Do not try to use network profile with invalid imsi_privacy_key
authorJouni Malinen <quic_jouni@quicinc.com>
Mon, 23 May 2022 20:46:37 +0000 (23:46 +0300)
committerJouni Malinen <j@w1.fi>
Mon, 23 May 2022 21:34:08 +0000 (00:34 +0300)
Disable a network profile that has set the imsi_privacy_key if a valid
key cannot be read from the specified file. Previously, this check was
done only after having associated, but there is no point in associating
just to see EAP authentication fail in such a case. This is needed for
avoiding connection attempts if the X.509 certificate for IMSI privacy
has expired.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant/wpa_supplicant.c

index 15215c3b1ae00606a7112036819efa0127683fd5..611cf53b8c3d3bffc6b6d4cd1e2307df5eaa1f85 100644 (file)
@@ -17,6 +17,7 @@
 #endif /* CONFIG_MATCH_IFACE */
 
 #include "common.h"
+#include "crypto/crypto.h"
 #include "crypto/random.h"
 #include "crypto/sha1.h"
 #include "eapol_supp/eapol_supp_sm.h"
@@ -7999,6 +8000,24 @@ int wpas_network_disabled(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
            !ssid->mem_only_psk)
                return 1;
 
+#ifdef CRYPTO_RSA_OAEP_SHA256
+       if (ssid->eap.imsi_privacy_key) {
+               struct crypto_rsa_key *key;
+               bool failed = false;
+
+               key = crypto_rsa_key_read(ssid->eap.imsi_privacy_key, false);
+               if (!key)
+                       failed = true;
+               crypto_rsa_key_free(key);
+               if (failed) {
+                       wpa_printf(MSG_DEBUG,
+                                  "Invalid imsi_privacy_key (%s) - disable network",
+                                  ssid->eap.imsi_privacy_key);
+                       return 1;
+               }
+       }
+#endif /* CRYPTO_RSA_OAEP_SHA256 */
+
        return 0;
 }
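Review bot: The new block reads and parses the key file on every call of wpas_network_disabled(), which, judging by its name, is evaluated repeatedly (e.g. once per candidate profile when scan results are processed), so a file open and RSA/certificate parse now sits on that path; if that is the case, caching the verdict per ssid and re-reading only when the imsi_privacy_key path changes or the cache is invalidated would avoid the repeated disk I/O while keeping the same behaviour. The `failed` flag plus an unconditional crypto_rsa_key_free() on a possibly NULL key is also more roundabout than needed; a direct guard reads more clearly: `if (!key) { wpa_printf(MSG_DEBUG, "Invalid imsi_privacy_key (%s) - disable network", ssid->eap.imsi_privacy_key); return 1; }` followed by `crypto_rsa_key_free(key);`. Since this check can silently disable a profile when the IMSI privacy certificate has expired, consider a comment above the block such as `/* An unreadable or expired IMSI privacy key makes EAP fail later anyway; disable the profile now rather than associate first */`, and possibly a higher log level than MSG_DEBUG so the reason is visible in normal logs. The body of wpas_network_disabled() begins outside the hunk.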