EAP-SIM/AKA server: Fix re-authentication not to update pseudonym

AT_NEXT_PSEUDONYM is supposed to be included only in the Challenge
messages, not in the Re-authentication messages. This attribute was
incorrectly included in the Re-authentication messages and could have
been used to update the pseudonym state on the server without the peer
updating its state.

Signed-hostap: Jouni Malinen <j@w1.fi>
intended-for: hostap-1

diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index 135c02b1573b8e217495a0864874fc3509f1054c..1dc8dd1f3544cc1112c612c4b5d3b61ccfcabd5c 100644 (file)
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -292,8 +292,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
                              const u8 *nonce_s)
 {
        os_free(data->next_pseudonym);
-       data->next_pseudonym =
-               eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 1);
+       if (nonce_s == NULL) {
+               data->next_pseudonym =
+                       eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 1);
+       } else {
+               /* Do not update pseudonym during re-authentication */
+               data->next_pseudonym = NULL;
+       }
        os_free(data->next_reauth_id);
        if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
                data->next_reauth_id =
@@ -1017,11 +1022,6 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
                identity_len = id2_len;
        }
 
-       if (data->next_pseudonym) {
-               eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, identity,
-                                        identity_len, data->next_pseudonym);
-               data->next_pseudonym = NULL;
-       }
        if (data->next_reauth_id) {
                if (data->eap_method == EAP_TYPE_AKA_PRIME) {
 #ifdef EAP_SERVER_AKA_PRIME

diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index f49f70ea5032162de79f036b0fe834b8078180eb..b578eccd94698a3753fffdd4248f1514899048e5 100644 (file)
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -131,8 +131,13 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
                              const u8 *nonce_s)
 {
        os_free(data->next_pseudonym);
-       data->next_pseudonym =
-               eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 0);
+       if (nonce_s == NULL) {
+               data->next_pseudonym =
+                       eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 0);
+       } else {
+               /* Do not update pseudonym during re-authentication */
+               data->next_pseudonym = NULL;
+       }
        os_free(data->next_reauth_id);
        if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
                data->next_reauth_id =
@@ -616,11 +621,6 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
                identity_len = id2_len;
        }
 
-       if (data->next_pseudonym) {
-               eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, identity,
-                                        identity_len, data->next_pseudonym);
-               data->next_pseudonym = NULL;
-       }
        if (data->next_reauth_id) {
                eap_sim_db_add_reauth(sm->eap_sim_db_priv, identity,
                                      identity_len, data->next_reauth_id,