DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-SIM/AKA peer: Fix identity selection for MK derivation with AT_IDENTITY

Browse source 
A case was missing in the way wpa_supplicant was tracking the identity
that is used when deriving MK if the EAP server does not follow the RFC
guidance on using EAP method specific identity determination (i.e.,
AT_IDENTITY for EAP-SIM/AKA) combined with a fallback from fast
re-authentication to full authentication. wpa_supplicant ended up using
the actual identity instead of the last identity included in an EAP
message even though MK derivation is supposed to use the identity that
was included in the last AT_IDENTITY or in the EAP-Response/Identity if
AT_IDENTITY was not used. This resulted in such an authentication
attempt failing due to incorrect MK being derived and AT_MAC validation
resulting in an mismatch.

Fix this by checking for the case where fast re-authentication is
attempted and the server recognizes the fast re-auth identity, but
decides to fall back to full authentication without a separate EAP
method specific identity exchange using AT_IDENTITY. This allows the
fast re-auth identity from EAP-Response/Identity to be used in MK
derivation in such cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2023-09-21 11:45:37 +03:00 committed by Jouni Malinen
parent bc9256980e
commit 40af6560ba
2 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/eap_peer/eap_aka.c
View file

@ -1150,6 +1150,9 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
if (data->last_eap_identity) {
identity = data->last_eap_identity;
identity_len = data->last_eap_identity_len;
} else if (data->reauth_id) {
identity = data->reauth_id;
identity_len = data->reauth_id_len;
} else if (data->pseudonym &&
!eap_sim_anonymous_username(data->pseudonym,
data->pseudonym_len)) {

3
src/eap_peer/eap_sim.c
View file

@ -889,6 +889,9 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
if (data->last_eap_identity) {
identity = data->last_eap_identity;
identity_len = data->last_eap_identity_len;
} else if (data->reauth_id) {
identity = data->reauth_id;
identity_len = data->reauth_id_len;
} else if (data->pseudonym &&
!eap_sim_anonymous_username(data->pseudonym,
data->pseudonym_len)) {