1 /* 2 * IKEv2 common routines for initiator and responder 3 * Copyright (c) 2007, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 11 #include "common.h" 12 #include "crypto/crypto.h" 13 #include "crypto/md5.h" 14 #include "crypto/sha1.h" 15 #include "crypto/random.h" 16 #include "ikev2_common.h" 17 18 19 static struct ikev2_integ_alg ikev2_integ_algs[] = { 20 { AUTH_HMAC_SHA1_96, 20, 12 }, 21 { AUTH_HMAC_MD5_96, 16, 12 } 22 }; 23 24 #define NUM_INTEG_ALGS (sizeof(ikev2_integ_algs) / sizeof(ikev2_integ_algs[0])) 25 26 27 static struct ikev2_prf_alg ikev2_prf_algs[] = { 28 { PRF_HMAC_SHA1, 20, 20 }, 29 { PRF_HMAC_MD5, 16, 16 } 30 }; 31 32 #define NUM_PRF_ALGS (sizeof(ikev2_prf_algs) / sizeof(ikev2_prf_algs[0])) 33 34 35 static struct ikev2_encr_alg ikev2_encr_algs[] = { 36 { ENCR_AES_CBC, 16, 16 }, /* only 128-bit keys supported for now */ 37 { ENCR_3DES, 24, 8 } 38 }; 39 40 #define NUM_ENCR_ALGS (sizeof(ikev2_encr_algs) / sizeof(ikev2_encr_algs[0])) 41 42 43 const struct ikev2_integ_alg * ikev2_get_integ(int id) 44 { 45 size_t i; 46 47 for (i = 0; i < NUM_INTEG_ALGS; i++) { 48 if (ikev2_integ_algs[i].id == id) 49 return &ikev2_integ_algs[i]; 50 } 51 52 return NULL; 53 } 54 55 56 int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data, 57 size_t data_len, u8 *hash) 58 { 59 u8 tmphash[IKEV2_MAX_HASH_LEN]; 60 61 switch (alg) { 62 case AUTH_HMAC_SHA1_96: 63 if (key_len != 20) 64 return -1; 65 hmac_sha1(key, key_len, data, data_len, tmphash); 66 os_memcpy(hash, tmphash, 12); 67 break; 68 case AUTH_HMAC_MD5_96: 69 if (key_len != 16) 70 return -1; 71 hmac_md5(key, key_len, data, data_len, tmphash); 72 os_memcpy(hash, tmphash, 12); 73 break; 74 default: 75 return -1; 76 } 77 78 return 0; 79 } 80 81 82 const struct ikev2_prf_alg * ikev2_get_prf(int id) 83 { 84 size_t i; 85 86 for (i = 0; i < NUM_PRF_ALGS; i++) { 87 if (ikev2_prf_algs[i].id == id) 88 return &ikev2_prf_algs[i]; 89 } 90 91 return NULL; 92 } 93 94 95 int ikev2_prf_hash(int alg, const u8 *key, size_t key_len, 96 size_t num_elem, const u8 *addr[], const size_t *len, 97 u8 *hash) 98 { 99 switch (alg) { 100 case PRF_HMAC_SHA1: 101 hmac_sha1_vector(key, key_len, num_elem, addr, len, hash); 102 break; 103 case PRF_HMAC_MD5: 104 hmac_md5_vector(key, key_len, num_elem, addr, len, hash); 105 break; 106 default: 107 return -1; 108 } 109 110 return 0; 111 } 112 113 114 int ikev2_prf_plus(int alg, const u8 *key, size_t key_len, 115 const u8 *data, size_t data_len, 116 u8 *out, size_t out_len) 117 { 118 u8 hash[IKEV2_MAX_HASH_LEN]; 119 size_t hash_len; 120 u8 iter, *pos, *end; 121 const u8 *addr[3]; 122 size_t len[3]; 123 const struct ikev2_prf_alg *prf; 124 int res; 125 126 prf = ikev2_get_prf(alg); 127 if (prf == NULL) 128 return -1; 129 hash_len = prf->hash_len; 130 131 addr[0] = hash; 132 len[0] = hash_len; 133 addr[1] = data; 134 len[1] = data_len; 135 addr[2] = &iter; 136 len[2] = 1; 137 138 pos = out; 139 end = out + out_len; 140 iter = 1; 141 while (pos < end) { 142 size_t clen; 143 if (iter == 1) 144 res = ikev2_prf_hash(alg, key, key_len, 2, &addr[1], 145 &len[1], hash); 146 else 147 res = ikev2_prf_hash(alg, key, key_len, 3, addr, len, 148 hash); 149 if (res < 0) 150 return -1; 151 clen = hash_len; 152 if ((int) clen > end - pos) 153 clen = end - pos; 154 os_memcpy(pos, hash, clen); 155 pos += clen; 156 iter++; 157 } 158 159 return 0; 160 } 161 162 163 const struct ikev2_encr_alg * ikev2_get_encr(int id) 164 { 165 size_t i; 166 167 for (i = 0; i < NUM_ENCR_ALGS; i++) { 168 if (ikev2_encr_algs[i].id == id) 169 return &ikev2_encr_algs[i]; 170 } 171 172 return NULL; 173 } 174 175 176 #ifdef CCNS_PL 177 /* from des.c */ 178 struct des3_key_s { 179 u32 ek[3][32]; 180 u32 dk[3][32]; 181 }; 182 183 void des3_key_setup(const u8 *key, struct des3_key_s *dkey); 184 void des3_encrypt(const u8 *plain, const struct des3_key_s *key, u8 *crypt); 185 void des3_decrypt(const u8 *crypt, const struct des3_key_s *key, u8 *plain); 186 #endif /* CCNS_PL */ 187 188 189 int ikev2_encr_encrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, 190 const u8 *plain, u8 *crypt, size_t len) 191 { 192 struct crypto_cipher *cipher; 193 int encr_alg; 194 195 #ifdef CCNS_PL 196 if (alg == ENCR_3DES) { 197 struct des3_key_s des3key; 198 size_t i, blocks; 199 u8 *pos; 200 201 /* ECB mode is used incorrectly for 3DES!? */ 202 if (key_len != 24) { 203 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length"); 204 return -1; 205 } 206 des3_key_setup(key, &des3key); 207 208 blocks = len / 8; 209 pos = crypt; 210 for (i = 0; i < blocks; i++) { 211 des3_encrypt(pos, &des3key, pos); 212 pos += 8; 213 } 214 } else { 215 #endif /* CCNS_PL */ 216 switch (alg) { 217 case ENCR_3DES: 218 encr_alg = CRYPTO_CIPHER_ALG_3DES; 219 break; 220 case ENCR_AES_CBC: 221 encr_alg = CRYPTO_CIPHER_ALG_AES; 222 break; 223 default: 224 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); 225 return -1; 226 } 227 228 cipher = crypto_cipher_init(encr_alg, iv, key, key_len); 229 if (cipher == NULL) { 230 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); 231 return -1; 232 } 233 234 if (crypto_cipher_encrypt(cipher, plain, crypt, len) < 0) { 235 wpa_printf(MSG_INFO, "IKEV2: Encryption failed"); 236 crypto_cipher_deinit(cipher); 237 return -1; 238 } 239 crypto_cipher_deinit(cipher); 240 #ifdef CCNS_PL 241 } 242 #endif /* CCNS_PL */ 243 244 return 0; 245 } 246 247 248 int ikev2_encr_decrypt(int alg, const u8 *key, size_t key_len, const u8 *iv, 249 const u8 *crypt, u8 *plain, size_t len) 250 { 251 struct crypto_cipher *cipher; 252 int encr_alg; 253 254 #ifdef CCNS_PL 255 if (alg == ENCR_3DES) { 256 struct des3_key_s des3key; 257 size_t i, blocks; 258 259 /* ECB mode is used incorrectly for 3DES!? */ 260 if (key_len != 24) { 261 wpa_printf(MSG_INFO, "IKEV2: Invalid encr key length"); 262 return -1; 263 } 264 des3_key_setup(key, &des3key); 265 266 if (len % 8) { 267 wpa_printf(MSG_INFO, "IKEV2: Invalid encrypted " 268 "length"); 269 return -1; 270 } 271 blocks = len / 8; 272 for (i = 0; i < blocks; i++) { 273 des3_decrypt(crypt, &des3key, plain); 274 plain += 8; 275 crypt += 8; 276 } 277 } else { 278 #endif /* CCNS_PL */ 279 switch (alg) { 280 case ENCR_3DES: 281 encr_alg = CRYPTO_CIPHER_ALG_3DES; 282 break; 283 case ENCR_AES_CBC: 284 encr_alg = CRYPTO_CIPHER_ALG_AES; 285 break; 286 default: 287 wpa_printf(MSG_DEBUG, "IKEV2: Unsupported encr alg %d", alg); 288 return -1; 289 } 290 291 cipher = crypto_cipher_init(encr_alg, iv, key, key_len); 292 if (cipher == NULL) { 293 wpa_printf(MSG_INFO, "IKEV2: Failed to initialize cipher"); 294 return -1; 295 } 296 297 if (crypto_cipher_decrypt(cipher, crypt, plain, len) < 0) { 298 wpa_printf(MSG_INFO, "IKEV2: Decryption failed"); 299 crypto_cipher_deinit(cipher); 300 return -1; 301 } 302 crypto_cipher_deinit(cipher); 303 #ifdef CCNS_PL 304 } 305 #endif /* CCNS_PL */ 306 307 return 0; 308 } 309 310 311 int ikev2_parse_payloads(struct ikev2_payloads *payloads, 312 u8 next_payload, const u8 *pos, const u8 *end) 313 { 314 const struct ikev2_payload_hdr *phdr; 315 316 os_memset(payloads, 0, sizeof(*payloads)); 317 318 while (next_payload != IKEV2_PAYLOAD_NO_NEXT_PAYLOAD) { 319 int plen, pdatalen; 320 const u8 *pdata; 321 wpa_printf(MSG_DEBUG, "IKEV2: Processing payload %u", 322 next_payload); 323 if (end - pos < (int) sizeof(*phdr)) { 324 wpa_printf(MSG_INFO, "IKEV2: Too short message for " 325 "payload header (left=%ld)", 326 (long) (end - pos)); 327 } 328 phdr = (const struct ikev2_payload_hdr *) pos; 329 plen = WPA_GET_BE16(phdr->payload_length); 330 if (plen < (int) sizeof(*phdr) || pos + plen > end) { 331 wpa_printf(MSG_INFO, "IKEV2: Invalid payload header " 332 "length %d", plen); 333 return -1; 334 } 335 336 wpa_printf(MSG_DEBUG, "IKEV2: Next Payload: %u Flags: 0x%x" 337 " Payload Length: %d", 338 phdr->next_payload, phdr->flags, plen); 339 340 pdata = (const u8 *) (phdr + 1); 341 pdatalen = plen - sizeof(*phdr); 342 343 switch (next_payload) { 344 case IKEV2_PAYLOAD_SA: 345 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Security " 346 "Association"); 347 payloads->sa = pdata; 348 payloads->sa_len = pdatalen; 349 break; 350 case IKEV2_PAYLOAD_KEY_EXCHANGE: 351 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Key " 352 "Exchange"); 353 payloads->ke = pdata; 354 payloads->ke_len = pdatalen; 355 break; 356 case IKEV2_PAYLOAD_IDi: 357 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDi"); 358 payloads->idi = pdata; 359 payloads->idi_len = pdatalen; 360 break; 361 case IKEV2_PAYLOAD_IDr: 362 wpa_printf(MSG_DEBUG, "IKEV2: Payload: IDr"); 363 payloads->idr = pdata; 364 payloads->idr_len = pdatalen; 365 break; 366 case IKEV2_PAYLOAD_CERTIFICATE: 367 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Certificate"); 368 payloads->cert = pdata; 369 payloads->cert_len = pdatalen; 370 break; 371 case IKEV2_PAYLOAD_AUTHENTICATION: 372 wpa_printf(MSG_DEBUG, "IKEV2: Payload: " 373 "Authentication"); 374 payloads->auth = pdata; 375 payloads->auth_len = pdatalen; 376 break; 377 case IKEV2_PAYLOAD_NONCE: 378 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Nonce"); 379 payloads->nonce = pdata; 380 payloads->nonce_len = pdatalen; 381 break; 382 case IKEV2_PAYLOAD_ENCRYPTED: 383 wpa_printf(MSG_DEBUG, "IKEV2: Payload: Encrypted"); 384 payloads->encrypted = pdata; 385 payloads->encrypted_len = pdatalen; 386 break; 387 case IKEV2_PAYLOAD_NOTIFICATION: 388 wpa_printf(MSG_DEBUG, "IKEV2: Payload: " 389 "Notification"); 390 payloads->notification = pdata; 391 payloads->notification_len = pdatalen; 392 break; 393 default: 394 if (phdr->flags & IKEV2_PAYLOAD_FLAGS_CRITICAL) { 395 wpa_printf(MSG_INFO, "IKEV2: Unsupported " 396 "critical payload %u - reject the " 397 "entire message", next_payload); 398 return -1; 399 } else { 400 wpa_printf(MSG_DEBUG, "IKEV2: Skipped " 401 "unsupported payload %u", 402 next_payload); 403 } 404 } 405 406 if (next_payload == IKEV2_PAYLOAD_ENCRYPTED && 407 pos + plen == end) { 408 /* 409 * Next Payload in the case of Encrypted Payload is 410 * actually the payload type for the first embedded 411 * payload. 412 */ 413 payloads->encr_next_payload = phdr->next_payload; 414 next_payload = IKEV2_PAYLOAD_NO_NEXT_PAYLOAD; 415 } else 416 next_payload = phdr->next_payload; 417 418 pos += plen; 419 } 420 421 if (pos != end) { 422 wpa_printf(MSG_INFO, "IKEV2: Unexpected extra data after " 423 "payloads"); 424 return -1; 425 } 426 427 return 0; 428 } 429 430 431 int ikev2_derive_auth_data(int prf_alg, const struct wpabuf *sign_msg, 432 const u8 *ID, size_t ID_len, u8 ID_type, 433 struct ikev2_keys *keys, int initiator, 434 const u8 *shared_secret, size_t shared_secret_len, 435 const u8 *nonce, size_t nonce_len, 436 const u8 *key_pad, size_t key_pad_len, 437 u8 *auth_data) 438 { 439 size_t sign_len, buf_len; 440 u8 *sign_data, *pos, *buf, hash[IKEV2_MAX_HASH_LEN]; 441 const struct ikev2_prf_alg *prf; 442 const u8 *SK_p = initiator ? keys->SK_pi : keys->SK_pr; 443 444 prf = ikev2_get_prf(prf_alg); 445 if (sign_msg == NULL || ID == NULL || SK_p == NULL || 446 shared_secret == NULL || nonce == NULL || prf == NULL) 447 return -1; 448 449 /* prf(SK_pi/r,IDi/r') */ 450 buf_len = 4 + ID_len; 451 buf = os_zalloc(buf_len); 452 if (buf == NULL) 453 return -1; 454 buf[0] = ID_type; 455 os_memcpy(buf + 4, ID, ID_len); 456 if (ikev2_prf_hash(prf->id, SK_p, keys->SK_prf_len, 457 1, (const u8 **) &buf, &buf_len, hash) < 0) { 458 os_free(buf); 459 return -1; 460 } 461 os_free(buf); 462 463 /* sign_data = msg | Nr/i | prf(SK_pi/r,IDi/r') */ 464 sign_len = wpabuf_len(sign_msg) + nonce_len + prf->hash_len; 465 sign_data = os_malloc(sign_len); 466 if (sign_data == NULL) 467 return -1; 468 pos = sign_data; 469 os_memcpy(pos, wpabuf_head(sign_msg), wpabuf_len(sign_msg)); 470 pos += wpabuf_len(sign_msg); 471 os_memcpy(pos, nonce, nonce_len); 472 pos += nonce_len; 473 os_memcpy(pos, hash, prf->hash_len); 474 475 /* AUTH = prf(prf(Shared Secret, key pad, sign_data) */ 476 if (ikev2_prf_hash(prf->id, shared_secret, shared_secret_len, 1, 477 &key_pad, &key_pad_len, hash) < 0 || 478 ikev2_prf_hash(prf->id, hash, prf->hash_len, 1, 479 (const u8 **) &sign_data, &sign_len, auth_data) < 0) 480 { 481 os_free(sign_data); 482 return -1; 483 } 484 os_free(sign_data); 485 486 return 0; 487 } 488 489 490 u8 * ikev2_decrypt_payload(int encr_id, int integ_id, 491 struct ikev2_keys *keys, int initiator, 492 const struct ikev2_hdr *hdr, 493 const u8 *encrypted, size_t encrypted_len, 494 size_t *res_len) 495 { 496 size_t iv_len; 497 const u8 *pos, *end, *iv, *integ; 498 u8 hash[IKEV2_MAX_HASH_LEN], *decrypted; 499 size_t decrypted_len, pad_len; 500 const struct ikev2_integ_alg *integ_alg; 501 const struct ikev2_encr_alg *encr_alg; 502 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er; 503 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar; 504 505 if (encrypted == NULL) { 506 wpa_printf(MSG_INFO, "IKEV2: No Encrypted payload in SA_AUTH"); 507 return NULL; 508 } 509 510 encr_alg = ikev2_get_encr(encr_id); 511 if (encr_alg == NULL) { 512 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type"); 513 return NULL; 514 } 515 iv_len = encr_alg->block_size; 516 517 integ_alg = ikev2_get_integ(integ_id); 518 if (integ_alg == NULL) { 519 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type"); 520 return NULL; 521 } 522 523 if (encrypted_len < iv_len + 1 + integ_alg->hash_len) { 524 wpa_printf(MSG_INFO, "IKEV2: No room for IV or Integrity " 525 "Checksum"); 526 return NULL; 527 } 528 529 iv = encrypted; 530 pos = iv + iv_len; 531 end = encrypted + encrypted_len; 532 integ = end - integ_alg->hash_len; 533 534 if (SK_a == NULL) { 535 wpa_printf(MSG_INFO, "IKEV2: No SK_a available"); 536 return NULL; 537 } 538 if (ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len, 539 (const u8 *) hdr, 540 integ - (const u8 *) hdr, hash) < 0) { 541 wpa_printf(MSG_INFO, "IKEV2: Failed to calculate integrity " 542 "hash"); 543 return NULL; 544 } 545 if (os_memcmp(integ, hash, integ_alg->hash_len) != 0) { 546 wpa_printf(MSG_INFO, "IKEV2: Incorrect Integrity Checksum " 547 "Data"); 548 return NULL; 549 } 550 551 if (SK_e == NULL) { 552 wpa_printf(MSG_INFO, "IKEV2: No SK_e available"); 553 return NULL; 554 } 555 556 decrypted_len = integ - pos; 557 decrypted = os_malloc(decrypted_len); 558 if (decrypted == NULL) 559 return NULL; 560 561 if (ikev2_encr_decrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, pos, 562 decrypted, decrypted_len) < 0) { 563 os_free(decrypted); 564 return NULL; 565 } 566 567 pad_len = decrypted[decrypted_len - 1]; 568 if (decrypted_len < pad_len + 1) { 569 wpa_printf(MSG_INFO, "IKEV2: Invalid padding in encrypted " 570 "payload"); 571 os_free(decrypted); 572 return NULL; 573 } 574 575 decrypted_len -= pad_len + 1; 576 577 *res_len = decrypted_len; 578 return decrypted; 579 } 580 581 582 void ikev2_update_hdr(struct