Diffstat (limited to 'service')
-rw-r--r--service/java/com/android/server/wifi/CarrierNetworkConfig.java71
-rw-r--r--service/java/com/android/server/wifi/CarrierNetworkEvaluator.java10
-rw-r--r--service/java/com/android/server/wifi/ClientModeImpl.java25
-rw-r--r--service/java/com/android/server/wifi/WifiConfigManager.java5
-rw-r--r--service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java6
-rw-r--r--service/java/com/android/server/wifi/util/TelephonyUtil.java83
6 files changed, 32 insertions, 168 deletions
diff --git a/service/java/com/android/server/wifi/CarrierNetworkConfig.java b/service/java/com/android/server/wifi/CarrierNetworkConfig.java
index 20aac5bc1..4c92d6b39 100644
--- a/service/java/com/android/server/wifi/CarrierNetworkConfig.java
+++ b/service/java/com/android/server/wifi/CarrierNetworkConfig.java
@@ -60,31 +60,8 @@ public class CarrierNetworkConfig {
private final Map<String, NetworkInfo> mCarrierNetworkMap;
private boolean mIsCarrierImsiEncryptionInfoAvailable = false;
- private int mBase64EncodingMethod = Base64.DEFAULT;
- private int mEapIdentitySequence = IDENTITY_SEQUENCE_IMSI_V1_0;
private ImsiEncryptionInfo mLastImsiEncryptionInfo = null; // used for dumpsys only
- // RFC2045: adds Line Feed at each 76 chars and encode it.
- public static final int ENCODING_METHOD_RFC_2045 = 2045;
-
- // RFC4648: encodes whole data into one string.
- public static final int ENCODING_METHOD_RFC_4648 = 4648;
-
- // Send encrypted IMSI with the format of V1.0
- // V1.0 format: "\0"|<encrypted IMSI>|@NAIRealm
- // <encrypted IMSI>: Base64{RSA Public Key Encryption{<permanent ID>}}
- // <permanent ID>: One char ("0" for AKA, "1" for SIM, "6" for AKA')|IMSI
- public static final int IDENTITY_SEQUENCE_IMSI_V1_0 = 1;
-
- // Send anonymous identity and encrypted IMSI identity with the format of V1.0
- public static final int IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0 = 2;
-
- // Send anonymous identity and encrypted IMSI identity with the format of V1.6
- // V1.6 format: "\0"|<encrypted identity>
- // <encrypted identity>: Base64{RSA Public Key Encryption{<permanent ID>}}.
- // <permanent ID>: One char ("0" for AKA, "1" for SIM, "6" for AKA')|IMSI|@NAIRealm
- public static final int IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6 = 3;
-
/**
* Enable/disable verbose logging.
*/
@@ -142,29 +119,6 @@ public class CarrierNetworkConfig {
}
/**
- * @return the base64 encoding flag for current carrier.
- */
- public int getBase64EncodingFlag() {
- return mBase64EncodingMethod;
- }
-
- /**
- * @return the sequence of sending EAP-IDENTITY during EAP SIM/AKA authentication.
- */
- public int getEapIdentitySequence() {
- return mEapIdentitySequence;
- }
-
- /**
- * @return {@code true} if current carrier wifi network supports anonymous identity, {@code
- * false} otherwise.
- */
- public boolean isSupportAnonymousIdentity() {
- return mEapIdentitySequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0
- || mEapIdentitySequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6;
- }
-
- /**
* @return True if carrier IMSI encryption info is available, False otherwise.
*/
public boolean isCarrierEncryptionInfoAvailable() {
@@ -281,27 +235,6 @@ public class CarrierNetworkConfig {
return;
}
- int encodeMethod = carrierConfig.getInt(
- CarrierConfigManager.KEY_IMSI_ENCODING_METHOD_INT, ENCODING_METHOD_RFC_2045);
- if (encodeMethod != ENCODING_METHOD_RFC_2045 && encodeMethod != ENCODING_METHOD_RFC_4648) {
- Log.e(TAG, "Invalid encoding method type: " + encodeMethod);
- return;
- }
- mBase64EncodingMethod = Base64.DEFAULT;
- if (encodeMethod == ENCODING_METHOD_RFC_4648) {
- mBase64EncodingMethod = Base64.NO_WRAP;
- }
-
- int sequence = carrierConfig.getInt(CarrierConfigManager.KEY_EAP_IDENTITY_SEQUENCE_INT,
- IDENTITY_SEQUENCE_IMSI_V1_0);
- if (sequence != IDENTITY_SEQUENCE_IMSI_V1_0
- && sequence != IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0
- && sequence != IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6) {
- Log.e(TAG, "Invalid eap identity sequence: " + sequence);
- return;
- }
- mEapIdentitySequence = sequence;
-
for (String networkConfig : networkConfigs) {
String[] configArr = networkConfig.split(NETWORK_CONFIG_SEPARATOR);
if (configArr.length != CONFIG_ELEMENT_SIZE) {
@@ -311,7 +244,7 @@ public class CarrierNetworkConfig {
try {
String ssid = new String(Base64.decode(
- configArr[ENCODED_SSID_INDEX], mBase64EncodingMethod));
+ configArr[ENCODED_SSID_INDEX], Base64.NO_WRAP));
int eapType = parseEapType(Integer.parseInt(configArr[EAP_TYPE_INDEX]));
// Verify EAP type, must be a SIM based EAP type.
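Review bot: The `Base64.NO_WRAP` flag passed to `Base64.decode` does not restrict the input; as far as I know Android's decoder only consults `URL_SAFE` and skips line breaks either way, so the constant reads like a format check that is not actually made. `Base64.DEFAULT` with a short comment such as `// decode accepts wrapped and unwrapped input; the wrap flag only matters when encoding` would describe what happens. Separately, `new String(...)` turns the decoded SSID bytes into text using the platform charset; `new String(Base64.decode(...), StandardCharsets.UTF_8)` makes that explicit, and the same applies to `identity.getBytes()` in `TelephonyUtil.buildEncryptedIdentity`. The enclosing `try` block ends outside the hunk.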
@@ -355,8 +288,6 @@ public class CarrierNetworkConfig {
pw.println("mCarrierNetworkMap=" + mCarrierNetworkMap);
pw.println("mIsCarrierImsiEncryptionInfoAvailable="
+ mIsCarrierImsiEncryptionInfoAvailable);
- pw.println("mBase64EncodingMethod=" + mBase64EncodingMethod);
- pw.println("mEapIdentitySequence=" + mEapIdentitySequence);
pw.println("mLastImsiEncryptionInfo=" + mLastImsiEncryptionInfo);
}
}
diff --git a/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java b/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java
index 3b19eaff8..8bd024bf5 100644
--- a/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java
+++ b/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java
@@ -121,6 +121,9 @@ public class CarrierNetworkEvaluator implements NetworkEvaluator {
config.enterpriseConfig = new WifiEnterpriseConfig();
}
config.enterpriseConfig.setEapMethod(eapType);
+ // Send anonymous@realm as EAP-IDENTITY response.
+ config.enterpriseConfig.setAnonymousIdentity(
+ TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager()));
// Check if we already have a network with the same credentials in WifiConfigManager
// database. If yes, we should check if the network is currently blacklisted.
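Review bot: The value returned by `TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager())` is handed to `setAnonymousIdentity` without any check, and it is now applied to every carrier network rather than only to carriers that opted in. The helper's body is not visible here; if it can return null or an empty string while the SIM is absent or not ready, the config would be created without an outer identity and the later `isAnonymousAtRealmIdentity` checks would treat the network as a pseudonym one. Consider storing the result in a local, logging through `mLocalLog` and skipping the candidate when it is empty, or add a comment stating why it cannot be null at this point. The same unchecked call appears in `PasspointNetworkEvaluator.createWifiConfigForProvider`. The enclosing method starts and ends outside the hunk.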
@@ -158,13 +161,6 @@ public class CarrierNetworkEvaluator implements NetworkEvaluator {
WifiConfiguration.NetworkSelectionStatus nss = null;
if (config != null) {
nss = config.getNetworkSelectionStatus();
-
- // In case of a carrier supporting anonymous identity, we need
- // to send anonymous@realm as EAP-IDENTITY response.
- if (mCarrierNetworkConfig.isSupportAnonymousIdentity()) {
- config.enterpriseConfig.setAnonymousIdentity(
- TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager()));
- }
}
if (nss == null) {
mLocalLog.log(TAG + ": null network selection status for: " + config);
diff --git a/service/java/com/android/server/wifi/ClientModeImpl.java b/service/java/com/android/server/wifi/ClientModeImpl.java
index 4adf27ff0..f181cd295 100644
--- a/service/java/com/android/server/wifi/ClientModeImpl.java
+++ b/service/java/com/android/server/wifi/ClientModeImpl.java
@@ -4433,28 +4433,15 @@ public class ClientModeImpl extends StateMachine {
// We need to get the updated pseudonym from supplicant for EAP-SIM/AKA/AKA'
if (config.enterpriseConfig != null
&& TelephonyUtil.isSimEapMethod(
- config.enterpriseConfig.getEapMethod())) {
+ config.enterpriseConfig.getEapMethod())
+ && !TelephonyUtil.isAnonymousAtRealmIdentity(
+ config.enterpriseConfig.getAnonymousIdentity())) {
String anonymousIdentity =
mWifiNative.getEapAnonymousIdentity(mInterfaceName);
- if (anonymousIdentity != null) {
- config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity);
- } else {
- CarrierNetworkConfig carrierNetworkConfig =
- mWifiInjector.getCarrierNetworkConfig();
- if (carrierNetworkConfig.isCarrierEncryptionInfoAvailable()
- && carrierNetworkConfig.isSupportAnonymousIdentity()) {
- // In case of a carrier supporting encrypted IMSI and
- // anonymous identity, we need to send anonymous@realm as
- // EAP-IDENTITY response.
- config.enterpriseConfig.setAnonymousIdentity(
- TelephonyUtil.getAnonymousIdentityWith3GppRealm(
- getTelephonyManager()));
- } else {
- Log.d(TAG, "Failed to get updated anonymous identity"
- + " from supplicant, reset it in WifiConfiguration.");
- config.enterpriseConfig.setAnonymousIdentity(null);
- }
+ if (mVerboseLoggingEnabled) {
+ log("EAP Pseudonym: " + anonymousIdentity);
}
+ config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity);
mWifiConfigManager.addOrUpdateNetwork(config, Process.WIFI_UID);
}
sendNetworkStateChangeBroadcast(mLastBssid);
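Review bot: The added `log("EAP Pseudonym: " + anonymousIdentity)` writes the supplicant-issued pseudonym into the log; it is gated on `mVerboseLoggingEnabled`, but a pseudonym is still a subscriber-linked identifier and verbose logs tend to end up in bug reports. Logging only the outcome, e.g. `log("EAP pseudonym " + (anonymousIdentity != null ? "updated" : "not available"));`, keeps the diagnostic without the value. A null result from `getEapAnonymousIdentity` is also stored silently when verbose logging is off, because the old "Failed to get updated anonymous identity" message went away with the fallback branch. The enclosing handler starts and ends outside the hunk.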
diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java
index c48601010..1d287f02d 100644
--- a/service/java/com/android/server/wifi/WifiConfigManager.java
+++ b/service/java/com/android/server/wifi/WifiConfigManager.java
@@ -2806,7 +2806,10 @@ public class WifiConfigManager {
} else {
// reset identity as well: supplicant will ask us for it
config.enterpriseConfig.setIdentity("");
- config.enterpriseConfig.setAnonymousIdentity("");
+ if (!TelephonyUtil.isAnonymousAtRealmIdentity(
+ config.enterpriseConfig.getAnonymousIdentity())) {
+ config.enterpriseConfig.setAnonymousIdentity("");
+ }
}
}
}
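Review bot: The new guard keeps an `anonymous@realm` identity across this reset, but the realm part of that string is presumably derived from the SIM's MCC/MNC, so it could be stale if this branch runs after a SIM swap. The enclosing method is outside the hunk, so it is not clear when the branch is taken; if a different SIM is possible here, the preserved value should be regenerated before the next connection attempt, or cleared as before. At minimum add a why-comment above the `if`, such as `// Keep anonymous@realm: it is not a supplicant-issued pseudonym and is re-sent as the EAP-IDENTITY response.`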
diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java b/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java
index 5629ec573..a2838b5fd 100644
--- a/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java
+++ b/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java
@@ -222,10 +222,8 @@ public class PasspointNetworkEvaluator implements WifiNetworkSelector.NetworkEva
private WifiConfiguration createWifiConfigForProvider(PasspointNetworkCandidate networkInfo) {
WifiConfiguration config = networkInfo.mProvider.getWifiConfig();
if (TelephonyUtil.isSimEapMethod(config.enterpriseConfig.getEapMethod())
- && mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()
- && mCarrierNetworkConfig.isSupportAnonymousIdentity()) {
- // In case of a carrier supporting encrypted IMSI and anonymous identity, we need
- // to send anonymous@realm as EAP-IDENTITY response.
+ && mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()) {
+ // Send anonymous@realm as EAP-IDENTITY response.
config.enterpriseConfig.setAnonymousIdentity(
TelephonyUtil.getAnonymousIdentityWith3GppRealm(
getTelephonyManager()));
diff --git a/service/java/com/android/server/wifi/util/TelephonyUtil.java b/service/java/com/android/server/wifi/util/TelephonyUtil.java
index 1d19c9f5e..4af40ddf2 100644
--- a/service/java/com/android/server/wifi/util/TelephonyUtil.java
+++ b/service/java/com/android/server/wifi/util/TelephonyUtil.java
@@ -16,10 +16,6 @@
package com.android.server.wifi.util;
-import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0;
-import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6;
-import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0;
-
import android.annotation.NonNull;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
@@ -130,23 +126,12 @@ public class TelephonyUtil {
return Pair.create(identity, "");
}
- int base64EncodingFlag = carrierNetworkConfig.getBase64EncodingFlag();
-
- String encryptedIdentity = null;
- int eapSequence = carrierNetworkConfig.getEapIdentitySequence();
- if (eapSequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6) {
- encryptedIdentity = buildEncryptedIdentityV1_6(telephonyUtil, identity,
- imsiEncryptionInfo, base64EncodingFlag);
- } else if (eapSequence == IDENTITY_SEQUENCE_IMSI_V1_0
- || eapSequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0) {
- encryptedIdentity = buildEncryptedIdentityV1_0(telephonyUtil,
- getSimMethodForConfig(config), imsi, mccMnc, imsiEncryptionInfo,
- base64EncodingFlag);
- }
+ String encryptedIdentity = buildEncryptedIdentity(telephonyUtil, identity,
+ imsiEncryptionInfo);
// In case of failure for encryption, abort current EAP authentication.
if (encryptedIdentity == null) {
- Log.e(TAG, "failed to encrypt the identity, eapIdentitySequence: " + eapSequence);
+ Log.e(TAG, "failed to encrypt the identity");
return null;
}
return Pair.create(identity, encryptedIdentity);
@@ -209,65 +194,21 @@ public class TelephonyUtil {
}
/**
- * Create the encrypted identity for V1.0.
+ * Create the encrypted identity.
*
* Prefix value:
* "0" - EAP-AKA Identity
* "1" - EAP-SIM Identity
* "6" - EAP-AKA' Identity
- * Encrypted Identity format for V1.0: prefix|IMSI
- * @param eapMethod EAP authentication method: EAP-SIM, EAP-AKA, EAP-AKA'
- * @param imsi The IMSI retrieved from the SIM
- * @param mccMnc The MCC MNC identifier retrieved from the SIM
- * @param imsiEncryptionInfo The IMSI encryption info retrieved from the SIM
- * @param base64EncodingFlag base64 encoding flag
- * @return "\0" + encryptedIdentity@<NAIRealm> + "{, Key Identifier AVP}"
- */
- private static String buildEncryptedIdentityV1_0(TelephonyUtil telephonyUtil, int eapMethod,
- String imsi, String mccMnc,
- ImsiEncryptionInfo imsiEncryptionInfo, int base64EncodingFlag) {
- if (imsiEncryptionInfo == null) {
- return null;
- }
-
- String prefix = EAP_METHOD_PREFIX.get(eapMethod);
- if (prefix == null) {
- return null;
- }
- imsi = prefix + imsi;
-
- // Build and return the encrypted identity.
- String encryptedImsi = telephonyUtil.encryptDataUsingPublicKey(
- imsiEncryptionInfo.getPublicKey(), imsi.getBytes(), base64EncodingFlag);
- if (encryptedImsi == null) {
- Log.e(TAG, "Failed to encrypt IMSI");
- return null;
- }
- String encryptedIdentity = buildIdentity(eapMethod, encryptedImsi, mccMnc, true);
- if (imsiEncryptionInfo.getKeyIdentifier() != null) {
- // Include key identifier AVP (Attribute Value Pair).
- encryptedIdentity = encryptedIdentity + "," + imsiEncryptionInfo.getKeyIdentifier();
- }
- return encryptedIdentity;
- }
-
- /**
- * Create the encrypted identity for V1.6.
- *
- * Prefix value:
- * "0" - EAP-AKA Identity
- * "1" - EAP-SIM Identity
- * "6" - EAP-AKA' Identity
- * Encrypted identity format for V1.6: prefix|IMSI@<NAIRealm>
+ * Encrypted identity format: prefix|IMSI@<NAIRealm>
* @param telephonyUtil TelephonyUtil instance
* @param identity permanent identity with format based on section 4.1.1.6 of RFC 4187
* and 4.2.1.6 of RFC 4186.
* @param imsiEncryptionInfo The IMSI encryption info retrieved from the SIM
- * @param base64EncodingFlag base64 encoding flag
* @return "\0" + encryptedIdentity + "{, Key Identifier AVP}"
*/
- private static String buildEncryptedIdentityV1_6(TelephonyUtil telephonyUtil, String identity,
- ImsiEncryptionInfo imsiEncryptionInfo, int base64EncodingFlag) {
+ private static String buildEncryptedIdentity(TelephonyUtil telephonyUtil, String identity,
+ ImsiEncryptionInfo imsiEncryptionInfo) {
if (imsiEncryptionInfo == null) {
Log.e(TAG, "imsiEncryptionInfo is not valid");
return null;
@@ -279,7 +220,7 @@ public class TelephonyUtil {
// Build and return the encrypted identity.
String encryptedIdentity = telephonyUtil.encryptDataUsingPublicKey(
- imsiEncryptionInfo.getPublicKey(), identity.getBytes(), base64EncodingFlag);
+ imsiEncryptionInfo.getPublicKey(), identity.getBytes(), Base64.NO_WRAP);
if (encryptedIdentity == null) {
Log.e(TAG, "Failed to encrypt IMSI");
return null;
@@ -392,6 +333,14 @@ public class TelephonyUtil {
}
/**
+ * Returns true if {@code identity} contains an anonymous@realm identity, false otherwise.
+ */
+ public static boolean isAnonymousAtRealmIdentity(String identity) {
+ if (identity == null) return false;
+ return identity.startsWith(TelephonyUtil.ANONYMOUS_IDENTITY + "@");
+ }
+
+ /**
* Checks if the EAP outer method is SIM related.
*
* @param eapMethod WifiEnterpriseConfig Eap method.
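Review bot: `isAnonymousAtRealmIdentity` tests only the prefix `anonymous@`, so any string with that prefix, including a bare `anonymous@` with no realm or a realm unrelated to the SIM, is treated as the carrier identity; the callers in ClientModeImpl and WifiConfigManager then skip the pseudonym update and the reset. If the anonymous identity of a SIM-based network can come from a stored or app-supplied configuration (not visible here), comparing against the value `getAnonymousIdentityWith3GppRealm` would produce, or at least requiring a non-empty realm, would be tighter. The Javadoc says "contains" where the code checks a prefix; `Returns true if {@code identity} starts with "anonymous@"; false otherwise, including for null.` matches the code. The `TelephonyUtil.` qualifier on `ANONYMOUS_IDENTITY` is redundant inside the class.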