1 /*
2  * IKEv2 common routines for initiator and responder
3  * Copyright (c) 2007, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 
11 #include "common.h"
12 #include "crypto/crypto.h"
13 #include "crypto/md5.h"
14 #include "crypto/sha1.h"
15 #include "crypto/random.h"
16 #include "ikev2_common.h"
17 
18 
19 static const struct ikev2_integ_alg ikev2_integ_algs[] = {
20           { AUTH_HMAC_SHA1_96, 20, 12 },
21           { AUTH_HMAC_MD5_96, 16, 12 }
22 };
23 
24 #define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs)
25 
26 
27 static const struct ikev2_prf_alg ikev2_prf_algs[] = {
28           { PRF_HMAC_SHA1, 20, 20 },
29           { PRF_HMAC_MD5, 16, 16 }
30 };
31 
32 #define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs)
33 
34 
35 static const struct ikev2_encr_alg ikev2_encr_algs[] = {
36           { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */
37           { ENCR_3DES, 24, 8 }
38 };
39 
40 #define NUM_ENCR_ALGS ARRAY_SIZE(ikev2_encr_algs)
41 
42 
ikev2_get_integ(int id)43 const struct ikev2_integ_alg * ikev2_get_integ(int id)
44 {
45           size_t i;
46 
47           for (i = 0; i < NUM_INTEG_ALGS; i++) {
48                     if (ikev2_integ_algs[i].id == id)
49                               return &ikev2_integ_algs[i];
50           }
51 
52           return NULL;
53 }
54 
55 
ikev2_integ_hash(int alg,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * hash)56 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
57                          size_t data_len, u8 *hash)
58 {
59           u8 tmphash[IKEV2_MAX_HASH_LEN];
60 
61           switch (alg) {
62           case AUTH_HMAC_SHA1_96:
63                     if (key_len != 20)
64                               return -1;
65                     if (hmac_sha1(key, key_len, data, data_len, tmphash) < 0)
66                               return -1;
67                     os_memcpy(hash, tmphash, 12);
68                     break;
69           case AUTH_HMAC_MD5_96:
70                     if (key_len != 16)
71                               return -1;
72                     if (hmac_md5(key, key_len, data, data_len, tmphash) < 0)
73                               return -1;
74                     os_memcpy(hash, tmphash, 12);
75                     break;
76           default:
77                     return -1;
78           }
79 
80           return 0;
81 }
82 
83 
ikev2_get_prf(int id)84 const struct ikev2_prf_alg * ikev2_get_prf(int id)
85 {
86           size_t i;
87 
88           for (i = 0; i < NUM_PRF_ALGS; i++) {
89                     if (ikev2_prf_algs[i].id == id)
90                               return &ikev2_prf_algs[i];
91           }
92 
93           return NULL;
94 }
95 
96 
ikev2_prf_hash(int alg,const u8 * key,size_t key_len,size_t num_elem,const u8 * addr[],const size_t * len,u8 * hash)97 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
98                        size_t num_elem, const u8 *addr[], const size_t *len,
99                        u8 *hash)
100 {
101           switch (alg) {
102           case PRF_HMAC_SHA1:
103                     return hmac_sha1_vector(key, key_len, num_elem, addr, len,
104                                                   hash);
105           case PRF_HMAC_MD5:
106                     return hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
107           default:
108                     return -1;
109           }
110 }
111 
112 
ikev2_prf_plus(int alg,const u8 * key,size_t key_len,const u8 * data,size_t data_len,u8 * out,size_t out_len)113 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len,
114                        const u8 *data, size_t data_len,
115                        u8 *out, size_t out_len)
116 {
117           u8 hash[IKEV2_MAX_HASH_LEN];
118           size_t hash_len;
119           u8 iter, *pos, *end;
120           const u8 *addr[3];
121           size_t len[3];
122           const struct ikev2_prf_alg *prf;
123           int res;
124 
125           prf = ikev2_get_prf(alg);
126           if (prf == NULL)
127                     return -1;
128           hash_len = prf->hash_len;
129 
130           addr[0] = hash;
131           len[0] = hash_len;
132           addr[1] = data;
133           len[1] = data_len;
134           addr[2] = &iter;
135           len[2] = 1;
136 
137           pos = out;
138           end = out + out_len;
139           iter = 1;
140           while (pos < end) {
141                     size_t clen;
142                     if (iter == 1)
143                               res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1],
144                                                        &len[1], hash);
145                     else
146                               res = ikev2_prf_hash(alg, key, key_len, 3, addr, len,
