Rename wpa_supplicant imsi_privacy_key configuration parameter

Use imsi_privacy_cert as the name of the configuration parameter for the X.509v3 certificate that contains the RSA public key needed for IMSI privacy. The only allowed format for this information is a PEM-encoded X.509 certificate, so the previous name was somewhat confusing. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-05-24 00:07:12 +03:00 · 2022-05-24 00:07:12 +03:00 · 99165cc4b0
commit 99165cc4b0
parent dde7f90a41
11 changed files with 47 additions and 47 deletions
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@ -1696,7 +1696,7 @@ struct wpabuf * eap_sm_buildIdentity(struct eap_sm *sm, int id, int encrypted)
 		identity_len = config->machine_identity_len;
 		wpa_hexdump_ascii(MSG_DEBUG, "EAP: using machine identity",
 				  identity, identity_len);
-	} else if (config->imsi_privacy_key && config->identity &&
+	} else if (config->imsi_privacy_cert && config->identity &&
 		   config->identity_len > 0) {
 		const u8 *pos = config->identity;
 		const u8 *end = config->identity + config->identity_len;
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@ -103,20 +103,20 @@ static void * eap_aka_init(struct eap_sm *sm)
 	data->eap_method = EAP_TYPE_AKA;
-	if (config && config->imsi_privacy_key) {
+	if (config && config->imsi_privacy_cert) {
 #ifdef CRYPTO_RSA_OAEP_SHA256
 		data->imsi_privacy_key = crypto_rsa_key_read(
-			config->imsi_privacy_key, false);
+			config->imsi_privacy_cert, false);
 		if (!data->imsi_privacy_key) {
 			wpa_printf(MSG_ERROR,
-				   "EAP-AKA: Failed to read/parse IMSI privacy key %s",
+				   "EAP-AKA: Failed to read/parse IMSI privacy certificate %s",
-				   config->imsi_privacy_key);
+				   config->imsi_privacy_cert);
 			os_free(data);
 			return NULL;
 		}
 #else /* CRYPTO_RSA_OAEP_SHA256 */
 		wpa_printf(MSG_ERROR,
-			   "EAP-AKA: No support for imsi_privacy_key in the build");
+			   "EAP-AKA: No support for imsi_privacy_cert in the build");
 		os_free(data);
 		return NULL;
 #endif /* CRYPTO_RSA_OAEP_SHA256 */
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@ -318,14 +318,14 @@ struct eap_peer_config {
 	size_t imsi_identity_len;
 	/**
-	 * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+	 * imsi_privacy_cert - IMSI privacy certificate
 	 *
 	 * This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
-	 * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
+	 * identity (IMSI) to improve privacy. The referenced PEM-encoded
-	 * include a 2048-bit RSA public key and this is from the operator who
+	 * X.509v3 certificate needs to include a 2048-bit RSA public key and
-	 * authenticates the SIM/USIM.
+	 * this is from the operator who authenticates the SIM/USIM.
 	 */
-	char *imsi_privacy_key;
+	char *imsi_privacy_cert;
 	/**
 	 * machine_identity - EAP Identity for machine credential
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@ -101,20 +101,20 @@ static void * eap_sim_init(struct eap_sm *sm)
 		return NULL;
 	}
-	if (config && config->imsi_privacy_key) {
+	if (config && config->imsi_privacy_cert) {
 #ifdef CRYPTO_RSA_OAEP_SHA256
 		data->imsi_privacy_key = crypto_rsa_key_read(
-			config->imsi_privacy_key, false);
+			config->imsi_privacy_cert, false);
 		if (!data->imsi_privacy_key) {
 			wpa_printf(MSG_ERROR,
-				   "EAP-SIM: Failed to read/parse IMSI privacy key %s",
+				   "EAP-SIM: Failed to read/parse IMSI privacy certificate %s",
-				   config->imsi_privacy_key);
+				   config->imsi_privacy_cert);
 			os_free(data);
 			return NULL;
 		}
 #else /* CRYPTO_RSA_OAEP_SHA256 */
 		wpa_printf(MSG_ERROR,
-			   "EAP-SIM: No support for imsi_privacy_key in the build");
+			   "EAP-SIM: No support for imsi_privacy_cert in the build");
 		os_free(data);
 		return NULL;
 #endif /* CRYPTO_RSA_OAEP_SHA256 */
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@ -346,7 +346,7 @@ def test_ap_wpa2_eap_sim_imsi_identity(dev, apdev, params):
    eap_reauth(dev[0], "SIM")
 def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
-    """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_key"""
