1 /* 2 * IKEv2 common routines for initiator and responder 3 * Copyright (c) 2007, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/crypto.h" 13 #include "crypto/md5.h" 14 #include "crypto/sha1.h" 15 #include "crypto/random.h" 16 #include "ikev2_common.h" 17 18 19 static const struct ikev2_integ_alg ikev2_integ_algs[] = { 20 { AUTH_HMAC_SHA1_96, 20, 12 }, 21 { AUTH_HMAC_MD5_96, 16, 12 } 22 }; 23 24 #define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs) 25 26 27 static const struct ikev2_prf_alg ikev2_prf_algs[] = { 28 { PRF_HMAC_SHA1, 20, 20 }, 29 { PRF_HMAC_MD5, 16, 16 } 30 }; 31 32 #define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs) 33 34 35 static const struct ikev2_encr_alg ikev2_encr_algs[] = { 36 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */ 37 { ENCR_3DES, 24, 8 } 38 }; 39 40 #define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs) 41 42 43 const struct ikev2_integ_alg * ikev2_get_integ(int id) 44 { 45 size_t i; 46 47 for (i = 0; i < NUM_INTEG_ALGS; i++) { 48 if (ikev2_integ_algs[i].id == id) 49 return &ikev2_integ_algs[i]; 50 } 51 52 return NULL; 53 } 54 55 56 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data, 57 size_t data_len, u8 *hash) 58 { 59 u8 tmphash[IKEV2_MAX_HASH_LEN]; 60 61 switch (alg) { 62 case AUTH_HMAC_SHA1_96: 63 if (key_len != 20) 64 return -1; 65 if (hmac_sha1(key, key_len, data, data_len, tmphash) < 0) 66 return -1; 67 os_memcpy(hash, tmphash, 12); 68 break; 69 case AUTH_HMAC_MD5_96: 70 if (key_len != 16) 71 return -1; 72 if (hmac_md5(key, key_len, data, data_len, tmphash) < 0) 73 return -1; 74 os_memcpy(hash, tmphash, 12); 75 break; 76 default: 77 return -1; 78 } 79 80 return 0; 81 } 82 83 84 const struct ikev2_prf_alg * ikev2_get_prf(int id) 85 { 86 size_t i; 87 88 for (i = 0; i < NUM_PRF_ALGS; i++) { 89 if (ikev2_prf_algs[i].id == id) 90 return &ikev2_prf_algs[i]; 91 } 92 93 return NULL; 94 } 95 96 97 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len, 98 size_t num_elem, const u8 *addr[], const size_t *len, 99 u8 *hash) 100 { 101 switch (alg) { 102 case PRF_HMAC_SHA1: 103 return hmac_sha1_vector(key, key_len, num_elem, addr, len, 104 hash); 105 case PRF_HMAC_MD5: 106 return hmac_md5_vector(key, key_len, num_elem, addr, len, hash); 107 default: 108 return -1; 109 } 110 } 111 112 113 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len, 114 const u8 *data, size_t data_len, 115 u8 *out, size_t out_len) 116 { 117 u8 hash[IKEV2_MAX_HASH_LEN]; 118 size_t hash_len; 119 u8 iter, *pos, *end; 120 const u8 *addr[3]; 121 size_t len[3]; 122 const struct ikev2_prf_alg *prf; 123 int res; 124 125 prf = ikev2_get_prf(alg); 126 if (prf == NULL) 127 return -1; 128 hash_len = prf->hash_len; 129 130 addr[0] = hash; 131 len[0] = hash_len; 132 addr[1] = data; 133 len[1] = data_len; 134 addr[2] = &iter; 135 len[2] = 1; 136 137 pos = out; 138 end = out + out_len; 139 iter = 1; 140 while (pos < end) { 141 size_t clen; 142 if (iter == 1) 143 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1], 144 &len[1], hash); 145 else 146 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len, 147 hash); 148 if (res < 0) 149 return -1; 150 clen = hash_len; 151 if ((int) clen > end - pos) 152 clen = end - pos; 153 os_memcpy(pos, hash, clen); 154 pos += clen; 155 iter++; 156 } 157 158 return 0; 159 } 160 161 162 const struct ikev2_encr_alg * ikev2_get_encr(int id) 163 { 164 size_t i; 165 166 for (i = 0; i < NUM_ENCR_ALGS; i++) { 167 if (ikev2_encr_algs[i].id == id) 168 return &ikev2_encr_algs[i]; 169 } 170 171 return NULL; 172 } 173 174 175 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, 176 const u8 *plain, u8 *crypt, size_t len) 177 { 178 struct crypto_cipher *cipher; 179 int encr_alg; 180 181 switch (alg) { 182 case ENCR_3DES: 183 encr_alg = CRYPTO_CIPHER_ALG_3DES; 184 break; 185 case