]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_eap_proto.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: EAP-LEAP protocol tests (error paths)
[thirdparty/hostap.git] / tests / hwsim / test_eap_proto.py
1 # EAP protocol tests
2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import binascii
8 import hashlib
9 import hmac
10 import logging
11 logger = logging.getLogger()
12 import select
13 import struct
14 import threading
15 import time
16
17 import hostapd
18 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
19 from test_ap_eap import check_eap_capa, check_hlr_auc_gw_support
20 from test_erp import check_erp_capa
21
22 EAP_CODE_REQUEST = 1
23 EAP_CODE_RESPONSE = 2
24 EAP_CODE_SUCCESS = 3
25 EAP_CODE_FAILURE = 4
26 EAP_CODE_INITIATE = 5
27 EAP_CODE_FINISH = 6
28
29 EAP_TYPE_IDENTITY = 1
30 EAP_TYPE_NOTIFICATION = 2
31 EAP_TYPE_NAK = 3
32 EAP_TYPE_MD5 = 4
33 EAP_TYPE_OTP = 5
34 EAP_TYPE_GTC = 6
35 EAP_TYPE_TLS = 13
36 EAP_TYPE_LEAP = 17
37 EAP_TYPE_SIM = 18
38 EAP_TYPE_TTLS = 21
39 EAP_TYPE_AKA = 23
40 EAP_TYPE_PEAP = 25
41 EAP_TYPE_MSCHAPV2 = 26
42 EAP_TYPE_TLV = 33
43 EAP_TYPE_TNC = 38
44 EAP_TYPE_FAST = 43
45 EAP_TYPE_PAX = 46
46 EAP_TYPE_PSK = 47
47 EAP_TYPE_SAKE = 48
48 EAP_TYPE_IKEV2 = 49
49 EAP_TYPE_AKA_PRIME = 50
50 EAP_TYPE_GPSK = 51
51 EAP_TYPE_PWD = 52
52 EAP_TYPE_EKE = 53
53 EAP_TYPE_EXPANDED = 254
54
55 # Type field in EAP-Initiate and EAP-Finish messages
56 EAP_ERP_TYPE_REAUTH_START = 1
57 EAP_ERP_TYPE_REAUTH = 2
58
59 EAP_ERP_TLV_KEYNAME_NAI = 1
60 EAP_ERP_TV_RRK_LIFETIME = 2
61 EAP_ERP_TV_RMSK_LIFETIME = 3
62 EAP_ERP_TLV_DOMAIN_NAME = 4
63 EAP_ERP_TLV_CRYPTOSUITES = 5
64 EAP_ERP_TLV_AUTHORIZATION_INDICATION = 6
65 EAP_ERP_TLV_CALLED_STATION_ID = 128
66 EAP_ERP_TLV_CALLING_STATION_ID = 129
67 EAP_ERP_TLV_NAS_IDENTIFIER = 130
68 EAP_ERP_TLV_NAS_IP_ADDRESS = 131
69 EAP_ERP_TLV_NAS_IPV6_ADDRESS = 132
70
71 def run_pyrad_server(srv, t_stop, eap_handler):
72 srv.RunWithStop(t_stop, eap_handler)
73
74 def start_radius_server(eap_handler):
75 try:
76 import pyrad.server
77 import pyrad.packet
78 import pyrad.dictionary
79 except ImportError:
80 raise HwsimSkip("No pyrad modules available")
81
82 class TestServer(pyrad.server.Server):
83 def _HandleAuthPacket(self, pkt):
84 pyrad.server.Server._HandleAuthPacket(self, pkt)
85 eap = ""
86 for p in pkt[79]:
87 eap += p
88 eap_req = self.eap_handler(self.ctx, eap)
89 reply = self.CreateReplyPacket(pkt)
90 if eap_req:
91 while True:
92 if len(eap_req) > 253:
93 reply.AddAttribute("EAP-Message", eap_req[0:253])
94 eap_req = eap_req[253:]
95 else:
96 reply.AddAttribute("EAP-Message", eap_req)
97 break
98 else:
99 logger.info("No EAP request available")
100 reply.code = pyrad.packet.AccessChallenge
101
102 hmac_obj = hmac.new(reply.secret)
103 hmac_obj.update(struct.pack("B", reply.code))
104 hmac_obj.update(struct.pack("B", reply.id))
105
106 # reply attributes
107 reply.AddAttribute("Message-Authenticator",
108 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
109 attrs = reply._PktEncodeAttributes()
110
111 # Length
112 flen = 4 + 16 + len(attrs)
113 hmac_obj.update(struct.pack(">H", flen))
114 hmac_obj.update(pkt.authenticator)
115 hmac_obj.update(attrs)
116 del reply[80]
117 reply.AddAttribute("Message-Authenticator", hmac_obj.digest())
118
119 self.SendReplyPacket(pkt.fd, reply)
120
121 def RunWithStop(self, t_stop, eap_handler):
122 self._poll = select.poll()
123 self._fdmap = {}
124 self._PrepareSockets()
125 self.t_stop = t_stop
126 self.eap_handler = eap_handler
127 self.ctx = {}
128
129 while not t_stop.is_set():
130 for (fd, event) in self._poll.poll(200):
131 if event == select.POLLIN:
132 try:
133 fdo = self._fdmap[fd]
134 self._ProcessInput(fdo)
135 except pyrad.server.ServerPacketError as err:
136 logger.info("pyrad server dropping packet: " + str(err))
137 except pyrad.packet.PacketError as err:
138 logger.info("pyrad server received invalid packet: " + str(err))
139 else:
140 logger.error("Unexpected event in pyrad server main loop")
141
142 srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
143 authport=18138, acctport=18139)
144 srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
145 "radius",
146 "localhost")
147 srv.BindToAddress("")
148 t_stop = threading.Event()
149 t = threading.Thread(target=run_pyrad_server, args=(srv, t_stop, eap_handler))
150 t.start()
151
152 return { 'srv': srv, 'stop': t_stop, 'thread': t }
153
154 def stop_radius_server(srv):
155 srv['stop'].set()
156 srv['thread'].join()
157
158 def start_ap(ifname):
159 params = hostapd.wpa2_eap_params(ssid="eap-test")
160 params['auth_server_port'] = "18138"
161 hapd = hostapd.add_ap(ifname, params)
162 return hapd
163
164 def test_eap_proto(dev, apdev):
165 """EAP protocol tests"""
166 check_eap_capa(dev[0], "MD5")
167 def eap_handler(ctx, req):
168 logger.info("eap_handler - RX " + req.encode("hex"))
169 if 'num' not in ctx:
170 ctx['num'] = 0
171 ctx['num'] = ctx['num'] + 1
172 if 'id' not in ctx:
173 ctx['id'] = 1
174 ctx['id'] = (ctx['id'] + 1) % 256
175 idx = 0
176
177 idx += 1
178 if ctx['num'] == idx:
179 logger.info("Test: MD5 challenge")
180 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
181 4 + 1 + 3,
182 EAP_TYPE_MD5,
183 1, 0xaa, ord('n'))
184 idx += 1
185 if ctx['num'] == idx:
186 logger.info("Test: EAP-Success - id off by 2")
187 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] + 1, 4)
188
189 idx += 1
190 if ctx['num'] == idx:
191 logger.info("Test: MD5 challenge")
192 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
193 4 + 1 + 3,
194 EAP_TYPE_MD5,
195 1, 0xaa, ord('n'))
196 idx += 1
197 if ctx['num'] == idx:
198 logger.info("Test: EAP-Success - id off by 3")
199 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] + 2, 4)
200
201 idx += 1
202 if ctx['num'] == idx:
203 logger.info("Test: MD5 challenge")
204 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
205 4 + 1 + 3,
206 EAP_TYPE_MD5,
207 1, 0xaa, ord('n'))
208 idx += 1
209 if ctx['num'] == idx:
210 logger.info("Test: EAP-Notification/Request")
211 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
212 4 + 1 + 1,
213 EAP_TYPE_NOTIFICATION,
214 ord('A'))
215 idx += 1
216 if ctx['num'] == idx:
217 logger.info("Test: EAP-Success")
218 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
219
220 idx += 1
221 if ctx['num'] == idx:
222 logger.info("Test: EAP-Notification/Request")
223 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
224 4 + 1 + 1,
225 EAP_TYPE_NOTIFICATION,
226 ord('B'))
227 idx += 1
228 if ctx['num'] == idx:
229 logger.info("Test: MD5 challenge")
230 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
231 4 + 1 + 3,
232 EAP_TYPE_MD5,
233 1, 0xaa, ord('n'))
234 idx += 1
235 if ctx['num'] == idx:
236 logger.info("Test: EAP-Success")
237 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
238
239 idx += 1
240 if ctx['num'] == idx:
241 logger.info("Test: EAP-Notification/Request")
242 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
243 4 + 1 + 1,
244 EAP_TYPE_NOTIFICATION,
245 ord('C'))
246 idx += 1
247 if ctx['num'] == idx:
248 logger.info("Test: MD5 challenge")
249 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
250 4 + 1 + 3,
251 EAP_TYPE_MD5,
252 1, 0xaa, ord('n'))
253 idx += 1
254 if ctx['num'] == idx:
255 logger.info("Test: EAP-Notification/Request")
256 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
257 4 + 1 + 1,
258 EAP_TYPE_NOTIFICATION,
259 ord('D'))
260 idx += 1
261 if ctx['num'] == idx:
262 logger.info("Test: EAP-Success")
263 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
264
265 idx += 1
266 if ctx['num'] == idx:
267 logger.info("Test: EAP-Notification/Request")
268 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
269 4 + 1 + 1,
270 EAP_TYPE_NOTIFICATION,
271 ord('E'))
272 idx += 1
273 if ctx['num'] == idx:
274 logger.info("Test: EAP-Notification/Request (same id)")
275 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'] - 1,
276 4 + 1 + 1,
277 EAP_TYPE_NOTIFICATION,
278 ord('F'))
279 idx += 1
280 if ctx['num'] == idx:
281 logger.info("Test: Unexpected EAP-Success")
282 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 2, 4)
283
284 return None
285
286 srv = start_radius_server(eap_handler)
287
288 try:
289 hapd = start_ap(apdev[0]['ifname'])
290
291 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
292 eap="MD5", identity="user", password="password",
293 wait_connect=False)
294 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
295 if ev is None:
296 raise Exception("Timeout on EAP start")
297 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
298 if ev is None:
299 raise Exception("Timeout on EAP success")
300 dev[0].request("REMOVE_NETWORK all")
301
302 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
303 eap="MD5", identity="user", password="password",
304 wait_connect=False)
305 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
306 if ev is None:
307 raise Exception("Timeout on EAP start")
308 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=1)
309 if ev is not None:
310 raise Exception("Unexpected EAP success")
311 dev[0].request("REMOVE_NETWORK all")
312
313 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
314 eap="MD5", identity="user", password="password",
315 wait_connect=False)
316 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
317 if ev is None:
318 raise Exception("Timeout on EAP start")
319 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
320 if ev is None:
321 raise Exception("Timeout on EAP notification")
322 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION A":
323 raise Exception("Unexpected notification contents: " + ev)
324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
325 if ev is None:
326 raise Exception("Timeout on EAP success")
327 dev[0].request("REMOVE_NETWORK all")
328
329 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
330 eap="MD5", identity="user", password="password",
331 wait_connect=False)
332 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
333 if ev is None:
334 raise Exception("Timeout on EAP notification")
335 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION B":
336 raise Exception("Unexpected notification contents: " + ev)
337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
338 if ev is None:
339 raise Exception("Timeout on EAP start")
340 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
341 if ev is None:
342 raise Exception("Timeout on EAP success")
343 dev[0].request("REMOVE_NETWORK all")
344
345 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
346 eap="MD5", identity="user", password="password",
347 wait_connect=False)
348 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
349 if ev is None:
350 raise Exception("Timeout on EAP notification")
351 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION C":
352 raise Exception("Unexpected notification contents: " + ev)
353 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
354 if ev is None:
355 raise Exception("Timeout on EAP start")
356 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
357 if ev is None:
358 raise Exception("Timeout on EAP notification")
359 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION D":
360 raise Exception("Unexpected notification contents: " + ev)
361 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
362 if ev is None:
363 raise Exception("Timeout on EAP success")
364 dev[0].request("REMOVE_NETWORK all")
365
366 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
367 eap="MD5", identity="user", password="password",
368 wait_connect=False)
369 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
370 if ev is None:
371 raise Exception("Timeout on EAP notification")
372 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION E":
373 raise Exception("Unexpected notification contents: " + ev)
374 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
375 if ev is None:
376 raise Exception("Timeout on EAP notification")
377 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION F":
378 raise Exception("Unexpected notification contents: " + ev)
379 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
380 if ev is None:
381 raise Exception("Timeout on EAP failure")
382 dev[0].request("REMOVE_NETWORK all")
383 finally:
384 stop_radius_server(srv)
385
386 EAP_SAKE_VERSION = 2
387
388 EAP_SAKE_SUBTYPE_CHALLENGE = 1
389 EAP_SAKE_SUBTYPE_CONFIRM = 2
390 EAP_SAKE_SUBTYPE_AUTH_REJECT = 3
391 EAP_SAKE_SUBTYPE_IDENTITY = 4
392
393 EAP_SAKE_AT_RAND_S = 1
394 EAP_SAKE_AT_RAND_P = 2
395 EAP_SAKE_AT_MIC_S = 3
396 EAP_SAKE_AT_MIC_P = 4
397 EAP_SAKE_AT_SERVERID = 5
398 EAP_SAKE_AT_PEERID = 6
399 EAP_SAKE_AT_SPI_S = 7
400 EAP_SAKE_AT_SPI_P = 8
401 EAP_SAKE_AT_ANY_ID_REQ = 9
402 EAP_SAKE_AT_PERM_ID_REQ = 10
403 EAP_SAKE_AT_ENCR_DATA = 128
404 EAP_SAKE_AT_IV = 129
405 EAP_SAKE_AT_PADDING = 130
406 EAP_SAKE_AT_NEXT_TMPID = 131
407 EAP_SAKE_AT_MSK_LIFE = 132
408
409 def test_eap_proto_sake(dev, apdev):
410 """EAP-SAKE protocol tests"""
411 global eap_proto_sake_test_done
412 eap_proto_sake_test_done = False
413
414 def sake_challenge(ctx):
415 logger.info("Test: Challenge subtype")
416 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
417 4 + 1 + 3 + 18,
418 EAP_TYPE_SAKE,
419 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
420 EAP_SAKE_AT_RAND_S, 18, 0, 0, 0, 0)
421
422 def sake_handler(ctx, req):
423 logger.info("sake_handler - RX " + req.encode("hex"))
424 if 'num' not in ctx:
425 ctx['num'] = 0
426 ctx['num'] += 1
427 if 'id' not in ctx:
428 ctx['id'] = 1
429 ctx['id'] = (ctx['id'] + 1) % 256
430 idx = 0
431
432 idx += 1
433 if ctx['num'] == idx:
434 logger.info("Test: Missing payload")
435 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1,
436 EAP_TYPE_SAKE)
437
438 idx += 1
439 if ctx['num'] == idx:
440 logger.info("Test: Identity subtype without any attributes")
441 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
442 4 + 1 + 3,
443 EAP_TYPE_SAKE,
444 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY)
445
446 idx += 1
447 if ctx['num'] == idx:
448 logger.info("Test: Identity subtype")
449 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
450 4 + 1 + 3 + 4,
451 EAP_TYPE_SAKE,
452 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
453 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
454 idx += 1
455 if ctx['num'] == idx:
456 logger.info("Test: Identity subtype (different session id)")
457 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
458 4 + 1 + 3 + 4,
459 EAP_TYPE_SAKE,
460 EAP_SAKE_VERSION, 1, EAP_SAKE_SUBTYPE_IDENTITY,
461 EAP_SAKE_AT_PERM_ID_REQ, 4, 0)
462
463 idx += 1
464 if ctx['num'] == idx:
465 logger.info("Test: Identity subtype with too short attribute")
466 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
467 4 + 1 + 3 + 2,
468 EAP_TYPE_SAKE,
469 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
470 EAP_SAKE_AT_ANY_ID_REQ, 2)
471
472 idx += 1
473 if ctx['num'] == idx:
474 logger.info("Test: Identity subtype with truncated attribute")
475 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
476 4 + 1 + 3 + 2,
477 EAP_TYPE_SAKE,
478 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
479 EAP_SAKE_AT_ANY_ID_REQ, 4)
480
481 idx += 1
482 if ctx['num'] == idx:
483 logger.info("Test: Identity subtype with too short attribute header")
484 payload = struct.pack("B", EAP_SAKE_AT_ANY_ID_REQ)
485 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
486 4 + 1 + 3 + len(payload),
487 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
488 EAP_SAKE_SUBTYPE_IDENTITY) + payload
489
490 idx += 1
491 if ctx['num'] == idx:
492 logger.info("Test: Identity subtype with AT_IV but not AT_ENCR_DATA")
493 payload = struct.pack("BB", EAP_SAKE_AT_IV, 2)
494 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
495 4 + 1 + 3 + len(payload),
496 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
497 EAP_SAKE_SUBTYPE_IDENTITY) + payload
498
499 idx += 1
500 if ctx['num'] == idx:
501 logger.info("Test: Identity subtype with skippable and non-skippable unknown attribute")
502 payload = struct.pack("BBBB", 255, 2, 127, 2)
503 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
504 4 + 1 + 3 + len(payload),
505 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
506 EAP_SAKE_SUBTYPE_IDENTITY) + payload
507
508 idx += 1
509 if ctx['num'] == idx:
510 logger.info("Test: Identity subtype: AT_RAND_P with invalid payload length")
511 payload = struct.pack("BB", EAP_SAKE_AT_RAND_P, 2)
512 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
513 4 + 1 + 3 + len(payload),
514 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
515 EAP_SAKE_SUBTYPE_IDENTITY) + payload
516
517 idx += 1
518 if ctx['num'] == idx:
519 logger.info("Test: Identity subtype: AT_MIC_P with invalid payload length")
520 payload = struct.pack("BB", EAP_SAKE_AT_MIC_P, 2)
521 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
522 4 + 1 + 3 + len(payload),
523 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
524 EAP_SAKE_SUBTYPE_IDENTITY) + payload
525
526 idx += 1
527 if ctx['num'] == idx:
528 logger.info("Test: Identity subtype: AT_PERM_ID_REQ with invalid payload length")
529 payload = struct.pack("BBBBBBBBBBBBBB",
530 EAP_SAKE_AT_SPI_S, 2,
531 EAP_SAKE_AT_SPI_P, 2,
532 EAP_SAKE_AT_ENCR_DATA, 2,
533 EAP_SAKE_AT_NEXT_TMPID, 2,
534 EAP_SAKE_AT_PERM_ID_REQ, 4, 0, 0,
535 EAP_SAKE_AT_PERM_ID_REQ, 2)
536 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
537 4 + 1 + 3 + len(payload),
538 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
539 EAP_SAKE_SUBTYPE_IDENTITY) + payload
540
541 idx += 1
542 if ctx['num'] == idx:
543 logger.info("Test: Identity subtype: AT_PADDING")
544 payload = struct.pack("BBBBBB",
545 EAP_SAKE_AT_PADDING, 3, 0,
546 EAP_SAKE_AT_PADDING, 3, 1)
547 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
548 4 + 1 + 3 + len(payload),
549 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
550 EAP_SAKE_SUBTYPE_IDENTITY) + payload
551
552 idx += 1
553 if ctx['num'] == idx:
554 logger.info("Test: Identity subtype: AT_MSK_LIFE")
555 payload = struct.pack(">BBLBBH",
556 EAP_SAKE_AT_MSK_LIFE, 6, 0,
557 EAP_SAKE_AT_MSK_LIFE, 4, 0)
558 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
559 4 + 1 + 3 + len(payload),
560 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
561 EAP_SAKE_SUBTYPE_IDENTITY) + payload
562
563 idx += 1
564 if ctx['num'] == idx:
565 logger.info("Test: Identity subtype with invalid attribute length")
566 payload = struct.pack("BB", EAP_SAKE_AT_ANY_ID_REQ, 0)
567 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
568 4 + 1 + 3 + len(payload),
569 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
570 EAP_SAKE_SUBTYPE_IDENTITY) + payload
571
572 idx += 1
573 if ctx['num'] == idx:
574 logger.info("Test: Unknown subtype")
575 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
576 4 + 1 + 3,
577 EAP_TYPE_SAKE,
578 EAP_SAKE_VERSION, 0, 123)
579
580 idx += 1
581 if ctx['num'] == idx:
582 logger.info("Test: Challenge subtype without any attributes")
583 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
584 4 + 1 + 3,
585 EAP_TYPE_SAKE,
586 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE)
587
588 idx += 1
589 if ctx['num'] == idx:
590 logger.info("Test: Challenge subtype with too short AT_RAND_S")
591 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
592 4 + 1 + 3 + 2,
593 EAP_TYPE_SAKE,
594 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
595 EAP_SAKE_AT_RAND_S, 2)
596
597 idx += 1
598 if ctx['num'] == idx:
599 return sake_challenge(ctx)
600 idx += 1
601 if ctx['num'] == idx:
602 logger.info("Test: Unexpected Identity subtype")
603 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
604 4 + 1 + 3 + 4,
605 EAP_TYPE_SAKE,
606 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
607 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
608
609 idx += 1
610 if ctx['num'] == idx:
611 return sake_challenge(ctx)
612 idx += 1
613 if ctx['num'] == idx:
614 logger.info("Test: Unexpected Challenge subtype")
615 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
616 4 + 1 + 3 + 18,
617 EAP_TYPE_SAKE,
618 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
619 EAP_SAKE_AT_RAND_S, 18, 0, 0, 0, 0)
620
621 idx += 1
622 if ctx['num'] == idx:
623 return sake_challenge(ctx)
624 idx += 1
625 if ctx['num'] == idx:
626 logger.info("Test: Confirm subtype without any attributes")
627 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
628 4 + 1 + 3,
629 EAP_TYPE_SAKE,
630 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM)
631
632 idx += 1
633 if ctx['num'] == idx:
634 return sake_challenge(ctx)
635 idx += 1
636 if ctx['num'] == idx:
637 logger.info("Test: Confirm subtype with too short AT_MIC_S")
638 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
639 4 + 1 + 3 + 2,
640 EAP_TYPE_SAKE,
641 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
642 EAP_SAKE_AT_MIC_S, 2)
643
644 idx += 1
645 if ctx['num'] == idx:
646 logger.info("Test: Unexpected Confirm subtype")
647 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
648 4 + 1 + 3 + 18,
649 EAP_TYPE_SAKE,
650 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
651 EAP_SAKE_AT_MIC_S, 18, 0, 0, 0, 0)
652
653 idx += 1
654 if ctx['num'] == idx:
655 return sake_challenge(ctx)
656 idx += 1
657 if ctx['num'] == idx:
658 logger.info("Test: Confirm subtype with incorrect AT_MIC_S")
659 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
660 4 + 1 + 3 + 18,
661 EAP_TYPE_SAKE,
662 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
663 EAP_SAKE_AT_MIC_S, 18, 0, 0, 0, 0)
664
665 global eap_proto_sake_test_done
666 if eap_proto_sake_test_done:
667 return sake_challenge(ctx)
668
669 logger.info("No more test responses available - test case completed")
670 eap_proto_sake_test_done = True
671 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
672
673 srv = start_radius_server(sake_handler)
674
675 try:
676 hapd = start_ap(apdev[0]['ifname'])
677
678 while not eap_proto_sake_test_done:
679 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
680 eap="SAKE", identity="sake user",
681 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
682 wait_connect=False)
683 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
684 if ev is None:
685 raise Exception("Timeout on EAP start")
686 time.sleep(0.1)
687 dev[0].request("REMOVE_NETWORK all")
688
689 logger.info("Too short password")
690 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
691 eap="SAKE", identity="sake user",
692 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
693 wait_connect=False)
694 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
695 if ev is None:
696 raise Exception("Timeout on EAP start")
697 time.sleep(0.1)
698 finally:
699 stop_radius_server(srv)
700
701 def test_eap_proto_sake_errors(dev, apdev):
702 """EAP-SAKE local error cases"""
703 check_eap_capa(dev[0], "SAKE")
704 params = hostapd.wpa2_eap_params(ssid="eap-test")
705 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
706
707 for i in range(1, 3):
708 with alloc_fail(dev[0], i, "eap_sake_init"):
709 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
