EAP-SIM/AKA server: IMSI privacy
Add support for IMSI privacy in the EAP-SIM/AKA server implementation. If the new hostapd configuration parameter imsi_privacy_key is used to specify an RSA private key, that key will be used to decrypt encrypted permanent identity. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen
Jouni Malinen
parent
36b11bbcff
commit
21098e39fe
9 changed files with 181 additions and 7 deletions
|
|
@ -809,6 +809,7 @@ void hostapd_config_free_bss(struct hostapd_bss_config *conf)
|
|||
os_free(conf->eap_fast_a_id);
|
||||
os_free(conf->eap_fast_a_id_info);
|
||||
os_free(conf->eap_sim_db);
|
||||
os_free(conf->imsi_privacy_key);
|
||||
os_free(conf->radius_server_clients);
|
||||
os_free(conf->radius);
|
||||
os_free(conf->radius_das_shared_secret);
|
||||
|
|
|
|||
|
|
@ -443,6 +443,7 @@ struct hostapd_bss_config {
|
|||
int eap_teap_id;
|
||||
int eap_sim_aka_result_ind;
|
||||
int eap_sim_id;
|
||||
char *imsi_privacy_key;
|
||||
int tnc;
|
||||
int fragment_size;
|
||||
u16 pwd_group;
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@
|
|||
#include "utils/includes.h"
|
||||
|
||||
#include "utils/common.h"
|
||||
#include "crypto/crypto.h"
|
||||
#include "crypto/tls.h"
|
||||
#include "eap_server/eap.h"
|
||||
#include "eap_server/eap_sim_db.h"
|
||||
|
|
@ -209,6 +210,7 @@ static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
|
|||
cfg->eap_teap_id = hapd->conf->eap_teap_id;
|
||||
cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
|
||||
cfg->eap_sim_id = hapd->conf->eap_sim_id;
|
||||
cfg->imsi_privacy_key = hapd->imsi_privacy_key;
|
||||
cfg->tnc = hapd->conf->tnc;
|
||||
cfg->wps = hapd->wps;
|
||||
cfg->fragment_size = hapd->conf->fragment_size;
|
||||
|
|
@ -295,6 +297,22 @@ int authsrv_init(struct hostapd_data *hapd)
|
|||
}
|
||||
#endif /* EAP_TLS_FUNCS */
|
||||
|
||||
#ifdef CRYPTO_RSA_OAEP_SHA256
|
||||
crypto_rsa_key_free(hapd->imsi_privacy_key);
|
||||
hapd->imsi_privacy_key = NULL;
|
||||
if (hapd->conf->imsi_privacy_key) {
|
||||
hapd->imsi_privacy_key = crypto_rsa_key_read(
|
||||
hapd->conf->imsi_privacy_key, true);
|
||||
if (!hapd->imsi_privacy_key) {
|
||||
wpa_printf(MSG_ERROR,
|
||||
"Failed to read/parse IMSI privacy key %s",
|
||||
hapd->conf->imsi_privacy_key);
|
||||
authsrv_deinit(hapd);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
#endif /* CRYPTO_RSA_OAEP_SHA256 */
|
||||
|
||||
#ifdef EAP_SIM_DB
|
||||
if (hapd->conf->eap_sim_db) {
|
||||
hapd->eap_sim_db_priv =
|
||||
|
|
@ -335,6 +353,11 @@ void authsrv_deinit(struct hostapd_data *hapd)
|
|||
hapd->radius_srv = NULL;
|
||||
#endif /* RADIUS_SERVER */
|
||||
|
||||
#ifdef CRYPTO_RSA_OAEP_SHA256
|
||||
crypto_rsa_key_free(hapd->imsi_privacy_key);
|
||||
hapd->imsi_privacy_key = NULL;
|
||||
#endif /* CRYPTO_RSA_OAEP_SHA256 */
|
||||
|
||||
#ifdef EAP_TLS_FUNCS
|
||||
if (hapd->ssl_ctx) {
|
||||
tls_deinit(hapd->ssl_ctx);
|
||||
|
|
|
|||
|
|
@ -208,6 +208,7 @@ struct hostapd_data {
|
|||
|
||||
void *ssl_ctx;
|
||||
void *eap_sim_db_priv;
|
||||
struct crypto_rsa_key *imsi_privacy_key;
|
||||
struct radius_server_data *radius_srv;
|
||||
struct dl_list erp_keys; /* struct eap_server_erp_key */
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue