,
374 			   const u8 *nonce, size_t nonce_len,
375 			   const u8 *key_pad, size_t key_pad_len,
376 			   u8 *auth_data)
377 {
378 	size_t sign_len, buf_len;
379 	u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
380 	const struct ikev2_prf_alg *prf;
381 	const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
382 
383 	prf = ikev2_get_prf(prf_alg);
384 	if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
385 	    shared_secret == NULL || nonce == NULL || prf == NULL)
386 		return -1;
387 
388 	/* prf(SK_pi/r,IDi/r') */
389 	buf_len = 4 + ID_len;
390 	buf = os_zalloc(buf_len);
391 	if (buf == NULL)
392 		return -1;
393 	buf[0] = ID_type;
394 	os_memcpy(buf + 4, ID, ID_len);
395 	if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
396 			   1, (const u8 **) &buf, &buf_len, hash) < 0) {
397 		os_free(buf);
398 		return -1;
399 	}
400 	os_free(buf);
401 
402 	/* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
403 	sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
404 	sign_data = os_malloc(sign_len);
405 	if (sign_data == NULL)
406 		return -1;
407 	pos = sign_data;
408 	os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
409 	pos += wpabuf_len(sign_msg);
410 	os_memcpy(pos, nonce, nonce_len);
411 	pos += nonce_len;
412 	os_memcpy(pos, hash, prf->hash_len);
413 
414 	/* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
415 	if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
416 			   &key_pad, &key_pad_len, hash) < 0 ||
417 	    ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
418 			   (const u8 **) &sign_data, &sign_len, auth_data) < 0)
419 	{
420 		os_free(sign_data);
421 		return -1;
422 	}
423 	os_free(sign_data);
424 
425 	return 0;
426 }
427 
428 
429 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
430 			   struct ikev2_keys *keys, int initiator,
431 			   const struct ikev2_hdr *hdr,
432 			   const u8 *encrypted, size_t encrypted_len,
433 			   size_t *res_len)
434 {
435 	size_t iv_len;
436 	const u8 *pos, *end, *iv, *integ;
437 	u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
438 	size_t decrypted_len, pad_len;
439 	const struct ikev2_integ_alg *integ_alg;
440 	const struct ikev2_encr_alg *encr_alg;
441 	const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
442 	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
443 
444 	if (encrypted == NULL) {
445 		wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
446 		return NULL;
447 	}
448 
449 	encr_alg = ikev2_get_encr(encr_id);
450 	if (encr_alg == NULL) {
451 		wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
452 		return NULL;
453 	}
454 	iv_len = encr_alg->block_size;
455 
456 	integ_alg = ikev2_get_integ(integ_id);
457 	if (integ_alg == NULL) {
458 		wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
459 		return NULL;
460 	}
461 
462 	if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
463 		wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
464 			  "Checksum");
465 		return NULL;
466 	}
467 
468 	iv = encrypted;
469 	pos = iv + iv_len;
470 	end = encrypted + encrypted_len;
471 	integ = end - integ_alg->hash_len;
472 
473 	if (SK_a == NULL) {
474 		wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
475 		return NULL;
476 	}
477 	if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
478 			     (const u8 *) hdr,
479 			     integ - (const u8 *) hdr, hash) < 0) {
480 		wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
481 			   "hash");
482 		return NULL;
483 	}
484 	if (os_memcmp_const(integ, hash, integ_alg->hash_len) != 0) {
485 		wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
486 			   "Data");
487 		return NULL;
488 	}
489 
490 	if (SK_e == NULL) {
491 		wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
492 		return NULL;
493 	}
494 
495 	decrypted_len = integ - pos;
496 	decrypted = os_malloc(decrypted_len);
497 	if (decrypted == NULL)
498 		return NULL;
499 
500 	if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
501 			       decrypted, decrypted_len) < 0) {
502 		os_free(decrypted);
503 		return NULL;
504 	}
505 
506 	pad_len = decrypted[decrypted_len - 1];
507 	if (decrypted_len < pad_len + 1) {
508 		wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
509 			   "payload");
510 		os_free(decrypted);
511 		return NULL;
512 	}
513 
514 	decrypted_len -= pad_len + 1;
515 
516 	*res_len = decrypted_len;
517 	return decrypted;
518 }
519 
520 
521 void ikev2_update_hdr(struct wpabuf *msg)
522 {
523 	struct ikev2_hdr *hdr;
524 
525 	/* Update lenth field in HDR */
526 	hdr = wpabuf_mhead(msg);
527 	WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
528 }
529 
530 
531 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
532 			  int initiator, struct wpabuf *msg,
533 			  struct wpabuf *plain, u8 next_payload)
534 {
535 	struct ikev2_payload_hdr *phdr;
536 	size_t plen;
537 	size_t iv_len, pad_len;
538 	u8 *icv, *iv;
539 	const struct ikev2_integ_alg *integ_alg;
540 	const struct ikev2_encr_alg *encr_alg;
541 	const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
542 	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
543 
544 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
545 
546 	/* Encr - RFC 4306, Sect. 3.14 */
547 
548 	encr_alg = ikev2_get_encr(encr_id);
