EAP-SIM: Don't use anonymous identity in phase2
The "anonymous_identity" configuration field has more than one semantic meaning. For tunneled EAP methods, this refers to the outer EAP identity. For EAP-SIM, this refers to the pseudonym identity. Also, interestingly, EAP-SIM can overwrite the "anonymous_identity" field if one is provided to it by the authenticator. When EAP-SIM is tunneled within an outer method, it makes sense to only use this value for the outer method, since it's unlikely that this will also be valid as an identity for the inner EAP-SIM method. Also, presumably since the outer method protects the EAP-SIM transaction, there is no need for a pseudonym in this usage. Similarly, if EAP-SIM is being used as an inner method, it must not push the pseudonym identity using eap_set_anon_id() since it could overwrite the identity for the outer EAP method. Signed-off-by: Paul Stewart <pstew@google.com>
This commit is contained in:
parent
ed9b1c16d5
commit
9e2afe10e6
1 changed files with 8 additions and 3 deletions
|
@ -46,6 +46,7 @@ struct eap_sim_data {
|
||||||
CONTINUE, RESULT_SUCCESS, SUCCESS, FAILURE
|
CONTINUE, RESULT_SUCCESS, SUCCESS, FAILURE
|
||||||
} state;
|
} state;
|
||||||
int result_ind, use_result_ind;
|
int result_ind, use_result_ind;
|
||||||
|
int use_pseudonym;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -115,7 +116,8 @@ static void * eap_sim_init(struct eap_sm *sm)
|
||||||
NULL;
|
NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (config && config->anonymous_identity) {
|
data->use_pseudonym = !sm->init_phase2;
|
||||||
|
if (config && config->anonymous_identity && data->use_pseudonym) {
|
||||||
data->pseudonym = os_malloc(config->anonymous_identity_len);
|
data->pseudonym = os_malloc(config->anonymous_identity_len);
|
||||||
if (data->pseudonym) {
|
if (data->pseudonym) {
|
||||||
os_memcpy(data->pseudonym, config->anonymous_identity,
|
os_memcpy(data->pseudonym, config->anonymous_identity,
|
||||||
|
@ -372,7 +374,8 @@ static void eap_sim_clear_identities(struct eap_sm *sm,
|
||||||
os_free(data->pseudonym);
|
os_free(data->pseudonym);
|
||||||
data->pseudonym = NULL;
|
data->pseudonym = NULL;
|
||||||
data->pseudonym_len = 0;
|
data->pseudonym_len = 0;
|
||||||
eap_set_anon_id(sm, NULL, 0);
|
if (data->use_pseudonym)
|
||||||
|
eap_set_anon_id(sm, NULL, 0);
|
||||||
}
|
}
|
||||||
if ((id & CLEAR_REAUTH_ID) && data->reauth_id) {
|
if ((id & CLEAR_REAUTH_ID) && data->reauth_id) {
|
||||||
wpa_printf(MSG_DEBUG, "EAP-SIM: forgetting old reauth_id");
|
wpa_printf(MSG_DEBUG, "EAP-SIM: forgetting old reauth_id");
|
||||||
|
@ -427,7 +430,9 @@ static int eap_sim_learn_ids(struct eap_sm *sm, struct eap_sim_data *data,
|
||||||
realm, realm_len);
|
realm, realm_len);
|
||||||
}
|
}
|
||||||
data->pseudonym_len = attr->next_pseudonym_len + realm_len;
|
data->pseudonym_len = attr->next_pseudonym_len + realm_len;
|
||||||
eap_set_anon_id(sm, data->pseudonym, data->pseudonym_len);
|
if (data->use_pseudonym)
|
||||||
|
eap_set_anon_id(sm, data->pseudonym,
|
||||||
|
data->pseudonym_len);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (attr->next_reauth_id) {
|
if (attr->next_reauth_id) {
|
||||||
|
|
Loading…
Reference in a new issue