EAP-SIM/AKA: Add support for anonymous@realm
authorHai Shalom <haishalom@google.com>
Wed, 29 May 2019 03:30:41 +0000 (20:30 -0700)
committerJouni Malinen <j@w1.fi>
Fri, 31 May 2019 13:52:15 +0000 (16:52 +0300)
SIM-based EAP authentication with IMSI encryption requires a special EAP
Identity response: anonymous@realm. Then the server sends AKA-Identity
request which is answered with the encrypted IMSI. Add logic that
indicates whether the special anonymous identity is in use; otherwise,
this field is used for storing the pseudonym.

Test: Connect to Carrier Wi-Fi, verify correct behavior from captures
Test: Connect to non IMSI encrypted EAP-AKA AP, verify pseudonym usage
Signed-off-by: Hai Shalom <haishalom@google.com>
src/eap_common/eap_sim_common.c
src/eap_common/eap_sim_common.h
src/eap_peer/eap_aka.c
src/eap_peer/eap_sim.c

index 6290c35f1a6b81e0f082fa3fcd88f8d3acb683e3..cfdd1bf4a8ab5cae00d1852fcaaf524e4d925409 100644 (file)
@@ -1203,3 +1203,19 @@ void eap_sim_report_notification(void *msg_ctx, int notification, int aka)
                }
        }
 }
+
+
+int eap_sim_anonymous_username(const u8 *id, size_t id_len)
+{
+       static const char *anonymous_id_prefix = "anonymous@";
+       size_t anonymous_id_len = os_strlen(anonymous_id_prefix);
+
+       if (id_len > anonymous_id_len &&
+           os_memcmp(id, anonymous_id_prefix, anonymous_id_len) == 0)
+               return 1; /* 'anonymous@realm' */
+
+       if (id_len > 1 && id[0] == '@')
+               return 1; /* '@realm' */
+
+       return 0;
+}
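Review bot: eap_sim_anonymous_username is added without a header comment, so a reader of the declaration cannot tell that it inspects only a prefix and that the empty-realm forms "anonymous@" and "@" are rejected by the two `id_len >` comparisons. A Doxygen block above the definition should state the purpose (detect the anonymous identity used with IMSI encryption), that `id` may be NULL only when `id_len` is 0 because both branches test the length first, and that it returns 1 for 'anonymous@realm' or '@realm' with a non-empty realm and 0 otherwise. The os_memcmp check is case-sensitive, so a prefix such as "Anonymous@" is not matched; whether that is intended cannot be confirmed from this hunk and is worth stating in the comment. Separately, `os_strlen(anonymous_id_prefix)` is recomputed on every call; declaring `static const char anonymous_id_prefix[] = "anonymous@";` and using `sizeof(anonymous_id_prefix) - 1` makes the length a compile-time constant.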
index daeb0e2da0c4d2dd9fc3ebf2ffb1d6a32ec4dee7..7142b94c9801ad377825cf270dd005070fb8a142 100644 (file)
@@ -226,5 +226,6 @@ int eap_sim_msg_add_encr_end(struct eap_sim_msg *msg, u8 *k_encr,
                             int attr_pad);
 
 void eap_sim_report_notification(void *msg_ctx, int notification, int aka);
+int eap_sim_anonymous_username(const u8 *id, size_t id_len);
 
 #endif /* EAP_SIM_COMMON_H */
index da5beee21977b341a9768b8dc14d9a2f7c76bea3..e3fb3adca4ecc14a4c71875bc264cceee97852c5 100644 (file)
@@ -623,7 +623,9 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
                identity_len = data->reauth_id_len;
                data->reauth = 1;
        } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
-                  data->pseudonym) {
+                  data->pseudonym &&
+                  !eap_sim_anonymous_username(data->pseudonym,
+                                              data->pseudonym_len)) {
                identity = data->pseudonym;
                identity_len = data->pseudonym_len;
                eap_aka_clear_identities(sm, data, CLEAR_REAUTH_ID);
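Review bot: The new three-line condition on data->pseudonym is repeated verbatim at four call sites — here, in eap_aka_process_challenge in the next hunk, and twice in eap_sim.c — with no comment explaining why a stored pseudonym may now be skipped. A why-comment at each site, `/* data->pseudonym may hold the anonymous identity used with IMSI encryption; it must not be sent as a pseudonym */`, would make the intent visible to the next maintainer. A one-line static helper per file, e.g. `static int eap_aka_usable_pseudonym(struct eap_aka_data *data) { return data->pseudonym && !eap_sim_anonymous_username(data->pseudonym, data->pseudonym_len); }`, would keep the sites from drifting apart; the struct name is inferred from the file's naming and should be confirmed. eap_aka_response_identity starts and ends outside the hunk, so the else branch taken when the pseudonym is skipped is not visible here.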
@@ -1027,7 +1029,9 @@ static struct wpabuf * eap_aka_process_challenge(struct eap_sm *sm,
        if (data->last_eap_identity) {
                identity = data->last_eap_identity;
                identity_len = data->last_eap_identity_len;
-       } else if (data->pseudonym) {
+       } else if (data->pseudonym &&
+                  !eap_sim_anonymous_username(data->pseudonym,
+                                              data->pseudonym_len)) {
                identity = data->pseudonym;
                identity_len = data->pseudonym_len;
        } else {
index 59a208b1ff7d49bb47b59eefd58430bf07cff843..b60577b7d4f5eb117ea709736103a0faac83e94f 100644 (file)
@@ -493,7 +493,9 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
                identity_len = data->reauth_id_len;
                data->reauth = 1;
        } else if ((id_req == ANY_ID || id_req == FULLAUTH_ID) &&
-                  data->pseudonym) {
+                  data->pseudonym &&
+                  !eap_sim_anonymous_username(data->pseudonym,
+                                              data->pseudonym_len)) {
                identity = data->pseudonym;
                identity_len = data->pseudonym_len;
                eap_sim_clear_identities(sm, data, CLEAR_REAUTH_ID);
@@ -769,7 +771,9 @@ static struct wpabuf * eap_sim_process_challenge(struct eap_sm *sm,
        if (data->last_eap_identity) {
                identity = data->last_eap_identity;
                identity_len = data->last_eap_identity_len;
-       } else if (data->pseudonym) {
+       } else if (data->pseudonym &&
+                  !eap_sim_anonymous_username(data->pseudonym,
+                                              data->pseudonym_len)) {
                identity = data->pseudonym;
                identity_len = data->pseudonym_len;
        } else {