authorJouni Malinen <j@w1.fi>2012-05-02 17:45:01 (GMT)
committerJouni Malinen <j@w1.fi>2012-05-02 17:45:01 (GMT)
commit762e4ce620125f233bec964413354601b0d9654c (patch)
treeeb7577b1d6a44bd21d3fed38aad7348bdeeb1bc6 /src/eap_server/eap_server_aka.c
parent83519983138b0e9c19a4beb3a763e2289d5a51cb (diff)
EAP-AKA': Update to RFC 5448
There was a technical change between the last IETF draft version (draft-arkko-eap-aka-kdf-10) and RFC 5448 in the leading characters used in the username (i.e., use unique characters for EAP-AKA' instead of reusing the EAP-AKA ones). This commit updates EAP-AKA' server and peer implementations to use the leading characters based on the final RFC. Note: This will make EAP-AKA' not interoperate between the earlier draft version and the new version. Signed-hostap: Jouni Malinen <j@w1.fi> intended-for: hostap-1
Diffstat (limited to 'src/eap_server/eap_server_aka.c')
-rw-r--r--src/eap_server/eap_server_aka.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index 54f6ba1..de05dd5 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -1,6 +1,6 @@
/*
- * hostapd / EAP-AKA (RFC 4187) and EAP-AKA' (draft-arkko-eap-aka-kdf)
- * Copyright (c) 2005-2008, Jouni Malinen <j@w1.fi>
+ * hostapd / EAP-AKA (RFC 4187) and EAP-AKA' (RFC 5448)
+ * Copyright (c) 2005-2012, Jouni Malinen <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
@@ -294,7 +294,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
os_free(data->next_pseudonym);
if (nonce_s == NULL) {
data->next_pseudonym =
- eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv, 1);
+ eap_sim_db_get_next_pseudonym(
+ sm->eap_sim_db_priv,
+ data->eap_method == EAP_TYPE_AKA_PRIME ?
+ EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
} else {
/* Do not update pseudonym during re-authentication */
data->next_pseudonym = NULL;
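Review bot: The method-selection expression `data->eap_method == EAP_TYPE_AKA_PRIME ? EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA` is written out twice, here for the pseudonym and again in the next hunk for the fast re-authentication identity, so the two calls can drift apart if the mapping ever changes. Computing it once into a local near the top of eap_aka_build_encr and passing that local to both calls keeps the pseudonym and re-auth id tied to the same decision. A short comment such as `/* RFC 5448: EAP-AKA' identities use their own leading characters */` at that point would record why the method is passed. The function body starts and ends outside both hunks.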
@@ -302,7 +305,10 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
os_free(data->next_reauth_id);
if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
data->next_reauth_id =
- eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv, 1);
+ eap_sim_db_get_next_reauth_id(
+ sm->eap_sim_db_priv,
+ data->eap_method == EAP_TYPE_AKA_PRIME ?
+ EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
} else {
wpa_printf(MSG_DEBUG, "EAP-AKA: Max fast re-authentication "
"count exceeded - force full authentication");
@@ -620,7 +626,8 @@ static void eap_aka_determine_identity(struct eap_sm *sm,
identity = data->reauth->identity;
identity_len = data->reauth->identity_len;
} else if (sm->identity && sm->identity_len > 0 &&
- sm->identity[0] == EAP_AKA_PERMANENT_PREFIX) {
+ (sm->identity[0] == EAP_AKA_PERMANENT_PREFIX ||
+ sm->identity[0] == EAP_AKA_PRIME_PERMANENT_PREFIX)) {
identity = sm->identity;
identity_len = sm->identity_len;
} else {
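Review bot: The permanent-identity test `sm->identity[0] == EAP_AKA_PERMANENT_PREFIX || sm->identity[0] == EAP_AKA_PRIME_PERMANENT_PREFIX` accepts either leading character regardless of which method the session is running, so an EAP-AKA exchange treats an EAP-AKA'-prefixed identity as a permanent identity and vice versa. The commit description says the RFC 5448 change exists to make the prefix unique per method, so the check would be tighter if bound to `data->eap_method`, e.g. `sm->identity[0] == (data->eap_method == EAP_TYPE_AKA_PRIME ? EAP_AKA_PRIME_PERMANENT_PREFIX : EAP_AKA_PERMANENT_PREFIX)`. How the identity is used after this branch is outside the hunk, so the effect of a cross-method prefix is not visible here; it may only be a failed database lookup, but that should be confirmed. eap_aka_determine_identity starts and ends outside the hunk.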