710 eap="SAKE", identity="sake user",
711 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
712 wait_connect=False)
713 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
714 timeout=15)
715 if ev is None:
716 raise Exception("Timeout on EAP start")
717 dev[0].request("REMOVE_NETWORK all")
718 dev[0].wait_disconnected()
719
720 tests = [ ( 1, "eap_msg_alloc;eap_sake_build_msg;eap_sake_process_challenge" ),
721 ( 1, "=eap_sake_process_challenge" ),
722 ( 1, "eap_sake_compute_mic;eap_sake_process_challenge" ),
723 ( 1, "eap_sake_build_msg;eap_sake_process_confirm" ),
724 ( 2, "eap_sake_compute_mic;eap_sake_process_confirm" ),
725 ( 1, "eap_sake_getKey" ),
726 ( 1, "eap_sake_get_emsk" ),
727 ( 1, "eap_sake_get_session_id" ) ]
728 for count, func in tests:
729 with alloc_fail(dev[0], count, func):
730 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
731 eap="SAKE", identity="sake user",
732 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
733 erp="1",
734 wait_connect=False)
735 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
736 timeout=15)
737 if ev is None:
738 raise Exception("Timeout on EAP start")
739 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
740 dev[0].request("REMOVE_NETWORK all")
741 dev[0].wait_disconnected()
742
743 with fail_test(dev[0], 1, "os_get_random;eap_sake_process_challenge"):
744 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
745 eap="SAKE", identity="sake user",
746 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
747 wait_connect=False)
748 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
749 if ev is None:
750 raise Exception("Timeout on EAP start")
751 wait_fail_trigger(dev[0], "GET_FAIL")
752 dev[0].request("REMOVE_NETWORK all")
753 dev[0].wait_disconnected()
754
755 def test_eap_proto_sake_errors2(dev, apdev):
756 """EAP-SAKE protocol tests (2)"""
757 def sake_handler(ctx, req):
758 logger.info("sake_handler - RX " + req.encode("hex"))
759 if 'num' not in ctx:
760 ctx['num'] = 0
761 ctx['num'] += 1
762 if 'id' not in ctx:
763 ctx['id'] = 1
764 ctx['id'] = (ctx['id'] + 1) % 256
765 idx = 0
766
767 idx += 1
768 if ctx['num'] == idx:
769 logger.info("Test: Identity subtype")
770 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
771 4 + 1 + 3 + 4,
772 EAP_TYPE_SAKE,
773 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
774 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
775
776 srv = start_radius_server(sake_handler)
777
778 try:
779 hapd = start_ap(apdev[0]['ifname'])
780
781 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_sake_build_msg;eap_sake_process_identity"):
782 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
783 eap="SAKE", identity="sake user",
784 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
785 wait_connect=False)
786 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
787 timeout=15)
788 if ev is None:
789 raise Exception("Timeout on EAP start")
790 dev[0].request("REMOVE_NETWORK all")
791 dev[0].wait_disconnected()
792
793 finally:
794 stop_radius_server(srv)
795
796 def test_eap_proto_leap(dev, apdev):
797 """EAP-LEAP protocol tests"""
798 check_eap_capa(dev[0], "LEAP")
799 def leap_handler(ctx, req):
800 logger.info("leap_handler - RX " + req.encode("hex"))
801 if 'num' not in ctx:
802 ctx['num'] = 0
803 ctx['num'] = ctx['num'] + 1
804 if 'id' not in ctx:
805 ctx['id'] = 1
806 ctx['id'] = (ctx['id'] + 1) % 256
807
808 if ctx['num'] == 1:
809 logger.info("Test: Missing payload")
810 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
811 4 + 1,
812 EAP_TYPE_LEAP)
813
814 if ctx['num'] == 2:
815 logger.info("Test: Unexpected version")
816 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
817 4 + 1 + 3,
818 EAP_TYPE_LEAP,
819 0, 0, 0)
820
821 if ctx['num'] == 3:
822 logger.info("Test: Invalid challenge length")
823 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
824 4 + 1 + 3,
825 EAP_TYPE_LEAP,
826 1, 0, 0)
827
828 if ctx['num'] == 4:
829 logger.info("Test: Truncated challenge")
830 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
831 4 + 1 + 3,
832 EAP_TYPE_LEAP,
833 1, 0, 8)
834
835 if ctx['num'] == 5:
836 logger.info("Test: Valid challenge")
837 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
838 4 + 1 + 3 + 8,
839 EAP_TYPE_LEAP,
840 1, 0, 8, 0, 0)
841 if ctx['num'] == 6:
842 logger.info("Test: Missing payload in Response")
843 return struct.pack(">BBHB", EAP_CODE_RESPONSE, ctx['id'],
844 4 + 1,
845 EAP_TYPE_LEAP)
846
847 if ctx['num'] == 7:
848 logger.info("Test: Valid challenge")
849 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
850 4 + 1 + 3 + 8,
851 EAP_TYPE_LEAP,
852 1, 0, 8, 0, 0)
853 if ctx['num'] == 8:
854 logger.info("Test: Unexpected version in Response")
855 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
856 4 + 1 + 3,
857 EAP_TYPE_LEAP,
858 0, 0, 8)
859
860 if ctx['num'] == 9:
861 logger.info("Test: Valid challenge")
862 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
863 4 + 1 + 3 + 8,
864 EAP_TYPE_LEAP,
865 1, 0, 8, 0, 0)
866 if ctx['num'] == 10:
867 logger.info("Test: Invalid challenge length in Response")
868 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
869 4 + 1 + 3,
870 EAP_TYPE_LEAP,
871 1, 0, 0)
872
873 if ctx['num'] == 11:
874 logger.info("Test: Valid challenge")
875 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
876 4 + 1 + 3 + 8,
877 EAP_TYPE_LEAP,
878 1, 0, 8, 0, 0)
879 if ctx['num'] == 12:
880 logger.info("Test: Truncated challenge in Response")
881 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
882 4 + 1 + 3,
883 EAP_TYPE_LEAP,
884 1, 0, 24)
885
886 if ctx['num'] == 13:
887 logger.info("Test: Valid challenge")
888 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
889 4 + 1 + 3 + 8,
890 EAP_TYPE_LEAP,
891 1, 0, 8, 0, 0)
892 if ctx['num'] == 14:
893 logger.info("Test: Invalid challange value in Response")
894 return struct.pack(">BBHBBBB6L", EAP_CODE_RESPONSE, ctx['id'],
895 4 + 1 + 3 + 24,
896 EAP_TYPE_LEAP,
897 1, 0, 24,
898 0, 0, 0, 0, 0, 0)
899
900 if ctx['num'] == 15:
901 logger.info("Test: Valid challenge")
902 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
903 4 + 1 + 3 + 8,
904 EAP_TYPE_LEAP,
905 1, 0, 8, 0, 0)
906 if ctx['num'] == 16:
907 logger.info("Test: Valid challange value in Response")
908 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
909 4 + 1 + 3 + 24,
910 EAP_TYPE_LEAP,
911 1, 0, 24,
912 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
913 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
914 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
915
916 if ctx['num'] == 17:
917 logger.info("Test: Valid challenge")
918 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
919 4 + 1 + 3 + 8,
920 EAP_TYPE_LEAP,
921 1, 0, 8, 0, 0)
922 if ctx['num'] == 18:
923 logger.info("Test: Success")
924 return struct.pack(">BBHB", EAP_CODE_SUCCESS, ctx['id'],
925 4 + 1,
926 EAP_TYPE_LEAP)
927 # hostapd will drop the next frame in the sequence
928
929 if ctx['num'] == 19:
930 logger.info("Test: Valid challenge")
931 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
932 4 + 1 + 3 + 8,
933 EAP_TYPE_LEAP,
934 1, 0, 8, 0, 0)
935 if ctx['num'] == 20:
936 logger.info("Test: Failure")
937 return struct.pack(">BBHB", EAP_CODE_FAILURE, ctx['id'],
938 4 + 1,
939 EAP_TYPE_LEAP)
940
941 return None
942
943 srv = start_radius_server(leap_handler)
944
945 try:
946 hapd = start_ap(apdev[0]['ifname'])
947
948 for i in range(0, 12):
949 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
950 eap="LEAP", identity="user", password="password",
951 wait_connect=False)
952 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
953 if ev is None:
954 raise Exception("Timeout on EAP start")
955 time.sleep(0.1)
956 if i == 10:
957 logger.info("Wait for additional roundtrip")
958 time.sleep(1)
959 dev[0].request("REMOVE_NETWORK all")
960 finally:
961 stop_radius_server(srv)
962
963 def test_eap_proto_leap_errors(dev, apdev):
964 """EAP-LEAP protocol tests (error paths)"""
965 check_eap_capa(dev[0], "LEAP")
966
967 def leap_handler2(ctx, req):
968 logger.info("leap_handler2 - RX " + req.encode("hex"))
969 if 'num' not in ctx:
970 ctx['num'] = 0
971 ctx['num'] = ctx['num'] + 1
972 if 'id' not in ctx:
973 ctx['id'] = 1
974 ctx['id'] = (ctx['id'] + 1) % 256
975 idx = 0
976
977 idx += 1
978 if ctx['num'] == idx:
979 logger.info("Test: Valid challenge")
980 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
981 4 + 1 + 3 + 8,
982 EAP_TYPE_LEAP,
983 1, 0, 8, 0, 0)
984 idx += 1
985 if ctx['num'] == idx:
986 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
987
988 idx += 1
989 if ctx['num'] == idx:
990 logger.info("Test: Valid challenge")
991 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
992 4 + 1 + 3 + 8,
993 EAP_TYPE_LEAP,
994 1, 0, 8, 0, 0)
995
996 idx += 1
997 if ctx['num'] == idx:
998 logger.info("Test: Valid challenge")
999 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1000 4 + 1 + 3 + 8,
1001 EAP_TYPE_LEAP,
1002 1, 0, 8, 0, 0)
1003 idx += 1
1004 if ctx['num'] == idx:
1005 logger.info("Test: Success")
1006 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
1007
1008 idx += 1
1009 if ctx['num'] == idx:
1010 logger.info("Test: Valid challenge")
1011 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1012 4 + 1 + 3 + 8,
1013 EAP_TYPE_LEAP,
1014 1, 0, 8, 0, 0)
1015 idx += 1
1016 if ctx['num'] == idx:
1017 logger.info("Test: Success")
1018 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
1019
1020 idx += 1
1021 if ctx['num'] == idx:
1022 logger.info("Test: Valid challenge")
1023 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1024 4 + 1 + 3 + 8,
1025 EAP_TYPE_LEAP,
1026 1, 0, 8, 0, 0)
1027 idx += 1
1028 if ctx['num'] == idx:
1029 logger.info("Test: Valid challange value in Response")
1030 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1031 4 + 1 + 3 + 24,
1032 EAP_TYPE_LEAP,
1033 1, 0, 24,
1034 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1035 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1036 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1037
1038 idx += 1
1039 if ctx['num'] == idx:
1040 logger.info("Test: Valid challenge")
1041 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1042 4 + 1 + 3 + 8,
1043 EAP_TYPE_LEAP,
1044 1, 0, 8, 0, 0)
1045 idx += 1
1046 if ctx['num'] == idx:
1047 logger.info("Test: Valid challange value in Response")
1048 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1049 4 + 1 + 3 + 24,
1050 EAP_TYPE_LEAP,
1051 1, 0, 24,
1052 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1053 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1054 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1055
1056 idx += 1
1057 if ctx['num'] == idx:
1058 logger.info("Test: Valid challenge")
1059 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1060 4 + 1 + 3 + 8,
1061 EAP_TYPE_LEAP,
1062 1, 0, 8, 0, 0)
1063 idx += 1
1064 if ctx['num'] == idx:
1065 logger.info("Test: Valid challange value in Response")
1066 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1067 4 + 1 + 3 + 24,
1068 EAP_TYPE_LEAP,
1069 1, 0, 24,
1070 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1071 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1072 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1073
1074 idx += 1
1075 if ctx['num'] == idx:
1076 logger.info("Test: Valid challenge")
1077 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1078 4 + 1 + 3 + 8,
1079 EAP_TYPE_LEAP,
1080 1, 0, 8, 0, 0)
1081 idx += 1
1082 if ctx['num'] == idx:
1083 logger.info("Test: Valid challange value in Response")
