EAP-SIM/AKA: Do not allow anonymous@realm "pseudonym" to be cleared
authorJouni Malinen <jouni@codeaurora.org>
Wed, 31 Jul 2019 19:33:04 +0000 (22:33 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 31 Jul 2019 19:33:04 +0000 (22:33 +0300)
If the EAP-SIM/AKA server does not provide a new pseudonym and the
locally configured "pseudonym" in anonymous_identity is actually an
anonymous identity instead of a real EAP-SIM/AKA pseudonym, do not
clear the anonymous_identity network profile parameter. This is needed
to avoid forgetting the anonymous identity when going through
EAP-SIM/AKA authentication and then reverting back to using IMSI-based
(e.g., encrypted) identity.

Fixes: 4df4133917ab ("EAP-SIM/AKA: Add support for anonymous@realm")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
src/eap_peer/eap_aka.c
src/eap_peer/eap_sim.c

index f5abb79fc93114b763d3b1f220f135655be7fb4e..d50bc6186d91fa7feecc75ab26a5916cf8fda36e 100644 (file)
@@ -632,8 +632,13 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
        } else if (id_req != NO_ID_REQ) {
                identity = eap_get_config_identity(sm, &identity_len);
                if (identity) {
-                       eap_aka_clear_identities(sm, data, CLEAR_PSEUDONYM |
-                                                CLEAR_REAUTH_ID);
+                       int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+                       if (data->pseudonym &&
+                           eap_sim_anonymous_username(data->pseudonym,
+                                                      data->pseudonym_len))
+                               ids &= ~CLEAR_PSEUDONYM;
+                       eap_aka_clear_identities(sm, data, ids);
                }
        }
        if (id_req != NO_ID_REQ)
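Review bot: The new `ids &= ~CLEAR_PSEUDONYM;` branch carries no comment, so a reader of eap_aka_response_identity alone cannot tell why a stored pseudonym is deliberately kept across a server-initiated identity request; the rationale lives only in the commit message. A short comment above the `if (data->pseudonym &&` test would fix that, e.g. `/* anonymous@realm stored in anonymous_identity is not a real pseudonym; keep it so a later IMSI-based (e.g., encrypted) identity can still use it */`. The same seven lines are duplicated verbatim in the eap_sim.c hunk (eap_sim_response_start), so the comment belongs in both places, or the classification could be folded into one shared helper in the common EAP-SIM code that both callers use. eap_aka_response_identity begins before and ends after this hunk, so the enclosing control flow is not visible here.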
index c4070ab3329724563eee5f5012d77365211cd469..2ea4efd07c6dc5d6ea7ba96c288682c33b3697ed 100644 (file)
@@ -502,8 +502,13 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
        } else if (id_req != NO_ID_REQ) {
                identity = eap_get_config_identity(sm, &identity_len);
                if (identity) {
-                       eap_sim_clear_identities(sm, data, CLEAR_PSEUDONYM |
-                                                CLEAR_REAUTH_ID);
+                       int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
+
+                       if (data->pseudonym &&
+                           eap_sim_anonymous_username(data->pseudonym,
+                                                      data->pseudonym_len))
+                               ids &= ~CLEAR_PSEUDONYM;
+                       eap_sim_clear_identities(sm, data, ids);
                }
        }
        if (id_req != NO_ID_REQ)