From b4569a3bd859c77df9f0fa3fbfb98ff65a2ab721 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 1 Sep 2012 19:19:45 +0300 Subject: [PATCH] EAP-AKA server: Use simpler AKA/Identity request determination There is no need to use eap_sim_db_identity_known() here since a new AKA/Identity message is built only if the identity in the previous response was not recognized. The first round is always used to request AT_ANY_ID_REQ to meet the RFC 4187 recommendation on EAP method specific identity request. Signed-hostap: Jouni Malinen --- src/eap_server/eap_server_aka.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c index 78d78c8f6..e8d355de0 100644 --- a/src/eap_server/eap_server_aka.c +++ b/src/eap_server/eap_server_aka.c @@ -49,6 +49,7 @@ struct eap_aka_data { u8 *network_name; size_t network_name_len; u16 kdf; + int identity_round; }; @@ -264,21 +265,8 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity"); msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method, EAP_AKA_SUBTYPE_IDENTITY); - if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity, - sm->identity_len)) { - if (sm->identity_len > 0 && - (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX || - sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) { - /* Reauth id may have expired - try fullauth */ - wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ"); - eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, - NULL, 0); - } else { - wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); - eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, - NULL, 0); - } - } else { + data->identity_round++; + if (data->identity_round == 1) { /* * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is * ignored and the AKA/Identity is used to request the @@ -286,6 +274,18 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm, */ wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ"); eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0); + } else if (data->identity_round > 3) { + /* Cannot use more than three rounds of Identity messages */ + return NULL; + } else if (sm->identity && sm->identity_len > 0 && + (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX || + sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) { + /* Reauth id may have expired - try fullauth */ + wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, NULL, 0); + } else { + wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ"); + eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0); } buf = eap_sim_msg_finish(msg, NULL, NULL, 0); if (eap_aka_add_id_msg(data, buf) < 0) {