]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_eap_proto.py
projects / thirdparty / hostap.git / blob
? search:


2276b2056c6eead5075c0c8742fc6008bbfe25cc
[thirdparty/hostap.git] / tests / hwsim / test_eap_proto.py
1 # EAP protocol tests
2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import binascii
8 import hashlib
9 import hmac
10 import logging
11 logger = logging.getLogger()
12 import select
13 import struct
14 import threading
15 import time
16
17 import hostapd
18 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
19 from test_ap_eap import check_eap_capa, check_hlr_auc_gw_support
20 from test_erp import check_erp_capa
21
22 EAP_CODE_REQUEST = 1
23 EAP_CODE_RESPONSE = 2
24 EAP_CODE_SUCCESS = 3
25 EAP_CODE_FAILURE = 4
26 EAP_CODE_INITIATE = 5
27 EAP_CODE_FINISH = 6
28
29 EAP_TYPE_IDENTITY = 1
30 EAP_TYPE_NOTIFICATION = 2
31 EAP_TYPE_NAK = 3
32 EAP_TYPE_MD5 = 4
33 EAP_TYPE_OTP = 5
34 EAP_TYPE_GTC = 6
35 EAP_TYPE_TLS = 13
36 EAP_TYPE_LEAP = 17
37 EAP_TYPE_SIM = 18
38 EAP_TYPE_TTLS = 21
39 EAP_TYPE_AKA = 23
40 EAP_TYPE_PEAP = 25
41 EAP_TYPE_MSCHAPV2 = 26
42 EAP_TYPE_TLV = 33
43 EAP_TYPE_TNC = 38
44 EAP_TYPE_FAST = 43
45 EAP_TYPE_PAX = 46
46 EAP_TYPE_PSK = 47
47 EAP_TYPE_SAKE = 48
48 EAP_TYPE_IKEV2 = 49
49 EAP_TYPE_AKA_PRIME = 50
50 EAP_TYPE_GPSK = 51
51 EAP_TYPE_PWD = 52
52 EAP_TYPE_EKE = 53
53 EAP_TYPE_EXPANDED = 254
54
55 # Type field in EAP-Initiate and EAP-Finish messages
56 EAP_ERP_TYPE_REAUTH_START = 1
57 EAP_ERP_TYPE_REAUTH = 2
58
59 EAP_ERP_TLV_KEYNAME_NAI = 1
60 EAP_ERP_TV_RRK_LIFETIME = 2
61 EAP_ERP_TV_RMSK_LIFETIME = 3
62 EAP_ERP_TLV_DOMAIN_NAME = 4
63 EAP_ERP_TLV_CRYPTOSUITES = 5
64 EAP_ERP_TLV_AUTHORIZATION_INDICATION = 6
65 EAP_ERP_TLV_CALLED_STATION_ID = 128
66 EAP_ERP_TLV_CALLING_STATION_ID = 129
67 EAP_ERP_TLV_NAS_IDENTIFIER = 130
68 EAP_ERP_TLV_NAS_IP_ADDRESS = 131
69 EAP_ERP_TLV_NAS_IPV6_ADDRESS = 132
70
71 def run_pyrad_server(srv, t_stop, eap_handler):
72 srv.RunWithStop(t_stop, eap_handler)
73
74 def start_radius_server(eap_handler):
75 try:
76 import pyrad.server
77 import pyrad.packet
78 import pyrad.dictionary
79 except ImportError:
80 raise HwsimSkip("No pyrad modules available")
81
82 class TestServer(pyrad.server.Server):
83 def _HandleAuthPacket(self, pkt):
84 pyrad.server.Server._HandleAuthPacket(self, pkt)
85 eap = ""
86 for p in pkt[79]:
87 eap += p
88 eap_req = self.eap_handler(self.ctx, eap)
89 reply = self.CreateReplyPacket(pkt)
90 if eap_req:
91 while True:
92 if len(eap_req) > 253:
93 reply.AddAttribute("EAP-Message", eap_req[0:253])
94 eap_req = eap_req[253:]
95 else:
96 reply.AddAttribute("EAP-Message", eap_req)
97 break
98 else:
99 logger.info("No EAP request available")
100 reply.code = pyrad.packet.AccessChallenge
101
102 hmac_obj = hmac.new(reply.secret)
103 hmac_obj.update(struct.pack("B", reply.code))
104 hmac_obj.update(struct.pack("B", reply.id))
105
106 # reply attributes
107 reply.AddAttribute("Message-Authenticator",
108 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
109 attrs = reply._PktEncodeAttributes()
110
111 # Length
112 flen = 4 + 16 + len(attrs)
113 hmac_obj.update(struct.pack(">H", flen))
114 hmac_obj.update(pkt.authenticator)
115 hmac_obj.update(attrs)
116 del reply[80]
117 reply.AddAttribute("Message-Authenticator", hmac_obj.digest())
118
119 self.SendReplyPacket(pkt.fd, reply)
120
121 def RunWithStop(self, t_stop, eap_handler):
122 self._poll = select.poll()
123 self._fdmap = {}
124 self._PrepareSockets()
125 self.t_stop = t_stop
126 self.eap_handler = eap_handler
127 self.ctx = {}
128
129 while not t_stop.is_set():
130 for (fd, event) in self._poll.poll(200):
131 if event == select.POLLIN:
132 try:
133 fdo = self._fdmap[fd]
134 self._ProcessInput(fdo)
135 except pyrad.server.ServerPacketError as err:
136 logger.info("pyrad server dropping packet: " + str(err))
137 except pyrad.packet.PacketError as err:
138 logger.info("pyrad server received invalid packet: " + str(err))
139 else:
140 logger.error("Unexpected event in pyrad server main loop")
141
142 srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
143 authport=18138, acctport=18139)
144 srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
145 "radius",
146 "localhost")
147 srv.BindToAddress("")
148 t_stop = threading.Event()
149 t = threading.Thread(target=run_pyrad_server, args=(srv, t_stop, eap_handler))
150 t.start()
151
152 return { 'srv': srv, 'stop': t_stop, 'thread': t }
153
154 def stop_radius_server(srv):
155 srv['stop'].set()
156 srv['thread'].join()
157
158 def start_ap(ifname):
159 params = hostapd.wpa2_eap_params(ssid="eap-test")
160 params['auth_server_port'] = "18138"
161 hapd = hostapd.add_ap(ifname, params)
162 return hapd
163
164 def test_eap_proto(dev, apdev):
165 """EAP protocol tests"""
166 check_eap_capa(dev[0], "MD5")
167 def eap_handler(ctx, req):
168 logger.info("eap_handler - RX " + req.encode("hex"))
169 if 'num' not in ctx:
170 ctx['num'] = 0
171 ctx['num'] = ctx['num'] + 1
172 if 'id' not in ctx:
173 ctx['id'] = 1
174 ctx['id'] = (ctx['id'] + 1) % 256
175 idx = 0
176
177 idx += 1
178 if ctx['num'] == idx:
179 logger.info("Test: MD5 challenge")
180 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
181 4 + 1 + 3,
182 EAP_TYPE_MD5,
183 1, 0xaa, ord('n'))
184 idx += 1
185 if ctx['num'] == idx:
186 logger.info("Test: EAP-Success - id off by 2")
187 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] + 1, 4)
188
189 idx += 1
190 if ctx['num'] == idx:
191 logger.info("Test: MD5 challenge")
192 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
193 4 + 1 + 3,
194 EAP_TYPE_MD5,
195 1, 0xaa, ord('n'))
196 idx += 1
197 if ctx['num'] == idx:
198 logger.info("Test: EAP-Success - id off by 3")
199 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] + 2, 4)
200
201 idx += 1
202 if ctx['num'] == idx:
203 logger.info("Test: MD5 challenge")
204 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
205 4 + 1 + 3,
206 EAP_TYPE_MD5,
207 1, 0xaa, ord('n'))
208 idx += 1
209 if ctx['num'] == idx:
210 logger.info("Test: EAP-Notification/Request")
211 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
212 4 + 1 + 1,
213 EAP_TYPE_NOTIFICATION,
214 ord('A'))
215 idx += 1
216 if ctx['num'] == idx:
217 logger.info("Test: EAP-Success")
218 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
219
220 idx += 1
221 if ctx['num'] == idx:
222 logger.info("Test: EAP-Notification/Request")
223 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
224 4 + 1 + 1,
225 EAP_TYPE_NOTIFICATION,
226 ord('B'))
227 idx += 1
228 if ctx['num'] == idx:
229 logger.info("Test: MD5 challenge")
230 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
231 4 + 1 + 3,
232 EAP_TYPE_MD5,
233 1, 0xaa, ord('n'))
234 idx += 1
235 if ctx['num'] == idx:
236 logger.info("Test: EAP-Success")
237 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
238
239 idx += 1
240 if ctx['num'] == idx:
241 logger.info("Test: EAP-Notification/Request")
242 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
243 4 + 1 + 1,
244 EAP_TYPE_NOTIFICATION,
245 ord('C'))
246 idx += 1
247 if ctx['num'] == idx:
248 logger.info("Test: MD5 challenge")
249 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
250 4 + 1 + 3,
251 EAP_TYPE_MD5,
252 1, 0xaa, ord('n'))
253 idx += 1
254 if ctx['num'] == idx:
255 logger.info("Test: EAP-Notification/Request")
256 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
257 4 + 1 + 1,
258 EAP_TYPE_NOTIFICATION,
259 ord('D'))
260 idx += 1
261 if ctx['num'] == idx:
262 logger.info("Test: EAP-Success")
263 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
264
265 idx += 1
266 if ctx['num'] == idx:
267 logger.info("Test: EAP-Notification/Request")
268 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
269 4 + 1 + 1,
270 EAP_TYPE_NOTIFICATION,
271 ord('E'))
272 idx += 1
273 if ctx['num'] == idx:
274 logger.info("Test: EAP-Notification/Request (same id)")
275 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'] - 1,
276 4 + 1 + 1,
277 EAP_TYPE_NOTIFICATION,
278 ord('F'))
279 idx += 1
280 if ctx['num'] == idx:
281 logger.info("Test: Unexpected EAP-Success")
282 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 2, 4)
283
284 return None
285
286 srv = start_radius_server(eap_handler)
287
288 try:
289 hapd = start_ap(apdev[0]['ifname'])
290
291 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
292 eap="MD5", identity="user", password="password",
293 wait_connect=False)
294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
295 if ev is None:
296 raise Exception("Timeout on EAP start")
297 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
298 if ev is None:
299 raise Exception("Timeout on EAP success")
300 dev[0].request("REMOVE_NETWORK all")
301
302 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
303 eap="MD5", identity="user", password="password",
304 wait_connect=False)
305 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
306 if ev is None:
307 raise Exception("Timeout on EAP start")
308 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=1)
309 if ev is not None:
310 raise Exception("Unexpected EAP success")
311 dev[0].request("REMOVE_NETWORK all")
312
313 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
314 eap="MD5", identity="user", password="password",
315 wait_connect=False)
316 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
317 if ev is None:
318 raise Exception("Timeout on EAP start")
319 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
320 if ev is None:
321 raise Exception("Timeout on EAP notification")
322 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION A":
323 raise Exception("Unexpected notification contents: " + ev)
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
325 if ev is None:
326 raise Exception("Timeout on EAP success")
327 dev[0].request("REMOVE_NETWORK all")
328
329 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
330 eap="MD5", identity="user", password="password",
331 wait_connect=False)
332 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
333 if ev is None:
334 raise Exception("Timeout on EAP notification")
335 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION B":
336 raise Exception("Unexpected notification contents: " + ev)
337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
338 if ev is None:
339 raise Exception("Timeout on EAP start")
340 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
341 if ev is None:
342 raise Exception("Timeout on EAP success")
343 dev[0].request("REMOVE_NETWORK all")
344
345 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
346 eap="MD5", identity="user", password="password",
347 wait_connect=False)
348 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
349 if ev is None:
350 raise Exception("Timeout on EAP notification")
351 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION C":
352 raise Exception("Unexpected notification contents: " + ev)
353 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
354 if ev is None:
355 raise Exception("Timeout on EAP start")
356 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
357 if ev is None:
358 raise Exception("Timeout on EAP notification")
359 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION D":
360 raise Exception("Unexpected notification contents: " + ev)
361 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
362 if ev is None:
363 raise Exception("Timeout on EAP success")
364 dev[0].request("REMOVE_NETWORK all")
365
366 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
367 eap="MD5", identity="user", password="password",
368 wait_connect=False)
369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
370 if ev is None:
371 raise Exception("Timeout on EAP notification")
372 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION E":
373 raise Exception("Unexpected notification contents: " + ev)
374 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
375 if ev is None:
376 raise Exception("Timeout on EAP notification")
377 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION F":
378 raise Exception("Unexpected notification contents: " + ev)
379 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 if ev is None:
381 raise Exception("Timeout on EAP failure")
382 dev[0].request("REMOVE_NETWORK all")
383 finally:
384 stop_radius_server(srv)
385
386 EAP_SAKE_VERSION = 2
387
388 EAP_SAKE_SUBTYPE_CHALLENGE = 1
389 EAP_SAKE_SUBTYPE_CONFIRM = 2
390 EAP_SAKE_SUBTYPE_AUTH_REJECT = 3
391 EAP_SAKE_SUBTYPE_IDENTITY = 4
392
393 EAP_SAKE_AT_RAND_S = 1
394 EAP_SAKE_AT_RAND_P = 2
395 EAP_SAKE_AT_MIC_S = 3
396 EAP_SAKE_AT_MIC_P = 4
397 EAP_SAKE_AT_SERVERID = 5
398 EAP_SAKE_AT_PEERID = 6
399 EAP_SAKE_AT_SPI_S = 7
400 EAP_SAKE_AT_SPI_P = 8
401 EAP_SAKE_AT_ANY_ID_REQ = 9
402 EAP_SAKE_AT_PERM_ID_REQ = 10
403 EAP_SAKE_AT_ENCR_DATA = 128
404 EAP_SAKE_AT_IV = 129
405 EAP_SAKE_AT_PADDING = 130
406 EAP_SAKE_AT_NEXT_TMPID = 131
407 EAP_SAKE_AT_MSK_LIFE = 132
408
409 def test_eap_proto_sake(dev, apdev):
410 """EAP-SAKE protocol tests"""
411 global eap_proto_sake_test_done
412 eap_proto_sake_test_done = False
413
414 def sake_challenge(ctx):
415 logger.info("Test: Challenge subtype")
416 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
417 4 + 1 + 3 + 18,
418 EAP_TYPE_SAKE,
419 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
420 EAP_SAKE_AT_RAND_S, 18, 0, 0, 0, 0)
421
422 def sake_handler(ctx, req):
423 logger.info("sake_handler - RX " + req.encode("hex"))
424 if 'num' not in ctx:
425 ctx['num'] = 0
426 ctx['num'] += 1
427 if 'id' not in ctx:
428 ctx['id'] = 1
429 ctx['id'] = (ctx['id'] + 1) % 256
430 idx = 0
431
432 idx += 1
433 if ctx['num'] == idx:
434 logger.info("Test: Missing payload")
435 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1,
436 EAP_TYPE_SAKE)
437
438 idx += 1
439 if ctx['num'] == idx:
440 logger.info("Test: Identity subtype without any attributes")
441 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
442 4 + 1 + 3,
443 EAP_TYPE_SAKE,
444 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY)
445
446 idx += 1
447 if ctx['num'] == idx:
448 logger.info("Test: Identity subtype")
449 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
450 4 + 1 + 3 + 4,
451 EAP_TYPE_SAKE,
452 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
453 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
454 idx += 1
455 if ctx['num'] == idx:
456 logger.info("Test: Identity subtype (different session id)")
457 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
458 4 + 1 + 3 + 4,
459 EAP_TYPE_SAKE,
460 EAP_SAKE_VERSION, 1, EAP_SAKE_SUBTYPE_IDENTITY,
461 EAP_SAKE_AT_PERM_ID_REQ, 4, 0)
462
463 idx += 1
464 if ctx['num'] == idx:
465 logger.info("Test: Identity subtype with too short attribute")
466 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
467 4 + 1 + 3 + 2,
468 EAP_TYPE_SAKE,
469 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
470 EAP_SAKE_AT_ANY_ID_REQ, 2)
471
472 idx += 1
473 if ctx['num'] == idx:
474 logger.info("Test: Identity subtype with truncated attribute")
475 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
476 4 + 1 + 3 + 2,
477 EAP_TYPE_SAKE,
478 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
479 EAP_SAKE_AT_ANY_ID_REQ, 4)
480
481 idx += 1
482 if ctx['num'] == idx:
483 logger.info("Test: Identity subtype with too short attribute header")
484 payload = struct.pack("B", EAP_SAKE_AT_ANY_ID_REQ)
485 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
486 4 + 1 + 3 + len(payload),
487 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
488 EAP_SAKE_SUBTYPE_IDENTITY) + payload
489
490 idx += 1
491 if ctx['num'] == idx:
492 logger.info("Test: Identity subtype with AT_IV but not AT_ENCR_DATA")
493 payload = struct.pack("BB", EAP_SAKE_AT_IV, 2)
494 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
495 4 + 1 + 3 + len(payload),
496 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
497 EAP_SAKE_SUBTYPE_IDENTITY) + payload
498
499 idx += 1
500 if ctx['num'] == idx:
501 logger.info("Test: Identity subtype with skippable and non-skippable unknown attribute")
502 payload = struct.pack("BBBB", 255, 2, 127, 2)
503 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
504 4 + 1 + 3 + len(payload),
505 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
506 EAP_SAKE_SUBTYPE_IDENTITY) + payload
507
508 idx += 1
509 if ctx['num'] == idx:
510 logger.info("Test: Identity subtype: AT_RAND_P with invalid payload length")
511 payload = struct.pack("BB", EAP_SAKE_AT_RAND_P, 2)
512 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
513 4 + 1 + 3 + len(payload),
514 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
515 EAP_SAKE_SUBTYPE_IDENTITY) + payload
516
517 idx += 1
518 if ctx['num'] == idx:
519 logger.info("Test: Identity subtype: AT_MIC_P with invalid payload length")
520 payload = struct.pack("BB", EAP_SAKE_AT_MIC_P, 2)
521 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
522 4 + 1 + 3 + len(payload),
523 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
524 EAP_SAKE_SUBTYPE_IDENTITY) + payload
525
526 idx += 1
527 if ctx['num'] == idx:
528 logger.info("Test: Identity subtype: AT_PERM_ID_REQ with invalid payload length")
529 payload = struct.pack("BBBBBBBBBBBBBB",
530 EAP_SAKE_AT_SPI_S, 2,
531 EAP_SAKE_AT_SPI_P, 2,
532 EAP_SAKE_AT_ENCR_DATA, 2,
533 EAP_SAKE_AT_NEXT_TMPID, 2,
534 EAP_SAKE_AT_PERM_ID_REQ, 4, 0, 0,
535 EAP_SAKE_AT_PERM_ID_REQ, 2)
536 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
537 4 + 1 + 3 + len(payload),
538 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
539 EAP_SAKE_SUBTYPE_IDENTITY) + payload
540
541 idx += 1
542 if ctx['num'] == idx:
543 logger.info("Test: Identity subtype: AT_PADDING")
544 payload = struct.pack("BBBBBB",
545 EAP_SAKE_AT_PADDING, 3, 0,
546 EAP_SAKE_AT_PADDING, 3, 1)
547 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
548 4 + 1 + 3 + len(payload),
549 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
550 EAP_SAKE_SUBTYPE_IDENTITY) + payload
551
552 idx += 1
553 if ctx['num'] == idx:
554 logger.info("Test: Identity subtype: AT_MSK_LIFE")
555 payload = struct.pack(">BBLBBH",
556 EAP_SAKE_AT_MSK_LIFE, 6, 0,
557 EAP_SAKE_AT_MSK_LIFE, 4, 0)
558 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
559 4 + 1 + 3 + len(payload),
560 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
561 EAP_SAKE_SUBTYPE_IDENTITY) + payload
562
563 idx += 1
564 if ctx['num'] == idx:
565 logger.info("Test: Identity subtype with invalid attribute length")
566 payload = struct.pack("BB", EAP_SAKE_AT_ANY_ID_REQ, 0)
567 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
568 4 + 1 + 3 + len(payload),
569 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
570 EAP_SAKE_SUBTYPE_IDENTITY) + payload
571
572 idx += 1
573 if ctx['num'] == idx:
574 logger.info("Test: Unknown subtype")
575 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
576 4 + 1 + 3,
577 EAP_TYPE_SAKE,
578 EAP_SAKE_VERSION, 0, 123)
579
580 idx += 1
581 if ctx['num'] == idx:
582 logger.info("Test: Challenge subtype without any attributes")
583 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
584 4 + 1 + 3,
585 EAP_TYPE_SAKE,
586 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE)
587
588 idx += 1
589 if ctx['num'] == idx:
590 logger.info("Test: Challenge subtype with too short AT_RAND_S")
591 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
592 4 + 1 + 3 + 2,
593 EAP_TYPE_SAKE,
594 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
595 EAP_SAKE_AT_RAND_S, 2)
596
597 idx += 1
598 if ctx['num'] == idx:
599 return sake_challenge(ctx)
600 idx += 1
601 if ctx['num'] == idx:
602 logger.info("Test: Unexpected Identity subtype")
603 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
604 4 + 1 + 3 + 4,
605 EAP_TYPE_SAKE,
606 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
607 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
608
609 idx += 1
610 if ctx['num'] == idx:
611 return sake_challenge(ctx)
612 idx += 1
613 if ctx['num'] == idx:
614 logger.info("Test: Unexpected Challenge subtype")
615 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
616 4 + 1 + 3 + 18,
617 EAP_TYPE_SAKE,
618 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
619 EAP_SAKE_AT_RAND_S, 18, 0, 0, 0, 0)
620
621 idx += 1
622 if ctx['num'] == idx:
623 return sake_challenge(ctx)
624 idx += 1
625 if ctx['num'] == idx:
626 logger.info("Test: Confirm subtype without any attributes")
627 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
628 4 + 1 + 3,
629 EAP_TYPE_SAKE,
630 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM)
631
632 idx += 1
633 if ctx['num'] == idx:
634 return sake_challenge(ctx)
635 idx += 1
636 if ctx['num'] == idx:
637 logger.info("Test: Confirm subtype with too short AT_MIC_S")
638 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
639 4 + 1 + 3 + 2,
640 EAP_TYPE_SAKE,
641 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
642 EAP_SAKE_AT_MIC_S, 2)
643
644 idx += 1
645 if ctx['num'] == idx:
646 logger.info("Test: Unexpected Confirm subtype")
647 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
648 4 + 1 + 3 + 18,
649 EAP_TYPE_SAKE,
650 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
651 EAP_SAKE_AT_MIC_S, 18, 0, 0, 0, 0)
652
653 idx += 1
654 if ctx['num'] == idx:
655 return sake_challenge(ctx)
656 idx += 1
657 if ctx['num'] == idx:
658 logger.info("Test: Confirm subtype with incorrect AT_MIC_S")
659 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
660 4 + 1 + 3 + 18,
661 EAP_TYPE_SAKE,
662 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
663 EAP_SAKE_AT_MIC_S, 18, 0, 0, 0, 0)
664
665 global eap_proto_sake_test_done
666 if eap_proto_sake_test_done:
667 return sake_challenge(ctx)
668
669 logger.info("No more test responses available - test case completed")
670 eap_proto_sake_test_done = True
671 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
672
673 srv = start_radius_server(sake_handler)
674
675 try:
676 hapd = start_ap(apdev[0]['ifname'])
677
678 while not eap_proto_sake_test_done:
679 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
680 eap="SAKE", identity="sake user",
681 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
682 wait_connect=False)
683 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
684 if ev is None:
685 raise Exception("Timeout on EAP start")
686 time.sleep(0.1)
687 dev[0].request("REMOVE_NETWORK all")
688
689 logger.info("Too short password")
690 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
691 eap="SAKE", identity="sake user",
692 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
693 wait_connect=False)
694 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
695 if ev is None:
696 raise Exception("Timeout on EAP start")
697 time.sleep(0.1)
698 finally:
699 stop_radius_server(srv)
700
701 def test_eap_proto_sake_errors(dev, apdev):
702 """EAP-SAKE local error cases"""
703 check_eap_capa(dev[0], "SAKE")
704 params = hostapd.wpa2_eap_params(ssid="eap-test")
705 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
706
707 for i in range(1, 3):
708 with alloc_fail(dev[0], i, "eap_sake_init"):
709 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
710 eap="SAKE", identity="sake user",
711 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
712 wait_connect=False)
713 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
714 timeout=15)
715 if ev is None:
716 raise Exception("Timeout on EAP start")
717 dev[0].request("REMOVE_NETWORK all")
718 dev[0].wait_disconnected()
719
720 tests = [ ( 1, "eap_msg_alloc;eap_sake_build_msg;eap_sake_process_challenge" ),
721 ( 1, "=eap_sake_process_challenge" ),
722 ( 1, "eap_sake_compute_mic;eap_sake_process_challenge" ),
723 ( 1, "eap_sake_build_msg;eap_sake_process_confirm" ),
724 ( 2, "eap_sake_compute_mic;eap_sake_process_confirm" ),
725 ( 1, "eap_sake_getKey" ),
726 ( 1, "eap_sake_get_emsk" ),
727 ( 1, "eap_sake_get_session_id" ) ]
728 for count, func in tests:
729 with alloc_fail(dev[0], count, func):
730 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
731 eap="SAKE", identity="sake user",
732 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
733 erp="1",
734 wait_connect=False)
735 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
736 timeout=15)
737 if ev is None:
738 raise Exception("Timeout on EAP start")
739 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
740 dev[0].request("REMOVE_NETWORK all")
741 dev[0].wait_disconnected()
742
743 with fail_test(dev[0], 1, "os_get_random;eap_sake_process_challenge"):
744 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
745 eap="SAKE", identity="sake user",
746 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
747 wait_connect=False)
748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
749 if ev is None:
750 raise Exception("Timeout on EAP start")
751 wait_fail_trigger(dev[0], "GET_FAIL")
752 dev[0].request("REMOVE_NETWORK all")
753 dev[0].wait_disconnected()
754
755 def test_eap_proto_sake_errors2(dev, apdev):
756 """EAP-SAKE protocol tests (2)"""
757 def sake_handler(ctx, req):
758 logger.info("sake_handler - RX " + req.encode("hex"))
759 if 'num' not in ctx:
760 ctx['num'] = 0
761 ctx['num'] += 1
762 if 'id' not in ctx:
763 ctx['id'] = 1
764 ctx['id'] = (ctx['id'] + 1) % 256
765 idx = 0
766
767 idx += 1
768 if ctx['num'] == idx:
769 logger.info("Test: Identity subtype")
770 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
771 4 + 1 + 3 + 4,
772 EAP_TYPE_SAKE,
773 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
774 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
775
776 srv = start_radius_server(sake_handler)
777
778 try:
779 hapd = start_ap(apdev[0]['ifname'])
780
781 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_sake_build_msg;eap_sake_process_identity"):
782 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
783 eap="SAKE", identity="sake user",
784 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
785 wait_connect=False)
786 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
787 timeout=15)
788 if ev is None:
789 raise Exception("Timeout on EAP start")
790 dev[0].request("REMOVE_NETWORK all")
791 dev[0].wait_disconnected()
792
793 finally:
794 stop_radius_server(srv)
795
796 def test_eap_proto_leap(dev, apdev):
797 """EAP-LEAP protocol tests"""
798 check_eap_capa(dev[0], "LEAP")
799 def leap_handler(ctx, req):
800 logger.info("leap_handler - RX " + req.encode("hex"))
801 if 'num' not in ctx:
802 ctx['num'] = 0
803 ctx['num'] = ctx['num'] + 1
804 if 'id' not in ctx:
805 ctx['id'] = 1
806 ctx['id'] = (ctx['id'] + 1) % 256
807
808 if ctx['num'] == 1:
809 logger.info("Test: Missing payload")
810 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
811 4 + 1,
812 EAP_TYPE_LEAP)
813
814 if ctx['num'] == 2:
815 logger.info("Test: Unexpected version")
816 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
817 4 + 1 + 3,
818 EAP_TYPE_LEAP,
819 0, 0, 0)
820
821 if ctx['num'] == 3:
822 logger.info("Test: Invalid challenge length")
823 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
824 4 + 1 + 3,
825 EAP_TYPE_LEAP,
826 1, 0, 0)
827
828 if ctx['num'] == 4:
829 logger.info("Test: Truncated challenge")
830 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
831 4 + 1 + 3,
832 EAP_TYPE_LEAP,
833 1, 0, 8)
834
835 if ctx['num'] == 5:
836 logger.info("Test: Valid challenge")
837 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
838 4 + 1 + 3 + 8,
839 EAP_TYPE_LEAP,
840 1, 0, 8, 0, 0)
841 if ctx['num'] == 6:
842 logger.info("Test: Missing payload in Response")
843 return struct.pack(">BBHB", EAP_CODE_RESPONSE, ctx['id'],
844 4 + 1,
845 EAP_TYPE_LEAP)
846
847 if ctx['num'] == 7:
848 logger.info("Test: Valid challenge")
849 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
850 4 + 1 + 3 + 8,
851 EAP_TYPE_LEAP,
852 1, 0, 8, 0, 0)
853 if ctx['num'] == 8:
854 logger.info("Test: Unexpected version in Response")
855 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
856 4 + 1 + 3,
857 EAP_TYPE_LEAP,
858 0, 0, 8)
859
860 if ctx['num'] == 9:
861 logger.info("Test: Valid challenge")
862 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
863 4 + 1 + 3 + 8,
864 EAP_TYPE_LEAP,
865 1, 0, 8, 0, 0)
866 if ctx['num'] == 10:
867 logger.info("Test: Invalid challenge length in Response")
868 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
869 4 + 1 + 3,
870 EAP_TYPE_LEAP,
871 1, 0, 0)
872
873 if ctx['num'] == 11:
874 logger.info("Test: Valid challenge")
875 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
876 4 + 1 + 3 + 8,
877 EAP_TYPE_LEAP,
878 1, 0, 8, 0, 0)
879 if ctx['num'] == 12:
880 logger.info("Test: Truncated challenge in Response")
881 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
882 4 + 1 + 3,
883 EAP_TYPE_LEAP,
884 1, 0, 24)
885
886 if ctx['num'] == 13:
887 logger.info("Test: Valid challenge")
888 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
889 4 + 1 + 3 + 8,
890 EAP_TYPE_LEAP,
891 1, 0, 8, 0, 0)
892 if ctx['num'] == 14:
893 logger.info("Test: Invalid challange value in Response")
894 return struct.pack(">BBHBBBB6L", EAP_CODE_RESPONSE, ctx['id'],
895 4 + 1 + 3 + 24,
896 EAP_TYPE_LEAP,
897 1, 0, 24,
898 0, 0, 0, 0, 0, 0)
899
900 if ctx['num'] == 15:
901 logger.info("Test: Valid challenge")
902 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
903 4 + 1 + 3 + 8,
904 EAP_TYPE_LEAP,
905 1, 0, 8, 0, 0)
906 if ctx['num'] == 16:
907 logger.info("Test: Valid challange value in Response")
908 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
909 4 + 1 + 3 + 24,
910 EAP_TYPE_LEAP,
911 1, 0, 24,
912 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
913 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
914 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
915
916 if ctx['num'] == 17:
917 logger.info("Test: Valid challenge")
918 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
919 4 + 1 + 3 + 8,
920 EAP_TYPE_LEAP,
921 1, 0, 8, 0, 0)
922 if ctx['num'] == 18:
923 logger.info("Test: Success")
924 return struct.pack(">BBHB", EAP_CODE_SUCCESS, ctx['id'],
925 4 + 1,
926 EAP_TYPE_LEAP)
927 # hostapd will drop the next frame in the sequence
928
929 if ctx['num'] == 19:
930 logger.info("Test: Valid challenge")
931 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
932 4 + 1 + 3 + 8,
933 EAP_TYPE_LEAP,
934 1, 0, 8, 0, 0)
935 if ctx['num'] == 20:
936 logger.info("Test: Failure")
937 return struct.pack(">BBHB", EAP_CODE_FAILURE, ctx['id'],
938 4 + 1,
939 EAP_TYPE_LEAP)
940
941 return None
942
943 srv = start_radius_server(leap_handler)
944
945 try:
946 hapd = start_ap(apdev[0]['ifname'])
947
948 for i in range(0, 12):
949 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
950 eap="LEAP", identity="user", password="password",
951 wait_connect=False)
