EAP-SIM/AKA: Do not allow anonymous@realm "pseudonym" to be cleared

If the EAP-SIM/AKA server does not provide a new pseudonym and the
locally configured "pseudonym" in anonymous_identity is actually an
anonymous identitity instead of a real EAP-SIM/AKA pseudonym, do not
clear the anonymous_identity network profile parameter. This is needed
to avoid forgetting the anonymous identity when going through
EAP-SIM/AKA authentication and then reverting back to using IMSI-based
(e.g., encrypted) identity.

Fixes: 4df4133917 ("EAP-SIM/AKA: Add support for anonymous@realm")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2019-07-31 22:33:04 +03:00 committed by Jouni Malinen
parent cc2fd94258
commit c1b2365214
2 changed files with 14 additions and 4 deletions

View File

@ -632,8 +632,13 @@ static struct wpabuf * eap_aka_response_identity(struct eap_sm *sm,
} else if (id_req != NO_ID_REQ) {
identity = eap_get_config_identity(sm, &identity_len);
if (identity) {
eap_aka_clear_identities(sm, data, CLEAR_PSEUDONYM |
CLEAR_REAUTH_ID);
int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
if (data->pseudonym &&
eap_sim_anonymous_username(data->pseudonym,
data->pseudonym_len))
ids &= ~CLEAR_PSEUDONYM;
eap_aka_clear_identities(sm, data, ids);
}
}
if (id_req != NO_ID_REQ)

View File

@ -502,8 +502,13 @@ static struct wpabuf * eap_sim_response_start(struct eap_sm *sm,
} else if (id_req != NO_ID_REQ) {
identity = eap_get_config_identity(sm, &identity_len);
if (identity) {
eap_sim_clear_identities(sm, data, CLEAR_PSEUDONYM |
CLEAR_REAUTH_ID);
int ids = CLEAR_PSEUDONYM | CLEAR_REAUTH_ID;
if (data->pseudonym &&
eap_sim_anonymous_username(data->pseudonym,
data->pseudonym_len))
ids &= ~CLEAR_PSEUDONYM;
eap_sim_clear_identities(sm, data, ids);
}
}
if (id_req != NO_ID_REQ)