From: Jouni Malinen Date: Thu, 21 Sep 2023 08:45:37 +0000 (+0300) Subject: EAP-SIM/AKA peer: Fix identity selection for MK derivation with AT_IDENTITY X-Git-Tag: hostap_2_11~972 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=40af6560bab6d75b31f3999e91779afea7da794e;p=thirdparty%2Fhostap.git EAP-SIM/AKA peer: Fix identity selection for MK derivation with AT_IDENTITY A case was missing in the way wpa_supplicant was tracking the identity that is used when deriving MK if the EAP server does not follow the RFC guidance on using EAP method specific identity determination (i.e., AT_IDENTITY for EAP-SIM/AKA) combined with a fallback from fast re-authentication to full authentication. wpa_supplicant ended up using the actual identity instead of the last identity included in an EAP message even though MK derivation is supposed to use the identity that was included in the last AT_IDENTITY or in the EAP-Response/Identity if AT_IDENTITY was not used. This resulted in such an authentication attempt failing due to incorrect MK being derived and AT_MAC validation resulting in an mismatch. Fix this by checking for the case where fast re-authentication is attempted and the server recognizes the fast re-auth identity, but decides to fall back to full authentication without a separate EAP method specific identity exchange using AT_IDENTITY. This allows the fast re-auth identity from EAP-Response/Identity to be used in MK derivation in such cases. Signed-off-by: Jouni Malinen --- diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c index 5c9a8c739..6fe939b5c 100644 --- a/src/eap_peer/eap_aka.c +++ b/src/eap_peer/eap_aka.c @@ -1150,6 +1150,9 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm, if (data->last_eap_identity) { identity = data->last_eap_identity; identity_len = data->last_eap_identity_len; + } else if (data->reauth_id) { + identity = data->reauth_id; + identity_len = data->reauth_id_len; } else if (data->pseudonym && !eap_sim_anonymous_username(data->pseudonym, data->pseudonym_len)) { diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c index c5a7d0174..71da424d2 100644 --- a/src/eap_peer/eap_sim.c +++ b/src/eap_peer/eap_sim.c @@ -889,6 +889,9 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm, if (data->last_eap_identity) { identity = data->last_eap_identity; identity_len = data->last_eap_identity_len; + } else if (data->reauth_id) { + identity = data->reauth_id; + identity_len = data->reauth_id_len; } else if (data->pseudonym && !eap_sim_anonymous_username(data->pseudonym, data->pseudonym_len)) {