DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Rename wpa_supplicant imsi_privacy_key configuration parameter

Browse source 
Use imsi_privacy_cert as the name of the configuration parameter for the
X.509v3 certificate that contains the RSA public key needed for IMSI
privacy. The only allowed format for this information is a PEM-encoded
X.509 certificate, so the previous name was somewhat confusing.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-05-24 00:07:12 +03:00 committed by Jouni Malinen
parent dde7f90a41
commit 99165cc4b0
11 changed files with 47 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
src/eap_peer/eap.c
View file

@ -1696,7 +1696,7 @@ struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted)
identity_len = config->machine_identity_len;
wpa_hexdump_ascii(MSG_DEBUG, "EAP: using machine identity",
identity, identity_len);
} else if (config->imsi_privacy_key && config->identity &&
} else if (config->imsi_privacy_cert && config->identity &&
config->identity_len > 0) {
const u8 *pos = config->identity;
const u8 *end = config->identity + config->identity_len;

10
src/eap_peer/eap_aka.c
View file

@ -103,20 +103,20 @@ static void * eap_aka_init(struct eap_sm *sm)
data->eap_method = EAP_TYPE_AKA;
if (config && config->imsi_privacy_key) {
if (config && config->imsi_privacy_cert) {
#ifdef CRYPTO_RSA_OAEP_SHA256
data->imsi_privacy_key = crypto_rsa_key_read(
config->imsi_privacy_key, false);
config->imsi_privacy_cert, false);
if (!data->imsi_privacy_key) {
wpa_printf(MSG_ERROR,
"EAP-AKA: Failed to read/parse IMSI privacy key %s",
config->imsi_privacy_key);
"EAP-AKA: Failed to read/parse IMSI privacy certificate %s",
config->imsi_privacy_cert);
os_free(data);
return NULL;
}
#else /* CRYPTO_RSA_OAEP_SHA256 */
wpa_printf(MSG_ERROR,
"EAP-AKA: No support for imsi_privacy_key in the build");
"EAP-AKA: No support for imsi_privacy_cert in the build");
os_free(data);
return NULL;
#endif /* CRYPTO_RSA_OAEP_SHA256 */

10
src/eap_peer/eap_config.h
View file

@ -318,14 +318,14 @@ struct eap_peer_config {
size_t imsi_identity_len;
/**
* imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
* imsi_privacy_cert - IMSI privacy certificate
*
* This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
* identity (IMSI) to improve privacy. The X.509v3 certificate needs to
* include a 2048-bit RSA public key and this is from the operator who
* authenticates the SIM/USIM.
* identity (IMSI) to improve privacy. The referenced PEM-encoded
* X.509v3 certificate needs to include a 2048-bit RSA public key and
* this is from the operator who authenticates the SIM/USIM.
*/
char *imsi_privacy_key;
char *imsi_privacy_cert;
/**
* machine_identity - EAP Identity for machine credential

10
src/eap_peer/eap_sim.c
View file

@ -101,20 +101,20 @@ static void * eap_sim_init(struct eap_sm *sm)
return NULL;
}
if (config && config->imsi_privacy_key) {
if (config && config->imsi_privacy_cert) {
#ifdef CRYPTO_RSA_OAEP_SHA256
data->imsi_privacy_key = crypto_rsa_key_read(
config->imsi_privacy_key, false);
config->imsi_privacy_cert, false);
if (!data->imsi_privacy_key) {
wpa_printf(MSG_ERROR,
"EAP-SIM: Failed to read/parse IMSI privacy key %s",
config->imsi_privacy_key);
"EAP-SIM: Failed to read/parse IMSI privacy certificate %s",
config->imsi_privacy_cert);
os_free(data);
return NULL;
}
#else /* CRYPTO_RSA_OAEP_SHA256 */
wpa_printf(MSG_ERROR,
"EAP-SIM: No support for imsi_privacy_key in the build");
"EAP-SIM: No support for imsi_privacy_cert in the build");
os_free(data);
return NULL;
#endif /* CRYPTO_RSA_OAEP_SHA256 */

