diff --git a/src/eap_server/eap_fast.c b/src/eap_server/eap_fast.c index 170f3faf6..e685a1dc7 100644 --- a/src/eap_server/eap_fast.c +++ b/src/eap_server/eap_fast.c @@ -1448,6 +1448,7 @@ static void eap_fast_process_phase2_start(struct eap_sm *sm, data->identity = NULL; sm->identity_len = data->identity_len; data->identity_len = 0; + sm->require_identity_match = 1; if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { wpa_hexdump_ascii(MSG_DEBUG, "EAP-FAST: " "Phase2 Identity not found " diff --git a/src/eap_server/eap_gtc.c b/src/eap_server/eap_gtc.c index 8a0bed5ca..97e328b83 100644 --- a/src/eap_server/eap_gtc.c +++ b/src/eap_server/eap_gtc.c @@ -134,14 +134,26 @@ static void eap_gtc_process(struct eap_sm *sm, void *priv, wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Response user", pos, pos2 - pos); - os_free(sm->identity); - sm->identity_len = pos2 - pos; - sm->identity = os_malloc(sm->identity_len); - if (sm->identity == NULL) { + if (sm->identity && sm->require_identity_match && + (pos2 - pos != (int) sm->identity_len || + os_memcmp(pos, sm->identity, sm->identity_len))) { + wpa_printf(MSG_DEBUG, "EAP-GTC: Phase 2 Identity did " + "not match with required Identity"); + wpa_hexdump_ascii(MSG_MSGDUMP, "EAP-GTC: Expected " + "identity", + sm->identity, sm->identity_len); data->state = FAILURE; return; + } else { + os_free(sm->identity); + sm->identity_len = pos2 - pos; + sm->identity = os_malloc(sm->identity_len); + if (sm->identity == NULL) { + data->state = FAILURE; + return; + } + os_memcpy(sm->identity, pos, sm->identity_len); } - os_memcpy(sm->identity, pos, sm->identity_len); if (eap_user_get(sm, sm->identity, sm->identity_len, 1) != 0) { wpa_hexdump_ascii(MSG_DEBUG, "EAP-GTC: Phase2 " diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h index b63558807..60873306f 100644 --- a/src/eap_server/eap_i.h +++ b/src/eap_server/eap_i.h @@ -150,6 +150,8 @@ struct eap_sm { void *eap_method_priv; u8 *identity; size_t identity_len; + /* Whether Phase 2 method should validate identity match */ + int require_identity_match; int lastId; /* Identifier used in the last EAP-Packet */ struct eap_user *user; int user_eap_method_index;