+    """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_cert"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -359,7 +359,7 @@ def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
    eap_connect(dev[0], hapd, "SIM",
                "1232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
-                imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+                imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
    eap_reauth(dev[0], "SIM")
@ -1131,7 +1131,7 @@ def test_ap_wpa2_eap_aka_imsi_identity(dev, apdev, params):
    eap_reauth(dev[0], "AKA")
 def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
-    """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_key"""
+    """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_cert"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -1144,12 +1144,12 @@ def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
    eap_connect(dev[0], hapd, "AKA",
                "0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
-                imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+                imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_reauth(dev[0], "AKA")
 def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
-    """WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_key"""
+    """WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_cert"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -1166,7 +1166,7 @@ def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
                   eap="AKA",
                   identity="0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
-                   imsi_privacy_key="auth_serv/imsi-privacy-cert-2.pem",
+                   imsi_privacy_cert="auth_serv/imsi-privacy-cert-2.pem",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    ev = dev[0].wait_event(["Trying to associate with"], timeout=10)
    if ev is not None:
@ -1428,7 +1428,7 @@ def test_ap_wpa2_eap_aka_prime_imsi_identity(dev, apdev, params):
    eap_reauth(dev[0], "AKA'")
 def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
-    """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_key"""
+    """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_cert"""
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
@ -1441,7 +1441,7 @@ def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
    eap_connect(dev[0], hapd, "AKA'",
                "6555444333222111@wlan.mnc555.mcc44.3gppnetwork.org",
-                imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+                imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
                password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
    eap_reauth(dev[0], "AKA'")
--- a/tests/hwsim/test_ap_hs20.py
+++ b/tests/hwsim/test_ap_hs20.py
@ -545,7 +545,7 @@ def hs20_simulated_sim(dev, ap, method, imsi_privacy=False):
        tls = dev.request("GET tls_library")
        if not tls.startswith("OpenSSL"):
            raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
-        params['imsi_privacy_key'] = "auth_serv/imsi-privacy-cert.pem"
+        params['imsi_privacy_cert'] = "auth_serv/imsi-privacy-cert.pem"
    dev.add_cred_values(params)
    interworking_select(dev, bssid, "home", freq="2412")
    interworking_connect(dev, bssid, method)
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@ -454,7 +454,7 @@ class WpaSupplicant:
                  "excluded_ssid", "milenage", "ca_cert", "client_cert",
                  "private_key", "domain_suffix_match", "provisioning_sp",
                  "roaming_partner", "phase1", "phase2", "private_key_passwd",
-                  "roaming_consortiums", "imsi_privacy_key"]
+                  "roaming_consortiums", "imsi_privacy_cert"]
        for field in quoted:
            if field in params:
                self.set_cred_quoted(id, field, params[field])
@ -1083,7 +1083,7 @@ class WpaSupplicant:
                  "sae_password_id", "check_cert_subject",
                  "machine_ca_cert", "machine_client_cert",
                  "machine_private_key", "machine_phase2",
-                  "imsi_identity", "imsi_privacy_key"]