147                                                        hash);
148                     if (res < 0)
149                               return -1;
150                     clen = hash_len;
151                     if ((int) clen > end - pos)
152                               clen = end - pos;
153                     os_memcpy(pos, hash, clen);
154                     pos += clen;
155                     iter++;
156           }
157 
158           return 0;
159 }
160 
161 
ikev2_get_encr(int id)162 const struct ikev2_encr_alg * ikev2_get_encr(int id)
163 {
164           size_t i;
165 
166           for (i = 0; i < NUM_ENCR_ALGS; i++) {
167                     if (ikev2_encr_algs[i].id == id)
168                               return &ikev2_encr_algs[i];
169           }
170 
171           return NULL;
172 }
173 
174 
ikev2_encr_encrypt(int alg,const u8 * key,size_t key_len,const u8 * iv,const u8 * plain,u8 * crypt,size_t len)175 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
176                            const u8 *plain, u8 *crypt, size_t len)
177 {
178           struct crypto_cipher *cipher;
179           int encr_alg;
180 
181           switch (alg) {
182           case ENCR_3DES:
183                     encr_alg = CRYPTO_CIPHER_ALG_3DES;
184                     break;
185           case ENCR_AES_CBC:
186                     encr_alg = CRYPTO_CIPHER_ALG_AES;
187                     break;
188           default:
189                     wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
190                     return -1;
191           }
192 
193           cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
194           if (cipher == NULL) {
195                     wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
196                     return -1;
197           }
198 
199           if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) {
200                     wpa_printf(MSG_INFO, "IKEV2: Encryption failed");
201                     crypto_cipher_deinit(cipher);
202                     return -1;
203           }
204           crypto_cipher_deinit(cipher);
205 
206           return 0;
207 }
208 
209 
ikev2_encr_decrypt(int alg,const u8 * key,size_t key_len,const u8 * iv,const u8 * crypt,u8 * plain,size_t len)210 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv,
211                            const u8 *crypt, u8 *plain, size_t len)
212 {
213           struct crypto_cipher *cipher;
214           int encr_alg;
215 
216           switch (alg) {
217           case ENCR_3DES:
218                     encr_alg = CRYPTO_CIPHER_ALG_3DES;
219                     break;
220           case ENCR_AES_CBC:
221                     encr_alg = CRYPTO_CIPHER_ALG_AES;
222                     break;
223           default:
224                     wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg);
225                     return -1;
226           }
227 
228           cipher = crypto_cipher_init(encr_alg, iv, key, key_len);
229           if (cipher == NULL) {
230                     wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher");
231                     return -1;
232           }
233 
234           if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) {
235                     wpa_printf(MSG_INFO, "IKEV2: Decryption failed");
236                     crypto_cipher_deinit(cipher);
237                     return -1;
238           }
239           crypto_cipher_deinit(cipher);
240 
241           return 0;
242 }
243 
244 
ikev2_parse_payloads(struct ikev2_payloads * payloads,u8 next_payload,const u8 * pos,const u8 * end)245 int ikev2_parse_payloads(struct ikev2_payloads *payloads,
246                                u8 next_payload, const u8 *pos, const u8 *end)
247 {
248           const struct ikev2_payload_hdr *phdr;
249 
250           os_memset(payloads, 0, sizeof(*payloads));
251 
252           while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) {
253                     unsigned int plen, pdatalen, left;
254                     const u8 *pdata;
255                     wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u",
256                                  next_payload);
257                     if (end < pos)
258                               return -1;
259                     left = end - pos;
260                     if (left < sizeof(*phdr)) {
261                               wpa_printf(MSG_INFO, "IKEV2:   Too short message for "
262                                            "payload header (left=%ld)",
263                                            (long) (end - pos));
264                               return -1;
265                     }
266                     phdr = (const struct ikev2_payload_hdr *) pos;
267                     plen = WPA_GET_BE16(phdr->payload_length);
