xref: /freebsd/contrib/wpa/src/eap_common/ikev2_common.c (revision 6472ac3d8a86336899b6cfb789a4cd9897e3fab5)
1 /*
2  * IKEv2 common routines for initiator and responder
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  */
14 
15 #include "includes.h"
16 
17 #include "common.h"
18 #include "crypto/crypto.h"
19 #include "crypto/md5.h"
20 #include "crypto/sha1.h"
21 #include "ikev2_common.h"
22 
23 
24 static struct ikev2_integ_alg ikev2_integ_algs[] = {
25 	{ AUTH_HMAC_SHA1_96, 20, 12 },
26 	{ AUTH_HMAC_MD5_96, 16, 12 }
27 };
28 
29 #define NUM_INTEG_ALGS (sizeof(ikev2_integ_algs) / sizeof(ikev2_integ_algs[0]))
30 
31 
32 static struct ikev2_prf_alg ikev2_prf_algs[] = {
33 	{ PRF_HMAC_SHA1, 20, 20 },
34 	{ PRF_HMAC_MD5, 16, 16 }
35 };
36 
37 #define NUM_PRF_ALGS (sizeof(ikev2_prf_algs) / sizeof(ikev2_prf_algs[0]))
38 
39 
40 static struct ikev2_encr_alg ikev2_encr_algs[] = {
41 	{ ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
42 	{ ENCR_3DES, 24, 8 }
43 };
44 
45 #define NUM_ENCR_ALGS (sizeof(ikev2_encr_algs) / sizeof(ikev2_encr_algs[0]))
46 
47 
48 const struct ikev2_integ_alg * ikev2_get_integ(int id)
49 {
50 	size_t i;
51 
52 	for (i = 0; i < NUM_INTEG_ALGS; i++) {
53 		if (ikev2_integ_algs[i].id == id)
54 			return &ikev2_integ_algs[i];
55 	}
56 
57 	return NULL;
58 }
59 
60 
61 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
62 		     size_t data_len, u8 *hash)
63 {
64 	u8 tmphash[IKEV2_MAX_HASH_LEN];
65 
66 	switch (alg) {
67 	case AUTH_HMAC_SHA1_96:
68 		if (key_len != 20)
69 			return -1;
70 		hmac_sha1(key, key_len, data, data_len, tmphash);
71 		os_memcpy(hash, tmphash, 12);
72 		break;
73 	case AUTH_HMAC_MD5_96:
74 		if (key_len != 16)
75 			return -1;
76 		hmac_md5(key, key_len, data, data_len, tmphash);
77 		os_memcpy(hash, tmphash, 12);
78 		break;
79 	default:
80 		return -1;
81 	}
82 
83 	return 0;
84 }
85 
86 
87 const struct ikev2_prf_alg * ikev2_get_prf(int id)
88 {
89 	size_t i;
90 
91 	for (i = 0; i < NUM_PRF_ALGS; i++) {
92 		if (ikev2_prf_algs[i].id == id)
93 			return &ikev2_prf_algs[i];
94 	}
95 
96 	return NULL;
97 }
98 
99 
100 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
101 		   size_t num_elem, const u8 *addr[], const size_t *len,
102 		   u8 *hash)
103 {
104 	switch (alg) {
105 	case PRF_HMAC_SHA1:
106 		hmac_sha1_vector(key, key_len, num_elem, addr, len, hash);
107 		break;
108 	case PRF_HMAC_MD5:
109 		hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
110 		break;
111 	default:
112 		return -1;
113 	}
114 
115 	return 0;
116 }
117 
118 
119 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
120 		   const u8 *data, size_t data_len,
121 		   u8 *out, size_t out_len)
122 {
123 	u8 hash[IKEV2_MAX_HASH_LEN];
124 	size_t hash_len;
125 	u8 iter, *pos, *end;
126 	const u8 *addr[3];
127 	size_t len[3];
128 	const struct ikev2_prf_alg *prf;
129 	int res;
130 
131 	prf = ikev2_get_prf(alg);
132 	if (prf == NULL)
133 		return -1;
134 	hash_len = prf->hash_len;
135 
136 	addr[0] = hash;
137 	len[0] = hash_len;
138 	addr[1] = data;
139 	len[1] = data_len;
140 	addr[2] = &iter;
141 	len[2] = 1;
142 
143 	pos = out;
144 	end = out + out_len;
145 	iter = 1;
146 	while (pos < end) {
147 		size_t clen;
148 		if (iter == 1)
149 			res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
150 					     &len[1], hash);
151 		else
152 			res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
153 					     hash);
154 		if (res < 0)
155 			return -1;
156 		clen = hash_len;
157 		if ((int) clen > end - pos)
158 			clen = end - pos;
159 		os_memcpy(pos, hash, clen);
160 		pos += clen;
161 		iter++;
162 	}
163 
164 	return 0;