952 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
953 if ev is None:
954 raise Exception("Timeout on EAP start")
955 time.sleep(0.1)
956 if i == 10:
957 logger.info("Wait for additional roundtrip")
958 time.sleep(1)
959 dev[0].request("REMOVE_NETWORK all")
960 finally:
961 stop_radius_server(srv)
962
963 def test_eap_proto_leap_errors(dev, apdev):
964 """EAP-LEAP protocol tests (error paths)"""
965 check_eap_capa(dev[0], "LEAP")
966
967 def leap_handler2(ctx, req):
968 logger.info("leap_handler2 - RX " + req.encode("hex"))
969 if 'num' not in ctx:
970 ctx['num'] = 0
971 ctx['num'] = ctx['num'] + 1
972 if 'id' not in ctx:
973 ctx['id'] = 1
974 ctx['id'] = (ctx['id'] + 1) % 256
975 idx = 0
976
977 idx += 1
978 if ctx['num'] == idx:
979 logger.info("Test: Valid challenge")
980 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
981 4 + 1 + 3 + 8,
982 EAP_TYPE_LEAP,
983 1, 0, 8, 0, 0)
984 idx += 1
985 if ctx['num'] == idx:
986 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
987
988 idx += 1
989 if ctx['num'] == idx:
990 logger.info("Test: Valid challenge")
991 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
992 4 + 1 + 3 + 8,
993 EAP_TYPE_LEAP,
994 1, 0, 8, 0, 0)
995
996 idx += 1
997 if ctx['num'] == idx:
998 logger.info("Test: Valid challenge")
999 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1000 4 + 1 + 3 + 8,
1001 EAP_TYPE_LEAP,
1002 1, 0, 8, 0, 0)
1003 idx += 1
1004 if ctx['num'] == idx:
1005 logger.info("Test: Success")
1006 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
1007
1008 idx += 1
1009 if ctx['num'] == idx:
1010 logger.info("Test: Valid challenge")
1011 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1012 4 + 1 + 3 + 8,
1013 EAP_TYPE_LEAP,
1014 1, 0, 8, 0, 0)
1015 idx += 1
1016 if ctx['num'] == idx:
1017 logger.info("Test: Success")
1018 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
1019
1020 idx += 1
1021 if ctx['num'] == idx:
1022 logger.info("Test: Valid challenge")
1023 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1024 4 + 1 + 3 + 8,
1025 EAP_TYPE_LEAP,
1026 1, 0, 8, 0, 0)
1027 idx += 1
1028 if ctx['num'] == idx:
1029 logger.info("Test: Valid challange value in Response")
1030 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1031 4 + 1 + 3 + 24,
1032 EAP_TYPE_LEAP,
1033 1, 0, 24,
1034 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1035 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1036 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1037
1038 idx += 1
1039 if ctx['num'] == idx:
1040 logger.info("Test: Valid challenge")
1041 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1042 4 + 1 + 3 + 8,
1043 EAP_TYPE_LEAP,
1044 1, 0, 8, 0, 0)
1045 idx += 1
1046 if ctx['num'] == idx:
1047 logger.info("Test: Valid challange value in Response")
1048 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1049 4 + 1 + 3 + 24,
1050 EAP_TYPE_LEAP,
1051 1, 0, 24,
1052 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1053 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1054 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1055
1056 idx += 1
1057 if ctx['num'] == idx:
1058 logger.info("Test: Valid challenge")
1059 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1060 4 + 1 + 3 + 8,
1061 EAP_TYPE_LEAP,
1062 1, 0, 8, 0, 0)
1063 idx += 1
1064 if ctx['num'] == idx:
1065 logger.info("Test: Valid challange value in Response")
1066 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1067 4 + 1 + 3 + 24,
1068 EAP_TYPE_LEAP,
1069 1, 0, 24,
1070 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1071 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1072 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1073
1074 idx += 1
1075 if ctx['num'] == idx:
1076 logger.info("Test: Valid challenge")
1077 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1078 4 + 1 + 3 + 8,
1079 EAP_TYPE_LEAP,
1080 1, 0, 8, 0, 0)
1081 idx += 1
1082 if ctx['num'] == idx:
1083 logger.info("Test: Valid challange value in Response")
1084 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1085 4 + 1 + 3 + 24,
1086 EAP_TYPE_LEAP,
1087 1, 0, 24,
1088 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1089 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1090 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1091
1092 idx += 1
1093 if ctx['num'] == idx:
1094 logger.info("Test: Valid challenge")
1095 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1096 4 + 1 + 3 + 8,
1097 EAP_TYPE_LEAP,
1098 1, 0, 8, 0, 0)
1099 idx += 1
1100 if ctx['num'] == idx:
1101 logger.info("Test: Valid challange value in Response")
1102 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1103 4 + 1 + 3 + 24,
1104 EAP_TYPE_LEAP,
1105 1, 0, 24,
1106 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1107 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1108 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1109
1110 idx += 1
1111 if ctx['num'] == idx:
1112 logger.info("Test: Valid challenge")
1113 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1114 4 + 1 + 3 + 8,
1115 EAP_TYPE_LEAP,
1116 1, 0, 8, 0, 0)
1117 idx += 1
1118 if ctx['num'] == idx:
1119 logger.info("Test: Valid challange value in Response")
1120 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1121 4 + 1 + 3 + 24,
1122 EAP_TYPE_LEAP,
1123 1, 0, 24,
1124 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1125 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1126 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1127
1128 idx += 1
1129 if ctx['num'] == idx:
1130 logger.info("Test: Valid challenge")
1131 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1132 4 + 1 + 3 + 8,
1133 EAP_TYPE_LEAP,
1134 1, 0, 8, 0, 0)
1135 idx += 1
1136 if ctx['num'] == idx:
1137 logger.info("Test: Valid challange value in Response")
1138 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1139 4 + 1 + 3 + 24,
1140 EAP_TYPE_LEAP,
1141 1, 0, 24,
1142 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1143 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1144 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1145
1146 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1147
1148 srv = start_radius_server(leap_handler2)
1149
1150 try:
1151 hapd = start_ap(apdev[0]['ifname'])
1152
1153 with alloc_fail(dev[0], 1, "eap_leap_init"):
1154 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1155 eap="LEAP", identity="user", password="password",
1156 wait_connect=False)
1157 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1158 dev[0].request("REMOVE_NETWORK all")
1159 dev[0].wait_disconnected()
1160
1161 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_leap_process_request"):
1162 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1163 eap="LEAP", identity="user",
1164 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1165 wait_connect=False)
1166 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1167 dev[0].request("REMOVE_NETWORK all")
1168 dev[0].wait_disconnected()
1169
1170 with alloc_fail(dev[0], 1, "eap_leap_process_success"):
1171 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1172 eap="LEAP", identity="user", password="password",
1173 wait_connect=False)
1174 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1175 dev[0].request("REMOVE_NETWORK all")
1176 dev[0].wait_disconnected()
1177
1178 with fail_test(dev[0], 1, "os_get_random;eap_leap_process_success"):
1179 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1180 eap="LEAP", identity="user", password="password",
1181 wait_connect=False)
1182 wait_fail_trigger(dev[0], "GET_FAIL")
1183 dev[0].request("REMOVE_NETWORK all")
1184 dev[0].wait_disconnected()
1185
1186 with fail_test(dev[0], 1, "eap_leap_process_response"):
1187 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1188 eap="LEAP", identity="user",
1189 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1190 wait_connect=False)
1191 wait_fail_trigger(dev[0], "GET_FAIL")
1192 dev[0].request("REMOVE_NETWORK all")
1193 dev[0].wait_disconnected()
1194
1195 with fail_test(dev[0], 1, "nt_password_hash;eap_leap_process_response"):
1196 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1197 eap="LEAP", identity="user", password="password",
1198 wait_connect=False)
1199 wait_fail_trigger(dev[0], "GET_FAIL")
1200 dev[0].request("REMOVE_NETWORK all")
1201 dev[0].wait_disconnected()
1202
1203 with fail_test(dev[0], 1, "hash_nt_password_hash;eap_leap_process_response"):
1204 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1205 eap="LEAP", identity="user", password="password",
1206 wait_connect=False)
1207 wait_fail_trigger(dev[0], "GET_FAIL")
1208 dev[0].request("REMOVE_NETWORK all")
1209 dev[0].wait_disconnected()
1210
1211 with alloc_fail(dev[0], 1, "eap_leap_getKey"):
1212 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1213 eap="LEAP", identity="user",
1214 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1215 wait_connect=False)
1216 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1217 dev[0].request("REMOVE_NETWORK all")
1218 dev[0].wait_disconnected()
1219
1220 with fail_test(dev[0], 1, "eap_leap_getKey"):
1221 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1222 eap="LEAP", identity="user",
1223 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1224 wait_connect=False)
1225 wait_fail_trigger(dev[0], "GET_FAIL")
1226 dev[0].request("REMOVE_NETWORK all")
1227 dev[0].wait_disconnected()
1228
1229 with fail_test(dev[0], 1, "nt_password_hash;eap_leap_getKey"):
1230 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1231 eap="LEAP", identity="user", password="password",
1232 wait_connect=False)
1233 wait_fail_trigger(dev[0], "GET_FAIL")
1234 dev[0].request("REMOVE_NETWORK all")
1235 dev[0].wait_disconnected()
1236
1237 with fail_test(dev[0], 1, "hash_nt_password_hash;eap_leap_getKey"):
1238 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1239 eap="LEAP", identity="user", password="password",
1240 wait_connect=False)
1241 wait_fail_trigger(dev[0], "GET_FAIL")
1242 dev[0].request("REMOVE_NETWORK all")
1243 dev[0].wait_disconnected()
1244 finally:
1245 stop_radius_server(srv)
1246
1247 def test_eap_proto_md5(dev, apdev):
1248 """EAP-MD5 protocol tests"""
1249 check_eap_capa(dev[0], "MD5")
1250
1251 def md5_handler(ctx, req):
1252 logger.info("md5_handler - RX " + req.encode("hex"))
1253 if 'num' not in ctx:
1254 ctx['num'] = 0
1255 ctx['num'] = ctx['num'] + 1
1256 if 'id' not in ctx:
1257 ctx['id'] = 1
1258 ctx['id'] = (ctx['id'] + 1) % 256
1259
1260 if ctx['num'] == 1:
1261 logger.info("Test: Missing payload")
1262 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1263 4 + 1,
1264 EAP_TYPE_MD5)
1265
1266 if ctx['num'] == 2:
1267 logger.info("Test: Zero-length challenge")
1268 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1269 4 + 1 + 1,
1270 EAP_TYPE_MD5,
1271 0)
1272
1273 if ctx['num'] == 3:
1274 logger.info("Test: Truncated challenge")
1275 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1276 4 + 1 + 1,
1277 EAP_TYPE_MD5,
1278 1)
1279
1280 if ctx['num'] == 4:
1281 logger.info("Test: Shortest possible challenge and name")
1282 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
1283 4 + 1 + 3,
1284 EAP_TYPE_MD5,
1285 1, 0xaa, ord('n'))
1286
1287 return None
1288
1289 srv = start_radius_server(md5_handler)
1290
1291 try:
1292 hapd = start_ap(apdev[0]['ifname'])
1293
1294 for i in range(0, 4):
1295 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1296 eap="MD5", identity="user", password="password",
1297 wait_connect=False)
1298 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
1299 if ev is None:
1300 raise Exception("Timeout on EAP start")
1301 time.sleep(0.1)
1302 dev[0].request("REMOVE_NETWORK all")
1303 finally:
1304 stop_radius_server(srv)
1305
1306 def test_eap_proto_md5_errors(dev, apdev):
1307 """EAP-MD5 local error cases"""
1308 check_eap_capa(dev[0], "MD5")
1309 params = hostapd.wpa2_eap_params(ssid="eap-test")
1310 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1311
1312 with fail_test(dev[0], 1, "chap_md5"):
1313 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1314 eap="MD5", identity="phase1-user", password="password",
1315 wait_connect=False)
1316 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1317 if ev is None:
1318 raise Exception("Timeout on EAP start")
1319 dev[0].request("REMOVE_NETWORK all")
1320 dev[0].wait_disconnected()
1321
1322 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_md5_process"):
1323 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1324 eap="MD5", identity="phase1-user", password="password",
1325 wait_connect=False)
1326 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1327 if ev is None:
1328 raise Exception("Timeout on EAP start")
1329 time.sleep(0.1)
1330 dev[0].request("REMOVE_NETWORK all")
1331
1332 def test_eap_proto_otp(dev, apdev):
1333 """EAP-OTP protocol tests"""
1334 def otp_handler(ctx, req):
1335 logger.info("otp_handler - RX " + req.encode("hex"))
1336 if 'num' not in ctx:
1337 ctx['num'] = 0
1338 ctx['num'] = ctx['num'] + 1
1339 if 'id' not in ctx:
1340 ctx['id'] = 1
1341 ctx['id'] = (ctx['id'] + 1) % 256
1342
1343 if ctx['num'] == 1:
1344 logger.info("Test: Empty payload")
1345 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1346 4 + 1,
1347 EAP_TYPE_OTP)
1348 if ctx['num'] == 2:
1349 logger.info("Test: Success")
1350 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'],
1351 4)
1352
1353 if ctx['num'] == 3:
1354 logger.info("Test: Challenge included")
1355 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1356 4 + 1 + 1,
1357 EAP_TYPE_OTP,
1358 ord('A'))
1359 if ctx['num'] == 4:
1360 logger.info("Test: Success")
1361 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'],
1362 4)
1363
1364 return None
1365
1366 srv = start_radius_server(otp_handler)
1367
1368 try:
1369 hapd = start_ap(apdev[0]['ifname'])
1370
1371 for i in range(0, 1):
1372 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1373 eap="OTP", identity="user", password="password",
1374 wait_connect=False)
1375 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1376 timeout=15)
1377 if ev is None:
1378 raise Exception("Timeout on EAP start")
1379 time.sleep(0.1)
1380 dev[0].request("REMOVE_NETWORK all")
1381
1382 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1383 eap="OTP", identity="user", wait_connect=False)
1384 ev = dev[0].wait_event(["CTRL-REQ-OTP"])
1385 if ev is None:
1386 raise Exception("Request for password timed out")
1387 id = ev.split(':')[0].split('-')[-1]
1388 dev[0].request("CTRL-RSP-OTP-" + id + ":password")
1389 ev = dev[0].wait_event("CTRL-EVENT-EAP-SUCCESS")
1390 if ev is None:
1391 raise Exception("Success not reported")
1392 finally:
1393 stop_radius_server(srv)
1394
1395 EAP_GPSK_OPCODE_GPSK_1 = 1
1396 EAP_GPSK_OPCODE_GPSK_2 = 2
1397 EAP_GPSK_OPCODE_GPSK_3 = 3
1398 EAP_GPSK_OPCODE_GPSK_4 = 4
1399 EAP_GPSK_OPCODE_FAIL = 5
1400 EAP_GPSK_OPCODE_PROTECTED_FAIL = 6
1401
1402 def test_eap_proto_gpsk(dev, apdev):
1403 """EAP-GPSK protocol tests"""
1404 def gpsk_handler(ctx, req):
1405 logger.info("gpsk_handler - RX " + req.encode("hex"))
1406 if 'num' not in ctx:
1407 ctx['num'] = 0
1408 ctx['num'] = ctx['num'] + 1
1409 if 'id' not in ctx:
1410 ctx['id'] = 1
1411 ctx['id'] = (ctx['id'] + 1) % 256
1412
1413 idx = 0
1414
1415 idx += 1
1416 if ctx['num'] == idx:
1417 logger.info("Test: Missing payload")
1418 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1419 4 + 1,
1420 EAP_TYPE_GPSK)
1421
1422 idx += 1
1423 if ctx['num'] == idx:
1424 logger.info("Test: Unknown opcode")
1425 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1426 4 + 1 + 1,
1427 EAP_TYPE_GPSK,
1428 255)
1429
1430 idx += 1
1431 if ctx['num'] == idx:
1432 logger.info("Test: Unexpected GPSK-3")
1433 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1434 4 + 1 + 1,
1435 EAP_TYPE_GPSK,
1436 EAP_GPSK_OPCODE_GPSK_3)
1437
1438 idx += 1
1439 if ctx['num'] == idx:
1440 logger.info("Test: GPSK-1 Too short GPSK-1")
1441 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1442 4 + 1 + 1,
1443 EAP_TYPE_GPSK,
1444 EAP_GPSK_OPCODE_GPSK_1)
1445
1446 idx += 1
1447 if ctx['num'] == idx:
1448 logger.info("Test: GPSK-1 Truncated ID_Server")
1449 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
1450 4 + 1 + 1 + 2,
1451 EAP_TYPE_GPSK,
1452 EAP_GPSK_OPCODE_GPSK_1, 1)
1453
1454 idx += 1
1455 if ctx['num'] == idx:
1456 logger.info("Test: GPSK-1 Missing RAND_Server")
1457 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
1458 4 + 1 + 1 + 2,
1459 EAP_TYPE_GPSK,
1460 EAP_GPSK_OPCODE_GPSK_1, 0)
1461
1462 idx += 1
1463 if ctx['num'] == idx:
1464 logger.info("Test: GPSK-1 Missing CSuite_List")
1465 return struct.pack(">BBHBBH8L", EAP_CODE_REQUEST, ctx['id'],
1466 4 + 1 + 1 + 2 + 32,
1467 EAP_TYPE_GPSK,
1468 EAP_GPSK_OPCODE_GPSK_1, 0,
1469 0, 0, 0, 0, 0, 0, 0, 0)
1470
1471 idx += 1
1472 if ctx['num'] == idx:
1473 logger.info("Test: GPSK-1 Truncated CSuite_List")
1474 return struct.pack(">BBHBBH8LH", EAP_CODE_REQUEST, ctx['id'],
1475 4 + 1 + 1 + 2 + 32 + 2,
1476 EAP_TYPE_GPSK,
1477 EAP_GPSK_OPCODE_GPSK_1, 0,
1478 0, 0, 0, 0, 0, 0, 0, 0,
1479 1)
1480
1481 idx += 1
1482 if ctx['num'] == idx:
1483 logger.info("Test: GPSK-1 Empty CSuite_List")
1484 return struct.pack(">BBHBBH8LH", EAP_CODE_REQUEST, ctx['id'],
1485 4 + 1 + 1 + 2 + 32 + 2,
1486 EAP_TYPE_GPSK,
1487 EAP_GPSK_OPCODE_GPSK_1, 0,
1488 0, 0, 0, 0, 0, 0, 0, 0,
1489 0)
1490
1491 idx += 1
1492 if ctx['num'] == idx:
1493 logger.info("Test: GPSK-1 Invalid CSuite_List")
1494 return struct.pack(">BBHBBH8LHB", EAP_CODE_REQUEST, ctx['id'],
1495 4 + 1 + 1 + 2 + 32 + 2 + 1,
1496 EAP_TYPE_GPSK,
1497 EAP_GPSK_OPCODE_GPSK_1, 0,
1498 0, 0, 0, 0, 0, 0, 0, 0,
1499 1, 0)
1500
1501 idx += 1
1502 if ctx['num'] == idx:
1503 logger.info("Test: GPSK-1 No supported CSuite")
1504 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1505 4 + 1 + 1 + 2 + 32 + 2 + 6,
1506 EAP_TYPE_GPSK,
1507 EAP_GPSK_OPCODE_GPSK_1, 0,
1508 0, 0, 0, 0, 0, 0, 0, 0,
1509 6, 0, 0)
1510
1511 idx += 1
1512 if ctx['num'] == idx:
1513 logger.info("Test: GPSK-1 Supported CSuite")
1514 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1515 4 + 1 + 1 + 2 + 32 + 2 + 6,
1516 EAP_TYPE_GPSK,
1517 EAP_GPSK_OPCODE_GPSK_1, 0,
1518 0, 0, 0, 0, 0, 0, 0, 0,
1519 6, 0, 1)
1520 idx += 1
1521 if ctx['num'] == idx:
1522 logger.info("Test: Unexpected GPSK-1")
1523 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1524 4 + 1 + 1 + 2 + 32 + 2 + 6,
1525 EAP_TYPE_GPSK,
1526 EAP_GPSK_OPCODE_GPSK_1, 0,
1527 0, 0, 0, 0, 0, 0, 0, 0,
1528 6, 0, 1)
1529
1530 idx += 1
1531 if ctx['num'] == idx:
1532 logger.info("Test: GPSK-1 Supported CSuite but too short key")
1533 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1534 4 + 1 + 1 + 2 + 32 + 2 + 6,
1535 EAP_TYPE_GPSK,
1536 EAP_GPSK_OPCODE_GPSK_1, 0,
1537 0, 0, 0, 0, 0, 0, 0, 0,
1538 6, 0, 1)
1539
1540 idx += 1
1541 if ctx['num'] == idx:
1542 logger.info("Test: GPSK-1 Supported CSuite")
1543 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1544 4 + 1 + 1 + 2 + 32 + 2 + 6,
1545 EAP_TYPE_GPSK,
1546 EAP_GPSK_OPCODE_GPSK_1, 0,
1547 0, 0, 0, 0, 0, 0, 0, 0,
1548 6, 0, 1)
1549 idx += 1
1550 if ctx['num'] == idx:
1551 logger.info("Test: Too short GPSK-3")
1552 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1553 4 + 1 + 1,
1554 EAP_TYPE_GPSK,
1555 EAP_GPSK_OPCODE_GPSK_3)
1556
1557 idx += 1
1558 if ctx['num'] == idx:
1559 logger.info("Test: GPSK-1 Supported CSuite")
1560 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1561 4 + 1 + 1 + 2 + 32 + 2 + 6,
1562 EAP_TYPE_GPSK,
1563 EAP_GPSK_OPCODE_GPSK_1, 0,
1564 0, 0, 0, 0, 0, 0, 0, 0,
1565 6, 0, 1)
1566 idx += 1
1567 if ctx['num'] == idx:
1568 logger.info("Test: GPSK-3 Mismatch in RAND_Peer")
1569 return struct.pack(">BBHBB8L", EAP_CODE_REQUEST, ctx['id'],
1570 4 + 1 + 1 + 32,
1571 EAP_TYPE_GPSK,
1572 EAP_GPSK_OPCODE_GPSK_3,
1573 0, 0, 0, 0, 0, 0, 0, 0)
1574
1575 idx += 1
1576 if ctx['num'] == idx:
1577 logger.info("Test: GPSK-1 Supported CSuite")
1578 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1579 4 + 1 + 1 + 2 + 32 + 2 + 6,
1580 EAP_TYPE_GPSK,
1581 EAP_GPSK_OPCODE_GPSK_1, 0,
1582 0, 0, 0, 0, 0, 0, 0, 0,
1583 6, 0, 1)
1584 idx += 1
1585 if ctx['num'] == idx:
1586 logger.info("Test: GPSK-3 Missing RAND_Server")
1587 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1588 4 + 1 + 1 + 32,
1589 EAP_TYPE_GPSK,
1590 EAP_GPSK_OPCODE_GPSK_3)
1591 msg += req[14:46]
1592 return msg
1593
1594 idx += 1
1595 if ctx['num'] == idx:
1596 logger.info("Test: GPSK-1 Supported CSuite")
1597 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1598 4 + 1 + 1 + 2 + 32 + 2 + 6,
1599 EAP_TYPE_GPSK,
1600 EAP_GPSK_OPCODE_GPSK_1, 0,
1601 0, 0, 0, 0, 0, 0, 0, 0,
1602 6, 0, 1)
1603 idx += 1
1604 if ctx['num'] == idx:
1605 logger.info("Test: GPSK-3 Mismatch in RAND_Server")
1606 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1607 4 + 1 + 1 + 32 + 32,
1608 EAP_TYPE_GPSK,
1609 EAP_GPSK_OPCODE_GPSK_3)
1610 msg += req[14:46]
1611 msg += struct.pack(">8L", 1, 1, 1, 1, 1, 1, 1, 1)
1612 return msg
1613
1614 idx += 1
1615 if ctx['num'] == idx:
1616 logger.info("Test: GPSK-1 Supported CSuite")
1617 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1618 4 + 1 + 1 + 2 + 32 + 2 + 6,
1619 EAP_TYPE_GPSK,
1620 EAP_GPSK_OPCODE_GPSK_1, 0,
1621 0, 0, 0, 0, 0, 0, 0, 0,
1622 6, 0, 1)
1623 idx += 1
1624 if ctx['num'] == idx:
1625 logger.info("Test: GPSK-3 Missing ID_Server")
1626 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1627 4 + 1 + 1 + 32 + 32,
1628 EAP_TYPE_GPSK,
1629 EAP_GPSK_OPCODE_GPSK_3)
1630 msg += req[14:46]
1631 msg += struct.pack(">8L", 0, 0, 0, 0, 0, 0, 0, 0)
1632 return msg
1633
1634 idx += 1
1635 if ctx['num'] == idx:
1636 logger.info("Test: GPSK-1 Supported CSuite")
1637 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1638 4 + 1 + 1 + 2 + 32 + 2 + 6,
1639 EAP_TYPE_GPSK,
1640 EAP_GPSK_OPCODE_GPSK_1, 0,
1641 0, 0, 0, 0, 0, 0, 0, 0,
1642 6, 0, 1)
1643 idx += 1
1644 if ctx['num'] == idx:
1645 logger.info("Test: GPSK-3 Truncated ID_Server")
1646 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1647 4 + 1 + 1 + 32 + 32 + 2,
1648 EAP_TYPE_GPSK,
1649 EAP_GPSK_OPCODE_GPSK_3)
1650 msg += req[14:46]
1651 msg += struct.pack(">8LH", 0, 0, 0, 0, 0, 0, 0, 0, 1)
1652 return msg
1653
1654 idx += 1
1655 if ctx['num'] == idx:
1656 logger.info("Test: GPSK-1 Supported CSuite")
1657 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1658 4 + 1 + 1 + 2 + 32 + 2 + 6,
1659 EAP_TYPE_GPSK,
1660 EAP_GPSK_OPCODE_GPSK_1, 0,
1661 0, 0, 0, 0, 0, 0, 0, 0,
1662 6, 0, 1)
1663 idx += 1
1664 if ctx['num'] == idx:
1665 logger.info("Test: GPSK-3 Mismatch in ID_Server")
1666 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1667 4 + 1 + 1 + 32 + 32 + 3,
1668 EAP_TYPE_GPSK,
1669 EAP_GPSK_OPCODE_GPSK_3)
1670 msg += req[14:46]
1671 msg += struct.pack(">8LHB", 0, 0, 0, 0, 0, 0, 0, 0, 1, ord('B'))
1672 return msg
1673
1674 idx += 1
1675 if ctx['num'] == idx:
1676 logger.info("Test: GPSK-1 Supported CSuite")
1677 return struct.pack(">BBHBBHB8LHLH", EAP_CODE_REQUEST, ctx['id'],
1678 4 + 1 + 1 + 3 + 32 + 2 + 6,
1679 EAP_TYPE_GPSK,
1680 EAP_GPSK_OPCODE_GPSK_1, 1, ord('A'),
1681 0, 0, 0, 0, 0, 0, 0, 0,
1682 6, 0, 1)
1683 idx += 1
1684 if ctx['num'] == idx:
1685 logger.info("Test: GPSK-3 Mismatch in ID_Server (same length)")
1686 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1687 4 + 1 + 1 + 32 + 32 + 3,
1688 EAP_TYPE_GPSK,
1689 EAP_GPSK_OPCODE_GPSK_3)
1690 msg += req[15:47]
1691 msg += struct.pack(">8LHB", 0, 0, 0, 0, 0, 0, 0, 0, 1, ord('B'))
1692 return msg
1693
1694 idx += 1
1695 if ctx['num'] == idx:
1696 logger.info("Test: GPSK-1 Supported CSuite")
1697 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1698 4 + 1 + 1 + 2 + 32 + 2 + 6,
1699 EAP_TYPE_GPSK,
1700 EAP_GPSK_OPCODE_GPSK_1, 0,
1701 0, 0, 0, 0, 0, 0, 0, 0,
1702 6, 0, 1)
1703 idx += 1
1704 if ctx['num'] == idx:
1705 logger.info("Test: GPSK-3 Missing CSuite_Sel")
1706 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1707 4 + 1 + 1 + 32 + 32 + 2,
1708 EAP_TYPE_GPSK,
1709 EAP_GPSK_OPCODE_GPSK_3)
1710 msg += req[14:46]
1711 msg += struct.pack(">8LH", 0, 0, 0, 0, 0, 0, 0, 0, 0)
1712 return msg
1713
1714 idx += 1
1715 if ctx['num'] == idx:
1716 logger.info("Test: GPSK-1 Supported CSuite")
1717 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1718 4 + 1 + 1 + 2 + 32 + 2 + 6,
1719 EAP_TYPE_GPSK,
1720 EAP_GPSK_OPCODE_GPSK_1, 0,
1721 0, 0, 0, 0, 0, 0, 0, 0,
1722 6, 0, 1)
1723 idx += 1
1724 if ctx['num'] == idx:
1725 logger.info("Test: GPSK-3 Mismatch in CSuite_Sel")
1726 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1727 4 + 1 + 1 + 32 + 32 + 2 + 6,
1728 EAP_TYPE_GPSK,
1729 EAP_GPSK_OPCODE_GPSK_3)
1730 msg += req[14:46]
1731 msg += struct.pack(">8LHLH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2)
1732 return msg
1733
1734 idx += 1
1735 if ctx['num'] == idx:
1736 logger.info("Test: GPSK-1 Supported CSuite")
1737 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1738 4 + 1 + 1 + 2 + 32 + 2 + 6,
1739 EAP_TYPE_GPSK,
1740 EAP_GPSK_OPCODE_GPSK_1, 0,
1741 0, 0, 0, 0, 0, 0, 0, 0,
1742 6, 0, 1)
1743 idx += 1
1744 if ctx['num'] == idx:
1745 logger.info("Test: GPSK-3 Missing len(PD_Payload_Block)")
1746 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1747 4 + 1 + 1 + 32 + 32 + 2 + 6,
1748 EAP_TYPE_GPSK,
1749 EAP_GPSK_OPCODE_GPSK_3)
1750 msg += req[14:46]
1751 msg += struct.pack(">8LHLH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1)
1752 return msg
1753
1754 idx += 1
1755 if ctx['num'] == idx:
1756 logger.info("Test: GPSK-1 Supported CSuite")
1757 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1758 4 + 1 + 1 + 2 + 32 + 2 + 6,
1759 EAP_TYPE_GPSK,
1760 EAP_GPSK_OPCODE_GPSK_1, 0,
1761 0, 0, 0, 0, 0, 0, 0, 0,
1762 6, 0, 1)
1763 idx += 1
1764 if ctx['num'] == idx:
1765 logger.info("Test: GPSK-3 Truncated PD_Payload_Block")
1766 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1767 4 + 1 + 1 + 32 + 32 + 2 + 6 + 2,
1768 EAP_TYPE_GPSK,
1769 EAP_GPSK_OPCODE_GPSK_3)
1770 msg += req[14:46]
1771 msg += struct.pack(">8LHLHH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1)
1772 return msg
1773
1774 idx += 1
1775 if ctx['num'] == idx:
1776 logger.info("Test: GPSK-1 Supported CSuite")
1777 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1778 4 + 1 + 1 + 2 + 32 + 2 + 6,
1779 EAP_TYPE_GPSK,
1780 EAP_GPSK_OPCODE_GPSK_1, 0,
1781 0, 0, 0, 0, 0, 0, 0, 0,
1782 6, 0, 1)
1783 idx += 1
1784 if ctx['num'] == idx:
1785 logger.info("Test: GPSK-3 Missing MAC")
1786 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1787 4 + 1 + 1 + 32 + 32 + 2 + 6 + 3,
1788 EAP_TYPE_GPSK,
1789 EAP_GPSK_OPCODE_GPSK_3)
1790 msg += req[14:46]
1791 msg += struct.pack(">8LHLHHB",
1792 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 123)
1793 return msg
1794
1795 idx += 1
1796 if ctx['num'] == idx:
1797 logger.info("Test: GPSK-1 Supported CSuite")
1798 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1799 4 + 1 + 1 + 2 + 32 + 2 + 6,
1800 EAP_TYPE_GPSK,
1801 EAP_GPSK_OPCODE_GPSK_1, 0,
1802 0, 0, 0, 0, 0, 0, 0, 0,
1803 6, 0, 1)
1804 idx += 1
1805 if ctx['num'] == idx:
1806 logger.info("Test: GPSK-3 Incorrect MAC")
1807 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1808 4 + 1 + 1 + 32 + 32 + 2 + 6 + 3 + 16,
1809 EAP_TYPE_GPSK,
1810 EAP_GPSK_OPCODE_GPSK_3)
1811 msg += req[14:46]
1812 msg += struct.pack(">8LHLHHB4L",
1813 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 123,
1814 0, 0, 0, 0)
1815 return msg
1816
1817 return None
1818
1819 srv = start_radius_server(gpsk_handler)
1820
1821 try:
1822 hapd = start_ap(apdev[0]['ifname'])
1823
1824 for i in range(0, 27):
1825 if i == 12:
1826 pw = "short"
1827 else:
1828 pw = "abcdefghijklmnop0123456789abcdef"
1829 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1830 eap="GPSK", identity="user", password=pw,
1831 wait_connect=False)
1832 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1833 timeout=15)
1834 if ev is None:
1835 raise Exception("Timeout on EAP start")
1836 time.sleep(0.05)
1837 dev[0].request("REMOVE_NETWORK all")
1838 finally:
1839 stop_radius_server(srv)
1840
1841 EAP_EKE_ID = 1
1842 EAP_EKE_COMMIT = 2
1843 EAP_EKE_CONFIRM = 3
1844 EAP_EKE_FAILURE = 4
1845
1846 def test_eap_proto_eke(dev, apdev):
1847 """EAP-EKE protocol tests"""
1848 def eke_handler(ctx, req):
1849 logger.info("eke_handler - RX " + req.encode("hex"))
1850 if 'num' not in ctx:
1851 ctx['num'] = 0
1852 ctx['num'] = ctx['num'] + 1
1853 if 'id' not in ctx:
1854 ctx['id'] = 1
1855 ctx['id'] = (ctx['id'] + 1) % 256
1856
1857 idx = 0
1858
1859 idx += 1
1860 if ctx['num'] == idx:
1861 logger.info("Test: Missing payload")
1862 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1863 4 + 1,
1864 EAP_TYPE_EKE)
1865
1866 idx += 1
1867 if ctx['num'] == idx:
1868 logger.info("Test: Unknown exchange")
1869 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1870 4 + 1 + 1,
1871 EAP_TYPE_EKE,
1872 255)
1873
1874 idx += 1
1875 if ctx['num'] == idx:
1876 logger.info("Test: No NumProposals in EAP-EKE-ID/Request")
1877 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1878 4 + 1 + 1,
1879 EAP_TYPE_EKE,
1880 EAP_EKE_ID)
1881 idx += 1
1882 if ctx['num'] == idx:
1883 logger.info("Test: EAP-Failure")
1884 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1885
1886 idx += 1
1887 if ctx['num'] == idx:
1888 logger.info("Test: NumProposals=0 in EAP-EKE-ID/Request")
1889 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
1890 4 + 1 + 1 + 1,
1891 EAP_TYPE_EKE,
1892 EAP_EKE_ID,
1893 0)
1894 idx += 1
1895 if ctx['num'] == idx:
1896 logger.info("Test: EAP-Failure")
1897 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1898
1899 idx += 1
1900 if ctx['num'] == idx:
1901 logger.info("Test: Truncated Proposals list in EAP-EKE-ID/Request")
1902 return struct.pack(">BBHBBBB4B", EAP_CODE_REQUEST, ctx['id'],
1903 4 + 1 + 1 + 2 + 4,
1904 EAP_TYPE_EKE,
1905 EAP_EKE_ID,
1906 2, 0, 0, 0, 0, 0)
1907 idx += 1
1908 if ctx['num'] == idx:
1909 logger.info("Test: EAP-Failure")
1910 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1911
1912 idx += 1
1913 if ctx['num'] == idx:
1914 logger.info("Test: Unsupported proposals in EAP-EKE-ID/Request")
1915 return struct.pack(">BBHBBBB4B4B4B4B", EAP_CODE_REQUEST, ctx['id'],
1916 4 + 1 + 1 + 2 + 4 * 4,
1917 EAP_TYPE_EKE,
1918 EAP_EKE_ID,
1919 4, 0,
1920 0, 0, 0, 0,
1921 3, 0, 0, 0,
1922 3, 1, 0, 0,
1923 3, 1, 1, 0)
1924 idx += 1
1925 if ctx['num'] == idx:
1926 logger.info("Test: EAP-Failure")
1927 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1928
1929 idx += 1
1930 if ctx['num'] == idx:
1931 logger.info("Test: Missing IDType/Identity in EAP-EKE-ID/Request")
1932 return struct.pack(">BBHBBBB4B4B4B4B4B",
1933 EAP_CODE_REQUEST, ctx['id'],
1934 4 + 1 + 1 + 2 + 5 * 4,
