aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJouni Malinen <jouni@qca.qualcomm.com>2017-12-08 15:05:40 (GMT)
committerJouni Malinen <j@w1.fi>2018-01-21 09:28:53 (GMT)
commit9e834fc648db2e181aaa72663db09c757037bd8e (patch)
treea35d8e6d22156c742e9de4cea74f15830eb5e5d4
parentb6b5e3554a73006eefaf5ce83464ec996e944839 (diff)
downloadhostap-9e834fc648db2e181aaa72663db09c757037bd8e.zip
hostap-9e834fc648db2e181aaa72663db09c757037bd8e.tar.gz
hostap-9e834fc648db2e181aaa72663db09c757037bd8e.tar.bz2
EAP-SIM/AKA: Separate identity for MK derivation
This allows a separate configuration parameter (imsi_identity) to be used in EAP-SIM/AKA/AKA' profiles to override the identity used in MK derivation for the case where the identity is expected to be from the last AT_IDENTITY attribute (or EAP-Response/Identity if AT_IDENTITY was not used). This may be needed to avoid sending out an unprotected permanent identity information over-the-air and if the EAP-SIM/AKA server ends up using a value based on the real IMSI during the internal key derivation operation (that does not expose the data to others). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-rw-r--r--src/eap_peer/eap_aka.c13
-rw-r--r--src/eap_peer/eap_config.h3
-rw-r--r--src/eap_peer/eap_sim.c13
-rw-r--r--wpa_supplicant/config.c2
-rw-r--r--wpa_supplicant/config_file.c1
-rw-r--r--wpa_supplicant/config_winreg.c1
6 files changed, 29 insertions, 4 deletions
diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c
index f7e3cd6..7a6bfc9 100644
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@@ -1025,8 +1025,17 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
} else if (data->pseudonym) {
identity = data->pseudonym;
identity_len = data->pseudonym_len;
- } else
- identity = eap_get_config_identity(sm, &identity_len);
+ } else {
+ struct eap_peer_config *config;
+
+ config = eap_get_config(sm);
+ if (config && config->imsi_identity) {
+ identity = config->imsi_identity;
+ identity_len = config->imsi_identity_len;
+ } else {
+ identity = eap_get_config_identity(sm, &identity_len);
+ }
+ }
wpa_hexdump_ascii(MSG_DEBUG, "EAP-AKA: Selected identity for MK "
"derivation", identity, identity_len);
if (data->eap_method == EAP_TYPE_AKA_PRIME) {
diff --git a/src/eap_peer/eap_config.h b/src/eap_peer/eap_config.h
index 16521c3..d416afd 100644
--- a/src/eap_peer/eap_config.h
+++ b/src/eap_peer/eap_config.h
@@ -46,6 +46,9 @@ struct eap_peer_config {
*/
size_t anonymous_identity_len;
+ u8 *imsi_identity;
+ size_t imsi_identity_len;
+
/**
* password - Password string for EAP
*
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index 25f592c..cd687cb 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -767,8 +767,17 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
} else if (data->pseudonym) {
identity = data->pseudonym;
identity_len = data->pseudonym_len;
- } else
- identity = eap_get_config_identity(sm, &identity_len);
+ } else {
+ struct eap_peer_config *config;
+
+ config = eap_get_config(sm);
+ if (config && config->imsi_identity) {
+ identity = config->imsi_identity;
+ identity_len = config->imsi_identity_len;
+ } else {
+ identity = eap_get_config_identity(sm, &identity_len);
+ }
+ }
wpa_hexdump_ascii(MSG_DEBUG, "EAP-SIM: Selected identity for MK "
"derivation", identity, identity_len);
eap_sim_derive_mk(identity, identity_len, data->nonce_mt,
diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c
index 0ee4d2f..c13383d 100644
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
@@ -2154,6 +2154,7 @@ static const struct parse_data ssid_fields[] = {
{ FUNC(eap) },
{ STR_LENe(identity) },
{ STR_LENe(anonymous_identity) },
+ { STR_LENe(imsi_identity) },
{ FUNC_KEY(password) },
{ STRe(ca_cert) },
{ STRe(ca_path) },
@@ -2412,6 +2413,7 @@ static void eap_peer_config_free(struct eap_peer_config *eap)
os_free(eap->eap_methods);
bin_clear_free(eap->identity, eap->identity_len);
os_free(eap->anonymous_identity);
+ os_free(eap->imsi_identity);
bin_clear_free(eap->password, eap->password_len);
os_free(eap->ca_cert);
os_free(eap->ca_path);
diff --git a/wpa_supplicant/config_file.c b/wpa_supplicant/config_file.c
index 370fe2a..6f2161e 100644
--- a/wpa_supplicant/config_file.c
+++ b/wpa_supplicant/config_file.c
@@ -760,6 +760,7 @@ static void wpa_config_write_network(FILE *f, struct wpa_ssid *ssid)
write_eap(f, ssid);
STR(identity);
STR(anonymous_identity);
+ STR(imsi_identity);
STR(password);
STR(ca_cert);
STR(ca_path);
diff --git a/wpa_supplicant/config_winreg.c b/wpa_supplicant/config_winreg.c
index 24f496b..0ba1aa5 100644
--- a/wpa_supplicant/config_winreg.c
+++ b/wpa_supplicant/config_winreg.c
@@ -880,6 +880,7 @@ static int wpa_config_write_network(HKEY hk, struct wpa_ssid *ssid, int id)
write_eap(netw, ssid);
STR(identity);
STR(anonymous_identity);
+ STR(imsi_identity);
STR(password);
STR(ca_cert);
STR(ca_path);