1084 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1085 4 + 1 + 3 + 24,
1086 EAP_TYPE_LEAP,
1087 1, 0, 24,
1088 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1089 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1090 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1091
1092 idx += 1
1093 if ctx['num'] == idx:
1094 logger.info("Test: Valid challenge")
1095 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1096 4 + 1 + 3 + 8,
1097 EAP_TYPE_LEAP,
1098 1, 0, 8, 0, 0)
1099 idx += 1
1100 if ctx['num'] == idx:
1101 logger.info("Test: Valid challange value in Response")
1102 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1103 4 + 1 + 3 + 24,
1104 EAP_TYPE_LEAP,
1105 1, 0, 24,
1106 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1107 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1108 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1109
1110 idx += 1
1111 if ctx['num'] == idx:
1112 logger.info("Test: Valid challenge")
1113 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1114 4 + 1 + 3 + 8,
1115 EAP_TYPE_LEAP,
1116 1, 0, 8, 0, 0)
1117 idx += 1
1118 if ctx['num'] == idx:
1119 logger.info("Test: Valid challange value in Response")
1120 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1121 4 + 1 + 3 + 24,
1122 EAP_TYPE_LEAP,
1123 1, 0, 24,
1124 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1125 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1126 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1127
1128 idx += 1
1129 if ctx['num'] == idx:
1130 logger.info("Test: Valid challenge")
1131 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
1132 4 + 1 + 3 + 8,
1133 EAP_TYPE_LEAP,
1134 1, 0, 8, 0, 0)
1135 idx += 1
1136 if ctx['num'] == idx:
1137 logger.info("Test: Valid challange value in Response")
1138 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
1139 4 + 1 + 3 + 24,
1140 EAP_TYPE_LEAP,
1141 1, 0, 24,
1142 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
1143 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
1144 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
1145
1146 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1147
1148 srv = start_radius_server(leap_handler2)
1149
1150 try:
1151 hapd = start_ap(apdev[0]['ifname'])
1152
1153 with alloc_fail(dev[0], 1, "eap_leap_init"):
1154 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1155 eap="LEAP", identity="user", password="password",
1156 wait_connect=False)
1157 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1158 dev[0].request("REMOVE_NETWORK all")
1159 dev[0].wait_disconnected()
1160
1161 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_leap_process_request"):
1162 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1163 eap="LEAP", identity="user",
1164 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1165 wait_connect=False)
1166 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1167 dev[0].request("REMOVE_NETWORK all")
1168 dev[0].wait_disconnected()
1169
1170 with alloc_fail(dev[0], 1, "eap_leap_process_success"):
1171 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1172 eap="LEAP", identity="user", password="password",
1173 wait_connect=False)
1174 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1175 dev[0].request("REMOVE_NETWORK all")
1176 dev[0].wait_disconnected()
1177
1178 with fail_test(dev[0], 1, "os_get_random;eap_leap_process_success"):
1179 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1180 eap="LEAP", identity="user", password="password",
1181 wait_connect=False)
1182 wait_fail_trigger(dev[0], "GET_FAIL")
1183 dev[0].request("REMOVE_NETWORK all")
1184 dev[0].wait_disconnected()
1185
1186 with fail_test(dev[0], 1, "eap_leap_process_response"):
1187 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1188 eap="LEAP", identity="user",
1189 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1190 wait_connect=False)
1191 wait_fail_trigger(dev[0], "GET_FAIL")
1192 dev[0].request("REMOVE_NETWORK all")
1193 dev[0].wait_disconnected()
1194
1195 with fail_test(dev[0], 1, "nt_password_hash;eap_leap_process_response"):
1196 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1197 eap="LEAP", identity="user", password="password",
1198 wait_connect=False)
1199 wait_fail_trigger(dev[0], "GET_FAIL")
1200 dev[0].request("REMOVE_NETWORK all")
1201 dev[0].wait_disconnected()
1202
1203 with fail_test(dev[0], 1, "hash_nt_password_hash;eap_leap_process_response"):
1204 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1205 eap="LEAP", identity="user", password="password",
1206 wait_connect=False)
1207 wait_fail_trigger(dev[0], "GET_FAIL")
1208 dev[0].request("REMOVE_NETWORK all")
1209 dev[0].wait_disconnected()
1210
1211 with alloc_fail(dev[0], 1, "eap_leap_getKey"):
1212 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1213 eap="LEAP", identity="user",
1214 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1215 wait_connect=False)
1216 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
1217 dev[0].request("REMOVE_NETWORK all")
1218 dev[0].wait_disconnected()
1219
1220 with fail_test(dev[0], 1, "eap_leap_getKey"):
1221 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1222 eap="LEAP", identity="user",
1223 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
1224 wait_connect=False)
1225 wait_fail_trigger(dev[0], "GET_FAIL")
1226 dev[0].request("REMOVE_NETWORK all")
1227 dev[0].wait_disconnected()
1228
1229 with fail_test(dev[0], 1, "nt_password_hash;eap_leap_getKey"):
1230 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1231 eap="LEAP", identity="user", password="password",
1232 wait_connect=False)
1233 wait_fail_trigger(dev[0], "GET_FAIL")
1234 dev[0].request("REMOVE_NETWORK all")
1235 dev[0].wait_disconnected()
1236
1237 with fail_test(dev[0], 1, "hash_nt_password_hash;eap_leap_getKey"):
1238 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1239 eap="LEAP", identity="user", password="password",
1240 wait_connect=False)
1241 wait_fail_trigger(dev[0], "GET_FAIL")
1242 dev[0].request("REMOVE_NETWORK all")
1243 dev[0].wait_disconnected()
1244 finally:
1245 stop_radius_server(srv)
1246
1247 def test_eap_proto_md5(dev, apdev):
1248 """EAP-MD5 protocol tests"""
1249 check_eap_capa(dev[0], "MD5")
1250
1251 def md5_handler(ctx, req):
1252 logger.info("md5_handler - RX " + req.encode("hex"))
1253 if 'num' not in ctx:
1254 ctx['num'] = 0
1255 ctx['num'] = ctx['num'] + 1
1256 if 'id' not in ctx:
1257 ctx['id'] = 1
1258 ctx['id'] = (ctx['id'] + 1) % 256
1259
1260 if ctx['num'] == 1:
1261 logger.info("Test: Missing payload")
1262 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1263 4 + 1,
1264 EAP_TYPE_MD5)
1265
1266 if ctx['num'] == 2:
1267 logger.info("Test: Zero-length challenge")
1268 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1269 4 + 1 + 1,
1270 EAP_TYPE_MD5,
1271 0)
1272
1273 if ctx['num'] == 3:
1274 logger.info("Test: Truncated challenge")
1275 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1276 4 + 1 + 1,
1277 EAP_TYPE_MD5,
1278 1)
1279
1280 if ctx['num'] == 4:
1281 logger.info("Test: Shortest possible challenge and name")
1282 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
1283 4 + 1 + 3,
1284 EAP_TYPE_MD5,
1285 1, 0xaa, ord('n'))
1286
1287 return None
1288
1289 srv = start_radius_server(md5_handler)
1290
1291 try:
1292 hapd = start_ap(apdev[0]['ifname'])
1293
1294 for i in range(0, 4):
1295 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1296 eap="MD5", identity="user", password="password",
1297 wait_connect=False)
1298 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
1299 if ev is None:
1300 raise Exception("Timeout on EAP start")
1301 time.sleep(0.1)
1302 dev[0].request("REMOVE_NETWORK all")
1303 finally:
1304 stop_radius_server(srv)
1305
1306 def test_eap_proto_md5_errors(dev, apdev):
1307 """EAP-MD5 local error cases"""
1308 check_eap_capa(dev[0], "MD5")
1309 params = hostapd.wpa2_eap_params(ssid="eap-test")
1310 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1311
1312 with fail_test(dev[0], 1, "chap_md5"):
1313 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1314 eap="MD5", identity="phase1-user", password="password",
1315 wait_connect=False)
1316 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1317 if ev is None:
1318 raise Exception("Timeout on EAP start")
1319 dev[0].request("REMOVE_NETWORK all")
1320 dev[0].wait_disconnected()
1321
1322 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_md5_process"):
1323 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1324 eap="MD5", identity="phase1-user", password="password",
1325 wait_connect=False)
1326 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1327 if ev is None:
1328 raise Exception("Timeout on EAP start")
1329 time.sleep(0.1)
1330 dev[0].request("REMOVE_NETWORK all")
1331
1332 def test_eap_proto_otp(dev, apdev):
1333 """EAP-OTP protocol tests"""
1334 def otp_handler(ctx, req):
1335 logger.info("otp_handler - RX " + req.encode("hex"))
1336 if 'num' not in ctx:
1337 ctx['num'] = 0
1338 ctx['num'] = ctx['num'] + 1
1339 if 'id' not in ctx:
1340 ctx['id'] = 1
1341 ctx['id'] = (ctx['id'] + 1) % 256
1342
1343 if ctx['num'] == 1:
1344 logger.info("Test: Empty payload")
1345 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1346 4 + 1,
1347 EAP_TYPE_OTP)
1348 if ctx['num'] == 2:
1349 logger.info("Test: Success")
1350 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'],
1351 4)
1352
1353 if ctx['num'] == 3:
1354 logger.info("Test: Challenge included")
1355 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1356 4 + 1 + 1,
1357 EAP_TYPE_OTP,
1358 ord('A'))
1359 if ctx['num'] == 4:
1360 logger.info("Test: Success")
1361 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'],
1362 4)
1363
1364 return None
1365
1366 srv = start_radius_server(otp_handler)
1367
1368 try:
1369 hapd = start_ap(apdev[0]['ifname'])
1370
1371 for i in range(0, 1):
1372 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1373 eap="OTP", identity="user", password="password",
1374 wait_connect=False)
1375 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1376 timeout=15)
1377 if ev is None:
1378 raise Exception("Timeout on EAP start")
1379 time.sleep(0.1)
1380 dev[0].request("REMOVE_NETWORK all")
1381
1382 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1383 eap="OTP", identity="user", wait_connect=False)
1384 ev = dev[0].wait_event(["CTRL-REQ-OTP"])
1385 if ev is None:
1386 raise Exception("Request for password timed out")
1387 id = ev.split(':')[0].split('-')[-1]
1388 dev[0].request("CTRL-RSP-OTP-" + id + ":password")
1389 ev = dev[0].wait_event("CTRL-EVENT-EAP-SUCCESS")
1390 if ev is None:
1391 raise Exception("Success not reported")
1392 finally:
1393 stop_radius_server(srv)
1394
1395 EAP_GPSK_OPCODE_GPSK_1 = 1
1396 EAP_GPSK_OPCODE_GPSK_2 = 2
1397 EAP_GPSK_OPCODE_GPSK_3 = 3
1398 EAP_GPSK_OPCODE_GPSK_4 = 4
1399 EAP_GPSK_OPCODE_FAIL = 5
1400 EAP_GPSK_OPCODE_PROTECTED_FAIL = 6
1401
1402 def test_eap_proto_gpsk(dev, apdev):
1403 """EAP-GPSK protocol tests"""
1404 def gpsk_handler(ctx, req):
1405 logger.info("gpsk_handler - RX " + req.encode("hex"))
1406 if 'num' not in ctx:
1407 ctx['num'] = 0
1408 ctx['num'] = ctx['num'] + 1
1409 if 'id' not in ctx:
1410 ctx['id'] = 1
1411 ctx['id'] = (ctx['id'] + 1) % 256
1412
1413 idx = 0
1414
1415 idx += 1
1416 if ctx['num'] == idx:
1417 logger.info("Test: Missing payload")
1418 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1419 4 + 1,
1420 EAP_TYPE_GPSK)
1421
1422 idx += 1
1423 if ctx['num'] == idx:
1424 logger.info("Test: Unknown opcode")
