Do not try to use network profile with invalid imsi_privacy_key
Disable a network profile that has set the imsi_privacy_key if a valid key cannot be read from the specified file. Previously, this check was done only after having associated, but there is no point in associating just to see EAP authentication fail in such a case. This is needed for avoiding connection attempts if the X.509 certificate for IMSI privacy has expired. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
parent
d1652dc7cc
commit
1328cdeb19
1 changed files with 19 additions and 0 deletions
|
@ -17,6 +17,7 @@
|
|||
#endif /* CONFIG_MATCH_IFACE */
|
||||
|
||||
#include "common.h"
|
||||
#include "crypto/crypto.h"
|
||||
#include "crypto/random.h"
|
||||
#include "crypto/sha1.h"
|
||||
#include "eapol_supp/eapol_supp_sm.h"
|
||||
|
@ -7999,6 +8000,24 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
|
|||
!ssid->mem_only_psk)
|
||||
return 1;
|
||||
|
||||
#ifdef CRYPTO_RSA_OAEP_SHA256
|
||||
if (ssid->eap.imsi_privacy_key) {
|
||||
struct crypto_rsa_key *key;
|
||||
bool failed = false;
|
||||
|
||||
key = crypto_rsa_key_read(ssid->eap.imsi_privacy_key, false);
|
||||
if (!key)
|
||||
failed = true;
|
||||
crypto_rsa_key_free(key);
|
||||
if (failed) {
|
||||
wpa_printf(MSG_DEBUG,
|
||||
"Invalid imsi_privacy_key (%s) - disable network",
|
||||
ssid->eap.imsi_privacy_key);
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
#endif /* CRYPTO_RSA_OAEP_SHA256 */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
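Review bot: The added block in wpas_network_disabled() reads and parses the imsi_privacy_key file on every call and keeps nothing from the result, so it is only a point-in-time check. The file can change, or the certificate can expire, between this call and the EAP exchange, so the EAP method's own failure path (outside this hunk) must still refuse an unusable key rather than proceed without IMSI protection. If this function runs once per profile during network selection, as its name suggests, the file read and the `MSG_DEBUG` line repeat each time; consider caching the result and reporting the disabled profile at a level an operator will see. The `failed` flag is not needed, since `if (!key) { wpa_printf(...); return 1; }` followed by `crypto_rsa_key_free(key);` does the same. The function begins above the hunk, and a short comment should say that builds without `CRYPTO_RSA_OAEP_SHA256` skip this check, so such builds do not disable the profile here.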