Verify EAP-SIM/AKA AT_MAC before processing any attributes
[strongswan.git] / src / charon / plugins / eap_aka / eap_aka_peer.c
index d1ab554..2654680 100644 (file)
@@ -327,8 +327,8 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
        this->crypto->derive_keys_reauth(this->crypto,
                                                                         chunk_create(this->mk, HASH_SIZE_SHA1));
 
-       /* parse again with decryption key */
-       if (!in->parse(in))
+       /* verify MAC and parse again with decryption key */
+       if (!in->verify(in, chunk_empty) || !in->parse(in))
        {
                *out = create_client_error(this, in->get_identifier(in));
                return NEED_MORE;
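Review bot: The new comment above `if (!in->verify(in, chunk_empty) || !in->parse(in))` says what is done but not that the order is a security invariant, so a later refactor could separate the two calls again, as in the code this commit replaces. Going by the old comment, `parse()` is the step that uses the decryption key, so I would word it as `/* verify AT_MAC first: parse() decrypts and interprets attributes and must only see authenticated data */`. Folding both calls into one condition also sends a MAC failure and a malformed-attribute failure down the same path at this site. Unless `verify()` logs on its own, which the hunk does not show, a distinct debug line for the MAC failure would help when triaging forged re-authentication requests. process_reauthentication starts and ends outside the hunk.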
@@ -366,11 +366,6 @@ static status_t process_reauthentication(private_eap_aka_peer_t *this,
                *out = create_client_error(this, in->get_identifier(in));
                return NEED_MORE;
        }
-       if (!in->verify(in, chunk_empty))
-       {
-               *out = create_client_error(this, in->get_identifier(in));
-               return NEED_MORE;
-       }
 
        message = simaka_message_create(FALSE, in->get_identifier(in), EAP_AKA,
                                                                        AKA_REAUTHENTICATION, this->crypto);