16
tests/hwsim/test_ap_eap.py
View file

@ -346,7 +346,7 @@ def test_ap_wpa2_eap_sim_imsi_identity(dev, apdev, params):
eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
"""WPA2-Enterprise connection using EAP-SIM and imsi_privacy_key"""
"""WPA2-Enterprise connection using EAP-SIM and imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -359,7 +359,7 @@ def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
eap_connect(dev[0], hapd, "SIM",
"1232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
eap_reauth(dev[0], "SIM")
@ -1131,7 +1131,7 @@ def test_ap_wpa2_eap_aka_imsi_identity(dev, apdev, params):
eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA and imsi_privacy_key"""
"""WPA2-Enterprise connection using EAP-AKA and imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -1144,12 +1144,12 @@ def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
eap_connect(dev[0], hapd, "AKA",
"0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_key"""
"""WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -1166,7 +1166,7 @@ def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
eap="AKA",
identity="0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
wait_connect=False, scan_freq="2412", ieee80211w="1",
imsi_privacy_key="auth_serv/imsi-privacy-cert-2.pem",
imsi_privacy_cert="auth_serv/imsi-privacy-cert-2.pem",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
ev = dev[0].wait_event(["Trying to associate with"], timeout=10)
if ev is not None:
@ -1428,7 +1428,7 @@ def test_ap_wpa2_eap_aka_prime_imsi_identity(dev, apdev, params):
eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_key"""
"""WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -1441,7 +1441,7 @@ def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
eap_connect(dev[0], hapd, "AKA'",
"6555444333222111@wlan.mnc555.mcc44.3gppnetwork.org",
imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
eap_reauth(dev[0], "AKA'")

2
tests/hwsim/test_ap_hs20.py
View file

@ -545,7 +545,7 @@ def hs20_simulated_sim(dev, ap, method, imsi_privacy=False):
tls = dev.request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
params['imsi_privacy_key'] = "auth_serv/imsi-privacy-cert.pem"
params['imsi_privacy_cert'] = "auth_serv/imsi-privacy-cert.pem"
dev.add_cred_values(params)
interworking_select(dev, bssid, "home", freq="2412")
interworking_connect(dev, bssid, method)

4
tests/hwsim/wpasupplicant.py
View file

@ -454,7 +454,7 @@ class WpaSupplicant:
"excluded_ssid", "milenage", "ca_cert", "client_cert",
"private_key", "domain_suffix_match", "provisioning_sp",
"roaming_partner", "phase1", "phase2", "private_key_passwd",
"roaming_consortiums", "imsi_privacy_key"]
"roaming_consortiums", "imsi_privacy_cert"]
for field in quoted:
if field in params:
self.set_cred_quoted(id, field, params[field])
@ -1083,7 +1083,7 @@ class WpaSupplicant:
"sae_password_id", "check_cert_subject",
"machine_ca_cert", "machine_client_cert",
"machine_private_key", "machine_phase2",
"imsi_identity", "imsi_privacy_key"]
"imsi_identity", "imsi_privacy_cert"]
for field in quoted:
if field in kwargs and kwargs[field]:
self.set_network_quoted(id, field, kwargs[field])