1425 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1426 4 + 1 + 1,
1427 EAP_TYPE_GPSK,
1428 255)
1429
1430 idx += 1
1431 if ctx['num'] == idx:
1432 logger.info("Test: Unexpected GPSK-3")
1433 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1434 4 + 1 + 1,
1435 EAP_TYPE_GPSK,
1436 EAP_GPSK_OPCODE_GPSK_3)
1437
1438 idx += 1
1439 if ctx['num'] == idx:
1440 logger.info("Test: GPSK-1 Too short GPSK-1")
1441 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1442 4 + 1 + 1,
1443 EAP_TYPE_GPSK,
1444 EAP_GPSK_OPCODE_GPSK_1)
1445
1446 idx += 1
1447 if ctx['num'] == idx:
1448 logger.info("Test: GPSK-1 Truncated ID_Server")
1449 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
1450 4 + 1 + 1 + 2,
1451 EAP_TYPE_GPSK,
1452 EAP_GPSK_OPCODE_GPSK_1, 1)
1453
1454 idx += 1
1455 if ctx['num'] == idx:
1456 logger.info("Test: GPSK-1 Missing RAND_Server")
1457 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
1458 4 + 1 + 1 + 2,
1459 EAP_TYPE_GPSK,
1460 EAP_GPSK_OPCODE_GPSK_1, 0)
1461
1462 idx += 1
1463 if ctx['num'] == idx:
1464 logger.info("Test: GPSK-1 Missing CSuite_List")
1465 return struct.pack(">BBHBBH8L", EAP_CODE_REQUEST, ctx['id'],
1466 4 + 1 + 1 + 2 + 32,
1467 EAP_TYPE_GPSK,
1468 EAP_GPSK_OPCODE_GPSK_1, 0,
1469 0, 0, 0, 0, 0, 0, 0, 0)
1470
1471 idx += 1
1472 if ctx['num'] == idx:
1473 logger.info("Test: GPSK-1 Truncated CSuite_List")
1474 return struct.pack(">BBHBBH8LH", EAP_CODE_REQUEST, ctx['id'],
1475 4 + 1 + 1 + 2 + 32 + 2,
1476 EAP_TYPE_GPSK,
1477 EAP_GPSK_OPCODE_GPSK_1, 0,
1478 0, 0, 0, 0, 0, 0, 0, 0,
1479 1)
1480
1481 idx += 1
1482 if ctx['num'] == idx:
1483 logger.info("Test: GPSK-1 Empty CSuite_List")
1484 return struct.pack(">BBHBBH8LH", EAP_CODE_REQUEST, ctx['id'],
1485 4 + 1 + 1 + 2 + 32 + 2,
1486 EAP_TYPE_GPSK,
1487 EAP_GPSK_OPCODE_GPSK_1, 0,
1488 0, 0, 0, 0, 0, 0, 0, 0,
1489 0)
1490
1491 idx += 1
1492 if ctx['num'] == idx:
1493 logger.info("Test: GPSK-1 Invalid CSuite_List")
1494 return struct.pack(">BBHBBH8LHB", EAP_CODE_REQUEST, ctx['id'],
1495 4 + 1 + 1 + 2 + 32 + 2 + 1,
1496 EAP_TYPE_GPSK,
1497 EAP_GPSK_OPCODE_GPSK_1, 0,
1498 0, 0, 0, 0, 0, 0, 0, 0,
1499 1, 0)
1500
1501 idx += 1
1502 if ctx['num'] == idx:
1503 logger.info("Test: GPSK-1 No supported CSuite")
1504 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1505 4 + 1 + 1 + 2 + 32 + 2 + 6,
1506 EAP_TYPE_GPSK,
1507 EAP_GPSK_OPCODE_GPSK_1, 0,
1508 0, 0, 0, 0, 0, 0, 0, 0,
1509 6, 0, 0)
1510
1511 idx += 1
1512 if ctx['num'] == idx:
1513 logger.info("Test: GPSK-1 Supported CSuite")
1514 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1515 4 + 1 + 1 + 2 + 32 + 2 + 6,
1516 EAP_TYPE_GPSK,
1517 EAP_GPSK_OPCODE_GPSK_1, 0,
1518 0, 0, 0, 0, 0, 0, 0, 0,
1519 6, 0, 1)
1520 idx += 1
1521 if ctx['num'] == idx:
1522 logger.info("Test: Unexpected GPSK-1")
1523 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1524 4 + 1 + 1 + 2 + 32 + 2 + 6,
1525 EAP_TYPE_GPSK,
1526 EAP_GPSK_OPCODE_GPSK_1, 0,
1527 0, 0, 0, 0, 0, 0, 0, 0,
1528 6, 0, 1)
1529
1530 idx += 1
1531 if ctx['num'] == idx:
1532 logger.info("Test: GPSK-1 Supported CSuite but too short key")
1533 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1534 4 + 1 + 1 + 2 + 32 + 2 + 6,
1535 EAP_TYPE_GPSK,
1536 EAP_GPSK_OPCODE_GPSK_1, 0,
1537 0, 0, 0, 0, 0, 0, 0, 0,
1538 6, 0, 1)
1539
1540 idx += 1
1541 if ctx['num'] == idx:
1542 logger.info("Test: GPSK-1 Supported CSuite")
1543 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1544 4 + 1 + 1 + 2 + 32 + 2 + 6,
1545 EAP_TYPE_GPSK,
1546 EAP_GPSK_OPCODE_GPSK_1, 0,
1547 0, 0, 0, 0, 0, 0, 0, 0,
1548 6, 0, 1)
1549 idx += 1
1550 if ctx['num'] == idx:
1551 logger.info("Test: Too short GPSK-3")
1552 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1553 4 + 1 + 1,
1554 EAP_TYPE_GPSK,
1555 EAP_GPSK_OPCODE_GPSK_3)
1556
1557 idx += 1
1558 if ctx['num'] == idx:
1559 logger.info("Test: GPSK-1 Supported CSuite")
1560 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1561 4 + 1 + 1 + 2 + 32 + 2 + 6,
1562 EAP_TYPE_GPSK,
1563 EAP_GPSK_OPCODE_GPSK_1, 0,
1564 0, 0, 0, 0, 0, 0, 0, 0,
1565 6, 0, 1)
1566 idx += 1
1567 if ctx['num'] == idx:
1568 logger.info("Test: GPSK-3 Mismatch in RAND_Peer")
1569 return struct.pack(">BBHBB8L", EAP_CODE_REQUEST, ctx['id'],
1570 4 + 1 + 1 + 32,
1571 EAP_TYPE_GPSK,
1572 EAP_GPSK_OPCODE_GPSK_3,
1573 0, 0, 0, 0, 0, 0, 0, 0)
1574
1575 idx += 1
1576 if ctx['num'] == idx:
1577 logger.info("Test: GPSK-1 Supported CSuite")
1578 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1579 4 + 1 + 1 + 2 + 32 + 2 + 6,
1580 EAP_TYPE_GPSK,
1581 EAP_GPSK_OPCODE_GPSK_1, 0,
1582 0, 0, 0, 0, 0, 0, 0, 0,
1583 6, 0, 1)
1584 idx += 1
1585 if ctx['num'] == idx:
1586 logger.info("Test: GPSK-3 Missing RAND_Server")
1587 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1588 4 + 1 + 1 + 32,
1589 EAP_TYPE_GPSK,
1590 EAP_GPSK_OPCODE_GPSK_3)
1591 msg += req[14:46]
1592 return msg
1593
1594 idx += 1
1595 if ctx['num'] == idx:
1596 logger.info("Test: GPSK-1 Supported CSuite")
1597 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1598 4 + 1 + 1 + 2 + 32 + 2 + 6,
1599 EAP_TYPE_GPSK,
1600 EAP_GPSK_OPCODE_GPSK_1, 0,
1601 0, 0, 0, 0, 0, 0, 0, 0,
1602 6, 0, 1)
1603 idx += 1
1604 if ctx['num'] == idx:
1605 logger.info("Test: GPSK-3 Mismatch in RAND_Server")
1606 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1607 4 + 1 + 1 + 32 + 32,
1608 EAP_TYPE_GPSK,
1609 EAP_GPSK_OPCODE_GPSK_3)
1610 msg += req[14:46]
1611 msg += struct.pack(">8L", 1, 1, 1, 1, 1, 1, 1, 1)
1612 return msg
1613
1614 idx += 1
1615 if ctx['num'] == idx:
1616 logger.info("Test: GPSK-1 Supported CSuite")
1617 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1618 4 + 1 + 1 + 2 + 32 + 2 + 6,
1619 EAP_TYPE_GPSK,
1620 EAP_GPSK_OPCODE_GPSK_1, 0,
1621 0, 0, 0, 0, 0, 0, 0, 0,
1622 6, 0, 1)
1623 idx += 1
1624 if ctx['num'] == idx:
1625 logger.info("Test: GPSK-3 Missing ID_Server")
1626 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1627 4 + 1 + 1 + 32 + 32,
1628 EAP_TYPE_GPSK,
1629 EAP_GPSK_OPCODE_GPSK_3)
1630 msg += req[14:46]
1631 msg += struct.pack(">8L", 0, 0, 0, 0, 0, 0, 0, 0)
1632 return msg
1633
1634 idx += 1
1635 if ctx['num'] == idx:
1636 logger.info("Test: GPSK-1 Supported CSuite")
1637 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1638 4 + 1 + 1 + 2 + 32 + 2 + 6,
1639 EAP_TYPE_GPSK,
1640 EAP_GPSK_OPCODE_GPSK_1, 0,
1641 0, 0, 0, 0, 0, 0, 0, 0,
1642 6, 0, 1)
1643 idx += 1
1644 if ctx['num'] == idx:
1645 logger.info("Test: GPSK-3 Truncated ID_Server")
1646 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1647 4 + 1 + 1 + 32 + 32 + 2,
1648 EAP_TYPE_GPSK,
1649 EAP_GPSK_OPCODE_GPSK_3)
1650 msg += req[14:46]
1651 msg += struct.pack(">8LH", 0, 0, 0, 0, 0, 0, 0, 0, 1)
1652 return msg
1653
1654 idx += 1
1655 if ctx['num'] == idx:
1656 logger.info("Test: GPSK-1 Supported CSuite")
1657 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1658 4 + 1 + 1 + 2 + 32 + 2 + 6,
1659 EAP_TYPE_GPSK,
1660 EAP_GPSK_OPCODE_GPSK_1, 0,
1661 0, 0, 0, 0, 0, 0, 0, 0,
1662 6, 0, 1)
1663 idx += 1
1664 if ctx['num'] == idx:
1665 logger.info("Test: GPSK-3 Mismatch in ID_Server")
1666 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1667 4 + 1 + 1 + 32 + 32 + 3,
1668 EAP_TYPE_GPSK,
1669 EAP_GPSK_OPCODE_GPSK_3)
1670 msg += req[14:46]
1671 msg += struct.pack(">8LHB", 0, 0, 0, 0, 0, 0, 0, 0, 1, ord('B'))
1672 return msg
1673
1674 idx += 1
1675 if ctx['num'] == idx:
1676 logger.info("Test: GPSK-1 Supported CSuite")
1677 return struct.pack(">BBHBBHB8LHLH", EAP_CODE_REQUEST, ctx['id'],
1678 4 + 1 + 1 + 3 + 32 + 2 + 6,
1679 EAP_TYPE_GPSK,
1680 EAP_GPSK_OPCODE_GPSK_1, 1, ord('A'),
1681 0, 0, 0, 0, 0, 0, 0, 0,
1682 6, 0, 1)
1683 idx += 1
1684 if ctx['num'] == idx:
1685 logger.info("Test: GPSK-3 Mismatch in ID_Server (same length)")
1686 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1687 4 + 1 + 1 + 32 + 32 + 3,
1688 EAP_TYPE_GPSK,
1689 EAP_GPSK_OPCODE_GPSK_3)
1690 msg += req[15:47]
1691 msg += struct.pack(">8LHB", 0, 0, 0, 0, 0, 0, 0, 0, 1, ord('B'))
1692 return msg
1693
1694 idx += 1
1695 if ctx['num'] == idx:
1696 logger.info("Test: GPSK-1 Supported CSuite")
1697 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1698 4 + 1 + 1 + 2 + 32 + 2 + 6,
1699 EAP_TYPE_GPSK,
1700 EAP_GPSK_OPCODE_GPSK_1, 0,
1701 0, 0, 0, 0, 0, 0, 0, 0,
1702 6, 0, 1)
1703 idx += 1
1704 if ctx['num'] == idx:
1705 logger.info("Test: GPSK-3 Missing CSuite_Sel")
1706 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1707 4 + 1 + 1 + 32 + 32 + 2,
1708 EAP_TYPE_GPSK,
1709 EAP_GPSK_OPCODE_GPSK_3)
1710 msg += req[14:46]
1711 msg += struct.pack(">8LH", 0, 0, 0, 0, 0, 0, 0, 0, 0)
1712 return msg
1713
1714 idx += 1
1715 if ctx['num'] == idx:
1716 logger.info("Test: GPSK-1 Supported CSuite")
1717 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1718 4 + 1 + 1 + 2 + 32 + 2 + 6,
1719 EAP_TYPE_GPSK,
1720 EAP_GPSK_OPCODE_GPSK_1, 0,
1721 0, 0, 0, 0, 0, 0, 0, 0,
1722 6, 0, 1)
1723 idx += 1
1724 if ctx['num'] == idx:
1725 logger.info("Test: GPSK-3 Mismatch in CSuite_Sel")
1726 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1727 4 + 1 + 1 + 32 + 32 + 2 + 6,
1728 EAP_TYPE_GPSK,
1729 EAP_GPSK_OPCODE_GPSK_3)
1730 msg += req[14:46]
1731 msg += struct.pack(">8LHLH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2)
1732 return msg
1733
1734 idx += 1
1735 if ctx['num'] == idx:
1736 logger.info("Test: GPSK-1 Supported CSuite")
1737 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1738 4 + 1 + 1 + 2 + 32 + 2 + 6,
1739 EAP_TYPE_GPSK,
1740 EAP_GPSK_OPCODE_GPSK_1, 0,
1741 0, 0, 0, 0, 0, 0, 0, 0,
1742 6, 0, 1)
1743 idx += 1
1744 if ctx['num'] == idx:
1745 logger.info("Test: GPSK-3 Missing len(PD_Payload_Block)")
1746 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1747 4 + 1 + 1 + 32 + 32 + 2 + 6,
1748 EAP_TYPE_GPSK,
1749 EAP_GPSK_OPCODE_GPSK_3)
1750 msg += req[14:46]
1751 msg += struct.pack(">8LHLH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1)
1752 return msg
1753
1754 idx += 1
1755 if ctx['num'] == idx:
1756 logger.info("Test: GPSK-1 Supported CSuite")
1757 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1758 4 + 1 + 1 + 2 + 32 + 2 + 6,
1759 EAP_TYPE_GPSK,
1760 EAP_GPSK_OPCODE_GPSK_1, 0,
1761 0, 0, 0, 0, 0, 0, 0, 0,
1762 6, 0, 1)
1763 idx += 1
1764 if ctx['num'] == idx:
1765 logger.info("Test: GPSK-3 Truncated PD_Payload_Block")
1766 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1767 4 + 1 + 1 + 32 + 32 + 2 + 6 + 2,
1768 EAP_TYPE_GPSK,
1769 EAP_GPSK_OPCODE_GPSK_3)
1770 msg += req[14:46]
1771 msg += struct.pack(">8LHLHH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1)
1772 return msg
1773
1774 idx += 1
1775 if ctx['num'] == idx:
1776 logger.info("Test: GPSK-1 Supported CSuite")
1777 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1778 4 + 1 + 1 + 2 + 32 + 2 + 6,
1779 EAP_TYPE_GPSK,
1780 EAP_GPSK_OPCODE_GPSK_1, 0,
1781 0, 0, 0, 0, 0, 0, 0, 0,
1782 6, 0, 1)
1783 idx += 1
1784 if ctx['num'] == idx:
1785 logger.info("Test: GPSK-3 Missing MAC")
1786 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1787 4 + 1 + 1 + 32 + 32 + 2 + 6 + 3,
1788 EAP_TYPE_GPSK,
1789 EAP_GPSK_OPCODE_GPSK_3)
1790 msg += req[14:46]
1791 msg += struct.pack(">8LHLHHB",
1792 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 123)
1793 return msg
1794
1795 idx += 1
1796 if ctx['num'] == idx:
1797 logger.info("Test: GPSK-1 Supported CSuite")
1798 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1799 4 + 1 + 1 + 2 + 32 + 2 + 6,
1800 EAP_TYPE_GPSK,
1801 EAP_GPSK_OPCODE_GPSK_1, 0,
1802 0, 0, 0, 0, 0, 0, 0, 0,
1803 6, 0, 1)
1804 idx += 1
1805 if ctx['num'] == idx:
1806 logger.info("Test: GPSK-3 Incorrect MAC")