165 }
166 
167 
168 const struct ikev2_encr_alg * ikev2_get_encr(int id)
169 {
170 	size_t i;
171 
172 	for (i = 0; i < NUM_ENCR_ALGS; i++) {
173 		if (ikev2_encr_algs[i].id == id)
174 			return &ikev2_encr_algs[i];
175 	}
176 
177 	return NULL;
178 }
179 
180 
181 #ifdef CCNS_PL
182 /* from des.c */
183 struct des3_key_s {
184 	u32 ek[3][32];
185 	u32 dk[3][32];
186 };
187 
188 void des3_key_setup(const u8 *key, struct des3_key_s *dkey);
189 void des3_encrypt(const u8 *plain, const struct des3_key_s *key, u8 *crypt);
190 void des3_decrypt(const u8 *crypt, const struct des3_key_s *key, u8 *plain);
191 #endif /* CCNS_PL */
192 
193 
194 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
195 		       const u8 *plain, u8 *crypt, size_t len)
196 {
197 	struct crypto_cipher *cipher;
198 	int encr_alg;
199 
200 #ifdef CCNS_PL
201 	if (alg == ENCR_3DES) {
202 		struct des3_key_s des3key;
203 		size_t i, blocks;
204 		u8 *pos;
205 
206 		/* ECB mode is used incorrectly for 3DES!? */
207 		if (key_len != 24) {
208 			wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
209 			return -1;
210 		}
211 		des3_key_setup(key, &des3key);
212 
213 		blocks = len / 8;
214 		pos = crypt;
215 		for (i = 0; i < blocks; i++) {
216 			des3_encrypt(pos, &des3key, pos);
217 			pos += 8;
218 		}
219 	} else {
220 #endif /* CCNS_PL */
221 	switch (alg) {
222 	case ENCR_3DES:
223 		encr_alg = CRYPTO_CIPHER_ALG_3DES;
224 		break;
225 	case ENCR_AES_CBC:
226 		encr_alg = CRYPTO_CIPHER_ALG_AES;
227 		break;
228 	default:
229 		wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
230 		return -1;
231 	}
232 
233 	cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
234 	if (cipher == NULL) {
235 		wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
236 		return -1;
237 	}
238 
239 	if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
240 		wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
241 		crypto_cipher_deinit(cipher);
242 		return -1;
243 	}
244 	crypto_cipher_deinit(cipher);
245 #ifdef CCNS_PL
246 	}
247 #endif /* CCNS_PL */
248 
249 	return 0;
250 }
251 
252 
253 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
254 		       const u8 *crypt, u8 *plain, size_t len)
255 {
256 	struct crypto_cipher *cipher;
257 	int encr_alg;
258 
259 #ifdef CCNS_PL
260 	if (alg == ENCR_3DES) {
261 		struct des3_key_s des3key;
262 		size_t i, blocks;
263 
264 		/* ECB mode is used incorrectly for 3DES!? */
265 		if (key_len != 24) {
266 			wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length");
267 			return -1;
268 		}
269 		des3_key_setup(key, &des3key);
270 
271 		if (len % 8) {
272 			wpa_printf(MSG_INFO, "IKEV2: Invalid encrypted "
273 				   "length");
274 			return -1;
275 		}
276 		blocks = len / 8;
277 		for (i = 0; i < blocks; i++) {
278 			des3_decrypt(crypt, &des3key, plain);
279 			plain += 8;
280 			crypt += 8;
281 		}
282 	} else {
283 #endif /* CCNS_PL */
284 	switch (alg) {
285 	case ENCR_3DES:
286 		encr_alg = CRYPTO_CIPHER_ALG_3DES;
287 		break;
288 	case ENCR_AES_CBC:
289 		encr_alg = CRYPTO_CIPHER_ALG_AES;
290 		break;
291 	default:
292 		wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
293 		return -1;
294 	}
295 
296 	cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
297 	if (cipher == NULL) {
298 		wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
299 		return -1;
300 	}
301 
302 	if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
303 		wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
304 		crypto_cipher_deinit(cipher);
305 		return -1;
306 	}
307 	crypto_cipher_deinit(cipher);
308 #ifdef CCNS_PL
309 	}
