Add a return value to keymat_v2_t.get_auth_octets()
authorMartin Willi <martin@revosec.ch>
Fri, 6 Jul 2012 08:58:19 +0000 (10:58 +0200)
committerMartin Willi <martin@revosec.ch>
Mon, 16 Jul 2012 12:53:34 +0000 (14:53 +0200)
src/conftest/hooks/pretend_auth.c
src/conftest/hooks/rebuild_auth.c
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
src/libcharon/sa/ikev2/keymat_v2.c
src/libcharon/sa/ikev2/keymat_v2.h

index cfc39e3..4166afc 100644 (file)
@@ -237,8 +237,12 @@ static bool build_auth(private_pretend_auth_t *this,
                        return FALSE;
        }
        keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
-       octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init,
-                                                                        this->nonce, this->id, this->reserved);
+       if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init,
+                                                                this->nonce, this->id, this->reserved, &octets))
+       {
+               private->destroy(private);
+               return FALSE;
+       }
        if (!private->sign(private, scheme, octets, &auth_data))
        {
                chunk_free(&octets);
index eb95833..b7e6f22 100644 (file)
@@ -136,8 +136,13 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
                        return FALSE;
        }
        keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
-       octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init,
-                                                                        this->nonce, id, reserved);
+       if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init,
+                                                                this->nonce, id, reserved, &octets))
+       {
+               private->destroy(private);
+               id->destroy(id);
+               return FALSE;
+       }
        if (!private->sign(private, scheme, octets, &auth_data))
        {
                chunk_free(&octets);
index 179be39..5ceff40 100644 (file)
@@ -57,7 +57,7 @@ struct private_pubkey_authenticator_t {
 METHOD(authenticator_t, build, status_t,
        private_pubkey_authenticator_t *this, message_t *message)
 {
-       chunk_t octets, auth_data;
+       chunk_t octets = chunk_empty, auth_data;
        status_t status = FAILED;
        private_key_t *private;
        identification_t *id;
@@ -112,9 +112,9 @@ METHOD(authenticator_t, build, status_t,
                        return status;
        }
        keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-                                                                        this->nonce, id, this->reserved);
-       if (private->sign(private, scheme, octets, &auth_data))
+       if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
+                                                               this->nonce, id, this->reserved, &octets) &&
+               private->sign(private, scheme, octets, &auth_data))
        {
                auth_payload = auth_payload_create();
                auth_payload->set_auth_method(auth_payload, auth_method);
@@ -176,8 +176,11 @@ METHOD(authenticator_t, process, status_t,
        auth_data = auth_payload->get_data(auth_payload);
        id = this->ike_sa->get_other_id(this->ike_sa);
        keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-                                                                        this->nonce, id, this->reserved);
+       if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
+                                                                this->nonce, id, this->reserved, &octets))
+       {
+               return FAILED;
+       }
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
        enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
                                                                                                                key_type, id, auth);
index 86bc859..4db02be 100644 (file)
@@ -576,11 +576,11 @@ METHOD(keymat_t, get_aead, aead_t*,
        return in ? this->aead_in : this->aead_out;
 }
 
-METHOD(keymat_v2_t, get_auth_octets, chunk_t,
+METHOD(keymat_v2_t, get_auth_octets, bool,
        private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
-       chunk_t nonce, identification_t *id, char reserved[3])
+       chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
 {
-       chunk_t chunk, idx, octets;
+       chunk_t chunk, idx;
        chunk_t skp;
 
        skp = verify ? this->skp_verify : this->skp_build;
@@ -595,9 +595,9 @@ METHOD(keymat_v2_t, get_auth_octets, chunk_t,
        this->prf->set_key(this->prf, skp);
        this->prf->allocate_bytes(this->prf, idx, &chunk);
 
-       octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
-       DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", &octets);
-       return octets;
+       *octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
+       DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
+       return TRUE;
 }
 
 /**
@@ -616,7 +616,10 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
        {       /* EAP uses SK_p if no MSK has been established */
                secret = verify ? this->skp_verify : this->skp_build;
        }
-       octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved);
+       if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
+       {
+               return FALSE;
+       }
        /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), <msg octets>) */
        key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH);
        this->prf->set_key(this->prf, secret);
index a3167a1..04432f0 100644 (file)
@@ -99,11 +99,12 @@ struct keymat_v2_t {
         * @param nonce                 nonce value
         * @param id                    identity
         * @param reserved              reserved bytes of id_payload
-        * @return                              authentication octets
+        * @param octests               chunk receiving allocated auth octets
+        * @return                              TRUE if octets created successfully
         */
-       chunk_t (*get_auth_octets)(keymat_v2_t *this, bool verify,
-                                                          chunk_t ike_sa_init, chunk_t nonce,
-                                                          identification_t *id, char reserved[3]);
+       bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
+                                                       chunk_t nonce, identification_t *id,
+                                                       char reserved[3], chunk_t *octets);
        /**
         * Build the shared secret signature used for PSK and EAP authentication.
         *