From 07fe134d9cb80e022bad0fc2307ca9edc9549f6a Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 23 Dec 2019 23:59:16 +0200
Subject: [PATCH] EAP-SIM peer: Do not accept SIM/Challenge without SIM/Start

EAP-SIM full authentication starts with one or more SIM/Start rounds, so reject an unexpected SIM/Challenge round without any preceeding SIM/Start rounds to avoid unexpected behavior. In practice, an attempt to start with SIM/Challenge would have resulted in different MK being derived and the Challenge message getting rejected due to mismatching AT_MAC unless the misbehaving server has access to valid Kc, so the end result is identical, but it is cleaner to reject the unexpected message explicitly to avoid any risk of trying to proceed without NONCE_MT.

Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_sim.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index 2ea4efd07..dd9848ec6 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -44,7 +44,7 @@ struct eap_sim_data {
 	u8 *last_eap_identity;
 	size_t last_eap_identity_len;
 	enum {
-		CONTINUE, RESULT_SUCCESS, SUCCESS, FAILURE
+		CONTINUE, START_DONE, RESULT_SUCCESS, SUCCESS, FAILURE
 	} state;
 	int result_ind, use_result_ind;
 	int use_pseudonym;
@@ -58,6 +58,8 @@ static const char * eap_sim_state_txt(int state)
 	switch (state) {
 	case CONTINUE:
 		return "CONTINUE";
+	case START_DONE:
+		return "START_DONE";
 	case RESULT_SUCCESS:
 		return "RESULT_SUCCESS";
 	case SUCCESS:
@@ -486,6 +488,7 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
 	const u8 *identity = NULL;
 	size_t identity_len = 0;
 	struct eap_sim_msg *msg;
+	struct wpabuf *resp;
 
 	data->reauth = 0;
 	if (id_req == ANY_ID && data->reauth_id) {
@@ -535,7 +538,10 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
 				identity, identity_len);
 	}
 
-	return eap_sim_msg_finish(msg, EAP_TYPE_SIM, NULL, NULL, 0);
+	resp = eap_sim_msg_finish(msg, EAP_TYPE_SIM, NULL, NULL, 0);
+	if (resp)
+		eap_sim_state(data, START_DONE);
+	return resp;
 }
 
 
@@ -721,6 +727,13 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
 	int res;
 
 	wpa_printf(MSG_DEBUG, "EAP-SIM: subtype Challenge");
+	if (data->state != START_DONE) {
+		wpa_printf(MSG_DEBUG,
+			   "EAP-SIM: Unexpected Challenge in state %s",
+			   eap_sim_state_txt(data->state));
+		return eap_sim_client_error(data, id,
+					    EAP_SIM_UNABLE_TO_PROCESS_PACKET);
+	}
 	data->reauth = 0;
 	if (!attr->mac || !attr->rand) {
 		wpa_printf(MSG_WARNING, "EAP-SIM: Challenge message "
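Review bot: START_DONE is entered for every non-NULL Start response at the new `if (resp)` check, including the path where the function answered with `data->reauth_id` (the `if (id_req == ANY_ID && data->reauth_id)` branch shown as context in the previous hunk). If that branch, as I recall the existing code doing, leaves AT_NONCE_MT and AT_SELECTED_VERSION out of the response (not visible in this hunk), the peer has not completed a full-authentication Start round, yet the new state check in eap_sim_process_challenge will now admit a SIM/Challenge, which is the "proceed without NONCE_MT" case the commit message wants to rule out. Tying the transition to the full-auth path, `if (resp && !data->reauth) eap_sim_state(data, START_DONE);`, keeps START_DONE meaning "a NONCE_MT was sent", and a later Start carrying a full-auth identity would still set it. The body of eap_sim_response_start starts before this hunk, so please confirm against the reauth branch and that eap_sim_process_reauthentication does not rely on the state.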
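Review bot: The rejection of an out-of-order SIM/Challenge is logged at MSG_DEBUG, whereas the neighbouring rejection of a Challenge lacking AT_MAC/AT_RAND a few lines below uses MSG_WARNING, so at the default log level this protocol violation by the server leaves no trace. A server that skips SIM/Start is misbehaving or the exchange has been tampered with, and operators troubleshooting an authentication failure benefit from seeing that the peer deliberately refused the message; I would use `wpa_printf(MSG_WARNING,` for the new message to match the adjacent check. The rest of eap_sim_process_challenge continues beyond this hunk.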