310 #endif /* CCNS_PL */
311 
312 	return 0;
313 }
314 
315 
316 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
317 			 u8 next_payload, const u8 *pos, const u8 *end)
318 {
319 	const struct ikev2_payload_hdr *phdr;
320 
321 	os_memset(payloads, 0, sizeof(*payloads));
322 
323 	while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
324 		int plen, pdatalen;
325 		const u8 *pdata;
326 		wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
327 			   next_payload);
328 		if (end - pos < (int) sizeof(*phdr)) {
329 			wpa_printf(MSG_INFO, "IKEV2:   Too short message for "
330 				   "payload header (left=%ld)",
331 				   (long) (end - pos));
332 		}
333 		phdr = (const struct ikev2_payload_hdr *) pos;
334 		plen = WPA_GET_BE16(phdr->payload_length);
335 		if (plen < (int) sizeof(*phdr) || pos + plen > end) {
336 			wpa_printf(MSG_INFO, "IKEV2:   Invalid payload header "
337 				   "length %d", plen);
338 			return -1;
339 		}
340 
341 		wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Flags: 0x%x"
342 			   "  Payload Length: %d",
343 			   phdr->next_payload, phdr->flags, plen);
344 
345 		pdata = (const u8 *) (phdr + 1);
346 		pdatalen = plen - sizeof(*phdr);
347 
348 		switch (next_payload) {
349 		case IKEV2_PAYLOAD_SA:
350 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Security "
351 				   "Association");
352 			payloads->sa = pdata;
353 			payloads->sa_len = pdatalen;
354 			break;
355 		case IKEV2_PAYLOAD_KEY_EXCHANGE:
356 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Key "
357 				   "Exchange");
358 			payloads->ke = pdata;
359 			payloads->ke_len = pdatalen;
360 			break;
361 		case IKEV2_PAYLOAD_IDi:
362 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDi");
363 			payloads->idi = pdata;
364 			payloads->idi_len = pdatalen;
365 			break;
366 		case IKEV2_PAYLOAD_IDr:
367 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDr");
368 			payloads->idr = pdata;
369 			payloads->idr_len = pdatalen;
370 			break;
371 		case IKEV2_PAYLOAD_CERTIFICATE:
372 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Certificate");
373 			payloads->cert = pdata;
374 			payloads->cert_len = pdatalen;
375 			break;
376 		case IKEV2_PAYLOAD_AUTHENTICATION:
377 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
378 				   "Authentication");
379 			payloads->auth = pdata;
380 			payloads->auth_len = pdatalen;
381 			break;
382 		case IKEV2_PAYLOAD_NONCE:
383 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Nonce");
384 			payloads->nonce = pdata;
385 			payloads->nonce_len = pdatalen;
386 			break;
387 		case IKEV2_PAYLOAD_ENCRYPTED:
388 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Encrypted");
389 			payloads->encrypted = pdata;
390 			payloads->encrypted_len = pdatalen;
391 			break;
392 		case IKEV2_PAYLOAD_NOTIFICATION:
393 			wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
394 				   "Notification");
395 			payloads->notification = pdata;
396 			payloads->notification_len = pdatalen;
397 			break;
398 		default:
399 			if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
400 				wpa_printf(MSG_INFO, "IKEV2:   Unsupported "
401 					   "critical payload %u - reject the "
402 					   "entire message", next_payload);
403 				return -1;
404 			} else {
405 				wpa_printf(MSG_DEBUG, "IKEV2:   Skipped "
406 					   "unsupported payload %u",
407 					   next_payload);
408 			}
409 		}
410 
411 		if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
412 		    pos + plen == end) {
413 			/*
414 			 * Next Payload in the case of Encrypted Payload is
415 			 * actually the payload type for the first embedded
416 			 * payload.
