Diffstat (limited to 'src')
-rw-r--r--src/libcharon/sa/ikev1/keymat_v1.c10
-rw-r--r--src/libcharon/sa/ikev2/keymat_v2.c10
-rw-r--r--src/libstrongswan/crypto/prf_plus.h2
3 files changed, 21 insertions, 1 deletions
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index 3cc944c1d..77f0a5651 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -614,6 +614,11 @@ METHOD(keymat_v1_t, derive_child_keys, bool,
DBG4(DBG_CHD, "initiator SA seed %B", &seed);
prf_plus = prf_plus_create(this->prf, FALSE, seed);
+ if (!prf_plus)
+ {
+ chunk_clear(&secret);
+ return FALSE;
+ }
if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
!prf_plus->allocate_bytes(prf_plus, int_size, integ_i))
{
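Review bot: None of the new `if (!prf_plus)` exits logs anything, so a failed prf+ setup during key derivation looks the same in the log as any other FALSE return. This applies here, to the responder check further down this file, and to both checks in keymat_v2.c. Unless prf_plus_create() already reports the cause itself (not visible on this page), a line such as `DBG1(DBG_CHD, "creating prf+ failed");` before `return FALSE;` would make the failure diagnosable, with `DBG_IKE` as the group in derive_ike_keys. derive_child_keys starts and ends outside the hunk.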
@@ -627,6 +632,11 @@ METHOD(keymat_v1_t, derive_child_keys, bool,
chunk_from_thing(spi_i), nonce_i, nonce_r);
DBG4(DBG_CHD, "responder SA seed %B", &seed);
prf_plus = prf_plus_create(this->prf, FALSE, seed);
+ if (!prf_plus)
+ {
+ chunk_clear(&secret);
+ return FALSE;
+ }
if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_r) ||
!prf_plus->allocate_bytes(prf_plus, int_size, integ_r))
{
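Review bot: If this responder-side `prf_plus_create()` fails, the initiator keys that the first block already wrote to `encr_i` and `integ_i` stay allocated and unwiped, because the new early return clears only `secret`. Whether the caller wipes the output chunks on FALSE is not visible here. It would be safer to add `chunk_clear(encr_i);` and `chunk_clear(integ_i);` before `return FALSE;`, or to go through the same cleanup as the allocate_bytes failure branch just below, whose body lies outside the hunk.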
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 55af8f1ec..3e36b098f 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -355,6 +355,12 @@ METHOD(keymat_v2_t, derive_ike_keys, bool,
chunk_free(&fixed_nonce);
chunk_clear(&prf_plus_seed);
+ if (!prf_plus)
+ {
+ DESTROY_IF(rekey_prf);
+ return FALSE;
+ }
+
/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
/* SK_d is used for generating CHILD_SA key mat => store for later use */
@@ -528,6 +534,10 @@ METHOD(keymat_v2_t, derive_child_keys, bool,
this->prf->set_key(this->prf, this->skd);
prf_plus = prf_plus_create(this->prf, TRUE, seed);
+ if (!prf_plus)
+ {
+ return FALSE;
+ }
if (!prf_plus->allocate_bytes(prf_plus, enc_size, encr_i) ||
!prf_plus->allocate_bytes(prf_plus, int_size, integ_i) ||
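Review bot: The `if (!prf_plus)` exit in the IKEv2 derive_child_keys wipes nothing before `return FALSE;`, while the two IKEv1 checks in this commit call `chunk_clear(&secret)` first. Whether a DH secret or the `seed` buffer still holds key material at this point cannot be seen from the hunk, since the code that builds `seed` is outside it. If they have already been consumed or wiped, a short comment on the early return saying so would make that clear; if not, the return should wipe them the way the IKEv1 path does.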
diff --git a/src/libstrongswan/crypto/prf_plus.h b/src/libstrongswan/crypto/prf_plus.h
index 1f668edf2..92f5dd76d 100644
--- a/src/libstrongswan/crypto/prf_plus.h
+++ b/src/libstrongswan/crypto/prf_plus.h
@@ -63,7 +63,7 @@ struct prf_plus_t {
* @param prf prf object to use, must be destroyd after prf+.
* @param counter use an appending counter byte (for IKEv2 variant)
* @param seed input seed for prf
- * @return prf_plus_t object
+ * @return prf_plus_t object, NULL on failure
*/
prf_plus_t *prf_plus_create(prf_t *prf, bool counter, chunk_t seed);