/*
+ * Copyright (C) 2018 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
* Reserved bytes of ID payload
*/
char reserved[3];
+
+ /**
+ * PPK to use
+ */
+ chunk_t ppk;
+
+ /**
+ * Add a NO_PPK_AUTH notify
+ */
+ bool no_ppk_auth;
};
METHOD(authenticator_t, build, status_t,
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
my_id, auth_method_names, AUTH_PSK);
key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id);
- if (key == NULL)
+ if (!key)
{
DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
return NOT_FOUND;
}
if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
- key->get_key(key), chunk_empty, my_id,
+ key->get_key(key), this->ppk, my_id,
this->reserved, &auth_data))
{
key->destroy(key);
return FAILED;
}
- key->destroy(key);
+
DBG2(DBG_IKE, "successfully created shared key MAC");
auth_payload = auth_payload_create();
auth_payload->set_auth_method(auth_payload, AUTH_PSK);
chunk_free(&auth_data);
message->add_payload(message, (payload_t*)auth_payload);
+ if (this->no_ppk_auth)
+ {
+ if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
+ key->get_key(key), chunk_empty, my_id,
+ this->reserved, &auth_data))
+ {
+ DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify");
+ key->destroy(key);
+ return SUCCESS;
+ }
+ DBG2(DBG_IKE, "successfully created shared key MAC without PPK");
+ message->add_notify(message, FALSE, NO_PPK_AUTH, auth_data);
+ chunk_free(&auth_data);
+ }
+ key->destroy(key);
return SUCCESS;
}
chunk_t auth_data, recv_auth_data;
identification_t *my_id, *other_id;
auth_payload_t *auth_payload;
+ notify_payload_t *notify;
auth_cfg_t *auth;
shared_key_t *key;
enumerator_t *enumerator;
{
return FAILED;
}
- keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
recv_auth_data = auth_payload->get_data(auth_payload);
+
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_PPK) &&
+ !this->ppk.ptr)
+ { /* look for a NO_PPK_AUTH notify if we have no PPK */
+ notify = message->get_notify(message, NO_PPK_AUTH);
+ if (notify)
+ {
+ DBG1(DBG_IKE, "no PPK available, using NO_PPK_AUTH notify");
+ recv_auth_data = notify->get_notification_data(notify);
+ }
+ }
+
+ keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
my_id = this->ike_sa->get_my_id(this->ike_sa);
other_id = this->ike_sa->get_other_id(this->ike_sa);
enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
keys_found++;
if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce,
- key->get_key(key), chunk_empty, other_id,
+ key->get_key(key), this->ppk, other_id,
this->reserved, &auth_data))
{
continue;
return SUCCESS;
}
+METHOD(authenticator_t, use_ppk, void,
+ private_psk_authenticator_t *this, chunk_t ppk, bool no_ppk_auth)
+{
+ this->ppk = ppk;
+ this->no_ppk_auth = no_ppk_auth;
+}
+
METHOD(authenticator_t, destroy, void,
private_psk_authenticator_t *this)
{
.authenticator = {
.build = _build,
.process = (void*)return_failed,
+ .use_ppk = _use_ppk,
.is_mutual = (void*)return_false,
.destroy = _destroy,
},
.authenticator = {
.build = (void*)return_failed,
.process = _process,
+ .use_ppk = _use_ppk,
.is_mutual = (void*)return_false,
.destroy = _destroy,
},
projects / thirdparty / strongswan.git / commitdiff
