From c1b2365214beacd834811fad2774e03177e008ce Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 31 Jul 2019 22:33:04 +0300
Subject: [PATCH] EAP-SIM/AKA: Do not allow anonymous@realm "pseudonym" to be cleared

If the EAP-SIM/AKA server does not provide a new pseudonym and the locally configured "pseudonym" in anonymous_identity is actually an anonymous identitity instead of a real EAP-SIM/AKA pseudonym, do not clear the anonymous_identity network profile parameter. This is needed to avoid forgetting the anonymous identity when going through EAP-SIM/AKA authentication and then reverting back to using IMSI-based (e.g., encrypted) identity.

Fixes: 4df4133917ab ("EAP-SIM/AKA: Add support for anonymous@realm")
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_aka.c | 9 +++++++--
 src/eap_peer/eap_sim.c | 9 +++++++--
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c
index f5abb79fc..d50bc6186 100644
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@@ -632,8 +632,13 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
 } else if (id_req != NO_ID_REQ) {
 identity = eap_get_config_identity(sm, &identity_len);
 if (identity) {
- eap_aka_clear_identities(sm, data, CLEAR_PSEUDONYM |
- CLEAR_REAUTH_ID);
+ int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+ if (data->pseudonym &&
+ eap_sim_anonymous_username(data->pseudonym,
+ data->pseudonym_len))
+ ids &= ~CLEAR_PSEUDONYM;
+ eap_aka_clear_identities(sm, data, ids);
 }
 }
 if (id_req != NO_ID_REQ)
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index c4070ab33..2ea4efd07 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
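Review bot: The new branch keeps data->pseudonym solely on the verdict of eap_sim_anonymous_username(), and nothing in the hunk says why a stored "pseudonym" that looks like an anonymous identity must survive an identity request, so the next reader is likely to fold it back into the unconditional clear. I would put the reason above the `if`: `/* anonymous_identity may hold a plain anonymous@realm identity rather than a server-issued pseudonym; only a real pseudonym is dropped here */`. The same seven added lines appear verbatim in eap_sim_response_start() in eap_sim.c (second hunk); a small helper next to eap_sim_anonymous_username() in the shared EAP-SIM code would keep the two callers in step. A pseudonym the server itself issued would also be retained if it happened to match the anonymous form — presumably harmless, but worth confirming against how pseudonyms are generated. eap_aka_response_identity() begins and ends outside the hunk.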
@@ -502,8 +502,13 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
 } else if (id_req != NO_ID_REQ) {
 identity = eap_get_config_identity(sm, &identity_len);
 if (identity) {
- eap_sim_clear_identities(sm, data, CLEAR_PSEUDONYM |
- CLEAR_REAUTH_ID);
+ int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+ if (data->pseudonym &&
+ eap_sim_anonymous_username(data->pseudonym,
+ data->pseudonym_len))
+ ids &= ~CLEAR_PSEUDONYM;
+ eap_sim_clear_identities(sm, data, ids);
 }
 }
 if (id_req != NO_ID_REQ)