
EAP-FAST: Verify that identity from PAC-Opaque matches with Phase 2 (GTC)

Jouni Malinen 17 years ago
parent
commit
13b3f33942
3 changed files with 20 additions and 5 deletions
  1. 1 0
      src/eap_server/eap_fast.c
  2. 17 5
      src/eap_server/eap_gtc.c
  3. 2 0
      src/eap_server/eap_i.h

+ 1 - 0
src/eap_server/eap_fast.c

@@ -1448,6 +1448,7 @@ static void eap_fast_process_phase2_start(struct eap_sm *sm,
 		data->identity = NULL;
 		sm->identity_len = data->identity_len;
 		data->identity_len = 0;
+		sm->require_identity_match = 1;
 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
 			wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: "
 					  "Phase2 Identity not found "
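Review bot: `sm->require_identity_match = 1;` is set on the PAC-Opaque identity path, but nothing in this commit ever clears the flag, so it stays set in the `struct eap_sm` for as long as that state machine lives; if an sm is ever reused for a later Phase 2 run where the identity did not come from the PAC, EAP-GTC would still enforce a match against whatever `sm->identity` holds at that point. If every sm is freshly zero-allocated per authentication this is harmless, but the intent is clearer if the flag is explicitly reset on the path that does not establish a PAC identity, e.g. `sm->require_identity_match = 0;` where `sm->identity` is set from a non-authenticated source. `eap_fast_process_phase2_start` begins before this hunk, so that other path is not visible here.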

+ 17 - 5
src/eap_server/eap_gtc.c

@@ -134,14 +134,26 @@ static void eap_gtc_process(struct eap_sm *sm, void *priv,
 
 		wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Response user",
 				  pos, pos2 - pos);
-		os_free(sm->identity);
-		sm->identity_len = pos2 - pos;
-		sm->identity = os_malloc(sm->identity_len);
-		if (sm->identity == NULL) {
+		if (sm->identity && sm->require_identity_match &&
+		    (pos2 - pos != (int) sm->identity_len ||
+		     os_memcmp(pos, sm->identity, sm->identity_len))) {
+			wpa_printf(MSG_DEBUG, "EAP-GTC: Phase 2 Identity did "
+				   "not match with required Identity");
+			wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Expected "
+					  "identity",
+					  sm->identity, sm->identity_len);
 			data->state = FAILURE;
 			return;
+		} else {
+			os_free(sm->identity);
+			sm->identity_len = pos2 - pos;
+			sm->identity = os_malloc(sm->identity_len);
+			if (sm->identity == NULL) {
+				data->state = FAILURE;
+				return;
+			}
+			os_memcpy(sm->identity, pos, sm->identity_len);
 		}
-		os_memcpy(sm->identity, pos, sm->identity_len);
 
 		if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) {
 			wpa_hexdump_ascii(MSG_DEBUG, "EAP-GTC: Phase2 "
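Review bot: The new condition short-circuits on `sm->identity`, so when `require_identity_match` is set but `sm->identity` is NULL the peer-supplied user name is accepted with no comparison and installed as the identity in the else branch. In the EAP-FAST hunk the flag is set immediately after the PAC identity is moved into `sm->identity`, so the two presumably always travel together; if that is the intended invariant, a comment on the condition stating it (`/* require_identity_match implies sm->identity is set by the Phase 1 method */`) would keep a future caller from relaxing the check by accident. Separately, the `} else {` after the `return;` is redundant and the else body could be dedented to the enclosing level. `eap_gtc_process` starts before and continues after this hunk.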

+ 2 - 0
src/eap_server/eap_i.h

@@ -150,6 +150,8 @@ struct eap_sm {
 	void *eap_method_priv;
 	u8 *identity;
 	size_t identity_len;
+	/* Whether Phase 2 method should validate identity match */
+	int require_identity_match;
 	int lastId; /* Identifier used in the last EAP-Packet */
 	struct eap_user *user;
 	int user_eap_method_index;
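Review bot: The comment on `require_identity_match` should state the contract rather than just the intent: who sets it and what a Phase 2 method is expected to do. Per the other two files in this commit, only EAP-FAST sets it and only EAP-GTC honours it, so any other Phase 2 method will ignore it and accept whatever identity the peer sends; a reader of this header cannot tell that. Suggested wording: `/* Set by the Phase 1 method when sm->identity came from an authenticated source (e.g., EAP-FAST PAC-Opaque). A Phase 2 method that learns an identity from the peer must verify it matches sm->identity when this is set; methods that do not check it provide no such guarantee. */`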