From: Tobias Brunner
Date: Tue, 20 Aug 2019 14:32:17 +0000 (+0200)
Subject: eap-authenticator: Handle IntAuth data
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f3b02d88deba7957a9c99815361ddebcc4d9541c;p=thirdparty%2Fstrongswan.git
eap-authenticator: Handle IntAuth data
---
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index 02b734aa4b..05a8c206f7 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -60,6 +60,11 @@ struct private_eap_authenticator_t {
 */
 chunk_t sent_init;
+ /**
+ * IntAuth data to include in AUTH calculation
+ */
+ chunk_t int_auth;
+
 /**
 * Reserved bytes of ID payload
 */
@@ -495,8 +500,9 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 other_id = this->ike_sa->get_other_id(this->ike_sa);
 keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
- if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, chunk_empty, this->msk,
- this->ppk, other_id, this->reserved, &auth_data))
+ if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, this->int_auth,
+ this->msk, this->ppk, other_id, this->reserved,
+ &auth_data))
 {
 return FALSE;
 }
@@ -541,8 +547,9 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message,
 DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP);
- if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty, this->msk,
- this->ppk, my_id, this->reserved, &auth_data))
+ if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->int_auth,
+ this->msk, this->ppk, my_id, this->reserved,
+ &auth_data))
 {
 return FALSE;
 }
@@ -554,7 +561,7 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message,
 if (this->no_ppk_auth)
 {
- if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty,
+ if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->int_auth,
 this->msk, chunk_empty, my_id, this->reserved, &auth_data))
 {
@@ -767,6 +774,12 @@ METHOD(authenticator_t, use_ppk, void,
 this->no_ppk_auth = no_ppk_auth;
 }
+METHOD(authenticator_t, set_int_auth, void,
+ private_eap_authenticator_t *this, chunk_t int_auth)
+{
+ this->int_auth = int_auth;
+}
+
 METHOD(authenticator_t, destroy, void,
 private_eap_authenticator_t *this)
 {
@@ -793,6 +806,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
 .build = _build_client,
 .process = _process_client,
 .use_ppk = _use_ppk,
+ .set_int_auth = _set_int_auth,
 .is_mutual = _is_mutual,
 .destroy = _destroy,
 },
@@ -824,6 +838,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
 .build = _build_server,
 .process = _process_server,
 .use_ppk = _use_ppk,
+ .set_int_auth = _set_int_auth,
 .is_mutual = _is_mutual,
 .destroy = _destroy,
 },
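Review bot: `set_int_auth()` keeps the caller's chunk by plain assignment (`this->int_auth = int_auth;`), so the authenticator holds a borrowed pointer and length that `verify_auth()` and both `get_psk_sig()` calls in `build_auth()` read only later, when AUTH is finally computed. Nothing in the visible hunks clones the data or releases it in `destroy()`, so the AUTH calculation is only sound if the caller keeps that buffer alive and unchanged until then; if the caller reallocates its IntAuth value in between, the stored chunk would presumably be stale or dangling. Either state the contract on the new field, e.g. `* IntAuth data to include in AUTH calculation (not cloned, owned by the caller)`, or own a copy with `chunk_free(&this->int_auth); this->int_auth = chunk_clone(int_auth);` in the setter and a matching `chunk_free(&this->int_auth);` in `destroy()`, whose body lies outside the hunk.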