From 8fcc04c02b7dec0f6fa806944a21ed7a2074ca2b Mon Sep 17 00:00:00 2001
From: Etan Cohen
Date: Wed, 22 May 2019 14:57:17 -0700
Subject: Modify Encrypted IMSI, remove deprecated protocols

Bug: 133431451
Test: atest com.android.server.wifi
Test: live test with Carrer test network
Change-Id: I71a9df1e60934b798057ca8e7bbaa2a3ccc3c58f
---
.../android/server/wifi/CarrierNetworkConfig.java | 71 +-----------
.../server/wifi/CarrierNetworkEvaluator.java | 9 +-
.../com/android/server/wifi/ClientModeImpl.java | 7 +-
.../wifi/hotspot2/PasspointNetworkEvaluator.java | 6 +-
.../android/server/wifi/util/TelephonyUtil.java | 75 ++-----------
.../server/wifi/CarrierNetworkConfigTest.java | 79 +------------
.../server/wifi/CarrierNetworkEvaluatorTest.java | 7 +-
.../android/server/wifi/ClientModeImplTest.java | 1 -
.../hotspot2/PasspointNetworkEvaluatorTest.java | 1 -
.../server/wifi/util/TelephonyUtilTest.java | 123 +--------------------
10 files changed, 26 insertions(+), 353 deletions(-)
diff --git a/service/java/com/android/server/wifi/CarrierNetworkConfig.java b/service/java/com/android/server/wifi/CarrierNetworkConfig.java
index 20aac5bc1..4c92d6b39 100644
--- a/service/java/com/android/server/wifi/CarrierNetworkConfig.java
+++ b/service/java/com/android/server/wifi/CarrierNetworkConfig.java
@@ -60,31 +60,8 @@ public class CarrierNetworkConfig { private final Map mCarrierNetworkMap; private boolean mIsCarrierImsiEncryptionInfoAvailable = false; - private int mBase64EncodingMethod = Base64.DEFAULT; - private int mEapIdentitySequence = IDENTITY_SEQUENCE_IMSI_V1_0; private ImsiEncryptionInfo mLastImsiEncryptionInfo = null; // used for dumpsys only - // RFC2045: adds Line Feed at each 76 chars and encode it. - public static final int ENCODING_METHOD_RFC_2045 = 2045; - - // RFC4648: encodes whole data into one string. - public static final int ENCODING_METHOD_RFC_4648 = 4648; - - // Send encrypted IMSI with the format of V1.0 - // V1.0 format: "\0"||@NAIRealm - // : Base64{RSA Public Key Encryption{}} - // : One char ("0" for AKA, "1" for SIM, "6" for AKA')|IMSI - public static final int IDENTITY_SEQUENCE_IMSI_V1_0 = 1; - - // Send anonymous identity and encrypted IMSI identity with the format of V1.0 - public static final int IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0 = 2; - - // Send anonymous identity and encrypted IMSI identity with the format of V1.6 - // V1.6 format: "\0"| - // : Base64{RSA Public Key Encryption{}}. - // : One char ("0" for AKA, "1" for SIM, "6" for AKA')|IMSI|@NAIRealm - public static final int IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6 = 3; - /** * Enable/disable verbose logging. */ 
@@ -141,29 +118,6 @@ public class CarrierNetworkConfig { return info == null ? null : info.mCarrierName; } - /** - * @return the base64 encoding flag for current carrier. - */ - public int getBase64EncodingFlag() { - return mBase64EncodingMethod; - } - - /** - * @return the sequence of sending EAP-IDENTITY during EAP SIM/AKA authentication. - */ - public int getEapIdentitySequence() { - return mEapIdentitySequence; - } - - /** - * @return {@code true} if current carrier wifi network supports anonymous identity, {@code - * false} otherwise. - */ - public boolean isSupportAnonymousIdentity() { - return mEapIdentitySequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0 - || mEapIdentitySequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6; - } - /** * @return True if carrier IMSI encryption info is available, False otherwise. */ @@ -281,27 +235,6 @@ public class CarrierNetworkConfig { return; } - int encodeMethod = carrierConfig.getInt( - CarrierConfigManager.KEY_IMSI_ENCODING_METHOD_INT, ENCODING_METHOD_RFC_2045); - if (encodeMethod != ENCODING_METHOD_RFC_2045 && encodeMethod != ENCODING_METHOD_RFC_4648) { - Log.e(TAG, "Invalid encoding method type: " + encodeMethod); - return; - } - mBase64EncodingMethod = Base64.DEFAULT; - if (encodeMethod == ENCODING_METHOD_RFC_4648) { - mBase64EncodingMethod = Base64.NO_WRAP; - } - - int sequence = carrierConfig.getInt(CarrierConfigManager.KEY_EAP_IDENTITY_SEQUENCE_INT, - IDENTITY_SEQUENCE_IMSI_V1_0); - if (sequence != IDENTITY_SEQUENCE_IMSI_V1_0 - && sequence != IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0 - && sequence != IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6) { - Log.e(TAG, "Invalid eap identity sequence: " + sequence); - return; - } - mEapIdentitySequence = sequence; - for (String networkConfig : networkConfigs) { String[] configArr = networkConfig.split(NETWORK_CONFIG_SEPARATOR); if (configArr.length != CONFIG_ELEMENT_SIZE) { 
@@ -311,7 +244,7 @@ public class CarrierNetworkConfig { try { String ssid = new String(Base64.decode( - configArr[ENCODED_SSID_INDEX], mBase64EncodingMethod)); + configArr[ENCODED_SSID_INDEX], Base64.NO_WRAP)); int eapType = parseEapType(Integer.parseInt(configArr[EAP_TYPE_INDEX])); // Verify EAP type, must be a SIM based EAP type. @@ -355,8 +288,6 @@ public class CarrierNetworkConfig { pw.println("mCarrierNetworkMap=" + mCarrierNetworkMap); pw.println("mIsCarrierImsiEncryptionInfoAvailable=" + mIsCarrierImsiEncryptionInfoAvailable); - pw.println("mBase64EncodingMethod=" + mBase64EncodingMethod); - pw.println("mEapIdentitySequence=" + mEapIdentitySequence); pw.println("mLastImsiEncryptionInfo=" + mLastImsiEncryptionInfo); } } diff --git a/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java b/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java index 3b19eaff8..f042e796c 100644 --- a/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java +++ b/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java @@ -159,12 +159,9 @@ public class CarrierNetworkEvaluator implements NetworkEvaluator { if (config != null) { nss = config.getNetworkSelectionStatus(); - // In case of a carrier supporting anonymous identity, we need - // to send anonymous@realm as EAP-IDENTITY response. - if (mCarrierNetworkConfig.isSupportAnonymousIdentity()) { - config.enterpriseConfig.setAnonymousIdentity( - TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager())); - } + // Send anonymous@realm as EAP-IDENTITY response. + config.enterpriseConfig.setAnonymousIdentity( + TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager())); } if (nss == null) { mLocalLog.log(TAG + ": null network selection status for: " + config); diff --git a/service/java/com/android/server/wifi/ClientModeImpl.java b/service/java/com/android/server/wifi/ClientModeImpl.java index 4adf27ff0..2b39ea164 100644 
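Review bot: The decoded SSID is still built with `new String(byte[])` and no charset, so the carrier-supplied bytes are interpreted with the platform default; `new String(Base64.decode(configArr[ENCODED_SSID_INDEX], Base64.NO_WRAP), StandardCharsets.UTF_8)` would make the encoding explicit (whether `StandardCharsets` is already imported is not visible here). The same applies to `identity.getBytes()` in the TelephonyUtil hunk at -279,7, which could become `identity.getBytes(StandardCharsets.UTF_8)` so the bytes that get encrypted do not depend on a default. The test helper `generateTestConfig` in CarrierNetworkConfigTest still encodes the SSID with `Base64.DEFAULT`, so the fixture no longer matches the NO_WRAP form named here; switching it to `Base64.NO_WRAP` would keep both sides aligned. The enclosing method starts and ends outside this hunk.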
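Review bot: The anonymous identity is now set in CarrierNetworkEvaluator without any `isCarrierEncryptionInfoAvailable()` check, while the ClientModeImpl and PasspointNetworkEvaluator hunks of this same commit keep that gate. If the evaluator does not already bail out earlier when encryption info is missing (that part of the method is outside the hunk), the three call sites now disagree on when `anonymous@realm` is used. Either wrap the call in `if (mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()) { ... }` or extend the comment to say where that precondition is enforced, for example `// Encryption info availability is verified before candidates are evaluated.`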
--- a/service/java/com/android/server/wifi/ClientModeImpl.java +++ b/service/java/com/android/server/wifi/ClientModeImpl.java @@ -4441,11 +4441,8 @@ public class ClientModeImpl extends StateMachine { } else { CarrierNetworkConfig carrierNetworkConfig = mWifiInjector.getCarrierNetworkConfig(); - if (carrierNetworkConfig.isCarrierEncryptionInfoAvailable() - && carrierNetworkConfig.isSupportAnonymousIdentity()) { - // In case of a carrier supporting encrypted IMSI and - // anonymous identity, we need to send anonymous@realm as - // EAP-IDENTITY response. + if (carrierNetworkConfig.isCarrierEncryptionInfoAvailable()) { + // Send anonymous@realm as EAP-IDENTITY response. config.enterpriseConfig.setAnonymousIdentity( TelephonyUtil.getAnonymousIdentityWith3GppRealm( getTelephonyManager())); diff --git a/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java b/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java index 5629ec573..a2838b5fd 100644 --- a/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java +++ b/service/java/com/android/server/wifi/hotspot2/PasspointNetworkEvaluator.java @@ -222,10 +222,8 @@ public class PasspointNetworkEvaluator implements WifiNetworkSelector.NetworkEva private WifiConfiguration createWifiConfigForProvider(PasspointNetworkCandidate networkInfo) { WifiConfiguration config = networkInfo.mProvider.getWifiConfig(); if (TelephonyUtil.isSimEapMethod(config.enterpriseConfig.getEapMethod()) - && mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable() - && mCarrierNetworkConfig.isSupportAnonymousIdentity()) { - // In case of a carrier supporting encrypted IMSI and anonymous identity, we need - // to send anonymous@realm as EAP-IDENTITY response. + && mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()) { + // Send anonymous@realm as EAP-IDENTITY response. config.enterpriseConfig.setAnonymousIdentity( TelephonyUtil.getAnonymousIdentityWith3GppRealm( getTelephonyManager())); 
diff --git a/service/java/com/android/server/wifi/util/TelephonyUtil.java b/service/java/com/android/server/wifi/util/TelephonyUtil.java index 1d19c9f5e..16d75e38f 100644 --- a/service/java/com/android/server/wifi/util/TelephonyUtil.java +++ b/service/java/com/android/server/wifi/util/TelephonyUtil.java @@ -16,10 +16,6 @@ package com.android.server.wifi.util; -import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0; -import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6; -import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0; - import android.annotation.NonNull; import android.net.wifi.WifiConfiguration; import android.net.wifi.WifiEnterpriseConfig; @@ -130,23 +126,12 @@ public class TelephonyUtil { return Pair.create(identity, ""); } - int base64EncodingFlag = carrierNetworkConfig.getBase64EncodingFlag(); - - String encryptedIdentity = null; - int eapSequence = carrierNetworkConfig.getEapIdentitySequence(); - if (eapSequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6) { - encryptedIdentity = buildEncryptedIdentityV1_6(telephonyUtil, identity, - imsiEncryptionInfo, base64EncodingFlag); - } else if (eapSequence == IDENTITY_SEQUENCE_IMSI_V1_0 - || eapSequence == IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0) { - encryptedIdentity = buildEncryptedIdentityV1_0(telephonyUtil, - getSimMethodForConfig(config), imsi, mccMnc, imsiEncryptionInfo, - base64EncodingFlag); - } + String encryptedIdentity = buildEncryptedIdentity(telephonyUtil, identity, + imsiEncryptionInfo); // In case of failure for encryption, abort current EAP authentication. if (encryptedIdentity == null) { - Log.e(TAG, "failed to encrypt the identity, eapIdentitySequence: " + eapSequence); + Log.e(TAG, "failed to encrypt the identity"); return null; } return Pair.create(identity, encryptedIdentity); 
@@ -209,65 +194,21 @@ public class TelephonyUtil { } /** - * Create the encrypted identity for V1.0. - * - * Prefix value: - * "0" - EAP-AKA Identity - * "1" - EAP-SIM Identity - * "6" - EAP-AKA' Identity - * Encrypted Identity format for V1.0: prefix|IMSI - * @param eapMethod EAP authentication method: EAP-SIM, EAP-AKA, EAP-AKA' - * @param imsi The IMSI retrieved from the SIM - * @param mccMnc The MCC MNC identifier retrieved from the SIM - * @param imsiEncryptionInfo The IMSI encryption info retrieved from the SIM - * @param base64EncodingFlag base64 encoding flag - * @return "\0" + encryptedIdentity@ + "{, Key Identifier AVP}" - */ - private static String buildEncryptedIdentityV1_0(TelephonyUtil telephonyUtil, int eapMethod, - String imsi, String mccMnc, - ImsiEncryptionInfo imsiEncryptionInfo, int base64EncodingFlag) { - if (imsiEncryptionInfo == null) { - return null; - } - - String prefix = EAP_METHOD_PREFIX.get(eapMethod); - if (prefix == null) { - return null; - } - imsi = prefix + imsi; - - // Build and return the encrypted identity. - String encryptedImsi = telephonyUtil.encryptDataUsingPublicKey( - imsiEncryptionInfo.getPublicKey(), imsi.getBytes(), base64EncodingFlag); - if (encryptedImsi == null) { - Log.e(TAG, "Failed to encrypt IMSI"); - return null; - } - String encryptedIdentity = buildIdentity(eapMethod, encryptedImsi, mccMnc, true); - if (imsiEncryptionInfo.getKeyIdentifier() != null) { - // Include key identifier AVP (Attribute Value Pair). - encryptedIdentity = encryptedIdentity + "," + imsiEncryptionInfo.getKeyIdentifier(); - } - return encryptedIdentity; - } - - /** - * Create the encrypted identity for V1.6. + * Create the encrypted identity. 
* * Prefix value: * "0" - EAP-AKA Identity * "1" - EAP-SIM Identity * "6" - EAP-AKA' Identity - * Encrypted identity format for V1.6: prefix|IMSI@ + * Encrypted identity format: prefix|IMSI@ * @param telephonyUtil TelephonyUtil instance * @param identity permanent identity with format based on section 4.1.1.6 of RFC 4187 * and 4.2.1.6 of RFC 4186. * @param imsiEncryptionInfo The IMSI encryption info retrieved from the SIM - * @param base64EncodingFlag base64 encoding flag * @return "\0" + encryptedIdentity + "{, Key Identifier AVP}" */ - private static String buildEncryptedIdentityV1_6(TelephonyUtil telephonyUtil, String identity, - ImsiEncryptionInfo imsiEncryptionInfo, int base64EncodingFlag) { + private static String buildEncryptedIdentity(TelephonyUtil telephonyUtil, String identity, + ImsiEncryptionInfo imsiEncryptionInfo) { if (imsiEncryptionInfo == null) { Log.e(TAG, "imsiEncryptionInfo is not valid"); return null; @@ -279,7 +220,7 @@ public class TelephonyUtil { // Build and return the encrypted identity. String encryptedIdentity = telephonyUtil.encryptDataUsingPublicKey( - imsiEncryptionInfo.getPublicKey(), identity.getBytes(), base64EncodingFlag); + imsiEncryptionInfo.getPublicKey(), identity.getBytes(), Base64.NO_WRAP); if (encryptedIdentity == null) { Log.e(TAG, "Failed to encrypt IMSI"); return null; diff --git a/tests/wifitests/src/com/android/server/wifi/CarrierNetworkConfigTest.java b/tests/wifitests/src/com/android/server/wifi/CarrierNetworkConfigTest.java index 9ff5be97d..d89358df0 100644 --- a/tests/wifitests/src/com/android/server/wifi/CarrierNetworkConfigTest.java +++ b/tests/wifitests/src/com/android/server/wifi/CarrierNetworkConfigTest.java 
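Review bot: The Javadoc of the renamed `buildEncryptedIdentity` does not mention the `null` return, although the visible body returns `null` both when `imsiEncryptionInfo` is null and when `encryptDataUsingPublicKey` fails, and the caller aborts EAP authentication on it. I would extend the tag to `@return "\0" + encryptedIdentity + "{, Key Identifier AVP}", or {@code null} if the encryption info is missing or encryption fails`. Now that the encoding is fixed, a one-line comment at the `Base64.NO_WRAP` argument such as `// RFC 4648: single line, no line feeds` would preserve what the removed `ENCODING_METHOD_RFC_4648` constant used to document. The method body continues between the two hunks and is not fully visible.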
@@ -82,19 +82,14 @@ public class CarrierNetworkConfigTest { * * @param ssid The SSID of the carrier network * @param eapType The EAP type of the carrier network - * @param encodingMethod base64 encoding method - * @param eapIdentitySequence eap identity sequence * @return {@link PersistableBundle} containing carrier config */ - private PersistableBundle generateTestConfig(String ssid, int eapType, int encodingMethod, - int eapIdentitySequence) { + private PersistableBundle generateTestConfig(String ssid, int eapType) { PersistableBundle bundle = new PersistableBundle(); String networkConfig = new String(Base64.encode(ssid.getBytes(), Base64.DEFAULT)) + "," + eapType; bundle.putStringArray(CarrierConfigManager.KEY_CARRIER_WIFI_STRING_ARRAY, new String[]{networkConfig}); - bundle.putInt(CarrierConfigManager.KEY_IMSI_ENCODING_METHOD_INT, encodingMethod); - bundle.putInt(CarrierConfigManager.KEY_EAP_IDENTITY_SEQUENCE_INT, eapIdentitySequence); return bundle; } @@ -111,9 +106,7 @@ public class CarrierNetworkConfigTest { when(mContext.getSystemService(Context.TELEPHONY_SERVICE)).thenReturn(mTelephonyManager); when(mTelephonyManager.createForSubscriptionId(anyInt())).thenReturn(mDataTelephonyManager); when(mCarrierConfigManager.getConfigForSubId(TEST_SUBSCRIPTION_ID)) - .thenReturn(generateTestConfig(TEST_SSID, TEST_STANDARD_EAP_TYPE, - CarrierNetworkConfig.ENCODING_METHOD_RFC_2045, - CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0)); + .thenReturn(generateTestConfig(TEST_SSID, TEST_STANDARD_EAP_TYPE)); when(mSubscriptionManager.getActiveSubscriptionInfoList()) .thenReturn(Arrays.asList(new SubscriptionInfo[] {TEST_SUBSCRIPTION_INFO})); when(mDataTelephonyManager.getCarrierInfoForImsiEncryption(TelephonyManager.KEY_TYPE_WLAN)) 
@@ -145,9 +138,6 @@ public class CarrierNetworkConfigTest { assertTrue(mCarrierNetworkConfig.isCarrierNetwork(TEST_SSID)); assertEquals(TEST_INTERNAL_EAP_TYPE, mCarrierNetworkConfig.getNetworkEapType(TEST_SSID)); assertEquals(TEST_CARRIER_NAME, mCarrierNetworkConfig.getCarrierName(TEST_SSID)); - assertEquals(Base64.DEFAULT, mCarrierNetworkConfig.getBase64EncodingFlag()); - assertEquals(CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0, - mCarrierNetworkConfig.getEapIdentitySequence()); } /** @@ -157,9 +147,7 @@ public class CarrierNetworkConfigTest { @Test public void getExistingCarrierNetworkInfo_nullDisplayName_shouldNotThrowNpe() { when(mCarrierConfigManager.getConfigForSubId(TEST_SUBSCRIPTION_ID)) - .thenReturn(generateTestConfig(TEST_SSID, TEST_STANDARD_EAP_TYPE, - CarrierNetworkConfig.ENCODING_METHOD_RFC_2045, - CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0)); + .thenReturn(generateTestConfig(TEST_SSID, TEST_STANDARD_EAP_TYPE)); SubscriptionInfo testSubscriptionInfoNullDisplayName = new SubscriptionInfo( TEST_SUBSCRIPTION_ID, null, 0, null, null, 0, 0, null, 0, null, "0", "0", null, false, null, null); @@ -233,9 +221,7 @@ public class CarrierNetworkConfigTest { when(mSubscriptionManager.getActiveSubscriptionInfoList()) .thenReturn(Arrays.asList(new SubscriptionInfo[] {updatedSubscriptionInfo})); when(mCarrierConfigManager.getConfigForSubId(TEST_SUBSCRIPTION_ID)) - .thenReturn(generateTestConfig(updatedSsid, updatedStandardEapType, - CarrierNetworkConfig.ENCODING_METHOD_RFC_2045, - CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0)); + .thenReturn(generateTestConfig(updatedSsid, updatedStandardEapType)); mBroadcastReceiver.onReceive(mContext, new Intent(CarrierConfigManager.ACTION_CARRIER_CONFIG_CHANGED)); 
@@ -243,17 +229,11 @@ public class CarrierNetworkConfigTest { assertFalse(mCarrierNetworkConfig.isCarrierNetwork(TEST_SSID)); assertEquals(-1, mCarrierNetworkConfig.getNetworkEapType(TEST_SSID)); assertEquals(null, mCarrierNetworkConfig.getCarrierName(TEST_SSID)); - assertEquals(Base64.DEFAULT, mCarrierNetworkConfig.getBase64EncodingFlag()); - assertEquals(CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0, - mCarrierNetworkConfig.getEapIdentitySequence()); // Verify that updated SSID is associated with a carrier network. assertTrue(mCarrierNetworkConfig.isCarrierNetwork(updatedSsid)); assertEquals(updatedInternalEapType, mCarrierNetworkConfig.getNetworkEapType(updatedSsid)); assertEquals(updatedCarrierName, mCarrierNetworkConfig.getCarrierName(updatedSsid)); - assertEquals(Base64.DEFAULT, mCarrierNetworkConfig.getBase64EncodingFlag()); - assertEquals(CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0, - mCarrierNetworkConfig.getEapIdentitySequence()); } /** 
@@ -285,55 +265,4 @@ public class CarrierNetworkConfigTest { mContentObserver.onChange(false); assertTrue(mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()); } - - /** - * Verify that base64Encoding type should be {@link Base64#NO_WRAP} when carrier configuration - * defines RFC4648 for encoding method. - */ - @Test - public void verifyBase64EncodingTypeWithRfc4648() { - when(mCarrierConfigManager.getConfigForSubId(TEST_SUBSCRIPTION_ID)) - .thenReturn(generateTestConfig(TEST_SSID, TEST_STANDARD_EAP_TYPE, - CarrierNetworkConfig.ENCODING_METHOD_RFC_4648, - CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0)); - mBroadcastReceiver.onReceive(mContext, - new Intent(CarrierConfigManager.ACTION_CARRIER_CONFIG_CHANGED)); - assertEquals(Base64.NO_WRAP, mCarrierNetworkConfig.getBase64EncodingFlag()); - } - - /** - * Verify that carrier network config is not generated when carrier configuration defines - * unsupported encoding method. - */ - @Test - public void verifyBase64EncodingTypeWithUnsupportedEncodingMethod() { - String ssid = "invalid carrier AP"; - when(mCarrierConfigManager.getConfigForSubId(TEST_SUBSCRIPTION_ID)) - .thenReturn(generateTestConfig(ssid, TEST_STANDARD_EAP_TYPE, 123, - CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0)); - mBroadcastReceiver.onReceive(mContext, - new Intent(CarrierConfigManager.ACTION_CARRIER_CONFIG_CHANGED)); - - assertFalse(mCarrierNetworkConfig.isCarrierNetwork(ssid)); - assertEquals(-1, mCarrierNetworkConfig.getNetworkEapType(ssid)); - assertEquals(null, mCarrierNetworkConfig.getCarrierName(ssid)); - assertEquals(Base64.DEFAULT, mCarrierNetworkConfig.getBase64EncodingFlag()); - } - - /** - * Verify that anonymous identity should be supported when carrier configuration is configured - * to support anonymous followed by encrypted IMSI for eap identity. 
- */ - @Test - public void verifyEapIdentitySequenceWithAnonymous() { - when(mCarrierConfigManager.getConfigForSubId(TEST_SUBSCRIPTION_ID)) - .thenReturn(generateTestConfig(TEST_SSID, TEST_STANDARD_EAP_TYPE, - CarrierNetworkConfig.ENCODING_METHOD_RFC_2045, - CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0)); - mBroadcastReceiver.onReceive(mContext, - new Intent(CarrierConfigManager.ACTION_CARRIER_CONFIG_CHANGED)); - - assertEquals(CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_0, - mCarrierNetworkConfig.getEapIdentitySequence()); - } } diff --git a/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java b/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java index 650b9ee8b..963156dc8 100644 --- a/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java +++ b/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java @@ -53,6 +53,7 @@ import java.util.HashMap; import java.util.List; import java.util.Map; + /** * Unit tests for CarrierNeteworkEvaluator */ @@ -160,8 +161,6 @@ public class CarrierNetworkEvaluatorTest { when(mDataTelephonyManager.getSimOperator()).thenReturn(TEST_MCC_MNC); when(mDataTelephonyManager.getSimState()).thenReturn(TelephonyManager.SIM_STATE_READY); when(mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()).thenReturn(true); - when(mCarrierNetworkConfig.getEapIdentitySequence()).thenReturn( - CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0); when(mCarrierNetworkConfig.isCarrierNetwork(eq(CARRIER1_SSID.replace("\"", "")))) .thenReturn(true); 
@@ -259,7 +258,8 @@ public class CarrierNetworkEvaluatorTest { assertTrue(config4.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_EAP)); assertEquals(config2.configKey(), selected.configKey()); // SSID2 has the highest RSSI - assertEquals("", selected.enterpriseConfig.getAnonymousIdentity()); + assertEquals("anonymous@wlan.mnc456.mcc123.3gppnetwork.org", + selected.enterpriseConfig.getAnonymousIdentity()); } /** @@ -398,7 +398,6 @@ public class CarrierNetworkEvaluatorTest { int[] levels = {10}; String expectedAnonymousIdentity = "anonymous@wlan.mnc456.mcc123.3gppnetwork.org"; when(mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()).thenReturn(true); - when(mCarrierNetworkConfig.isSupportAnonymousIdentity()).thenReturn(true); List scanDetails = WifiNetworkSelectorTestUtil.buildScanDetails(ssids, bssids, freqs, caps, levels, mClock); WifiConfiguration carrierConfig = configureNewSsid(CARRIER1_NET_ID, scanDetails.get(0), diff --git a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java index 0fd040c7e..1837acb7d 100644 --- a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java +++ b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java @@ -1027,7 +1027,6 @@ public class ClientModeImplTest { triggerConnect(); when(mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()).thenReturn(true); - when(mCarrierNetworkConfig.isSupportAnonymousIdentity()).thenReturn(true); when(mWifiConfigManager.getScanDetailCacheForNetwork(FRAMEWORK_NETWORK_ID)) .thenReturn(mScanDetailCache); diff --git a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointNetworkEvaluatorTest.java b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointNetworkEvaluatorTest.java index 3048abae0..ef019b416 100644 --- a/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointNetworkEvaluatorTest.java 
+++ b/tests/wifitests/src/com/android/server/wifi/hotspot2/PasspointNetworkEvaluatorTest.java @@ -421,7 +421,6 @@ public class PasspointNetworkEvaluatorTest { // SIM is present when(mSubscriptionManager.getActiveSubscriptionIdList()).thenReturn(new int[1]); when(mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()).thenReturn(true); - when(mCarrierNetworkConfig.isSupportAnonymousIdentity()).thenReturn(true); when(mWifiConfigManager.addOrUpdateNetwork(any(WifiConfiguration.class), anyInt())) .thenReturn(new NetworkUpdateResult(TEST_NETWORK_ID)); when(mWifiConfigManager.getConfiguredNetwork(TEST_NETWORK_ID)).thenReturn(config); diff --git a/tests/wifitests/src/com/android/server/wifi/util/TelephonyUtilTest.java b/tests/wifitests/src/com/android/server/wifi/util/TelephonyUtilTest.java index 490cdfef2..531673f0e 100644 --- a/tests/wifitests/src/com/android/server/wifi/util/TelephonyUtilTest.java +++ b/tests/wifitests/src/com/android/server/wifi/util/TelephonyUtilTest.java @@ -16,8 +16,6 @@ package com.android.server.wifi.util; -import static com.android.server.wifi.CarrierNetworkConfig.IDENTITY_SEQUENCE_IMSI_V1_0; - import static org.junit.Assert.*; import static org.mockito.Mockito.*; @@ -64,9 +62,6 @@ public class TelephonyUtilTest { @Before public void setUp() throws Exception { MockitoAnnotations.initMocks(this); - when(mCarrierNetworkConfig.getBase64EncodingFlag()).thenReturn(Base64.DEFAULT); - when(mCarrierNetworkConfig.getEapIdentitySequence()).thenReturn( - IDENTITY_SEQUENCE_IMSI_V1_0); mTelephonyUtil = new TelephonyUtil(); when(mTelephonyManager.createForSubscriptionId(anyInt())).thenReturn(mDataTelephonyManager); } 
@@ -133,59 +128,17 @@ public class TelephonyUtilTest { } /** - * Verify that an expected identity is returned when using the encrypted identity for V1.0 - * encoded by RFC4648. - */ - @Test - public void getEncryptedIdentity_V_1_0_WithRfc4648() throws Exception { - Cipher cipher = mock(Cipher.class); - PublicKey key = null; - int flag = Base64.NO_WRAP; - String imsi = "3214561234567890"; - String encryptedImsi = Base64.encodeToString(imsi.getBytes(), 0, imsi.getBytes().length, - flag); - String encryptedIdentity = "\0" + encryptedImsi + "@wlan.mnc456.mcc321.3gppnetwork.org"; - final Pair expectedIdentity = Pair.create( - "03214561234567890@wlan.mnc456.mcc321.3gppnetwork.org", encryptedIdentity); - - // static mocking - MockitoSession session = ExtendedMockito.mockitoSession().mockStatic( - Cipher.class).startMocking(); - try { - when(Cipher.getInstance(anyString())).thenReturn(cipher); - when(cipher.doFinal(any(byte[].class))).thenReturn(imsi.getBytes()); - when(mDataTelephonyManager.getSubscriberId()).thenReturn(imsi); - when(mDataTelephonyManager.getSimState()).thenReturn(TelephonyManager.SIM_STATE_READY); - when(mDataTelephonyManager.getSimOperator()).thenReturn("321456"); - ImsiEncryptionInfo info = new ImsiEncryptionInfo("321", "456", - TelephonyManager.KEY_TYPE_WLAN, null, key, null); - when(mDataTelephonyManager.getCarrierInfoForImsiEncryption( - eq(TelephonyManager.KEY_TYPE_WLAN))) - .thenReturn(info); - when(mCarrierNetworkConfig.getBase64EncodingFlag()).thenReturn(flag); - - assertEquals(expectedIdentity, - TelephonyUtil.getSimIdentity(mTelephonyManager, mTelephonyUtil, - WifiConfigurationTestUtil.createEapNetwork(WifiEnterpriseConfig.Eap.AKA, - WifiEnterpriseConfig.Phase2.NONE), mCarrierNetworkConfig)); - } finally { - session.finishMocking(); - } - } - - /** - * Verify that an expected identity is returned when using the encrypted identity for V1.6 + * Verify that an expected identity is returned when using the encrypted identity * encoded by RFC4648. 
*/ @Test - public void getEncryptedIdentity_V_1_6_WithRfc4648() throws Exception { + public void getEncryptedIdentity_WithRfc4648() throws Exception { Cipher cipher = mock(Cipher.class); PublicKey key = null; - int flag = Base64.NO_WRAP; String imsi = "3214561234567890"; String permanentIdentity = "03214561234567890@wlan.mnc456.mcc321.3gppnetwork.org"; String encryptedImsi = Base64.encodeToString(permanentIdentity.getBytes(), 0, - permanentIdentity.getBytes().length, flag); + permanentIdentity.getBytes().length, Base64.NO_WRAP); String encryptedIdentity = "\0" + encryptedImsi; final Pair expectedIdentity = Pair.create(permanentIdentity, encryptedIdentity); 
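Review bot: The surviving test `getEncryptedIdentity_WithRfc4648` expects `"\0" + encryptedImsi` with no key-identifier suffix, and the only test in this diff that passed a non-null key identifier, `getEncryptedIdentityKeyIdentifierWithRfc2045`, is deleted in the next hunk. The Javadoc of `buildEncryptedIdentity` still advertises `"{, Key Identifier AVP}"`, so that branch appears to be left without coverage as far as this diff shows. A sibling of this test that constructs `ImsiEncryptionInfo` with a key identifier (the removed test used `"key=testKey"`) and asserts the suffix the method appends would keep the server-visible identity format pinned. The test body continues past the end of this hunk.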
@@ -204,52 +157,6 @@ public class TelephonyUtilTest { when(mDataTelephonyManager.getCarrierInfoForImsiEncryption( eq(TelephonyManager.KEY_TYPE_WLAN))) .thenReturn(info); - when(mCarrierNetworkConfig.getBase64EncodingFlag()).thenReturn(flag); - when(mCarrierNetworkConfig.getEapIdentitySequence()).thenReturn( - CarrierNetworkConfig.IDENTITY_SEQUENCE_ANONYMOUS_THEN_IMSI_V1_6); - - assertEquals(expectedIdentity, - TelephonyUtil.getSimIdentity(mTelephonyManager, mTelephonyUtil, - WifiConfigurationTestUtil.createEapNetwork(WifiEnterpriseConfig.Eap.AKA, - WifiEnterpriseConfig.Phase2.NONE), mCarrierNetworkConfig)); - } finally { - session.finishMocking(); - } - } - - /** - * Verify that an expected identity is returned when using the encrypted IMSI encoded by RFC2045 - * with key identifier. - */ - @Test - public void getEncryptedIdentityKeyIdentifierWithRfc2045() throws Exception { - Cipher cipher = mock(Cipher.class); - int flag = Base64.DEFAULT; - PublicKey key = null; - String keyIdentifier = "key=testKey"; - String imsi = "3214561234567890"; - String encryptedImsi = Base64.encodeToString(imsi.getBytes(), 0, imsi.getBytes().length, - flag); - String encryptedIdentity = "\0" + encryptedImsi + "@wlan.mnc456.mcc321.3gppnetwork.org," - + keyIdentifier; - final Pair expectedIdentity = Pair.create( - "03214561234567890@wlan.mnc456.mcc321.3gppnetwork.org", encryptedIdentity); - - // static mocking - MockitoSession session = ExtendedMockito.mockitoSession().mockStatic( - Cipher.class).startMocking(); - try { - when(Cipher.getInstance(anyString())).thenReturn(cipher); - when(cipher.doFinal(any(byte[].class))).thenReturn(imsi.getBytes()); - when(mDataTelephonyManager.getSubscriberId()).thenReturn(imsi); - when(mDataTelephonyManager.getSimState()).thenReturn(TelephonyManager.SIM_STATE_READY); - when(mDataTelephonyManager.getSimOperator()).thenReturn("321456"); - ImsiEncryptionInfo info = new ImsiEncryptionInfo("321", "456", - TelephonyManager.KEY_TYPE_WLAN, keyIdentifier, key, 
null); - when(mDataTelephonyManager.getCarrierInfoForImsiEncryption( - eq(TelephonyManager.KEY_TYPE_WLAN))) - .thenReturn(info); - when(mCarrierNetworkConfig.getBase64EncodingFlag()).thenReturn(flag); assertEquals(expectedIdentity, TelephonyUtil.getSimIdentity(mTelephonyManager, mTelephonyUtil, @@ -293,30 +200,6 @@ public class TelephonyUtilTest { } } - /** - * Verify that {@code null} will be returned when IMSI encryption failed because - * the sequence of EAP identity is not valid. - */ - @Test - public void getEncryptedIdentityFailedWithInvalidEapIdentitySequence() throws Exception { - final Pair expectedIdentity = Pair.create( - "03214561234567890@wlan.mnc456.mcc321.3gppnetwork.org", ""); - - when(mDataTelephonyManager.getSubscriberId()).thenReturn("3214561234567890"); - when(mDataTelephonyManager.getSimState()).thenReturn(TelephonyManager.SIM_STATE_READY); - when(mDataTelephonyManager.getSimOperator()).thenReturn("321456"); - ImsiEncryptionInfo info = new ImsiEncryptionInfo("321", "456", - TelephonyManager.KEY_TYPE_WLAN, null, (PublicKey) null, null); - when(mDataTelephonyManager.getCarrierInfoForImsiEncryption( - eq(TelephonyManager.KEY_TYPE_WLAN))) - .thenReturn(info); - when(mCarrierNetworkConfig.getEapIdentitySequence()).thenReturn(-1); - - assertNull(TelephonyUtil.getSimIdentity(mTelephonyManager, mTelephonyUtil, - WifiConfigurationTestUtil.createEapNetwork(WifiEnterpriseConfig.Eap.AKA, - WifiEnterpriseConfig.Phase2.NONE), mCarrierNetworkConfig)); - } - @Test public void getSimIdentity2DigitMnc() { final Pair expectedIdentity = Pair.create( -- cgit v1.2.3 From 84641ba60a4c3518e6b60cf7d44a09fc1e5b5f69 Mon Sep 17 00:00:00 2001 
From: David Su Date: Tue, 28 May 2019 14:12:56 -0700 Subject: Fixed code setting anonymous_identity to anonymous@ Need to set anonymous@ in enterprise config before saving WifiConfiguration to WifiConfigManager. Bug: 133431451 Test: frameworks/opt/net/wifi/tests/wifitests/runtests.sh Test: Manual Change-Id: I2dcf85e6fdabd98fc15dc946ddf30a3d95297016 --- .../server/wifi/CarrierNetworkEvaluator.java | 7 +++---- .../com/android/server/wifi/ClientModeImpl.java | 22 ++++++---------------- .../com/android/server/wifi/WifiConfigManager.java | 5 ++++- .../android/server/wifi/util/TelephonyUtil.java | 8 ++++++++ .../server/wifi/CarrierNetworkEvaluatorTest.java | 6 ++++-- .../android/server/wifi/ClientModeImplTest.java | 7 +++++++ 6 files changed, 32 insertions(+), 23 deletions(-) diff --git a/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java b/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java index f042e796c..8bd024bf5 100644 --- a/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java +++ b/service/java/com/android/server/wifi/CarrierNetworkEvaluator.java @@ -121,6 +121,9 @@ public class CarrierNetworkEvaluator implements NetworkEvaluator { config.enterpriseConfig = new WifiEnterpriseConfig(); } config.enterpriseConfig.setEapMethod(eapType); + // Send anonymous@realm as EAP-IDENTITY response. + config.enterpriseConfig.setAnonymousIdentity( + TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager())); // Check if we already have a network with the same credentials in WifiConfigManager // database. If yes, we should check if the network is currently blacklisted. 
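Review bot: The added comment `// Send anonymous@realm as EAP-IDENTITY response.` does not say why the call has to sit at this point, which is the actual content of the fix according to the commit message. I would write it as `// Set anonymous@realm before the config is looked up in or saved to WifiConfigManager, so the stored network carries it.` so a later refactor does not move the call back below the lookup. The result of `getAnonymousIdentityWith3GppRealm(getTelephonyManager())` is also stored unchecked; whether it can be null or empty is not visible here, so that may deserve a guard or a note. The enclosing method starts and ends outside the hunk.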
@@ -158,10 +161,6 @@ public class CarrierNetworkEvaluator implements NetworkEvaluator { WifiConfiguration.NetworkSelectionStatus nss = null; if (config != null) { nss = config.getNetworkSelectionStatus(); - - // Send anonymous@realm as EAP-IDENTITY response. - config.enterpriseConfig.setAnonymousIdentity( - TelephonyUtil.getAnonymousIdentityWith3GppRealm(getTelephonyManager())); } if (nss == null) { mLocalLog.log(TAG + ": null network selection status for: " + config); diff --git a/service/java/com/android/server/wifi/ClientModeImpl.java b/service/java/com/android/server/wifi/ClientModeImpl.java index 2b39ea164..f181cd295 100644 --- a/service/java/com/android/server/wifi/ClientModeImpl.java +++ b/service/java/com/android/server/wifi/ClientModeImpl.java 
@@ -4433,25 +4433,15 @@ public class ClientModeImpl extends StateMachine { // We need to get the updated pseudonym from supplicant for EAP-SIM/AKA/AKA' if (config.enterpriseConfig != null && TelephonyUtil.isSimEapMethod( - config.enterpriseConfig.getEapMethod())) { + config.enterpriseConfig.getEapMethod()) + && !TelephonyUtil.isAnonymousAtRealmIdentity( + config.enterpriseConfig.getAnonymousIdentity())) { String anonymousIdentity = mWifiNative.getEapAnonymousIdentity(mInterfaceName); - if (anonymousIdentity != null) { - config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity); - } else { - CarrierNetworkConfig carrierNetworkConfig = - mWifiInjector.getCarrierNetworkConfig(); - if (carrierNetworkConfig.isCarrierEncryptionInfoAvailable()) { - // Send anonymous@realm as EAP-IDENTITY response. - config.enterpriseConfig.setAnonymousIdentity( - TelephonyUtil.getAnonymousIdentityWith3GppRealm( - getTelephonyManager())); - } else { - Log.d(TAG, "Failed to get updated anonymous identity" - + " from supplicant, reset it in WifiConfiguration."); - config.enterpriseConfig.setAnonymousIdentity(null); - } + if (mVerboseLoggingEnabled) { + log("EAP Pseudonym: " + anonymousIdentity); } + config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity); mWifiConfigManager.addOrUpdateNetwork(config, Process.WIFI_UID); } sendNetworkStateChangeBroadcast(mLastBssid); diff --git a/service/java/com/android/server/wifi/WifiConfigManager.java b/service/java/com/android/server/wifi/WifiConfigManager.java index c48601010..1d287f02d 100644 --- a/service/java/com/android/server/wifi/WifiConfigManager.java +++ b/service/java/com/android/server/wifi/WifiConfigManager.java 
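Review bot: The new verbose line `log("EAP Pseudonym: " + anonymousIdentity);` writes the identity returned by supplicant into the log in full. A pseudonym stays in use until the server issues a new one, so logs and bug reports that carry it let a subscriber's sessions be correlated; recording only whether a value came back is enough, for example `log("EAP Pseudonym present: " + (anonymousIdentity != null));`. The rewritten block also drops the old null branch, so a null result from `getEapAnonymousIdentity` is now stored without any trace; keeping a `Log.d` for that case would help when supplicant fails to return an identity. The enclosing method starts and ends outside the hunk.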
@@ -2806,7 +2806,10 @@ public class WifiConfigManager { } else { // reset identity as well: supplicant will ask us for it config.enterpriseConfig.setIdentity(""); - config.enterpriseConfig.setAnonymousIdentity(""); + if (!TelephonyUtil.isAnonymousAtRealmIdentity( + config.enterpriseConfig.getAnonymousIdentity())) { + config.enterpriseConfig.setAnonymousIdentity(""); + } } } } diff --git a/service/java/com/android/server/wifi/util/TelephonyUtil.java b/service/java/com/android/server/wifi/util/TelephonyUtil.java index 16d75e38f..4af40ddf2 100644 --- a/service/java/com/android/server/wifi/util/TelephonyUtil.java +++ b/service/java/com/android/server/wifi/util/TelephonyUtil.java @@ -332,6 +332,14 @@ public class TelephonyUtil { return getSimMethodForConfig(config) != WifiEnterpriseConfig.Eap.NONE; } + /** + * Returns true if {@code identity} contains an anonymous@realm identity, false otherwise. + */ + public static boolean isAnonymousAtRealmIdentity(String identity) { + if (identity == null) return false; + return identity.startsWith(TelephonyUtil.ANONYMOUS_IDENTITY + "@"); + } + /** * Checks if the EAP outer method is SIM related. * diff --git a/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java b/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java index 963156dc8..57a40dc8f 100644 --- a/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java +++ b/tests/wifitests/src/com/android/server/wifi/CarrierNetworkEvaluatorTest.java @@ -17,7 +17,6 @@ package com.android.server.wifi; import static org.junit.Assert.assertEquals; -import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; import static org.mockito.ArgumentMatchers.any; 
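Review bot: The added guard keeps an `anonymous@realm` value while the line above still clears the identity, and nothing in the hunk says why the two are treated differently or whether the kept realm can go stale. The realm appears to be derived from the SIM (`getAnonymousIdentityWith3GppRealm(getTelephonyManager())` in CarrierNetworkEvaluator), so if this branch runs after a SIM change the config would keep the previous operator's realm until something rewrites it. I would add a comment such as `// anonymous@realm is not a server-issued pseudonym, so there is nothing to re-request from supplicant` and, unless a later step is confirmed to refresh the realm, recompute the value here instead of preserving it. The enclosing method is outside the hunk, so the trigger for this branch is inferred from the existing comment only.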
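Review bot: `isAnonymousAtRealmIdentity` accepts any string that starts with `ANONYMOUS_IDENTITY + "@"`, whatever the realm, while its Javadoc says "contains". Both new callers use the result to leave the anonymous identity untouched, so a SIM-EAP network whose stored anonymous identity has that prefix but a non-3GPP realm (a constructed example: `anonymous@example.com`) would skip the pseudonym update in ClientModeImpl and the reset in WifiConfigManager. If only the value built by `getAnonymousIdentityWith3GppRealm` is meant, compare against that; at the least the Javadoc should read `Returns true if {@code identity} starts with the anonymous@ prefix, false otherwise; the realm is not checked.`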
@@ -117,6 +116,8 @@ public class CarrierNetworkEvaluatorTest { Integer networkId = mConfigs.get(config.configKey()); if (networkId == null) return null; + when(mWifiConfigManager.getConfiguredNetwork(networkId)).thenReturn(config); + NetworkUpdateResult networkUpdateResult = mock(NetworkUpdateResult.class); when(networkUpdateResult.isSuccess()).thenReturn(true); when(networkUpdateResult.getNetworkId()).thenReturn(networkId); @@ -250,7 +251,8 @@ public class CarrierNetworkEvaluatorTest { assertTrue(config2.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_EAP)); WifiConfiguration config3 = mWifiConfigCaptor.getAllValues().get(2); assertEquals(CARRIER_SAVED_SSID, config3.SSID); - assertFalse(config3.isEphemeral()); + // all configs returned by CarrierNetworkEvaluator are ephemeral. + assertTrue(config3.isEphemeral()); assertTrue(config3.allowedKeyManagement.get(WifiConfiguration.KeyMgmt.WPA_EAP)); WifiConfiguration config4 = mWifiConfigCaptor.getAllValues().get(3); assertEquals(CARRIER_SAVED_EPH_SSID, config4.SSID); diff --git a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java index 1837acb7d..597ccae7b 100644 --- a/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java +++ b/tests/wifitests/src/com/android/server/wifi/ClientModeImplTest.java @@ -1024,6 +1024,9 @@ public class ClientModeImplTest { when(mDataTelephonyManager.getSimState()).thenReturn(TelephonyManager.SIM_STATE_READY); String expectedAnonymousIdentity = TelephonyUtil.getAnonymousIdentityWith3GppRealm( mTelephonyManager); + // we are using anonymous@ as our anonymous identity before connection + mConnectedNetwork.enterpriseConfig.setAnonymousIdentity(expectedAnonymousIdentity); + triggerConnect(); when(mCarrierNetworkConfig.isCarrierEncryptionInfoAvailable()).thenReturn(true); 
@@ -1038,6 +1041,10 @@ public class ClientModeImplTest { mCmi.sendMessage(WifiMonitor.NETWORK_CONNECTION_EVENT, 0, 0, sBSSID); mLooper.dispatchAll(); + // verify that WifiNative#getEapAnonymousIdentity() was never called since we are using + // encrypted IMSI full authentication and not using pseudonym identity. + verify(mWifiNative, never()).getEapAnonymousIdentity(any()); + // check that the anonymous identity remains anonymous@ for subsequent connections. assertEquals(expectedAnonymousIdentity, mConnectedNetwork.enterpriseConfig.getAnonymousIdentity()); } -- cgit v1.2.3