268                     if (plen < sizeof(*phdr) || plen > left) {
269                               wpa_printf(MSG_INFO, "IKEV2:   Invalid payload header "
270                                            "length %d", plen);
271                               return -1;
272                     }
273 
274                     wpa_printf(MSG_DEBUG, "IKEV2:   Next Payload: %u  Flags: 0x%x"
275                                  "  Payload Length: %u",
276                                  phdr->next_payload, phdr->flags, plen);
277 
278                     pdata = (const u8 *) (phdr + 1);
279                     pdatalen = plen - sizeof(*phdr);
280 
281                     switch (next_payload) {
282                     case IKEV2_PAYLOAD_SA:
283                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Security "
284                                            "Association");
285                               payloads->sa = pdata;
286                               payloads->sa_len = pdatalen;
287                               break;
288                     case IKEV2_PAYLOAD_KEY_EXCHANGE:
289                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Key "
290                                            "Exchange");
291                               payloads->ke = pdata;
292                               payloads->ke_len = pdatalen;
293                               break;
294                     case IKEV2_PAYLOAD_IDi:
295                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDi");
296                               payloads->idi = pdata;
297                               payloads->idi_len = pdatalen;
298                               break;
299                     case IKEV2_PAYLOAD_IDr:
300                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: IDr");
301                               payloads->idr = pdata;
302                               payloads->idr_len = pdatalen;
303                               break;
304                     case IKEV2_PAYLOAD_CERTIFICATE:
305                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Certificate");
306                               payloads->cert = pdata;
307                               payloads->cert_len = pdatalen;
308                               break;
309                     case IKEV2_PAYLOAD_AUTHENTICATION:
310                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
311                                            "Authentication");
312                               payloads->auth = pdata;
313                               payloads->auth_len = pdatalen;
314                               break;
315                     case IKEV2_PAYLOAD_NONCE:
316                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Nonce");
317                               payloads->nonce = pdata;
318                               payloads->nonce_len = pdatalen;
319                               break;
320                     case IKEV2_PAYLOAD_ENCRYPTED:
321                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: Encrypted");
322                               payloads->encrypted = pdata;
323                               payloads->encrypted_len = pdatalen;
324                               break;
325                     case IKEV2_PAYLOAD_NOTIFICATION:
326                               wpa_printf(MSG_DEBUG, "IKEV2:   Payload: "
327                                            "Notification");
328                               payloads->notification = pdata;
329                               payloads->notification_len = pdatalen;
330                               break;
331                     default:
332                               if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) {
333                                         wpa_printf(MSG_INFO, "IKEV2:   Unsupported "
334                                                      "critical payload %u - reject the "
335                                                      "entire message", next_payload);
336                                         return -1;
337                               } else {
338                                         wpa_printf(MSG_DEBUG, "IKEV2:   Skipped "
339                                                      "unsupported payload %u",
340                                                      next_payload);
341                               }
342                     }
343 
344                     if (next_payload == IKEV2_PAYLOAD_ENCRYPTED &&
345                         pos + plen == end) {
346                               /*
347                                * Next Payload in the case of Encrypted Payload is
348                                * actually the payload type for the first embedded
349                                * payload.
