int
ca_setreq(struct iked *env, struct iked_sa *sa,
struct iked_static_id *localid, uint8_t type, uint8_t *data,
size_t len, enum privsep_procid procid)
{
struct iovec iov[4];
int iovcnt = 0;
struct iked_static_id idb;
struct iked_id id;
int ret = -1;
/* Convert to a static Id */
bzero(&id, sizeof(id));
if (ikev2_policy2id(localid, &id, 1) != 0)
return (-1);
bzero(&idb, sizeof(idb));
idb.id_type = id.id_type;
idb.id_offset = id.id_offset;
idb.id_length = ibuf_length(id.id_buf);
memcpy(&idb.id_data, ibuf_data(id.id_buf),
ibuf_length(id.id_buf));
iov[iovcnt].iov_base = &idb;
iov[iovcnt].iov_len = sizeof(idb);
iovcnt++;
iov[iovcnt].iov_base = &sa->sa_hdr;
iov[iovcnt].iov_len = sizeof(sa->sa_hdr);
iovcnt++;
iov[iovcnt].iov_base = &type;
iov[iovcnt].iov_len = sizeof(type);
iovcnt++;
iov[iovcnt].iov_base = data;
iov[iovcnt].iov_len = len;
iovcnt++;
if (proc_composev(&env->sc_ps, procid, IMSG_CERTREQ, iov, iovcnt) == -1)
goto done;
sa_stateflags(sa, IKED_REQ_CERTREQ);
ret = 0;
done:
ibuf_release(id.id_buf);
return (ret);
}
int
ikev2_msg_authverify(struct iked *env, struct iked_sa *sa,
struct iked_auth *auth, uint8_t *buf, size_t len, struct ibuf *authmsg)
{
uint8_t *key, *psk = NULL;
ssize_t keylen;
struct iked_id *id;
struct iked_dsa *dsa = NULL;
int ret = -1;
uint8_t keytype;
if (sa->sa_hdr.sh_initiator)
id = &sa->sa_rcert;
else
id = &sa->sa_icert;
if ((dsa = dsa_verify_new(auth->auth_method, sa->sa_prf)) == NULL) {
log_debug("%s: invalid auth method", __func__);
return (-1);
}
switch (auth->auth_method) {
case IKEV2_AUTH_SHARED_KEY_MIC:
if (!auth->auth_length) {
log_debug("%s: no pre-shared key found", __func__);
goto done;
}
if ((keylen = ikev2_psk(sa, auth->auth_data,
auth->auth_length, &psk)) == -1) {
log_debug("%s: failed to get PSK", __func__);
goto done;
}
key = psk;
keytype = 0;
break;
default:
if (!id->id_type || !ibuf_length(id->id_buf)) {
log_debug("%s: no cert found", __func__);
goto done;
}
key = ibuf_data(id->id_buf);
keylen = ibuf_size(id->id_buf);
keytype = id->id_type;
break;
}
log_debug("%s: method %s keylen %zd type %s", __func__,
print_map(auth->auth_method, ikev2_auth_map), keylen,
print_map(id->id_type, ikev2_cert_map));
if (dsa_setkey(dsa, key, keylen, keytype) == NULL ||
dsa_init(dsa, buf, len) != 0 ||
dsa_update(dsa, ibuf_data(authmsg), ibuf_size(authmsg))) {
log_debug("%s: failed to compute digital signature", __func__);
goto done;
}
if ((ret = dsa_verify_final(dsa, buf, len)) == 0) {
log_debug("%s: authentication successful", __func__);
sa_state(env, sa, IKEV2_STATE_AUTH_SUCCESS);
sa_stateflags(sa, IKED_REQ_AUTHVALID);
} else {
log_debug("%s: authentication failed", __func__);
sa_state(env, sa, IKEV2_STATE_AUTH_REQUEST);
}
done:
free(psk);
dsa_free(dsa);
return (ret);
}