1935 EAP_TYPE_EKE,
1936 EAP_EKE_ID,
1937 5, 0,
1938 0, 0, 0, 0,
1939 3, 0, 0, 0,
1940 3, 1, 0, 0,
1941 3, 1, 1, 0,
1942 3, 1, 1, 1)
1943 idx += 1
1944 if ctx['num'] == idx:
1945 logger.info("Test: EAP-Failure")
1946 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1947
1948 idx += 1
1949 if ctx['num'] == idx:
1950 logger.info("Test: Valid EAP-EKE-ID/Request")
1951 return struct.pack(">BBHBBBB4BB",
1952 EAP_CODE_REQUEST, ctx['id'],
1953 4 + 1 + 1 + 2 + 4 + 1,
1954 EAP_TYPE_EKE,
1955 EAP_EKE_ID,
1956 1, 0,
1957 3, 1, 1, 1,
1958 255)
1959 idx += 1
1960 if ctx['num'] == idx:
1961 logger.info("Test: Unexpected EAP-EKE-ID/Request")
1962 return struct.pack(">BBHBBBB4BB",
1963 EAP_CODE_REQUEST, ctx['id'],
1964 4 + 1 + 1 + 2 + 4 + 1,
1965 EAP_TYPE_EKE,
1966 EAP_EKE_ID,
1967 1, 0,
1968 3, 1, 1, 1,
1969 255)
1970 idx += 1
1971 if ctx['num'] == idx:
1972 logger.info("Test: EAP-Failure")
1973 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1974
1975 idx += 1
1976 if ctx['num'] == idx:
1977 logger.info("Test: Valid EAP-EKE-ID/Request")
1978 return struct.pack(">BBHBBBB4BB",
1979 EAP_CODE_REQUEST, ctx['id'],
1980 4 + 1 + 1 + 2 + 4 + 1,
1981 EAP_TYPE_EKE,
1982 EAP_EKE_ID,
1983 1, 0,
1984 3, 1, 1, 1,
1985 255)
1986 idx += 1
1987 if ctx['num'] == idx:
1988 logger.info("Test: Unexpected EAP-EKE-Confirm/Request")
1989 return struct.pack(">BBHBB",
1990 EAP_CODE_REQUEST, ctx['id'],
1991 4 + 1 + 1,
1992 EAP_TYPE_EKE,
1993 EAP_EKE_CONFIRM)
1994 idx += 1
1995 if ctx['num'] == idx:
1996 logger.info("Test: EAP-Failure")
1997 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1998
1999 idx += 1
2000 if ctx['num'] == idx:
2001 logger.info("Test: Too short EAP-EKE-Failure/Request")
2002 return struct.pack(">BBHBB",
2003 EAP_CODE_REQUEST, ctx['id'],
2004 4 + 1 + 1,
2005 EAP_TYPE_EKE,
2006 EAP_EKE_FAILURE)
2007 idx += 1
2008 if ctx['num'] == idx:
2009 logger.info("Test: EAP-Failure")
2010 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2011
2012 idx += 1
2013 if ctx['num'] == idx:
2014 logger.info("Test: Unexpected EAP-EKE-Commit/Request")
2015 return struct.pack(">BBHBB",
2016 EAP_CODE_REQUEST, ctx['id'],
2017 4 + 1 + 1,
2018 EAP_TYPE_EKE,
2019 EAP_EKE_COMMIT)
2020 idx += 1
2021 if ctx['num'] == idx:
2022 logger.info("Test: EAP-Failure")
2023 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2024
2025 idx += 1
2026 if ctx['num'] == idx:
2027 logger.info("Test: Valid EAP-EKE-ID/Request")
2028 return struct.pack(">BBHBBBB4BB",
2029 EAP_CODE_REQUEST, ctx['id'],
2030 4 + 1 + 1 + 2 + 4 + 1,
2031 EAP_TYPE_EKE,
2032 EAP_EKE_ID,
2033 1, 0,
2034 3, 1, 1, 1,
2035 255)
2036 idx += 1
2037 if ctx['num'] == idx:
2038 logger.info("Test: Too short EAP-EKE-Commit/Request")
2039 return struct.pack(">BBHBB",
2040 EAP_CODE_REQUEST, ctx['id'],
2041 4 + 1 + 1,
2042 EAP_TYPE_EKE,
2043 EAP_EKE_COMMIT)
2044 idx += 1
2045 if ctx['num'] == idx:
2046 logger.info("Test: EAP-Failure")
2047 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2048
2049 idx += 1
2050 if ctx['num'] == idx:
2051 logger.info("Test: Valid EAP-EKE-ID/Request")
2052 return struct.pack(">BBHBBBB4BB",
2053 EAP_CODE_REQUEST, ctx['id'],
2054 4 + 1 + 1 + 2 + 4 + 1,
2055 EAP_TYPE_EKE,
2056 EAP_EKE_ID,
2057 1, 0,
2058 1, 1, 1, 1,
2059 255)
2060 idx += 1
2061 if ctx['num'] == idx:
2062 logger.info("Test: All zeroes DHComponent_S and empty CBvalue in EAP-EKE-Commit/Request")
2063 return struct.pack(">BBHBB4L32L",
2064 EAP_CODE_REQUEST, ctx['id'],
2065 4 + 1 + 1 + 16 + 128,
2066 EAP_TYPE_EKE,
2067 EAP_EKE_COMMIT,
2068 0, 0, 0, 0,
2069 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2070 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2071 idx += 1
2072 if ctx['num'] == idx:
2073 logger.info("Test: Too short EAP-EKE-Confirm/Request")
2074 return struct.pack(">BBHBB",
2075 EAP_CODE_REQUEST, ctx['id'],
2076 4 + 1 + 1,
2077 EAP_TYPE_EKE,
2078 EAP_EKE_CONFIRM)
2079 idx += 1
2080 if ctx['num'] == idx:
2081 logger.info("Test: EAP-Failure")
2082 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2083
2084 idx += 1
2085 if ctx['num'] == idx:
2086 logger.info("Test: Valid EAP-EKE-ID/Request")
2087 return struct.pack(">BBHBBBB4BB",
2088 EAP_CODE_REQUEST, ctx['id'],
2089 4 + 1 + 1 + 2 + 4 + 1,
2090 EAP_TYPE_EKE,
2091 EAP_EKE_ID,
2092 1, 0,
2093 1, 1, 1, 1,
2094 255)
2095 idx += 1
2096 if ctx['num'] == idx:
2097 logger.info("Test: All zeroes DHComponent_S and empty CBvalue in EAP-EKE-Commit/Request")
2098 return struct.pack(">BBHBB4L32L",
2099 EAP_CODE_REQUEST, ctx['id'],
2100 4 + 1 + 1 + 16 + 128,
2101 EAP_TYPE_EKE,
2102 EAP_EKE_COMMIT,
2103 0, 0, 0, 0,
2104 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2106 idx += 1
2107 if ctx['num'] == idx:
2108 logger.info("Test: Invalid PNonce_PS and Auth_S values in EAP-EKE-Confirm/Request")
2109 return struct.pack(">BBHBB4L8L5L5L",
2110 EAP_CODE_REQUEST, ctx['id'],
2111 4 + 1 + 1 + 16 + 2 * 16 + 20 + 20,
2112 EAP_TYPE_EKE,
2113 EAP_EKE_CONFIRM,
2114 0, 0, 0, 0,
2115 0, 0, 0, 0, 0, 0, 0, 0,
2116 0, 0, 0, 0, 0,
2117 0, 0, 0, 0, 0)
2118 idx += 1
2119 if ctx['num'] == idx:
2120 logger.info("Test: EAP-Failure")
2121 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2122
2123 return None
2124
2125 srv = start_radius_server(eke_handler)
2126
2127 try:
2128 hapd = start_ap(apdev[0]['ifname'])
2129
2130 for i in range(0, 14):
2131 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2132 eap="EKE", identity="user", password="password",
2133 wait_connect=False)
2134 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2135 timeout=15)
2136 if ev is None:
2137 raise Exception("Timeout on EAP start")
2138 if i in [ 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 ]:
2139 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
2140 timeout=10)
2141 if ev is None:
2142 raise Exception("Timeout on EAP failure")
2143 else:
2144 time.sleep(0.05)
2145 dev[0].request("REMOVE_NETWORK all")
2146 dev[0].dump_monitor()
2147 finally:
2148 stop_radius_server(srv)
2149
2150 def eap_eke_test_fail(dev, phase1=None, success=False):
2151 dev.connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2152 eap="EKE", identity="eke user", password="hello",
2153 phase1=phase1, erp="1", wait_connect=False)
2154 ev = dev.wait_event([ "CTRL-EVENT-EAP-FAILURE",
2155 "CTRL-EVENT-EAP-SUCCESS" ], timeout=5)
2156 if ev is None:
2157 raise Exception("Timeout on EAP failure")
2158 if not success and "CTRL-EVENT-EAP-FAILURE" not in ev:
2159 raise Exception("EAP did not fail during failure test")
2160 dev.request("REMOVE_NETWORK all")
2161 dev.wait_disconnected()
2162
2163 def test_eap_proto_eke_errors(dev, apdev):
2164 """EAP-EKE local error cases"""
2165 check_eap_capa(dev[0], "EKE")
2166 params = hostapd.wpa2_eap_params(ssid="eap-test")
2167 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2168
2169 for i in range(1, 3):
2170 with alloc_fail(dev[0], i, "eap_eke_init"):
2171 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2172 eap="EKE", identity="eke user", password="hello",
2173 wait_connect=False)
2174 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
2175 timeout=15)
2176 if ev is None:
2177 raise Exception("Timeout on EAP start")
2178 dev[0].request("REMOVE_NETWORK all")
2179 dev[0].wait_disconnected()
2180
2181 tests = [ (1, "eap_eke_dh_init", None),
2182 (1, "eap_eke_prf_hmac_sha1", "dhgroup=3 encr=1 prf=1 mac=1"),
2183 (1, "eap_eke_prf_hmac_sha256", "dhgroup=5 encr=1 prf=2 mac=2"),
2184 (1, "eap_eke_prf", None),
2185 (1, "os_get_random;eap_eke_dhcomp", None),
2186 (1, "aes_128_cbc_encrypt;eap_eke_dhcomp", None),
2187 (1, "aes_128_cbc_decrypt;eap_eke_shared_secret", None),
2188 (1, "eap_eke_prf;eap_eke_shared_secret", None),
2189 (1, "eap_eke_prfplus;eap_eke_derive_ke_ki", None),
2190 (1, "eap_eke_prfplus;eap_eke_derive_ka", None),
2191 (1, "eap_eke_prfplus;eap_eke_derive_msk", None),
2192 (1, "os_get_random;eap_eke_prot", None),
2193 (1, "aes_128_cbc_decrypt;eap_eke_decrypt_prot", None),
2194 (1, "eap_eke_derive_key;eap_eke_process_commit", None),
2195 (1, "eap_eke_dh_init;eap_eke_process_commit", None),
2196 (1, "eap_eke_shared_secret;eap_eke_process_commit", None),
2197 (1, "eap_eke_derive_ke_ki;eap_eke_process_commit", None),
2198 (1, "eap_eke_dhcomp;eap_eke_process_commit", None),
2199 (1, "os_get_random;eap_eke_process_commit", None),
2200 (1, "os_get_random;=eap_eke_process_commit", None),
2201 (1, "eap_eke_prot;eap_eke_process_commit", None),
2202 (1, "eap_eke_decrypt_prot;eap_eke_process_confirm", None),
2203 (1, "eap_eke_derive_ka;eap_eke_process_confirm", None),
2204 (1, "eap_eke_auth;eap_eke_process_confirm", None),
2205 (2, "eap_eke_auth;eap_eke_process_confirm", None),
2206 (1, "eap_eke_prot;eap_eke_process_confirm", None),
2207 (1, "eap_eke_derive_msk;eap_eke_process_confirm", None) ]
2208 for count, func, phase1 in tests:
2209 with fail_test(dev[0], count, func):
2210 eap_eke_test_fail(dev[0], phase1)
2211
2212 tests = [ (1, "=eap_eke_derive_ke_ki", None),
2213 (1, "=eap_eke_derive_ka", None),
2214 (1, "=eap_eke_derive_msk", None),
2215 (1, "eap_eke_build_msg;eap_eke_process_id", None),
2216 (1, "wpabuf_alloc;eap_eke_process_id", None),
2217 (1, "=eap_eke_process_id", None),
2218 (1, "wpabuf_alloc;=eap_eke_process_id", None),
2219 (1, "wpabuf_alloc;eap_eke_process_id", None),
2220 (1, "eap_eke_build_msg;eap_eke_process_commit", None),
2221 (1, "wpabuf_resize;eap_eke_process_commit", None),
2222 (1, "eap_eke_build_msg;eap_eke_process_confirm", None) ]
2223 for count, func, phase1 in tests:
2224 with alloc_fail(dev[0], count, func):
2225 eap_eke_test_fail(dev[0], phase1)
2226
2227 tests = [ (1, "eap_eke_getKey", None),
2228 (1, "eap_eke_get_emsk", None),
2229 (1, "eap_eke_get_session_id", None) ]
2230 for count, func, phase1 in tests:
2231 with alloc_fail(dev[0], count, func):
2232 eap_eke_test_fail(dev[0], phase1, success=True)
2233
2234 EAP_PAX_OP_STD_1 = 0x01
2235 EAP_PAX_OP_STD_2 = 0x02
2236 EAP_PAX_OP_STD_3 = 0x03
2237 EAP_PAX_OP_SEC_1 = 0x11
2238 EAP_PAX_OP_SEC_2 = 0x12
2239 EAP_PAX_OP_SEC_3 = 0x13
2240 EAP_PAX_OP_SEC_4 = 0x14
2241 EAP_PAX_OP_SEC_5 = 0x15
2242 EAP_PAX_OP_ACK = 0x21
2243
2244 EAP_PAX_FLAGS_MF = 0x01
2245 EAP_PAX_FLAGS_CE = 0x02
2246 EAP_PAX_FLAGS_AI = 0x04
2247
2248 EAP_PAX_MAC_HMAC_SHA1_128 = 0x01
2249 EAP_PAX_HMAC_SHA256_128 = 0x02
2250
2251 EAP_PAX_DH_GROUP_NONE = 0x00
2252 EAP_PAX_DH_GROUP_2048_MODP = 0x01
2253 EAP_PAX_DH_GROUP_3072_MODP = 0x02
2254 EAP_PAX_DH_GROUP_NIST_ECC_P_256 = 0x03
2255
2256 EAP_PAX_PUBLIC_KEY_NONE = 0x00
2257 EAP_PAX_PUBLIC_KEY_RSAES_OAEP = 0x01
2258 EAP_PAX_PUBLIC_KEY_RSA_PKCS1_V1_5 = 0x02
2259 EAP_PAX_PUBLIC_KEY_EL_GAMAL_NIST_ECC = 0x03
2260
2261 EAP_PAX_ADE_VENDOR_SPECIFIC = 0x01
2262 EAP_PAX_ADE_CLIENT_CHANNEL_BINDING = 0x02
2263 EAP_PAX_ADE_SERVER_CHANNEL_BINDING = 0x03
2264
2265 def test_eap_proto_pax(dev, apdev):
2266 """EAP-PAX protocol tests"""
2267 def pax_std_1(ctx):
2268 logger.info("Test: STD-1")
2269 ctx['id'] = 10
2270 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2271 4 + 1 + 5 + 2 + 32 + 16,
2272 EAP_TYPE_PAX,
2273 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2274 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2275 32, 0, 0, 0, 0, 0, 0, 0, 0,
2276 0x16, 0xc9, 0x08, 0x9d, 0x98, 0xa5, 0x6e, 0x1f,
2277 0xf0, 0xac, 0xcf, 0xc4, 0x66, 0xcd, 0x2d, 0xbf)
2278
2279 def pax_handler(ctx, req):
2280 logger.info("pax_handler - RX " + req.encode("hex"))
2281 if 'num' not in ctx:
2282 ctx['num'] = 0
2283 ctx['num'] = ctx['num'] + 1
2284 if 'id' not in ctx:
2285 ctx['id'] = 1
2286 ctx['id'] = (ctx['id'] + 1) % 256
2287
2288 idx = 0
2289
2290 idx += 1
2291 if ctx['num'] == idx:
2292 logger.info("Test: Missing payload")
2293 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2294 4 + 1,
2295 EAP_TYPE_PAX)
2296
2297 idx += 1
2298 if ctx['num'] == idx:
2299 logger.info("Test: Minimum length payload")
2300 return struct.pack(">BBHB4L", EAP_CODE_REQUEST, ctx['id'],
2301 4 + 1 + 16,
2302 EAP_TYPE_PAX,
2303 0, 0, 0, 0)
2304
2305 idx += 1
2306 if ctx['num'] == idx:
2307 logger.info("Test: Unsupported MAC ID")
2308 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2309 4 + 1 + 5 + 16,
2310 EAP_TYPE_PAX,
2311 EAP_PAX_OP_STD_1, 0, 255, EAP_PAX_DH_GROUP_NONE,
2312 EAP_PAX_PUBLIC_KEY_NONE,
2313 0, 0, 0, 0)
2314
2315 idx += 1
2316 if ctx['num'] == idx:
2317 logger.info("Test: Unsupported DH Group ID")
2318 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2319 4 + 1 + 5 + 16,
2320 EAP_TYPE_PAX,
2321 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2322 255, EAP_PAX_PUBLIC_KEY_NONE,
2323 0, 0, 0, 0)
2324
2325 idx += 1
2326 if ctx['num'] == idx:
2327 logger.info("Test: Unsupported Public Key ID")
2328 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2329 4 + 1 + 5 + 16,
2330 EAP_TYPE_PAX,
2331 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2332 EAP_PAX_DH_GROUP_NONE, 255,
2333 0, 0, 0, 0)
2334
2335 idx += 1
2336 if ctx['num'] == idx:
2337 logger.info("Test: More fragments")
2338 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2339 4 + 1 + 5 + 16,
2340 EAP_TYPE_PAX,
2341 EAP_PAX_OP_STD_1, EAP_PAX_FLAGS_MF,
2342 EAP_PAX_MAC_HMAC_SHA1_128,
2343 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2344 0, 0, 0, 0)
2345
2346 idx += 1
2347 if ctx['num'] == idx:
2348 logger.info("Test: Invalid ICV")
2349 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2350 4 + 1 + 5 + 16,
2351 EAP_TYPE_PAX,
2352 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2353 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2354 0, 0, 0, 0)
2355
2356 idx += 1
2357 if ctx['num'] == idx:
2358 logger.info("Test: Invalid ICV in short frame")
2359 return struct.pack(">BBHBBBBBB3L", EAP_CODE_REQUEST, ctx['id'],
2360 4 + 1 + 5 + 12,
2361 EAP_TYPE_PAX,
2362 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2363 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2364 0, 0, 0)
2365
2366 idx += 1
2367 if ctx['num'] == idx:
2368 logger.info("Test: Correct ICV - unsupported op_code")
2369 ctx['id'] = 10
2370 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2371 4 + 1 + 5 + 16,
2372 EAP_TYPE_PAX,
2373 255, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2374 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2375 0x90, 0x78, 0x97, 0x38, 0x29, 0x94, 0x32, 0xd4,
2376 0x81, 0x27, 0xe0, 0xf6, 0x3b, 0x0d, 0xb2, 0xb2)
2377
2378 idx += 1
2379 if ctx['num'] == idx:
2380 logger.info("Test: Correct ICV - CE flag in STD-1")
2381 ctx['id'] = 10
2382 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2383 4 + 1 + 5 + 16,
2384 EAP_TYPE_PAX,
2385 EAP_PAX_OP_STD_1, EAP_PAX_FLAGS_CE,
2386 EAP_PAX_MAC_HMAC_SHA1_128,
2387 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2388 0x9c, 0x98, 0xb4, 0x0b, 0x94, 0x90, 0xde, 0x88,
2389 0xb7, 0x72, 0x63, 0x44, 0x1d, 0xe3, 0x7c, 0x5c)
2390
2391 idx += 1
2392 if ctx['num'] == idx:
2393 logger.info("Test: Correct ICV - too short STD-1 payload")
2394 ctx['id'] = 10
2395 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2396 4 + 1 + 5 + 16,
2397 EAP_TYPE_PAX,
2398 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2399 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2400 0xda, 0xab, 0x2c, 0xe7, 0x84, 0x41, 0xb5, 0x5c,
2401 0xee, 0xcf, 0x62, 0x03, 0xc5, 0x69, 0xcb, 0xf4)
2402
2403 idx += 1
2404 if ctx['num'] == idx:
2405 logger.info("Test: Correct ICV - incorrect A length in STD-1")
2406 ctx['id'] = 10
2407 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2408 4 + 1 + 5 + 2 + 32 + 16,
2409 EAP_TYPE_PAX,
2410 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2411 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2412 0, 0, 0, 0, 0, 0, 0, 0, 0,
2413 0xc4, 0xb0, 0x81, 0xe4, 0x6c, 0x8c, 0x20, 0x23,
2414 0x60, 0x46, 0x89, 0xea, 0x94, 0x60, 0xf3, 0x2a)
2415
2416 idx += 1
2417 if ctx['num'] == idx:
2418 logger.info("Test: Correct ICV - extra data in STD-1")
2419 ctx['id'] = 10
2420 return struct.pack(">BBHBBBBBBH8LB16B", EAP_CODE_REQUEST, ctx['id'],
2421 4 + 1 + 5 + 2 + 32 + 1 + 16,
2422 EAP_TYPE_PAX,
2423 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2424 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2425 32, 0, 0, 0, 0, 0, 0, 0, 0,
2426 1,
2427 0x61, 0x49, 0x65, 0x37, 0x21, 0xe8, 0xd8, 0xbf,
2428 0xf3, 0x02, 0x01, 0xe5, 0x42, 0x51, 0xd3, 0x34)
2429 idx += 1
2430 if ctx['num'] == idx:
2431 logger.info("Test: Unexpected STD-1")
2432 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2433 4 + 1 + 5 + 2 + 32 + 16,
2434 EAP_TYPE_PAX,
2435 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2436 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2437 32, 0, 0, 0, 0, 0, 0, 0, 0,
2438 0xe5, 0x1d, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2439 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2440
2441 idx += 1
2442 if ctx['num'] == idx:
2443 return pax_std_1(ctx)
2444 idx += 1
2445 if ctx['num'] == idx:
2446 logger.info("Test: MAC ID changed during session")
2447 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2448 4 + 1 + 5 + 2 + 32 + 16,
2449 EAP_TYPE_PAX,
2450 EAP_PAX_OP_STD_1, 0, EAP_PAX_HMAC_SHA256_128,
2451 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2452 32, 0, 0, 0, 0, 0, 0, 0, 0,
2453 0xee, 0x00, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2454 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2455
2456 idx += 1
2457 if ctx['num'] == idx:
2458 return pax_std_1(ctx)
2459 idx += 1
2460 if ctx['num'] == idx:
2461 logger.info("Test: DH Group ID changed during session")
2462 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2463 4 + 1 + 5 + 2 + 32 + 16,
2464 EAP_TYPE_PAX,
2465 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2466 EAP_PAX_DH_GROUP_2048_MODP,
2467 EAP_PAX_PUBLIC_KEY_NONE,
2468 32, 0, 0, 0, 0, 0, 0, 0, 0,
2469 0xee, 0x01, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2470 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2471
2472 idx += 1
2473 if ctx['num'] == idx:
2474 return pax_std_1(ctx)
2475 idx += 1
2476 if ctx['num'] == idx:
2477 logger.info("Test: Public Key ID changed during session")
2478 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2479 4 + 1 + 5 + 2 + 32 + 16,
2480 EAP_TYPE_PAX,
2481 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2482 EAP_PAX_DH_GROUP_NONE,
2483 EAP_PAX_PUBLIC_KEY_RSAES_OAEP,
2484 32, 0, 0, 0, 0, 0, 0, 0, 0,
2485 0xee, 0x02, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2486 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2487
2488 idx += 1
2489 if ctx['num'] == idx:
2490 logger.info("Test: Unexpected STD-3")
2491 ctx['id'] = 10
2492 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2493 4 + 1 + 5 + 2 + 32 + 16,
2494 EAP_TYPE_PAX,
2495 EAP_PAX_OP_STD_3, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2496 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2497 32, 0, 0, 0, 0, 0, 0, 0, 0,
2498 0x47, 0xbb, 0xc0, 0xf9, 0xb9, 0x69, 0xf5, 0xcb,
2499 0x3a, 0xe8, 0xe7, 0xd6, 0x80, 0x28, 0xf2, 0x59)
2500
2501 idx += 1
2502 if ctx['num'] == idx:
2503 return pax_std_1(ctx)
2504 idx += 1
2505 if ctx['num'] == idx:
2506 # TODO: MAC calculation; for now, this gets dropped due to incorrect
2507 # ICV
2508 logger.info("Test: STD-3 with CE flag")
2509 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2510 4 + 1 + 5 + 2 + 32 + 16,
2511 EAP_TYPE_PAX,
2512 EAP_PAX_OP_STD_3, EAP_PAX_FLAGS_CE,
2513 EAP_PAX_MAC_HMAC_SHA1_128,
2514 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2515 32, 0, 0, 0, 0, 0, 0, 0, 0,
2516 0x8a, 0xc2, 0xf9, 0xf4, 0x8b, 0x75, 0x72, 0xa2,
2517 0x4d, 0xd3, 0x1e, 0x54, 0x77, 0x04, 0x05, 0xe2)
2518
2519 idx += 1
2520 if ctx['num'] & 0x1 == idx & 0x1:
2521 logger.info("Test: Default request")
2522 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2523 4 + 1,
2524 EAP_TYPE_PAX)
2525 else:
2526 logger.info("Test: Default EAP-Failure")
2527 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2528
2529 srv = start_radius_server(pax_handler)
2530
2531 try:
2532 hapd = start_ap(apdev[0]['ifname'])
2533
2534 for i in range(0, 18):
2535 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2536 eap="PAX", identity="user",
2537 password_hex="0123456789abcdef0123456789abcdef",
2538 wait_connect=False)
2539 logger.info("Waiting for EAP method to start")
2540 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2541 timeout=15)
2542 if ev is None:
2543 raise Exception("Timeout on EAP start")
2544 time.sleep(0.05)
2545 dev[0].request("REMOVE_NETWORK all")
2546 dev[0].dump_monitor()
2547
2548 logger.info("Too short password")
2549 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2550 eap="PAX", identity="user",
2551 password_hex="0123456789abcdef0123456789abcd",
2552 wait_connect=False)
2553 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
2554 if ev is None:
2555 raise Exception("Timeout on EAP start")
2556 time.sleep(0.1)
2557 dev[0].request("REMOVE_NETWORK all")
2558 dev[0].dump_monitor()
2559
2560 logger.info("No password")
2561 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2562 eap="PAX", identity="user",
2563 wait_connect=False)
2564 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
2565 if ev is None:
2566 raise Exception("Timeout on EAP start")
2567 time.sleep(0.1)
2568 dev[0].request("REMOVE_NETWORK all")
2569 dev[0].dump_monitor()
2570 finally:
2571 stop_radius_server(srv)
2572
2573 def test_eap_proto_psk(dev, apdev):
2574 """EAP-PSK protocol tests"""
2575 def psk_handler(ctx, req):
2576 logger.info("psk_handler - RX " + req.encode("hex"))
2577 if 'num' not in ctx:
2578 ctx['num'] = 0
2579 ctx['num'] = ctx['num'] + 1
2580 if 'id' not in ctx:
2581 ctx['id'] = 1
2582 ctx['id'] = (ctx['id'] + 1) % 256
2583
2584 idx = 0
2585
2586 idx += 1
2587 if ctx['num'] == idx:
2588 logger.info("Test: Missing payload")
2589 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2590 4 + 1,
2591 EAP_TYPE_PSK)
2592
2593 idx += 1
2594 if ctx['num'] == idx:
2595 logger.info("Test: Non-zero T in first message")
2596 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2597 4 + 1 + 1 + 16,
2598 EAP_TYPE_PSK, 0xc0, 0, 0, 0, 0)
2599
2600 idx += 1
2601 if ctx['num'] == idx:
2602 logger.info("Test: Valid first message")
2603 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2604 4 + 1 + 1 + 16,
2605 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2606 idx += 1
2607 if ctx['num'] == idx:
2608 logger.info("Test: Too short third message")
2609 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2610 4 + 1,
2611 EAP_TYPE_PSK)
2612
2613 idx += 1
2614 if ctx['num'] == idx:
2615 logger.info("Test: Valid first message")
2616 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2617 4 + 1 + 1 + 16,
2618 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2619 idx += 1
2620 if ctx['num'] == idx:
2621 logger.info("Test: Incorrect T in third message")
2622 return struct.pack(">BBHBB4L4L", EAP_CODE_REQUEST, ctx['id'],
2623 4 + 1 + 1 + 16 + 16,
2624 EAP_TYPE_PSK, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2625
2626 idx += 1
2627 if ctx['num'] == idx:
2628 logger.info("Test: Valid first message")
2629 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2630 4 + 1 + 1 + 16,
2631 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2632 idx += 1
2633 if ctx['num'] == idx:
2634 logger.info("Test: Missing PCHANNEL in third message")
2635 return struct.pack(">BBHBB4L4L", EAP_CODE_REQUEST, ctx['id'],
2636 4 + 1 + 1 + 16 + 16,
2637 EAP_TYPE_PSK, 0x80, 0, 0, 0, 0, 0, 0, 0, 0)
2638
2639 idx += 1
2640 if ctx['num'] == idx:
2641 logger.info("Test: Valid first message")
2642 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2643 4 + 1 + 1 + 16,
2644 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2645 idx += 1
2646 if ctx['num'] == idx:
2647 logger.info("Test: Invalic MAC_S in third message")
2648 return struct.pack(">BBHBB4L4L5LB", EAP_CODE_REQUEST, ctx['id'],
2649 4 + 1 + 1 + 16 + 16 + 21,
2650 EAP_TYPE_PSK, 0x80, 0, 0, 0, 0, 0, 0, 0, 0,
2651 0, 0, 0, 0, 0, 0)
2652
2653 idx += 1
2654 if ctx['num'] == idx:
2655 logger.info("Test: Valid first message")
2656 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2657 4 + 1 + 1 + 16,
2658 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2659 idx += 1
2660 if ctx['num'] == idx:
2661 logger.info("Test: EAP-Failure")
2662 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2663
2664 return None
2665
2666 srv = start_radius_server(psk_handler)
2667
2668 try:
2669 hapd = start_ap(apdev[0]['ifname'])
2670
2671 for i in range(0, 6):
2672 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2673 eap="PSK", identity="user",
2674 password_hex="0123456789abcdef0123456789abcdef",
2675 wait_connect=False)
2676 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2677 timeout=15)
2678 if ev is None:
2679 raise Exception("Timeout on EAP start")
2680 time.sleep(0.1)
2681 dev[0].request("REMOVE_NETWORK all")
2682
2683 logger.info("Test: Invalid PSK length")
2684 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2685 eap="PSK", identity="user",
2686 password_hex="0123456789abcdef0123456789abcd",
2687 wait_connect=False)
2688 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2689 timeout=15)
2690 if ev is None:
2691 raise Exception("Timeout on EAP start")
2692 time.sleep(0.1)
2693 dev[0].request("REMOVE_NETWORK all")
2694 finally:
2695 stop_radius_server(srv)
2696
2697 def test_eap_proto_psk_errors(dev, apdev):
2698 """EAP-PSK local error cases"""
2699 check_eap_capa(dev[0], "PSK")
2700 params = hostapd.wpa2_eap_params(ssid="eap-test")
2701 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2702
2703 for i in range(1, 6):
2704 with alloc_fail(dev[0], i, "eap_psk_init"):
2705 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2706 eap="PSK", identity="psk.user@example.com",
2707 password_hex="0123456789abcdef0123456789abcdef",
2708 wait_connect=False)
2709 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
2710 timeout=15)
2711 if ev is None:
2712 raise Exception("Timeout on EAP start")
2713 dev[0].request("REMOVE_NETWORK all")
2714 dev[0].wait_disconnected()
2715
2716 tests = [ (1, "=eap_psk_process_1"),
2717 (2, "=eap_psk_process_1"),
2718 (1, "eap_msg_alloc;eap_psk_process_1"),
2719 (1, "=eap_psk_process_3"),
2720 (2, "=eap_psk_process_3"),
2721 (1, "eap_msg_alloc;eap_psk_process_3"),
2722 (1, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2723 (2, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2724 (3, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2725 (4, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2726 (5, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2727 (6, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2728 (7, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2729 (8, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2730 (9, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2731 (10, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2732 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt;eap_psk_process_3"),
2733 (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt;eap_psk_process_3"),
2734 (1, "eap_psk_getKey"),
2735 (1, "eap_psk_get_session_id"),
2736 (1, "eap_psk_get_emsk") ]
2737 for count, func in tests:
2738 with alloc_fail(dev[0], count, func):
2739 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2740 eap="PSK", identity="psk.user@example.com",
2741 password_hex="0123456789abcdef0123456789abcdef",
2742 erp="1", wait_connect=False)
2743 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2744 timeout=15)
2745 if ev is None:
2746 raise Exception("Timeout on EAP start")
2747 ok = False
2748 for j in range(10):
2749 state = dev[0].request('GET_ALLOC_FAIL')
2750 if state.startswith('0:'):
2751 ok = True
2752 break
2753 time.sleep(0.1)
2754 if not ok:
2755 raise Exception("No allocation failure seen for %d:%s" % (count, func))
2756 dev[0].request("REMOVE_NETWORK all")
2757 dev[0].wait_disconnected()
2758
2759 tests = [ (1, "os_get_random;eap_psk_process_1"),
2760 (1, "omac1_aes_128;eap_psk_process_3"),
2761 (1, "aes_128_eax_decrypt;eap_psk_process_3"),
2762 (2, "aes_128_eax_decrypt;eap_psk_process_3"),
2763 (3, "aes_128_eax_decrypt;eap_psk_process_3"),
2764 (1, "aes_128_eax_encrypt;eap_psk_process_3"),
2765 (2, "aes_128_eax_encrypt;eap_psk_process_3"),
2766 (3, "aes_128_eax_encrypt;eap_psk_process_3") ]
2767 for count, func in tests:
2768 with fail_test(dev[0], count, func):
2769 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2770 eap="PSK", identity="psk.user@example.com",
2771 password_hex="0123456789abcdef0123456789abcdef",
2772 wait_connect=False)
2773 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2774 timeout=15)
2775 if ev is None:
2776 raise Exception("Timeout on EAP start")
2777 ok = False
2778 for j in range(10):
2779 state = dev[0].request('GET_FAIL')
2780 if state.startswith('0:'):
2781 ok = True
2782 break
2783 time.sleep(0.1)
2784 if not ok:
2785 raise Exception("No failure seen for %d:%s" % (count, func))
2786 dev[0].request("REMOVE_NETWORK all")
2787 dev[0].wait_disconnected()
2788
2789 EAP_SIM_SUBTYPE_START = 10
2790 EAP_SIM_SUBTYPE_CHALLENGE = 11
2791 EAP_SIM_SUBTYPE_NOTIFICATION = 12
2792 EAP_SIM_SUBTYPE_REAUTHENTICATION = 13
2793 EAP_SIM_SUBTYPE_CLIENT_ERROR = 14
2794
2795 EAP_AKA_SUBTYPE_CHALLENGE = 1
2796 EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT = 2
2797 EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE = 4
2798 EAP_AKA_SUBTYPE_IDENTITY = 5
2799 EAP_AKA_SUBTYPE_NOTIFICATION = 12
2800 EAP_AKA_SUBTYPE_REAUTHENTICATION = 13
2801 EAP_AKA_SUBTYPE_CLIENT_ERROR = 14
2802
2803 EAP_SIM_AT_RAND = 1
2804 EAP_SIM_AT_AUTN = 2
2805 EAP_SIM_AT_RES = 3
2806 EAP_SIM_AT_AUTS = 4
2807 EAP_SIM_AT_PADDING = 6
2808 EAP_SIM_AT_NONCE_MT = 7
2809 EAP_SIM_AT_PERMANENT_ID_REQ = 10
2810 EAP_SIM_AT_MAC = 11
2811 EAP_SIM_AT_NOTIFICATION = 12
2812 EAP_SIM_AT_ANY_ID_REQ = 13
2813 EAP_SIM_AT_IDENTITY = 14
2814 EAP_SIM_AT_VERSION_LIST = 15
2815 EAP_SIM_AT_SELECTED_VERSION = 16
2816 EAP_SIM_AT_FULLAUTH_ID_REQ = 17
2817 EAP_SIM_AT_COUNTER = 19
2818 EAP_SIM_AT_COUNTER_TOO_SMALL = 20
2819 EAP_SIM_AT_NONCE_S = 21
2820 EAP_SIM_AT_CLIENT_ERROR_CODE = 22
2821 EAP_SIM_AT_KDF_INPUT = 23
2822 EAP_SIM_AT_KDF = 24
2823 EAP_SIM_AT_IV = 129
2824 EAP_SIM_AT_ENCR_DATA = 130
2825 EAP_SIM_AT_NEXT_PSEUDONYM = 132
2826 EAP_SIM_AT_NEXT_REAUTH_ID = 133
2827 EAP_SIM_AT_CHECKCODE = 134
2828 EAP_SIM_AT_RESULT_IND = 135
2829 EAP_SIM_AT_BIDDING = 136
2830
2831 def test_eap_proto_aka(dev, apdev):
2832 """EAP-AKA protocol tests"""
2833 def aka_handler(ctx, req):
2834 logger.info("aka_handler - RX " + req.encode("hex"))
2835 if 'num' not in ctx:
2836 ctx['num'] = 0
2837 ctx['num'] = ctx['num'] + 1
2838 if 'id' not in ctx:
2839 ctx['id'] = 1
2840 ctx['id'] = (ctx['id'] + 1) % 256
2841
2842 idx = 0
2843
2844 idx += 1
2845 if ctx['num'] == idx:
2846 logger.info("Test: Missing payload")
