From: Jouni Malinen Date: Fri, 15 Jun 2012 15:49:54 +0000 (+0300) Subject: EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth id X-Git-Tag: hostap_2_0~632 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1cebaabd80db8f346b3f2d996b5d7d1629029be3;p=thirdparty%2Fhostap.git EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth id If the peer uses an unknown reauth id, it would still be possible to use pseudonym instead of permanent id. Allow this by changing the AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is used in EAP-Response/Identity. Signed-hostap: Jouni Malinen --- diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c index de05dd5a4..9cd550936 100644 --- a/src/eap_server/eap_server_aka.c +++ b/src/eap_server/eap_server_aka.c @@ -266,8 +266,18 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm, EAP_AKA_SUBTYPE_IDENTITY); if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity, sm->identity_len)) { - wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); - eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0); + if (sm->identity_len > 0 && + (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX || + sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) { + /* Reauth id may have expired - try fullauth */ + wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, + NULL, 0); + } else { + wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, + NULL, 0); + } } else { /* * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c index 60ab0d4c4..6658d9c1e 100644 --- a/src/eap_server/eap_server_sim.c +++ b/src/eap_server/eap_server_sim.c @@ -107,8 +107,17 @@ static struct wpabuf * eap_sim_build_start(struct eap_sm *sm, EAP_SIM_SUBTYPE_START); if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity, sm->identity_len)) { - wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); - eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0); + if (sm->identity_len > 0 && + sm->identity[0] == EAP_SIM_REAUTH_ID_PREFIX) { + /* Reauth id may have expired - try fullauth */ + wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, + NULL, 0); + } else { + wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, + NULL, 0); + } } else { /* * RFC 4186, Chap. 4.2.4 recommends that identity from EAP is