ENCR_AES_CBC: 186 encr_alg = CRYPTO_CIPHER_ALG_AES; 187 break; 188 default: 189 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); 190 return -1; 191 } 192 193 cipher = crypto_cipher_init(encr_alg, iv, key, key_len); 194 if (cipher == NULL) { 195 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); 196 return -1; 197 } 198 199 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) { 200 wpa_printf(MSG_INFO, "IKEV2: Encryption failed"); 201 crypto_cipher_deinit(cipher); 202 return -1; 203 } 204 crypto_cipher_deinit(cipher); 205 206 return 0; 207 } 208 209 210 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, 211 const u8 *crypt, u8 *plain, size_t len) 212 { 213 struct crypto_cipher *cipher; 214 int encr_alg; 215 216 switch (alg) { 217 case ENCR_3DES: 218 encr_alg = CRYPTO_CIPHER_ALG_3DES; 219 break; 220 case ENCR_AES_CBC: 221 encr_alg = CRYPTO_CIPHER_ALG_AES; 222 break; 223 default: 224 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); 225 return -1; 226 } 227 228 cipher = crypto_cipher_init(encr_alg, iv, key, key_len); 229 if (cipher == NULL) { 230 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); 231 return -1; 232 } 233 234 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) { 235 wpa_printf(MSG_INFO, "IKEV2: Decryption failed"); 236 crypto_cipher_deinit(cipher); 237 return -1; 238 } 239 crypto_cipher_deinit(cipher); 240 241 return 0; 242 } 243 244 245 int ikev2_parse_payloads(struct ikev2_payloads *payloads, 246 u8 next_payload, const u8 *pos, const u8 *end) 247 { 248 const struct ikev2_payload_hdr *phdr; 249 250 os_memset(payloads, 0, sizeof(*payloads)); 251 252 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) { 253 unsigned int plen, pdatalen, left; 254 const u8 *pdata; 255 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u", 256 next_payload); 257 if (end < pos) 258 return -1; 259 left = end - pos; 260 if (left < sizeof(*phdr)) { 261 wpa_printf(MSG_INFO, "IKEV2: Too short message for " 262 "payload header (left=%ld)", 263 (long) (end - pos)); 264 return -1; 265 } 266 phdr = (const struct ikev2_payload_hdr *) pos; 267 plen = WPA_GET_BE16(phdr->payload_length); 268 if (plen < sizeof(*phdr) || plen > left) { 269 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header " 270 "length %d", plen); 271 return -1; 272 } 273 274 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x" 275 " Payload Length: %u", 276 phdr->next_payload, phdr->flags, plen); 277 278 pdata = (const u8 *) (phdr + 1); 279 pdatalen = plen - sizeof(*phdr); 280 281 switch (next_payload) { 282 case IKEV2_PAYLOAD_SA: 283 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security " 284 "Association"); 285 payloads->sa = pdata; 286 payloads->sa_len = pdatalen; 287 break; 288 case IKEV2_PAYLOAD_KEY_EXCHANGE: 289 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key " 290 "Exchange"); 291 payloads->ke = pdata; 292 payloads->ke_len = pdatalen; 293 break; 294 case IKEV2_PAYLOAD_IDi: 295 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi"); 296 payloads->idi = pdata; 297 payloads->idi_len = pdatalen; 298 break; 299 case IKEV2_PAYLOAD_IDr: 300 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr"); 301 payloads->idr = pdata; 302 payloads->idr_len = pdatalen; 303 break; 304 case IKEV2_PAYLOAD_CERTIFICATE: 305 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate"); 306 payloads->cert = pdata; 307 payloads->cert_len = pdatalen; 308 break; 309 case IKEV2_PAYLOAD_AUTHENTICATION: 310 wpa_printf(MSG_DEBUG, "IKEV2: Payload: " 311 "Authentication"); 312 payloads->auth = pdata; 313 payloads->auth_len = pdatalen; 314 break; 315 case IKEV2_PAYLOAD_NONCE: 316 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce"); 317 payloads->nonce = pdata; 318 payloads->nonce_len = pdatalen; 319 break; 320 case IKEV2_PAYLOAD_ENCRYPTED: 321 