author | Adrian-Ken Rueegsegger <ken@codelabs.ch> | 2012-08-29 18:32:28 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2013-03-19 15:23:46 +0100 |
commit | 51fdbd042901635280f98d4ee96231b2890f7feb (patch) | |
tree | 262e8240b52f3ef31a36e6aaadecac2fe4367d38 /src | |
parent | e285544be2a8c561b3d84bf43523c761526879c6 (diff) | |
keymat: Call ike_isa_sign_psk in get_psk_sig
Get PSK signed AUTH octets from TKM in initiator case.
Diffstat (limited to 'src')
-rw-r--r-- | src/charon-tkm/src/tkm/tkm_keymat.c | 27 |
1 files changed, 26 insertions, 1 deletions
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index 36067eae8..0c71967e3 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -298,8 +298,33 @@ METHOD(tkm_keymat_t, get_psk_sig, bool,
 chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
 {
 DBG1(DBG_IKE, "returning PSK signature");
- return this->proxy->get_psk_sig(this->proxy, verify, ike_sa_init, nonce,
+ if (!verify)
+ {
+ signature_type signature;
+ init_message_type msg;
+ chunk_to_sequence(&ike_sa_init, &msg);
+
+ chunk_t idx_chunk, chunk = chunk_alloca(4);
+ chunk.ptr[0] = id->get_type(id);
+ memcpy(chunk.ptr + 1, reserved, 3);
+ idx_chunk = chunk_cata("cc", chunk, id->get_encoding(id));
+ idx_type idx;
+ chunk_to_sequence(&idx_chunk, &idx);
+
+ if (ike_isa_sign_psk(1, msg, idx, &signature) != TKM_OK)
+ {
+ DBG1(DBG_IKE, "get local PSK signature failed");
+ return FALSE;
+ }
+
+ sequence_to_chunk(&signature.data[0], signature.size, sig);
+ return TRUE;
+ }
+ else
+ {
+ return this->proxy->get_psk_sig(this->proxy, verify, ike_sa_init, nonce,
 secret, id, reserved, sig);
+ }
 }
 
 METHOD(keymat_t, destroy, void, |
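Review bot: The two `chunk_to_sequence()` calls in the new `!verify` branch copy variable-length data (`ike_sa_init`, and the ID type/reserved/encoding concatenation in `idx_chunk`) into what appear to be fixed-size TKM sequence types, and nothing in the hunk checks the lengths first. The helper is not shown here, so if it does not bound the copy itself, each call needs a guard such as `if (ike_sa_init.len > sizeof(msg.data)) return FALSE;` (assuming `init_message_type` has the same `size`/`data` layout as `signature_type`), and likewise for `idx_chunk` against `idx`. Separately, `ike_isa_sign_psk(1, ...)` hard-codes the ISA context id, so as written every IKE_SA would request its signature from context 1; until the id is plumbed through I would mark the call with `/* TODO: pass the ISA context id of this IKE_SA instead of 1 */`. The start of `get_psk_sig`'s parameter list lies outside the hunk.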