1807 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1808 4 + 1 + 1 + 32 + 32 + 2 + 6 + 3 + 16,
1809 EAP_TYPE_GPSK,
1810 EAP_GPSK_OPCODE_GPSK_3)
1811 msg += req[14:46]
1812 msg += struct.pack(">8LHLHHB4L",
1813 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 123,
1814 0, 0, 0, 0)
1815 return msg
1816
1817 return None
1818
1819 srv = start_radius_server(gpsk_handler)
1820
1821 try:
1822 hapd = start_ap(apdev[0]['ifname'])
1823
1824 for i in range(0, 27):
1825 if i == 12:
1826 pw = "short"
1827 else:
1828 pw = "abcdefghijklmnop0123456789abcdef"
1829 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1830 eap="GPSK", identity="user", password=pw,
1831 wait_connect=False)
1832 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1833 timeout=15)
1834 if ev is None:
1835 raise Exception("Timeout on EAP start")
1836 time.sleep(0.05)
1837 dev[0].request("REMOVE_NETWORK all")
1838 finally:
1839 stop_radius_server(srv)
1840
1841 EAP_EKE_ID = 1
1842 EAP_EKE_COMMIT = 2
1843 EAP_EKE_CONFIRM = 3
1844 EAP_EKE_FAILURE = 4
1845
1846 def test_eap_proto_eke(dev, apdev):
1847 """EAP-EKE protocol tests"""
1848 def eke_handler(ctx, req):
1849 logger.info("eke_handler - RX " + req.encode("hex"))
1850 if 'num' not in ctx:
1851 ctx['num'] = 0
1852 ctx['num'] = ctx['num'] + 1
1853 if 'id' not in ctx:
1854 ctx['id'] = 1
1855 ctx['id'] = (ctx['id'] + 1) % 256
1856
1857 idx = 0
1858
1859 idx += 1
1860 if ctx['num'] == idx:
1861 logger.info("Test: Missing payload")
1862 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1863 4 + 1,
1864 EAP_TYPE_EKE)
1865
1866 idx += 1
1867 if ctx['num'] == idx:
1868 logger.info("Test: Unknown exchange")
1869 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1870 4 + 1 + 1,
1871 EAP_TYPE_EKE,
1872 255)
1873
1874 idx += 1
1875 if ctx['num'] == idx:
1876 logger.info("Test: No NumProposals in EAP-EKE-ID/Request")
1877 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1878 4 + 1 + 1,
1879 EAP_TYPE_EKE,
1880 EAP_EKE_ID)
1881 idx += 1
1882 if ctx['num'] == idx:
1883 logger.info("Test: EAP-Failure")
1884 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1885
1886 idx += 1
1887 if ctx['num'] == idx:
1888 logger.info("Test: NumProposals=0 in EAP-EKE-ID/Request")
1889 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
1890 4 + 1 + 1 + 1,
1891 EAP_TYPE_EKE,
1892 EAP_EKE_ID,
1893 0)
1894 idx += 1
1895 if ctx['num'] == idx:
1896 logger.info("Test: EAP-Failure")
1897 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1898
1899 idx += 1
1900 if ctx['num'] == idx:
1901 logger.info("Test: Truncated Proposals list in EAP-EKE-ID/Request")
1902 return struct.pack(">BBHBBBB4B", EAP_CODE_REQUEST, ctx['id'],
1903 4 + 1 + 1 + 2 + 4,
1904 EAP_TYPE_EKE,
1905 EAP_EKE_ID,
1906 2, 0, 0, 0, 0, 0)
1907 idx += 1
1908 if ctx['num'] == idx:
1909 logger.info("Test: EAP-Failure")
1910 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1911
1912 idx += 1
1913 if ctx['num'] == idx:
1914 logger.info("Test: Unsupported proposals in EAP-EKE-ID/Request")
1915 return struct.pack(">BBHBBBB4B4B4B4B", EAP_CODE_REQUEST, ctx['id'],
1916 4 + 1 + 1 + 2 + 4 * 4,
1917 EAP_TYPE_EKE,
1918 EAP_EKE_ID,
1919 4, 0,
1920 0, 0, 0, 0,
1921 3, 0, 0, 0,
1922 3, 1, 0, 0,
1923 3, 1, 1, 0)
1924 idx += 1
1925 if ctx['num'] == idx:
1926 logger.info("Test: EAP-Failure")
1927 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1928
1929 idx += 1
1930 if ctx['num'] == idx:
1931 logger.info("Test: Missing IDType/Identity in EAP-EKE-ID/Request")
1932 return struct.pack(">BBHBBBB4B4B4B4B4B",
1933 EAP_CODE_REQUEST, ctx['id'],
1934 4 + 1 + 1 + 2 + 5 * 4,
1935 EAP_TYPE_EKE,
1936 EAP_EKE_ID,
1937 5, 0,
1938 0, 0, 0, 0,
1939 3, 0, 0, 0,
1940 3, 1, 0, 0,
1941 3, 1, 1, 0,
1942 3, 1, 1, 1)
1943 idx += 1
1944 if ctx['num'] == idx:
1945 logger.info("Test: EAP-Failure")
1946 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1947
1948 idx += 1
1949 if ctx['num'] == idx:
1950 logger.info("Test: Valid EAP-EKE-ID/Request")
1951 return struct.pack(">BBHBBBB4BB",
1952 EAP_CODE_REQUEST, ctx['id'],
1953 4 + 1 + 1 + 2 + 4 + 1,
1954 EAP_TYPE_EKE,
1955 EAP_EKE_ID,
1956 1, 0,
1957 3, 1, 1, 1,
1958 255)
1959 idx += 1
1960 if ctx['num'] == idx:
1961 logger.info("Test: Unexpected EAP-EKE-ID/Request")
1962 return struct.pack(">BBHBBBB4BB",
1963 EAP_CODE_REQUEST, ctx['id'],
1964 4 + 1 + 1 + 2 + 4 + 1,
1965 EAP_TYPE_EKE,
1966 EAP_EKE_ID,
1967 1, 0,
1968 3, 1, 1, 1,
1969 255)
1970 idx += 1
1971 if ctx['num'] == idx:
1972 logger.info("Test: EAP-Failure")
1973 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1974
1975 idx += 1
1976 if ctx['num'] == idx:
1977 logger.info("Test: Valid EAP-EKE-ID/Request")
1978 return struct.pack(">BBHBBBB4BB",
1979 EAP_CODE_REQUEST, ctx['id'],
1980 4 + 1 + 1 + 2 + 4 + 1,
1981 EAP_TYPE_EKE,
1982 EAP_EKE_ID,
1983 1, 0,
1984 3, 1, 1, 1,
1985 255)
1986 idx += 1
1987 if ctx['num'] == idx:
1988 logger.info("Test: Unexpected EAP-EKE-Confirm/Request")
1989 return struct.pack(">BBHBB",
1990 EAP_CODE_REQUEST, ctx['id'],
1991 4 + 1 + 1,
1992 EAP_TYPE_EKE,
1993 EAP_EKE_CONFIRM)
1994 idx += 1
1995 if ctx['num'] == idx:
1996 logger.info("Test: EAP-Failure")
1997 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1998
1999 idx += 1
2000 if ctx['num'] == idx:
2001 logger.info("Test: Too short EAP-EKE-Failure/Request")
2002 return struct.pack(">BBHBB",
2003 EAP_CODE_REQUEST, ctx['id'],
2004 4 + 1 + 1,
2005 EAP_TYPE_EKE,
2006 EAP_EKE_FAILURE)
2007 idx += 1
2008 if ctx['num'] == idx:
2009 logger.info("Test: EAP-Failure")
2010 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2011
2012 idx += 1
2013 if ctx['num'] == idx:
2014 logger.info("Test: Unexpected EAP-EKE-Commit/Request")
2015 return struct.pack(">BBHBB",
2016 EAP_CODE_REQUEST, ctx['id'],
2017 4 + 1 + 1,
2018 EAP_TYPE_EKE,
2019 EAP_EKE_COMMIT)
2020 idx += 1
2021 if ctx['num'] == idx:
2022 logger.info("Test: EAP-Failure")
2023 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2024
2025 idx += 1
2026 if ctx['num'] == idx:
2027 logger.info("Test: Valid EAP-EKE-ID/Request")
2028 return struct.pack(">BBHBBBB4BB",
2029 EAP_CODE_REQUEST, ctx['id'],
2030 4 + 1 + 1 + 2 + 4 + 1,
2031 EAP_TYPE_EKE,
2032 EAP_EKE_ID,
2033 1, 0,
2034 3, 1, 1, 1,
2035 255)
2036 idx += 1
2037 if ctx['num'] == idx:
2038 logger.info("Test: Too short EAP-EKE-Commit/Request")
2039 return struct.pack(">BBHBB",
2040 EAP_CODE_REQUEST, ctx['id'],
2041 4 + 1 + 1,
2042 EAP_TYPE_EKE,
2043 EAP_EKE_COMMIT)
2044 idx += 1
2045 if ctx['num'] == idx:
2046 logger.info("Test: EAP-Failure")
2047 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2048
2049 idx += 1
2050 if ctx['num'] == idx:
2051 logger.info("Test: Valid EAP-EKE-ID/Request")
2052 return struct.pack(">BBHBBBB4BB",
2053 EAP_CODE_REQUEST, ctx['id'],
2054 4 + 1 + 1 + 2 + 4 + 1,
2055 EAP_TYPE_EKE,
2056 EAP_EKE_ID,
2057 1, 0,
2058 1, 1, 1, 1,
2059 255)
2060 idx += 1
2061 if ctx['num'] == idx:
2062 logger.info("Test: All zeroes DHComponent_S and empty CBvalue in EAP-EKE-Commit/Request")
2063 return struct.pack(">BBHBB4L32L",
2064 EAP_CODE_REQUEST, ctx['id'],
2065 4 + 1 + 1 + 16 + 128,
2066 EAP_TYPE_EKE,
2067 EAP_EKE_COMMIT,
2068 0, 0, 0, 0,
2069 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2070 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2071 idx += 1
2072 if ctx['num'] == idx:
2073 logger.info("Test: Too short EAP-EKE-Confirm/Request")
2074 return struct.pack(">BBHBB",
2075 EAP_CODE_REQUEST, ctx['id'],
2076 4 + 1 + 1,
2077 EAP_TYPE_EKE,
2078 EAP_EKE_CONFIRM)
2079 idx += 1
2080 if ctx['num'] == idx:
2081 logger.info("Test: EAP-Failure")
2082 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2083
2084 idx += 1
2085 if ctx['num'] == idx:
2086 logger.info("Test: Valid EAP-EKE-ID/Request")
2087 return struct.pack(">BBHBBBB4BB",
2088 EAP_CODE_REQUEST, ctx['id'],
2089 4 + 1 + 1 + 2 + 4 + 1,
2090 EAP_TYPE_EKE,
2091 EAP_EKE_ID,
2092 1, 0,
2093 1, 1, 1, 1,
2094 255)
2095 idx += 1
2096 if ctx['num'] == idx:
2097 logger.info("Test: All zeroes DHComponent_S and empty CBvalue in EAP-EKE-Commit/Request")
2098 return struct.pack(">BBHBB4L32L",
2099 EAP_CODE_REQUEST, ctx['id'],
2100 4 + 1 + 1 + 16 + 128,
2101 EAP_TYPE_EKE,
2102 EAP_EKE_COMMIT,
2103 0, 0, 0, 0,
2104 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
2105 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2106 idx += 1
2107 if ctx['num'] == idx:
2108 logger.info("Test: Invalid PNonce_PS and Auth_S values in EAP-EKE-Confirm/Request")
2109 return struct.pack(">BBHBB4L8L5L5L",
2110 EAP_CODE_REQUEST, ctx['id'],
2111 4 + 1 + 1 + 16 + 2 * 16 + 20 + 20,
2112 EAP_TYPE_EKE,
2113 EAP_EKE_CONFIRM,
2114 0, 0, 0, 0,
2115 0, 0, 0, 0, 0, 0, 0, 0,
2116 0, 0, 0, 0, 0,
2117 0, 0, 0, 0, 0)
2118 idx += 1
2119 if ctx['num'] == idx:
2120 logger.info("Test: EAP-Failure")
2121 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2122
2123 return None
2124
2125 srv = start_radius_server(eke_handler)
2126
2127 try:
2128 hapd = start_ap(apdev[0]['ifname'])
2129
2130 for i in range(0, 14):
2131 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2132 eap="EKE", identity="user", password="password",
2133 wait_connect=False)
2134 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2135 timeout=15)
2136 if ev is None:
2137 raise Exception("Timeout on EAP start")
2138 if i in [ 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 ]:
2139 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
2140 timeout=10)
2141 if ev is None:
2142 raise Exception("Timeout on EAP failure")
2143 else:
2144 time.sleep(0.05)
2145 dev[0].request("REMOVE_NETWORK all")
2146 dev[0].dump_monitor()
2147 finally:
2148 stop_radius_server(srv)
2149
2150 def eap_eke_test_fail(dev, phase1=None, success=False):
2151 dev.connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2152 eap="EKE", identity="eke user", password="hello",
2153 phase1=phase1, erp="1", wait_connect=False)
2154 ev = dev.wait_event([ "CTRL-EVENT-EAP-FAILURE",
2155 "CTRL-EVENT-EAP-SUCCESS" ], timeout=5)
2156 if ev is None:
2157 raise Exception("Timeout on EAP failure")
2158 if not success and "CTRL-EVENT-EAP-FAILURE" not in ev:
2159 raise Exception("EAP did not fail during failure test")
2160 dev.request("REMOVE_NETWORK all")
2161 dev.wait_disconnected()
2162
2163 def test_eap_proto_eke_errors(dev, apdev):
2164 """EAP-EKE local error cases"""
2165 check_eap_capa(dev[0], "EKE")
2166 params = hostapd.wpa2_eap_params(ssid="eap-test")
2167 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2168
2169 for i in range(1, 3):
2170 with alloc_fail(dev[0], i, "eap_eke_init"):
2171 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2172 eap="EKE", identity="eke user", password="hello",
2173 wait_connect=False)
2174 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
2175 timeout=15)
2176 if ev is None:
2177 raise Exception("Timeout on EAP start")
2178 dev[0].request("REMOVE_NETWORK all")
2179 dev[0].wait_disconnected()
2180
2181 tests = [ (1, "eap_eke_dh_init", None),
2182 (1, "eap_eke_prf_hmac_sha1", "dhgroup=3 encr=1 prf=1 mac=1"),
2183 (1, "eap_eke_prf_hmac_sha256", "dhgroup=5 encr=1 prf=2 mac=2"),
2184 (1, "eap_eke_prf", None),
2185 (1, "os_get_random;eap_eke_dhcomp", None),
2186 (1, "aes_128_cbc_encrypt;eap_eke_dhcomp", None),
2187 (1, "aes_128_cbc_decrypt;eap_eke_shared_secret", None),
2188 (1, "eap_eke_prf;eap_eke_shared_secret", None),
2189 (1, "eap_eke_prfplus;eap_eke_derive_ke_ki", None),
2190 (1, "eap_eke_prfplus;eap_eke_derive_ka", None),
2191 (1, "eap_eke_prfplus;eap_eke_derive_msk", None),
2192 (1, "os_get_random;eap_eke_prot", None),