417 			 */
418 			payloads->encr_next_payload = phdr->next_payload;
419 			next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
420 		} else
421 			next_payload = phdr->next_payload;
422 
423 		pos += plen;
424 	}
425 
426 	if (pos != end) {
427 		wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
428 			   "payloads");
429 		return -1;
430 	}
431 
432 	return 0;
433 }
434 
435 
436 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
437 			   const u8 *ID, size_t ID_len, u8 ID_type,
438 			   struct ikev2_keys *keys, int initiator,
439 			   const u8 *shared_secret, size_t shared_secret_len,
440 			   const u8 *nonce, size_t nonce_len,
441 			   const u8 *key_pad, size_t key_pad_len,
442 			   u8 *auth_data)
443 {
444 	size_t sign_len, buf_len;
445 	u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
446 	const struct ikev2_prf_alg *prf;
447 	const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
448 
449 	prf = ikev2_get_prf(prf_alg);
450 	if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
451 	    shared_secret == NULL || nonce == NULL || prf == NULL)
452 		return -1;
453 
454 	/* prf(SK_pi/r,IDi/r') */
455 	buf_len = 4 + ID_len;
456 	buf = os_zalloc(buf_len);
457 	if (buf == NULL)
458 		return -1;
459 	buf[0] = ID_type;
460 	os_memcpy(buf + 4, ID, ID_len);
461 	if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
462 			   1, (const u8 **) &buf, &buf_len, hash) < 0) {
463 		os_free(buf);
464 		return -1;
465 	}
466 	os_free(buf);
467 
468 	/* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
469 	sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
470 	sign_data = os_malloc(sign_len);
471 	if (sign_data == NULL)
472 		return -1;
473 	pos = sign_data;
474 	os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
475 	pos += wpabuf_len(sign_msg);
476 	os_memcpy(pos, nonce, nonce_len);
477 	pos += nonce_len;
478 	os_memcpy(pos, hash, prf->hash_len);
479 
480 	/* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
481 	if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
482 			   &key_pad, &key_pad_len, hash) < 0 ||
483 	    ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
484 			   (const u8 **) &sign_data, &sign_len, auth_data) < 0)
485 	{
486 		os_free(sign_data);
487 		return -1;
488 	}
489 	os_free(sign_data);
490 
491 	return 0;
492 }
493 
494 
495 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
496 			   struct ikev2_keys *keys, int initiator,
497 			   const struct ikev2_hdr *hdr,
498 			   const u8 *encrypted, size_t encrypted_len,
499 			   size_t *res_len)
500 {
501 	size_t iv_len;
502 	const u8 *pos, *end, *iv, *integ;
503 	u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
504 	size_t decrypted_len, pad_len;
505 	const struct ikev2_integ_alg *integ_alg;
506 	const struct ikev2_encr_alg *encr_alg;
507 	const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
508 	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
509 
510 	if (encrypted == NULL) {
511 		wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
512 		return NULL;
513 	}
514 
515 	encr_alg = ikev2_get_encr(encr_id);
516 	if (encr_alg == NULL) {
517 		wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
518 		return NULL;
519 	}
520 	iv_len = encr_alg->block_size;
521 
522 	integ_alg = ikev2_get_integ(integ_id);
523 	if (integ_alg == NULL) {
524 		wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
525 		return NULL;
526 	}
527 
528 	if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
529 		wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
530 			  "Checksum");
531 		return NULL;
532 	}
533 
534 	iv = encrypted;
535 	pos = iv + iv_len;
536 	end = encrypted + encrypted_len;
537 	integ = end - integ_alg->hash_len;
538 
539 	if (SK_a == NULL) {
