diff options
| -rw-r--r-- | src/libcharon/sa/ikev2/authenticators/eap_authenticator.c | 25 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/authenticators/psk_authenticator.c | 15 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/keymat_v2.c | 14 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/keymat_v2.h | 9 |
4 files changed, 39 insertions, 24 deletions
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c index 2e661dc66..2c282dc06 100644 --- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c @@ -420,8 +420,11 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, } other_id = this->ike_sa->get_other_id(this->ike_sa); keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); - auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce, - this->msk, other_id, this->reserved); + if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, + this->msk, other_id, this->reserved, &auth_data)) + { + return FALSE; + } recv_auth_data = auth_payload->get_data(auth_payload); if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) { @@ -443,7 +446,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, /** * Build AUTH payload */ -static void build_auth(private_eap_authenticator_t *this, message_t *message, +static bool build_auth(private_eap_authenticator_t *this, message_t *message, chunk_t nonce, chunk_t init) { auth_payload_t *auth_payload; @@ -457,13 +460,17 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message, DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); - auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, - this->msk, my_id, this->reserved); + if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, + this->msk, my_id, this->reserved, &auth_data)) + { + return FALSE; + } auth_payload = auth_payload_create(); auth_payload->set_auth_method(auth_payload, AUTH_PSK); auth_payload->set_data(auth_payload, auth_data); message->add_payload(message, (payload_t*)auth_payload); chunk_free(&auth_data); + return TRUE; } METHOD(authenticator_t, process_server, status_t, @@ -513,9 +520,9 @@ METHOD(authenticator_t, build_server, status_t, } return NEED_MORE; } - if (this->eap_complete && this->auth_complete) + if (this->eap_complete && this->auth_complete && + build_auth(this, message, this->received_nonce, this->sent_init)) { - build_auth(this, message, this->received_nonce, this->sent_init); return SUCCESS; } return FAILED; @@ -611,9 +618,9 @@ METHOD(authenticator_t, build_client, status_t, this->eap_payload = NULL; return NEED_MORE; } - if (this->eap_complete) + if (this->eap_complete && + build_auth(this, message, this->received_nonce, this->sent_init)) { - build_auth(this, message, this->received_nonce, this->sent_init); return NEED_MORE; } return NEED_MORE; diff --git a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c index 2d3434cdf..997efe359 100644 --- a/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/psk_authenticator.c @@ -73,8 +73,12 @@ METHOD(authenticator_t, build, status_t, DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); return NOT_FOUND; } - auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, - this->nonce, key->get_key(key), my_id, this->reserved); + if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce, + key->get_key(key), my_id, this->reserved, &auth_data)) + { + key->destroy(key); + return FAILED; + } key->destroy(key); DBG2(DBG_IKE, "successfully created shared key MAC"); auth_payload = auth_payload_create(); @@ -114,8 +118,11 @@ METHOD(authenticator_t, process, status_t, { keys_found++; - auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, - this->nonce, key->get_key(key), other_id, this->reserved); + if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce, + key->get_key(key), other_id, this->reserved, &auth_data)) + { + continue; + } if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 3e36b098f..86bc85967 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -606,11 +606,11 @@ METHOD(keymat_v2_t, get_auth_octets, chunk_t, #define IKEV2_KEY_PAD "Key Pad for IKEv2" #define IKEV2_KEY_PAD_LENGTH 17 -METHOD(keymat_v2_t, get_psk_sig, chunk_t, - private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]) +METHOD(keymat_v2_t, get_psk_sig, bool, + private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, + chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig) { - chunk_t key_pad, key, sig, octets; + chunk_t key_pad, key, octets; if (!secret.len) { /* EAP uses SK_p if no MSK has been established */ @@ -622,14 +622,14 @@ METHOD(keymat_v2_t, get_psk_sig, chunk_t, this->prf->set_key(this->prf, secret); this->prf->allocate_bytes(this->prf, key_pad, &key); this->prf->set_key(this->prf, key); - this->prf->allocate_bytes(this->prf, octets, &sig); + this->prf->allocate_bytes(this->prf, octets, sig); DBG4(DBG_IKE, "secret %B", &secret); DBG4(DBG_IKE, "prf(secret, keypad) %B", &key); - DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig); + DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig); chunk_free(&octets); chunk_free(&key); - return sig; + return TRUE; } METHOD(keymat_t, destroy, void, diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 89c65bb30..a3167a13c 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h @@ -117,11 +117,12 @@ struct keymat_v2_t { * @param secret optional secret to include into signature * @param id identity * @param reserved reserved bytes of id_payload - * @return signature octets + * @param sign chunk receiving allocated signature octets + * @return TRUE if signature created successfully */ - chunk_t (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, - identification_t *id, char reserved[3]); + bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, + chunk_t nonce, chunk_t secret, + identification_t *id, char reserved[3], chunk_t *sig); }; /** |