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted"); 322 payloads->encrypted = pdata; 323 payloads->encrypted_len = pdatalen; 324 break; 325 case IKEV2_PAYLOAD_NOTIFICATION: 326 wpa_printf(MSG_DEBUG, "IKEV2: Payload: " 327 "Notification"); 328 payloads->notification = pdata; 329 payloads->notification_len = pdatalen; 330 break; 331 default: 332 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) { 333 wpa_printf(MSG_INFO, "IKEV2: Unsupported " 334 "critical payload %u - reject the " 335 "entire message", next_payload); 336 return -1; 337 } else { 338 wpa_printf(MSG_DEBUG, "IKEV2: Skipped " 339 "unsupported payload %u", 340 next_payload); 341 } 342 } 343 344 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED && 345 pos + plen == end) { 346 /* 347 * Next Payload in the case of Encrypted Payload is 348 * actually the payload type for the first embedded 349 * payload. 350 */ 351 payloads->encr_next_payload = phdr->next_payload; 352 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD; 353 } else 354 next_payload = phdr->next_payload; 355 356 pos += plen; 357 } 358 359 if (pos != end) { 360 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after " 361 "payloads"); 362 return -1; 363 } 364 365 return 0; 366 } 367 368 369 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg, 370 const u8 *ID, size_t ID_len, u8 ID_type, 371 struct ikev2_keys *keys, int initiator, 372 const u8 *shared_secret, size_t shared_secret_len, 373 const u8 *nonce, size_t nonce_len, 374 const u8 *key_pad, size_t key_pad_len, 375 u8 *auth_data) 376 { 377 size_t sign_len, buf_len; 378 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN]; 379 const struct ikev2_prf_alg *prf; 380 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr; 381 382 prf = ikev2_get_prf(prf_alg); 383 if (sign_msg == NULL || ID == NULL || SK_p == NULL || 384 shared_secret == NULL || nonce == NULL || prf == NULL) 385 return -1; 386 387 /* prf(SK_pi/r,IDi/r') */ 388 buf_len = 4 + ID_len; 389 buf = os_zalloc(buf_len); 390 if (buf == NULL) 391 return -1; 392 buf[0] = ID_type; 393 os_memcpy(buf + 4, ID, ID_len); 394 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len, 395 1, (const u8 **) &buf, &buf_len, hash) < 0) { 396 os_free(buf); 397 return -1; 398 } 399 os_free(buf); 400 401 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */ 402 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len; 403 sign_data = os_malloc(sign_len); 404 if (sign_data == NULL) 405 return -1; 406 pos = sign_data; 407 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg)); 408 pos += wpabuf_len(sign_msg); 409 os_memcpy(pos, nonce, nonce_len); 410 pos += nonce_len; 411 os_memcpy(pos, hash, prf->hash_len); 412 413 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */ 414 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1, 415 &key_pad, &key_pad_len, hash) < 0 || 416 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1, 417 (const u8 **) &sign_data, &sign_len, auth_data) < 0) 418 { 419 os_free(sign_data); 420 return -1; 421 } 422 os_free(sign_data); 423 424 return 0; 425 } 426 427 428 u8 * ikev2_decrypt_payload(int encr_id, int integ_id, 429 struct ikev2_keys *keys, int initiator, 430 const struct ikev2_hdr *hdr, 431 const u8 *encrypted, size_t encrypted_len, 432 size_t *res_len) 433 { 434 size_t iv_len; 435 const u8 *pos, *end, *iv, *integ; 436 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted; 437 size_t decrypted_len, pad_len; 438 const struct ikev2_integ_alg *integ_alg; 439 const struct ikev2_encr_alg *encr_alg; 440 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er; 441 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar; 442 443 if (encrypted == NULL) { 444 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH"); 445 return NULL; 446 } 447 448 encr_alg = ikev2_get_encr(encr_id); 449 if (encr_alg == NULL) { 