EAP-SIM: Don't use anonymous identity in phase2

The "anonymous_identity" configuration field has more than one
semantic meaning. For tunneled EAP methods, this refers to the
outer EAP identity. For EAP-SIM, this refers to the pseudonym
identity. Also, interestingly, EAP-SIM can overwrite the
"anonymous_identity" field if one is provided to it by the
authenticator.

When EAP-SIM is tunneled within an outer method, it makes sense
to only use this value for the outer method, since it's unlikely
that this will also be valid as an identity for the inner EAP-SIM
method. Also, presumably since the outer method protects the
EAP-SIM transaction, there is no need for a pseudonym in this
usage.

Similarly, if EAP-SIM is being used as an inner method, it must
not push the pseudonym identity using eap_set_anon_id() since it
could overwrite the identity for the outer EAP method.

Signed-off-by: Paul Stewart <pstew@google.com>
This commit is contained in:
Paul Stewart 2017-02-08 17:47:57 -08:00 committed by Jouni Malinen
parent ed9b1c16d5
commit 9e2afe10e6

View File

@ -46,6 +46,7 @@ struct eap_sim_data {
CONTINUE, RESULT_SUCCESS, SUCCESS, FAILURE CONTINUE, RESULT_SUCCESS, SUCCESS, FAILURE
} state; } state;
int result_ind, use_result_ind; int result_ind, use_result_ind;
int use_pseudonym;
}; };
@ -115,7 +116,8 @@ static void * eap_sim_init(struct eap_sm *sm)
NULL; NULL;
} }
if (config && config->anonymous_identity) { data->use_pseudonym = !sm->init_phase2;
if (config && config->anonymous_identity && data->use_pseudonym) {
data->pseudonym = os_malloc(config->anonymous_identity_len); data->pseudonym = os_malloc(config->anonymous_identity_len);
if (data->pseudonym) { if (data->pseudonym) {
os_memcpy(data->pseudonym, config->anonymous_identity, os_memcpy(data->pseudonym, config->anonymous_identity,
@ -372,7 +374,8 @@ static void eap_sim_clear_identities(struct eap_sm *sm,
os_free(data->pseudonym); os_free(data->pseudonym);
data->pseudonym = NULL; data->pseudonym = NULL;
data->pseudonym_len = 0; data->pseudonym_len = 0;
eap_set_anon_id(sm, NULL, 0); if (data->use_pseudonym)
eap_set_anon_id(sm, NULL, 0);
} }
if ((id & CLEAR_REAUTH_ID) && data->reauth_id) { if ((id & CLEAR_REAUTH_ID) && data->reauth_id) {
wpa_printf(MSG_DEBUG, "EAP-SIM: forgetting old reauth_id"); wpa_printf(MSG_DEBUG, "EAP-SIM: forgetting old reauth_id");
@ -427,7 +430,9 @@ static int eap_sim_learn_ids(struct eap_sm *sm, struct eap_sim_data *data,
realm, realm_len); realm, realm_len);
} }
data->pseudonym_len = attr->next_pseudonym_len + realm_len; data->pseudonym_len = attr->next_pseudonym_len + realm_len;
eap_set_anon_id(sm, data->pseudonym, data->pseudonym_len); if (data->use_pseudonym)
eap_set_anon_id(sm, data->pseudonym,
data->pseudonym_len);
} }
if (attr->next_reauth_id) { if (attr->next_reauth_id) {