wpabuf *msg) 583 { 584 struct ikev2_hdr *hdr; 585 586 /* Update lenth field in HDR */ 587 hdr = wpabuf_mhead(msg); 588 WPA_PUT_BE32(hdr->length, wpabuf_len(msg)); 589 } 590 591 592 int ikev2_build_encrypted(int encr_id, int integ_id, struct ikev2_keys *keys, 593 int initiator, struct wpabuf *msg, 594 struct wpabuf *plain, u8 next_payload) 595 { 596 struct ikev2_payload_hdr *phdr; 597 size_t plen; 598 size_t iv_len, pad_len; 599 u8 *icv, *iv; 600 const struct ikev2_integ_alg *integ_alg; 601 const struct ikev2_encr_alg *encr_alg; 602 const u8 *SK_e = initiator ? keys->SK_ei : keys->SK_er; 603 const u8 *SK_a = initiator ? keys->SK_ai : keys->SK_ar; 604 605 wpa_printf(MSG_DEBUG, "IKEV2: Adding Encrypted payload"); 606 607 /* Encr - RFC 4306, Sect. 3.14 */ 608 609 encr_alg = ikev2_get_encr(encr_id); 610 if (encr_alg == NULL) { 611 wpa_printf(MSG_INFO, "IKEV2: Unsupported encryption type"); 612 return -1; 613 } 614 iv_len = encr_alg->block_size; 615 616 integ_alg = ikev2_get_integ(integ_id); 617 if (integ_alg == NULL) { 618 wpa_printf(MSG_INFO, "IKEV2: Unsupported intergrity type"); 619 return -1; 620 } 621 622 if (SK_e == NULL) { 623 wpa_printf(MSG_INFO, "IKEV2: No SK_e available"); 624 return -1; 625 } 626 627 if (SK_a == NULL) { 628 wpa_printf(MSG_INFO, "IKEV2: No SK_a available"); 629 return -1; 630 } 631 632 phdr = wpabuf_put(msg, sizeof(*phdr)); 633 phdr->next_payload = next_payload; 634 phdr->flags = 0; 635 636 iv = wpabuf_put(msg, iv_len); 637 if (random_get_bytes(iv, iv_len)) { 638 wpa_printf(MSG_INFO, "IKEV2: Could not generate IV"); 639 return -1; 640 } 641 642 pad_len = iv_len - (wpabuf_len(plain) + 1) % iv_len; 643 if (pad_len == iv_len) 644 pad_len = 0; 645 wpabuf_put(plain, pad_len); 646 wpabuf_put_u8(plain, pad_len); 647 648 if (ikev2_encr_encrypt(encr_alg->id, SK_e, keys->SK_encr_len, iv, 649 wpabuf_head(plain), wpabuf_mhead(plain), 650 wpabuf_len(plain)) < 0) 651 return -1; 652 653 wpabuf_put_buf(msg, plain); 654 655 /* Need to update all headers (Length fields) prior to hash func */ 656 icv = wpabuf_put(msg, integ_alg->hash_len); 657 plen = (u8 *) wpabuf_put(msg, 0) - (u8 *) phdr; 658 WPA_PUT_BE16(phdr->payload_length, plen); 659 660 ikev2_update_hdr(msg); 661 662 return ikev2_integ_hash(integ_id, SK_a, keys->SK_integ_len, 663 wpabuf_head(msg), 664 wpabuf_len(msg) - integ_alg->hash_len, icv); 665 666 return 0; 667 } 668 669 670 int ikev2_keys_set(struct ikev2_keys *keys) 671 { 672 return keys->SK_d && keys->SK_ai && keys->SK_ar && keys->SK_ei && 673 keys->SK_er && keys->SK_pi && keys->SK_pr; 674 } 675 676 677 void ikev2_free_keys(struct ikev2_keys *keys) 678 { 679 os_free(keys->SK_d); 680 os_free(keys->SK_ai); 681 os_free(keys->SK_ar); 682 os_free(keys->SK_ei); 683 os_free(keys->SK_er); 684 os_free(keys->SK_pi); 685 os_free(keys->SK_pr); 686 keys->SK_d = keys->SK_ai = keys->SK_ar = keys->SK_ei = keys->SK_er = 687 keys->SK_pi = keys->SK_pr = NULL; 688 } 689 690 691 int ikev2_derive_sk_keys(const struct