sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-03 00:00:24 -04:00
Code Issues Projects Releases Wiki Activity

keymat_v2: Include optional IntAuth in signed octets

Browse Source
This commit is contained in:
Tobias Brunner 2019-08-20 16:18:05 +02:00
parent 91f09b8d25
commit e5828d26ea
8 changed files with 49 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/charon-tkm/src/tkm/tkm_keymat.c
View File

@ -256,8 +256,8 @@ METHOD(keymat_v2_t, get_int_auth, bool,
METHOD(keymat_v2_t, get_auth_octets, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
chunk_t *octets, array_t *schemes)
chunk_t nonce, chunk_t int_auth, chunk_t ppk, identification_t *id,
char reserved[3], chunk_t *octets, array_t *schemes)
{
sign_info_t *sign;
@ -299,8 +299,8 @@ METHOD(keymat_v2_t, get_skd, pseudo_random_function_t,
METHOD(keymat_v2_t, get_psk_sig, bool,
private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3],
chunk_t *sig)
chunk_t int_auth, chunk_t secret, chunk_t ppk, identification_t *id,
char reserved[3], chunk_t *sig)
{
return FALSE;
}

4
src/conftest/hooks/pretend_auth.c
View File

@ -239,8 +239,8 @@ static bool build_auth(private_pretend_auth_t *this,
}
keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init, this->nonce,
chunk_empty, this->id, this->reserved,
&octets, NULL))
chunk_empty, chunk_empty, this->id,
this->reserved, &octets, NULL))
{
private->destroy(private);
return FALSE;

3
src/conftest/hooks/rebuild_auth.c
View File

@ -138,7 +138,8 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
}
keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init, this->nonce,
chunk_empty, id, reserved, &octets, NULL))
chunk_empty, chunk_empty, id, reserved,
&octets, NULL))
{
private->destroy(private);
id->destroy(id);

13
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
View File

@ -495,8 +495,8 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
other_id = this->ike_sa->get_other_id(this->ike_sa);
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, this->msk, this->ppk,
other_id, this->reserved, &auth_data))
if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, chunk_empty, this->msk,
this->ppk, other_id, this->reserved, &auth_data))
{
return FALSE;
}
@ -541,8 +541,8 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message,
DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
my_id, auth_class_names, AUTH_CLASS_EAP);
if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, this->ppk,
my_id, this->reserved, &auth_data))
if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty, this->msk,
this->ppk, my_id, this->reserved, &auth_data))
{
return FALSE;
}
@ -554,8 +554,9 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message,
if (this->no_ppk_auth)
{
if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk,
chunk_empty, my_id, this->reserved, &auth_data))
if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty,
this->msk, chunk_empty, my_id, this->reserved,
&auth_data))
{
DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify");
return FALSE;

12
src/libcharon/sa/ikev2/authenticators/psk_authenticator.c
View File

@ -86,8 +86,8 @@ METHOD(authenticator_t, build, status_t,
return NOT_FOUND;
}
if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
key->get_key(key), this->ppk, my_id,
this->reserved, &auth_data))
chunk_empty, key->get_key(key), this->ppk,
my_id, this->reserved, &auth_data))
{
key->destroy(key);
return FAILED;
@ -103,8 +103,8 @@ METHOD(authenticator_t, build, status_t,
if (this->no_ppk_auth)
{
if (!keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, this->nonce,
key->get_key(key), chunk_empty, my_id,
this->reserved, &auth_data))
chunk_empty, key->get_key(key), chunk_empty,
my_id, this->reserved, &auth_data))
{
DBG1(DBG_IKE, "failed adding NO_PPK_AUTH notify");
key->destroy(key);
@ -160,8 +160,8 @@ METHOD(authenticator_t, process, status_t,
keys_found++;
if (!keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, this->nonce,
key->get_key(key), this->ppk, other_id,
this->reserved, &auth_data))
chunk_empty, key->get_key(key), this->ppk,
other_id, this->reserved, &auth_data))
{
continue;
}

10
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
View File

@ -325,7 +325,8 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
}
if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, this->nonce,
this->ppk, id, this->reserved, &octets, schemes))
chunk_empty, this->ppk, id, this->reserved,
&octets, schemes))
{
enumerator = array_create_enumerator(schemes);
while (enumerator->enumerate(enumerator, &params))
@ -347,8 +348,9 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
chunk_free(&octets);
if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
this->nonce, chunk_empty, id,
this->reserved, &octets, schemes) &&
this->nonce, chunk_empty,
chunk_empty, id, this->reserved,
&octets, schemes) &&
private->sign(private, params->scheme, params->params,
octets, &auth_data) &&
build_signature_auth_data(&auth_data, params))
@ -412,7 +414,7 @@ static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
ppk, id, this->reserved, octets,
chunk_empty, ppk, id, this->reserved, octets,
schemes) &&
array_remove(schemes, 0, scheme))
{

