identity_len = config->machine_identity_len;
wpa_hexdump_ascii(MSG_DEBUG, "EAP: using machine identity",
identity, identity_len);
- } else if (config->imsi_privacy_key && config->identity &&
+ } else if (config->imsi_privacy_cert && config->identity &&
config->identity_len > 0) {
const u8 *pos = config->identity;
const u8 *end = config->identity + config->identity_len;
data->eap_method = EAP_TYPE_AKA;
- if (config && config->imsi_privacy_key) {
+ if (config && config->imsi_privacy_cert) {
#ifdef CRYPTO_RSA_OAEP_SHA256
data->imsi_privacy_key = crypto_rsa_key_read(
- config->imsi_privacy_key, false);
+ config->imsi_privacy_cert, false);
if (!data->imsi_privacy_key) {
wpa_printf(MSG_ERROR,
- "EAP-AKA: Failed to read/parse IMSI privacy key %s",
- config->imsi_privacy_key);
+ "EAP-AKA: Failed to read/parse IMSI privacy certificate %s",
+ config->imsi_privacy_cert);
os_free(data);
return NULL;
}
#else /* CRYPTO_RSA_OAEP_SHA256 */
wpa_printf(MSG_ERROR,
- "EAP-AKA: No support for imsi_privacy_key in the build");
+ "EAP-AKA: No support for imsi_privacy_cert in the build");
os_free(data);
return NULL;
#endif /* CRYPTO_RSA_OAEP_SHA256 */
size_t imsi_identity_len;
/**
- * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+ * imsi_privacy_cert - IMSI privacy certificate
*
* This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
- * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
- * include a 2048-bit RSA public key and this is from the operator who
- * authenticates the SIM/USIM.
+ * identity (IMSI) to improve privacy. The referenced PEM-encoded
+ * X.509v3 certificate needs to include a 2048-bit RSA public key and
+ * this is from the operator who authenticates the SIM/USIM.
*/
- char *imsi_privacy_key;
+ char *imsi_privacy_cert;
/**
* machine_identity - EAP Identity for machine credential
return NULL;
}
- if (config && config->imsi_privacy_key) {
+ if (config && config->imsi_privacy_cert) {
#ifdef CRYPTO_RSA_OAEP_SHA256
data->imsi_privacy_key = crypto_rsa_key_read(
- config->imsi_privacy_key, false);
+ config->imsi_privacy_cert, false);
if (!data->imsi_privacy_key) {
wpa_printf(MSG_ERROR,
- "EAP-SIM: Failed to read/parse IMSI privacy key %s",
- config->imsi_privacy_key);
+ "EAP-SIM: Failed to read/parse IMSI privacy certificate %s",
+ config->imsi_privacy_cert);
os_free(data);
return NULL;
}
#else /* CRYPTO_RSA_OAEP_SHA256 */
wpa_printf(MSG_ERROR,
- "EAP-SIM: No support for imsi_privacy_key in the build");
+ "EAP-SIM: No support for imsi_privacy_cert in the build");
os_free(data);
return NULL;
#endif /* CRYPTO_RSA_OAEP_SHA256 */
eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_sim_imsi_privacy_key(dev, apdev):
- """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-SIM and imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
eap_connect(dev[0], hapd, "SIM",
"1232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
- imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
eap_reauth(dev[0], "SIM")
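Review bot: The docstring of `test_ap_wpa2_eap_sim_imsi_privacy_key` is updated to say `imsi_privacy_cert`, but the function name still carries the old `imsi_privacy_key` suffix, as do `test_ap_wpa2_eap_aka_imsi_privacy_key`, `test_ap_wpa2_eap_aka_imsi_privacy_key_expired` and `test_ap_wpa2_eap_aka_prime_imsi_privacy_key` in the following hunks. If the names are kept on purpose so that existing test selections keep working, a one-line comment above the first such test saying so (`# test names keep the historical imsi_privacy_key suffix on purpose`) would save the next reader from re-doing the rename. The test bodies start before the hunk, so the `hapd` setup is not visible here.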
eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_imsi_privacy_key(dev, apdev):
- """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-AKA and imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
eap_connect(dev[0], hapd, "AKA",
"0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
- imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_imsi_privacy_key_expired(dev, apdev):
- """WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-AKA and expired imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
eap="AKA",
identity="0232010000000000@wlan.mnc232.mcc02.3gppnetwork.org",
wait_connect=False, scan_freq="2412", ieee80211w="1",
- imsi_privacy_key="auth_serv/imsi-privacy-cert-2.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert-2.pem",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
ev = dev[0].wait_event(["Trying to associate with"], timeout=10)
if ev is not None:
eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_aka_prime_imsi_privacy_key(dev, apdev):
- """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_key"""
+ """WPA2-Enterprise connection using EAP-AKA' and imsi_privacy_cert"""
tls = dev[0].request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
eap_connect(dev[0], hapd, "AKA'",
"6555444333222111@wlan.mnc555.mcc44.3gppnetwork.org",
- imsi_privacy_key="auth_serv/imsi-privacy-cert.pem",
+ imsi_privacy_cert="auth_serv/imsi-privacy-cert.pem",
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
eap_reauth(dev[0], "AKA'")
tls = dev.request("GET tls_library")
if not tls.startswith("OpenSSL"):
raise HwsimSkip("IMSI privacy not supported with this TLS library: " + tls)
- params['imsi_privacy_key'] = "auth_serv/imsi-privacy-cert.pem"
+ params['imsi_privacy_cert'] = "auth_serv/imsi-privacy-cert.pem"
dev.add_cred_values(params)
interworking_select(dev, bssid, "home", freq="2412")
interworking_connect(dev, bssid, method)
"excluded_ssid", "milenage", "ca_cert", "client_cert",
"private_key", "domain_suffix_match", "provisioning_sp",
"roaming_partner", "phase1", "phase2", "private_key_passwd",
- "roaming_consortiums", "imsi_privacy_key"]
+ "roaming_consortiums", "imsi_privacy_cert"]
for field in quoted:
if field in params:
self.set_cred_quoted(id, field, params[field])
"sae_password_id", "check_cert_subject",
"machine_ca_cert", "machine_client_cert",
"machine_private_key", "machine_phase2",
- "imsi_identity", "imsi_privacy_key"]
+ "imsi_identity", "imsi_privacy_cert"]
for field in quoted:
if field in kwargs and kwargs[field]:
self.set_network_quoted(id, field, kwargs[field])
{ INTe(machine_ocsp, machine_cert.ocsp) },
{ INT(eapol_flags) },
{ INTe(sim_num, sim_num) },
- { STRe(imsi_privacy_key, imsi_privacy_key) },
+ { STRe(imsi_privacy_cert, imsi_privacy_cert) },
{ STRe(openssl_ciphers, openssl_ciphers) },
{ INTe(erp, erp) },
#endif /* IEEE8021X_EAPOL */
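Review bot: Renaming the config-file keyword in the STRe entry (old `imsi_privacy_key`, new `imsi_privacy_cert`) drops the only parser entry for the old name, so an existing wpa_supplicant.conf that sets `imsi_privacy_key=` will presumably fail to parse rather than degrade gracefully; the same applies to the cred set/get paths at the `os_strcmp(var, "imsi_privacy_cert")` hunks further down. If the file format is meant to stay backward compatible, consider keeping a deprecated alias entry that writes the same field, e.g. `{ STRe(imsi_privacy_key, imsi_privacy_cert) },` alongside the new one, or at least documenting the break in the changelog and in the `imsi_privacy_cert` field comment (`* Note: this field was previously named imsi_privacy_key`). The surrounding table definition starts and ends outside the hunk.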
bin_clear_free(eap->identity, eap->identity_len);
os_free(eap->anonymous_identity);
os_free(eap->imsi_identity);
- os_free(eap->imsi_privacy_key);
+ os_free(eap->imsi_privacy_cert);
os_free(eap->machine_identity);
bin_clear_free(eap->password, eap->password_len);
bin_clear_free(eap->machine_password, eap->machine_password_len);
os_free(cred->req_conn_capab_port[i]);
os_free(cred->req_conn_capab_port);
os_free(cred->req_conn_capab_proto);
- os_free(cred->imsi_privacy_key);
+ os_free(cred->imsi_privacy_cert);
os_free(cred);
}
return 0;
}
- if (os_strcmp(var, "imsi_privacy_key") == 0) {
- os_free(cred->imsi_privacy_key);
- cred->imsi_privacy_key = val;
+ if (os_strcmp(var, "imsi_privacy_cert") == 0) {
+ os_free(cred->imsi_privacy_cert);
+ cred->imsi_privacy_cert = val;
return 0;
}
if (os_strcmp(var, "imsi") == 0)
return alloc_strdup(cred->imsi);
- if (os_strcmp(var, "imsi_privacy_key") == 0)
- return alloc_strdup(cred->imsi_privacy_key);
+ if (os_strcmp(var, "imsi_privacy_cert") == 0)
+ return alloc_strdup(cred->imsi_privacy_cert);
if (os_strcmp(var, "milenage") == 0) {
if (!(cred->milenage))
char *milenage;
/**
- * imsi_privacy_key - IMSI privacy key (PEM encoded X.509v3 certificate)
+ * imsi_privacy_cert - IMSI privacy certificate
*
* This field is used with EAP-SIM/AKA/AKA' to encrypt the permanent
- * identity (IMSI) to improve privacy. The X.509v3 certificate needs to
- * include a 2048-bit RSA public key and this is from the operator who
- * authenticates the SIM/USIM.
+ * identity (IMSI) to improve privacy. The referenced PEM-encoded
+ * X.509v3 certificate needs to include a 2048-bit RSA public key and
+ * this is from the operator who authenticates the SIM/USIM.
*/
- char *imsi_privacy_key;
+ char *imsi_privacy_cert;
/**
* engine - Use an engine for private key operations
goto fail;
}
- if (cred->imsi_privacy_key && cred->imsi_privacy_key[0]) {
- if (wpa_config_set_quoted(ssid, "imsi_privacy_key",
- cred->imsi_privacy_key) < 0)
+ if (cred->imsi_privacy_cert && cred->imsi_privacy_cert[0]) {
+ if (wpa_config_set_quoted(ssid, "imsi_privacy_cert",
+ cred->imsi_privacy_cert) < 0)
goto fail;
}
return 1;
#ifdef CRYPTO_RSA_OAEP_SHA256
- if (ssid->eap.imsi_privacy_key) {
+ if (ssid->eap.imsi_privacy_cert) {
struct crypto_rsa_key *key;
bool failed = false;
- key = crypto_rsa_key_read(ssid->eap.imsi_privacy_key, false);
+ key = crypto_rsa_key_read(ssid->eap.imsi_privacy_cert, false);
if (!key)
failed = true;
crypto_rsa_key_free(key);
if (failed) {
wpa_printf(MSG_DEBUG,
- "Invalid imsi_privacy_key (%s) - disable network",
- ssid->eap.imsi_privacy_key);
+ "Invalid imsi_privacy_cert (%s) - disable network",
+ ssid->eap.imsi_privacy_cert);
return 1;
}
}