}
other_id = this->ike_sa->get_other_id(this->ike_sa);
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
- auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
- this->msk, other_id, this->reserved);
+ if (!keymat->get_psk_sig(keymat, TRUE, init, nonce,
+ this->msk, other_id, this->reserved, &auth_data))
+ {
+ return FALSE;
+ }
recv_auth_data = auth_payload->get_data(auth_payload);
if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
{
/**
* Build AUTH payload
*/
-static void build_auth(private_eap_authenticator_t *this, message_t *message,
+static bool build_auth(private_eap_authenticator_t *this, message_t *message,
chunk_t nonce, chunk_t init)
{
auth_payload_t *auth_payload;
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
my_id, auth_class_names, AUTH_CLASS_EAP);
- auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce,
- this->msk, my_id, this->reserved);
+ if (!keymat->get_psk_sig(keymat, FALSE, init, nonce,
+ this->msk, my_id, this->reserved, &auth_data))
+ {
+ return FALSE;
+ }
auth_payload = auth_payload_create();
auth_payload->set_auth_method(auth_payload, AUTH_PSK);
auth_payload->set_data(auth_payload, auth_data);
message->add_payload(message, (payload_t*)auth_payload);
chunk_free(&auth_data);
+ return TRUE;
}
METHOD(authenticator_t, process_server, status_t,
}
return NEED_MORE;
}
- if (this->eap_complete && this->auth_complete)
+ if (this->eap_complete && this->auth_complete &&
+ build_auth(this, message, this->received_nonce, this->sent_init))
{
- build_auth(this, message, this->received_nonce, this->sent_init);
return SUCCESS;
}
return FAILED;
this->eap_payload = NULL;
return NEED_MORE;
}
- if (this->eap_complete)
+ if (this->eap_complete &&
+ build_auth(this, message, this->received_nonce, this->sent_init))
{
- build_auth(this, message, this->received_nonce, this->sent_init);
return NEED_MORE;
}
return NEED_MORE;
DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
return NOT_FOUND;
}
- auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
- this->nonce, key->get_key(key), my_id, this->reserved);
+ if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
+ key->get_key(key), my_id, this->reserved, &auth_data))
+ {
+ key->destroy(key);
+ return FAILED;
+ }
key->destroy(key);
DBG2(DBG_IKE, "successfully created shared key MAC");
auth_payload = auth_payload_create();
{
keys_found++;
- auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
- this->nonce, key->get_key(key), other_id, this->reserved);
+ if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce,
+ key->get_key(key), other_id, this->reserved, &auth_data))
+ {
+ continue;
+ }
if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
{
DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
#define IKEV2_KEY_PAD "Key Pad for IKEv2"
#define IKEV2_KEY_PAD_LENGTH 17
-METHOD(keymat_v2_t, get_psk_sig, chunk_t,
- private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
+METHOD(keymat_v2_t, get_psk_sig, bool,
+ private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+ chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
{
- chunk_t key_pad, key, sig, octets;
+ chunk_t key_pad, key, octets;
if (!secret.len)
{ /* EAP uses SK_p if no MSK has been established */
this->prf->set_key(this->prf, secret);
this->prf->allocate_bytes(this->prf, key_pad, &key);
this->prf->set_key(this->prf, key);
- this->prf->allocate_bytes(this->prf, octets, &sig);
+ this->prf->allocate_bytes(this->prf, octets, sig);
DBG4(DBG_IKE, "secret %B", &secret);
DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
- DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
+ DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
chunk_free(&octets);
chunk_free(&key);
- return sig;
+ return TRUE;
}
METHOD(keymat_t, destroy, void,
* @param secret optional secret to include into signature
* @param id identity
* @param reserved reserved bytes of id_payload
- * @return signature octets
+ * @param sign chunk receiving allocated signature octets
+ * @return TRUE if signature created successfully
*/
- chunk_t (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t secret,
- identification_t *id, char reserved[3]);
+ bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+ chunk_t nonce, chunk_t secret,
+ identification_t *id, char reserved[3], chunk_t *sig);
};
/**
projects / thirdparty / strongswan.git / commitdiff
