Diffstat (limited to 'src')
-rw-r--r-- | src/charon/plugins/eap_aka/eap_aka_server.c | 28 | ||||
-rw-r--r-- | src/charon/plugins/eap_sim/eap_sim_server.c | 24 |
2 files changed, 52 insertions, 0 deletions
diff --git a/src/charon/plugins/eap_aka/eap_aka_server.c b/src/charon/plugins/eap_aka/eap_aka_server.c
index 6a2f970ab..db0c53212 100644
--- a/src/charon/plugins/eap_aka/eap_aka_server.c
+++ b/src/charon/plugins/eap_aka/eap_aka_server.c
@@ -62,6 +62,16 @@ struct private_eap_aka_server_t {
 * Random value RAND
 */
 chunk_t rand;
+
+ /**
+ * EAP-AKA message we have initiated
+ */
+ simaka_subtype_t pending;
+
+ /**
+ * Did the client send a synchronize request?
+ */
+ bool synchronized;
 };
 
 /**
@@ -122,6 +132,8 @@ static status_t initiate(private_eap_aka_server_t *this, eap_payload_t **out)
 message->add_attribute(message, AT_AUTN, chunk_create(autn, AKA_AUTN_LEN));
 *out = message->generate(message, this->crypto, chunk_empty);
 message->destroy(message);
+
+ this->pending = AKA_CHALLENGE;
 return NEED_MORE;
 }
 
@@ -135,6 +147,12 @@ static status_t process_challenge(private_eap_aka_server_t *this,
 simaka_attribute_t type;
 chunk_t data, res = chunk_empty;
 
+ if (this->pending != AKA_CHALLENGE)
+ {
+ DBG1(DBG_IKE, "received %N, but not expected",
+ simaka_subtype_names, AKA_CHALLENGE);
+ return FAILED;
+ }
 enumerator = in->create_attribute_enumerator(in);
 while (enumerator->enumerate(enumerator, &type, &data))
 {
@@ -183,6 +201,13 @@ static status_t process_synchronize(private_eap_aka_server_t *this,
 chunk_t data, auts = chunk_empty;
 bool found = FALSE;
 
+ if (this->synchronized)
+ {
+ DBG1(DBG_IKE, "received %N, but peer did already resynchronize",
+ simaka_subtype_names, AKA_SYNCHRONIZATION_FAILURE);
+ return FAILED;
+ }
+
 DBG1(DBG_IKE, "received synchronization request, retrying...");
 
 enumerator = in->create_attribute_enumerator(in);
@@ -229,6 +254,7 @@ static status_t process_synchronize(private_eap_aka_server_t *this,
 "resynchronization for '%Y'", this->peer);
 return FAILED;
 }
+ this->synchronized = TRUE;
 return initiate(this, out);
 }
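Review bot: The guard added to process_challenge accepts a reply only while `this->pending == AKA_CHALLENGE`, but none of the hunks clears `pending` once the challenge response has been consumed, so as far as this diff shows a duplicated AKA-Challenge reply would pass the same check; process_challenge's body continues outside the hunk, so if it does not already do so, reset the state once the RES has been verified, `this->pending = 0;`. The resync path looks right: initiate() re-arms `pending` before the retried challenge and `synchronized` limits the peer to a single AKA-Synchronization-Failure, which closes the retry loop. Style: the AKA guard has no blank line after its closing brace, unlike the two SIM guards in the same commit.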
@@ -384,6 +410,8 @@ eap_aka_server_t *eap_aka_server_create(identification_t *server,
 this->msk = chunk_empty;
 this->xres = chunk_empty;
 this->rand = chunk_empty;
+ this->pending = 0;
+ this->synchronized = FALSE;
 /* generate a non-zero identifier */
 do {
 this->identifier = random();
diff --git a/src/charon/plugins/eap_sim/eap_sim_server.c b/src/charon/plugins/eap_sim/eap_sim_server.c
index 82ed1e093..5e4d11530 100644
--- a/src/charon/plugins/eap_sim/eap_sim_server.c
+++ b/src/charon/plugins/eap_sim/eap_sim_server.c
@@ -59,6 +59,11 @@ struct private_eap_sim_server_t {
 * MSK, used for EAP-SIM based IKEv2 authentication
 */
 chunk_t msk;
+
+ /**
+ * EAP-SIM message we have initiated
+ */
+ simaka_subtype_t pending;
 };
 
 /* version of SIM protocol we speak */
@@ -103,6 +108,13 @@ static status_t process_start(private_eap_sim_server_t *this,
 bool supported = FALSE;
 int i;
 
+ if (this->pending != SIM_START)
+ {
+ DBG1(DBG_IKE, "received %N, but not expected",
+ simaka_subtype_names, SIM_START);
+ return FAILED;
+ }
+
 enumerator = in->create_attribute_enumerator(in);
 while (enumerator->enumerate(enumerator, &type, &data))
 {
@@ -166,6 +178,8 @@ static status_t process_start(private_eap_sim_server_t *this,
 message->add_attribute(message, AT_RAND, rands);
 *out = message->generate(message, this->crypto, nonce);
 message->destroy(message);
+
+ this->pending = SIM_CHALLENGE;
 return NEED_MORE;
 }
 
@@ -179,6 +193,13 @@ static status_t process_challenge(private_eap_sim_server_t *this,
 simaka_attribute_t type;
 chunk_t data;
 
+ if (this->pending != SIM_CHALLENGE)
+ {
+ DBG1(DBG_IKE, "received %N, but not expected",
+ simaka_subtype_names, SIM_CHALLENGE);
+ return FAILED;
+ }
+
 enumerator = in->create_attribute_enumerator(in);
 while (enumerator->enumerate(enumerator, &type, &data))
 {
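Review bot: The new `pending` field in private_eap_sim_server_t is documented as `EAP-SIM message we have initiated`, yet both constructors in this diff initialise it to `0`, which serves as a "nothing outstanding yet" sentinel that the guards never compare against; this silently relies on 0 not being a member of simaka_subtype_t, which the diff alone cannot confirm. Document the sentinel on the field so the guards read unambiguously, `/** EAP-SIM message we have initiated, 0 if none yet */`, and the same wording for the AKA field. If 0 does collide with a subtype value, a named "none" constant would be the safer sentinel.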
@@ -281,6 +302,8 @@ static status_t initiate(private_eap_sim_server_t *this, eap_payload_t **out)
 message->add_attribute(message, AT_VERSION_LIST, version);
 *out = message->generate(message, this->crypto, chunk_empty);
 message->destroy(message);
+
+ this->pending = SIM_START;
 return NEED_MORE;
 }
 
@@ -350,6 +373,7 @@ eap_sim_server_t *eap_sim_server_create(identification_t *server,
 this->peer = peer->clone(peer);
 this->sreses = chunk_empty;
 this->msk = chunk_empty;
+ this->pending = 0;
 /* generate a non-zero identifier */
 do {
 this->identifier = random();
|