authorJouni Malinen <jouni@codeaurora.org>2019-07-31 19:33:04 (GMT)
committerJouni Malinen <j@w1.fi>2019-07-31 19:33:04 (GMT)
commitc1b2365214beacd834811fad2774e03177e008ce (patch)
tree94e8ab3f8f3823ad379646800a5c08036e5a8a0a /src
parentcc2fd94258c528a576c94c2fe133a2c47c965b84 (diff)
EAP-SIM/AKA: Do not allow anonymous@realm "pseudonym" to be cleared
If the EAP-SIM/AKA server does not provide a new pseudonym and the locally configured "pseudonym" in anonymous_identity is actually an anonymous identity instead of a real EAP-SIM/AKA pseudonym, do not clear the anonymous_identity network profile parameter. This is needed to avoid forgetting the anonymous identity when going through EAP-SIM/AKA authentication and then reverting back to using IMSI-based (e.g., encrypted) identity. Fixes: 4df4133917ab ("EAP-SIM/AKA: Add support for anonymous@realm") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Diffstat (limited to 'src')
-rw-r--r--src/eap_peer/eap_aka.c9
-rw-r--r--src/eap_peer/eap_sim.c9
2 files changed, 14 insertions, 4 deletions
diff --git a/src/eap_peer/eap_aka.c b/src/eap_peer/eap_aka.c
index f5abb79..d50bc61 100644
--- a/src/eap_peer/eap_aka.c
+++ b/src/eap_peer/eap_aka.c
@@ -632,8 +632,13 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
} else if (id_req != NO_ID_REQ) {
identity = eap_get_config_identity(sm, &identity_len);
if (identity) {
- eap_aka_clear_identities(sm, data, CLEAR_PSEUDONYM |
- CLEAR_REAUTH_ID);
+ int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+ if (data->pseudonym &&
+ eap_sim_anonymous_username(data->pseudonym,
+ data->pseudonym_len))
+ ids &= ~CLEAR_PSEUDONYM;
+ eap_aka_clear_identities(sm, data, ids);
}
}
if (id_req != NO_ID_REQ)
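Review bot: The added check in eap_aka_response_identity() tests the runtime copy `data->pseudonym` rather than the configured anonymous_identity the commit message describes, so a value in anonymous@realm form that reached `data->pseudonym` from the server would presumably be preserved too; whether that can happen depends on eap_sim_anonymous_username() and on the code that fills `data->pseudonym`, neither of which is visible in this hunk. A comment above the `if` would record the intent, for example `/* Keep a configured anonymous@realm value; it is not a server-assigned pseudonym */`. The same lines are added to eap_sim_response_start() in eap_sim.c, so the point applies there as well, and the mask computation could live in one shared helper instead of two copies that can drift apart. Both functions start and end outside their hunks.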
diff --git a/src/eap_peer/eap_sim.c b/src/eap_peer/eap_sim.c
index c4070ab..2ea4efd 100644
--- a/src/eap_peer/eap_sim.c
+++ b/src/eap_peer/eap_sim.c
@@ -502,8 +502,13 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
} else if (id_req != NO_ID_REQ) {
identity = eap_get_config_identity(sm, &identity_len);
if (identity) {
- eap_sim_clear_identities(sm, data, CLEAR_PSEUDONYM |
- CLEAR_REAUTH_ID);
+ int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+ if (data->pseudonym &&
+ eap_sim_anonymous_username(data->pseudonym,
+ data->pseudonym_len))
+ ids &= ~CLEAR_PSEUDONYM;
+ eap_sim_clear_identities(sm, data, ids);
}
}
if (id_req != NO_ID_REQ)