int ca_setauth(struct iked *env, struct iked_sa *sa, struct ibuf *authmsg, enum privsep_procid id) { struct iovec iov[3]; int iovcnt = 3; struct iked_policy *policy = sa->sa_policy; u_int8_t type = policy->pol_auth.auth_method; if (type == IKEV2_AUTH_SHARED_KEY_MIC) { sa->sa_stateflags |= IKED_REQ_AUTH; return (ikev2_msg_authsign(env, sa, &policy->pol_auth, authmsg)); } iov[0].iov_base = &sa->sa_hdr; iov[0].iov_len = sizeof(sa->sa_hdr); iov[1].iov_base = &type; iov[1].iov_len = sizeof(type); if (type == IKEV2_AUTH_NONE) iovcnt--; else { iov[2].iov_base = ibuf_data(authmsg); iov[2].iov_len = ibuf_size(authmsg); log_debug("%s: auth length %d", __func__, ibuf_size(authmsg)); } if (proc_composev_imsg(env, id, IMSG_AUTH, -1, iov, iovcnt) == -1) return (-1); return (0); }
int ca_getauth(struct iked *env, struct imsg *imsg) { struct ca_store *store = env->sc_priv; struct iked_sahdr sh; uint8_t method; uint8_t *ptr; size_t len; unsigned int i; int ret = -1; struct iked_sa sa; struct iked_policy policy; struct iked_id *id; struct ibuf *authmsg; ptr = (uint8_t *)imsg->data; len = IMSG_DATA_SIZE(imsg); i = sizeof(method) + sizeof(sh); if (len <= i) return (-1); memcpy(&sh, ptr, sizeof(sh)); memcpy(&method, ptr + sizeof(sh), sizeof(uint8_t)); if (method == IKEV2_AUTH_SHARED_KEY_MIC) return (-1); ptr += i; len -= i; if ((authmsg = ibuf_new(ptr, len)) == NULL) return (-1); /* * Create fake SA and policy */ bzero(&sa, sizeof(sa)); bzero(&policy, sizeof(policy)); memcpy(&sa.sa_hdr, &sh, sizeof(sh)); sa.sa_policy = &policy; policy.pol_auth.auth_method = method; if (sh.sh_initiator) id = &sa.sa_icert; else id = &sa.sa_rcert; memcpy(id, &store->ca_privkey, sizeof(*id)); if (ikev2_msg_authsign(env, &sa, &policy.pol_auth, authmsg) != 0) { log_debug("%s: AUTH sign failed", __func__); policy.pol_auth.auth_method = IKEV2_AUTH_NONE; } ret = ca_setauth(env, &sa, sa.sa_localauth.id_buf, PROC_IKEV2); ibuf_release(sa.sa_localauth.id_buf); ibuf_release(authmsg); return (ret); }
int ca_setauth(struct iked *env, struct iked_sa *sa, struct ibuf *authmsg, enum privsep_procid id) { struct iovec iov[3]; int iovcnt = 3; struct iked_policy *policy = sa->sa_policy; uint8_t type = policy->pol_auth.auth_method; /* switch encoding to IKEV2_AUTH_SIG if SHA2 is supported */ if (sa->sa_sigsha2 && type == IKEV2_AUTH_RSA_SIG) { log_debug("%s: switching from RSA_SIG to SIG", __func__); type = IKEV2_AUTH_SIG; } if (type == IKEV2_AUTH_SHARED_KEY_MIC) { sa->sa_stateflags |= IKED_REQ_AUTH; return (ikev2_msg_authsign(env, sa, &policy->pol_auth, authmsg)); } iov[0].iov_base = &sa->sa_hdr; iov[0].iov_len = sizeof(sa->sa_hdr); iov[1].iov_base = &type; iov[1].iov_len = sizeof(type); if (type == IKEV2_AUTH_NONE) iovcnt--; else { iov[2].iov_base = ibuf_data(authmsg); iov[2].iov_len = ibuf_size(authmsg); log_debug("%s: auth length %zu", __func__, ibuf_size(authmsg)); } if (proc_composev(&env->sc_ps, id, IMSG_AUTH, iov, iovcnt) == -1) return (-1); return (0); }