2847 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2848 4 + 1,
2849 EAP_TYPE_AKA)
2850
2851 idx += 1
2852 if ctx['num'] == idx:
2853 logger.info("Test: Unknown subtype")
2854 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2855 4 + 1 + 3,
2856 EAP_TYPE_AKA, 255, 0)
2857 idx += 1
2858 if ctx['num'] == idx:
2859 logger.info("Test: EAP-Failure")
2860 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2861
2862 idx += 1
2863 if ctx['num'] == idx:
2864 logger.info("Test: Client Error")
2865 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2866 4 + 1 + 3,
2867 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CLIENT_ERROR, 0)
2868 idx += 1
2869 if ctx['num'] == idx:
2870 logger.info("Test: EAP-Failure")
2871 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2872
2873 idx += 1
2874 if ctx['num'] == idx:
2875 logger.info("Test: Too short attribute header")
2876 return struct.pack(">BBHBBHB", EAP_CODE_REQUEST, ctx['id'],
2877 4 + 1 + 1 + 3,
2878 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255)
2879 idx += 1
2880 if ctx['num'] == idx:
2881 logger.info("Test: EAP-Failure")
2882 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2883
2884 idx += 1
2885 if ctx['num'] == idx:
2886 logger.info("Test: Truncated attribute")
2887 return struct.pack(">BBHBBHBB", EAP_CODE_REQUEST, ctx['id'],
2888 4 + 1 + 1 + 4,
2889 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255,
2890 255)
2891 idx += 1
2892 if ctx['num'] == idx:
2893 logger.info("Test: EAP-Failure")
2894 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2895
2896 idx += 1
2897 if ctx['num'] == idx:
2898 logger.info("Test: Too short attribute data")
2899 return struct.pack(">BBHBBHBB", EAP_CODE_REQUEST, ctx['id'],
2900 4 + 1 + 1 + 4,
2901 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255,
2902 0)
2903 idx += 1
2904 if ctx['num'] == idx:
2905 logger.info("Test: EAP-Failure")
2906 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2907
2908 idx += 1
2909 if ctx['num'] == idx:
2910 logger.info("Test: Skippable/non-skippable unrecognzized attribute")
2911 return struct.pack(">BBHBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2912 4 + 1 + 1 + 10,
2913 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2914 255, 1, 0, 127, 1, 0)
2915 idx += 1
2916 if ctx['num'] == idx:
2917 logger.info("Test: EAP-Failure")
2918 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2919
2920 idx += 1
2921 if ctx['num'] == idx:
2922 logger.info("Test: Identity request without ID type")
2923 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2924 4 + 1 + 3,
2925 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0)
2926 idx += 1
2927 if ctx['num'] == idx:
2928 logger.info("Test: Identity request ANY_ID")
2929 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2930 4 + 1 + 3 + 4,
2931 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2932 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2933 idx += 1
2934 if ctx['num'] == idx:
2935 logger.info("Test: Identity request ANY_ID (duplicate)")
2936 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2937 4 + 1 + 3 + 4,
2938 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2939 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2940 idx += 1
2941 if ctx['num'] == idx:
2942 logger.info("Test: EAP-Failure")
2943 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2944
2945 idx += 1
2946 if ctx['num'] == idx:
2947 logger.info("Test: Identity request ANY_ID")
2948 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2949 4 + 1 + 3 + 4,
2950 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2951 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2952 idx += 1
2953 if ctx['num'] == idx:
2954 logger.info("Test: Identity request FULLAUTH_ID")
2955 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2956 4 + 1 + 3 + 4,
2957 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2958 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2959 idx += 1
2960 if ctx['num'] == idx:
2961 logger.info("Test: Identity request FULLAUTH_ID (duplicate)")
2962 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2963 4 + 1 + 3 + 4,
2964 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2965 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2966 idx += 1
2967 if ctx['num'] == idx:
2968 logger.info("Test: EAP-Failure")
2969 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2970
2971 idx += 1
2972 if ctx['num'] == idx:
2973 logger.info("Test: Identity request ANY_ID")
2974 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2975 4 + 1 + 3 + 4,
2976 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2977 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2978 idx += 1
2979 if ctx['num'] == idx:
2980 logger.info("Test: Identity request FULLAUTH_ID")
2981 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2982 4 + 1 + 3 + 4,
2983 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2984 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2985 idx += 1
2986 if ctx['num'] == idx:
2987 logger.info("Test: Identity request PERMANENT_ID")
2988 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2989 4 + 1 + 3 + 4,
2990 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2991 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
2992 idx += 1
2993 if ctx['num'] == idx:
2994 logger.info("Test: Identity request PERMANENT_ID (duplicate)")
2995 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2996 4 + 1 + 3 + 4,
2997 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2998 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
2999 idx += 1
3000 if ctx['num'] == idx:
3001 logger.info("Test: EAP-Failure")
3002 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3003
3004 idx += 1
3005 if ctx['num'] == idx:
3006 logger.info("Test: Challenge with no attributes")
3007 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3008 4 + 1 + 3,
3009 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0)
3010 idx += 1
3011 if ctx['num'] == idx:
3012 logger.info("Test: EAP-Failure")
3013 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3014
3015 idx += 1
3016 if ctx['num'] == idx:
3017 logger.info("Test: AKA Challenge with BIDDING")
3018 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3019 4 + 1 + 3 + 4,
3020 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3021 EAP_SIM_AT_BIDDING, 1, 0x8000)
3022 idx += 1
3023 if ctx['num'] == idx:
3024 logger.info("Test: EAP-Failure")
3025 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3026
3027 idx += 1
3028 if ctx['num'] == idx:
3029 logger.info("Test: Notification with no attributes")
3030 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3031 4 + 1 + 3,
3032 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0)
3033 idx += 1
3034 if ctx['num'] == idx:
3035 logger.info("Test: EAP-Failure")
3036 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3037
3038 idx += 1
3039 if ctx['num'] == idx:
3040 logger.info("Test: Notification indicating success, but no MAC")
3041 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3042 4 + 1 + 3 + 4,
3043 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3044 EAP_SIM_AT_NOTIFICATION, 1, 32768)
3045 idx += 1
3046 if ctx['num'] == idx:
3047 logger.info("Test: EAP-Failure")
3048 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3049
3050 idx += 1
3051 if ctx['num'] == idx:
3052 logger.info("Test: Notification indicating success, but invalid MAC value")
3053 return struct.pack(">BBHBBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
3054 4 + 1 + 3 + 4 + 20,
3055 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3056 EAP_SIM_AT_NOTIFICATION, 1, 32768,
3057 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3058 idx += 1
3059 if ctx['num'] == idx:
3060 logger.info("Test: EAP-Failure")
3061 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3062
3063 idx += 1
3064 if ctx['num'] == idx:
3065 logger.info("Test: Notification indicating success with zero-key MAC")
3066 return struct.pack(">BBHBBHBBHBBH16B", EAP_CODE_REQUEST,
3067 ctx['id'] - 2,
3068 4 + 1 + 3 + 4 + 20,
3069 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3070 EAP_SIM_AT_NOTIFICATION, 1, 32768,
3071 EAP_SIM_AT_MAC, 5, 0,
3072 0xbe, 0x2e, 0xbb, 0xa9, 0xfa, 0x2e, 0x82, 0x36,
3073 0x37, 0x8c, 0x32, 0x41, 0xb7, 0xc7, 0x58, 0xa3)
3074 idx += 1
3075 if ctx['num'] == idx:
3076 logger.info("Test: EAP-Success")
3077 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
3078
3079 idx += 1
3080 if ctx['num'] == idx:
3081 logger.info("Test: Notification before auth")
3082 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3083 4 + 1 + 3 + 4,
3084 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3085 EAP_SIM_AT_NOTIFICATION, 1, 16384)
3086 idx += 1
3087 if ctx['num'] == idx:
3088 logger.info("Test: EAP-Failure")
3089 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3090
3091 idx += 1
3092 if ctx['num'] == idx:
3093 logger.info("Test: Notification before auth")
3094 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3095 4 + 1 + 3 + 4,
3096 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3097 EAP_SIM_AT_NOTIFICATION, 1, 16385)
3098 idx += 1
3099 if ctx['num'] == idx:
3100 logger.info("Test: EAP-Failure")
3101 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3102
3103 idx += 1
3104 if ctx['num'] == idx:
3105 logger.info("Test: Notification with unrecognized non-failure")
3106 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3107 4 + 1 + 3 + 4,
3108 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3109 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
3110 idx += 1
3111 if ctx['num'] == idx:
3112 logger.info("Test: Notification before auth (duplicate)")
3113 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3114 4 + 1 + 3 + 4,
3115 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3116 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
3117 idx += 1
3118 if ctx['num'] == idx:
3119 logger.info("Test: EAP-Failure")
3120 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3121
3122 idx += 1
3123 if ctx['num'] == idx:
3124 logger.info("Test: Re-authentication (unexpected) with no attributes")
3125 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3126 4 + 1 + 3,
3127 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_REAUTHENTICATION,
3128 0)
3129 idx += 1
3130 if ctx['num'] == idx:
3131 logger.info("Test: EAP-Failure")
3132 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3133
3134 idx += 1
3135 if ctx['num'] == idx:
3136 logger.info("Test: AKA Challenge with Checkcode claiming identity round was used")
3137 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3138 4 + 1 + 3 + 24,
3139 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3140 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
3141 idx += 1
3142 if ctx['num'] == idx:
3143 logger.info("Test: EAP-Failure")
3144 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3145
3146 idx += 1
3147 if ctx['num'] == idx:
3148 logger.info("Test: Identity request ANY_ID")
3149 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3150 4 + 1 + 3 + 4,
3151 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3152 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3153 idx += 1
3154 if ctx['num'] == idx:
3155 logger.info("Test: AKA Challenge with Checkcode claiming no identity round was used")
3156 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3157 4 + 1 + 3 + 4,
3158 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3159 EAP_SIM_AT_CHECKCODE, 1, 0)
3160 idx += 1
3161 if ctx['num'] == idx:
3162 logger.info("Test: EAP-Failure")
3163 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3164
3165 idx += 1
3166 if ctx['num'] == idx:
3167 logger.info("Test: Identity request ANY_ID")
3168 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3169 4 + 1 + 3 + 4,
3170 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3171 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3172 idx += 1
3173 if ctx['num'] == idx:
3174 logger.info("Test: AKA Challenge with mismatching Checkcode value")
3175 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3176 4 + 1 + 3 + 24,
3177 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3178 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
3179 idx += 1
3180 if ctx['num'] == idx:
3181 logger.info("Test: EAP-Failure")
3182 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3183
3184 idx += 1
3185 if ctx['num'] == idx:
3186 logger.info("Test: Re-authentication (unexpected) with Checkcode claimin identity round was used")
3187 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3188 4 + 1 + 3 + 24,
3189 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_REAUTHENTICATION,
3190 0,
3191 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
3192 idx += 1
3193 if ctx['num'] == idx:
3194 logger.info("Test: EAP-Failure")
3195 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3196
3197 idx += 1
3198 if ctx['num'] == idx:
3199 logger.info("Test: Invalid AT_RAND length")
3200 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3201 4 + 1 + 3 + 4,
3202 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3203 EAP_SIM_AT_RAND, 1, 0)
3204 idx += 1
3205 if ctx['num'] == idx:
3206 logger.info("Test: EAP-Failure")
3207 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3208
3209 idx += 1
3210 if ctx['num'] == idx:
3211 logger.info("Test: Invalid AT_AUTN length")
3212 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3213 4 + 1 + 3 + 4,
3214 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3215 EAP_SIM_AT_AUTN, 1, 0)
3216 idx += 1
3217 if ctx['num'] == idx:
3218 logger.info("Test: EAP-Failure")
3219 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3220
3221 idx += 1
3222 if ctx['num'] == idx:
3223 logger.info("Test: Unencrypted AT_PADDING")
3224 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3225 4 + 1 + 3 + 4,
3226 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3227 EAP_SIM_AT_PADDING, 1, 0)
3228 idx += 1
3229 if ctx['num'] == idx:
3230 logger.info("Test: EAP-Failure")
3231 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3232
3233 idx += 1
3234 if ctx['num'] == idx:
3235 logger.info("Test: Invalid AT_NONCE_MT length")
3236 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3237 4 + 1 + 3 + 4,
3238 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3239 EAP_SIM_AT_NONCE_MT, 1, 0)
3240 idx += 1
3241 if ctx['num'] == idx:
3242 logger.info("Test: EAP-Failure")
3243 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3244
3245 idx += 1
3246 if ctx['num'] == idx:
3247 logger.info("Test: Invalid AT_MAC length")
3248 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3249 4 + 1 + 3 + 4,
3250 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3251 EAP_SIM_AT_MAC, 1, 0)
3252 idx += 1
3253 if ctx['num'] == idx:
3254 logger.info("Test: EAP-Failure")
3255 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3256
3257 idx += 1
3258 if ctx['num'] == idx:
3259 logger.info("Test: Invalid AT_NOTIFICATION length")
3260 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3261 4 + 1 + 3 + 8,
3262 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3263 EAP_SIM_AT_NOTIFICATION, 2, 0, 0)
3264 idx += 1
3265 if ctx['num'] == idx:
3266 logger.info("Test: EAP-Failure")
3267 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3268
3269 idx += 1
3270 if ctx['num'] == idx:
3271 logger.info("Test: AT_IDENTITY overflow")
3272 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3273 4 + 1 + 3 + 4,
3274 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3275 EAP_SIM_AT_IDENTITY, 1, 0xffff)
3276 idx += 1
3277 if ctx['num'] == idx:
3278 logger.info("Test: EAP-Failure")
3279 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3280
3281 idx += 1
3282 if ctx['num'] == idx:
3283 logger.info("Test: Unexpected AT_VERSION_LIST")
3284 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3285 4 + 1 + 3 + 4,
3286 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3287 EAP_SIM_AT_VERSION_LIST, 1, 0)
3288 idx += 1
3289 if ctx['num'] == idx:
3290 logger.info("Test: EAP-Failure")
3291 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3292
3293 idx += 1
3294 if ctx['num'] == idx:
3295 logger.info("Test: Invalid AT_SELECTED_VERSION length")
3296 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3297 4 + 1 + 3 + 8,
3298 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3299 EAP_SIM_AT_SELECTED_VERSION, 2, 0, 0)
3300 idx += 1
3301 if ctx['num'] == idx:
3302 logger.info("Test: EAP-Failure")
3303 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3304
3305 idx += 1
3306 if ctx['num'] == idx:
3307 logger.info("Test: Unencrypted AT_COUNTER")
3308 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3309 4 + 1 + 3 + 4,
3310 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3311 EAP_SIM_AT_COUNTER, 1, 0)
3312 idx += 1
3313 if ctx['num'] == idx:
3314 logger.info("Test: EAP-Failure")
3315 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3316
3317 idx += 1
3318 if ctx['num'] == idx:
3319 logger.info("Test: Unencrypted AT_COUNTER_TOO_SMALL")
3320 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3321 4 + 1 + 3 + 4,
3322 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3323 EAP_SIM_AT_COUNTER_TOO_SMALL, 1, 0)
3324 idx += 1
3325 if ctx['num'] == idx:
3326 logger.info("Test: EAP-Failure")
3327 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3328
3329 idx += 1
3330 if ctx['num'] == idx:
3331 logger.info("Test: Unencrypted AT_NONCE_S")
3332 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3333 4 + 1 + 3 + 4,
3334 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3335 EAP_SIM_AT_NONCE_S, 1, 0)
3336 idx += 1
3337 if ctx['num'] == idx:
3338 logger.info("Test: EAP-Failure")
3339 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3340
3341 idx += 1
3342 if ctx['num'] == idx:
3343 logger.info("Test: Invalid AT_CLIENT_ERROR_CODE length")
3344 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3345 4 + 1 + 3 + 8,
3346 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3347 EAP_SIM_AT_CLIENT_ERROR_CODE, 2, 0, 0)
3348 idx += 1
3349 if ctx['num'] == idx:
3350 logger.info("Test: EAP-Failure")
3351 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3352
3353 idx += 1
3354 if ctx['num'] == idx:
3355 logger.info("Test: Invalid AT_IV length")
3356 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3357 4 + 1 + 3 + 4,
3358 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3359 EAP_SIM_AT_IV, 1, 0)
3360 idx += 1
3361 if ctx['num'] == idx:
3362 logger.info("Test: EAP-Failure")
3363 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3364
3365 idx += 1
3366 if ctx['num'] == idx:
3367 logger.info("Test: Invalid AT_ENCR_DATA length")
3368 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3369 4 + 1 + 3 + 8,
3370 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3371 EAP_SIM_AT_ENCR_DATA, 2, 0, 0)
3372 idx += 1
3373 if ctx['num'] == idx:
3374 logger.info("Test: EAP-Failure")
3375 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3376
3377 idx += 1
3378 if ctx['num'] == idx:
3379 logger.info("Test: Unencrypted AT_NEXT_PSEUDONYM")
3380 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3381 4 + 1 + 3 + 4,
3382 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3383 EAP_SIM_AT_NEXT_PSEUDONYM, 1, 0)
3384 idx += 1
3385 if ctx['num'] == idx:
3386 logger.info("Test: EAP-Failure")
3387 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3388
3389 idx += 1
3390 if ctx['num'] == idx:
3391 logger.info("Test: Unencrypted AT_NEXT_REAUTH_ID")
3392 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3393 4 + 1 + 3 + 4,
3394 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3395 EAP_SIM_AT_NEXT_REAUTH_ID, 1, 0)
3396 idx += 1
3397 if ctx['num'] == idx:
3398 logger.info("Test: EAP-Failure")
3399 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3400
3401 idx += 1
3402 if ctx['num'] == idx:
3403 logger.info("Test: Invalid AT_RES length")
3404 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3405 4 + 1 + 3 + 4,
3406 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3407 EAP_SIM_AT_RES, 1, 0)
3408 idx += 1
3409 if ctx['num'] == idx:
3410 logger.info("Test: EAP-Failure")
3411 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3412
3413 idx += 1
3414 if ctx['num'] == idx:
3415 logger.info("Test: Invalid AT_RES length")
3416 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3417 4 + 1 + 3 + 24,
3418 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3419 EAP_SIM_AT_RES, 6, 0xffff, 0, 0, 0, 0, 0)
3420 idx += 1
3421 if ctx['num'] == idx:
3422 logger.info("Test: EAP-Failure")
3423 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3424
3425 idx += 1
3426 if ctx['num'] == idx:
3427 logger.info("Test: Invalid AT_AUTS length")
3428 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3429 4 + 1 + 3 + 8,
3430 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3431 EAP_SIM_AT_AUTS, 2, 0, 0)
3432 idx += 1
3433 if ctx['num'] == idx:
3434 logger.info("Test: EAP-Failure")
3435 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3436
3437 idx += 1
3438 if ctx['num'] == idx:
3439 logger.info("Test: Invalid AT_CHECKCODE length")
3440 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3441 4 + 1 + 3 + 8,
3442 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3443 EAP_SIM_AT_CHECKCODE, 2, 0, 0)
3444 idx += 1
3445 if ctx['num'] == idx:
3446 logger.info("Test: EAP-Failure")
3447 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3448
3449 idx += 1
3450 if ctx['num'] == idx:
3451 logger.info("Test: Invalid AT_RESULT_IND length")
3452 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3453 4 + 1 + 3 + 8,
3454 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3455 EAP_SIM_AT_RESULT_IND, 2, 0, 0)
3456 idx += 1
3457 if ctx['num'] == idx:
3458 logger.info("Test: EAP-Failure")
3459 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3460
3461 idx += 1
3462 if ctx['num'] == idx:
3463 logger.info("Test: Unexpected AT_KDF_INPUT")
3464 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3465 4 + 1 + 3 + 8,
3466 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3467 EAP_SIM_AT_KDF_INPUT, 2, 0, 0)
3468 idx += 1
3469 if ctx['num'] == idx:
3470 logger.info("Test: EAP-Failure")
3471 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3472
3473 idx += 1
3474 if ctx['num'] == idx:
3475 logger.info("Test: Unexpected AT_KDF")
3476 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3477 4 + 1 + 3 + 8,
3478 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3479 EAP_SIM_AT_KDF, 2, 0, 0)
3480 idx += 1
3481 if ctx['num'] == idx:
3482 logger.info("Test: EAP-Failure")
3483 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3484
3485 idx += 1
3486 if ctx['num'] == idx:
3487 logger.info("Test: Invalid AT_BIDDING length")
3488 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3489 4 + 1 + 3 + 8,
3490 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3491 EAP_SIM_AT_BIDDING, 2, 0, 0)
3492 idx += 1
3493 if ctx['num'] == idx:
3494 logger.info("Test: EAP-Failure")
3495 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3496
3497 return None
3498
3499 srv = start_radius_server(aka_handler)
3500
3501 try:
3502 hapd = start_ap(apdev[0]['ifname'])
3503
3504 for i in range(0, 49):
3505 eap = "AKA AKA'" if i == 11 else "AKA"
3506 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3507 eap=eap, identity="0232010000000000",
3508 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
3509 wait_connect=False)
3510 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3511 timeout=15)
3512 if ev is None:
3513 raise Exception("Timeout on EAP start")
3514 if i in [ 0, 15 ]:
3515 time.sleep(0.1)
3516 else:
3517 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3518 timeout=10)
3519 if ev is None:
3520 raise Exception("Timeout on EAP failure")
3521 dev[0].request("REMOVE_NETWORK all")
3522 dev[0].dump_monitor()
3523 finally:
3524 stop_radius_server(srv)
3525
3526 def test_eap_proto_aka_prime(dev, apdev):
3527 """EAP-AKA' protocol tests"""
3528 def aka_prime_handler(ctx, req):
3529 logger.info("aka_prime_handler - RX " + req.encode("hex"))
3530 if 'num' not in ctx:
3531 ctx['num'] = 0
3532 ctx['num'] = ctx['num'] + 1
3533 if 'id' not in ctx:
3534 ctx['id'] = 1
3535 ctx['id'] = (ctx['id'] + 1) % 256
3536
3537 idx = 0
3538
3539 idx += 1
3540 if ctx['num'] == idx:
3541 logger.info("Test: Missing payload")
3542 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
3543 4 + 1,
3544 EAP_TYPE_AKA_PRIME)
3545
3546 idx += 1
3547 if ctx['num'] == idx:
3548 logger.info("Test: Challenge with no attributes")
3549 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3550 4 + 1 + 3,
3551 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0)
3552 idx += 1
3553 if ctx['num'] == idx:
3554 logger.info("Test: EAP-Failure")
3555 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3556
3557 idx += 1
3558 if ctx['num'] == idx:
3559 logger.info("Test: Challenge with empty AT_KDF_INPUT")
3560 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3561 4 + 1 + 3 + 4,
3562 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3563 EAP_SIM_AT_KDF_INPUT, 1, 0)
3564 idx += 1
3565 if ctx['num'] == idx:
3566 logger.info("Test: EAP-Failure")
3567 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3568
3569 idx += 1
3570 if ctx['num'] == idx:
3571 logger.info("Test: Challenge with AT_KDF_INPUT")
3572 return struct.pack(">BBHBBHBBHBBBB", EAP_CODE_REQUEST, ctx['id'],
3573 4 + 1 + 3 + 8,
3574 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3575 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3576 ord('c'), ord('d'))
3577 idx += 1
3578 if ctx['num'] == idx:
3579 logger.info("Test: EAP-Failure")
3580 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3581
3582 idx += 1
3583 if ctx['num'] == idx:
3584 logger.info("Test: Challenge with duplicated KDF")
3585 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3586 EAP_CODE_REQUEST, ctx['id'],
3587 4 + 1 + 3 + 8 + 3 * 4,
3588 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3589 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3590 ord('c'), ord('d'),
3591 EAP_SIM_AT_KDF, 1, 1,
3592 EAP_SIM_AT_KDF, 1, 2,
3593 EAP_SIM_AT_KDF, 1, 1)
3594 idx += 1
3595 if ctx['num'] == idx:
3596 logger.info("Test: EAP-Failure")
3597 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3598
3599 idx += 1
3600 if ctx['num'] == idx:
3601 logger.info("Test: Challenge with multiple KDF proposals")
3602 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3603 EAP_CODE_REQUEST, ctx['id'],
3604 4 + 1 + 3 + 8 + 3 * 4,
3605 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3606 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3607 ord('c'), ord('d'),
3608 EAP_SIM_AT_KDF, 1, 255,
3609 EAP_SIM_AT_KDF, 1, 254,
3610 EAP_SIM_AT_KDF, 1, 1)
3611 idx += 1
3612 if ctx['num'] == idx:
3613 logger.info("Test: Challenge with incorrect KDF selected")
3614 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
3615 EAP_CODE_REQUEST, ctx['id'],
3616 4 + 1 + 3 + 8 + 4 * 4,
3617 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3618 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3619 ord('c'), ord('d'),
3620 EAP_SIM_AT_KDF, 1, 255,
3621 EAP_SIM_AT_KDF, 1, 255,
3622 EAP_SIM_AT_KDF, 1, 254,
3623 EAP_SIM_AT_KDF, 1, 1)
3624 idx += 1
3625 if ctx['num'] == idx:
3626 logger.info("Test: EAP-Failure")
3627 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3628
3629 idx += 1
3630 if ctx['num'] == idx:
3631 logger.info("Test: Challenge with multiple KDF proposals")
3632 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3633 EAP_CODE_REQUEST, ctx['id'],
3634 4 + 1 + 3 + 8 + 3 * 4,
3635 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3636 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3637 ord('c'), ord('d'),
3638 EAP_SIM_AT_KDF, 1, 255,
3639 EAP_SIM_AT_KDF, 1, 254,
3640 EAP_SIM_AT_KDF, 1, 1)
3641 idx += 1
3642 if ctx['num'] == idx:
3643 logger.info("Test: Challenge with selected KDF not duplicated")
3644 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3645 EAP_CODE_REQUEST, ctx['id'],
3646 4 + 1 + 3 + 8 + 3 * 4,
3647 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3648 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3649 ord('c'), ord('d'),
3650 EAP_SIM_AT_KDF, 1, 1,
3651 EAP_SIM_AT_KDF, 1, 255,
3652 EAP_SIM_AT_KDF, 1, 254)
3653 idx += 1
3654 if ctx['num'] == idx:
3655 logger.info("Test: EAP-Failure")
3656 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3657
3658 idx += 1
3659 if ctx['num'] == idx:
3660 logger.info("Test: Challenge with multiple KDF proposals")
3661 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3662 EAP_CODE_REQUEST, ctx['id'],
3663 4 + 1 + 3 + 8 + 3 * 4,
3664 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3665 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3666 ord('c'), ord('d'),
3667 EAP_SIM_AT_KDF, 1, 255,
3668 EAP_SIM_AT_KDF, 1, 254,
3669 EAP_SIM_AT_KDF, 1, 1)
3670 idx += 1
3671 if ctx['num'] == idx:
3672 logger.info("Test: Challenge with selected KDF duplicated (missing MAC, RAND, AUTN)")
3673 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
3674 EAP_CODE_REQUEST, ctx['id'],
3675 4 + 1 + 3 + 8 + 4 * 4,
3676 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3677 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3678 ord('c'), ord('d'),
3679 EAP_SIM_AT_KDF, 1, 1,
3680 EAP_SIM_AT_KDF, 1, 255,
3681 EAP_SIM_AT_KDF, 1, 254,
3682 EAP_SIM_AT_KDF, 1, 1)
3683 idx += 1
3684 if ctx['num'] == idx:
3685 logger.info("Test: EAP-Failure")
3686 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3687
3688 idx += 1
3689 if ctx['num'] == idx:
3690 logger.info("Test: Challenge with multiple unsupported KDF proposals")
3691 return struct.pack(">BBHBBHBBHBBBBBBHBBH",
3692 EAP_CODE_REQUEST, ctx['id'],
3693 4 + 1 + 3 + 8 + 2 * 4,
3694 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3695 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3696 ord('c'), ord('d'),
3697 EAP_SIM_AT_KDF, 1, 255,
3698 EAP_SIM_AT_KDF, 1, 254)
3699 idx += 1
3700 if ctx['num'] == idx:
3701 logger.info("Test: EAP-Failure")
3702 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3703
3704 idx += 1
3705 if ctx['num'] == idx:
3706 logger.info("Test: Challenge with multiple KDF proposals")
3707 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3708 EAP_CODE_REQUEST, ctx['id'],
3709 4 + 1 + 3 + 8 + 3 * 4,
3710 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3711 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3712 ord('c'), ord('d'),
3713 EAP_SIM_AT_KDF, 1, 255,
3714 EAP_SIM_AT_KDF, 1, 254,
3715 EAP_SIM_AT_KDF, 1, 1)
3716 idx += 1
3717 if ctx['num'] == idx:
3718 logger.info("Test: Challenge with invalid MAC, RAND, AUTN values)")