549 	if (encr_alg == NULL) {
550 		wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
551 		return -1;
552 	}
553 	iv_len = encr_alg->block_size;
554 
555 	integ_alg = ikev2_get_integ(integ_id);
556 	if (integ_alg == NULL) {
557 		wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
558 		return -1;
559 	}
560 
561 	if (SK_e == NULL) {
562 		wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
563 		return -1;
564 	}
565 
566 	if (SK_a == NULL) {
567 		wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
568 		return -1;
569 	}
570 
571 	phdr = wpabuf_put(msg, sizeof(*phdr));
572 	phdr->next_payload = next_payload;
573 	phdr->flags = 0;
574 
575 	iv = wpabuf_put(msg, iv_len);
576 	if (random_get_bytes(iv, iv_len)) {
577 		wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
578 		return -1;
579 	}
580 
581 	pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
582 	if (pad_len == iv_len)
583 		pad_len = 0;
584 	wpabuf_put(plain, pad_len);
585 	wpabuf_put_u8(plain, pad_len);
586 
587 	if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
588 			       wpabuf_head(plain), wpabuf_mhead(plain),
589 			       wpabuf_len(plain)) < 0)
590 		return -1;
591 
592 	wpabuf_put_buf(msg, plain);
593 
594 	/* Need to update all headers (Length fields) prior to hash func */
595 	icv = wpabuf_put(msg, integ_alg->hash_len);
596 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
597 	WPA_PUT_BE16(phdr->payload_length, plen);
598 
599 	ikev2_update_hdr(msg);
600 
601 	return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
602 				wpabuf_head(msg),
603 				wpabuf_len(msg) - integ_alg->hash_len, icv);
604 
605 	return 0;
606 }
607 
608 
609 int ikev2_keys_set(struct ikev2_keys *keys)
610 {
611 	return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
612 		keys->SK_er && keys->SK_pi && keys->SK_pr;
613 }
614 
615 
616 void ikev2_free_keys(struct ikev2_keys *keys)
617 {
618 	os_free(keys->SK_d);
619 	os_free(keys->SK_ai);
620 	os_free(keys->SK_ar);
621 	os_free(keys->SK_ei);
622 	os_free(keys->SK_er);
623 	os_free(keys->SK_pi);
624 	os_free(keys->SK_pr);
625 	keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
626 		keys->SK_pi = keys->SK_pr = NULL;
627 }
628 
629 
630 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
631 			 const struct ikev2_integ_alg *integ,
632 			 const struct ikev2_encr_alg *encr,
633 			 const u8 *skeyseed, const u8 *data, size_t data_len,
634 			 struct ikev2_keys *keys)
635 {
636 	u8 *keybuf, *pos;
637 	size_t keybuf_len;
638 
639 	/*
640 	 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
641 	 *	prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
642 	 */
643 	ikev2_free_keys(keys);
644 	keys->SK_d_len = prf->key_len;
645 	keys->SK_integ_len = integ->key_len;
646 	keys->SK_encr_len = encr->key_len;
647 	keys->SK_prf_len = prf->key_len;
648 
649 	keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
650 		2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
651 	keybuf = os_malloc(keybuf_len);
652 	if (keybuf == NULL)
653 		return -1;
654 
655 	if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
656 			   data, data_len, keybuf, keybuf_len)) {
657 		os_free(keybuf);
658 		return -1;
659 	}
660 
661 	pos = keybuf;
662 
663 	keys->SK_d = os_malloc(keys->SK_d_len);
664 	if (keys->SK_d) {
665 		os_memcpy(keys->SK_d, pos, keys->SK_d_len);
666 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
667 				keys->SK_d, keys->SK_d_len);
668 	}
669 	pos += keys->SK_d_len;
670 
671 	keys->SK_ai = os_malloc(keys->SK_integ_len);
672 	if (keys->SK_ai) {
673 		os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
674 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
675 				keys->SK_ai, keys->SK_integ_len);
676 	}
677 	pos += keys->SK_integ_len;
678 
679 	keys->SK_ar = os_malloc(keys->SK_integ_len);
680 	if (keys->SK_ar) {
681 		os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
682 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
683 				keys->SK_ar, keys->SK_integ_len);
684 	}
685 	pos += keys->SK_integ_len;
686 
687 	keys->SK_ei = os_malloc(keys->SK_encr_len);
688 	if (keys->SK_ei) {
689 		os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
690 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
691 				keys->SK_ei, keys->SK_encr_len);
692 	}
693 	pos += keys->SK_encr_len;
694 
695 	keys->SK_er = os_malloc(keys->SK_encr_len);
696 	if (keys->SK_er) {
697 		os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
698 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
699 				keys->SK_er, keys->SK_encr_len);
700 	}
701 	pos += keys->SK_encr_len;
702 
703 	keys->SK_pi = os_malloc(keys->SK_prf_len);
704 	if (keys->SK_pi) {
705 		os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
706 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
707 				keys->SK_pi, keys->SK_prf_len);
708 	}
709 	pos += keys->SK_prf_len;
710 
711 	keys->SK_pr = os_malloc(keys->SK_prf_len);
712 	if (keys->SK_pr) {
713 		os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
714 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
715 				keys->SK_pr, keys->SK_prf_len);
716 	}
717 
718 	os_free(keybuf);
719 
720 	if (!ikev2_keys_set(keys)) {
721 		ikev2_free_keys(keys);
722 		return -1;
723 	}
724 
725 	return 0;
726 }
727