eap-authenticator: Handle IntAuth data
authorTobias Brunner <tobias@strongswan.org>
Tue, 20 Aug 2019 14:32:17 +0000 (16:32 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 22 Mar 2023 10:35:10 +0000 (11:35 +0100)
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c

index 02b734aa4b6e0779bc2d7b14e6bed3790e77b749..05a8c206f7f310453d1c01dbd59107102b658236 100644 (file)
@@ -60,6 +60,11 @@ struct private_eap_authenticator_t {
         */
        chunk_t sent_init;
 
+       /**
+        * IntAuth data to include in AUTH calculation
+        */
+       chunk_t int_auth;
+
        /**
         * Reserved bytes of ID payload
         */
@@ -495,8 +500,9 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message,
 
        other_id = this->ike_sa->get_other_id(this->ike_sa);
        keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-       if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, chunk_empty, this->msk,
-                                                        this->ppk, other_id, this->reserved, &auth_data))
+       if (!keymat->get_psk_sig(keymat, TRUE, init, nonce, this->int_auth,
+                                                        this->msk, this->ppk, other_id, this->reserved,
+                                                        &auth_data))
        {
                return FALSE;
        }
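Review bot: Nothing at this `get_psk_sig()` call says what an unset `this->int_auth` means: if `set_int_auth()` was never called, the field is presumably still zero-initialised, so AUTH is verified exactly as before this change, with no IntAuth data bound into it. That is probably intended when no intermediate exchanges took place, but it makes the caller's ordering (setting the value before `verify_auth()` runs at the end of the EAP exchange) part of the security contract. I would add a comment here such as `/* int_auth is empty unless set_int_auth() was called, i.e. no intermediate exchange data is bound into AUTH */`; the same applies to the two calls in `build_auth()` in the following hunks. `verify_auth()` starts and ends outside this hunk.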
@@ -541,8 +547,9 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message,
        DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N",
                 my_id, auth_class_names, AUTH_CLASS_EAP);
 
-       if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty, this->msk,
-                                                        this->ppk, my_id, this->reserved, &auth_data))
+       if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->int_auth,
+                                                        this->msk, this->ppk, my_id, this->reserved,
+                                                        &auth_data))
        {
                return FALSE;
        }
@@ -554,7 +561,7 @@ static bool build_auth(private_eap_authenticator_t *this, message_t *message,
 
        if (this->no_ppk_auth)
        {
-               if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, chunk_empty,
+               if (!keymat->get_psk_sig(keymat, FALSE, init, nonce, this->int_auth,
                                                                 this->msk, chunk_empty, my_id, this->reserved,
                                                                 &auth_data))
                {
@@ -767,6 +774,12 @@ METHOD(authenticator_t, use_ppk, void,
        this->no_ppk_auth = no_ppk_auth;
 }
 
+METHOD(authenticator_t, set_int_auth, void,
+       private_eap_authenticator_t *this, chunk_t int_auth)
+{
+       this->int_auth = int_auth;
+}
+
 METHOD(authenticator_t, destroy, void,
        private_eap_authenticator_t *this)
 {
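Review bot: `set_int_auth()` stores the chunk by value (`this->int_auth = int_auth;`), so the authenticator keeps a pointer to memory it does not own, and the visible part of `destroy()` gives no sign that it is released here. Because an EAP exchange spans several IKE_AUTH round trips before `build_auth()`/`verify_auth()` read the field, the caller's buffer has to stay valid and unchanged for that whole time; if it is freed or replaced earlier, the AUTH computation reads stale memory. Either document the borrow on the struct field, e.g. `* IntAuth data to include in AUTH calculation (not cloned, owned by the caller)`, or take a copy with `this->int_auth = chunk_clone(int_auth);` and release it with `chunk_free(&this->int_auth);` in `destroy()` (and before overwriting a previous value). `destroy()` continues outside the hunk, so whether it already handles this cannot be seen from here.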
@@ -793,6 +806,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa,
                                .build = _build_client,
                                .process = _process_client,
                                .use_ppk = _use_ppk,
+                               .set_int_auth = _set_int_auth,
                                .is_mutual = _is_mutual,
                                .destroy = _destroy,
                        },
@@ -824,6 +838,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa,
                                .build = _build_server,
                                .process = _process_server,
                                .use_ppk = _use_ppk,
+                               .set_int_auth = _set_int_auth,
                                .is_mutual = _is_mutual,
                                .destroy = _destroy,
                        },