2193 (1, "aes_128_cbc_decrypt;eap_eke_decrypt_prot", None),
2194 (1, "eap_eke_derive_key;eap_eke_process_commit", None),
2195 (1, "eap_eke_dh_init;eap_eke_process_commit", None),
2196 (1, "eap_eke_shared_secret;eap_eke_process_commit", None),
2197 (1, "eap_eke_derive_ke_ki;eap_eke_process_commit", None),
2198 (1, "eap_eke_dhcomp;eap_eke_process_commit", None),
2199 (1, "os_get_random;eap_eke_process_commit", None),
2200 (1, "os_get_random;=eap_eke_process_commit", None),
2201 (1, "eap_eke_prot;eap_eke_process_commit", None),
2202 (1, "eap_eke_decrypt_prot;eap_eke_process_confirm", None),
2203 (1, "eap_eke_derive_ka;eap_eke_process_confirm", None),
2204 (1, "eap_eke_auth;eap_eke_process_confirm", None),
2205 (2, "eap_eke_auth;eap_eke_process_confirm", None),
2206 (1, "eap_eke_prot;eap_eke_process_confirm", None),
2207 (1, "eap_eke_derive_msk;eap_eke_process_confirm", None) ]
2208 for count, func, phase1 in tests:
2209 with fail_test(dev[0], count, func):
2210 eap_eke_test_fail(dev[0], phase1)
2211
2212 tests = [ (1, "=eap_eke_derive_ke_ki", None),
2213 (1, "=eap_eke_derive_ka", None),
2214 (1, "=eap_eke_derive_msk", None),
2215 (1, "eap_eke_build_msg;eap_eke_process_id", None),
2216 (1, "wpabuf_alloc;eap_eke_process_id", None),
2217 (1, "=eap_eke_process_id", None),
2218 (1, "wpabuf_alloc;eap_eke_process_id", None),
2219 (1, "eap_eke_build_msg;eap_eke_process_commit", None),
2220 (1, "wpabuf_resize;eap_eke_process_commit", None),
2221 (1, "eap_eke_build_msg;eap_eke_process_confirm", None) ]
2222 for count, func, phase1 in tests:
2223 with alloc_fail(dev[0], count, func):
2224 eap_eke_test_fail(dev[0], phase1)
2225
2226 tests = [ (1, "eap_eke_getKey", None),
2227 (1, "eap_eke_get_emsk", None),
2228 (1, "eap_eke_get_session_id", None) ]
2229 for count, func, phase1 in tests:
2230 with alloc_fail(dev[0], count, func):
2231 eap_eke_test_fail(dev[0], phase1, success=True)
2232
2233 EAP_PAX_OP_STD_1 = 0x01
2234 EAP_PAX_OP_STD_2 = 0x02
2235 EAP_PAX_OP_STD_3 = 0x03
2236 EAP_PAX_OP_SEC_1 = 0x11
2237 EAP_PAX_OP_SEC_2 = 0x12
2238 EAP_PAX_OP_SEC_3 = 0x13
2239 EAP_PAX_OP_SEC_4 = 0x14
2240 EAP_PAX_OP_SEC_5 = 0x15
2241 EAP_PAX_OP_ACK = 0x21
2242
2243 EAP_PAX_FLAGS_MF = 0x01
2244 EAP_PAX_FLAGS_CE = 0x02
2245 EAP_PAX_FLAGS_AI = 0x04
2246
2247 EAP_PAX_MAC_HMAC_SHA1_128 = 0x01
2248 EAP_PAX_HMAC_SHA256_128 = 0x02
2249
2250 EAP_PAX_DH_GROUP_NONE = 0x00
2251 EAP_PAX_DH_GROUP_2048_MODP = 0x01
2252 EAP_PAX_DH_GROUP_3072_MODP = 0x02
2253 EAP_PAX_DH_GROUP_NIST_ECC_P_256 = 0x03
2254
2255 EAP_PAX_PUBLIC_KEY_NONE = 0x00
2256 EAP_PAX_PUBLIC_KEY_RSAES_OAEP = 0x01
2257 EAP_PAX_PUBLIC_KEY_RSA_PKCS1_V1_5 = 0x02
2258 EAP_PAX_PUBLIC_KEY_EL_GAMAL_NIST_ECC = 0x03
2259
2260 EAP_PAX_ADE_VENDOR_SPECIFIC = 0x01
2261 EAP_PAX_ADE_CLIENT_CHANNEL_BINDING = 0x02
2262 EAP_PAX_ADE_SERVER_CHANNEL_BINDING = 0x03
2263
2264 def test_eap_proto_pax(dev, apdev):
2265 """EAP-PAX protocol tests"""
2266 def pax_std_1(ctx):
2267 logger.info("Test: STD-1")
2268 ctx['id'] = 10
2269 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2270 4 + 1 + 5 + 2 + 32 + 16,
2271 EAP_TYPE_PAX,
2272 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2273 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2274 32, 0, 0, 0, 0, 0, 0, 0, 0,
2275 0x16, 0xc9, 0x08, 0x9d, 0x98, 0xa5, 0x6e, 0x1f,
2276 0xf0, 0xac, 0xcf, 0xc4, 0x66, 0xcd, 0x2d, 0xbf)
2277
2278 def pax_handler(ctx, req):
2279 logger.info("pax_handler - RX " + req.encode("hex"))
2280 if 'num' not in ctx:
2281 ctx['num'] = 0
2282 ctx['num'] = ctx['num'] + 1
2283 if 'id' not in ctx:
2284 ctx['id'] = 1
2285 ctx['id'] = (ctx['id'] + 1) % 256
2286
2287 idx = 0
2288
2289 idx += 1
2290 if ctx['num'] == idx:
2291 logger.info("Test: Missing payload")
2292 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2293 4 + 1,
2294 EAP_TYPE_PAX)
2295
2296 idx += 1
2297 if ctx['num'] == idx:
2298 logger.info("Test: Minimum length payload")
2299 return struct.pack(">BBHB4L", EAP_CODE_REQUEST, ctx['id'],
2300 4 + 1 + 16,
2301 EAP_TYPE_PAX,
2302 0, 0, 0, 0)
2303
2304 idx += 1
2305 if ctx['num'] == idx:
2306 logger.info("Test: Unsupported MAC ID")
2307 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2308 4 + 1 + 5 + 16,
2309 EAP_TYPE_PAX,
2310 EAP_PAX_OP_STD_1, 0, 255, EAP_PAX_DH_GROUP_NONE,
2311 EAP_PAX_PUBLIC_KEY_NONE,
2312 0, 0, 0, 0)
2313
2314 idx += 1
2315 if ctx['num'] == idx:
2316 logger.info("Test: Unsupported DH Group ID")
2317 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2318 4 + 1 + 5 + 16,
2319 EAP_TYPE_PAX,
2320 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2321 255, EAP_PAX_PUBLIC_KEY_NONE,
2322 0, 0, 0, 0)
2323
2324 idx += 1
2325 if ctx['num'] == idx:
2326 logger.info("Test: Unsupported Public Key ID")
2327 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2328 4 + 1 + 5 + 16,
2329 EAP_TYPE_PAX,
2330 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2331 EAP_PAX_DH_GROUP_NONE, 255,
2332 0, 0, 0, 0)
2333
2334 idx += 1
2335 if ctx['num'] == idx:
2336 logger.info("Test: More fragments")
2337 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2338 4 + 1 + 5 + 16,
2339 EAP_TYPE_PAX,
2340 EAP_PAX_OP_STD_1, EAP_PAX_FLAGS_MF,
2341 EAP_PAX_MAC_HMAC_SHA1_128,
2342 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2343 0, 0, 0, 0)
2344
2345 idx += 1
2346 if ctx['num'] == idx:
2347 logger.info("Test: Invalid ICV")
2348 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2349 4 + 1 + 5 + 16,
2350 EAP_TYPE_PAX,
2351 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2352 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2353 0, 0, 0, 0)
2354
2355 idx += 1
2356 if ctx['num'] == idx:
2357 logger.info("Test: Invalid ICV in short frame")
2358 return struct.pack(">BBHBBBBBB3L", EAP_CODE_REQUEST, ctx['id'],
2359 4 + 1 + 5 + 12,
2360 EAP_TYPE_PAX,
2361 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2362 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2363 0, 0, 0)
2364
2365 idx += 1
2366 if ctx['num'] == idx:
2367 logger.info("Test: Correct ICV - unsupported op_code")
2368 ctx['id'] = 10
2369 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2370 4 + 1 + 5 + 16,
2371 EAP_TYPE_PAX,
2372 255, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2373 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2374 0x90, 0x78, 0x97, 0x38, 0x29, 0x94, 0x32, 0xd4,
2375 0x81, 0x27, 0xe0, 0xf6, 0x3b, 0x0d, 0xb2, 0xb2)
2376
2377 idx += 1
2378 if ctx['num'] == idx:
2379 logger.info("Test: Correct ICV - CE flag in STD-1")
2380 ctx['id'] = 10
2381 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2382 4 + 1 + 5 + 16,
2383 EAP_TYPE_PAX,
2384 EAP_PAX_OP_STD_1, EAP_PAX_FLAGS_CE,
2385 EAP_PAX_MAC_HMAC_SHA1_128,
2386 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2387 0x9c, 0x98, 0xb4, 0x0b, 0x94, 0x90, 0xde, 0x88,
2388 0xb7, 0x72, 0x63, 0x44, 0x1d, 0xe3, 0x7c, 0x5c)
2389
2390 idx += 1
2391 if ctx['num'] == idx:
2392 logger.info("Test: Correct ICV - too short STD-1 payload")
2393 ctx['id'] = 10
2394 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2395 4 + 1 + 5 + 16,
2396 EAP_TYPE_PAX,
2397 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2398 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2399 0xda, 0xab, 0x2c, 0xe7, 0x84, 0x41, 0xb5, 0x5c,
2400 0xee, 0xcf, 0x62, 0x03, 0xc5, 0x69, 0xcb, 0xf4)
2401
2402 idx += 1
2403 if ctx['num'] == idx:
2404 logger.info("Test: Correct ICV - incorrect A length in STD-1")
2405 ctx['id'] = 10
2406 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2407 4 + 1 + 5 + 2 + 32 + 16,
2408 EAP_TYPE_PAX,
2409 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2410 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2411 0, 0, 0, 0, 0, 0, 0, 0, 0,
2412 0xc4, 0xb0, 0x81, 0xe4, 0x6c, 0x8c, 0x20, 0x23,
2413 0x60, 0x46, 0x89, 0xea, 0x94, 0x60, 0xf3, 0x2a)
2414
2415 idx += 1
2416 if ctx['num'] == idx:
2417 logger.info("Test: Correct ICV - extra data in STD-1")
2418 ctx['id'] = 10
2419 return struct.pack(">BBHBBBBBBH8LB16B", EAP_CODE_REQUEST, ctx['id'],
2420 4 + 1 + 5 + 2 + 32 + 1 + 16,
2421 EAP_TYPE_PAX,
2422 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2423 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2424 32, 0, 0, 0, 0, 0, 0, 0, 0,
2425 1,
2426 0x61, 0x49, 0x65, 0x37, 0x21, 0xe8, 0xd8, 0xbf,
2427 0xf3, 0x02, 0x01, 0xe5, 0x42, 0x51, 0xd3, 0x34)
2428 idx += 1
2429 if ctx['num'] == idx:
2430 logger.info("Test: Unexpected STD-1")
2431 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2432 4 + 1 + 5 + 2 + 32 + 16,
2433 EAP_TYPE_PAX,
2434 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2435 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2436 32, 0, 0, 0, 0, 0, 0, 0, 0,
2437 0xe5, 0x1d, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2438 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2439
2440 idx += 1
2441 if ctx['num'] == idx:
2442 return pax_std_1(ctx)
2443 idx += 1
2444 if ctx['num'] == idx:
2445 logger.info("Test: MAC ID changed during session")
2446 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2447 4 + 1 + 5 + 2 + 32 + 16,
2448 EAP_TYPE_PAX,
2449 EAP_PAX_OP_STD_1, 0, EAP_PAX_HMAC_SHA256_128,
2450 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2451 32, 0, 0, 0, 0, 0, 0, 0, 0,
2452 0xee, 0x00, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2453 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2454
2455 idx += 1
2456 if ctx['num'] == idx:
2457 return pax_std_1(ctx)
2458 idx += 1
2459 if ctx['num'] == idx:
2460 logger.info("Test: DH Group ID changed during session")
2461 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2462 4 + 1 + 5 + 2 + 32 + 16,
2463 EAP_TYPE_PAX,
2464 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2465 EAP_PAX_DH_GROUP_2048_MODP,
2466 EAP_PAX_PUBLIC_KEY_NONE,
2467 32, 0, 0, 0, 0, 0, 0, 0, 0,
2468 0xee, 0x01, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2469 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2470
2471 idx += 1
2472 if ctx['num'] == idx:
2473 return pax_std_1(ctx)
2474 idx += 1
2475 if ctx['num'] == idx:
2476 logger.info("Test: Public Key ID changed during session")
2477 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2478 4 + 1 + 5 + 2 + 32 + 16,
2479 EAP_TYPE_PAX,
2480 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2481 EAP_PAX_DH_GROUP_NONE,
2482 EAP_PAX_PUBLIC_KEY_RSAES_OAEP,
2483 32, 0, 0, 0, 0, 0, 0, 0, 0,
2484 0xee, 0x02, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2485 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2486
2487 idx += 1
2488 if ctx['num'] == idx:
2489 logger.info("Test: Unexpected STD-3")
2490 ctx['id'] = 10
2491 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2492 4 + 1 + 5 + 2 + 32 + 16,
2493 EAP_TYPE_PAX,
2494 EAP_PAX_OP_STD_3, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2495 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2496 32, 0, 0, 0, 0, 0, 0, 0, 0,
2497 0x47, 0xbb, 0xc0, 0xf9, 0xb9, 0x69, 0xf5, 0xcb,
2498 0x3a, 0xe8, 0xe7, 0xd6, 0x80, 0x28, 0xf2, 0x59)
2499
2500 idx += 1
2501 if ctx['num'] == idx:
2502 return pax_std_1(ctx)
2503 idx += 1
2504 if ctx['num'] == idx:
2505 # TODO: MAC calculation; for now, this gets dropped due to incorrect
2506 # ICV
2507 logger.info("Test: STD-3 with CE flag")
2508 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2509 4 + 1 + 5 + 2 + 32 + 16,
2510 EAP_TYPE_PAX,
2511 EAP_PAX_OP_STD_3, EAP_PAX_FLAGS_CE,
2512 EAP_PAX_MAC_HMAC_SHA1_128,
2513 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2514 32, 0, 0, 0, 0, 0, 0, 0, 0,
2515 0x8a, 0xc2, 0xf9, 0xf4, 0x8b, 0x75, 0x72, 0xa2,
2516 0x4d, 0xd3, 0x1e, 0x54, 0x77, 0x04, 0x05, 0xe2)
2517
2518 idx += 1
