Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth id

If the peer uses an unknown reauth id, it would still be possible to use
pseudonym instead of permanent id. Allow this by changing the
AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is
used in EAP-Response/Identity.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen 12 years ago
parent
ef35f5a0fd
commit
1cebaabd80
2 changed files with 23 additions and 4 deletions
Split View Show Diff Stats
  1. 12 2
      src/eap_server/eap_server_aka.c
  2. 11 2
      src/eap_server/eap_server_sim.c

+ 12 - 2
src/eap_server/eap_server_aka.c
View File 

@@ -266,8 +266,18 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
 
 			       EAP_AKA_SUBTYPE_IDENTITY);
 
 	if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
 
 				      sm->identity_len)) {
 
-		wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
 
-		eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
 
+		if (sm->identity_len > 0 &&
 
+		    (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
 
+		     sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
 
+			/* Reauth id may have expired - try fullauth */
 
+			wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
 
+			eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0,
 
+					NULL, 0);
 
+		} else {
 
+			wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
 
+			eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0,
 
+					NULL, 0);
 
+		}
 
 	} else {
 
 		/*
 
 		 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is

+ 11 - 2
src/eap_server/eap_server_sim.c
View File 

@@ -107,8 +107,17 @@ static struct wpabuf * eap_sim_build_start(struct eap_sm *sm,
 
 			       EAP_SIM_SUBTYPE_START);
 
 	if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
 
 				      sm->identity_len)) {
 
-		wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
 
-		eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
 
+		if (sm->identity_len > 0 &&
 
+		    sm->identity[0] == EAP_SIM_REAUTH_ID_PREFIX) {
 
+			/* Reauth id may have expired - try fullauth */
 
+			wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
 
+			eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0,
 
+					NULL, 0);
 
+		} else {
 
+			wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
 
+			eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0,
 
+					NULL, 0);
 
+		}
 
 	} else {
 
 		/*
 
 		 * RFC 4186, Chap. 4.2.4 recommends that identity from EAP is