3719 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBHBBH4LBBH4LBBH4L",
3720 EAP_CODE_REQUEST, ctx['id'],
3721 4 + 1 + 3 + 8 + 4 * 4 + 20 + 20 + 20,
3722 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3723 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3724 ord('c'), ord('d'),
3725 EAP_SIM_AT_KDF, 1, 1,
3726 EAP_SIM_AT_KDF, 1, 255,
3727 EAP_SIM_AT_KDF, 1, 254,
3728 EAP_SIM_AT_KDF, 1, 1,
3729 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0,
3730 EAP_SIM_AT_RAND, 5, 0, 0, 0, 0, 0,
3731 EAP_SIM_AT_AUTN, 5, 0, 0, 0, 0, 0)
3732 idx += 1
3733 if ctx['num'] == idx:
3734 logger.info("Test: EAP-Failure")
3735 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3736
3737 idx += 1
3738 if ctx['num'] == idx:
3739 logger.info("Test: Challenge - AMF separation bit not set)")
3740 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3741 EAP_CODE_REQUEST, ctx['id'],
3742 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3743 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3744 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3745 ord('c'), ord('d'),
3746 EAP_SIM_AT_KDF, 1, 1,
3747 EAP_SIM_AT_MAC, 5, 0, 1, 2, 3, 4,
3748 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3749 EAP_SIM_AT_AUTN, 5, 0, 9, 10,
3750 0x2fda8ef7, 0xbba518cc)
3751 idx += 1
3752 if ctx['num'] == idx:
3753 logger.info("Test: EAP-Failure")
3754 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3755
3756 idx += 1
3757 if ctx['num'] == idx:
3758 logger.info("Test: Challenge - Invalid MAC")
3759 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3760 EAP_CODE_REQUEST, ctx['id'],
3761 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3762 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3763 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3764 ord('c'), ord('d'),
3765 EAP_SIM_AT_KDF, 1, 1,
3766 EAP_SIM_AT_MAC, 5, 0, 1, 2, 3, 4,
3767 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3768 EAP_SIM_AT_AUTN, 5, 0, 0xffffffff, 0xffffffff,
3769 0xd1f90322, 0x40514cb4)
3770 idx += 1
3771 if ctx['num'] == idx:
3772 logger.info("Test: EAP-Failure")
3773 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3774
3775 idx += 1
3776 if ctx['num'] == idx:
3777 logger.info("Test: Challenge - Valid MAC")
3778 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3779 EAP_CODE_REQUEST, ctx['id'],
3780 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3781 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3782 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3783 ord('c'), ord('d'),
3784 EAP_SIM_AT_KDF, 1, 1,
3785 EAP_SIM_AT_MAC, 5, 0,
3786 0xf4a3c1d3, 0x7c901401, 0x34bd8b01, 0x6f7fa32f,
3787 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3788 EAP_SIM_AT_AUTN, 5, 0, 0xffffffff, 0xffffffff,
3789 0xd1f90322, 0x40514cb4)
3790 idx += 1
3791 if ctx['num'] == idx:
3792 logger.info("Test: EAP-Failure")
3793 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3794
3795 idx += 1
3796 if ctx['num'] == idx:
3797 logger.info("Test: Invalid AT_KDF_INPUT length")
3798 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3799 4 + 1 + 3 + 8,
3800 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
3801 EAP_SIM_AT_KDF_INPUT, 2, 0xffff, 0)
3802 idx += 1
3803 if ctx['num'] == idx:
3804 logger.info("Test: EAP-Failure")
3805 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3806
3807 idx += 1
3808 if ctx['num'] == idx:
3809 logger.info("Test: Invalid AT_KDF length")
3810 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3811 4 + 1 + 3 + 8,
3812 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
3813 EAP_SIM_AT_KDF, 2, 0, 0)
3814 idx += 1
3815 if ctx['num'] == idx:
3816 logger.info("Test: EAP-Failure")
3817 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3818
3819 idx += 1
3820 if ctx['num'] == idx:
3821 logger.info("Test: Challenge with large number of KDF proposals")
3822 return struct.pack(">BBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH",
3823 EAP_CODE_REQUEST, ctx['id'],
3824 4 + 1 + 3 + 12 * 4,
3825 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3826 EAP_SIM_AT_KDF, 1, 255,
3827 EAP_SIM_AT_KDF, 1, 254,
3828 EAP_SIM_AT_KDF, 1, 253,
3829 EAP_SIM_AT_KDF, 1, 252,
3830 EAP_SIM_AT_KDF, 1, 251,
3831 EAP_SIM_AT_KDF, 1, 250,
3832 EAP_SIM_AT_KDF, 1, 249,
3833 EAP_SIM_AT_KDF, 1, 248,
3834 EAP_SIM_AT_KDF, 1, 247,
3835 EAP_SIM_AT_KDF, 1, 246,
3836 EAP_SIM_AT_KDF, 1, 245,
3837 EAP_SIM_AT_KDF, 1, 244)
3838 idx += 1
3839 if ctx['num'] == idx:
3840 logger.info("Test: EAP-Failure")
3841 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3842
3843 return None
3844
3845 srv = start_radius_server(aka_prime_handler)
3846
3847 try:
3848 hapd = start_ap(apdev[0]['ifname'])
3849
3850 for i in range(0, 16):
3851 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3852 eap="AKA'", identity="6555444333222111",
3853 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
3854 wait_connect=False)
3855 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3856 timeout=15)
3857 if ev is None:
3858 raise Exception("Timeout on EAP start")
3859 if i in [ 0 ]:
3860 time.sleep(0.1)
3861 else:
3862 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3863 timeout=10)
3864 if ev is None:
3865 raise Exception("Timeout on EAP failure")
3866 dev[0].request("REMOVE_NETWORK all")
3867 dev[0].dump_monitor()
3868 finally:
3869 stop_radius_server(srv)
3870
3871 def test_eap_proto_sim(dev, apdev):
3872 """EAP-SIM protocol tests"""
3873 def sim_handler(ctx, req):
3874 logger.info("sim_handler - RX " + req.encode("hex"))
3875 if 'num' not in ctx:
3876 ctx['num'] = 0
3877 ctx['num'] = ctx['num'] + 1
3878 if 'id' not in ctx:
3879 ctx['id'] = 1
3880 ctx['id'] = (ctx['id'] + 1) % 256
3881
3882 idx = 0
3883
3884 idx += 1
3885 if ctx['num'] == idx:
3886 logger.info("Test: Missing payload")
3887 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
3888 4 + 1,
3889 EAP_TYPE_SIM)
3890
3891 idx += 1
3892 if ctx['num'] == idx:
3893 logger.info("Test: Unexpected AT_AUTN")
3894 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3895 4 + 1 + 3 + 8,
3896 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3897 EAP_SIM_AT_AUTN, 2, 0, 0)
3898 idx += 1
3899 if ctx['num'] == idx:
3900 logger.info("Test: EAP-Failure")
3901 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3902
3903 idx += 1
3904 if ctx['num'] == idx:
3905 logger.info("Test: Too short AT_VERSION_LIST")
3906 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3907 4 + 1 + 3 + 4,
3908 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3909 EAP_SIM_AT_VERSION_LIST, 1, 0)
3910 idx += 1
3911 if ctx['num'] == idx:
3912 logger.info("Test: EAP-Failure")
3913 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3914
3915 idx += 1
3916 if ctx['num'] == idx:
3917 logger.info("Test: AT_VERSION_LIST overflow")
3918 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3919 4 + 1 + 3 + 4,
3920 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3921 EAP_SIM_AT_VERSION_LIST, 1, 0xffff)
3922 idx += 1
3923 if ctx['num'] == idx:
3924 logger.info("Test: EAP-Failure")
3925 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3926
3927 idx += 1
3928 if ctx['num'] == idx:
3929 logger.info("Test: Unexpected AT_AUTS")
3930 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3931 4 + 1 + 3 + 8,
3932 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3933 EAP_SIM_AT_AUTS, 2, 0, 0)
3934 idx += 1
3935 if ctx['num'] == idx:
3936 logger.info("Test: EAP-Failure")
3937 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3938
3939 idx += 1
3940 if ctx['num'] == idx:
3941 logger.info("Test: Unexpected AT_CHECKCODE")
3942 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3943 4 + 1 + 3 + 8,
3944 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3945 EAP_SIM_AT_CHECKCODE, 2, 0, 0)
3946 idx += 1
3947 if ctx['num'] == idx:
3948 logger.info("Test: EAP-Failure")
3949 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3950
3951 idx += 1
3952 if ctx['num'] == idx:
3953 logger.info("Test: No AT_VERSION_LIST in Start")
3954 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3955 4 + 1 + 3,
3956 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0)
3957 idx += 1
3958 if ctx['num'] == idx:
3959 logger.info("Test: EAP-Failure")
3960 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3961
3962 idx += 1
3963 if ctx['num'] == idx:
3964 logger.info("Test: No support version in AT_VERSION_LIST")
3965 return struct.pack(">BBHBBHBBH4B", EAP_CODE_REQUEST, ctx['id'],
3966 4 + 1 + 3 + 8,
3967 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3968 EAP_SIM_AT_VERSION_LIST, 2, 3, 2, 3, 4, 5)
3969 idx += 1
3970 if ctx['num'] == idx:
3971 logger.info("Test: EAP-Failure")
3972 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3973
3974
3975 idx += 1
3976 if ctx['num'] == idx:
3977 logger.info("Test: Identity request without ID type")
3978 return struct.pack(">BBHBBHBBH2H", EAP_CODE_REQUEST, ctx['id'],
3979 4 + 1 + 3 + 8,
3980 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3981 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0)
3982 idx += 1
3983 if ctx['num'] == idx:
3984 logger.info("Test: Identity request ANY_ID")
3985 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3986 4 + 1 + 3 + 8 + 4,
3987 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3988 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3989 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3990 idx += 1
3991 if ctx['num'] == idx:
3992 logger.info("Test: Identity request ANY_ID (duplicate)")
3993 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3994 4 + 1 + 3 + 8 + 4,
3995 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3996 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3997 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3998 idx += 1
3999 if ctx['num'] == idx:
4000 logger.info("Test: EAP-Failure")
4001 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4002
4003 idx += 1
4004 if ctx['num'] == idx:
4005 logger.info("Test: Identity request ANY_ID")
4006 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4007 4 + 1 + 3 + 8 + 4,
4008 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4009 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4010 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
4011 idx += 1
4012 if ctx['num'] == idx:
4013 logger.info("Test: Identity request FULLAUTH_ID")
4014 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4015 4 + 1 + 3 + 8 + 4,
4016 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4017 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4018 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
4019 idx += 1
4020 if ctx['num'] == idx:
4021 logger.info("Test: Identity request FULLAUTH_ID (duplicate)")
4022 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4023 4 + 1 + 3 + 8 + 4,
4024 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4025 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4026 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
4027 idx += 1
4028 if ctx['num'] == idx:
4029 logger.info("Test: EAP-Failure")
4030 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4031
4032 idx += 1
4033 if ctx['num'] == idx:
4034 logger.info("Test: Identity request ANY_ID")
4035 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4036 4 + 1 + 3 + 8 + 4,
4037 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4038 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4039 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
4040 idx += 1
4041 if ctx['num'] == idx:
4042 logger.info("Test: Identity request FULLAUTH_ID")
4043 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4044 4 + 1 + 3 + 8 + 4,
4045 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4046 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4047 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
4048 idx += 1
4049 if ctx['num'] == idx:
4050 logger.info("Test: Identity request PERMANENT_ID")
4051 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4052 4 + 1 + 3 + 8 + 4,
4053 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4054 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4055 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
4056 idx += 1
4057 if ctx['num'] == idx:
4058 logger.info("Test: Identity request PERMANENT_ID (duplicate)")
4059 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4060 4 + 1 + 3 + 8 + 4,
4061 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4062 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4063 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
4064 idx += 1
4065 if ctx['num'] == idx:
4066 logger.info("Test: EAP-Failure")
4067 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4068
4069 idx += 1
4070 if ctx['num'] == idx:
4071 logger.info("Test: No AT_MAC and AT_RAND in Challenge")
4072 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4073 4 + 1 + 3,
4074 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0)
4075 idx += 1
4076 if ctx['num'] == idx:
4077 logger.info("Test: EAP-Failure")
4078 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4079
4080 idx += 1
4081 if ctx['num'] == idx:
4082 logger.info("Test: No AT_RAND in Challenge")
4083 return struct.pack(">BBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
4084 4 + 1 + 3 + 20,
4085 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4086 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4087 idx += 1
4088 if ctx['num'] == idx:
4089 logger.info("Test: EAP-Failure")
4090 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4091
4092 idx += 1
4093 if ctx['num'] == idx:
4094 logger.info("Test: Insufficient number of challenges in Challenge")
4095 return struct.pack(">BBHBBHBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'],
4096 4 + 1 + 3 + 20 + 20,
4097 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4098 EAP_SIM_AT_RAND, 5, 0, 0, 0, 0, 0,
4099 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4100 idx += 1
4101 if ctx['num'] == idx:
4102 logger.info("Test: EAP-Failure")
4103 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4104
4105 idx += 1
4106 if ctx['num'] == idx:
4107 logger.info("Test: Too many challenges in Challenge")
4108 return struct.pack(">BBHBBHBBH4L4L4L4LBBH4L", EAP_CODE_REQUEST,
4109 ctx['id'],
4110 4 + 1 + 3 + 4 + 4 * 16 + 20,
4111 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4112 EAP_SIM_AT_RAND, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0,
4113 0, 0, 0, 0, 0, 0, 0, 0,
4114 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4115 idx += 1
4116 if ctx['num'] == idx:
4117 logger.info("Test: EAP-Failure")
4118 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4119
4120 idx += 1
4121 if ctx['num'] == idx:
4122 logger.info("Test: Same RAND multiple times in Challenge")
4123 return struct.pack(">BBHBBHBBH4L4L4LBBH4L", EAP_CODE_REQUEST,
4124 ctx['id'],
4125 4 + 1 + 3 + 4 + 3 * 16 + 20,
4126 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4127 EAP_SIM_AT_RAND, 13, 0, 0, 0, 0, 0, 0, 0, 0, 1,
4128 0, 0, 0, 0,
4129 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4130 idx += 1
4131 if ctx['num'] == idx:
4132 logger.info("Test: EAP-Failure")
4133 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4134
4135 idx += 1
4136 if ctx['num'] == idx:
4137 logger.info("Test: Notification with no attributes")
4138 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4139 4 + 1 + 3,
4140 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0)
4141 idx += 1
4142 if ctx['num'] == idx:
4143 logger.info("Test: EAP-Failure")
4144 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4145
4146 idx += 1
4147 if ctx['num'] == idx:
4148 logger.info("Test: Notification indicating success, but no MAC")
4149 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4150 4 + 1 + 3 + 4,
4151 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4152 EAP_SIM_AT_NOTIFICATION, 1, 32768)
4153 idx += 1
4154 if ctx['num'] == idx:
4155 logger.info("Test: EAP-Failure")
4156 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4157
4158 idx += 1
4159 if ctx['num'] == idx:
4160 logger.info("Test: Notification indicating success, but invalid MAC value")
4161 return struct.pack(">BBHBBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
4162 4 + 1 + 3 + 4 + 20,
4163 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4164 EAP_SIM_AT_NOTIFICATION, 1, 32768,
4165 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4166 idx += 1
4167 if ctx['num'] == idx:
4168 logger.info("Test: EAP-Failure")
4169 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4170
4171 idx += 1
4172 if ctx['num'] == idx:
4173 logger.info("Test: Notification before auth")
4174 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4175 4 + 1 + 3 + 4,
4176 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4177 EAP_SIM_AT_NOTIFICATION, 1, 16384)
4178 idx += 1
4179 if ctx['num'] == idx:
4180 logger.info("Test: EAP-Failure")
4181 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4182
4183 idx += 1
4184 if ctx['num'] == idx:
4185 logger.info("Test: Notification before auth")
4186 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4187 4 + 1 + 3 + 4,
4188 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4189 EAP_SIM_AT_NOTIFICATION, 1, 16385)
4190 idx += 1
4191 if ctx['num'] == idx:
4192 logger.info("Test: EAP-Failure")
4193 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4194
4195 idx += 1
4196 if ctx['num'] == idx:
4197 logger.info("Test: Notification with unrecognized non-failure")
4198 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4199 4 + 1 + 3 + 4,
4200 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4201 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
4202 idx += 1
4203 if ctx['num'] == idx:
4204 logger.info("Test: Notification before auth (duplicate)")
4205 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4206 4 + 1 + 3 + 4,
4207 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4208 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
4209 idx += 1
4210 if ctx['num'] == idx:
4211 logger.info("Test: EAP-Failure")
4212 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4213
4214 idx += 1
4215 if ctx['num'] == idx:
4216 logger.info("Test: Re-authentication (unexpected) with no attributes")
4217 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4218 4 + 1 + 3,
4219 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_REAUTHENTICATION,
4220 0)
4221 idx += 1
4222 if ctx['num'] == idx:
4223 logger.info("Test: EAP-Failure")
4224 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4225
4226 idx += 1
4227 if ctx['num'] == idx:
4228 logger.info("Test: Client Error")
4229 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4230 4 + 1 + 3,
4231 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CLIENT_ERROR, 0)
4232 idx += 1
4233 if ctx['num'] == idx:
4234 logger.info("Test: EAP-Failure")
4235 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4236
4237 idx += 1
4238 if ctx['num'] == idx:
4239 logger.info("Test: Unknown subtype")
4240 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4241 4 + 1 + 3,
4242 EAP_TYPE_SIM, 255, 0)
4243 idx += 1
4244 if ctx['num'] == idx:
4245 logger.info("Test: EAP-Failure")
4246 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4247
4248 return None
4249
4250 srv = start_radius_server(sim_handler)
4251
4252 try:
4253 hapd = start_ap(apdev[0]['ifname'])
4254
4255 for i in range(0, 25):
4256 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4257 eap="SIM", identity="1232010000000000",
4258 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4259 wait_connect=False)
4260 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4261 timeout=15)
4262 if ev is None:
4263 raise Exception("Timeout on EAP start")
4264 if i in [ 0 ]:
4265 time.sleep(0.1)
4266 else:
4267 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
4268 timeout=10)
4269 if ev is None:
4270 raise Exception("Timeout on EAP failure")
4271 dev[0].request("REMOVE_NETWORK all")
4272 dev[0].dump_monitor()
4273 finally:
4274 stop_radius_server(srv)
4275
4276 def test_eap_proto_sim_errors(dev, apdev):
4277 """EAP-SIM protocol tests (error paths)"""
4278 check_hlr_auc_gw_support()
4279 params = hostapd.wpa2_eap_params(ssid="eap-test")
4280 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4281
4282 with alloc_fail(dev[0], 1, "eap_sim_init"):
4283 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4284 eap="SIM", identity="1232010000000000",
4285 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4286 wait_connect=False)
4287 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4288 timeout=15)
4289 if ev is None:
4290 raise Exception("Timeout on EAP start")
4291 dev[0].request("REMOVE_NETWORK all")
4292 dev[0].wait_disconnected()
4293
4294 with fail_test(dev[0], 1, "os_get_random;eap_sim_init"):
4295 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4296 eap="SIM", identity="1232010000000000",
4297 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4298 wait_connect=False)
4299 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4300 timeout=15)
4301 if ev is None:
4302 raise Exception("Timeout on EAP start")
4303 dev[0].request("REMOVE_NETWORK all")
4304 dev[0].wait_disconnected()
4305
4306 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4307 eap="SIM", identity="1232010000000000",
4308 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4309
4310 with fail_test(dev[0], 1, "aes_128_cbc_encrypt;eap_sim_response_reauth"):
4311 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4312 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4313 if ev is None:
4314 raise Exception("EAP re-authentication did not start")
4315 wait_fail_trigger(dev[0], "GET_FAIL")
4316 dev[0].request("REMOVE_NETWORK all")
4317 dev[0].dump_monitor()
4318
4319 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4320 eap="SIM", identity="1232010000000000",
4321 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4322
4323 with fail_test(dev[0], 1, "os_get_random;eap_sim_msg_add_encr_start"):
4324 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4325 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4326 if ev is None:
4327 raise Exception("EAP re-authentication did not start")
4328 wait_fail_trigger(dev[0], "GET_FAIL")
4329 dev[0].request("REMOVE_NETWORK all")
4330 dev[0].dump_monitor()
4331
4332 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4333 eap="SIM", identity="1232010000000000",
4334 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4335
4336 with fail_test(dev[0], 1, "os_get_random;eap_sim_init_for_reauth"):
4337 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4338 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4339 if ev is None:
4340 raise Exception("EAP re-authentication did not start")
4341 wait_fail_trigger(dev[0], "GET_FAIL")
4342 dev[0].request("REMOVE_NETWORK all")
4343 dev[0].dump_monitor()
4344
4345 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4346 eap="SIM", identity="1232010000000000",
4347 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4348
4349 with alloc_fail(dev[0], 1, "eap_sim_parse_encr;eap_sim_process_reauthentication"):
4350 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4352 if ev is None:
4353 raise Exception("EAP re-authentication did not start")
4354 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4355 dev[0].request("REMOVE_NETWORK all")
4356 dev[0].dump_monitor()
4357
4358 tests = [ (1, "eap_sim_verify_mac;eap_sim_process_challenge"),
4359 (1, "eap_sim_parse_encr;eap_sim_process_challenge"),
4360 (1, "eap_sim_msg_init;eap_sim_response_start"),
4361 (1, "wpabuf_alloc;eap_sim_msg_init;eap_sim_response_start"),
4362 (1, "=eap_sim_learn_ids"),
4363 (2, "=eap_sim_learn_ids"),
4364 (2, "eap_sim_learn_ids"),
4365 (3, "eap_sim_learn_ids"),
4366 (1, "eap_sim_process_start"),
4367 (1, "eap_sim_getKey"),
4368 (1, "eap_sim_get_emsk"),
4369 (1, "eap_sim_get_session_id") ]
4370 for count, func in tests:
4371 with alloc_fail(dev[0], count, func):
4372 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4373 eap="SIM", identity="1232010000000000",
4374 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4375 erp="1", wait_connect=False)
4376 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4377 dev[0].request("REMOVE_NETWORK all")
4378 dev[0].dump_monitor()
4379
4380 tests = [ (1, "aes_128_cbc_decrypt;eap_sim_parse_encr") ]
4381 for count, func in tests:
4382 with fail_test(dev[0], count, func):
4383 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4384 eap="SIM", identity="1232010000000000",
4385 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4386 wait_connect=False)
4387 wait_fail_trigger(dev[0], "GET_FAIL")
4388 dev[0].request("REMOVE_NETWORK all")
4389 dev[0].dump_monitor()
4390
4391 def test_eap_proto_aka_errors(dev, apdev):
4392 """EAP-AKA protocol tests (error paths)"""
4393 check_hlr_auc_gw_support()
4394 params = hostapd.wpa2_eap_params(ssid="eap-test")
4395 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4396
4397 with alloc_fail(dev[0], 1, "eap_aka_init"):
4398 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4399 eap="AKA", identity="0232010000000000",
4400 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4401 wait_connect=False)
4402 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4403 timeout=15)
4404 if ev is None:
4405 raise Exception("Timeout on EAP start")
4406 dev[0].request("REMOVE_NETWORK all")
4407 dev[0].wait_disconnected()
4408
4409 tests = [ (1, "=eap_aka_learn_ids"),
4410 (2, "=eap_aka_learn_ids"),
4411 (1, "eap_sim_parse_encr;eap_aka_process_challenge"),
4412 (1, "eap_aka_getKey"),
4413 (1, "eap_aka_get_emsk"),
4414 (1, "eap_aka_get_session_id") ]
4415 for count, func in tests:
4416 with alloc_fail(dev[0], count, func):
4417 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4418 eap="AKA", identity="0232010000000000",
4419 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4420 erp="1", wait_connect=False)
4421 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4422 dev[0].request("REMOVE_NETWORK all")
4423 dev[0].dump_monitor()
4424
4425 def test_eap_proto_aka_prime_errors(dev, apdev):
4426 """EAP-AKA' protocol tests (error paths)"""
4427 check_hlr_auc_gw_support()
4428 params = hostapd.wpa2_eap_params(ssid="eap-test")
4429 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4430
4431 with alloc_fail(dev[0], 1, "eap_aka_init"):
4432 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4433 eap="AKA'", identity="6555444333222111",
4434 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4435 wait_connect=False)
4436 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4437 timeout=15)
4438 if ev is None:
4439 raise Exception("Timeout on EAP start")
4440 dev[0].request("REMOVE_NETWORK all")
4441 dev[0].wait_disconnected()
4442
4443 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4444 eap="AKA'", identity="6555444333222111",
4445 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4446
4447 with fail_test(dev[0], 1, "aes_128_cbc_encrypt;eap_aka_response_reauth"):
4448 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4449 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4450 if ev is None:
4451 raise Exception("EAP re-authentication did not start")
4452 wait_fail_trigger(dev[0], "GET_FAIL")
4453 dev[0].request("REMOVE_NETWORK all")
4454 dev[0].dump_monitor()
4455
4456 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4457 eap="AKA'", identity="6555444333222111",
4458 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4459
4460 with alloc_fail(dev[0], 1, "eap_sim_parse_encr;eap_aka_process_reauthentication"):
4461 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4462 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4463 if ev is None:
4464 raise Exception("EAP re-authentication did not start")
4465 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4466 dev[0].request("REMOVE_NETWORK all")
4467 dev[0].dump_monitor()
4468
4469 tests = [ (1, "eap_sim_verify_mac_sha256"),
4470 (1, "=eap_aka_process_challenge") ]
4471 for count, func in tests:
4472 with alloc_fail(dev[0], count, func):
4473 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4474 eap="AKA'", identity="6555444333222111",
4475 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4476 erp="1", wait_connect=False)
4477 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4478 dev[0].request("REMOVE_NETWORK all")
4479 dev[0].dump_monitor()
4480
4481 def test_eap_proto_ikev2(dev, apdev):
4482 """EAP-IKEv2 protocol tests"""
4483 check_eap_capa(dev[0], "IKEV2")
4484 def ikev2_handler(ctx, req):
4485 logger.info("ikev2_handler - RX " + req.encode("hex"))
4486 if 'num' not in ctx:
4487 ctx['num'] = 0
4488 ctx['num'] = ctx['num'] + 1
4489 if 'id' not in ctx:
4490 ctx['id'] = 1
4491 ctx['id'] = (ctx['id'] + 1) % 256
4492
4493 idx = 0
4494
4495 idx += 1
4496 if ctx['num'] == idx:
4497 logger.info("Test: Missing payload")
4498 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
4499 4 + 1,
4500 EAP_TYPE_IKEV2)
4501
4502 idx += 1
4503 if ctx['num'] == idx:
4504 logger.info("Test: Truncated Message Length field")
4505 return struct.pack(">BBHBB3B", EAP_CODE_REQUEST, ctx['id'],
4506 4 + 1 + 1 + 3,
4507 EAP_TYPE_IKEV2, 0x80, 0, 0, 0)
4508
4509 idx += 1
4510 if ctx['num'] == idx:
4511 logger.info("Test: Too short Message Length value")
4512 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
4513 4 + 1 + 1 + 4 + 1,
4514 EAP_TYPE_IKEV2, 0x80, 0, 1)
4515
4516 idx += 1
4517 if ctx['num'] == idx:
4518 logger.info("Test: Truncated message")
4519 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4520 4 + 1 + 1 + 4,
4521 EAP_TYPE_IKEV2, 0x80, 1)
4522
4523 idx += 1
4524 if ctx['num'] == idx:
4525 logger.info("Test: Truncated message(2)")
4526 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4527 4 + 1 + 1 + 4,
4528 EAP_TYPE_IKEV2, 0x80, 0xffffffff)
4529
4530 idx += 1
4531 if ctx['num'] == idx:
4532 logger.info("Test: Truncated message(3)")
4533 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4534 4 + 1 + 1 + 4,
4535 EAP_TYPE_IKEV2, 0xc0, 0xffffffff)
4536
4537 idx += 1
4538 if ctx['num'] == idx:
4539 logger.info("Test: Truncated message(4)")
4540 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4541 4 + 1 + 1 + 4,
4542 EAP_TYPE_IKEV2, 0xc0, 10000000)
4543
4544 idx += 1
4545 if ctx['num'] == idx:
4546 logger.info("Test: Too long fragments (first fragment)")
4547 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
4548 4 + 1 + 1 + 4 + 1,
4549 EAP_TYPE_IKEV2, 0xc0, 2, 1)
4550
4551 idx += 1
4552 if ctx['num'] == idx:
4553 logger.info("Test: Too long fragments (second fragment)")
4554 return struct.pack(">BBHBB2B", EAP_CODE_REQUEST, ctx['id'],
4555 4 + 1 + 1 + 2,