350                                */
351                               payloads->encr_next_payload = phdr->next_payload;
352                               next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD;
353                     } else
354                               next_payload = phdr->next_payload;
355 
356                     pos += plen;
357           }
358 
359           if (pos != end) {
360                     wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after "
361                                  "payloads");
362                     return -1;
363           }
364 
365           return 0;
366 }
367 
368 
ikev2_derive_auth_data(int prf_alg,const struct wpabuf * sign_msg,const u8 * ID,size_t ID_len,u8 ID_type,struct ikev2_keys * keys,int initiator,const u8 * shared_secret,size_t shared_secret_len,const u8 * nonce,size_t nonce_len,const u8 * key_pad,size_t key_pad_len,u8 * auth_data)369 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg,
370                                  const u8 *ID, size_t ID_len, u8 ID_type,
371                                  struct ikev2_keys *keys, int initiator,
372                                  const u8 *shared_secret, size_t shared_secret_len,
373                                  const u8 *nonce, size_t nonce_len,
374                                  const u8 *key_pad, size_t key_pad_len,
375                                  u8 *auth_data)
376 {
377           size_t sign_len, buf_len;
378           u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN];
379           const struct ikev2_prf_alg *prf;
380           const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr;
381 
382           prf = ikev2_get_prf(prf_alg);
383           if (sign_msg == NULL || ID == NULL || SK_p == NULL ||
384               shared_secret == NULL || nonce == NULL || prf == NULL)
385                     return -1;
386 
387           /* prf(SK_pi/r,IDi/r') */
388           buf_len = 4 + ID_len;
389           buf = os_zalloc(buf_len);
390           if (buf == NULL)
391                     return -1;
392           buf[0] = ID_type;
393           os_memcpy(buf + 4, ID, ID_len);
394           if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len,
395                                  1, (const u8 **) &buf, &buf_len, hash) < 0) {
396                     os_free(buf);
397                     return -1;
398           }
399           os_free(buf);
400 
401           /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */
402           sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len;
403           sign_data = os_malloc(sign_len);
404           if (sign_data == NULL)
405                     return -1;
406           pos = sign_data;
407           os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg));
408           pos += wpabuf_len(sign_msg);
409           os_memcpy(pos, nonce, nonce_len);
410           pos += nonce_len;
411           os_memcpy(pos, hash, prf->hash_len);
412 
413           /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */
414           if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1,
415                                  &key_pad, &key_pad_len, hash) < 0 ||
416               ikev2_prf_hash(prf->id, hash, prf->hash_len, 1,
417                                  (const u8 **) &sign_data, &sign_len, auth_data) < 0)
418           {
419                     os_free(sign_data);
420                     return -1;
421           }
422           os_free(sign_data);
423 
424           return 0;
425 }
426 
427 
ikev2_decrypt_payload(int encr_id,int integ_id,struct ikev2_keys * keys,int initiator,const struct ikev2_hdr * hdr,const u8 * encrypted,size_t encrypted_len,size_t * res_len)428 u8 * ikev2_decrypt_payload(int encr_id, int integ_id,
429                                  struct ikev2_keys *keys, int initiator,
430                                  const struct ikev2_hdr *hdr,
431                                  const u8 *encrypted, size_t encrypted_len,
432                                  size_t *res_len)
433 {
434           size_t iv_len;
435           const u8 *pos, *end, *iv, *integ;
436           u8 hash[IKEV2_MAX_HASH_LEN], *decrypted;
437           size_t decrypted_len, pad_len;
438           const struct ikev2_integ_alg *integ_alg;
439           const struct ikev2_encr_alg *encr_alg;
440           const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
441           const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
442 
443           if (encrypted == NULL) {
444                     wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH");
445                     return NULL;
446           }
447 
448           encr_alg = ikev2_get_encr(encr_id);
449           if (encr_alg == NULL) {
450                     wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
451                     return NULL;
452           }
453           iv_len = encr_alg->block_size;
454 
455           integ_alg = ikev2_get_integ(integ_id);
456           if (integ_alg == NULL) {
457                     wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
458                     return NULL;
459           }
460 
461           if (encrypted_len < iv_len + 1 + integ_alg->hash_len) {
462                     wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity "
463                                 "Checksum");