19
src/libcharon/sa/ikev2/keymat_v2.c
View File

@ -680,8 +680,8 @@ METHOD(keymat_v2_t, get_int_auth, bool,
METHOD(keymat_v2_t, get_auth_octets, bool,
private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t ppk, identification_t *id, char reserved[3],
chunk_t *octets, array_t *schemes)
chunk_t nonce, chunk_t int_auth, chunk_t ppk, identification_t *id,
char reserved[3], chunk_t *octets, array_t *schemes)
{
chunk_t chunk, idx;
chunk_t skp_ppk = chunk_empty;
@ -712,8 +712,9 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
return FALSE;
}
chunk_clear(&skp_ppk);
*octets = chunk_cat("ccm", ike_sa_init, nonce, chunk);
DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') %B", octets);
*octets = chunk_cat("ccmc", ike_sa_init, nonce, chunk, int_auth);
DBG3(DBG_IKE, "octets = message + nonce + prf(Sk_px, IDx') + IntAuth %B",
octets);
return TRUE;
}
@ -724,9 +725,9 @@ METHOD(keymat_v2_t, get_auth_octets, bool,
#define IKEV2_KEY_PAD_LENGTH 17
METHOD(keymat_v2_t, get_psk_sig, bool,
private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init, chunk_t nonce,
chunk_t secret, chunk_t ppk, identification_t *id, char reserved[3],
chunk_t *sig)
private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t int_auth, chunk_t secret, chunk_t ppk,
identification_t *id, char reserved[3], chunk_t *sig)
{
chunk_t skp_ppk = chunk_empty, key = chunk_empty, octets = chunk_empty;
chunk_t key_pad;
@ -744,8 +745,8 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
secret = skp_ppk;
}
}
if (!get_auth_octets(this, verify, ike_sa_init, nonce, ppk, id, reserved,
&octets, NULL))
if (!get_auth_octets(this, verify, ike_sa_init, nonce, int_auth, ppk, id,
reserved, &octets, NULL))
{
goto failure;
}

20
src/libcharon/sa/ikev2/keymat_v2.h
View File

@ -124,21 +124,23 @@ struct keymat_v2_t {
* the get_psk_sig() method instead.
*
* @param verify TRUE to create for verification, FALSE to sign
* @param ike_sa_init encoded ike_sa_init message
* @param ike_sa_init encoded IKE_SA_INIT message
* @param nonce nonce value
* @param int_auth concatenated data of IKE_INTERMEDIATE exchanges
* @param ppk optional postquantum preshared key
* @param id identity
* @param reserved reserved bytes of id_payload
* @param octests chunk receiving allocated auth octets
* @param octets chunk receiving allocated auth octets
* @param schemes array containing signature schemes
* (signature_params_t*) in case they need to be
* modified by the keymat implementation
* @return TRUE if octets created successfully
*/
bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t ppk, identification_t *id,
char reserved[3], chunk_t *octets,
array_t *schemes);
chunk_t nonce, chunk_t int_auth, chunk_t ppk,
identification_t *id, char reserved[3],
chunk_t *octets, array_t *schemes);
/**
* Build the shared secret signature used for PSK and EAP authentication.
*
@ -147,8 +149,9 @@ struct keymat_v2_t {
* used as secret (used for EAP methods without MSK).
*
* @param verify TRUE to create for verification, FALSE to sign
* @param ike_sa_init encoded ike_sa_init message
* @param ike_sa_init encoded IKE_SA_INIT message
* @param nonce nonce value
* @param int_auth concatenated data of IKE_INTERMEDIATE exchanges
* @param secret optional secret to include into signature
* @param ppk optional postquantum preshared key
* @param id identity
@ -157,8 +160,9 @@ struct keymat_v2_t {
* @return TRUE if signature created successfully
*/
bool (*get_psk_sig)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
chunk_t nonce, chunk_t secret, chunk_t ppk,
identification_t *id, char reserved[3], chunk_t *sig);
chunk_t nonce, chunk_t int_auth, chunk_t secret,
chunk_t ppk, identification_t *id, char reserved[3],
chunk_t *sig);
/**
* Add a hash algorithm supported by the peer for signature authentication.