EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK derivation for the case where the identity is expected to be from the last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was not used). This may be needed to avoid sending unprotected permanent identity information over the air when the EAP-SIM/AKA server ends up using a value based on the real IMSI during the internal key derivation operation (which does not expose the data to others). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit is contained in:
parent
b6b5e3554a
commit
9e834fc648
6 changed files with 29 additions and 4 deletions
|
@ -1025,8 +1025,17 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
|
|||
} else if (data->pseudonym) {
|
||||
identity = data->pseudonym;
|
||||
identity_len = data->pseudonym_len;
|
||||
} else
|
||||
identity = eap_get_config_identity(sm, &identity_len);
|
||||
} else {
|
||||
struct eap_peer_config *config;
|
||||
|
||||
config = eap_get_config(sm);
|
||||
if (config && config->imsi_identity) {
|
||||
identity = config->imsi_identity;
|
||||
identity_len = config->imsi_identity_len;
|
||||
} else {
|
||||
identity = eap_get_config_identity(sm, &identity_len);
|
||||
}
|
||||
}
|
||||
wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK "
|
||||
"derivation", identity, identity_len);
|
||||
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
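Review bot: With the new else branch, the existing `wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK derivation", ...)` call now prints the configured imsi_identity, i.e. a value derived from the permanent IMSI that this change exists to keep off the air, into the ordinary debug log. Since the `identity` pointer here may now carry that permanent value, the dump looks like a candidate for the key-data variant, `wpa_hexdump_ascii_key(MSG_DEBUG, "EAP-AKA: Selected identity for MK derivation", identity, identity_len);`, so it is only emitted when key material is explicitly requested. The eleven-line imsi_identity selection block is repeated verbatim in the eap_sim_process_challenge hunk below; a small shared helper in the common EAP-SIM code that takes `sm` and returns the selected identity/length would keep the two in step. eap_aka_process_challenge starts and ends outside this hunk, so the preceding `if` branch is not visible here.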
|
||||
|
|
|
@ -46,6 +46,9 @@ struct eap_peer_config {
|
|||
*/
|
||||
size_t anonymous_identity_len;
|
||||
|
||||
u8 *imsi_identity;
|
||||
size_t imsi_identity_len;
|
||||
|
||||
/**
|
||||
* password - Password string for EAP
|
||||
*
|
||||
|
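Review bot: The two new struct members `imsi_identity` and `imsi_identity_len` are added without the Doxygen-style block comment every neighbouring field in eap_peer_config carries (the closing `*/` of anonymous_identity's comment is visible at the top of the hunk, and password's opens right after). A comment in that same style should state that imsi_identity is the identity used for EAP-SIM/AKA/AKA' MK derivation in place of the configured identity when neither the last AT_IDENTITY nor a pseudonym is in use, that the buffer is owned by the config and released in eap_peer_config_free, and that imsi_identity_len is its length in bytes; as far as the hunks on this page show it is consumed only by the MK derivation paths, which is worth saying explicitly so nobody later reuses it as an over-the-air identity. The struct definition itself starts and ends outside this hunk.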
|
|
@ -767,8 +767,17 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
|
|||
} else if (data->pseudonym) {
|
||||
identity = data->pseudonym;
|
||||
identity_len = data->pseudonym_len;
|
||||
} else
|
||||
identity = eap_get_config_identity(sm, &identity_len);
|
||||
} else {
|
||||
struct eap_peer_config *config;
|
||||
|
||||
config = eap_get_config(sm);
|
||||
if (config && config->imsi_identity) {
|
||||
identity = config->imsi_identity;
|
||||
identity_len = config->imsi_identity_len;
|
||||
} else {
|
||||
identity = eap_get_config_identity(sm, &identity_len);
|
||||
}
|
||||
}
|
||||
wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Selected identity for MK "
|
||||
"derivation", identity, identity_len);
|
||||
eap_sim_derive_mk(identity, identity_len, data->nonce_mt,
|
||||
|
|
|
@ -2154,6 +2154,7 @@ static const struct parse_data ssid_fields[] = {
|
|||
{ FUNC(eap) },
|
||||
{ STR_LENe(identity) },
|
||||
{ STR_LENe(anonymous_identity) },
|
||||
{ STR_LENe(imsi_identity) },
|
||||
{ FUNC_KEY(password) },
|
||||
{ STRe(ca_cert) },
|
||||
{ STRe(ca_path) },
|
||||
|
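Review bot: `{ STR_LENe(imsi_identity) }` registers the IMSI-based value as an ordinary string field, so it presumably receives the same non-secret treatment in the parser's debug dump as `identity` and `anonymous_identity`, whereas the neighbouring `FUNC_KEY(password)` entry marks its value as key data. Given that the whole point of this parameter is to hold permanent identity information that must not leak, it is worth checking whether the parse-data table offers a key-data form of the STR_LENe entry and, if so, using it for this field so the raw IMSI only appears in logs when key dumping is explicitly enabled. This is inferred from the macro names on the page; the macro definitions are not in the hunk.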
@ -2412,6 +2413,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
|
|||
os_free(eap->eap_methods);
|
||||
bin_clear_free(eap->identity, eap->identity_len);
|
||||
os_free(eap->anonymous_identity);
|
||||
os_free(eap->imsi_identity);
|
||||
bin_clear_free(eap->password, eap->password_len);
|
||||
os_free(eap->ca_cert);
|
||||
os_free(eap->ca_path);
|
||||
|
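Review bot: The new `os_free(eap->imsi_identity);` releases the buffer without clearing it, while `identity` two lines above is released with `bin_clear_free(eap->identity, eap->identity_len);`. The imsi_identity value is explicitly a stand-in for the permanent IMSI that the commit wants to keep unexposed, and the struct already carries `imsi_identity_len`, so the consistent and safer form is `bin_clear_free(eap->imsi_identity, eap->imsi_identity_len);`. eap_peer_config_free continues outside this hunk.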
|
|
@ -760,6 +760,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
|
|||
write_eap(f, ssid);
|
||||
STR(identity);
|
||||
STR(anonymous_identity);
|
||||
STR(imsi_identity);
|
||||
STR(password);
|
||||
STR(ca_cert);
|
||||
STR(ca_path);
|
||||
|
|
|
@ -880,6 +880,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
|
|||
write_eap(netw, ssid);
|
||||
STR(identity);
|
||||
STR(anonymous_identity);
|
||||
STR(imsi_identity);
|
||||
STR(password);
|
||||
STR(ca_cert);
|
||||
STR(ca_path);
|
||||
|
|