540 		wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
541 		return NULL;
542 	}
543 	if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
544 			     (const u8 *) hdr,
545 			     integ - (const u8 *) hdr, hash) < 0) {
546 		wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
547 			   "hash");
548 		return NULL;
549 	}
550 	if (os_memcmp(integ, hash, integ_alg->hash_len) != 0) {
551 		wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
552 			   "Data");
553 		return NULL;
554 	}
555 
556 	if (SK_e == NULL) {
557 		wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
558 		return NULL;
559 	}
560 
561 	decrypted_len = integ - pos;
562 	decrypted = os_malloc(decrypted_len);
563 	if (decrypted == NULL)
564 		return NULL;
565 
566 	if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
567 			       decrypted, decrypted_len) < 0) {
568 		os_free(decrypted);
569 		return NULL;
570 	}
571 
572 	pad_len = decrypted[decrypted_len - 1];
573 	if (decrypted_len < pad_len + 1) {
574 		wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
575 			   "payload");
576 		os_free(decrypted);
577 		return NULL;
578 	}
579 
580 	decrypted_len -= pad_len + 1;
581 
582 	*res_len = decrypted_len;
583 	return decrypted;
584 }
585 
586 
587 void ikev2_update_hdr(struct wpabuf *msg)
588 {
589 	struct ikev2_hdr *hdr;
590 
591 	/* Update lenth field in HDR */
592 	hdr = wpabuf_mhead(msg);
593 	WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
594 }
595 
596 
597 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
598 			  int initiator, struct wpabuf *msg,
599 			  struct wpabuf *plain, u8 next_payload)
600 {
601 	struct ikev2_payload_hdr *phdr;
602 	size_t plen;
603 	size_t iv_len, pad_len;
604 	u8 *icv, *iv;
605 	const struct ikev2_integ_alg *integ_alg;
606 	const struct ikev2_encr_alg *encr_alg;
607 	const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
608 	const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
609 
610 	wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
611 
612 	/* Encr - RFC 4306, Sect. 3.14 */
613 
614 	encr_alg = ikev2_get_encr(encr_id);
615 	if (encr_alg == NULL) {
616 		wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
617 		return -1;
618 	}
619 	iv_len = encr_alg->block_size;
620 
621 	integ_alg = ikev2_get_integ(integ_id);
622 	if (integ_alg == NULL) {
623 		wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
624 		return -1;
625 	}
626 
627 	if (SK_e == NULL) {
628 		wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
629 		return -1;
630 	}
631 
632 	if (SK_a == NULL) {
633 		wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
634 		return -1;
635 	}
636 
637 	phdr = wpabuf_put(msg, sizeof(*phdr));
638 	phdr->next_payload = next_payload;
639 	phdr->flags = 0;
640 
641 	iv = wpabuf_put(msg, iv_len);
642 	if (os_get_random(iv, iv_len)) {
643 		wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
644 		return -1;
645 	}
646 
647 	pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
648 	if (pad_len == iv_len)
649 		pad_len = 0;
650 	wpabuf_put(plain, pad_len);
651 	wpabuf_put_u8(plain, pad_len);
652 
653 	if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
654 			       wpabuf_head(plain), wpabuf_mhead(plain),
655 			       wpabuf_len(plain)) < 0)
656 		return -1;
657 
658 	wpabuf_put_buf(msg, plain);
659 
660 	/* Need to update all headers (Length fields) prior to hash func */
661 	icv = wpabuf_put(msg, integ_alg->hash_len);
662 	plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
663 	WPA_PUT_BE16(phdr->payload_length, plen);
664 
665 	ikev2_update_hdr(msg);
666 
667 	return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
668 				wpabuf_head(msg),
669 				wpabuf_len(msg) - integ_alg->hash_len, icv);
670 
671 	return 0;
672 }
