METHOD(keymat_v2_t, get_auth_octets, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
- chunk_t *octets, array_t *schemes)
+ chunk_t nonce, chunk_t int_auth, chunk_t ppk, identification_t *id,
+ char reserved[3], chunk_t *octets, array_t *schemes)
{
sign_info_t *sign;
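Review bot: The new `int_auth` argument of the TKM `get_auth_octets` is not visibly consumed in this hunk, and the method body continues outside it, so it is unclear whether the value is used at all. If the TKM path cannot fold IntAuth into the data it signs or verifies, a non-empty value should be rejected rather than silently dropped, for example `if (int_auth.len) { return FALSE; }` at the top of the method. Otherwise an IKE_SA that used IKE_INTERMEDIATE could complete authentication without those messages being covered.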
METHOD(keymat_v2_t, get_psk_sig, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
- chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3],
- chunk_t *sig)
+ chunk_t int_auth, chunk_t secret, chunk_t ppk, identification_t *id,
+ char reserved[3], chunk_t *sig)
{
return FALSE;
}
}
keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init, this->nonce,
- chunk_empty, this->id, this->reserved,
- &octets, NULL))
+ chunk_empty, chunk_empty, this->id,
+ this->reserved, &octets, NULL))
{
private->destroy(private);
return FALSE;
}
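Review bot: The `get_auth_octets` call here passes `chunk_empty` for the new `int_auth` argument, and so does every later `get_auth_octets` and `get_psk_sig` call in this diff, so the AUTH payload still does not cover any IKE_INTERMEDIATE exchange. That wiring is presumably left to a follow-up change. Until then each site could carry a marker such as `/* TODO: pass collected IntAuth once IKE_INTERMEDIATE is tracked */`, and it is worth confirming that IKE_INTERMEDIATE cannot be negotiated while the value is still empty. The enclosing function starts and ends outside this hunk.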
keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init, this->nonce,
- chunk_empty, id, reserved, &octets, NULL))
+ chunk_empty, chunk_empty, id, reserved,
+ &octets, NULL))
{
private->destroy(private);
id->destroy(id);
other_id = this->ike_sa->get_other_id(this->ike_sa);
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
- if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, this->msk, this->ppk,
- other_id, this->reserved, &auth_data))
+ if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, chunk_empty, this->msk,
+ this->ppk, other_id, this->reserved, &auth_data))
{
return FALSE;
}
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
my_id, auth_class_names, AUTH_CLASS_EAP);
- if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, this->ppk,
- my_id, this->reserved, &auth_data))
+ if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty, this->msk,
+ this->ppk, my_id, this->reserved, &auth_data))
{
return FALSE;
}
if (this->no_ppk_auth)
{
- if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk,
- chunk_empty, my_id, this->reserved, &auth_data))
+ if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty,
+ this->msk, chunk_empty, my_id, this->reserved,
+ &auth_data))
{
DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify");
return FALSE;
return NOT_FOUND;
}
if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
- key->get_key(key), this->ppk, my_id,
- this->reserved, &auth_data))
+ chunk_empty, key->get_key(key), this->ppk,
+ my_id, this->reserved, &auth_data))
{
key->destroy(key);
return FAILED;
if (this->no_ppk_auth)
{
if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
- key->get_key(key), chunk_empty, my_id,
- this->reserved, &auth_data))
+ chunk_empty, key->get_key(key), chunk_empty,
+ my_id, this->reserved, &auth_data))
{
DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify");
key->destroy(key);
keys_found++;
if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce,
- key->get_key(key), this->ppk, other_id,
- this->reserved, &auth_data))
+ chunk_empty, key->get_key(key), this->ppk,
+ other_id, this->reserved, &auth_data))
{
continue;
}
}
if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, this->nonce,
- this->ppk, id, this->reserved, &octets, schemes))
+ chunk_empty, this->ppk, id, this->reserved,
+ &octets, schemes))
{
enumerator = array_create_enumerator(schemes);
while (enumerator->enumerate(enumerator, ¶ms))
chunk_free(&octets);
if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
- this->nonce, chunk_empty, id,
- this->reserved, &octets, schemes) &&
+ this->nonce, chunk_empty,
+ chunk_empty, id, this->reserved,
+ &octets, schemes) &&
private->sign(private, params->scheme, params->params,
octets, &auth_data) &&
build_signature_auth_data(&auth_data, params))
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
- ppk, id, this->reserved, octets,
+ chunk_empty, ppk, id, this->reserved, octets,
schemes) &&
array_remove(schemes, 0, scheme))
{
METHOD(keymat_v2_t, get_auth_octets, bool,
private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
- chunk_t *octets, array_t *schemes)
+ chunk_t nonce, chunk_t int_auth, chunk_t ppk, identification_t *id,
+ char reserved[3], chunk_t *octets, array_t *schemes)
{
chunk_t chunk, idx;
chunk_t skp_ppk = chunk_empty;
return FALSE;
}
chunk_clear(&skp_ppk);
- *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
- DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
+ *octets = chunk_cat("ccmc", ike_sa_init, nonce, chunk, int_auth);
+ DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') + IntAuth %B",
+ octets);
return TRUE;
}
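Review bot: The `chunk_cat("ccmc", ...)` line needs a comment saying that the order of the four parts is fixed by the IKE_INTERMEDIATE specification (RFC 9242) and that `int_auth` must be byte-identical on both peers. A mismatch only shows up as a failed AUTH verification, which is hard to diagnose. Something like `/* IntAuth is appended last; empty unless IKE_INTERMEDIATE exchanges were used */` above the call would do. The DBG3 line dumps the full octets, so with large intermediate exchanges that log entry grows accordingly. The method body starts outside this hunk.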
#define IKEV2_KEY_PAD_LENGTH 17
METHOD(keymat_v2_t, get_psk_sig, bool,
- private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
- chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3],
- chunk_t *sig)
+ private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+ chunk_t nonce, chunk_t int_auth, chunk_t secret, chunk_t ppk,
+ identification_t *id, char reserved[3], chunk_t *sig)
{
chunk_t skp_ppk = chunk_empty, key = chunk_empty, octets = chunk_empty;
chunk_t key_pad;
secret = skp_ppk;
}
}
- if (!get_auth_octets(this, verify, ike_sa_init, nonce, ppk, id, reserved,
- &octets, NULL))
+ if (!get_auth_octets(this, verify, ike_sa_init, nonce, int_auth, ppk, id,
+ reserved, &octets, NULL))
{
goto failure;
}
* the get_psk_sig() method instead.
*
* @param verify TRUE to create for verification, FALSE to sign
- * @param ike_sa_init encoded ike_sa_init message
+ * @param ike_sa_init encoded IKE_SA_INIT message
* @param nonce nonce value
+ * @param int_auth concatenated data of IKE_INTERMEDIATE exchanges
* @param ppk optional postquantum preshared key
* @param id identity
* @param reserved reserved bytes of id_payload
- * @param octests chunk receiving allocated auth octets
+ * @param octets chunk receiving allocated auth octets
* @param schemes array containing signature schemes
* (signature_params_t*) in case they need to be
* modified by the keymat implementation
* @return TRUE if octets created successfully
*/
bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t ppk, identification_t *id,
- char reserved[3], chunk_t *octets,
- array_t *schemes);
+ chunk_t nonce, chunk_t int_auth, chunk_t ppk,
+ identification_t *id, char reserved[3],
+ chunk_t *octets, array_t *schemes);
+
/**
* Build the shared secret signature used for PSK and EAP authentication.
*
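Review bot: The new `@param int_auth` line for `get_auth_octets` does not say whether the argument may be empty or who owns it. Callers in this commit pass `chunk_empty`, and the default implementation appears to copy the chunk, so the line could read `@param int_auth concatenated data of IKE_INTERMEDIATE exchanges, chunk_empty if none (not modified or freed)`. The same wording would fit the `get_psk_sig` documentation in the next hunk.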
* used as secret (used for EAP methods without MSK).
*
* @param verify TRUE to create for verification, FALSE to sign
- * @param ike_sa_init encoded ike_sa_init message
+ * @param ike_sa_init encoded IKE_SA_INIT message
* @param nonce nonce value
+ * @param int_auth concatenated data of IKE_INTERMEDIATE exchanges
* @param secret optional secret to include into signature
* @param ppk optional postquantum preshared key
* @param id identity
* @return TRUE if signature created successfully
*/
bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, chunk_t secret, chunk_t ppk,
- identification_t *id, char reserved[3], chunk_t *sig);
+ chunk_t nonce, chunk_t int_auth, chunk_t secret,
+ chunk_t ppk, identification_t *id, char reserved[3],
+ chunk_t *sig);
/**
* Add a hash algorithm supported by the peer for signature authentication.