aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_server/eap_server_aka.c
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2012-02-16 21:27:01 (GMT)
committerJouni Malinen <j@w1.fi>2012-02-16 21:31:30 (GMT)
commit0047c047fc8bae4a78f48bc687011acc093d9680 (patch)
tree3c920edb29a96b254922955dbdbc550a9575d523 /src/eap_server/eap_server_aka.c
parent05c15c897d11e15dbb42679f5483e83b73d5044a (diff)
downloadhostap-0047c047fc8bae4a78f48bc687011acc093d9680.zip
hostap-0047c047fc8bae4a78f48bc687011acc093d9680.tar.gz
hostap-0047c047fc8bae4a78f48bc687011acc093d9680.tar.bz2
EAP-SIM/AKA server: Fix re-authentication not to update pseudonym
AT_NEXT_PSEUDONYM is supposed to be included only in the Challenge messages, not in the Re-authentication messages. This attribute was incorrectly included in the Re-authentication messages and could have been used to update the pseudonym state on the server without the peer updating its state. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
Diffstat (limited to 'src/eap_server/eap_server_aka.c')
-rw-r--r--src/eap_server/eap_server_aka.c14
1 files changed, 7 insertions, 7 deletions
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index 135c02b..1dc8dd1 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -292,8 +292,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
const u8 *nonce_s)
{
os_free(data->next_pseudonym);
- data->next_pseudonym =
- eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 1);
+ if (nonce_s == NULL) {
+ data->next_pseudonym =
+ eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 1);
+ } else {
+ /* Do not update pseudonym during re-authentication */
+ data->next_pseudonym = NULL;
+ }
os_free(data->next_reauth_id);
if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id =
@@ -1017,11 +1022,6 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
identity_len = id2_len;
}
- if (data->next_pseudonym) {
- eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, identity,
- identity_len, data->next_pseudonym);
- data->next_pseudonym = NULL;
- }
if (data->next_reauth_id) {
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
#ifdef EAP_SERVER_AKA_PRIME