450 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type"); 451 return NULL; 452 } 453 iv_len = encr_alg->block_size; 454 455 integ_alg = ikev2_get_integ(integ_id); 456 if (integ_alg == NULL) { 457 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type"); 458 return NULL; 459 } 460 461 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) { 462 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity " 463 "Checksum"); 464 return NULL; 465 } 466 467 iv = encrypted; 468 pos = iv + iv_len; 469 end = encrypted + encrypted_len; 470 integ = end - integ_alg->hash_len; 471 472 if (SK_a == NULL) { 473 wpa_printf(MSG_INFO, "IKEV2: No SK_a available"); 474 return NULL; 475 } 476 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len, 477 (const u8 *) hdr, 478 integ - (const u8 *) hdr, hash) < 0) { 479 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity " 480 "hash"); 481 return NULL; 482 } 483 if (os_memcmp_const(integ, hash, integ_alg->hash_len) != 0) { 484 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum " 485 "Data"); 486 return NULL; 487 } 488 489 if (SK_e == NULL) { 490 wpa_printf(MSG_INFO, "IKEV2: No SK_e available"); 491 return NULL; 492 } 493 494 decrypted_len = integ - pos; 495 decrypted = os_malloc(decrypted_len); 496 if (decrypted == NULL) 497 return NULL; 498 499 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos, 500 decrypted, decrypted_len) < 0) { 501 os_free(decrypted); 502 return NULL; 503 } 504 505 pad_len = decrypted[decrypted_len - 1]; 506 if (decrypted_len < pad_len + 1) { 507 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted " 508 "payload"); 509 os_free(decrypted); 510 return NULL; 511 } 512 513 decrypted_len -= pad_len + 1; 514 515 *res_len = decrypted_len; 516 return decrypted; 517 } 518 519 520 void ikev2_update_hdr(struct wpabuf *msg) 521 { 522 struct ikev2_hdr *hdr; 523 524 /* Update lenth field in HDR */ 525 hdr = wpabuf_mhead(msg); 526 WPA_PUT_BE32(hdr->length, wpabuf_len(msg)); 527 } 528 529 530 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys, 531 int initiator, struct wpabuf *msg, 532 struct wpabuf *plain, u8 next_payload) 533 { 534 struct ikev2_payload_hdr *phdr; 535 size_t plen; 536 size_t iv_len, pad_len; 537 u8 *icv, *iv; 538 const struct ikev2_integ_alg *integ_alg; 539 const struct ikev2_encr_alg *encr_alg; 540 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er; 541 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar; 542 543 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload"); 544 545 /* Encr - RFC 4306, Sect. 3.14 */ 546 547 encr_alg = ikev2_get_encr(encr_id); 548 if (encr_alg == NULL) { 549 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type"); 550 return -1; 551 } 552 iv_len = encr_alg->block_size; 553 554 integ_alg = ikev2_get_integ(integ_id); 555 if (integ_alg == NULL) { 556 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type"); 557 return -1; 558 } 559 560 if (SK_e == NULL) { 561 wpa_printf(MSG_INFO, "IKEV2: No SK_e available"); 562 return -1; 563 } 564 565 if (SK_a == NULL) { 566 wpa_printf(MSG_INFO, "IKEV2: No SK_a available"); 567 return -1; 568 } 569 570 phdr = wpabuf_put(msg, sizeof(*phdr)); 571 phdr->next_payload = next_payload; 572 phdr->flags = 0; 573 574 iv = wpabuf_put(msg, iv_len); 575 if (random_get_bytes(iv, iv_len)) { 576 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV"); 577 return -1; 578 } 579 580 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len; 581 if (pad_len == iv_len) 582 pad_len = 0; 583 wpabuf_put(plain, pad_len); 584 wpabuf_put_u8(plain, pad_len); 585 586 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, 587 wpabuf_head(plain), wpabuf_mhead(plain), 588 wpabuf_len(plain)) < 0) 589 return -1; 590 591 wpabuf_put_buf(msg, plain); 592 593 /* Need to update all headers (Length fields) prior to hash func */ 594 icv = wpabuf_put(msg, integ_alg->hash_len); 595 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 596 WPA_PUT_BE16(phdr->payload_length, plen); 597 598 ikev2_update_hdr(msg); 599 600 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len, 601 wpabuf_head(msg), 602 wpabuf_len(msg) - integ_alg->hash_len, icv); 603 604 return 0; 605 } 606 607 608 int ikev2_keys_set(struct ikev2_keys *keys) 609 { 610 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei && 611 keys->SK_er && keys->SK_pi && keys->SK_pr; 612 } 613 614 615 void ikev2_free_keys(struct ikev2_keys *keys) 616 { 617 os_free(keys->SK_d); 618 os_free(keys->SK_ai); 619 os_free(keys->SK_ar); 620 os_free(keys->SK_ei); 621 os_free(keys->SK_er); 622 os_free(keys->SK_pi); 623 os_free(keys->SK_pr); 624 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er = 625 keys->SK_pi = keys->SK_pr = NULL; 626 } 627 628 629 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf, 630 const struct ikev2_integ_alg *integ, 631 const struct ikev2_encr_alg *encr, 632 const u8 *skeyseed, const u8 *data, size_t data_len, 633 struct ikev2_keys *keys) 634 { 635 u8 *keybuf, *pos; 636 size_t keybuf_len; 637 638 /* 639 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = 640 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr ) 641 */ 642 ikev2_free_keys(keys); 643 keys->SK_d_len = prf->key_len; 644 keys->SK_integ_len = integ->key_len; 645 keys->SK_encr_len = encr->key_len; 646 keys->SK_prf_len = prf->key_len; 647 648 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len + 649 2 * keys->SK_encr_len + 2 * keys->SK_prf_len; 650 keybuf = os_malloc(keybuf_len); 651 if (keybuf == NULL) 652 return -1; 653 654 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len, 655 data, data_len, keybuf, keybuf_len)) { 656 os_free(keybuf); 657 return -1; 658 } 659 660 pos = keybuf; 661 662 keys->SK_d = os_malloc(keys->SK_d_len); 663 if (keys->SK_d) { 664 os_memcpy(keys->SK_d, pos, keys->SK_d_len); 665 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d", 666 keys->SK_d, keys->SK_d_len); 667 } 668 pos += keys->SK_d_len; 669 670 keys->SK_ai = os_malloc(keys->SK_integ_len); 671 if (keys->SK_ai) { 672 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len); 673 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai", 674 keys->SK_ai, keys->SK_integ_len); 675 } 676 pos += keys->SK_integ_len; 677 678 keys->SK_ar = os_malloc(keys->SK_integ_len); 679 if (keys->SK_ar) { 680 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len); 681 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar", 682 keys->SK_ar, keys->SK_integ_len); 683 } 684 pos += keys->SK_integ_len; 685 686 keys->SK_ei = os_malloc(keys->SK_encr_len); 687 if (keys->SK_ei) { 688 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len); 689 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei", 690 keys->SK_ei, keys->SK_encr_len); 691 } 692 pos += keys->SK_encr_len; 693 694 keys->SK_er = os_malloc(keys->SK_encr_len); 695 if (keys->SK_er) { 696 os_memcpy(keys->SK_er, pos, keys->SK_encr_len); 697 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er", 698 keys->SK_er, keys->SK_encr_len); 699 } 700 pos += keys->SK_encr_len; 701 702 keys->SK_pi = os_malloc(keys->SK_prf_len); 703 if (keys->SK_pi) { 704 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len); 705 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi", 706 keys->SK_pi, keys->SK_prf_len); 707 } 708 pos += keys->SK_prf_len; 709 710 keys->SK_pr = os_malloc(keys->SK_prf_len); 711 if (keys->SK_pr) { 712 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len); 713 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr", 714 keys->SK_pr, keys->SK_prf_len); 715 } 716 717 os_free(keybuf); 718 719 if (!ikev2_keys_set(keys)) { 720 ikev2_free_keys(keys); 721 return -1; 722 } 723 724 return 0; 725 } 726