Verify EAP-SIM/AKA AT_MAC before processing any attributes

[strongswan.git] / src / charon / plugins / eap_sim / eap_sim_peer.c

diff --git a/src/charon/plugins/eap_sim/eap_sim_peer.c b/src/charon/plugins/eap_sim/eap_sim_peer.c
index 66365b3..961cfd3 100644 (file)
--- a/src/charon/plugins/eap_sim/eap_sim_peer.c
+++ b/src/charon/plugins/eap_sim/eap_sim_peer.c
@@ -387,8 +387,8 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
        this->crypto->derive_keys_reauth(this->crypto,
                                                                         chunk_create(this->mk, HASH_SIZE_SHA1));
 
-       /* parse again with decryption key */
-       if (!in->parse(in))
+       /* verify MAC and parse again with decryption key */
+       if (!in->verify(in, chunk_empty) || !in->parse(in))
        {
                *out = create_client_error(this, in->get_identifier(in),
                                                                   SIM_UNABLE_TO_PROCESS);
@@ -429,12 +429,6 @@ static status_t process_reauthentication(private_eap_sim_peer_t *this,
                                                                   SIM_UNABLE_TO_PROCESS);
                return NEED_MORE;
        }
-       if (!in->verify(in, chunk_empty))
-       {
-               *out = create_client_error(this, in->get_identifier(in),
-                                                                  SIM_UNABLE_TO_PROCESS);
-               return NEED_MORE;
-       }
 
        message = simaka_message_create(FALSE, in->get_identifier(in), EAP_SIM,
                                                                        SIM_REAUTHENTICATION, this->crypto);