EAP-SIM server: Use Notification before EAP-Failure
RFC 4186, chapter 6.3.3 mandates that EAP-Failure is used only after Client-Error and Notification messages. Replace the direct jumps to the FAILURE state with a notification round before sending out EAP-Failure. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
9343498989
commit
c95c8b1859
1 changed files with 26 additions and 20 deletions
|
@ -432,15 +432,12 @@ static void eap_sim_process_start(struct eap_sm *sm,
|
||||||
if (!attr->identity || attr->identity_len == 0) {
|
if (!attr->identity || attr->identity_len == 0) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: Peer did not provide any "
|
wpa_printf(MSG_DEBUG, "EAP-SIM: Peer did not provide any "
|
||||||
"identity");
|
"identity");
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
new_identity = os_malloc(attr->identity_len);
|
new_identity = os_malloc(attr->identity_len);
|
||||||
if (new_identity == NULL) {
|
if (new_identity == NULL)
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
|
||||||
os_free(sm->identity);
|
os_free(sm->identity);
|
||||||
sm->identity = new_identity;
|
sm->identity = new_identity;
|
||||||
os_memcpy(sm->identity, attr->identity, attr->identity_len);
|
os_memcpy(sm->identity, attr->identity, attr->identity_len);
|
||||||
|
@ -449,10 +446,8 @@ static void eap_sim_process_start(struct eap_sm *sm,
|
||||||
wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",
|
wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Identity",
|
||||||
sm->identity, sm->identity_len);
|
sm->identity, sm->identity_len);
|
||||||
username = sim_get_username(sm->identity, sm->identity_len);
|
username = sim_get_username(sm->identity, sm->identity_len);
|
||||||
if (username == NULL) {
|
if (username == NULL)
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (username[0] == EAP_SIM_REAUTH_ID_PREFIX) {
|
if (username[0] == EAP_SIM_REAUTH_ID_PREFIX) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'",
|
wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'",
|
||||||
|
@ -499,8 +494,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized username '%s'",
|
wpa_printf(MSG_DEBUG, "EAP-SIM: Unrecognized username '%s'",
|
||||||
username);
|
username);
|
||||||
os_free(username);
|
os_free(username);
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
skip_id_update:
|
skip_id_update:
|
||||||
|
@ -509,15 +503,13 @@ skip_id_update:
|
||||||
if (attr->nonce_mt == NULL || attr->selected_version < 0) {
|
if (attr->nonce_mt == NULL || attr->selected_version < 0) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: Start/Response missing "
|
wpa_printf(MSG_DEBUG, "EAP-SIM: Start/Response missing "
|
||||||
"required attributes");
|
"required attributes");
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!eap_sim_supported_ver(data, attr->selected_version)) {
|
if (!eap_sim_supported_ver(data, attr->selected_version)) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: Peer selected unsupported "
|
wpa_printf(MSG_DEBUG, "EAP-SIM: Peer selected unsupported "
|
||||||
"version %d", attr->selected_version);
|
"version %d", attr->selected_version);
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
data->counter = 0; /* reset re-auth counter since this is full auth */
|
data->counter = 0; /* reset re-auth counter since this is full auth */
|
||||||
|
@ -535,8 +527,7 @@ skip_id_update:
|
||||||
if (data->num_chal < 2) {
|
if (data->num_chal < 2) {
|
||||||
wpa_printf(MSG_INFO, "EAP-SIM: Failed to get GSM "
|
wpa_printf(MSG_INFO, "EAP-SIM: Failed to get GSM "
|
||||||
"authentication triplets for the peer");
|
"authentication triplets for the peer");
|
||||||
eap_sim_state(data, FAILURE);
|
goto failed;
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
identity_len = sm->identity_len;
|
identity_len = sm->identity_len;
|
||||||
|
@ -557,6 +548,11 @@ skip_id_update:
|
||||||
data->emsk);
|
data->emsk);
|
||||||
|
|
||||||
eap_sim_state(data, CHALLENGE);
|
eap_sim_state(data, CHALLENGE);
|
||||||
|
return;
|
||||||
|
|
||||||
|
failed:
|
||||||
|
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
|
||||||
|
eap_sim_state(data, NOTIFICATION);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
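Review bot: The new `failed:` label here and the `fail:` label kept in eap_sim_process_reauth (the hunk at -670) name the same kind of exit differently, and the two-line sequence behind them — `data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH; eap_sim_state(data, NOTIFICATION);` — is now written out four times: here, in eap_sim_process_challenge (-571), in eap_sim_process_reauth (-670) and in eap_sim_process (-723). A small static helper would keep the four sites in step if the notification code or the state bookkeeping ever changes, and gives one place to record why the Notification round precedes EAP-Failure. The sketch below shows the helper and this function's `failed:` block; the other three sites would call the helper in place of the two lines. eap_sim_process_start starts outside this hunk.
```c
/*
 * RFC 4186, 6.3.3: EAP-Failure may only follow a Client-Error or a
 * Notification round, so a failure before authentication is reported
 * with a General Failure Notification instead of entering FAILURE
 * directly.
 */
static void eap_sim_fail_before_auth(struct eap_sim_data *data)
{
	data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
	eap_sim_state(data, NOTIFICATION);
}

/* … unchanged: eap_sim_process_start body up to the CHALLENGE transition … */
	eap_sim_state(data, CHALLENGE);
	return;

failed:
	eap_sim_fail_before_auth(data);
}
```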
@ -571,7 +567,8 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
|
||||||
data->num_chal * EAP_SIM_SRES_LEN)) {
|
data->num_chal * EAP_SIM_SRES_LEN)) {
|
||||||
wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
|
wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
|
||||||
"did not include valid AT_MAC");
|
"did not include valid AT_MAC");
|
||||||
eap_sim_state(data, FAILURE);
|
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
|
||||||
|
eap_sim_state(data, NOTIFICATION);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -670,7 +667,8 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
|
||||||
return;
|
return;
|
||||||
|
|
||||||
fail:
|
fail:
|
||||||
eap_sim_state(data, FAILURE);
|
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
|
||||||
|
eap_sim_state(data, NOTIFICATION);
|
||||||
eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
|
eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
|
||||||
data->reauth = NULL;
|
data->reauth = NULL;
|
||||||
os_free(decrypted);
|
os_free(decrypted);
|
||||||
|
@ -723,6 +721,14 @@ static void eap_sim_process(struct eap_sm *sm, void *priv,
|
||||||
|
|
||||||
if (eap_sim_parse_attr(pos, end, &attr, 0, 0)) {
|
if (eap_sim_parse_attr(pos, end, &attr, 0, 0)) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: Failed to parse attributes");
|
wpa_printf(MSG_DEBUG, "EAP-SIM: Failed to parse attributes");
|
||||||
|
if (subtype != EAP_SIM_SUBTYPE_CLIENT_ERROR &&
|
||||||
|
(data->state == START || data->state == CHALLENGE ||
|
||||||
|
data->state == REAUTH)) {
|
||||||
|
data->notification =
|
||||||
|
EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
|
||||||
|
eap_sim_state(data, NOTIFICATION);
|
||||||
|
return;
|
||||||
|
}
|
||||||
eap_sim_state(data, FAILURE);
|
eap_sim_state(data, FAILURE);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
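Review bot: The new condition at the top of the parse-failure branch is the one place in this commit where the decision to skip the Notification round is made, and it is not explained in the code. The subtype test covers the Client-Error case the commit message cites, and the state list (START, CHALLENGE, REAUTH) leaves out NOTIFICATION, so a garbled answer to the Notification itself still falls through to the existing `eap_sim_state(data, FAILURE)` below. I would add, above the `if`, `/* RFC 4186, 6.3.3: EAP-Failure may only follow Client-Error or a Notification round; unless the peer sent Client-Error or we are already in the Notification round, report the failure with a Notification first */`. Note that a Client-Error whose attributes fail to parse is classified by subtype alone, which presumably is the intent. eap_sim_process continues outside the hunk.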