EAP servers check if the received EAP message was expected
authorMartin Willi <martin@strongswan.org>
Thu, 22 Oct 2009 12:05:10 +0000 (14:05 +0200)
committerMartin Willi <martin@strongswan.org>
Thu, 12 Nov 2009 09:33:59 +0000 (10:33 +0100)
src/charon/plugins/eap_aka/eap_aka_server.c
src/charon/plugins/eap_sim/eap_sim_server.c

index 6a2f970..db0c532 100644 (file)
@@ -62,6 +62,16 @@ struct private_eap_aka_server_t {
         * Random value RAND
         */
        chunk_t rand;
+
+       /**
+        * EAP-AKA message we have initiated
+        */
+       simaka_subtype_t pending;
+
+       /**
+        * Did the client send a synchronize request?
+        */
+       bool synchronized;
 };
 
 /**
@@ -122,6 +132,8 @@ static status_t initiate(private_eap_aka_server_t *this, eap_payload_t **out)
        message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
        *out = message->generate(message, this->crypto, chunk_empty);
        message->destroy(message);
+
+       this->pending = AKA_CHALLENGE;
        return NEED_MORE;
 }
 
@@ -135,6 +147,12 @@ static status_t process_challenge(private_eap_aka_server_t *this,
        simaka_attribute_t type;
        chunk_t data, res = chunk_empty;
 
+       if (this->pending != AKA_CHALLENGE)
+       {
+               DBG1(DBG_IKE, "received %N, but not expected",
+                        simaka_subtype_names, AKA_CHALLENGE);
+               return FAILED;
+       }
        enumerator = in->create_attribute_enumerator(in);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
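Review bot: The guard compares this->pending with AKA_CHALLENGE, but nothing visible in this hunk clears or advances pending once the challenge response has been accepted, so unless the remainder of process_challenge (which continues past the hunk) does so, a second AKA-Challenge response on the same server instance passes the same check again. If the function is meant to accept the challenge response only once, `this->pending = 0;` directly after the guard would make that explicit; if a retry after a failed attribute parse is intended, a comment saying so would help, e.g. `/* pending stays AKA_CHALLENGE so a malformed reply may be retried */`. The same consideration applies to the SIM process_challenge guard in the later eap_sim_server.c hunk at line 193.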
@@ -183,6 +201,13 @@ static status_t process_synchronize(private_eap_aka_server_t *this,
        chunk_t data, auts = chunk_empty;
        bool found = FALSE;
 
+       if (this->synchronized)
+       {
+               DBG1(DBG_IKE, "received %N, but peer did already resynchronize",
+                        simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+               return FAILED;
+       }
+
        DBG1(DBG_IKE, "received synchronization request, retrying...");
 
        enumerator = in->create_attribute_enumerator(in);
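Review bot: The new guard in process_synchronize only rejects a repeated resynchronization; unlike process_challenge in the previous hunk it does not verify that an AKA-Challenge is actually outstanding, so a synchronization failure arriving before any challenge was sent falls through to the retry path. A synchronization failure is only meaningful as a reply to a challenge the server issued, so, assuming pending is AKA_CHALLENGE whenever one is in flight, `if (this->pending != AKA_CHALLENGE) { DBG1(DBG_IKE, "received %N, but not expected", simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE); return FAILED; }` ahead of the synchronized check would close this. The function body continues past the hunk, and the later hunk at line 254 that sets synchronized = TRUE and re-runs initiate would be unaffected.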
@@ -229,6 +254,7 @@ static status_t process_synchronize(private_eap_aka_server_t *this,
                         "resynchronization for '%Y'", this->peer);
                return FAILED;
        }
+       this->synchronized = TRUE;
        return initiate(this, out);
 }
 
@@ -384,6 +410,8 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
        this->msk = chunk_empty;
        this->xres = chunk_empty;
        this->rand = chunk_empty;
+       this->pending = 0;
+       this->synchronized = FALSE;
        /* generate a non-zero identifier */
        do {
                this->identifier = random();
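Review bot: `this->pending = 0;` stores a plain integer in a simaka_subtype_t field to mean "no message outstanding", which silently relies on no subtype having the value 0 and is not explained where the field is declared in the first hunk; the identical initialiser appears in eap_sim_server_create in the last hunk. A comment at the assignment, `/* 0: nothing initiated yet; no subtype uses this value */`, or a named sentinel in the subtype enum would make the intent checkable. I cannot see the enum definition from this page, so whether 0 is actually unused is inferred.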
index 82ed1e0..5e4d115 100644 (file)
@@ -59,6 +59,11 @@ struct private_eap_sim_server_t {
         * MSK, used for EAP-SIM based IKEv2 authentication
         */
        chunk_t msk;
+
+       /**
+        * EAP-SIM message we have initiated
+        */
+       simaka_subtype_t pending;
 };
 
 /* version of SIM protocol we speak */
@@ -103,6 +108,13 @@ static status_t process_start(private_eap_sim_server_t *this,
        bool supported = FALSE;
        int i;
 
+       if (this->pending != SIM_START)
+       {
+               DBG1(DBG_IKE, "received %N, but not expected",
+                        simaka_subtype_names, SIM_START);
+               return FAILED;
+       }
+
        enumerator = in->create_attribute_enumerator(in);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
@@ -166,6 +178,8 @@ static status_t process_start(private_eap_sim_server_t *this,
        message->add_attribute(message, AT_RAND, rands);
        *out = message->generate(message, this->crypto, nonce);
        message->destroy(message);
+
+       this->pending = SIM_CHALLENGE;
        return NEED_MORE;
 }
 
@@ -179,6 +193,13 @@ static status_t process_challenge(private_eap_sim_server_t *this,
        simaka_attribute_t type;
        chunk_t data;
 
+       if (this->pending != SIM_CHALLENGE)
+       {
+               DBG1(DBG_IKE, "received %N, but not expected",
+                        simaka_subtype_names, SIM_CHALLENGE);
+               return FAILED;
+       }
+
        enumerator = in->create_attribute_enumerator(in);
        while (enumerator->enumerate(enumerator, &type, &data))
        {
@@ -281,6 +302,8 @@ static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
        message->add_attribute(message, AT_VERSION_LIST, version);
        *out = message->generate(message, this->crypto, chunk_empty);
        message->destroy(message);
+
+       this->pending = SIM_START;
        return NEED_MORE;
 }
 
@@ -350,6 +373,7 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server,
        this->peer = peer->clone(peer);
        this->sreses = chunk_empty;
        this->msk = chunk_empty;
+       this->pending = 0;
        /* generate a non-zero identifier */
        do {
                this->identifier = random();