projects / mech_eap.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7914585)
EAP-FAST: Verify that identity from PAC-Opaque matches with Phase 2 (GTC)
authorJouni Malinen <j@w1.fi>
Thu, 28 Feb 2008 02:00:12 +0000 (18:00 -0800)
committerJouni Malinen <j@w1.fi>
Thu, 28 Feb 2008 02:00:12 +0000 (18:00 -0800)
src/eap_server/eap_fast.c patch | blob | history
src/eap_server/eap_gtc.c patch | blob | history
src/eap_server/eap_i.h patch | blob | history

diff --git a/src/eap_server/eap_fast.c b/src/eap_server/eap_fast.c
index 170f3fa..e685a1d 100644 (file)
--- a/src/eap_server/eap_fast.c
+++ b/src/eap_server/eap_fast.c
@@ -1448,6 +1448,7 @@ static void eap_fast_process_phase2_start(struct eap_sm *sm,
                data->identity = NULL;
                sm->identity_len = data->identity_len;
                data->identity_len = 0;
+               sm->require_identity_match = 1;
                if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
                        wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: "
                                          "Phase2 Identity not found "
diff --git a/src/eap_server/eap_gtc.c b/src/eap_server/eap_gtc.c
index 8a0bed5..97e328b 100644 (file)
--- a/src/eap_server/eap_gtc.c
+++ b/src/eap_server/eap_gtc.c
@@ -134,14 +134,26 @@ static void eap_gtc_process(struct eap_sm *sm, void *priv,
 
                wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Response user",
                                  pos, pos2 - pos);
-               os_free(sm->identity);
-               sm->identity_len = pos2 - pos;
-               sm->identity = os_malloc(sm->identity_len);
-               if (sm->identity == NULL) {
+               if (sm->identity && sm->require_identity_match &&
+                   (pos2 - pos != (int) sm->identity_len ||
+                    os_memcmp(pos, sm->identity, sm->identity_len))) {
+                       wpa_printf(MSG_DEBUG, "EAP-GTC: Phase 2 Identity did "
+                                  "not match with required Identity");
+                       wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Expected "
+                                         "identity",
+                                         sm->identity, sm->identity_len);
                        data->state = FAILURE;
                        return;
+               } else {
+                       os_free(sm->identity);
+                       sm->identity_len = pos2 - pos;
+                       sm->identity = os_malloc(sm->identity_len);
+                       if (sm->identity == NULL) {
+                               data->state = FAILURE;
+                               return;
+                       }
+                       os_memcpy(sm->identity, pos, sm->identity_len);
                }
-               os_memcpy(sm->identity, pos, sm->identity_len);
 
                if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
                        wpa_hexdump_ascii(MSG_DEBUG, "EAP-GTC: Phase2 "
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index b635588..6087330 100644 (file)
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -150,6 +150,8 @@ struct eap_sm {
        void *eap_method_priv;
        u8 *identity;
        size_t identity_len;
+       /* Whether Phase 2 method should validate identity match */
+       int require_identity_match;
        int lastId; /* Identifier used in the last EAP-Packet */
        struct eap_user *user;
        int user_eap_method_index;
Moonshot GSS-API mechanism