464                     return NULL;
465           }
466 
467           iv = encrypted;
468           pos = iv + iv_len;
469           end = encrypted + encrypted_len;
470           integ = end - integ_alg->hash_len;
471 
472           if (SK_a == NULL) {
473                     wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
474                     return NULL;
475           }
476           if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
477                                    (const u8 *) hdr,
478                                    integ - (const u8 *) hdr, hash) < 0) {
479                     wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity "
480                                  "hash");
481                     return NULL;
482           }
483           if (os_memcmp_const(integ, hash, integ_alg->hash_len) != 0) {
484                     wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum "
485                                  "Data");
486                     return NULL;
487           }
488 
489           if (SK_e == NULL) {
490                     wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
491                     return NULL;
492           }
493 
494           decrypted_len = integ - pos;
495           decrypted = os_malloc(decrypted_len);
496           if (decrypted == NULL)
497                     return NULL;
498 
499           if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos,
500                                      decrypted, decrypted_len) < 0) {
501                     os_free(decrypted);
502                     return NULL;
503           }
504 
505           pad_len = decrypted[decrypted_len - 1];
506           if (decrypted_len < pad_len + 1) {
507                     wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted "
508                                  "payload");
509                     os_free(decrypted);
510                     return NULL;
511           }
512 
513           decrypted_len -= pad_len + 1;
514 
515           *res_len = decrypted_len;
516           return decrypted;
517 }
518 
519 
ikev2_update_hdr(struct wpabuf * msg)520 void ikev2_update_hdr(struct wpabuf *msg)
521 {
522           struct ikev2_hdr *hdr;
523 
524           /* Update lenth field in HDR */
525           hdr = wpabuf_mhead(msg);
526           WPA_PUT_BE32(hdr->length, wpabuf_len(msg));
527 }
528 
529 
ikev2_build_encrypted(int encr_id,int integ_id,struct ikev2_keys * keys,int initiator,struct wpabuf * msg,struct wpabuf * plain,u8 next_payload)530 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys,
531                                 int initiator, struct wpabuf *msg,
532                                 struct wpabuf *plain, u8 next_payload)
533 {
534           struct ikev2_payload_hdr *phdr;
535           size_t plen;
536           size_t iv_len, pad_len;
537           u8 *icv, *iv;
538           const struct ikev2_integ_alg *integ_alg;
539           const struct ikev2_encr_alg *encr_alg;
540           const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er;
541           const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar;
542 
543           wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload");
544 
545           /* Encr - RFC 4306, Sect. 3.14 */
546 
547           encr_alg = ikev2_get_encr(encr_id);
548           if (encr_alg == NULL) {
549                     wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type");
550                     return -1;
551           }
552           iv_len = encr_alg->block_size;
553 
554           integ_alg = ikev2_get_integ(integ_id);
555           if (integ_alg == NULL) {
556                     wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type");
557                     return -1;
558           }
559 
560           if (SK_e == NULL) {
561                     wpa_printf(MSG_INFO, "IKEV2: No SK_e available");
562                     return -1;
563           }
564 
565           if (SK_a == NULL) {
566                     wpa_printf(MSG_INFO, "IKEV2: No SK_a available");
567                     return -1;
568           }
569 
570           phdr = wpabuf_put(msg, sizeof(*phdr));
571           phdr->next_payload = next_payload;
572           phdr->flags = 0;
573 
574           iv = wpabuf_put(msg, iv_len);
575           if (random_get_bytes(iv, iv_len)) {
576                     wpa_printf(MSG_INFO, "IKEV2: Could not generate IV");
577                     return -1;
578           }
579 
580           pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len;
581           if (pad_len == iv_len)
582                     pad_len = 0;
583           wpabuf_put(plain, pad_len);
584           wpabuf_put_u8(plain, pad_len);
585 
586           if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv,
587                                      wpabuf_head(plain), wpabuf_mhead(plain),
588                                      wpabuf_len(plain)) < 0)
589                     return -1;
590 
591           wpabuf_put_buf(msg, plain);
592 
593           /* Need to update all headers (Length fields) prior to hash func */
594           icv = wpabuf_put(msg, integ_alg->hash_len);
595           plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr;
596           WPA_PUT_BE16(phdr->payload_length, plen);
597 
598           ikev2_update_hdr(msg);
599 
