Use remote PSK signature computed by TKM
[strongswan.git] / src / charon-tkm / src / tkm / tkm_keymat.c
index 36067ea..3b1fd1c 100644 (file)
@@ -179,6 +179,14 @@ METHOD(tkm_keymat_t, derive_ike_keys, bool,
                                INTEGRITY_ALGORITHM);
                return FALSE;
        }
+       if (!(enc_alg == ENCR_AES_CBC && key_size == 256 &&
+                       int_alg == AUTH_HMAC_SHA2_512_256))
+       {
+               DBG1(DBG_IKE, "the TKM only supports aes256-sha512 at the moment, please"
+                               " update your configuration");
+               return FALSE;
+       }
+
        DBG2(DBG_IKE, "using %N for encryption, %N for integrity",
                        encryption_algorithm_names, enc_alg,
                        integrity_algorithm_names, int_alg);
@@ -297,9 +305,28 @@ METHOD(tkm_keymat_t, get_psk_sig, bool,
        private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
        chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
 {
-       DBG1(DBG_IKE, "returning PSK signature");
-       return this->proxy->get_psk_sig(this->proxy, verify, ike_sa_init, nonce,
-                       secret, id, reserved, sig);
+       DBG1(DBG_IKE, "returning %s PSK signature", verify ? "remote" : "local");
+
+       signature_type signature;
+       init_message_type msg;
+       chunk_to_sequence(&ike_sa_init, &msg);
+
+       chunk_t idx_chunk, chunk = chunk_alloca(4);
+       chunk.ptr[0] = id->get_type(id);
+       memcpy(chunk.ptr + 1, reserved, 3);
+       idx_chunk = chunk_cata("cc", chunk, id->get_encoding(id));
+       idx_type idx;
+       chunk_to_sequence(&idx_chunk, &idx);
+
+       if (ike_isa_sign_psk(1, msg, idx, verify == TRUE, &signature) != TKM_OK)
+       {
+               DBG1(DBG_IKE, "get %s PSK signature failed", verify ?
+                               "remote" : "local");
+               return FALSE;
+       }
+
+       sequence_to_chunk(&signature.data[0], signature.size, sig);
+       return TRUE;
 }
 
 METHOD(keymat_t, destroy, void,