16
wpa_supplicant/config.c
View file

@ -2503,7 +2503,7 @@ static const struct parse_data ssid_fields[] = {
{ INTe(machine_ocsp, machine_cert.ocsp) },
{ INT(eapol_flags) },
{ INTe(sim_num, sim_num) },
{ STRe(imsi_privacy_key, imsi_privacy_key) },
{ STRe(imsi_privacy_cert, imsi_privacy_cert) },
{ STRe(openssl_ciphers, openssl_ciphers) },
{ INTe(erp, erp) },
#endif /* IEEE8021X_EAPOL */
@ -2771,7 +2771,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
bin_clear_free(eap->identity, eap->identity_len);
os_free(eap->anonymous_identity);
os_free(eap->imsi_identity);
os_free(eap->imsi_privacy_key);
os_free(eap->imsi_privacy_cert);
os_free(eap->machine_identity);
bin_clear_free(eap->password, eap->password_len);
bin_clear_free(eap->machine_password, eap->machine_password_len);
@ -2875,7 +2875,7 @@ void wpa_config_free_cred(struct wpa_cred *cred)
os_free(cred->req_conn_capab_port[i]);
os_free(cred->req_conn_capab_port);
os_free(cred->req_conn_capab_proto);
os_free(cred->imsi_privacy_key);
os_free(cred->imsi_privacy_cert);
os_free(cred);
}
@ -3911,9 +3911,9 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
return 0;
}
if (os_strcmp(var, "imsi_privacy_key") == 0) {
os_free(cred->imsi_privacy_key);
cred->imsi_privacy_key = val;
if (os_strcmp(var, "imsi_privacy_cert") == 0) {
os_free(cred->imsi_privacy_cert);
cred->imsi_privacy_cert = val;
return 0;
}
@ -4067,8 +4067,8 @@ char * wpa_config_get_cred_no_key(struct wpa_cred *cred, const char *var)
if (os_strcmp(var, "imsi") == 0)
return alloc_strdup(cred->imsi);
if (os_strcmp(var, "imsi_privacy_key") == 0)
return alloc_strdup(cred->imsi_privacy_key);
if (os_strcmp(var, "imsi_privacy_cert") == 0)
return alloc_strdup(cred->imsi_privacy_cert);
if (os_strcmp(var, "milenage") == 0) {
if (!(cred->milenage))

10
wpa_supplicant/config.h
View file

@ -181,14 +181,14 @@ struct wpa_cred {
char *milenage;
/**
* imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
* imsi_privacy_cert - IMSI privacy certificate
*
* This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
* identity (IMSI) to improve privacy. The X.509v3 certificate needs to
* include a 2048-bit RSA public key and this is from the operator who
* authenticates the SIM/USIM.
* identity (IMSI) to improve privacy. The referenced PEM-encoded
* X.509v3 certificate needs to include a 2048-bit RSA public key and
* this is from the operator who authenticates the SIM/USIM.
*/
char *imsi_privacy_key;
char *imsi_privacy_cert;
/**
* engine - Use an engine for private key operations

6
wpa_supplicant/interworking.c
View file

@ -1065,9 +1065,9 @@ static int interworking_connect_3gpp(struct wpa_supplicant *wpa_s,
goto fail;
}
if (cred->imsi_privacy_key && cred->imsi_privacy_key[0]) {
if (wpa_config_set_quoted(ssid, "imsi_privacy_key",
cred->imsi_privacy_key) < 0)
if (cred->imsi_privacy_cert && cred->imsi_privacy_cert[0]) {
if (wpa_config_set_quoted(ssid, "imsi_privacy_cert",
cred->imsi_privacy_cert) < 0)
goto fail;
}

8
wpa_supplicant/wpa_supplicant.c
View file

@ -8001,18 +8001,18 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
return 1;
#ifdef CRYPTO_RSA_OAEP_SHA256
if (ssid->eap.imsi_privacy_key) {
if (ssid->eap.imsi_privacy_cert) {
struct crypto_rsa_key *key;
bool failed = false;
key = crypto_rsa_key_read(ssid->eap.imsi_privacy_key, false);
key = crypto_rsa_key_read(ssid->eap.imsi_privacy_cert, false);
if (!key)
failed = true;
crypto_rsa_key_free(key);
if (failed) {
wpa_printf(MSG_DEBUG,
"Invalid imsi_privacy_key (%s) - disable network",
ssid->eap.imsi_privacy_key);
"Invalid imsi_privacy_cert (%s) - disable network",
ssid->eap.imsi_privacy_cert);
return 1;
}
}