return FALSE;
}
keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
- octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
- this->nonce, this->id, this->reserved);
+ if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init,
+ this->nonce, this->id, this->reserved, &octets))
+ {
+ private->destroy(private);
+ return FALSE;
+ }
if (!private->sign(private, scheme, octets, &auth_data))
{
chunk_free(&octets);
return FALSE;
}
keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
- octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
- this->nonce, id, reserved);
+ if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init,
+ this->nonce, id, reserved, &octets))
+ {
+ private->destroy(private);
+ id->destroy(id);
+ return FALSE;
+ }
if (!private->sign(private, scheme, octets, &auth_data))
{
chunk_free(&octets);
METHOD(authenticator_t, build, status_t,
private_pubkey_authenticator_t *this, message_t *message)
{
- chunk_t octets, auth_data;
+ chunk_t octets = chunk_empty, auth_data;
status_t status = FAILED;
private_key_t *private;
identification_t *id;
return status;
}
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
- octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
- this->nonce, id, this->reserved);
- if (private->sign(private, scheme, octets, &auth_data))
+ if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+ this->nonce, id, this->reserved, &octets) &&
+ private->sign(private, scheme, octets, &auth_data))
{
auth_payload = auth_payload_create();
auth_payload->set_auth_method(auth_payload, auth_method);
auth_data = auth_payload->get_data(auth_payload);
id = this->ike_sa->get_other_id(this->ike_sa);
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
- octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
- this->nonce, id, this->reserved);
+ if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+ this->nonce, id, this->reserved, &octets))
+ {
+ return FAILED;
+ }
auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
key_type, id, auth);
return in ? this->aead_in : this->aead_out;
}
-METHOD(keymat_v2_t, get_auth_octets, chunk_t,
+METHOD(keymat_v2_t, get_auth_octets, bool,
private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
- chunk_t nonce, identification_t *id, char reserved[3])
+ chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
{
- chunk_t chunk, idx, octets;
+ chunk_t chunk, idx;
chunk_t skp;
skp = verify ? this->skp_verify : this->skp_build;
this->prf->set_key(this->prf, skp);
this->prf->allocate_bytes(this->prf, idx, &chunk);
- octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
- DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
- return octets;
+ *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
+ DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
+ return TRUE;
}
/**
{ /* EAP uses SK_p if no MSK has been established */
secret = verify ? this->skp_verify : this->skp_build;
}
- octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
+ if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
+ {
+ return FALSE;
+ }
/* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
this->prf->set_key(this->prf, secret);
* @param nonce nonce value
* @param id identity
* @param reserved reserved bytes of id_payload
- * @return authentication octets
+ * @param octests chunk receiving allocated auth octets
+ * @return TRUE if octets created successfully
*/
- chunk_t (*get_auth_octets)(keymat_v2_t *this, bool verify,
- chunk_t ike_sa_init, chunk_t nonce,
- identification_t *id, char reserved[3]);
+ bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+ chunk_t nonce, identification_t *id,
+ char reserved[3], chunk_t *octets);
/**
* Build the shared secret signature used for PSK and EAP authentication.
*