4556 EAP_TYPE_IKEV2, 0x00, 2, 3)
4557
4558 idx += 1
4559 if ctx['num'] == idx:
4560 logger.info("Test: No Message Length field in first fragment")
4561 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
4562 4 + 1 + 1 + 1,
4563 EAP_TYPE_IKEV2, 0x40, 1)
4564
4565 idx += 1
4566 if ctx['num'] == idx:
4567 logger.info("Test: ICV before keys")
4568 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
4569 4 + 1 + 1,
4570 EAP_TYPE_IKEV2, 0x20)
4571
4572 idx += 1
4573 if ctx['num'] == idx:
4574 logger.info("Test: Unsupported IKEv2 header version")
4575 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4576 4 + 1 + 1 + 28,
4577 EAP_TYPE_IKEV2, 0x00,
4578 0, 0, 0, 0,
4579 0, 0, 0, 0, 0, 0)
4580
4581 idx += 1
4582 if ctx['num'] == idx:
4583 logger.info("Test: Incorrect IKEv2 header Length")
4584 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4585 4 + 1 + 1 + 28,
4586 EAP_TYPE_IKEV2, 0x00,
4587 0, 0, 0, 0,
4588 0, 0x20, 0, 0, 0, 0)
4589
4590 idx += 1
4591 if ctx['num'] == idx:
4592 logger.info("Test: Unexpected IKEv2 Exchange Type in SA_INIT state")
4593 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4594 4 + 1 + 1 + 28,
4595 EAP_TYPE_IKEV2, 0x00,
4596 0, 0, 0, 0,
4597 0, 0x20, 0, 0, 0, 28)
4598
4599 idx += 1
4600 if ctx['num'] == idx:
4601 logger.info("Test: Unexpected IKEv2 Message ID in SA_INIT state")
4602 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4603 4 + 1 + 1 + 28,
4604 EAP_TYPE_IKEV2, 0x00,
4605 0, 0, 0, 0,
4606 0, 0x20, 34, 0, 1, 28)
4607
4608 idx += 1
4609 if ctx['num'] == idx:
4610 logger.info("Test: Unexpected IKEv2 Flags value")
4611 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4612 4 + 1 + 1 + 28,
4613 EAP_TYPE_IKEV2, 0x00,
4614 0, 0, 0, 0,
4615 0, 0x20, 34, 0, 0, 28)
4616
4617 idx += 1
4618 if ctx['num'] == idx:
4619 logger.info("Test: Unexpected IKEv2 Flags value(2)")
4620 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4621 4 + 1 + 1 + 28,
4622 EAP_TYPE_IKEV2, 0x00,
4623 0, 0, 0, 0,
4624 0, 0x20, 34, 0x20, 0, 28)
4625
4626 idx += 1
4627 if ctx['num'] == idx:
4628 logger.info("Test: No SAi1 in SA_INIT")
4629 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4630 4 + 1 + 1 + 28,
4631 EAP_TYPE_IKEV2, 0x00,
4632 0, 0, 0, 0,
4633 0, 0x20, 34, 0x08, 0, 28)
4634
4635 def build_ike(id, next=0, exch_type=34, flags=0x00, ike=''):
4636 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, id,
4637 4 + 1 + 1 + 28 + len(ike),
4638 EAP_TYPE_IKEV2, flags,
4639 0, 0, 0, 0,
4640 next, 0x20, exch_type, 0x08, 0,
4641 28 + len(ike)) + ike
4642
4643 idx += 1
4644 if ctx['num'] == idx:
4645 logger.info("Test: Unexpected extra data after payloads")
4646 return build_ike(ctx['id'], ike=struct.pack(">B", 1))
4647
4648 idx += 1
4649 if ctx['num'] == idx:
4650 logger.info("Test: Truncated payload header")
4651 return build_ike(ctx['id'], next=128, ike=struct.pack(">B", 1))
4652
4653 idx += 1
4654 if ctx['num'] == idx:
4655 logger.info("Test: Too small payload header length")
4656 ike = struct.pack(">BBH", 0, 0, 3)
4657 return build_ike(ctx['id'], next=128, ike=ike)
4658
4659 idx += 1
4660 if ctx['num'] == idx:
4661 logger.info("Test: Too large payload header length")
4662 ike = struct.pack(">BBH", 0, 0, 5)
4663 return build_ike(ctx['id'], next=128, ike=ike)
4664
4665 idx += 1
4666 if ctx['num'] == idx:
4667 logger.info("Test: Unsupported payload (non-critical and critical)")
4668 ike = struct.pack(">BBHBBH", 129, 0, 4, 0, 0x01, 4)
4669 return build_ike(ctx['id'], next=128, ike=ike)
4670
4671 idx += 1
4672 if ctx['num'] == idx:
4673 logger.info("Test: Certificate and empty SAi1")
4674 ike = struct.pack(">BBHBBH", 33, 0, 4, 0, 0, 4)
4675 return build_ike(ctx['id'], next=37, ike=ike)
4676
4677 idx += 1
4678 if ctx['num'] == idx:
4679 logger.info("Test: Too short proposal")
4680 ike = struct.pack(">BBHBBHBBB", 0, 0, 4 + 7,
4681 0, 0, 7, 0, 0, 0)
4682 return build_ike(ctx['id'], next=33, ike=ike)
4683
4684 idx += 1
4685 if ctx['num'] == idx:
4686 logger.info("Test: Too small proposal length in SAi1")
4687 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4688 0, 0, 7, 0, 0, 0, 0)
4689 return build_ike(ctx['id'], next=33, ike=ike)
4690
4691 idx += 1
4692 if ctx['num'] == idx:
4693 logger.info("Test: Too large proposal length in SAi1")
4694 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4695 0, 0, 9, 0, 0, 0, 0)
4696 return build_ike(ctx['id'], next=33, ike=ike)
4697
4698 idx += 1
4699 if ctx['num'] == idx:
4700 logger.info("Test: Unexpected proposal type in SAi1")
4701 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4702 1, 0, 8, 0, 0, 0, 0)
4703 return build_ike(ctx['id'], next=33, ike=ike)
4704
4705 idx += 1
4706 if ctx['num'] == idx:
4707 logger.info("Test: Unexpected Protocol ID in SAi1")
4708 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4709 0, 0, 8, 0, 0, 0, 0)
4710 return build_ike(ctx['id'], next=33, ike=ike)
4711
4712 idx += 1
4713 if ctx['num'] == idx:
4714 logger.info("Test: Unexpected proposal number in SAi1")
4715 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4716 0, 0, 8, 0, 1, 0, 0)
4717 return build_ike(ctx['id'], next=33, ike=ike)
4718
4719 idx += 1
4720 if ctx['num'] == idx:
4721 logger.info("Test: Not enough room for SPI in SAi1")
4722 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4723 0, 0, 8, 1, 1, 1, 0)
4724 return build_ike(ctx['id'], next=33, ike=ike)
4725
4726 idx += 1
4727 if ctx['num'] == idx:
4728 logger.info("Test: Unexpected SPI in SAi1")
4729 ike = struct.pack(">BBHBBHBBBBB", 0, 0, 4 + 9,
4730 0, 0, 9, 1, 1, 1, 0, 1)
4731 return build_ike(ctx['id'], next=33, ike=ike)
4732
4733 idx += 1
4734 if ctx['num'] == idx:
4735 logger.info("Test: No transforms in SAi1")
4736 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4737 0, 0, 8, 1, 1, 0, 0)
4738 return build_ike(ctx['id'], next=33, ike=ike)
4739
4740 idx += 1
4741 if ctx['num'] == idx:
4742 logger.info("Test: Too short transform in SAi1")
4743 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4744 0, 0, 8, 1, 1, 0, 1)
4745 return build_ike(ctx['id'], next=33, ike=ike)
4746
4747 idx += 1
4748 if ctx['num'] == idx:
4749 logger.info("Test: Too small transform length in SAi1")
4750 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4751 0, 0, 8 + 8, 1, 1, 0, 1,
4752 0, 0, 7, 0, 0, 0)
4753 return build_ike(ctx['id'], next=33, ike=ike)
4754
4755 idx += 1
4756 if ctx['num'] == idx:
4757 logger.info("Test: Too large transform length in SAi1")
4758 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4759 0, 0, 8 + 8, 1, 1, 0, 1,
4760 0, 0, 9, 0, 0, 0)
4761 return build_ike(ctx['id'], next=33, ike=ike)
4762
4763 idx += 1
4764 if ctx['num'] == idx:
4765 logger.info("Test: Unexpected Transform type in SAi1")
4766 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4767 0, 0, 8 + 8, 1, 1, 0, 1,
4768 1, 0, 8, 0, 0, 0)
4769 return build_ike(ctx['id'], next=33, ike=ike)
4770
4771 idx += 1
4772 if ctx['num'] == idx:
4773 logger.info("Test: No transform attributes in SAi1")
4774 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4775 0, 0, 8 + 8, 1, 1, 0, 1,
4776 0, 0, 8, 0, 0, 0)
4777 return build_ike(ctx['id'], next=33, ike=ike)
4778
4779 idx += 1
4780 if ctx['num'] == idx:
4781 logger.info("Test: No transform attr for AES and unexpected data after transforms in SAi1")
4782 tlen1 = 8 + 3
4783 tlen2 = 8 + 4
4784 tlen3 = 8 + 4
4785 tlen = tlen1 + tlen2 + tlen3
4786 ike = struct.pack(">BBHBBHBBBBBBHBBH3BBBHBBHHHBBHBBHHHB",
4787 0, 0, 4 + 8 + tlen + 1,
4788 0, 0, 8 + tlen + 1, 1, 1, 0, 3,
4789 3, 0, tlen1, 1, 0, 12, 1, 2, 3,
4790 3, 0, tlen2, 1, 0, 12, 0, 128,
4791 0, 0, tlen3, 1, 0, 12, 0x8000 | 14, 127,
4792 1)
4793 return build_ike(ctx['id'], next=33, ike=ike)
4794
4795 def build_sa(next=0):
4796 tlen = 5 * 8
4797 return struct.pack(">BBHBBHBBBBBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH",
4798 next, 0, 4 + 8 + tlen,
4799 0, 0, 8 + tlen, 1, 1, 0, 5,
4800 3, 0, 8, 1, 0, 3,
4801 3, 0, 8, 2, 0, 1,
4802 3, 0, 8, 3, 0, 1,
4803 3, 0, 8, 4, 0, 5,
4804 0, 0, 8, 241, 0, 0)
4805
4806 idx += 1
4807 if ctx['num'] == idx:
4808 logger.info("Test: Valid proposal, but no KEi in SAi1")
4809 ike = build_sa()
4810 return build_ike(ctx['id'], next=33, ike=ike)
4811
4812 idx += 1
4813 if ctx['num'] == idx:
4814 logger.info("Test: Empty KEi in SAi1")
4815 ike = build_sa(next=34) + struct.pack(">BBH", 0, 0, 4)
4816 return build_ike(ctx['id'], next=33, ike=ike)
4817
4818 idx += 1
4819 if ctx['num'] == idx:
4820 logger.info("Test: Mismatch in DH Group in SAi1")
4821 ike = build_sa(next=34)
4822 ike += struct.pack(">BBHHH", 0, 0, 4 + 4 + 96, 12345, 0)
4823 ike += 96*'\x00'
4824 return build_ike(ctx['id'], next=33, ike=ike)
4825 idx += 1
4826 if ctx['num'] == idx:
4827 logger.info("Test: EAP-Failure")
4828 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4829
4830 idx += 1
4831 if ctx['num'] == idx:
4832 logger.info("Test: Invalid DH public value length in SAi1")
4833 ike = build_sa(next=34)
4834 ike += struct.pack(">BBHHH", 0, 0, 4 + 4 + 96, 5, 0)
4835 ike += 96*'\x00'
4836 return build_ike(ctx['id'], next=33, ike=ike)
4837
4838 def build_ke(next=0):
4839 ke = struct.pack(">BBHHH", next, 0, 4 + 4 + 192, 5, 0)
4840 ke += 192*'\x00'
4841 return ke
4842
4843 idx += 1
4844 if ctx['num'] == idx:
4845 logger.info("Test: Valid proposal and KEi, but no Ni in SAi1")
4846 ike = build_sa(next=34)
4847 ike += build_ke()
4848 return build_ike(ctx['id'], next=33, ike=ike)
4849
4850 idx += 1
4851 if ctx['num'] == idx:
4852 logger.info("Test: Too short Ni in SAi1")
4853 ike = build_sa(next=34)
4854 ike += build_ke(next=40)
4855 ike += struct.pack(">BBH", 0, 0, 4)
4856 return build_ike(ctx['id'], next=33, ike=ike)
4857
4858 idx += 1
4859 if ctx['num'] == idx:
4860 logger.info("Test: Too long Ni in SAi1")
4861 ike = build_sa(next=34)
4862 ike += build_ke(next=40)
4863 ike += struct.pack(">BBH", 0, 0, 4 + 257) + 257*'\x00'
4864 return build_ike(ctx['id'], next=33, ike=ike)
4865
4866 def build_ni(next=0):
4867 return struct.pack(">BBH", next, 0, 4 + 256) + 256*'\x00'
4868
4869 def build_sai1(id):
4870 ike = build_sa(next=34)
4871 ike += build_ke(next=40)
4872 ike += build_ni()
4873 return build_ike(ctx['id'], next=33, ike=ike)
4874
4875 idx += 1
4876 if ctx['num'] == idx:
4877 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4878 return build_sai1(ctx['id'])
4879 idx += 1
4880 if ctx['num'] == idx:
4881 logger.info("Test: EAP-Failure")
4882 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4883
4884 idx += 1
4885 if ctx['num'] == idx:
4886 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4887 return build_sai1(ctx['id'])
4888 idx += 1
4889 if ctx['num'] == idx:
4890 logger.info("Test: No integrity checksum")
4891 ike = ''
4892 return build_ike(ctx['id'], next=37, ike=ike)
4893
4894 idx += 1
4895 if ctx['num'] == idx:
4896 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4897 return build_sai1(ctx['id'])
4898 idx += 1
4899 if ctx['num'] == idx:
4900 logger.info("Test: Truncated integrity checksum")
4901 return struct.pack(">BBHBB",
4902 EAP_CODE_REQUEST, ctx['id'],
4903 4 + 1 + 1,
4904 EAP_TYPE_IKEV2, 0x20)
4905
4906 idx += 1
4907 if ctx['num'] == idx:
4908 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4909 return build_sai1(ctx['id'])
4910 idx += 1
4911 if ctx['num'] == idx:
4912 logger.info("Test: Invalid integrity checksum")
4913 ike = ''
4914 return build_ike(ctx['id'], next=37, flags=0x20, ike=ike)
4915
4916 return None
4917
4918 srv = start_radius_server(ikev2_handler)
4919
4920 try:
4921 hapd = start_ap(apdev[0]['ifname'])
4922
4923 for i in range(49):
4924 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4925 eap="IKEV2", identity="user",
4926 password="password",
4927 wait_connect=False)
4928 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4929 timeout=15)
4930 if ev is None:
4931 raise Exception("Timeout on EAP start")
4932 if i in [ 40, 45 ]:
4933 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
4934 timeout=10)
4935 if ev is None:
4936 raise Exception("Timeout on EAP failure")
4937 else:
4938 time.sleep(0.05)
4939 dev[0].request("REMOVE_NETWORK all")
4940 finally:
4941 stop_radius_server(srv)
4942
4943 def NtPasswordHash(password):
4944 pw = password.encode('utf_16_le')
4945 return hashlib.new('md4', pw).digest()
4946
4947 def HashNtPasswordHash(password_hash):
4948 return hashlib.new('md4', password_hash).digest()
4949
4950 def ChallengeHash(peer_challenge, auth_challenge, username):
4951 data = peer_challenge + auth_challenge + username
4952 return hashlib.sha1(data).digest()[0:8]
4953
4954 def GenerateAuthenticatorResponse(password, nt_response, peer_challenge,
4955 auth_challenge, username):
4956 magic1 = binascii.unhexlify("4D616769632073657276657220746F20636C69656E74207369676E696E6720636F6E7374616E74")
4957 magic2 = binascii.unhexlify("50616420746F206D616B6520697420646F206D6F7265207468616E206F6E6520697465726174696F6E")
4958
4959 password_hash = NtPasswordHash(password)
4960 password_hash_hash = HashNtPasswordHash(password_hash)
4961 data = password_hash_hash + nt_response + magic1
4962 digest = hashlib.sha1(data).digest()
4963
4964 challenge = ChallengeHash(peer_challenge, auth_challenge, username)
4965
4966 data = digest + challenge + magic2
4967 resp = hashlib.sha1(data).digest()
4968 return resp
4969
4970 def test_eap_proto_ikev2_errors(dev, apdev):
4971 """EAP-IKEv2 local error cases"""
4972 check_eap_capa(dev[0], "IKEV2")
4973 params = hostapd.wpa2_eap_params(ssid="eap-test")
4974 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4975
4976 for i in range(1, 5):
4977 with alloc_fail(dev[0], i, "eap_ikev2_init"):
4978 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4979 eap="IKEV2", identity="ikev2 user",
4980 password="ike password",
4981 wait_connect=False)
4982 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4983 timeout=15)
4984 if ev is None:
4985 raise Exception("Timeout on EAP start")
4986 dev[0].request("REMOVE_NETWORK all")
4987 dev[0].wait_disconnected()
4988
4989 tests = [ (1, "ikev2_encr_encrypt"),
4990 (1, "ikev2_encr_decrypt"),
4991 (1, "ikev2_derive_auth_data"),
4992 (2, "ikev2_derive_auth_data"),
4993 (1, "=ikev2_decrypt_payload"),
4994 (1, "ikev2_encr_decrypt;ikev2_decrypt_payload"),
4995 (1, "ikev2_encr_encrypt;ikev2_build_encrypted"),
4996 (1, "ikev2_derive_sk_keys"),
4997 (2, "ikev2_derive_sk_keys"),
4998 (3, "ikev2_derive_sk_keys"),
4999 (4, "ikev2_derive_sk_keys"),
5000 (5, "ikev2_derive_sk_keys"),
5001 (6, "ikev2_derive_sk_keys"),
5002 (7, "ikev2_derive_sk_keys"),
5003 (8, "ikev2_derive_sk_keys"),
5004 (1, "eap_ikev2_derive_keymat;eap_ikev2_peer_keymat"),
5005 (1, "eap_msg_alloc;eap_ikev2_build_msg"),
5006 (1, "eap_ikev2_getKey"),
5007 (1, "eap_ikev2_get_emsk"),
5008 (1, "eap_ikev2_get_session_id"),
5009 (1, "=ikev2_derive_keys"),
5010 (2, "=ikev2_derive_keys"),
5011 (1, "wpabuf_alloc;ikev2_process_kei"),
5012 (1, "=ikev2_process_idi"),
5013 (1, "ikev2_derive_auth_data;ikev2_build_auth"),
5014 (1, "wpabuf_alloc;ikev2_build_sa_init"),
5015 (2, "wpabuf_alloc;ikev2_build_sa_init"),
5016 (3, "wpabuf_alloc;ikev2_build_sa_init"),
5017 (4, "wpabuf_alloc;ikev2_build_sa_init"),
5018 (5, "wpabuf_alloc;ikev2_build_sa_init"),
5019 (6, "wpabuf_alloc;ikev2_build_sa_init"),
5020 (1, "wpabuf_alloc;ikev2_build_sa_auth"),
5021 (2, "wpabuf_alloc;ikev2_build_sa_auth"),
5022 (1, "ikev2_build_auth;ikev2_build_sa_auth") ]
5023 for count, func in tests:
5024 with alloc_fail(dev[0], count, func):
5025 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5026 eap="IKEV2", identity="ikev2 user",
5027 password="ike password", erp="1", wait_connect=False)
5028 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5029 timeout=15)
5030 if ev is None:
5031 raise Exception("Timeout on EAP start")
5032 ok = False
5033 for j in range(10):
5034 state = dev[0].request('GET_ALLOC_FAIL')
5035 if state.startswith('0:'):
5036 ok = True
5037 break
5038 time.sleep(0.1)
5039 if not ok:
5040 raise Exception("No allocation failure seen for %d:%s" % (count, func))
5041 dev[0].request("REMOVE_NETWORK all")
5042 dev[0].wait_disconnected()
5043
5044 tests = [ (1, "wpabuf_alloc;ikev2_build_notify"),
5045 (2, "wpabuf_alloc;ikev2_build_notify"),
5046 (1, "ikev2_build_encrypted;ikev2_build_notify") ]
5047 for count, func in tests:
5048 with alloc_fail(dev[0], count, func):
5049 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5050 eap="IKEV2", identity="ikev2 user",
5051 password="wrong password", erp="1",
5052 wait_connect=False)
5053 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5054 timeout=15)
5055 if ev is None:
5056 raise Exception("Timeout on EAP start")
5057 ok = False
5058 for j in range(10):
5059 state = dev[0].request('GET_ALLOC_FAIL')
5060 if state.startswith('0:'):
5061 ok = True
5062 break
5063 time.sleep(0.1)
5064 if not ok:
5065 raise Exception("No allocation failure seen for %d:%s" % (count, func))
5066 dev[0].request("REMOVE_NETWORK all")
5067 dev[0].wait_disconnected()
5068
5069 tests = [ (1, "ikev2_integ_hash"),
5070 (1, "ikev2_integ_hash;ikev2_decrypt_payload"),
5071 (1, "os_get_random;ikev2_build_encrypted"),
5072 (1, "ikev2_prf_plus;ikev2_derive_sk_keys"),
5073 (1, "eap_ikev2_derive_keymat;eap_ikev2_peer_keymat"),
5074 (1, "os_get_random;ikev2_build_sa_init"),
5075 (2, "os_get_random;ikev2_build_sa_init"),
5076 (1, "ikev2_integ_hash;eap_ikev2_validate_icv"),
5077 (1, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_keys"),
5078 (1, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data"),
5079 (2, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data"),
5080 (3, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data") ]
5081 for count, func in tests:
5082 with fail_test(dev[0], count, func):
5083 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5084 eap="IKEV2", identity="ikev2 user",
5085 password="ike password", wait_connect=False)
5086 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5087 timeout=15)
5088 if ev is None:
5089 raise Exception("Timeout on EAP start")
5090 ok = False
5091 for j in range(10):
5092 state = dev[0].request('GET_FAIL')
5093 if state.startswith('0:'):
5094 ok = True
5095 break
5096 time.sleep(0.1)
5097 if not ok:
5098 raise Exception("No failure seen for %d:%s" % (count, func))
5099 dev[0].request("REMOVE_NETWORK all")
5100 dev[0].wait_disconnected()
5101
5102 params = { "ssid": "eap-test2", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
5103 "rsn_pairwise": "CCMP", "ieee8021x": "1",
5104 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
5105 "fragment_size": "50" }
5106 hostapd.add_ap(apdev[1]['ifname'], params)
5107
5108 tests = [ (1, "eap_ikev2_build_frag_ack"),
5109 (1, "wpabuf_alloc;eap_ikev2_process_fragment") ]
5110 for count, func in tests:
5111 with alloc_fail(dev[0], count, func):
5112 dev[0].connect("eap-test2", key_mgmt="WPA-EAP", scan_freq="2412",
5113 eap="IKEV2", identity="ikev2 user",
5114 password="ike password", erp="1", wait_connect=False)
5115 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5116 timeout=15)
5117 if ev is None:
5118 raise Exception("Timeout on EAP start")
5119 ok = False
5120 for j in range(10):
5121 state = dev[0].request('GET_ALLOC_FAIL')
5122 if state.startswith('0:'):
5123 ok = True
5124 break
5125 time.sleep(0.1)
5126 if not ok:
5127 raise Exception("No allocation failure seen for %d:%s" % (count, func))
5128 dev[0].request("REMOVE_NETWORK all")
5129 dev[0].wait_disconnected()
5130
5131 def test_eap_proto_mschapv2(dev, apdev):
5132 """EAP-MSCHAPv2 protocol tests"""
5133 check_eap_capa(dev[0], "MSCHAPV2")
5134
5135 def mschapv2_handler(ctx, req):
5136 logger.info("mschapv2_handler - RX " + req.encode("hex"))
5137 if 'num' not in ctx:
5138 ctx['num'] = 0
5139 ctx['num'] = ctx['num'] + 1
5140 if 'id' not in ctx:
5141 ctx['id'] = 1
5142 ctx['id'] = (ctx['id'] + 1) % 256
5143 idx = 0
5144
5145 idx += 1
5146 if ctx['num'] == idx:
5147 logger.info("Test: Missing payload")
5148 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5149 4 + 1,
5150 EAP_TYPE_MSCHAPV2)
5151
5152 idx += 1
5153 if ctx['num'] == idx:
5154 logger.info("Test: Unknown MSCHAPv2 op_code")
5155 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5156 4 + 1 + 4 + 1,
5157 EAP_TYPE_MSCHAPV2,
5158 0, 0, 5, 0)
5159
5160 idx += 1
5161 if ctx['num'] == idx:
5162 logger.info("Test: Invalid ms_len and unknown MSCHAPv2 op_code")
5163 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5164 4 + 1 + 4 + 1,
5165 EAP_TYPE_MSCHAPV2,
5166 255, 0, 0, 0)
5167
5168 idx += 1
5169 if ctx['num'] == idx:
5170 logger.info("Test: Success before challenge")
5171 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5172 4 + 1 + 4 + 1,
5173 EAP_TYPE_MSCHAPV2,
5174 3, 0, 5, 0)
5175
5176 idx += 1
5177 if ctx['num'] == idx:
5178 logger.info("Test: Failure before challenge - required challenge field not present")
5179 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5180 4 + 1 + 4 + 1,
5181 EAP_TYPE_MSCHAPV2,
5182 4, 0, 5, 0)
5183 idx += 1
5184 if ctx['num'] == idx:
5185 logger.info("Test: Failure")
5186 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5187
5188 idx += 1
5189 if ctx['num'] == idx:
5190 logger.info("Test: Failure before challenge - invalid failure challenge len")
5191 payload = 'C=12'
5192 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5193 4 + 1 + 4 + len(payload),
5194 EAP_TYPE_MSCHAPV2,
5195 4, 0, 4 + len(payload)) + payload
5196 idx += 1
5197 if ctx['num'] == idx:
5198 logger.info("Test: Failure")
5199 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5200
5201 idx += 1
5202 if ctx['num'] == idx:
5203 logger.info("Test: Failure before challenge - invalid failure challenge len")
5204 payload = 'C=12 V=3'
5205 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5206 4 + 1 + 4 + len(payload),
5207 EAP_TYPE_MSCHAPV2,
5208 4, 0, 4 + len(payload)) + payload
5209 idx += 1
5210 if ctx['num'] == idx:
5211 logger.info("Test: Failure")
5212 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5213
5214 idx += 1
5215 if ctx['num'] == idx:
5216 logger.info("Test: Failure before challenge - invalid failure challenge")
5217 payload = 'C=00112233445566778899aabbccddeefQ '
5218 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5219 4 + 1 + 4 + len(payload),
5220 EAP_TYPE_MSCHAPV2,
5221 4, 0, 4 + len(payload)) + payload
5222 idx += 1
5223 if ctx['num'] == idx:
5224 logger.info("Test: Failure")
5225 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5226
5227 idx += 1
5228 if ctx['num'] == idx:
5229 logger.info("Test: Failure before challenge - password expired")
5230 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5231 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5232 4 + 1 + 4 + len(payload),
5233 EAP_TYPE_MSCHAPV2,
5234 4, 0, 4 + len(payload)) + payload
5235 idx += 1
5236 if ctx['num'] == idx:
5237 logger.info("Test: Success after password change")
5238 payload = "S=1122334455667788990011223344556677889900"
5239 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5240 4 + 1 + 4 + len(payload),
5241 EAP_TYPE_MSCHAPV2,
5242 3, 0, 4 + len(payload)) + payload
5243
5244 idx += 1
5245 if ctx['num'] == idx:
5246 logger.info("Test: Invalid challenge length")
5247 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5248 4 + 1 + 4 + 1,
5249 EAP_TYPE_MSCHAPV2,
5250 1, 0, 4 + 1, 0)
5251
5252 idx += 1
5253 if ctx['num'] == idx:
5254 logger.info("Test: Too short challenge packet")
5255 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5256 4 + 1 + 4 + 1,
5257 EAP_TYPE_MSCHAPV2,
5258 1, 0, 4 + 1, 16)
5259
5260 idx += 1
5261 if ctx['num'] == idx:
5262 logger.info("Test: Challenge")
5263 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5264 4 + 1 + 4 + 1 + 16 + 6,
5265 EAP_TYPE_MSCHAPV2,
5266 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5267 idx += 1
5268 if ctx['num'] == idx:
5269 logger.info("Test: Failure - password expired")
5270 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5271 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5272 4 + 1 + 4 + len(payload),
5273 EAP_TYPE_MSCHAPV2,
5274 4, 0, 4 + len(payload)) + payload
5275 idx += 1
5276 if ctx['num'] == idx:
5277 logger.info("Test: Success after password change")
5278 if len(req) != 591:
5279 logger.info("Unexpected Change-Password packet length: %s" % len(req))
5280 return None
5281 data = req[9:]
5282 enc_pw = data[0:516]
5283 data = data[516:]
5284 enc_hash = data[0:16]
5285 data = data[16:]
5286 peer_challenge = data[0:16]
5287 data = data[16:]
5288 # Reserved
5289 data = data[8:]
5290 nt_response = data[0:24]
5291 data = data[24:]
5292 flags = data
5293 logger.info("enc_hash: " + enc_hash.encode("hex"))
5294 logger.info("peer_challenge: " + peer_challenge.encode("hex"))
5295 logger.info("nt_response: " + nt_response.encode("hex"))
5296 logger.info("flags: " + flags.encode("hex"))
5297
5298 auth_challenge = binascii.unhexlify("00112233445566778899aabbccddeeff")
5299 logger.info("auth_challenge: " + auth_challenge.encode("hex"))
5300
5301 auth_resp = GenerateAuthenticatorResponse("new-pw", nt_response,
5302 peer_challenge,
5303 auth_challenge, "user")
5304 payload = "S=" + auth_resp.encode('hex').upper()
5305 logger.info("Success message payload: " + payload)
5306 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5307 4 + 1 + 4 + len(payload),
5308 EAP_TYPE_MSCHAPV2,
5309 3, 0, 4 + len(payload)) + payload
5310 idx += 1
5311 if ctx['num'] == idx:
5312 logger.info("Test: EAP-Success")
5313 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
5314
5315 idx += 1
5316 if ctx['num'] == idx:
5317 logger.info("Test: Failure - password expired")
5318 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5319 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5320 4 + 1 + 4 + len(payload),
5321 EAP_TYPE_MSCHAPV2,
5322 4, 0, 4 + len(payload)) + payload
5323 idx += 1
5324 if ctx['num'] == idx:
5325 logger.info("Test: Success after password change")
5326 if len(req) != 591:
5327 logger.info("Unexpected Change-Password packet length: %s" % len(req))
5328 return None
5329 data = req[9:]
5330 enc_pw = data[0:516]
5331 data = data[516:]
5332 enc_hash = data[0:16]
5333 data = data[16:]
5334 peer_challenge = data[0:16]
5335 data = data[16:]
5336 # Reserved
5337 data = data[8:]
5338 nt_response = data[0:24]
5339 data = data[24:]
5340 flags = data
5341 logger.info("enc_hash: " + enc_hash.encode("hex"))
5342 logger.info("peer_challenge: " + peer_challenge.encode("hex"))
5343 logger.info("nt_response: " + nt_response.encode("hex"))
5344 logger.info("flags: " + flags.encode("hex"))
5345
5346 auth_challenge = binascii.unhexlify("00112233445566778899aabbccddeeff")
5347 logger.info("auth_challenge: " + auth_challenge.encode("hex"))
5348
5349 auth_resp = GenerateAuthenticatorResponse("new-pw", nt_response,
5350 peer_challenge,
5351 auth_challenge, "user")
5352 payload = "S=" + auth_resp.encode('hex').upper()
5353 logger.info("Success message payload: " + payload)
5354 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5355 4 + 1 + 4 + len(payload),
5356 EAP_TYPE_MSCHAPV2,
5357 3, 0, 4 + len(payload)) + payload
5358 idx += 1
5359 if ctx['num'] == idx:
5360 logger.info("Test: EAP-Success")
5361 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
5362
5363 idx += 1
5364 if ctx['num'] == idx:
5365 logger.info("Test: Challenge")
5366 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5367 4 + 1 + 4 + 1 + 16 + 6,
5368 EAP_TYPE_MSCHAPV2,
5369 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5370 idx += 1
5371 if ctx['num'] == idx:
5372 logger.info("Test: Failure - authentication failure")
5373 payload = 'E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed'
5374 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5375 4 + 1 + 4 + len(payload),
5376 EAP_TYPE_MSCHAPV2,
5377 4, 0, 4 + len(payload)) + payload
5378
5379 idx += 1
5380 if ctx['num'] == idx:
5381 logger.info("Test: Challenge")
5382 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5383 4 + 1 + 4 + 1 + 16 + 6,
5384 EAP_TYPE_MSCHAPV2,
5385 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5386 idx += 1
5387 if ctx['num'] == idx:
5388 logger.info("Test: Failure - authentication failure")
5389 payload = 'E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed (2)'
5390 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5391 4 + 1 + 4 + len(payload),
5392 EAP_TYPE_MSCHAPV2,
5393 4, 0, 4 + len(payload)) + payload
5394 idx += 1
5395 if ctx['num'] == idx:
5396 logger.info("Test: Failure")
5397 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5398
5399 return None
5400
5401 srv = start_radius_server(mschapv2_handler)
5402
5403 try:
5404 hapd = start_ap(apdev[0]['ifname'])
5405
5406 for i in range(0, 15):
5407 logger.info("RUN: %d" % i)
5408 if i == 12:
5409 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5410 eap="MSCHAPV2", identity="user",
5411 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5412 wait_connect=False)
5413 elif i == 14:
5414 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5415 eap="MSCHAPV2", identity="user",
5416 phase2="mschapv2_retry=0",
5417 password="password", wait_connect=False)
5418 else:
5419 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5420 eap="MSCHAPV2", identity="user",
5421 password="password", wait_connect=False)
5422 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
5423 if ev is None:
5424 raise Exception("Timeout on EAP start")
5425
5426 if i in [ 8, 11, 12 ]:
5427 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"],
5428 timeout=10)
5429 if ev is None:
5430 raise Exception("Timeout on new password request")
5431 id = ev.split(':')[0].split('-')[-1]
5432 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5433 if i in [ 11, 12 ]:
5434 ev = dev[0].wait_event(["CTRL-EVENT-PASSWORD-CHANGED"],
5435 timeout=10)
5436 if ev is None:
5437 raise Exception("Timeout on password change")
5438 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"],
5439 timeout=10)
5440 if ev is None:
5441 raise Exception("Timeout on EAP success")
5442 else:
5443 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5444 timeout=10)
5445 if ev is None:
5446 raise Exception("Timeout on EAP failure")
5447
5448 if i in [ 13 ]:
5449 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"],
5450 timeout=10)
5451 if ev is None:
5452 raise Exception("Timeout on identity request")
5453 id = ev.split(':')[0].split('-')[-1]
5454 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":user")
5455
5456 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD"],
5457 timeout=10)
5458 if ev is None:
5459 raise Exception("Timeout on password request")
5460 id = ev.split(':')[0].split('-')[-1]
5461 dev[0].request("CTRL-RSP-PASSWORD-" + id + ":password")
5462
5463 # TODO: Does this work correctly?
