EAP-SIM/AKA: Add support for anonymous@realm
SIM-based EAP authentication with IMSI encryption requires a special EAP Identity response: anonymous@realm. Then the server sends AKA-Identity request which is answered with the encrypted IMSI. Add logic that indicates if the special anonymous identity is used. Otherwise, this field is used for storing the pseudonym. Test: Connect to Carrier Wi-Fi, verify correct behavior from captures Test: Connect to non IMSI encrypted EAP-AKA AP, verify pseudonym usage Signed-off-by: Hai Shalom <haishalom@google.com>
parent
14d85a5af7
commit
4df4133917
4 changed files with 29 additions and 4 deletions
|
@ -1203,3 +1203,19 @@ void eap_sim_report_notification(void *msg_ctx, int notification, int aka)
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
int eap_sim_anonymous_username(const u8 *id, size_t id_len)
|
||||
{
|
||||
static const char *anonymous_id_prefix = "anonymous@";
|
||||
size_t anonymous_id_len = os_strlen(anonymous_id_prefix);
|
||||
|
||||
if (id_len > anonymous_id_len &&
|
||||
os_memcmp(id, anonymous_id_prefix, anonymous_id_len) == 0)
|
||||
return 1; /* 'anonymous@realm' */
|
||||
|
||||
if (id_len > 1 && id[0] == '@')
|
||||
return 1; /* '@realm' */
|
||||
|
||||
return 0;
|
||||
}
|
||||
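Review bot: eap_sim_anonymous_username() classifies by content alone, so any value held in the pseudonym field that starts with `anonymous@` or with `@` is treated as the anonymous identity, whatever its origin. Whether a server-assigned pseudonym can ever take that form is not visible in this hunk; if it can, the callers would silently stop using it, and an explicit flag set where the anonymous identity is configured would be more robust than a prefix test. The comparison is also byte-exact, so `Anonymous@realm` is not recognised. The function has no header comment; something like `/* Return 1 if id is 'anonymous@realm' or '@realm' (case-sensitive, non-empty realm), 0 otherwise; id must point to id_len readable bytes. */` would state the contract the callers rely on.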
|
|
|
@ -226,5 +226,6 @@ int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr,
|
|||
int attr_pad);
|
||||
|
||||
void eap_sim_report_notification(void *msg_ctx, int notification, int aka);
|
||||
int eap_sim_anonymous_username(const u8 *id, size_t id_len);
|
||||
|
||||
#endif /* EAP_SIM_COMMON_H */
|
||||
|
|
|
@ -623,7 +623,9 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
|
|||
identity_len = data->reauth_id_len;
|
||||
data->reauth = 1;
|
||||
} else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
|
||||
data->pseudonym) {
|
||||
data->pseudonym &&
|
||||
!eap_sim_anonymous_username(data->pseudonym,
|
||||
data->pseudonym_len)) {
|
||||
identity = data->pseudonym;
|
||||
identity_len = data->pseudonym_len;
|
||||
eap_aka_clear_identities(sm, data, CLEAR_REAUTH_ID);
|
||||
|
@ -1027,7 +1029,9 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
|
|||
if (data->last_eap_identity) {
|
||||
identity = data->last_eap_identity;
|
||||
identity_len = data->last_eap_identity_len;
|
||||
} else if (data->pseudonym) {
|
||||
} else if (data->pseudonym &&
|
||||
!eap_sim_anonymous_username(data->pseudonym,
|
||||
data->pseudonym_len)) {
|
||||
identity = data->pseudonym;
|
||||
identity_len = data->pseudonym_len;
|
||||
} else {
|
||||
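Review bot: With the added `!eap_sim_anonymous_username(data->pseudonym, data->pseudonym_len)` test, an anonymous value in `data->pseudonym` now falls through to whatever branch follows each `else if`, and in eap_aka_response_identity() that branch lies outside the hunk. It should be confirmed there that the identity sent in this case is the encrypted one described in the commit message and never the cleartext permanent identity. A comment above the condition would record that intent, for example `/* anonymous@realm is only a placeholder, never a pseudonym: skip it here */`. The same condition is repeated in eap_aka_process_challenge() and in the hunks for eap_sim_response_start() and eap_sim_process_challenge(); a small static helper that returns non-zero only for a non-NULL, non-anonymous pseudonym would keep the four sites from drifting apart.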
|
|
|
@ -493,7 +493,9 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
|
|||
identity_len = data->reauth_id_len;
|
||||
data->reauth = 1;
|
||||
} else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
|
||||
data->pseudonym) {
|
||||
data->pseudonym &&
|
||||
!eap_sim_anonymous_username(data->pseudonym,
|
||||
data->pseudonym_len)) {
|
||||
identity = data->pseudonym;
|
||||
identity_len = data->pseudonym_len;
|
||||
eap_sim_clear_identities(sm, data, CLEAR_REAUTH_ID);
|
||||
|
@ -769,7 +771,9 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
|
|||
if (data->last_eap_identity) {
|
||||
identity = data->last_eap_identity;
|
||||
identity_len = data->last_eap_identity_len;
|
||||
} else if (data->pseudonym) {
|
||||
} else if (data->pseudonym &&
|
||||
!eap_sim_anonymous_username(data->pseudonym,
|
||||
data->pseudonym_len)) {
|
||||
identity = data->pseudonym;
|
||||
identity_len = data->pseudonym_len;
|
||||
} else {
|
||||
|
|