From 9e834fc648db2e181aaa72663db09c757037bd8e Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 8 Dec 2017 17:05:40 +0200
Subject: [PATCH] EAP-SIM/AKA: Separate identity for MK derivation

This allows a separate configuration parameter (imsi_identity) to be
used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK
derivation for the case where the identity is expected to be from the
last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was
not used). This may be needed to avoid sending out an unprotected
permanent identity information over-the-air and if the EAP-SIM/AKA
server ends up using a value based on the real IMSI during the internal
key derivation operation (that does not expose the data to others).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
 src/eap_peer/eap_aka.c         | 13 +++++++++++--
 src/eap_peer/eap_config.h      |  3 +++
 src/eap_peer/eap_sim.c         | 13 +++++++++++--
 wpa_supplicant/config.c        |  2 ++
 wpa_supplicant/config_file.c   |  1 +
 wpa_supplicant/config_winreg.c |  1 +
 6 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c
index f7e3cd6b8..7a6bfc99f 100644
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@@ -1025,8 +1025,17 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
 	} else if (data->pseudonym) {
 		identity = data->pseudonym;
 		identity_len = data->pseudonym_len;
-	} else
-		identity = eap_get_config_identity(sm, &identity_len);
+	} else {
+		struct eap_peer_config *config;
+
+		config = eap_get_config(sm);
+		if (config && config->imsi_identity) {
+			identity = config->imsi_identity;
+			identity_len = config->imsi_identity_len;
+		} else {
+			identity = eap_get_config_identity(sm, &identity_len);
+		}
+	}
 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK "
 			  "derivation", identity, identity_len);
 	if (data->eap_method == EAP_TYPE_AKA_PRIME) {
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 16521c3a1..d416afd56 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -46,6 +46,9 @@ struct eap_peer_config {
 	 */
 	size_t anonymous_identity_len;
 
+	u8 *imsi_identity;
+	size_t imsi_identity_len;
+
 	/**
 	 * password - Password string for EAP
 	 *
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index 25f592cde..cd687cbf8 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -767,8 +767,17 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
 	} else if (data->pseudonym) {
 		identity = data->pseudonym;
 		identity_len = data->pseudonym_len;
-	} else
-		identity = eap_get_config_identity(sm, &identity_len);
+	} else {
+		struct eap_peer_config *config;
+
+		config = eap_get_config(sm);
+		if (config && config->imsi_identity) {
+			identity = config->imsi_identity;
+			identity_len = config->imsi_identity_len;
+		} else {
+			identity = eap_get_config_identity(sm, &identity_len);
+		}
+	}
 	wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Selected identity for MK "
 			  "derivation", identity, identity_len);
 	eap_sim_derive_mk(identity, identity_len, data->nonce_mt,
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 0ee4d2f4c..c13383d80 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2154,6 +2154,7 @@ static const struct parse_data ssid_fields[] = {
 	{ FUNC(eap) },
 	{ STR_LENe(identity) },
 	{ STR_LENe(anonymous_identity) },
+	{ STR_LENe(imsi_identity) },
 	{ FUNC_KEY(password) },
 	{ STRe(ca_cert) },
 	{ STRe(ca_path) },
@@ -2412,6 +2413,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
 	os_free(eap->eap_methods);
 	bin_clear_free(eap->identity, eap->identity_len);
 	os_free(eap->anonymous_identity);
+	os_free(eap->imsi_identity);
 	bin_clear_free(eap->password, eap->password_len);
 	os_free(eap->ca_cert);
 	os_free(eap->ca_path);
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 370fe2af0..6f2161ea6 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -760,6 +760,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
 	write_eap(f, ssid);
 	STR(identity);
 	STR(anonymous_identity);
+	STR(imsi_identity);
 	STR(password);
 	STR(ca_cert);
 	STR(ca_path);
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 24f496b10..0ba1aa5e8 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -880,6 +880,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
 	write_eap(netw, ssid);
 	STR(identity);
 	STR(anonymous_identity);
+	STR(imsi_identity);
 	STR(password);
 	STR(ca_cert);
 	STR(ca_path);