+                  "imsi_identity", "imsi_privacy_cert"]
        for field in quoted:
            if field in kwargs and kwargs[field]:
                self.set_network_quoted(id, field, kwargs[field])
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@ -2503,7 +2503,7 @@ static const struct parse_data ssid_fields[] = {
 	{ INTe(machine_ocsp, machine_cert.ocsp) },
 	{ INT(eapol_flags) },
 	{ INTe(sim_num, sim_num) },
-	{ STRe(imsi_privacy_key, imsi_privacy_key) },
+	{ STRe(imsi_privacy_cert, imsi_privacy_cert) },
 	{ STRe(openssl_ciphers, openssl_ciphers) },
 	{ INTe(erp, erp) },
 #endif /* IEEE8021X_EAPOL */
@ -2771,7 +2771,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 	bin_clear_free(eap->identity, eap->identity_len);
 	os_free(eap->anonymous_identity);
 	os_free(eap->imsi_identity);
-	os_free(eap->imsi_privacy_key);
+	os_free(eap->imsi_privacy_cert);
 	os_free(eap->machine_identity);
 	bin_clear_free(eap->password, eap->password_len);
 	bin_clear_free(eap->machine_password, eap->machine_password_len);
@ -2875,7 +2875,7 @@ void wpa_config_free_cred(struct wpa_cred *cred)
 		os_free(cred->req_conn_capab_port[i]);
 	os_free(cred->req_conn_capab_port);
 	os_free(cred->req_conn_capab_proto);
-	os_free(cred->imsi_privacy_key);
+	os_free(cred->imsi_privacy_cert);
 	os_free(cred);
 }
@ -3911,9 +3911,9 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
 		return 0;
 	}
-	if (os_strcmp(var, "imsi_privacy_key") == 0) {
+	if (os_strcmp(var, "imsi_privacy_cert") == 0) {
-		os_free(cred->imsi_privacy_key);
+		os_free(cred->imsi_privacy_cert);
-		cred->imsi_privacy_key = val;
+		cred->imsi_privacy_cert = val;
 		return 0;
 	}
@ -4067,8 +4067,8 @@ char * wpa_config_get_cred_no_key(struct wpa_cred *cred, const char *var)
 	if (os_strcmp(var, "imsi") == 0)
 		return alloc_strdup(cred->imsi);
-	if (os_strcmp(var, "imsi_privacy_key") == 0)
+	if (os_strcmp(var, "imsi_privacy_cert") == 0)
-		return alloc_strdup(cred->imsi_privacy_key);
+		return alloc_strdup(cred->imsi_privacy_cert);
 	if (os_strcmp(var, "milenage") == 0) {
 		if (!(cred->milenage))
--- a/wpa_supplicant/config.h
+++ b/wpa_supplicant/config.h
@ -181,14 +181,14 @@ struct wpa_cred {
 	char *milenage;
 	/**
-	 * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+	 * imsi_privacy_cert - IMSI privacy certificate
 	 *
 	 * This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
-	 * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
+	 * identity (IMSI) to improve privacy. The referenced PEM-encoded
-	 * include a 2048-bit RSA public key and this is from the operator who
+	 * X.509v3 certificate needs to include a 2048-bit RSA public key and
-	 * authenticates the SIM/USIM.
+	 * this is from the operator who authenticates the SIM/USIM.
 	 */
-	char *imsi_privacy_key;
+	char *imsi_privacy_cert;
 	/**
 	 * engine - Use an engine for private key operations
--- a/wpa_supplicant/interworking.c
+++ b/wpa_supplicant/interworking.c
@ -1065,9 +1065,9 @@ static int interworking_connect_3gpp(struct wpa_supplicant *wpa_s,
 			goto fail;
 	}
-	if (cred->imsi_privacy_key && cred->imsi_privacy_key[0]) {
+	if (cred->imsi_privacy_cert && cred->imsi_privacy_cert[0]) {
-		if (wpa_config_set_quoted(ssid, "imsi_privacy_key",
+		if (wpa_config_set_quoted(ssid, "imsi_privacy_cert",
-					  cred->imsi_privacy_key) < 0)
+					  cred->imsi_privacy_cert) < 0)
 			goto fail;
 	}
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
@ -8001,18 +8001,18 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
 		return 1;
 #ifdef CRYPTO_RSA_OAEP_SHA256
-	if (ssid->eap.imsi_privacy_key) {
+	if (ssid->eap.imsi_privacy_cert) {
 		struct crypto_rsa_key *key;
 		bool failed = false;
-		key = crypto_rsa_key_read(ssid->eap.imsi_privacy_key, false);
+		key = crypto_rsa_key_read(ssid->eap.imsi_privacy_cert, false);
 		if (!key)
 			failed = true;
 		crypto_rsa_key_free(key);
 		if (failed) {
 			wpa_printf(MSG_DEBUG,
-				   "Invalid imsi_privacy_key (%s) - disable network",
+				   "Invalid imsi_privacy_cert (%s) - disable network",
-				   ssid->eap.imsi_privacy_key);
+				   ssid->eap.imsi_privacy_cert);
 			return 1;
 		}
 	}