ikev2_prf_alg *prf, 692 const struct ikev2_integ_alg *integ, 693 const struct ikev2_encr_alg *encr, 694 const u8 *skeyseed, const u8 *data, size_t data_len, 695 struct ikev2_keys *keys) 696 { 697 u8 *keybuf, *pos; 698 size_t keybuf_len; 699 700 /* 701 * {SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr } = 702 * prf+(SKEYSEED, Ni | Nr | SPIi | SPIr ) 703 */ 704 ikev2_free_keys(keys); 705 keys->SK_d_len = prf->key_len; 706 keys->SK_integ_len = integ->key_len; 707 keys->SK_encr_len = encr->key_len; 708 keys->SK_prf_len = prf->key_len; 709 #ifdef CCNS_PL 710 /* Uses encryption key length for SK_d; should be PRF length */ 711 keys->SK_d_len = keys->SK_encr_len; 712 #endif /* CCNS_PL */ 713 714 keybuf_len = keys->SK_d_len + 2 * keys->SK_integ_len + 715 2 * keys->SK_encr_len + 2 * keys->SK_prf_len; 716 keybuf = os_malloc(keybuf_len); 717 if (keybuf == NULL) 718 return -1; 719 720 if (ikev2_prf_plus(prf->id, skeyseed, prf->hash_len, 721 data, data_len, keybuf, keybuf_len)) { 722 os_free(keybuf); 723 return -1; 724 } 725 726 pos = keybuf; 727 728 keys->SK_d = os_malloc(keys->SK_d_len); 729 if (keys->SK_d) { 730 os_memcpy(keys->SK_d, pos, keys->SK_d_len); 731 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_d", 732 keys->SK_d, keys->SK_d_len); 733 } 734 pos += keys->SK_d_len; 735 736 keys->SK_ai = os_malloc(keys->SK_integ_len); 737 if (keys->SK_ai) { 738 os_memcpy(keys->SK_ai, pos, keys->SK_integ_len); 739 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ai", 740 keys->SK_ai, keys->SK_integ_len); 741 } 742 pos += keys->SK_integ_len; 743 744 keys->SK_ar = os_malloc(keys->SK_integ_len); 745 if (keys->SK_ar) { 746 os_memcpy(keys->SK_ar, pos, keys->SK_integ_len); 747 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ar", 748 keys->SK_ar, keys->SK_integ_len); 749 } 750 pos += keys->SK_integ_len; 751 752 keys->SK_ei = os_malloc(keys->SK_encr_len); 753 if (keys->SK_ei) { 754 os_memcpy(keys->SK_ei, pos, keys->SK_encr_len); 755 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_ei", 756 keys->SK_ei, keys->SK_encr_len); 757 } 758 pos += keys->SK_encr_len; 759 760 keys->SK_er = os_malloc(keys->SK_encr_len); 761 if (keys->SK_er) { 762 os_memcpy(keys->SK_er, pos, keys->SK_encr_len); 763 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_er", 764 keys->SK_er, keys->SK_encr_len); 765 } 766 pos += keys->SK_encr_len; 767 768 keys->SK_pi = os_malloc(keys->SK_prf_len); 769 if (keys->SK_pi) { 770 os_memcpy(keys->SK_pi, pos, keys->SK_prf_len); 771 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pi", 772 keys->SK_pi, keys->SK_prf_len); 773 } 774 pos += keys->SK_prf_len; 775 776 keys->SK_pr = os_malloc(keys->SK_prf_len); 777 if (keys->SK_pr) { 778 os_memcpy(keys->SK_pr, pos, keys->SK_prf_len); 779 wpa_hexdump_key(MSG_DEBUG, "IKEV2: SK_pr", 780 keys->SK_pr, keys->SK_prf_len); 781 } 782 783 os_free(keybuf); 784 785 if (!ikev2_keys_set(keys)) { 786 ikev2_free_keys(keys); 787 return -1; 788 } 789 790 return 0; 791 } 792