5464
5465 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5466 timeout=10)
5467 if ev is None:
5468 raise Exception("Timeout on EAP failure")
5469
5470 if i in [ 4, 5, 6, 7, 14 ]:
5471 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5472 timeout=10)
5473 if ev is None:
5474 raise Exception("Timeout on EAP failure")
5475 else:
5476 time.sleep(0.05)
5477 dev[0].request("REMOVE_NETWORK all")
5478 dev[0].wait_disconnected(timeout=1)
5479 finally:
5480 stop_radius_server(srv)
5481
5482 def test_eap_proto_mschapv2_errors(dev, apdev):
5483 """EAP-MSCHAPv2 protocol tests (error paths)"""
5484 check_eap_capa(dev[0], "MSCHAPV2")
5485
5486 def mschapv2_handler(ctx, req):
5487 logger.info("mschapv2_handler - RX " + req.encode("hex"))
5488 if 'num' not in ctx:
5489 ctx['num'] = 0
5490 ctx['num'] = ctx['num'] + 1
5491 if 'id' not in ctx:
5492 ctx['id'] = 1
5493 ctx['id'] = (ctx['id'] + 1) % 256
5494 idx = 0
5495
5496 idx += 1
5497 if ctx['num'] == idx:
5498 logger.info("Test: Failure before challenge - password expired")
5499 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5500 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5501 4 + 1 + 4 + len(payload),
5502 EAP_TYPE_MSCHAPV2,
5503 4, 0, 4 + len(payload)) + payload
5504 idx += 1
5505 if ctx['num'] == idx:
5506 logger.info("Test: Success after password change")
5507 payload = "S=1122334455667788990011223344556677889900"
5508 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5509 4 + 1 + 4 + len(payload),
5510 EAP_TYPE_MSCHAPV2,
5511 3, 0, 4 + len(payload)) + payload
5512
5513 idx += 1
5514 if ctx['num'] == idx:
5515 logger.info("Test: Failure before challenge - password expired")
5516 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5517 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5518 4 + 1 + 4 + len(payload),
5519 EAP_TYPE_MSCHAPV2,
5520 4, 0, 4 + len(payload)) + payload
5521 idx += 1
5522 if ctx['num'] == idx:
5523 logger.info("Test: Success after password change")
5524 payload = "S=1122334455667788990011223344556677889900"
5525 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5526 4 + 1 + 4 + len(payload),
5527 EAP_TYPE_MSCHAPV2,
5528 3, 0, 4 + len(payload)) + payload
5529
5530 return None
5531
5532 srv = start_radius_server(mschapv2_handler)
5533
5534 try:
5535 hapd = start_ap(apdev[0]['ifname'])
5536
5537 with fail_test(dev[0], 1, "eap_mschapv2_change_password"):
5538 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5539 eap="MSCHAPV2", identity="user",
5540 password="password", wait_connect=False)
5541 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"], timeout=10)
5542 if ev is None:
5543 raise Exception("Timeout on new password request")
5544 id = ev.split(':')[0].split('-')[-1]
5545 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5546 wait_fail_trigger(dev[0], "GET_FAIL")
5547 dev[0].request("REMOVE_NETWORK all")
5548 dev[0].wait_disconnected(timeout=1)
5549
5550 with fail_test(dev[0], 1, "get_master_key;eap_mschapv2_change_password"):
5551 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5552 eap="MSCHAPV2", identity="user",
5553 password="password", wait_connect=False)
5554 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"], timeout=10)
5555 if ev is None:
5556 raise Exception("Timeout on new password request")
5557 id = ev.split(':')[0].split('-')[-1]
5558 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5559 wait_fail_trigger(dev[0], "GET_FAIL")
5560 dev[0].request("REMOVE_NETWORK all")
5561 dev[0].wait_disconnected(timeout=1)
5562 finally:
5563 stop_radius_server(srv)
5564
5565 def test_eap_proto_pwd(dev, apdev):
5566 """EAP-pwd protocol tests"""
5567 check_eap_capa(dev[0], "PWD")
5568
5569 global eap_proto_pwd_test_done, eap_proto_pwd_test_wait
5570 eap_proto_pwd_test_done = False
5571 eap_proto_pwd_test_wait = False
5572
5573 def pwd_handler(ctx, req):
5574 logger.info("pwd_handler - RX " + req.encode("hex"))
5575 if 'num' not in ctx:
5576 ctx['num'] = 0
5577 ctx['num'] = ctx['num'] + 1
5578 if 'id' not in ctx:
5579 ctx['id'] = 1
5580 ctx['id'] = (ctx['id'] + 1) % 256
5581 idx = 0
5582
5583 global eap_proto_pwd_test_wait
5584 eap_proto_pwd_test_wait = False
5585
5586 idx += 1
5587 if ctx['num'] == idx:
5588 logger.info("Test: Missing payload")
5589 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1,
5590 EAP_TYPE_PWD)
5591
5592 idx += 1
5593 if ctx['num'] == idx:
5594 logger.info("Test: Missing Total-Length field")
5595 payload = struct.pack("B", 0x80)
5596 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5597 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5598
5599 idx += 1
5600 if ctx['num'] == idx:
5601 logger.info("Test: Too large Total-Length")
5602 payload = struct.pack(">BH", 0x80, 65535)
5603 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5604 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5605
5606 idx += 1
5607 if ctx['num'] == idx:
5608 eap_proto_pwd_test_wait = True
5609 logger.info("Test: First fragment")
5610 payload = struct.pack(">BH", 0xc0, 10)
5611 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5612 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5613 idx += 1
5614 if ctx['num'] == idx:
5615 logger.info("Test: Unexpected Total-Length value in the second fragment")
5616 payload = struct.pack(">BH", 0x80, 0)
5617 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5618 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5619
5620 idx += 1
5621 if ctx['num'] == idx:
5622 logger.info("Test: First and only fragment")
5623 payload = struct.pack(">BH", 0x80, 0)
5624 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5625 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5626
5627 idx += 1
5628 if ctx['num'] == idx:
5629 logger.info("Test: First and only fragment with extra data")
5630 payload = struct.pack(">BHB", 0x80, 0, 0)
5631 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5632 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5633
5634 idx += 1
5635 if ctx['num'] == idx:
5636 eap_proto_pwd_test_wait = True
5637 logger.info("Test: First fragment")
5638 payload = struct.pack(">BHB", 0xc0, 2, 1)
5639 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5640 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5641 idx += 1
5642 if ctx['num'] == idx:
5643 logger.info("Test: Extra data in the second fragment")
5644 payload = struct.pack(">BBB", 0x0, 2, 3)
5645 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5646 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5647
5648 idx += 1
5649 if ctx['num'] == idx:
5650 logger.info("Test: Too short id exchange")
5651 payload = struct.pack(">B", 0x01)
5652 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5653 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5654
5655 idx += 1
5656 if ctx['num'] == idx:
5657 logger.info("Test: Unsupported rand func in id exchange")
5658 payload = struct.pack(">BHBBLB", 0x01, 0, 0, 0, 0, 0)
5659 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5660 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5661
5662 idx += 1
5663 if ctx['num'] == idx:
5664 logger.info("Test: Unsupported prf in id exchange")
5665 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 0, 0, 0)
5666 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5667 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5668
5669 idx += 1
5670 if ctx['num'] == idx:
5671 logger.info("Test: Unsupported password pre-processing technique in id exchange")
5672 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 255)
5673 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5674 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5675
5676 idx += 1
5677 if ctx['num'] == idx:
5678 eap_proto_pwd_test_wait = True
5679 logger.info("Test: Valid id exchange")
5680 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5681 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5682 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5683 idx += 1
5684 if ctx['num'] == idx:
5685 logger.info("Test: Unexpected id exchange")
5686 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5687 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5688 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5689
5690 idx += 1
5691 if ctx['num'] == idx:
5692 logger.info("Test: Unexpected commit exchange")
5693 payload = struct.pack(">B", 0x02)
5694 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5695 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5696
5697 idx += 1
5698 if ctx['num'] == idx:
5699 eap_proto_pwd_test_wait = True
5700 logger.info("Test: Valid id exchange")
5701 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5702 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5703 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5704 idx += 1
5705 if ctx['num'] == idx:
5706 logger.info("Test: Unexpected Commit payload length")
5707 payload = struct.pack(">B", 0x02)
5708 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5709 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5710
5711 idx += 1
5712 if ctx['num'] == idx:
5713 eap_proto_pwd_test_wait = True
5714 logger.info("Test: Valid id exchange")
5715 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5716 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5717 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5718 idx += 1
5719 if ctx['num'] == idx:
5720 logger.info("Test: Commit payload with all zeros values --> Shared key at infinity")
5721 payload = struct.pack(">B", 0x02) + 96*'\0'
5722 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5723 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5724
5725 idx += 1
5726 if ctx['num'] == idx:
5727 eap_proto_pwd_test_wait = True
5728 logger.info("Test: Valid id exchange")
5729 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5730 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5731 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5732 idx += 1
5733 if ctx['num'] == idx:
5734 eap_proto_pwd_test_wait = True
5735 logger.info("Test: Commit payload with valid values")
5736 element = binascii.unhexlify("8dcab2862c5396839a6bac0c689ff03d962863108e7c275bbf1d6eedf634ee832a214db99f0d0a1a6317733eecdd97f0fc4cda19f57e1bb9bb9c8dcf8c60ba6f")
5737 scalar = binascii.unhexlify("450f31e058cf2ac2636a5d6e2b3c70b1fcc301957f0716e77f13aa69f9a2e5bd")
5738 payload = struct.pack(">B", 0x02) + element + scalar
5739 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5740 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5741 idx += 1
5742 if ctx['num'] == idx:
5743 logger.info("Test: Unexpected Confirm payload length 0")
5744 payload = struct.pack(">B", 0x03)
5745 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5746 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5747
5748 idx += 1
5749 if ctx['num'] == idx:
5750 eap_proto_pwd_test_wait = True
5751 logger.info("Test: Valid id exchange")
5752 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5753 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5754 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5755 idx += 1
5756 if ctx['num'] == idx:
5757 eap_proto_pwd_test_wait = True
5758 logger.info("Test: Commit payload with valid values")
5759 element = binascii.unhexlify("8dcab2862c5396839a6bac0c689ff03d962863108e7c275bbf1d6eedf634ee832a214db99f0d0a1a6317733eecdd97f0fc4cda19f57e1bb9bb9c8dcf8c60ba6f")
5760 scalar = binascii.unhexlify("450f31e058cf2ac2636a5d6e2b3c70b1fcc301957f0716e77f13aa69f9a2e5bd")
5761 payload = struct.pack(">B", 0x02) + element + scalar
5762 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5763 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5764 idx += 1
5765 if ctx['num'] == idx:
5766 logger.info("Test: Confirm payload with incorrect value")
5767 payload = struct.pack(">B", 0x03) + 32*'\0'
5768 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5769 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5770
5771 idx += 1
5772 if ctx['num'] == idx:
5773 logger.info("Test: Unexpected confirm exchange")
5774 payload = struct.pack(">B", 0x03)
5775 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5776 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5777
5778 logger.info("No more test responses available - test case completed")
5779 global eap_proto_pwd_test_done
5780 eap_proto_pwd_test_done = True
5781 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5782
5783 srv = start_radius_server(pwd_handler)
5784
5785 try:
5786 hapd = start_ap(apdev[0]['ifname'])
5787
5788 i = 0
5789 while not eap_proto_pwd_test_done:
5790 i += 1
5791 logger.info("Running connection iteration %d" % i)
5792 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5793 eap="PWD", identity="pwd user",
5794 password="secret password",
5795 wait_connect=False)
5796 ok = False
5797 for j in range(5):
5798 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
5799 "CTRL-EVENT-EAP-PROPOSED-METHOD"],
5800 timeout=5)
5801 if ev is None:
5802 raise Exception("Timeout on EAP start")
5803 if "CTRL-EVENT-EAP-PROPOSED-METHOD" in ev:
5804 ok = True
5805 break
5806 if "CTRL-EVENT-EAP-STATUS" in ev and "status='completion' parameter='failure'" in ev:
5807 ok = True
5808 break
5809 if not ok:
5810 raise Exception("Expected EAP event not seen")
5811 if eap_proto_pwd_test_wait:
5812 for k in range(10):
5813 time.sleep(0.1)
5814 if not eap_proto_pwd_test_wait:
5815 break
5816 dev[0].request("REMOVE_NETWORK all")
5817 dev[0].wait_disconnected(timeout=1)
5818 dev[0].dump_monitor()
5819 finally:
5820 stop_radius_server(srv)
5821
5822 def test_eap_proto_pwd_errors(dev, apdev):
5823 """EAP-pwd local error cases"""
5824 check_eap_capa(dev[0], "PWD")
5825 params = hostapd.wpa2_eap_params(ssid="eap-test")
5826 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5827
5828 for i in range(1, 4):
5829 with alloc_fail(dev[0], i, "eap_pwd_init"):
5830 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5831 eap="PWD", identity="pwd user",
5832 password="secret password",
5833 wait_connect=False)
5834 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
5835 timeout=15)
5836 if ev is None:
5837 raise Exception("Timeout on EAP start")
5838 dev[0].request("REMOVE_NETWORK all")
5839 dev[0].wait_disconnected()
5840
5841 with alloc_fail(dev[0], 1, "eap_pwd_get_session_id"):
5842 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5843 eap="PWD", identity="pwd user",
5844 password="secret password")
5845 dev[0].request("REMOVE_NETWORK all")
5846 dev[0].wait_disconnected()
5847
5848 for i in range(1, 7):
5849 with alloc_fail(dev[0], i, "eap_pwd_perform_id_exchange"):
5850 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5851 eap="PWD", identity="pwd user",
5852 password="secret password",
5853 wait_connect=False)
5854 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5855 timeout=15)
5856 if ev is None:
5857 raise Exception("Timeout on EAP start")
5858 ok = False
5859 for j in range(10):
5860 state = dev[0].request('GET_ALLOC_FAIL')
5861 if state.startswith('0:'):
5862 ok = True
5863 break
5864 time.sleep(0.1)
5865 if not ok:
5866 raise Exception("No allocation failure seen")
5867 dev[0].request("REMOVE_NETWORK all")
5868 dev[0].wait_disconnected()
5869
5870 with alloc_fail(dev[0], 1, "wpabuf_alloc;eap_pwd_perform_id_exchange"):
5871 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5872 eap="PWD", identity="pwd user",
5873 password="secret password",
5874 wait_connect=False)
5875 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5876 timeout=15)
5877 if ev is None:
5878 raise Exception("Timeout on EAP start")
5879 dev[0].request("REMOVE_NETWORK all")
5880 dev[0].wait_disconnected()
5881
5882 for i in range(1, 4):
5883 with alloc_fail(dev[0], i, "eap_pwd_perform_commit_exchange"):
5884 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5885 eap="PWD", identity="pwd user",
5886 password="secret password",
5887 wait_connect=False)
5888 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5889 timeout=15)
5890 if ev is None:
5891 raise Exception("Timeout on EAP start")
5892 ok = False
5893 for j in range(10):
5894 state = dev[0].request('GET_ALLOC_FAIL')
5895 if state.startswith('0:'):
5896 ok = True
5897 break
5898 time.sleep(0.1)
5899 if not ok:
5900 raise Exception("No allocation failure seen")
5901 dev[0].request("REMOVE_NETWORK all")
5902 dev[0].wait_disconnected()
5903
5904 for i in range(1, 12):
5905 with alloc_fail(dev[0], i, "eap_pwd_perform_confirm_exchange"):
5906 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5907 eap="PWD", identity="pwd user",
5908 password="secret password",
5909 wait_connect=False)
5910 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5911 timeout=15)
5912 if ev is None:
5913 raise Exception("Timeout on EAP start")
5914 ok = False
5915 for j in range(10):
5916 state = dev[0].request('GET_ALLOC_FAIL')
5917 if state.startswith('0:'):
5918 ok = True
5919 break
5920 time.sleep(0.1)
5921 if not ok:
5922 raise Exception("No allocation failure seen")
5923 dev[0].request("REMOVE_NETWORK all")
5924 dev[0].wait_disconnected()
5925
5926 for i in range(1, 4):
5927 with alloc_fail(dev[0], i, "eap_msg_alloc;=eap_pwd_process"):
5928 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5929 eap="PWD", identity="pwd user",
5930 password="secret password",
5931 wait_connect=False)
5932 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5933 timeout=15)
5934 if ev is None:
5935 raise Exception("Timeout on EAP start")
5936 ok = False
5937 for j in range(10):
5938 state = dev[0].request('GET_ALLOC_FAIL')
5939 if state.startswith('0:'):
5940 ok = True
5941 break
5942 time.sleep(0.1)
5943 if not ok:
5944 raise Exception("No allocation failure seen")
5945 dev[0].request("REMOVE_NETWORK all")
5946 dev[0].wait_disconnected()
5947
5948 # No password configured
5949 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5950 eap="PWD", identity="pwd user",
5951 wait_connect=False)
5952 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=52"],
5953 timeout=15)
5954 if ev is None:
5955 raise Exception("EAP-pwd not started")
5956 dev[0].request("REMOVE_NETWORK all")
5957 dev[0].wait_disconnected()
5958
5959 def test_eap_proto_erp(dev, apdev):
5960 """ERP protocol tests"""
5961 check_erp_capa(dev[0])
5962
5963 global eap_proto_erp_test_done
5964 eap_proto_erp_test_done = False
5965
5966 def erp_handler(ctx, req):
5967 logger.info("erp_handler - RX " + req.encode("hex"))
5968 if 'num' not in ctx:
5969 ctx['num'] = 0
5970 ctx['num'] += 1
5971 if 'id' not in ctx:
5972 ctx['id'] = 1
5973 ctx['id'] = (ctx['id'] + 1) % 256
5974 idx = 0
5975
5976 idx += 1
5977 if ctx['num'] == idx:
5978 logger.info("Test: Missing type")
5979 return struct.pack(">BBH", EAP_CODE_INITIATE, ctx['id'], 4)
5980
5981 idx += 1
5982 if ctx['num'] == idx:
5983 logger.info("Test: Unexpected type")
5984 return struct.pack(">BBHB", EAP_CODE_INITIATE, ctx['id'], 4 + 1,
5985 255)
5986
5987 idx += 1
5988 if ctx['num'] == idx:
5989 logger.info("Test: Missing Reserved field")
5990 return struct.pack(">BBHB", EAP_CODE_INITIATE, ctx['id'], 4 + 1,
5991 EAP_ERP_TYPE_REAUTH_START)
5992
5993 idx += 1
5994 if ctx['num'] == idx:
5995 logger.info("Test: Zero-length TVs/TLVs")
5996 payload = ""
5997 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5998 4 + 1 + 1 + len(payload),
5999 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6000
6001 idx += 1
6002 if ctx['num'] == idx:
6003 logger.info("Test: Too short TLV")
6004 payload = struct.pack("B", 191)
6005 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6006 4 + 1 + 1 + len(payload),
6007 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6008
6009 idx += 1
6010 if ctx['num'] == idx:
6011 logger.info("Test: Truncated TLV")
6012 payload = struct.pack("BB", 191, 1)
6013 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6014 4 + 1 + 1 + len(payload),
6015 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6016
6017 idx += 1
6018 if ctx['num'] == idx:
6019 logger.info("Test: Ignored unknown TLV and unknown TV/TLV terminating parsing")
6020 payload = struct.pack("BBB", 191, 0, 192)
6021 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6022 4 + 1 + 1 + len(payload),
6023 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6024
6025 idx += 1
6026 if ctx['num'] == idx:
6027 logger.info("Test: More than one keyName-NAI")
6028 payload = struct.pack("BBBB", EAP_ERP_TLV_KEYNAME_NAI, 0,
6029 EAP_ERP_TLV_KEYNAME_NAI, 0)
6030 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6031 4 + 1 + 1 + len(payload),
6032 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6033
6034 idx += 1
6035 if ctx['num'] == idx:
6036 logger.info("Test: Too short TLV keyName-NAI")
6037 payload = struct.pack("B", EAP_ERP_TLV_KEYNAME_NAI)
6038 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6039 4 + 1 + 1 + len(payload),
6040 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6041
6042 idx += 1
6043 if ctx['num'] == idx:
6044 logger.info("Test: Truncated TLV keyName-NAI")
6045 payload = struct.pack("BB", EAP_ERP_TLV_KEYNAME_NAI, 1)
6046 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6047 4 + 1 + 1 + len(payload),
6048 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6049
6050 idx += 1
6051 if ctx['num'] == idx:
6052 logger.info("Test: Valid rRK lifetime TV followed by too short rMSK lifetime TV")
6053 payload = struct.pack(">BLBH", EAP_ERP_TV_RRK_LIFETIME, 0,
6054 EAP_ERP_TV_RMSK_LIFETIME, 0)
6055 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6056 4 + 1 + 1 + len(payload),
6057 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6058
6059 idx += 1
6060 if ctx['num'] == idx:
6061 logger.info("Test: Missing type (Finish)")
6062 return struct.pack(">BBH", EAP_CODE_FINISH, ctx['id'], 4)
6063
6064 idx += 1
6065 if ctx['num'] == idx:
6066 logger.info("Test: Unexpected type (Finish)")
6067 return struct.pack(">BBHB", EAP_CODE_FINISH, ctx['id'], 4 + 1,
6068 255)
6069
6070 idx += 1
6071 if ctx['num'] == idx:
6072 logger.info("Test: Missing fields (Finish)")
6073 return struct.pack(">BBHB", EAP_CODE_FINISH, ctx['id'], 4 + 1,
6074 EAP_ERP_TYPE_REAUTH)
6075
6076 idx += 1
6077 if ctx['num'] == idx:
6078 logger.info("Test: Unexpected SEQ (Finish)")
6079 return struct.pack(">BBHBBHB", EAP_CODE_FINISH, ctx['id'],
6080 4 + 1 + 4,
6081 EAP_ERP_TYPE_REAUTH, 0, 0xffff, 0)
6082
6083 logger.info("No more test responses available - test case completed")
6084 global eap_proto_erp_test_done
6085 eap_proto_erp_test_done = True
6086 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6087
6088 srv = start_radius_server(erp_handler)
6089
6090 try:
6091 hapd = start_ap(apdev[0]['ifname'])
6092
6093 i = 0
6094 while not eap_proto_erp_test_done:
6095 i += 1
6096 logger.info("Running connection iteration %d" % i)
6097 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6098 eap="PAX", identity="pax.user@example.com",
6099 password_hex="0123456789abcdef0123456789abcdef",
6100 wait_connect=False)
6101 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
6102 if ev is None:
6103 raise Exception("Timeout on EAP start")
6104 time.sleep(0.1)
6105 dev[0].request("REMOVE_NETWORK all")
6106 dev[0].wait_disconnected(timeout=1)
6107 dev[0].dump_monitor()
6108 finally:
6109 stop_radius_server(srv)
6110
6111 def test_eap_proto_fast_errors(dev, apdev):
6112 """EAP-FAST local error cases"""
6113 check_eap_capa(dev[0], "FAST")
6114 params = hostapd.wpa2_eap_params(ssid="eap-test")
6115 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6116
6117 for i in range(1, 5):
6118 with alloc_fail(dev[0], i, "eap_fast_init"):
6119 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6120 eap="FAST", anonymous_identity="FAST",
6121 identity="user", password="password",
6122 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6123 phase1="fast_provisioning=2",
6124 pac_file="blob://fast_pac_auth",
6125 wait_connect=False)
6126 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6127 timeout=5)
6128 if ev is None:
6129 raise Exception("Timeout on EAP start")
6130 dev[0].request("REMOVE_NETWORK all")
6131 dev[0].wait_disconnected()
6132
6133 tests = [ (1, "wpabuf_alloc;eap_fast_tlv_eap_payload"),
6134 (1, "eap_fast_derive_key;eap_fast_derive_key_auth"),
6135 (1, "eap_msg_alloc;eap_peer_tls_phase2_nak"),
6136 (1, "wpabuf_alloc;eap_fast_tlv_result"),
6137 (1, "wpabuf_alloc;eap_fast_tlv_pac_ack"),
6138 (1, "=eap_peer_tls_derive_session_id;eap_fast_process_crypto_binding"),
6139 (1, "eap_peer_tls_decrypt;eap_fast_decrypt"),
6140 (1, "eap_fast_getKey"),
6141 (1, "eap_fast_get_session_id"),
6142 (1, "eap_fast_get_emsk") ]
6143 for count, func in tests:
6144 dev[0].request("SET blob fast_pac_auth_errors ")
6145 with alloc_fail(dev[0], count, func):
6146 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6147 eap="FAST", anonymous_identity="FAST",
6148 identity="user", password="password",
6149 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6150 phase1="fast_provisioning=2",
6151 pac_file="blob://fast_pac_auth_errors",
6152 erp="1",
6153 wait_connect=False)
6154 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6155 timeout=15)
6156 if ev is None:
6157 raise Exception("Timeout on EAP start")
6158 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6159 dev[0].request("REMOVE_NETWORK all")
6160 dev[0].wait_disconnected()
6161
6162 tests = [ (1, "eap_fast_derive_key;eap_fast_derive_key_provisioning"),
6163 (1, "eap_mschapv2_getKey;eap_fast_get_phase2_key"),
6164 (1, "=eap_fast_use_pac_opaque"),
6165 (1, "eap_fast_copy_buf"),
6166 (1, "=eap_fast_add_pac"),
6167 (1, "=eap_fast_init_pac_data"),
6168 (1, "=eap_fast_write_pac"),
6169 (2, "=eap_fast_write_pac") ]
6170 for count, func in tests:
6171 dev[0].request("SET blob fast_pac_errors ")
6172 with alloc_fail(dev[0], count, func):
6173 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6174 eap="FAST", anonymous_identity="FAST",
6175 identity="user", password="password",
6176 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6177 phase1="fast_provisioning=1",
6178 pac_file="blob://fast_pac_errors",
6179 erp="1",
6180 wait_connect=False)
6181 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6182 timeout=15)
6183 if ev is None:
6184 raise Exception("Timeout on EAP start")
6185 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6186 dev[0].request("REMOVE_NETWORK all")
6187 dev[0].wait_disconnected()
6188
6189 tests = [ (1, "eap_fast_get_cmk;eap_fast_process_crypto_binding"),
6190 (1, "eap_fast_derive_eap_msk;eap_fast_process_crypto_binding"),
6191 (1, "eap_fast_derive_eap_emsk;eap_fast_process_crypto_binding") ]
6192 for count, func in tests:
6193 dev[0].request("SET blob fast_pac_auth_errors ")
6194 with fail_test(dev[0], count, func):
6195 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6196 eap="FAST", anonymous_identity="FAST",
6197 identity="user", password="password",
6198 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6199 phase1="fast_provisioning=2",
6200 pac_file="blob://fast_pac_auth_errors",
6201 erp="1",
6202 wait_connect=False)
6203 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6204 timeout=15)
6205 if ev is None:
6206 raise Exception("Timeout on EAP start")
6207 wait_fail_trigger(dev[0], "GET_FAIL")
6208 dev[0].request("REMOVE_NETWORK all")
6209 dev[0].wait_disconnected()
6210
6211 dev[0].request("SET blob fast_pac_errors ")
6212 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6213 eap="FAST", anonymous_identity="FAST",
6214 identity="user", password="password",
6215 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6216 phase1="fast_provisioning=1",
6217 pac_file="blob://fast_pac_errors",
6218 wait_connect=False)
6219 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
6220 if ev is None:
6221 raise Exception("Timeout on EAP start")
