static struct wpabuf * eap_aka_process_identity(struct eap_sm *sm,
struct eap_aka_data *data,
u8 id,
const struct wpabuf *reqData,
struct eap_sim_attrs *attr)
{
int id_error;
struct wpabuf *buf;
wpa_printf(MSG_DEBUG, "EAP-AKA: subtype Identity");
id_error = 0;
switch (attr->id_req) {
case NO_ID_REQ:
break;
case ANY_ID:
if (data->num_id_req > 0)
id_error++;
data->num_id_req++;
break;
case FULLAUTH_ID:
if (data->num_id_req > 1)
id_error++;
data->num_id_req++;
break;
case PERMANENT_ID:
if (data->num_id_req > 2)
id_error++;
data->num_id_req++;
break;
}
if (id_error) {
wpa_printf(MSG_INFO, "EAP-AKA: Too many ID requests "
"used within one authentication");
return eap_aka_client_error(data, id,
EAP_AKA_UNABLE_TO_PROCESS_PACKET);
}
buf = eap_aka_response_identity(sm, data, id, attr->id_req);
if (data->prev_id != id) {
eap_aka_add_id_msg(data, reqData);
eap_aka_add_id_msg(data, buf);
data->prev_id = id;
}
return buf;
}
static void eap_aka_process_identity(struct eap_sm *sm,
struct eap_aka_data *data,
struct wpabuf *respData,
struct eap_sim_attrs *attr)
{
wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Identity");
if (attr->mac || attr->iv || attr->encr_data) {
wpa_printf(MSG_WARNING, "EAP-AKA: Unexpected attribute "
"received in EAP-Response/AKA-Identity");
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
return;
}
if (attr->identity) {
os_free(sm->identity);
sm->identity = os_malloc(attr->identity_len);
if (sm->identity) {
os_memcpy(sm->identity, attr->identity,
attr->identity_len);
sm->identity_len = attr->identity_len;
}
}
eap_aka_determine_identity(sm, data, 0, 0);
if (eap_get_id(respData) == data->pending_id) {
data->pending_id = -1;
eap_aka_add_id_msg(data, respData);
}
}
static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
struct eap_aka_data *data, u8 id)
{
struct eap_sim_msg *msg;
struct wpabuf *buf;
wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity");
msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
EAP_AKA_SUBTYPE_IDENTITY);
if (eap_sim_db_identity_known(sm->eap_sim_db_priv, sm->identity,
sm->identity_len)) {
wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ");
eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
} else {
/*
* RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
* ignored and the AKA/Identity is used to request the
* identity.
*/
wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ");
eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0);
}
buf = eap_sim_msg_finish(msg, NULL, NULL, 0);
if (eap_aka_add_id_msg(data, buf) < 0) {
wpabuf_free(buf);
return NULL;
}
data->pending_id = id;
return buf;
}
static void eap_aka_process_identity(struct eap_sm *sm,
struct eap_aka_data *data,
struct wpabuf *respData,
struct eap_sim_attrs *attr)
{
u8 *new_identity;
wpa_printf(MSG_DEBUG, "EAP-AKA: Processing Identity");
if (attr->mac || attr->iv || attr->encr_data) {
wpa_printf(MSG_WARNING, "EAP-AKA: Unexpected attribute "
"received in EAP-Response/AKA-Identity");
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
return;
}
/*
* We always request identity with AKA/Identity, so the peer is
* required to have replied with one.
*/
if (!attr->identity || attr->identity_len == 0) {
wpa_printf(MSG_DEBUG, "EAP-AKA: Peer did not provide any "
"identity");
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
return;
}
new_identity = os_malloc(attr->identity_len);
if (new_identity == NULL) {
data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
eap_aka_state(data, NOTIFICATION);
return;
}
os_free(sm->identity);
sm->identity = new_identity;
os_memcpy(sm->identity, attr->identity, attr->identity_len);
sm->identity_len = attr->identity_len;
eap_aka_determine_identity(sm, data);
if (eap_get_id(respData) == data->pending_id) {
data->pending_id = -1;
eap_aka_add_id_msg(data, respData);
}
}
static struct wpabuf * eap_aka_build_identity(struct eap_sm *sm,
struct eap_aka_data *data, u8 id)
{
struct eap_sim_msg *msg;
struct wpabuf *buf;
wpa_printf(MSG_DEBUG, "EAP-AKA: Generating Identity");
msg = eap_sim_msg_init(EAP_CODE_REQUEST, id, data->eap_method,
EAP_AKA_SUBTYPE_IDENTITY);
data->identity_round++;
if (data->identity_round == 1) {
/*
* RFC 4187, Chap. 4.1.4 recommends that identity from EAP is
* ignored and the AKA/Identity is used to request the
* identity.
*/
wpa_printf(MSG_DEBUG, " AT_ANY_ID_REQ");
eap_sim_msg_add(msg, EAP_SIM_AT_ANY_ID_REQ, 0, NULL, 0);
} else if (data->identity_round > 3) {
/* Cannot use more than three rounds of Identity messages */
eap_sim_msg_free(msg);
return NULL;
} else if (sm->identity && sm->identity_len > 0 &&
(sm->identity[0] == EAP_AKA_REAUTH_ID_PREFIX ||
sm->identity[0] == EAP_AKA_PRIME_REAUTH_ID_PREFIX)) {
/* Reauth id may have expired - try fullauth */
wpa_printf(MSG_DEBUG, " AT_FULLAUTH_ID_REQ");
eap_sim_msg_add(msg, EAP_SIM_AT_FULLAUTH_ID_REQ, 0, NULL, 0);
} else {
wpa_printf(MSG_DEBUG, " AT_PERMANENT_ID_REQ");
eap_sim_msg_add(msg, EAP_SIM_AT_PERMANENT_ID_REQ, 0, NULL, 0);
}
buf = eap_sim_msg_finish(msg, data->eap_method, NULL, NULL, 0);
if (eap_aka_add_id_msg(data, buf) < 0) {
wpabuf_free(buf);
return NULL;
}
data->pending_id = id;
return buf;
}
