From 1cebaabd80db8f346b3f2d996b5d7d1629029be3 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 15 Jun 2012 18:49:54 +0300
Subject: EAP-SIM/AKA server: Allow pseudonym to be used after unknown reauth
 id

If the peer uses an unknown reauth id, it would still be possible to use
pseudonym instead of permanent id. Allow this by changing the
AT_PERMANENT_ID_REQ to AT_FULLAUTH_ID_REQ in case unknown reauth id is
used in EAP-Response/Identity.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
---
 src/eap_server/eap_server_aka.c | 14 ++++++++++++--
 src/eap_server/eap_server_sim.c | 13 +++++++++++--
 2 files changed, 23 insertions(+), 4 deletions(-)

(limited to 'src/eap_server')

diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index de05dd5..9cd5509 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -266,8 +266,18 @@ static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
 			       EAP_AKA_SUBTYPE_IDENTITY);
 	if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
 				      sm->identity_len)) {
-		wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
-		eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
+		if (sm->identity_len > 0 &&
+		    (sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
+		     sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
+			/* Reauth id may have expired - try fullauth */
+			wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
+			eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0,
+					NULL, 0);
+		} else {
+			wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
+			eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0,
+					NULL, 0);
+		}
 	} else {
 		/*
 		 * RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index 60ab0d4..6658d9c 100644
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -107,8 +107,17 @@ static struct wpabuf * eap_sim_build_start(struct eap_sm *sm,
 			       EAP_SIM_SUBTYPE_START);
 	if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
 				      sm->identity_len)) {
-		wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
-		eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
+		if (sm->identity_len > 0 &&
+		    sm->identity[0] == EAP_SIM_REAUTH_ID_PREFIX) {
+			/* Reauth id may have expired - try fullauth */
+			wpa_printf(MSG_DEBUG, "   AT_FULLAUTH_ID_REQ");
+			eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0,
+					NULL, 0);
+		} else {
+			wpa_printf(MSG_DEBUG, "   AT_PERMANENT_ID_REQ");
+			eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0,
+					NULL, 0);
+		}
 	} else {
 		/*
 		 * RFC 4186, Chap. 4.2.4 recommends that identity from EAP is
-- 
cgit v1.1