673 
674 
675 int ikev2_keys_set(struct ikev2_keys *keys)
676 {
677 	return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
678 		keys->SK_er && keys->SK_pi && keys->SK_pr;
679 }
680 
681 
682 void ikev2_free_keys(struct ikev2_keys *keys)
683 {
684 	os_free(keys->SK_d);
685 	os_free(keys->SK_ai);
686 	os_free(keys->SK_ar);
687 	os_free(keys->SK_ei);
688 	os_free(keys->SK_er);
689 	os_free(keys->SK_pi);
690 	os_free(keys->SK_pr);
691 	keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
692 		keys->SK_pi = keys->SK_pr = NULL;
693 }
694 
695 
696 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
697 			 const struct ikev2_integ_alg *integ,
698 			 const struct ikev2_encr_alg *encr,
699 			 const u8 *skeyseed, const u8 *data, size_t data_len,
700 			 struct ikev2_keys *keys)
701 {
702 	u8 *keybuf, *pos;
703 	size_t keybuf_len;
704 
705 	/*
706 	 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
707 	 *	prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
708 	 */
709 	ikev2_free_keys(keys);
710 	keys->SK_d_len = prf->key_len;
711 	keys->SK_integ_len = integ->key_len;
712 	keys->SK_encr_len = encr->key_len;
713 	keys->SK_prf_len = prf->key_len;
714 #ifdef CCNS_PL
715 	/* Uses encryption key length for SK_d; should be PRF length */
716 	keys->SK_d_len = keys->SK_encr_len;
717 #endif /* CCNS_PL */
718 
719 	keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
720 		2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
721 	keybuf = os_malloc(keybuf_len);
722 	if (keybuf == NULL)
723 		return -1;
724 
725 	if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
726 			   data, data_len, keybuf, keybuf_len)) {
727 		os_free(keybuf);
728 		return -1;
729 	}
730 
731 	pos = keybuf;
732 
733 	keys->SK_d = os_malloc(keys->SK_d_len);
734 	if (keys->SK_d) {
735 		os_memcpy(keys->SK_d, pos, keys->SK_d_len);
736 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
737 				keys->SK_d, keys->SK_d_len);
738 	}
739 	pos += keys->SK_d_len;
740 
741 	keys->SK_ai = os_malloc(keys->SK_integ_len);
742 	if (keys->SK_ai) {
743 		os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
744 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
745 				keys->SK_ai, keys->SK_integ_len);
746 	}
747 	pos += keys->SK_integ_len;
748 
749 	keys->SK_ar = os_malloc(keys->SK_integ_len);
750 	if (keys->SK_ar) {
751 		os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
752 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
753 				keys->SK_ar, keys->SK_integ_len);
754 	}
755 	pos += keys->SK_integ_len;
756 
757 	keys->SK_ei = os_malloc(keys->SK_encr_len);
758 	if (keys->SK_ei) {
759 		os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
760 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
761 				keys->SK_ei, keys->SK_encr_len);
762 	}
763 	pos += keys->SK_encr_len;
764 
765 	keys->SK_er = os_malloc(keys->SK_encr_len);
766 	if (keys->SK_er) {
767 		os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
768 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
769 				keys->SK_er, keys->SK_encr_len);
770 	}
771 	pos += keys->SK_encr_len;
772 
773 	keys->SK_pi = os_malloc(keys->SK_prf_len);
774 	if (keys->SK_pi) {
775 		os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
776 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
777 				keys->SK_pi, keys->SK_prf_len);
778 	}
779 	pos += keys->SK_prf_len;
780 
781 	keys->SK_pr = os_malloc(keys->SK_prf_len);
782 	if (keys->SK_pr) {
783 		os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
784 		wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
785 				keys->SK_pr, keys->SK_prf_len);
786 	}
787 
788 	os_free(keybuf);
789 
790 	if (!ikev2_keys_set(keys)) {
791 		ikev2_free_keys(keys);
792 		return -1;
793 	}
794 
795 	return 0;
796 }
797