6222 # EAP-FAST: Only EAP-MSCHAPv2 is allowed during unauthenticated
6223 # provisioning; reject phase2 type 6
6224 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6225 if ev is None:
6226 raise Exception("Timeout on EAP failure")
6227 dev[0].request("REMOVE_NETWORK all")
6228 dev[0].wait_disconnected()
6229
6230 logger.info("Wrong password in Phase 2")
6231 dev[0].request("SET blob fast_pac_errors ")
6232 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6233 eap="FAST", anonymous_identity="FAST",
6234 identity="user", password="wrong password",
6235 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6236 phase1="fast_provisioning=1",
6237 pac_file="blob://fast_pac_errors",
6238 wait_connect=False)
6239 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
6240 if ev is None:
6241 raise Exception("Timeout on EAP start")
6242 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6243 if ev is None:
6244 raise Exception("Timeout on EAP failure")
6245 dev[0].request("REMOVE_NETWORK all")
6246 dev[0].wait_disconnected()
6247
6248 tests = [ "FOOBAR\n",
6249 "wpa_supplicant EAP-FAST PAC file - version 1\nFOOBAR\n",
6250 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\n",
6251 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nSTART\n",
6252 "wpa_supplicant EAP-FAST PAC file - version 1\nEND\n",
6253 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Type=12345\nEND\n"
6254 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=12\nEND\n",
6255 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=1\nEND\n",
6256 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=1q\nEND\n",
6257 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Opaque=1\nEND\n",
6258 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nA-ID=1\nEND\n",
6259 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nI-ID=1\nEND\n",
6260 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nA-ID-Info=1\nEND\n" ]
6261 for pac in tests:
6262 blob = binascii.hexlify(pac)
6263 dev[0].request("SET blob fast_pac_errors " + blob)
6264 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6265 eap="FAST", anonymous_identity="FAST",
6266 identity="user", password="password",
6267 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6268 phase1="fast_provisioning=2",
6269 pac_file="blob://fast_pac_errors",
6270 wait_connect=False)
6271 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6272 timeout=5)
6273 if ev is None:
6274 raise Exception("Timeout on EAP start")
6275 dev[0].request("REMOVE_NETWORK all")
6276 dev[0].wait_disconnected()
6277
6278 tests = [ "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nEND\n",
6279 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nEND\nSTART\nEND\nSTART\nEND\n" ]
6280 for pac in tests:
6281 blob = binascii.hexlify(pac)
6282 dev[0].request("SET blob fast_pac_errors " + blob)
6283 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6284 eap="FAST", anonymous_identity="FAST",
6285 identity="user", password="password",
6286 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6287 phase1="fast_provisioning=2",
6288 pac_file="blob://fast_pac_errors")
6289 dev[0].request("REMOVE_NETWORK all")
6290 dev[0].wait_disconnected()
6291
6292 dev[0].request("SET blob fast_pac_errors ")
6293
6294 def test_eap_proto_peap_errors(dev, apdev):
6295 """EAP-PEAP local error cases"""
6296 check_eap_capa(dev[0], "PEAP")
6297 check_eap_capa(dev[0], "MSCHAPV2")
6298 params = hostapd.wpa2_eap_params(ssid="eap-test")
6299 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6300
6301 for i in range(1, 5):
6302 with alloc_fail(dev[0], i, "eap_peap_init"):
6303 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6304 eap="PEAP", anonymous_identity="peap",
6305 identity="user", password="password",
6306 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6307 wait_connect=False)
6308 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6309 timeout=5)
6310 if ev is None:
6311 raise Exception("Timeout on EAP start")
6312 dev[0].request("REMOVE_NETWORK all")
6313 dev[0].wait_disconnected()
6314
6315 tests = [ (1, "eap_mschapv2_getKey;eap_peap_get_isk;eap_peap_derive_cmk"),
6316 (1, "eap_msg_alloc;eap_tlv_build_result"),
6317 (1, "eap_mschapv2_init;eap_peap_phase2_request"),
6318 (1, "eap_peer_tls_decrypt;eap_peap_decrypt"),
6319 (1, "wpabuf_alloc;=eap_peap_decrypt"),
6320 (1, "eap_peer_tls_encrypt;eap_peap_decrypt"),
6321 (1, "eap_peer_tls_process_helper;eap_peap_process"),
6322 (1, "eap_peer_tls_derive_key;eap_peap_process"),
6323 (1, "eap_peer_tls_derive_session_id;eap_peap_process"),
6324 (1, "eap_peap_getKey"),
6325 (1, "eap_peap_get_session_id") ]
6326 for count, func in tests:
6327 with alloc_fail(dev[0], count, func):
6328 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6329 eap="PEAP", anonymous_identity="peap",
6330 identity="user", password="password",
6331 phase1="peapver=0 crypto_binding=2",
6332 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6333 erp="1", wait_connect=False)
6334 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6335 timeout=15)
6336 if ev is None:
6337 raise Exception("Timeout on EAP start")
6338 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6339 dev[0].request("REMOVE_NETWORK all")
6340 dev[0].wait_disconnected()
6341
6342 tests = [ (1, "peap_prfplus;eap_peap_derive_cmk"),
6343 (1, "eap_tlv_add_cryptobinding;eap_tlv_build_result"),
6344 (1, "peap_prfplus;eap_peap_getKey") ]
6345 for count, func in tests:
6346 with fail_test(dev[0], count, func):
6347 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6348 eap="PEAP", anonymous_identity="peap",
6349 identity="user", password="password",
6350 phase1="peapver=0 crypto_binding=2",
6351 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6352 erp="1", wait_connect=False)
6353 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6354 timeout=15)
6355 if ev is None:
6356 raise Exception("Timeout on EAP start")
6357 wait_fail_trigger(dev[0], "GET_FAIL")
6358 dev[0].request("REMOVE_NETWORK all")
6359 dev[0].wait_disconnected()
6360
6361 with alloc_fail(dev[0], 1,
6362 "eap_peer_tls_phase2_nak;eap_peap_phase2_request"):
6363 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6364 eap="PEAP", anonymous_identity="peap",
6365 identity="cert user", password="password",
6366 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6367 wait_connect=False)
6368 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6369 dev[0].request("REMOVE_NETWORK all")
6370 dev[0].wait_disconnected()
6371
6372 def test_eap_proto_ttls_errors(dev, apdev):
6373 """EAP-TTLS local error cases"""
6374 check_eap_capa(dev[0], "TTLS")
6375 check_eap_capa(dev[0], "MSCHAPV2")
6376 params = hostapd.wpa2_eap_params(ssid="eap-test")
6377 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6378
6379 for i in range(1, 5):
6380 with alloc_fail(dev[0], i, "eap_ttls_init"):
6381 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6382 eap="TTLS", anonymous_identity="ttls",
6383 identity="user", password="password",
6384 ca_cert="auth_serv/ca.pem",
6385 phase2="autheap=MSCHAPV2",
6386 wait_connect=False)
6387 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6388 timeout=5)
6389 if ev is None:
6390 raise Exception("Timeout on EAP start")
6391 dev[0].request("REMOVE_NETWORK all")
6392 dev[0].wait_disconnected()
6393
6394 tests = [ (1, "eap_peer_tls_derive_key;eap_ttls_v0_derive_key",
6395 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6396 (1, "eap_peer_tls_derive_session_id;eap_ttls_v0_derive_key",
6397 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6398 (1, "wpabuf_alloc;eap_ttls_phase2_request_mschapv2",
6399 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6400 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_mschapv2",
6401 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6402 (1, "eap_peer_tls_encrypt;eap_ttls_encrypt_response;eap_ttls_implicit_identity_request",
6403 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6404 (1, "eap_peer_tls_decrypt;eap_ttls_decrypt",
6405 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6406 (1, "eap_ttls_getKey",
6407 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6408 (1, "eap_ttls_get_session_id",
6409 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6410 (1, "eap_ttls_get_emsk",
6411 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6412 (1, "wpabuf_alloc;eap_ttls_phase2_request_mschap",
6413 "mschap user", "auth=MSCHAP"),
6414 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_mschap",
6415 "mschap user", "auth=MSCHAP"),
6416 (1, "wpabuf_alloc;eap_ttls_phase2_request_chap",
6417 "chap user", "auth=CHAP"),
6418 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_chap",
6419 "chap user", "auth=CHAP"),
6420 (1, "wpabuf_alloc;eap_ttls_phase2_request_pap",
6421 "pap user", "auth=PAP"),
6422 (1, "wpabuf_alloc;eap_ttls_avp_encapsulate",
6423 "user", "autheap=MSCHAPV2"),
6424 (1, "eap_mschapv2_init;eap_ttls_phase2_request_eap_method",
6425 "user", "autheap=MSCHAPV2"),
6426 (1, "eap_sm_buildIdentity;eap_ttls_phase2_request_eap",
6427 "user", "autheap=MSCHAPV2"),
6428 (1, "eap_ttls_avp_encapsulate;eap_ttls_phase2_request_eap",
6429 "user", "autheap=MSCHAPV2"),
6430 (1, "eap_ttls_parse_attr_eap",
6431 "user", "autheap=MSCHAPV2"),
6432 (1, "eap_peer_tls_encrypt;eap_ttls_encrypt_response;eap_ttls_process_decrypted",
6433 "user", "autheap=MSCHAPV2"),
6434 (1, "eap_ttls_fake_identity_request",
6435 "user", "autheap=MSCHAPV2"),
6436 (1, "eap_msg_alloc;eap_tls_process_output",
6437 "user", "autheap=MSCHAPV2"),
6438 (1, "eap_msg_alloc;eap_peer_tls_build_ack",
6439 "user", "autheap=MSCHAPV2"),
6440 (1, "tls_connection_decrypt;eap_peer_tls_decrypt",
6441 "user", "autheap=MSCHAPV2"),
6442 (1, "eap_peer_tls_phase2_nak;eap_ttls_phase2_request_eap_method",
6443 "cert user", "autheap=MSCHAPV2") ]
6444 for count, func, identity, phase2 in tests:
6445 with alloc_fail(dev[0], count, func):
6446 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6447 eap="TTLS", anonymous_identity="ttls",
6448 identity=identity, password="password",
6449 ca_cert="auth_serv/ca.pem", phase2=phase2,
6450 erp="1", wait_connect=False)
6451 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6452 timeout=15)
6453 if ev is None:
6454 raise Exception("Timeout on EAP start")
6455 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
6456 note="Allocation failure not triggered for: %d:%s" % (count, func))
6457 dev[0].request("REMOVE_NETWORK all")
6458 dev[0].wait_disconnected()
6459
6460 tests = [ (1, "os_get_random;eap_ttls_phase2_request_mschapv2"),
6461 (1, "mschapv2_derive_response;eap_ttls_phase2_request_mschapv2") ]
6462 for count, func in tests:
6463 with fail_test(dev[0], count, func):
6464 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6465 eap="TTLS", anonymous_identity="ttls",
6466 identity="DOMAIN\mschapv2 user", password="password",
6467 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6468 erp="1", wait_connect=False)
6469 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6470 timeout=15)
6471 if ev is None:
6472 raise Exception("Timeout on EAP start")
6473 wait_fail_trigger(dev[0], "GET_FAIL",
6474 note="Test failure not triggered for: %d:%s" % (count, func))
6475 dev[0].request("REMOVE_NETWORK all")
6476 dev[0].wait_disconnected()
6477
6478 def test_eap_proto_expanded(dev, apdev):
6479 """EAP protocol tests with expanded header"""
6480 global eap_proto_expanded_test_done
6481 eap_proto_expanded_test_done = False
6482
6483 def expanded_handler(ctx, req):
6484 logger.info("expanded_handler - RX " + req.encode("hex"))
6485 if 'num' not in ctx:
6486 ctx['num'] = 0
6487 ctx['num'] += 1
6488 if 'id' not in ctx:
6489 ctx['id'] = 1
6490 ctx['id'] = (ctx['id'] + 1) % 256
6491 idx = 0
6492
6493 idx += 1
6494 if ctx['num'] == idx:
6495 logger.info("Test: MD5 challenge in expanded header")
6496 return struct.pack(">BBHB3BLBBB", EAP_CODE_REQUEST, ctx['id'],
6497 4 + 1 + 3 + 4 + 3,
6498 EAP_TYPE_EXPANDED, 0, 0, 0, EAP_TYPE_MD5,
6499 1, 0xaa, ord('n'))
6500 idx += 1
6501 if ctx['num'] == idx:
6502 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6503
6504 idx += 1
6505 if ctx['num'] == idx:
6506 logger.info("Test: Invalid expanded EAP length")
6507 return struct.pack(">BBHB3BH", EAP_CODE_REQUEST, ctx['id'],
6508 4 + 1 + 3 + 2,
6509 EAP_TYPE_EXPANDED, 0, 0, 0, EAP_TYPE_MD5)
6510 idx += 1
6511 if ctx['num'] == idx:
6512 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6513
6514 idx += 1
6515 if ctx['num'] == idx:
6516 logger.info("Test: Invalid expanded frame type")
6517 return struct.pack(">BBHB3BL", EAP_CODE_REQUEST, ctx['id'],
6518 4 + 1 + 3 + 4,
6519 EAP_TYPE_EXPANDED, 0, 0, 1, EAP_TYPE_MD5)
6520 idx += 1
6521 if ctx['num'] == idx:
6522 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6523
6524 idx += 1
6525 if ctx['num'] == idx:
6526 logger.info("Test: MSCHAPv2 Challenge")
6527 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
6528 4 + 1 + 4 + 1 + 16 + 6,
6529 EAP_TYPE_MSCHAPV2,
6530 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
6531 idx += 1
6532 if ctx['num'] == idx:
6533 logger.info("Test: Invalid expanded frame type")
6534 return struct.pack(">BBHB3BL", EAP_CODE_REQUEST, ctx['id'],
6535 4 + 1 + 3 + 4,
6536 EAP_TYPE_EXPANDED, 0, 0, 1, EAP_TYPE_MSCHAPV2)
6537
6538 logger.info("No more test responses available - test case completed")
6539 global eap_proto_expanded_test_done
6540 eap_proto_expanded_test_done = True
6541 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6542
6543 srv = start_radius_server(expanded_handler)
6544
6545 try:
6546 hapd = start_ap(apdev[0]['ifname'])
6547
6548 i = 0
6549 while not eap_proto_expanded_test_done:
6550 i += 1
6551 logger.info("Running connection iteration %d" % i)
6552 if i == 4:
6553 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6554 eap="MSCHAPV2", identity="user",
6555 password="password",
6556 wait_connect=False)
6557 else:
6558 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6559 eap="MD5", identity="user", password="password",
6560 wait_connect=False)
6561 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
6562 if ev is None:
6563 raise Exception("Timeout on EAP start")
6564 if i in [ 1 ]:
6565 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
6566 if ev is None:
6567 raise Exception("Timeout on EAP method start")
6568 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6569 if ev is None:
6570 raise Exception("Timeout on EAP failure")
6571 elif i in [ 2, 3 ]:
6572 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6573 timeout=5)
6574 if ev is None:
6575 raise Exception("Timeout on EAP proposed method")
6576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6577 if ev is None:
6578 raise Exception("Timeout on EAP failure")
6579 else:
6580 time.sleep(0.1)
6581 dev[0].request("REMOVE_NETWORK all")
6582 dev[0].wait_disconnected(timeout=1)
6583 dev[0].dump_monitor()
6584 finally:
6585 stop_radius_server(srv)
6586
6587 def test_eap_proto_tnc(dev, apdev):
6588 """EAP-TNC protocol tests"""
6589 check_eap_capa(dev[0], "TNC")
6590 global eap_proto_tnc_test_done
6591 eap_proto_tnc_test_done = False
6592
6593 def tnc_handler(ctx, req):
6594 logger.info("tnc_handler - RX " + req.encode("hex"))
6595 if 'num' not in ctx:
6596 ctx['num'] = 0
6597 ctx['num'] += 1
6598 if 'id' not in ctx:
6599 ctx['id'] = 1
6600 ctx['id'] = (ctx['id'] + 1) % 256
6601 idx = 0
6602
6603 idx += 1
6604 if ctx['num'] == idx:
6605 logger.info("Test: TNC start with unsupported version")
6606 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6607 4 + 1 + 1,
6608 EAP_TYPE_TNC, 0x20)
6609
6610 idx += 1
6611 if ctx['num'] == idx:
6612 logger.info("Test: TNC without Flags field")
6613 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
6614 4 + 1,
6615 EAP_TYPE_TNC)
6616
6617 idx += 1
6618 if ctx['num'] == idx:
6619 logger.info("Test: Message underflow due to missing Message Length")
6620 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6621 4 + 1 + 1,
6622 EAP_TYPE_TNC, 0xa1)
6623
6624 idx += 1
6625 if ctx['num'] == idx:
6626 logger.info("Test: Invalid Message Length")
6627 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
6628 4 + 1 + 1 + 4 + 1,
6629 EAP_TYPE_TNC, 0xa1, 0, 0)
6630
6631 idx += 1
6632 if ctx['num'] == idx:
6633 logger.info("Test: Invalid Message Length")
6634 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
6635 4 + 1 + 1 + 4,
6636 EAP_TYPE_TNC, 0xe1, 75001)
6637
6638 idx += 1
6639 if ctx['num'] == idx:
6640 logger.info("Test: Start with Message Length")
6641 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
6642 4 + 1 + 1 + 4,
6643 EAP_TYPE_TNC, 0xa1, 1)
6644 idx += 1
6645 if ctx['num'] == idx:
6646 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6647
6648 idx += 1
6649 if ctx['num'] == idx:
6650 logger.info("Test: Server used start flag again")
6651 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6652 4 + 1 + 1,
6653 EAP_TYPE_TNC, 0x21)
6654 idx += 1
6655 if ctx['num'] == idx:
6656 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6657 4 + 1 + 1,
6658 EAP_TYPE_TNC, 0x21)
6659
6660 idx += 1
6661 if ctx['num'] == idx:
6662 logger.info("Test: Fragmentation and unexpected payload in ack")
6663 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6664 4 + 1 + 1,
6665 EAP_TYPE_TNC, 0x21)
6666 idx += 1
6667 if ctx['num'] == idx:
6668 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6669 4 + 1 + 1,
6670 EAP_TYPE_TNC, 0x01)
6671 idx += 1
6672 if ctx['num'] == idx:
6673 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
6674 4 + 1 + 1 + 1,
6675 EAP_TYPE_TNC, 0x01, 0)
6676
6677 idx += 1
6678 if ctx['num'] == idx:
6679 logger.info("Test: Server fragmenting and fragment overflow")
6680 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
6681 4 + 1 + 1 + 4 + 1,
6682 EAP_TYPE_TNC, 0xe1, 2, 1)
6683 idx += 1
6684 if ctx['num'] == idx:
6685 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
6686 4 + 1 + 1 + 2,
6687 EAP_TYPE_TNC, 0x01, 2, 3)
6688
6689 idx += 1
6690 if ctx['num'] == idx:
6691 logger.info("Test: Server fragmenting and no message length in a fragment")
6692 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
6693 4 + 1 + 1 + 1,
6694 EAP_TYPE_TNC, 0x61, 2)
6695
6696 idx += 1
6697 if ctx['num'] == idx:
6698 logger.info("Test: TNC start followed by invalid TNCCS-Batch")
6699 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6700 4 + 1 + 1,
6701 EAP_TYPE_TNC, 0x21)
6702 idx += 1
6703 if ctx['num'] == idx:
6704 logger.info("Received TNCCS-Batch: " + req[6:])
6705 resp = "FOO"
6706 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6707 4 + 1 + 1 + len(resp),
6708 EAP_TYPE_TNC, 0x01) + resp
6709
6710 idx += 1
6711 if ctx['num'] == idx:
6712 logger.info("Test: TNC start followed by invalid TNCCS-Batch (2)")
6713 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6714 4 + 1 + 1,
6715 EAP_TYPE_TNC, 0x21)
6716 idx += 1
6717 if ctx['num'] == idx:
6718 logger.info("Received TNCCS-Batch: " + req[6:])
6719 resp = "</TNCCS-Batch><TNCCS-Batch>"
6720 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6721 4 + 1 + 1 + len(resp),
6722 EAP_TYPE_TNC, 0x01) + resp
6723
6724 idx += 1
6725 if ctx['num'] == idx:
6726 logger.info("Test: TNCCS-Batch missing BatchId attribute")
6727 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6728 4 + 1 + 1,
6729 EAP_TYPE_TNC, 0x21)
6730 idx += 1
6731 if ctx['num'] == idx:
6732 logger.info("Received TNCCS-Batch: " + req[6:])
6733 resp = "<TNCCS-Batch foo=3></TNCCS-Batch>"
6734 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6735 4 + 1 + 1 + len(resp),
6736 EAP_TYPE_TNC, 0x01) + resp
6737
6738 idx += 1
6739 if ctx['num'] == idx:
6740 logger.info("Test: Unexpected IF-TNCCS BatchId")
6741 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6742 4 + 1 + 1,
6743 EAP_TYPE_TNC, 0x21)
6744 idx += 1
6745 if ctx['num'] == idx:
6746 logger.info("Received TNCCS-Batch: " + req[6:])
6747 resp = "<TNCCS-Batch BatchId=123456789></TNCCS-Batch>"
6748 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6749 4 + 1 + 1 + len(resp),
6750 EAP_TYPE_TNC, 0x01) + resp
6751
6752 idx += 1
6753 if ctx['num'] == idx:
6754 logger.info("Test: Missing IMC-IMV-Message and TNCC-TNCS-Message end tags")
6755 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6756 4 + 1 + 1,
6757 EAP_TYPE_TNC, 0x21)
6758 idx += 1
6759 if ctx['num'] == idx:
6760 logger.info("Received TNCCS-Batch: " + req[6:])
6761 resp = "<TNCCS-Batch BatchId=2><IMC-IMV-Message><TNCC-TNCS-Message></TNCCS-Batch>"
6762 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6763 4 + 1 + 1 + len(resp),
6764 EAP_TYPE_TNC, 0x01) + resp
6765 idx += 1
6766 if ctx['num'] == idx:
6767 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6768
6769 idx += 1
6770 if ctx['num'] == idx:
6771 logger.info("Test: Missing IMC-IMV-Message and TNCC-TNCS-Message Type")
6772 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6773 4 + 1 + 1,
6774 EAP_TYPE_TNC, 0x21)
6775 idx += 1
6776 if ctx['num'] == idx:
6777 logger.info("Received TNCCS-Batch: " + req[6:])
6778 resp = "<TNCCS-Batch BatchId=2><IMC-IMV-Message></IMC-IMV-Message><TNCC-TNCS-Message></TNCC-TNCS-Message></TNCCS-Batch>"
6779 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6780 4 + 1 + 1 + len(resp),
6781 EAP_TYPE_TNC, 0x01) + resp
6782 idx += 1
6783 if ctx['num'] == idx:
6784 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6785
6786 idx += 1
6787 if ctx['num'] == idx:
6788 logger.info("Test: Missing TNCC-TNCS-Message XML end tag")
6789 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6790 4 + 1 + 1,
6791 EAP_TYPE_TNC, 0x21)
6792 idx += 1
6793 if ctx['num'] == idx:
6794 logger.info("Received TNCCS-Batch: " + req[6:])
6795 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML></TNCC-TNCS-Message></TNCCS-Batch>"
6796 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6797 4 + 1 + 1 + len(resp),
6798 EAP_TYPE_TNC, 0x01) + resp
6799 idx += 1
6800 if ctx['num'] == idx:
6801 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6802
6803 idx += 1
6804 if ctx['num'] == idx:
6805 logger.info("Test: Missing TNCC-TNCS-Message Base64 start tag")
6806 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6807 4 + 1 + 1,
6808 EAP_TYPE_TNC, 0x21)
6809 idx += 1
6810 if ctx['num'] == idx:
6811 logger.info("Received TNCCS-Batch: " + req[6:])
6812 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type></TNCC-TNCS-Message></TNCCS-Batch>"
6813 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6814 4 + 1 + 1 + len(resp),
6815 EAP_TYPE_TNC, 0x01) + resp
6816 idx += 1
6817 if ctx['num'] == idx:
6818 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6819
6820 idx += 1
6821 if ctx['num'] == idx:
6822 logger.info("Test: Missing TNCC-TNCS-Message Base64 end tag")
6823 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6824 4 + 1 + 1,
6825 EAP_TYPE_TNC, 0x21)
6826 idx += 1
6827 if ctx['num'] == idx:
6828 logger.info("Received TNCCS-Batch: " + req[6:])
6829 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><Base64>abc</TNCC-TNCS-Message></TNCCS-Batch>"
6830 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6831 4 + 1 + 1 + len(resp),
6832 EAP_TYPE_TNC, 0x01) + resp
6833 idx += 1
6834 if ctx['num'] == idx:
6835 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6836
6837 idx += 1
6838 if ctx['num'] == idx:
6839 logger.info("Test: TNCC-TNCS-Message Base64 message")
6840 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6841 4 + 1 + 1,
6842 EAP_TYPE_TNC, 0x21)
6843 idx += 1
6844 if ctx['num'] == idx:
6845 logger.info("Received TNCCS-Batch: " + req[6:])
6846 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><Base64>aGVsbG8=</Base64></TNCC-TNCS-Message></TNCCS-Batch>"
6847 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6848 4 + 1 + 1 + len(resp),
6849 EAP_TYPE_TNC, 0x01) + resp
6850 idx += 1
6851 if ctx['num'] == idx:
6852 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6853
6854 idx += 1
6855 if ctx['num'] == idx:
6856 logger.info("Test: Invalid TNCC-TNCS-Message XML message")
6857 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6858 4 + 1 + 1,
6859 EAP_TYPE_TNC, 0x21)
6860 idx += 1
6861 if ctx['num'] == idx:
6862 logger.info("Received TNCCS-Batch: " + req[6:])
6863 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML>hello</XML></TNCC-TNCS-Message></TNCCS-Batch>"
6864 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6865 4 + 1 + 1 + len(resp),
6866 EAP_TYPE_TNC, 0x01) + resp
6867 idx += 1
6868 if ctx['num'] == idx:
6869 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6870
6871 idx += 1
6872 if ctx['num'] == idx:
6873 logger.info("Test: Missing TNCCS-Recommendation type")
6874 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6875 4 + 1 + 1,
6876 EAP_TYPE_TNC, 0x21)
6877 idx += 1
6878 if ctx['num'] == idx:
6879 logger.info("Received TNCCS-Batch: " + req[6:])
6880 resp = '<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML><TNCCS-Recommendation foo=1></TNCCS-Recommendation></XML></TNCC-TNCS-Message></TNCCS-Batch>'
6881 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6882 4 + 1 + 1 + len(resp),
6883 EAP_TYPE_TNC, 0x01) + resp
6884 idx += 1
6885 if ctx['num'] == idx:
6886 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6887
6888 idx += 1
6889 if ctx['num'] == idx:
6890 logger.info("Test: TNCCS-Recommendation type=none")
6891 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6892 4 + 1 + 1,
6893 EAP_TYPE_TNC, 0x21)
6894 idx += 1
6895 if ctx['num'] == idx:
6896 logger.info("Received TNCCS-Batch: " + req[6:])
6897 resp = '<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML><TNCCS-Recommendation type="none"></TNCCS-Recommendation></XML></TNCC-TNCS-Message></TNCCS-Batch>'
6898 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6899 4 + 1 + 1 + len(resp),
6900 EAP_TYPE_TNC, 0x01) + resp
6901 idx += 1
6902 if ctx['num'] == idx:
6903 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6904
6905 idx += 1
6906 if ctx['num'] == idx:
6907 logger.info("Test: TNCCS-Recommendation type=isolate")
6908 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6909 4 + 1 + 1,
6910 EAP_TYPE_TNC, 0x21)
6911 idx += 1
6912 if ctx['num'] == idx:
6913 logger.info("Received TNCCS-Batch: " + req[6:])
6914 resp = '<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML><TNCCS-Recommendation type="isolate"></TNCCS-Recommendation></XML></TNCC-TNCS-Message></TNCCS-Batch>'
6915 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6916 4 + 1 + 1 + len(resp),
6917 EAP_TYPE_TNC, 0x01) + resp
6918 idx += 1
6919 if ctx['num'] == idx:
6920 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6921
6922 logger.info("No more test responses available - test case completed")
6923 global eap_proto_tnc_test_done
6924 eap_proto_tnc_test_done = True
6925 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6926
6927 srv = start_radius_server(tnc_handler)
6928
6929 try:
6930 hapd = start_ap(apdev[0]['ifname'])
6931
6932 i = 0
6933 while not eap_proto_tnc_test_done:
6934 i += 1
6935 logger.info("Running connection iteration %d" % i)
6936 frag = 1400
6937 if i == 8:
6938 frag = 150
6939 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6940 eap="TNC", identity="tnc", fragment_size=str(frag),
6941 wait_connect=False)
6942 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
6943 if ev is None:
6944 raise Exception("Timeout on EAP start")
6945 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
6946 "CTRL-EVENT-EAP-STATUS"], timeout=5)
6947 if ev is None:
6948 raise Exception("Timeout on EAP method start")
6949 time.sleep(0.1)
6950 dev[0].request("REMOVE_NETWORK all")
6951 dev[0].wait_disconnected(timeout=1)
6952 dev[0].dump_monitor()
6953 finally:
6954 stop_radius_server(srv)
Unnamed repository; edit this file 'description' to name the repository.