diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index 729388f4f..a39a86d54 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1696,7 +1696,7 @@ struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted)
 identity_len = config->machine_identity_len;
 wpa_hexdump_ascii(MSG_DEBUG, "EAP: using machine identity",
 identity, identity_len);
- } else if (config->imsi_privacy_key && config->identity &&
+ } else if (config->imsi_privacy_cert && config->identity &&
 config->identity_len > 0) {
 const u8 *pos = config->identity;
 const u8 *end = config->identity + config->identity_len;
diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c
index 8caae1d6a..0c9b4b3a9 100644
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@@ -103,20 +103,20 @@ static void * eap_aka_init(struct eap_sm *sm)
 
 data->eap_method = EAP_TYPE_AKA;
 
- if (config && config->imsi_privacy_key) {
+ if (config && config->imsi_privacy_cert) {
 #ifdef CRYPTO_RSA_OAEP_SHA256
 data->imsi_privacy_key = crypto_rsa_key_read(
- config->imsi_privacy_key, false);
+ config->imsi_privacy_cert, false);
 if (!data->imsi_privacy_key) {
 wpa_printf(MSG_ERROR,
- "EAP-AKA: Failed to read/parse IMSI privacy key %s",
- config->imsi_privacy_key);
+ "EAP-AKA: Failed to read/parse IMSI privacy certificate %s",
+ config->imsi_privacy_cert);
 os_free(data);
 return NULL;
 }
 #else /* CRYPTO_RSA_OAEP_SHA256 */
 wpa_printf(MSG_ERROR,
- "EAP-AKA: No support for imsi_privacy_key in the build");
+ "EAP-AKA: No support for imsi_privacy_cert in the build");
 os_free(data);
 return NULL;
 #endif /* CRYPTO_RSA_OAEP_SHA256 */
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index eaf514b19..b52007263 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -318,14 +318,14 @@ struct eap_peer_config {
 size_t imsi_identity_len;
 
 /**
- * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+ * imsi_privacy_cert - IMSI privacy certificate
 *
 * This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
- * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
- * include a 2048-bit RSA public key and this is from the operator who
- * authenticates the SIM/USIM.
+ * identity (IMSI) to improve privacy. The referenced PEM-encoded
+ * X.509v3 certificate needs to include a 2048-bit RSA public key and
+ * this is from the operator who authenticates the SIM/USIM.
 */
- char *imsi_privacy_key;
+ char *imsi_privacy_cert;
 
 /**
 * machine_identity - EAP Identity for machine credential
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index 04a213464..b23222eec 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -101,20 +101,20 @@ static void * eap_sim_init(struct eap_sm *sm)
 return NULL;
 }
 
- if (config && config->imsi_privacy_key) {
+ if (config && config->imsi_privacy_cert) {
 #ifdef CRYPTO_RSA_OAEP_SHA256
 data->imsi_privacy_key = crypto_rsa_key_read(
- config->imsi_privacy_key, false);
+ config->imsi_privacy_cert, false);
 if (!data->imsi_privacy_key) {
 wpa_printf(MSG_ERROR,
- "EAP-SIM: Failed to read/parse IMSI privacy key %s",
- config->imsi_privacy_key);
+ "EAP-SIM: Failed to read/parse IMSI privacy certificate %s",
+ config->imsi_privacy_cert);
 os_free(data);
 return NULL;
 }
 #else /* CRYPTO_RSA_OAEP_SHA256 */
 wpa_printf(MSG_ERROR,
- "EAP-SIM: No support for imsi_privacy_key in the build");
+ "EAP-SIM: No support for imsi_privacy_cert in the build");
 os_free(data);
 return NULL;
 #endif /* CRYPTO_RSA_OAEP_SHA256 */
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index b84e42c96..9eebaf53f 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -346,7 +346,7 @@ def test_ap_wpa2_eap_sim_imsi_identity(dev, apdev, params):
 eap_reauth(dev[0], "SIM")
 
 def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
- """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_cert"""
 tls = dev[0].request("GET tls_library")
 if not tls.startswith("OpenSSL"):
 raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@@ -359,7 +359,7 @@ def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
 
 eap_connect(dev[0], hapd, "SIM",
 "1232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
- imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
 eap_reauth(dev[0], "SIM")
 
@@ -1131,7 +1131,7 @@ def test_ap_wpa2_eap_aka_imsi_identity(dev, apdev, params):
 eap_reauth(dev[0], "AKA")
 
 def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
- """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_cert"""
 tls = dev[0].request("GET tls_library")
 if not tls.startswith("OpenSSL"):
 raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@@ -1144,12 +1144,12 @@ def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
 
 eap_connect(dev[0], hapd, "AKA",
 "0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
- imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 eap_reauth(dev[0], "AKA")
 
 def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
- """WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_cert"""
 tls = dev[0].request("GET tls_library")
 if not tls.startswith("OpenSSL"):
 raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@@ -1166,7 +1166,7 @@ def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
 eap="AKA",
 identity="0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
 wait_connect=False, scan_freq="2412", ieee80211w="1",
- imsi_privacy_key="auth_serv/imsi-privacy-cert-2.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert-2.pem",
 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
 ev = dev[0].wait_event(["Trying to associate with"], timeout=10)
 if ev is not None:
@@ -1428,7 +1428,7 @@ def test_ap_wpa2_eap_aka_prime_imsi_identity(dev, apdev, params):
 eap_reauth(dev[0], "AKA'")
 
 def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
- """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_cert"""
 tls = dev[0].request("GET tls_library")
 if not tls.startswith("OpenSSL"):
 raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@@ -1441,7 +1441,7 @@ def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev): eap_connect(dev[0], hapd, "AKA'", "6555444333222111@wlan.mnc555.mcc44.3gppnetwork.org", - imsi_privacy_key="auth_serv/imsi-privacy-cert.pem", + imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem", password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123") eap_reauth(dev[0], "AKA'") diff --git a/tests/hwsim/test_ap_hs20.py b/tests/hwsim/test_ap_hs20.py index ad2d05f16..7255b1c45 100644 --- a/tests/hwsim/test_ap_hs20.py +++ b/tests/hwsim/test_ap_hs20.py @@ -545,7 +545,7 @@ def hs20_simulated_sim(dev, ap, method, imsi_privacy=False): tls = dev.request("GET tls_library") if not tls.startswith("OpenSSL"): raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls) - params['imsi_privacy_key'] = "auth_serv/imsi-privacy-cert.pem" + params['imsi_privacy_cert'] = "auth_serv/imsi-privacy-cert.pem" dev.add_cred_values(params) interworking_select(dev, bssid, "home", freq="2412") interworking_connect(dev, bssid, method) diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index b33e57ac7..b864db30a 100644 --- a/tests/hwsim/wpasupplicant.py +++ b/tests/hwsim/wpasupplicant.py @@ -454,7 +454,7 @@ class WpaSupplicant: "excluded_ssid", "milenage", "ca_cert", "client_cert", "private_key", "domain_suffix_match", "provisioning_sp", "roaming_partner", "phase1", "phase2", "private_key_passwd", - "roaming_consortiums", "imsi_privacy_key"] + "roaming_consortiums", "imsi_privacy_cert"] for field in quoted: if field in params: self.set_cred_quoted(id, field, params[field]) @@ -1083,7 +1083,7 @@ class WpaSupplicant: "sae_password_id", "check_cert_subject", "machine_ca_cert", "machine_client_cert", "machine_private_key", "machine_phase2", - "imsi_identity", "imsi_privacy_key"] + "imsi_identity", "imsi_privacy_cert"] for field in quoted: if field in kwargs and kwargs[field]: self.set_network_quoted(id, field, kwargs[field]) 
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index e511ab6b5..49d3244f6 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2503,7 +2503,7 @@ static const struct parse_data ssid_fields[] = {
 { INTe(machine_ocsp, machine_cert.ocsp) },
 { INT(eapol_flags) },
 { INTe(sim_num, sim_num) },
- { STRe(imsi_privacy_key, imsi_privacy_key) },
+ { STRe(imsi_privacy_cert, imsi_privacy_cert) },
 { STRe(openssl_ciphers, openssl_ciphers) },
 { INTe(erp, erp) },
 #endif /* IEEE8021X_EAPOL */
@@ -2771,7 +2771,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 bin_clear_free(eap->identity, eap->identity_len);
 os_free(eap->anonymous_identity);
 os_free(eap->imsi_identity);
- os_free(eap->imsi_privacy_key);
+ os_free(eap->imsi_privacy_cert);
 os_free(eap->machine_identity);
 bin_clear_free(eap->password, eap->password_len);
 bin_clear_free(eap->machine_password, eap->machine_password_len);
@@ -2875,7 +2875,7 @@ void wpa_config_free_cred(struct wpa_cred *cred)
 os_free(cred->req_conn_capab_port[i]);
 os_free(cred->req_conn_capab_port);
 os_free(cred->req_conn_capab_proto);
- os_free(cred->imsi_privacy_key);
+ os_free(cred->imsi_privacy_cert);
 os_free(cred);
 }
 
@@ -3911,9 +3911,9 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
 return 0;
 }
 
- if (os_strcmp(var, "imsi_privacy_key") == 0) {
- os_free(cred->imsi_privacy_key);
- cred->imsi_privacy_key = val;
+ if (os_strcmp(var, "imsi_privacy_cert") == 0) {
+ os_free(cred->imsi_privacy_cert);
+ cred->imsi_privacy_cert = val;
 return 0;
 }
 
@@ -4067,8 +4067,8 @@ char * wpa_config_get_cred_no_key(struct wpa_cred *cred, const char *var)
 if (os_strcmp(var, "imsi") == 0)
 return alloc_strdup(cred->imsi);
 
- if (os_strcmp(var, "imsi_privacy_key") == 0)
- return alloc_strdup(cred->imsi_privacy_key);
+ if (os_strcmp(var, "imsi_privacy_cert") == 0)
+ return alloc_strdup(cred->imsi_privacy_cert);
 
 if (os_strcmp(var, "milenage") == 0) {
 if (!(cred->milenage))
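Review bot: The user-facing configuration keyword is renamed in the `ssid_fields` table and in `wpa_config_set_cred` without keeping the old spelling accepted, so any existing wpa_supplicant.conf network block or cred block, and any ctrl_iface client, that still uses `imsi_privacy_key` will presumably be rejected as an unknown field and lose IMSI privacy silently on upgrade. If STRe's first argument is the keyword and the second the member, a deprecated alias row `{ STRe(imsi_privacy_key, imsi_privacy_cert) },` next to the new one would keep old configs working (check that the config writer does not then emit both names), and the cred setter can accept both with `if (os_strcmp(var, "imsi_privacy_cert") == 0 || os_strcmp(var, "imsi_privacy_key") == 0) {`. Whether the option's description in the sample wpa_supplicant.conf was updated is not visible in this diff and is worth confirming in the same commit.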
diff --git a/wpa_supplicant/config.h b/wpa_supplicant/config.h
index 326953fb8..9e6ee87cf 100644
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@@ -181,14 +181,14 @@ struct wpa_cred {
 char *milenage;
 
 /**
- * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+ * imsi_privacy_cert - IMSI privacy certificate
 *
 * This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
- * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
- * include a 2048-bit RSA public key and this is from the operator who
- * authenticates the SIM/USIM.
+ * identity (IMSI) to improve privacy. The referenced PEM-encoded
+ * X.509v3 certificate needs to include a 2048-bit RSA public key and
+ * this is from the operator who authenticates the SIM/USIM.
 */
- char *imsi_privacy_key;
+ char *imsi_privacy_cert;
 
 /**
 * engine - Use an engine for private key operations
diff --git a/wpa_supplicant/interworking.c b/wpa_supplicant/interworking.c
index e66e402d7..78e3087de 100644
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@@ -1065,9 +1065,9 @@ static int interworking_connect_3gpp(struct wpa_supplicant *wpa_s,
 goto fail;
 }
 
- if (cred->imsi_privacy_key && cred->imsi_privacy_key[0]) {
- if (wpa_config_set_quoted(ssid, "imsi_privacy_key",
- cred->imsi_privacy_key) < 0)
+ if (cred->imsi_privacy_cert && cred->imsi_privacy_cert[0]) {
+ if (wpa_config_set_quoted(ssid, "imsi_privacy_cert",
+ cred->imsi_privacy_cert) < 0)
 goto fail;
 }
 
diff --git a/wpa_supplicant/wpa_supplicant.c b/wpa_supplicant/wpa_supplicant.c
index 611cf53b8..cf68417ca 100644
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@@ -8001,18 +8001,18 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
 return 1;
 
 #ifdef CRYPTO_RSA_OAEP_SHA256
- if (ssid->eap.imsi_privacy_key) {
+ if (ssid->eap.imsi_privacy_cert) {
 struct crypto_rsa_key *key;
 bool failed = false;
 
- key = crypto_rsa_key_read(ssid->eap.imsi_privacy_key, false);
+ key = crypto_rsa_key_read(ssid->eap.imsi_privacy_cert, false);
 if (!key)
 failed = true;
 crypto_rsa_key_free(key);
 if (failed) {
 wpa_printf(MSG_DEBUG,
- "Invalid imsi_privacy_key (%s) - disable network",
- ssid->eap.imsi_privacy_key);
+ "Invalid imsi_privacy_cert (%s) - disable network",
+ ssid->eap.imsi_privacy_cert);
 return 1;
 }
 }