EAP-AKA server: Use simpler AKA/Identity request determination
authorJouni Malinen <j@w1.fi>
Sat, 1 Sep 2012 16:19:45 +0000 (19:19 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 1 Sep 2012 16:19:45 +0000 (19:19 +0300)
There is no need to use eap_sim_db_identity_known() here since a new
AKA/Identity message is built only if the identity in the previous
response was not recognized. The first round is always used to request
AT_ANY_ID_REQ to meet the RFC 4187 recommendation on EAP method specific
identity request.

Signed-hostap: Jouni Malinen <j@w1.fi>

src/eap_server/eap_server_aka.c

index 78d78c8f69ae7543d54d35957b2b5767e405a506..e8d355de0b0ad8678ba7d4ab8f23bde7d2ef069f 100644 (file)
@@ -49,6 +49,7 @@ struct eap_aka_data {
        u8 *network_name;
        size_t network_name_len;
        u16 kdf;
+       int identity_round;
 };
 
 
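Review bot: The new `identity_round` field carries no comment on what it counts or what value it must start from, even though the later `== 1` and `> 3` checks depend on it being zero at session start. Suggest `int identity_round; /* number of AKA/Identity requests built so far; 0 for a fresh session */`. Whether the struct is zero-allocated on init is not visible in this diff, so the starting value should be confirmed where `struct eap_aka_data` is created.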
@@ -264,21 +265,8 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
        wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity");
        msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
                               EAP_AKA_SUBTYPE_IDENTITY);
-       if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
-                                     sm->identity_len)) {
-               if (sm->identity_len > 0 &&
-                   (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
-                    sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
-                       /* Reauth id may have expired - try fullauth */
-                       wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
-                       eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0,
-                                       NULL, 0);
-               } else {
-                       wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
-                       eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0,
-                                       NULL, 0);
-               }
-       } else {
+       data->identity_round++;
+       if (data->identity_round == 1) {
                /*
                 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
                 * ignored and the AKA/Identity is used to request the
@@ -286,6 +274,18 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
                 */
                wpa_printf(MSG_DEBUG, "   AT_ANY_ID_REQ");
                eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0);
+       } else if (data->identity_round > 3) {
+               /* Cannot use more than three rounds of Identity messages */
+               return NULL;
+       } else if (sm->identity && sm->identity_len > 0 &&
+                  (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
+                   sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
+               /* Reauth id may have expired - try fullauth */
+               wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
+               eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, NULL, 0);
+       } else {
+               wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
+               eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
        }
        buf = eap_sim_msg_finish(msg, NULL, NULL, 0);
        if (eap_aka_add_id_msg(data, buf) < 0) {
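Review bot: The `return NULL` added in the `identity_round > 3` branch abandons the `msg` object that `eap_sim_msg_init()` created at the top of the function in the previous hunk, so every rejected fourth round leaks that allocation; add `eap_sim_msg_free(msg);` immediately before the `return NULL;`, or move the round-limit check ahead of `eap_sim_msg_init()` so nothing is built for a request that will not be sent. The bound is also only evaluated after the counter has been incremented and the round-1 branch has been tried, which is correct but worth a one-line comment such as `/* round 1 always asks AT_ANY_ID_REQ; rounds 2-3 may retry; beyond that give up */`. The remainder of eap_aka_build_identity, including how the caller treats a NULL return, lies outside this hunk.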