5 files changed, 37 insertions, 21 deletions

diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index cfc39e3a9..4166afc79 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -237,8 +237,12 @@ static bool build_auth(private_pretend_auth_t *this,
 			return FALSE;
 	}
 	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
-	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
-									 this->nonce, this->id, this->reserved);
+	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init,
+								 this->nonce, this->id, this->reserved, &octets))
+	{
+		private->destroy(private);
+		return FALSE;
+	}
 	if (!private->sign(private, scheme, octets, &auth_data))
 	{
 		chunk_free(&octets);
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c
index eb95833e8..b7e6f22e7 100644
--- a/src/conftest/hooks/rebuild_auth.c
+++ b/src/conftest/hooks/rebuild_auth.c
@@ -136,8 +136,13 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 			return FALSE;
 	}
 	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
-	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
-									 this->nonce, id, reserved);
+	if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init,
+								 this->nonce, id, reserved, &octets))
+	{
+		private->destroy(private);
+		id->destroy(id);
+		return FALSE;
+	}
 	if (!private->sign(private, scheme, octets, &auth_data))
 	{
 		chunk_free(&octets);
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 179be3977..5ceff40ba 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -57,7 +57,7 @@ struct private_pubkey_authenticator_t {
 METHOD(authenticator_t, build, status_t,
 	private_pubkey_authenticator_t *this, message_t *message)
 {
-	chunk_t octets, auth_data;
+	chunk_t octets = chunk_empty, auth_data;
 	status_t status = FAILED;
 	private_key_t *private;
 	identification_t *id;
@@ -112,9 +112,9 @@ METHOD(authenticator_t, build, status_t,
 			return status;
 	}
 	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-									 this->nonce, id, this->reserved);
-	if (private->sign(private, scheme, octets, &auth_data))
+	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+								this->nonce, id, this->reserved, &octets) &&
+		private->sign(private, scheme, octets, &auth_data))
 	{
 		auth_payload = auth_payload_create();
 		auth_payload->set_auth_method(auth_payload, auth_method);
@@ -176,8 +176,11 @@ METHOD(authenticator_t, process, status_t,
 	auth_data = auth_payload->get_data(auth_payload);
 	id = this->ike_sa->get_other_id(this->ike_sa);
 	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-	octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-									 this->nonce, id, this->reserved);
+	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+								 this->nonce, id, this->reserved, &octets))
+	{
+		return FAILED;
+	}
 	auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 	enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
 														key_type, id, auth);
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 86bc85967..4db02be7f 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -576,11 +576,11 @@ METHOD(keymat_t, get_aead, aead_t*,
 	return in ? this->aead_in : this->aead_out;
 }
 
-METHOD(keymat_v2_t, get_auth_octets, chunk_t,
+METHOD(keymat_v2_t, get_auth_octets, bool,
 	private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id, char reserved[3])
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
 {
-	chunk_t chunk, idx, octets;
+	chunk_t chunk, idx;
 	chunk_t skp;
 
 	skp = verify ? this->skp_verify : this->skp_build;
@@ -595,9 +595,9 @@ METHOD(keymat_v2_t, get_auth_octets, chunk_t,
 	this->prf->set_key(this->prf, skp);
 	this->prf->allocate_bytes(this->prf, idx, &chunk);
 
-	octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
-	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
-	return octets;
+	*octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
+	DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
+	return TRUE;
 }
 
 /**
@@ -616,7 +616,10 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
 	{	/* EAP uses SK_p if no MSK has been established */
 		secret = verify ? this->skp_verify : this->skp_build;
 	}
-	octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
+	if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
+	{
+		return FALSE;
+	}
 	/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
 	key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
 	this->prf->set_key(this->prf, secret);
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index a3167a13c..04432f05b 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -99,11 +99,12 @@ struct keymat_v2_t {
 	 * @param nonce			nonce value
 	 * @param id			identity
 	 * @param reserved		reserved bytes of id_payload
-	 * @return				authentication octets
+	 * @param octests		chunk receiving allocated auth octets
+	 * @return				TRUE if octets created successfully
 	 */
-	chunk_t (*get_auth_octets)(keymat_v2_t *this, bool verify,
-							   chunk_t ike_sa_init, chunk_t nonce,
-							   identification_t *id, char reserved[3]);
+	bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+							chunk_t nonce, identification_t *id,
+							char reserved[3], chunk_t *octets);
 	/**
 	 * Build the shared secret signature used for PSK and EAP authentication.
 	 *