600           return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len,
601                                         wpabuf_head(msg),
602                                         wpabuf_len(msg) - integ_alg->hash_len, icv);
603 
604           return 0;
605 }
606 
607 
ikev2_keys_set(struct ikev2_keys * keys)608 int ikev2_keys_set(struct ikev2_keys *keys)
609 {
610           return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei &&
611                     keys->SK_er && keys->SK_pi && keys->SK_pr;
612 }
613 
614 
ikev2_free_keys(struct ikev2_keys * keys)615 void ikev2_free_keys(struct ikev2_keys *keys)
616 {
617           os_free(keys->SK_d);
618           os_free(keys->SK_ai);
619           os_free(keys->SK_ar);
620           os_free(keys->SK_ei);
621           os_free(keys->SK_er);
622           os_free(keys->SK_pi);
623           os_free(keys->SK_pr);
624           keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er =
625                     keys->SK_pi = keys->SK_pr = NULL;
626 }
627 
628 
ikev2_derive_sk_keys(const struct ikev2_prf_alg * prf,const struct ikev2_integ_alg * integ,const struct ikev2_encr_alg * encr,const u8 * skeyseed,const u8 * data,size_t data_len,struct ikev2_keys * keys)629 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf,
630                                const struct ikev2_integ_alg *integ,
631                                const struct ikev2_encr_alg *encr,
632                                const u8 *skeyseed, const u8 *data, size_t data_len,
633                                struct ikev2_keys *keys)
634 {
635           u8 *keybuf, *pos;
636           size_t keybuf_len;
637 
638           /*
639            * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } =
640            *        prf+(SKEYSEED, Ni | Nr | SPIi | SPIr )
641            */
642           ikev2_free_keys(keys);
643           keys->SK_d_len = prf->key_len;
644           keys->SK_integ_len = integ->key_len;
645           keys->SK_encr_len = encr->key_len;
646           keys->SK_prf_len = prf->key_len;
647 
648           keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len +
649                     2 * keys->SK_encr_len + 2 * keys->SK_prf_len;
650           keybuf = os_malloc(keybuf_len);
651           if (keybuf == NULL)
652                     return -1;
653 
654           if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len,
655                                  data, data_len, keybuf, keybuf_len)) {
656                     os_free(keybuf);
657                     return -1;
658           }
659 
660           pos = keybuf;
661 
662           keys->SK_d = os_malloc(keys->SK_d_len);
663           if (keys->SK_d) {
664                     os_memcpy(keys->SK_d, pos, keys->SK_d_len);
665                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d",
666                                         keys->SK_d, keys->SK_d_len);
667           }
668           pos += keys->SK_d_len;
669 
670           keys->SK_ai = os_malloc(keys->SK_integ_len);
671           if (keys->SK_ai) {
672                     os_memcpy(keys->SK_ai, pos, keys->SK_integ_len);
673                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai",
674                                         keys->SK_ai, keys->SK_integ_len);
675           }
676           pos += keys->SK_integ_len;
677 
678           keys->SK_ar = os_malloc(keys->SK_integ_len);
679           if (keys->SK_ar) {
680                     os_memcpy(keys->SK_ar, pos, keys->SK_integ_len);
681                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar",
682                                         keys->SK_ar, keys->SK_integ_len);
683           }
684           pos += keys->SK_integ_len;
685 
686           keys->SK_ei = os_malloc(keys->SK_encr_len);
687           if (keys->SK_ei) {
688                     os_memcpy(keys->SK_ei, pos, keys->SK_encr_len);
689                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei",
690                                         keys->SK_ei, keys->SK_encr_len);
691           }
692           pos += keys->SK_encr_len;
693 
694           keys->SK_er = os_malloc(keys->SK_encr_len);
695           if (keys->SK_er) {
696                     os_memcpy(keys->SK_er, pos, keys->SK_encr_len);
697                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er",
698                                         keys->SK_er, keys->SK_encr_len);
699           }
700           pos += keys->SK_encr_len;
701 
702           keys->SK_pi = os_malloc(keys->SK_prf_len);
703           if (keys->SK_pi) {
704                     os_memcpy(keys->SK_pi, pos, keys->SK_prf_len);
705                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi",
706                                         keys->SK_pi, keys->SK_prf_len);
707           }
708           pos += keys->SK_prf_len;
709 
710           keys->SK_pr = os_malloc(keys->SK_prf_len);
711           if (keys->SK_pr) {
712                     os_memcpy(keys->SK_pr, pos, keys->SK_prf_len);
713                     wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr",
714                                         keys->SK_pr, keys->SK_prf_len);
715           }
716 
717           os_free(keybuf);
718 
719           if (!ikev2_keys_set(keys)) {
720                     ikev2_free_keys(keys);
721                     return -1;
722           }
723 
724           return 0;
725 }
726