Add a return value to keymat_v2_t.get_psk_sig()
authorMartin Willi <martin@revosec.ch>
Fri, 6 Jul 2012 08:47:20 +0000 (10:47 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 16 Jul 2012 12:53:34 +0000 (14:53 +0200)
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
src/libcharon/sa/ikev2/keymat_v2.c
src/libcharon/sa/ikev2/keymat_v2.h

index 2e661dc..2c282dc 100644 (file)
@@ -420,8 +420,11 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
        }
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce,
-                                                                       this->msk, other_id, this->reserved);
+       if (!keymat->get_psk_sig(keymat, TRUE, init, nonce,
+                                                        this->msk, other_id, this->reserved, &auth_data))
+       {
+               return FALSE;
+       }
        recv_auth_data = auth_payload->get_data(auth_payload);
        if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data))
        {
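Review bot: The peer-supplied AUTH value is still compared with `chunk_equals(auth_data, recv_auth_data)` directly after the new error check, and the same call appears in the `process` hunk of psk_authenticator.c. If chunk_equals is an early-exit byte comparison (its implementation is not visible on this page), the comparison time depends on how many leading bytes of the received MAC match. A constant-time comparison is the safer choice for authentication data, e.g. `chunk_equals_const(auth_data, recv_auth_data)` where the tree provides it. Now that get_psk_sig() reports failure itself, the `!auth_data.len` test remains only as a defensive guard, and a short comment saying so would help. verify_auth starts and ends outside this hunk.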
@@ -443,7 +446,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 /**
  * Build AUTH payload
  */
-static void build_auth(private_eap_authenticator_t *this, message_t *message,
+static bool build_auth(private_eap_authenticator_t *this, message_t *message,
                                           chunk_t nonce, chunk_t init)
 {
        auth_payload_t *auth_payload;
@@ -457,13 +460,17 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message,
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
 
-       auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce,
-                                                                       this->msk, my_id, this->reserved);
+       if (!keymat->get_psk_sig(keymat, FALSE, init, nonce,
+                                                       this->msk, my_id, this->reserved, &auth_data))
+       {
+               return FALSE;
+       }
        auth_payload = auth_payload_create();
        auth_payload->set_auth_method(auth_payload, AUTH_PSK);
        auth_payload->set_data(auth_payload, auth_data);
        message->add_payload(message, (payload_t*)auth_payload);
        chunk_free(&auth_data);
+       return TRUE;
 }
 
 METHOD(authenticator_t, process_server, status_t,
@@ -513,9 +520,9 @@ METHOD(authenticator_t, build_server, status_t,
                }
                return NEED_MORE;
        }
-       if (this->eap_complete && this->auth_complete)
+       if (this->eap_complete && this->auth_complete &&
+               build_auth(this, message, this->received_nonce, this->sent_init))
        {
-               build_auth(this, message, this->received_nonce, this->sent_init);
                return SUCCESS;
        }
        return FAILED;
@@ -611,9 +618,9 @@ METHOD(authenticator_t, build_client, status_t,
                this->eap_payload = NULL;
                return NEED_MORE;
        }
-       if (this->eap_complete)
+       if (this->eap_complete &&
+               build_auth(this, message, this->received_nonce, this->sent_init))
        {
-               build_auth(this, message, this->received_nonce, this->sent_init);
                return NEED_MORE;
        }
        return NEED_MORE;
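Review bot: A failed build_auth() is swallowed in build_client, because the block under the new condition returns NEED_MORE and so does the fall-through `return NEED_MORE;`. The message is then presumably sent without an AUTH payload, and the failure only surfaces later as a peer rejection or a timeout. build_server maps the same failure to FAILED, and the client can do likewise with `if (this->eap_complete && !build_auth(this, message, this->received_nonce, this->sent_init))` `{ return FAILED; }` ahead of the final return. The rest of build_client lies outside this hunk, so confirm that no caller relies on NEED_MORE here.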
index 2d3434c..997efe3 100644 (file)
@@ -73,8 +73,12 @@ METHOD(authenticator_t, build, status_t,
                DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id);
                return NOT_FOUND;
        }
-       auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init,
-                                               this->nonce, key->get_key(key), my_id, this->reserved);
+       if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
+                                               key->get_key(key), my_id, this->reserved, &auth_data))
+       {
+               key->destroy(key);
+               return FAILED;
+       }
        key->destroy(key);
        DBG2(DBG_IKE, "successfully created shared key MAC");
        auth_payload = auth_payload_create();
@@ -114,8 +118,11 @@ METHOD(authenticator_t, process, status_t,
        {
                keys_found++;
 
-               auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init,
-                               this->nonce, key->get_key(key), other_id, this->reserved);
+               if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce,
+                                       key->get_key(key), other_id, this->reserved, &auth_data))
+               {
+                       continue;
+               }
                if (auth_data.len && chunk_equals(auth_data, recv_auth_data))
                {
                        DBG1(DBG_IKE, "authentication of '%Y' with %N successful",
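Review bot: The `continue` taken when get_psk_sig() fails leaves no trace in the log, and `keys_found` has already been incremented by then. A PRF failure will therefore most likely be reported after the loop as an ordinary MAC mismatch, though the post-loop code is outside this hunk. A line such as `DBG1(DBG_IKE, "creating shared key MAC failed");` before the `continue` would let operators tell a local crypto failure apart from a peer presenting the wrong key.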
index 3e36b09..86bc859 100644 (file)
@@ -606,11 +606,11 @@ METHOD(keymat_v2_t, get_auth_octets, chunk_t,
 #define IKEV2_KEY_PAD "Key Pad for IKEv2"
 #define IKEV2_KEY_PAD_LENGTH 17
 
-METHOD(keymat_v2_t, get_psk_sig, chunk_t,
-       private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
-       chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3])
+METHOD(keymat_v2_t, get_psk_sig, bool,
+       private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
+       chunk_t secret, identification_t *id, char reserved[3], chunk_t *sig)
 {
-       chunk_t key_pad, key, sig, octets;
+       chunk_t key_pad, key, octets;
 
        if (!secret.len)
        {       /* EAP uses SK_p if no MSK has been established */
@@ -622,14 +622,14 @@ METHOD(keymat_v2_t, get_psk_sig, chunk_t,
        this->prf->set_key(this->prf, secret);
        this->prf->allocate_bytes(this->prf, key_pad, &key);
        this->prf->set_key(this->prf, key);
-       this->prf->allocate_bytes(this->prf, octets, &sig);
+       this->prf->allocate_bytes(this->prf, octets, sig);
        DBG4(DBG_IKE, "secret %B", &secret);
        DBG4(DBG_IKE, "prf(secret, keypad) %B", &key);
-       DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", &sig);
+       DBG3(DBG_IKE, "AUTH = prf(prf(secret, keypad), octets) %B", sig);
        chunk_free(&octets);
        chunk_free(&key);
 
-       return sig;
+       return TRUE;
 }
 
 METHOD(keymat_t, destroy, void,
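Review bot: get_psk_sig() now returns bool, but the body in this hunk ends in an unconditional `return TRUE;` and ignores the results of `this->prf->set_key()` and `this->prf->allocate_bytes()`, so the error paths added in the callers cannot be reached from the visible code. If those prf_t calls can fail (their prototypes are not on this page), `*sig` would be left unset while TRUE is returned, and the callers would go on to compare or send it. Setting `*sig = chunk_empty;` at the top and returning FALSE when a PRF step fails would make the documented contract hold. The start of the function is in the previous hunk.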
index 89c65bb..a3167a1 100644 (file)
@@ -117,11 +117,12 @@ struct keymat_v2_t {
         * @param secret                optional secret to include into signature
         * @param id                    identity
         * @param reserved              reserved bytes of id_payload
-        * @return                              signature octets
+        * @param sign                  chunk receiving allocated signature octets
+        * @return                              TRUE if signature created successfully
         */
-       chunk_t (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
-                                                  chunk_t nonce, chunk_t secret,
-                                                  identification_t *id, char reserved[3]);
+       bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+                                               chunk_t nonce, chunk_t secret,
+                                               identification_t *id, char reserved[3], chunk_t *sig);
 };
 
 /**
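Review bot: The new doc line names the parameter `sign`, but the prototype calls it `sig`, so the generated documentation will show an undocumented parameter; it should read `@param sig  chunk receiving allocated signature octets`. The comment should also state that the caller frees the chunk and that `sig` must not be used when FALSE is returned. The beginning of this comment block is outside the hunk.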