diff options
Diffstat (limited to 'src/libcharon/sa/ikev2')
| -rw-r--r-- | src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c | 39 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/keymat_v2.c | 6 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/keymat_v2.h | 6 |
3 files changed, 39 insertions, 12 deletions
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 592f49770..19ea72d0b 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -217,7 +217,8 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, } if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, - this->nonce, id, this->reserved, &octets)) + this->nonce, id, this->reserved, &octets, + schemes)) { enumerator = array_create_enumerator(schemes); while (enumerator->enumerate(enumerator, &schemep)) @@ -247,6 +248,32 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this, } /** + * Get the auth octets and the signature scheme (in case it is changed by the + * keymat). + */ +static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this, + bool verify, identification_t *id, + chunk_t *octets, signature_scheme_t *scheme) +{ + keymat_v2_t *keymat; + array_t *schemes; + bool success = FALSE; + + schemes = array_create(sizeof(signature_scheme_t), 0); + array_insert(schemes, ARRAY_TAIL, scheme); + + keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); + if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce, + id, this->reserved, octets, schemes) && + array_get(schemes, 0, &scheme)) + { + success = TRUE; + } + array_destroy(schemes); + return success; +} + +/** * Create a classic IKEv2 signature */ static status_t sign_classic(private_pubkey_authenticator_t *this, @@ -255,7 +282,6 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, chunk_t *auth_data) { signature_scheme_t scheme; - keymat_v2_t *keymat; chunk_t octets = chunk_empty; status_t status = FAILED; @@ -293,9 +319,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this, return FAILED; } - keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); - if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, - this->nonce, id, this->reserved, &octets) && + if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) && private->sign(private, scheme, octets, auth_data)) { status = SUCCESS; @@ -363,7 +387,6 @@ METHOD(authenticator_t, process, status_t, key_type_t key_type = KEY_ECDSA; signature_scheme_t scheme; status_t status = NOT_FOUND; - keymat_v2_t *keymat; const char *reason = "unsupported"; bool online; @@ -402,9 +425,7 @@ METHOD(authenticator_t, process, status_t, return INVALID_ARG; } id = this->ike_sa->get_other_id(this->ike_sa); - keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa); - if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, - this->nonce, id, this->reserved, &octets)) + if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme)) { return FAILED; } diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c index 58efdbabe..70dacd1dc 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.c +++ b/src/libcharon/sa/ikev2/keymat_v2.c @@ -629,7 +629,8 @@ METHOD(keymat_t, get_aead, aead_t*, METHOD(keymat_v2_t, get_auth_octets, bool, private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets) + chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets, + array_t *schemes) { chunk_t chunk, idx; chunk_t skp; @@ -669,7 +670,8 @@ METHOD(keymat_v2_t, get_psk_sig, bool, { /* EAP uses SK_p if no MSK has been established */ secret = verify ? this->skp_verify : this->skp_build; } - if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets)) + if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, + &octets, NULL)) { return FALSE; } diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h index 927b62b03..36bf149fe 100644 --- a/src/libcharon/sa/ikev2/keymat_v2.h +++ b/src/libcharon/sa/ikev2/keymat_v2.h @@ -22,6 +22,7 @@ #define KEYMAT_V2_H_ #include <sa/keymat.h> +#include <collections/array.h> typedef struct keymat_v2_t keymat_v2_t; @@ -100,11 +101,14 @@ struct keymat_v2_t { * @param id identity * @param reserved reserved bytes of id_payload * @param octests chunk receiving allocated auth octets + * @param schemes array containing signature schemes in case they + * need to be modified by the keymat implementation * @return TRUE if octets created successfully */ bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce, identification_t *id, - char reserved[3], chunk_t *octets); + char reserved[3], chunk_t *octets, + array_t *schemes); /** * Build the shared secret signature used for PSK and EAP authentication. * |