EAP-AKA server: Require AKA/Identity response to include identity
authorJouni Malinen <j@w1.fi>
Sat, 1 Sep 2012 16:23:14 +0000 (19:23 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 1 Sep 2012 16:23:14 +0000 (19:23 +0300)
Since we always request an identity in the request, the response
has to include AT_IDENTITY. This allows the AKA/Identity response
processing to be simplified a bit.

Signed-hostap: Jouni Malinen <j@w1.fi>

src/eap_server/eap_server_aka.c

index e8d355de0b0ad8678ba7d4ab8f23bde7d2ef069f..e98eaa4253390878f3d9cac0a67997d78e83de38 100644 (file)
@@ -773,6 +773,8 @@ static void eap_aka_process_identity(struct eap_sm *sm,
                                     struct wpabuf *respData,
                                     struct eap_sim_attrs *attr)
 {
+       u8 *new_identity;
+
        wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Identity");
 
        if (attr->mac || attr->iv || attr->encr_data) {
@@ -783,15 +785,28 @@ static void eap_aka_process_identity(struct eap_sm *sm,
                return;
        }
 
-       if (attr->identity) {
-               os_free(sm->identity);
-               sm->identity = os_malloc(attr->identity_len);
-               if (sm->identity) {
-                       os_memcpy(sm->identity, attr->identity,
-                                 attr->identity_len);
-                       sm->identity_len = attr->identity_len;
-               }
+       /*
+        * We always request identity with AKA/Identity, so the peer is
+        * required to have replied with one.
+        */
+       if (!attr->identity || attr->identity_len == 0) {
+               wpa_printf(MSG_DEBUG, "EAP-AKA: Peer did not provide any "
+                          "identity");
+               data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+               eap_aka_state(data, NOTIFICATION);
+               return;
+       }
+
+       new_identity = os_malloc(attr->identity_len);
+       if (new_identity == NULL) {
+               data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
+               eap_aka_state(data, NOTIFICATION);
+               return;
        }
+       os_free(sm->identity);
+       sm->identity = new_identity;
+       os_memcpy(sm->identity, attr->identity, attr->identity_len);
+       sm->identity_len = attr->identity_len;
 
        eap_aka_determine_identity(sm, data, 0, 0);
        if (eap_get_id(respData) == data->pending_id) {
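Review bot: The allocation-failure branch after `os_malloc(attr->identity_len)` moves to NOTIFICATION without logging anything, while the missing-identity branch just above it logs the reason, so memory exhaustion and a non-compliant peer look the same in the server's debug log. I would add `wpa_printf(MSG_DEBUG, "EAP-AKA: Failed to allocate memory for identity");` before `data->notification` is set in that branch. `attr->identity_len` comes from the peer's message and is only checked against zero here, so any upper bound presumably rests on the attribute parser outside this hunk, which is worth confirming. The body of eap_aka_process_identity continues past the end of the hunk.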