authorJouni Malinen <j@w1.fi>2008-12-05 20:25:47 (GMT)
committerJouni Malinen <j@w1.fi>2008-12-05 20:25:47 (GMT)
commit01b05694372c718f88d921785f8f1133e9992c36 (patch)
tree9d4f378895c79970100a31af249869b0d938a7af /src/eap_peer
parent8de5048e26835ccb430c04a5ec3a78a86282368d (diff)
Added protection against EAP-AKA' -> EAP-AKA bidding down attacks
The AT_BIDDING attribute is included in EAP-AKA/Challenge to let the peer know whether the server would have preferred EAP-AKA'.
Diffstat (limited to 'src/eap_peer')
-rw-r--r--src/eap_peer/eap.c2
-rw-r--r--src/eap_peer/eap_aka_prime.c12
-rw-r--r--src/eap_peer/eap_i.h1
3 files changed, 14 insertions, 1 deletions
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 88377b9..5f1c9e0 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -106,7 +106,7 @@ static void eap_deinit_prev_method(struct eap_sm *sm, const char *txt)
* @method: EAP type
* Returns: 1 = allowed EAP method, 0 = not allowed
*/
-static int eap_allowed_method(struct eap_sm *sm, int vendor, u32 method)
+int eap_allowed_method(struct eap_sm *sm, int vendor, u32 method)
{
struct eap_peer_config *config = eap_get_config(sm);
int i;
diff --git a/src/eap_peer/eap_aka_prime.c b/src/eap_peer/eap_aka_prime.c
index 52f74ee..bf1d472 100644
--- a/src/eap_peer/eap_aka_prime.c
+++ b/src/eap_peer/eap_aka_prime.c
@@ -791,6 +791,18 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
data->kdf = EAP_AKA_PRIME_KDF;
wpa_printf(MSG_DEBUG, "EAP-AKA': KDF %d selected", data->kdf);
}
+
+ if (data->eap_method == EAP_TYPE_AKA && attr->bidding) {
+ u16 flags = WPA_GET_BE16(attr->bidding);
+ if ((flags & EAP_AKA_BIDDING_FLAG_D) &&
+ eap_allowed_method(sm, EAP_VENDOR_IETF,
+ EAP_TYPE_AKA_PRIME)) {
+ wpa_printf(MSG_WARNING, "EAP-AKA: Bidding down from "
+ "AKA' to AKA detected");
+ /* Fail authentication as if AUTN had been incorrect */
+ return eap_aka_authentication_reject(data, id);
+ }
+ }
#endif /* EAP_AKA_PRIME */
data->reauth = 0;
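Review bot: The new check reads two bytes through `WPA_GET_BE16(attr->bidding)` and acts on them, but nothing in the hunk shows that the attribute parser guarantees a 2-byte payload for AT_BIDDING or that AT_MAC has already been verified at this point of eap_aka_process_challenge, whose body starts and ends outside the hunk; both are presumably handled earlier, and a comment stating the assumption would help the next reader, e.g. `/* attr->bidding length is validated by the attribute parser; a forged flag can only force a reject, never a downgrade */`. The rejection itself matches the specified behaviour for a detected bidding-down, so the security logic looks right. When the D flag is set but EAP-AKA' is not enabled in the local configuration the code silently continues, which is correct but hard to diagnose; a debug line in that branch, e.g. `wpa_printf(MSG_DEBUG, "EAP-AKA: Server prefers EAP-AKA' but it is not enabled locally");`, would make troubleshooting easier. A brief comment naming the specification section this implements (the EAP-AKA' bidding-down protection) above the `if` would also help.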
diff --git a/src/eap_peer/eap_i.h b/src/eap_peer/eap_i.h
index 73f3f83..25c0bb6 100644
--- a/src/eap_peer/eap_i.h
+++ b/src/eap_peer/eap_i.h
@@ -349,5 +349,6 @@ void eap_set_config_blob(struct eap_sm *sm, struct wpa_config_blob *blob);
const struct wpa_config_blob *
eap_get_config_blob(struct eap_sm *sm, const char *name);
void eap_notify_pending(struct eap_sm *sm);
+int eap_allowed_method(struct eap_sm *sm, int vendor, u32 method);
#endif /* EAP_I_H */