2519 if ctx['num'] & 0x1 == idx & 0x1:
2520 logger.info("Test: Default request")
2521 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2522 4 + 1,
2523 EAP_TYPE_PAX)
2524 else:
2525 logger.info("Test: Default EAP-Failure")
2526 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2527
2528 srv = start_radius_server(pax_handler)
2529
2530 try:
2531 hapd = start_ap(apdev[0]['ifname'])
2532
2533 for i in range(0, 18):
2534 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2535 eap="PAX", identity="user",
2536 password_hex="0123456789abcdef0123456789abcdef",
2537 wait_connect=False)
2538 logger.info("Waiting for EAP method to start")
2539 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2540 timeout=15)
2541 if ev is None:
2542 raise Exception("Timeout on EAP start")
2543 time.sleep(0.05)
2544 dev[0].request("REMOVE_NETWORK all")
2545 dev[0].dump_monitor()
2546
2547 logger.info("Too short password")
2548 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2549 eap="PAX", identity="user",
2550 password_hex="0123456789abcdef0123456789abcd",
2551 wait_connect=False)
2552 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
2553 if ev is None:
2554 raise Exception("Timeout on EAP start")
2555 time.sleep(0.1)
2556 dev[0].request("REMOVE_NETWORK all")
2557 dev[0].dump_monitor()
2558
2559 logger.info("No password")
2560 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2561 eap="PAX", identity="user",
2562 wait_connect=False)
2563 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
2564 if ev is None:
2565 raise Exception("Timeout on EAP start")
2566 time.sleep(0.1)
2567 dev[0].request("REMOVE_NETWORK all")
2568 dev[0].dump_monitor()
2569 finally:
2570 stop_radius_server(srv)
2571
2572 def test_eap_proto_psk(dev, apdev):
2573 """EAP-PSK protocol tests"""
2574 def psk_handler(ctx, req):
2575 logger.info("psk_handler - RX " + req.encode("hex"))
2576 if 'num' not in ctx:
2577 ctx['num'] = 0
2578 ctx['num'] = ctx['num'] + 1
2579 if 'id' not in ctx:
2580 ctx['id'] = 1
2581 ctx['id'] = (ctx['id'] + 1) % 256
2582
2583 idx = 0
2584
2585 idx += 1
2586 if ctx['num'] == idx:
2587 logger.info("Test: Missing payload")
2588 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2589 4 + 1,
2590 EAP_TYPE_PSK)
2591
2592 idx += 1
2593 if ctx['num'] == idx:
2594 logger.info("Test: Non-zero T in first message")
2595 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2596 4 + 1 + 1 + 16,
2597 EAP_TYPE_PSK, 0xc0, 0, 0, 0, 0)
2598
2599 idx += 1
2600 if ctx['num'] == idx:
2601 logger.info("Test: Valid first message")
2602 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2603 4 + 1 + 1 + 16,
2604 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2605 idx += 1
2606 if ctx['num'] == idx:
2607 logger.info("Test: Too short third message")
2608 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2609 4 + 1,
2610 EAP_TYPE_PSK)
2611
2612 idx += 1
2613 if ctx['num'] == idx:
2614 logger.info("Test: Valid first message")
2615 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2616 4 + 1 + 1 + 16,
2617 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2618 idx += 1
2619 if ctx['num'] == idx:
2620 logger.info("Test: Incorrect T in third message")
2621 return struct.pack(">BBHBB4L4L", EAP_CODE_REQUEST, ctx['id'],
2622 4 + 1 + 1 + 16 + 16,
2623 EAP_TYPE_PSK, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2624
2625 idx += 1
2626 if ctx['num'] == idx:
2627 logger.info("Test: Valid first message")
2628 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2629 4 + 1 + 1 + 16,
2630 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2631 idx += 1
2632 if ctx['num'] == idx:
2633 logger.info("Test: Missing PCHANNEL in third message")
2634 return struct.pack(">BBHBB4L4L", EAP_CODE_REQUEST, ctx['id'],
2635 4 + 1 + 1 + 16 + 16,
2636 EAP_TYPE_PSK, 0x80, 0, 0, 0, 0, 0, 0, 0, 0)
2637
2638 idx += 1
2639 if ctx['num'] == idx:
2640 logger.info("Test: Valid first message")
2641 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2642 4 + 1 + 1 + 16,
2643 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2644 idx += 1
2645 if ctx['num'] == idx:
2646 logger.info("Test: Invalic MAC_S in third message")
2647 return struct.pack(">BBHBB4L4L5LB", EAP_CODE_REQUEST, ctx['id'],
2648 4 + 1 + 1 + 16 + 16 + 21,
2649 EAP_TYPE_PSK, 0x80, 0, 0, 0, 0, 0, 0, 0, 0,
2650 0, 0, 0, 0, 0, 0)
2651
2652 idx += 1
2653 if ctx['num'] == idx:
2654 logger.info("Test: Valid first message")
2655 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2656 4 + 1 + 1 + 16,
2657 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2658 idx += 1
2659 if ctx['num'] == idx:
2660 logger.info("Test: EAP-Failure")
2661 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2662
2663 return None
2664
2665 srv = start_radius_server(psk_handler)
2666
2667 try:
2668 hapd = start_ap(apdev[0]['ifname'])
2669
2670 for i in range(0, 6):
2671 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2672 eap="PSK", identity="user",
2673 password_hex="0123456789abcdef0123456789abcdef",
2674 wait_connect=False)
2675 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2676 timeout=15)
2677 if ev is None:
2678 raise Exception("Timeout on EAP start")
2679 time.sleep(0.1)
2680 dev[0].request("REMOVE_NETWORK all")
2681
2682 logger.info("Test: Invalid PSK length")
2683 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2684 eap="PSK", identity="user",
2685 password_hex="0123456789abcdef0123456789abcd",
2686 wait_connect=False)
2687 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2688 timeout=15)
2689 if ev is None:
2690 raise Exception("Timeout on EAP start")
2691 time.sleep(0.1)
2692 dev[0].request("REMOVE_NETWORK all")
2693 finally:
2694 stop_radius_server(srv)
2695
2696 def test_eap_proto_psk_errors(dev, apdev):
2697 """EAP-PSK local error cases"""
2698 check_eap_capa(dev[0], "PSK")
2699 params = hostapd.wpa2_eap_params(ssid="eap-test")
2700 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2701
2702 for i in range(1, 6):
2703 with alloc_fail(dev[0], i, "eap_psk_init"):
2704 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2705 eap="PSK", identity="psk.user@example.com",
2706 password_hex="0123456789abcdef0123456789abcdef",
2707 wait_connect=False)
2708 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
2709 timeout=15)
2710 if ev is None:
2711 raise Exception("Timeout on EAP start")
2712 dev[0].request("REMOVE_NETWORK all")
2713 dev[0].wait_disconnected()
2714
2715 tests = [ (1, "=eap_psk_process_1"),
2716 (2, "=eap_psk_process_1"),
2717 (1, "eap_msg_alloc;eap_psk_process_1"),
2718 (1, "=eap_psk_process_3"),
2719 (2, "=eap_psk_process_3"),
2720 (1, "eap_msg_alloc;eap_psk_process_3"),
2721 (1, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2722 (2, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2723 (3, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2724 (4, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2725 (5, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2726 (6, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2727 (7, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2728 (8, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2729 (9, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2730 (10, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2731 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt;eap_psk_process_3"),
2732 (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt;eap_psk_process_3"),
2733 (1, "eap_psk_getKey"),
2734 (1, "eap_psk_get_session_id"),
2735 (1, "eap_psk_get_emsk") ]
2736 for count, func in tests:
2737 with alloc_fail(dev[0], count, func):
2738 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2739 eap="PSK", identity="psk.user@example.com",
2740 password_hex="0123456789abcdef0123456789abcdef",
2741 erp="1", wait_connect=False)
2742 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2743 timeout=15)
2744 if ev is None:
2745 raise Exception("Timeout on EAP start")
2746 ok = False
2747 for j in range(10):
2748 state = dev[0].request('GET_ALLOC_FAIL')
2749 if state.startswith('0:'):
2750 ok = True
2751 break
2752 time.sleep(0.1)
2753 if not ok:
2754 raise Exception("No allocation failure seen for %d:%s" % (count, func))
2755 dev[0].request("REMOVE_NETWORK all")
2756 dev[0].wait_disconnected()
2757
2758 tests = [ (1, "os_get_random;eap_psk_process_1"),
2759 (1, "omac1_aes_128;eap_psk_process_3"),
2760 (1, "aes_128_eax_decrypt;eap_psk_process_3"),
2761 (2, "aes_128_eax_decrypt;eap_psk_process_3"),
2762 (3, "aes_128_eax_decrypt;eap_psk_process_3"),
2763 (1, "aes_128_eax_encrypt;eap_psk_process_3"),
2764 (2, "aes_128_eax_encrypt;eap_psk_process_3"),
2765 (3, "aes_128_eax_encrypt;eap_psk_process_3") ]
2766 for count, func in tests:
2767 with fail_test(dev[0], count, func):
2768 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2769 eap="PSK", identity="psk.user@example.com",
2770 password_hex="0123456789abcdef0123456789abcdef",
2771 wait_connect=False)
2772 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2773 timeout=15)
2774 if ev is None:
2775 raise Exception("Timeout on EAP start")
2776 ok = False
2777 for j in range(10):
2778 state = dev[0].request('GET_FAIL')
2779 if state.startswith('0:'):
2780 ok = True
2781 break
2782 time.sleep(0.1)
2783 if not ok:
2784 raise Exception("No failure seen for %d:%s" % (count, func))
2785 dev[0].request("REMOVE_NETWORK all")
2786 dev[0].wait_disconnected()
2787
2788 EAP_SIM_SUBTYPE_START = 10
2789 EAP_SIM_SUBTYPE_CHALLENGE = 11
2790 EAP_SIM_SUBTYPE_NOTIFICATION = 12
2791 EAP_SIM_SUBTYPE_REAUTHENTICATION = 13
2792 EAP_SIM_SUBTYPE_CLIENT_ERROR = 14
2793
2794 EAP_AKA_SUBTYPE_CHALLENGE = 1
2795 EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT = 2
2796 EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE = 4
2797 EAP_AKA_SUBTYPE_IDENTITY = 5
2798 EAP_AKA_SUBTYPE_NOTIFICATION = 12
2799 EAP_AKA_SUBTYPE_REAUTHENTICATION = 13
2800 EAP_AKA_SUBTYPE_CLIENT_ERROR = 14
2801
2802 EAP_SIM_AT_RAND = 1
2803 EAP_SIM_AT_AUTN = 2
2804 EAP_SIM_AT_RES = 3
2805 EAP_SIM_AT_AUTS = 4
2806 EAP_SIM_AT_PADDING = 6
2807 EAP_SIM_AT_NONCE_MT = 7
2808 EAP_SIM_AT_PERMANENT_ID_REQ = 10
2809 EAP_SIM_AT_MAC = 11
2810 EAP_SIM_AT_NOTIFICATION = 12
2811 EAP_SIM_AT_ANY_ID_REQ = 13
2812 EAP_SIM_AT_IDENTITY = 14
2813 EAP_SIM_AT_VERSION_LIST = 15
2814 EAP_SIM_AT_SELECTED_VERSION = 16
2815 EAP_SIM_AT_FULLAUTH_ID_REQ = 17
2816 EAP_SIM_AT_COUNTER = 19
2817 EAP_SIM_AT_COUNTER_TOO_SMALL = 20
2818 EAP_SIM_AT_NONCE_S = 21
2819 EAP_SIM_AT_CLIENT_ERROR_CODE = 22
2820 EAP_SIM_AT_KDF_INPUT = 23
2821 EAP_SIM_AT_KDF = 24
2822 EAP_SIM_AT_IV = 129
2823 EAP_SIM_AT_ENCR_DATA = 130
2824 EAP_SIM_AT_NEXT_PSEUDONYM = 132
2825 EAP_SIM_AT_NEXT_REAUTH_ID = 133
2826 EAP_SIM_AT_CHECKCODE = 134
2827 EAP_SIM_AT_RESULT_IND = 135
2828 EAP_SIM_AT_BIDDING = 136
2829
2830 def test_eap_proto_aka(dev, apdev):
2831 """EAP-AKA protocol tests"""
2832 def aka_handler(ctx, req):
2833 logger.info("aka_handler - RX " + req.encode("hex"))
2834 if 'num' not in ctx:
2835 ctx['num'] = 0
2836 ctx['num'] = ctx['num'] + 1
2837 if 'id' not in ctx:
2838 ctx['id'] = 1
2839 ctx['id'] = (ctx['id'] + 1) % 256
2840
2841 idx = 0
2842
2843 idx += 1
2844 if ctx['num'] == idx:
2845 logger.info("Test: Missing payload")
2846 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2847 4 + 1,
2848 EAP_TYPE_AKA)
2849
2850 idx += 1
2851 if ctx['num'] == idx:
2852 logger.info("Test: Unknown subtype")
2853 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2854 4 + 1 + 3,
2855 EAP_TYPE_AKA, 255, 0)
2856 idx += 1
2857 if ctx['num'] == idx:
2858 logger.info("Test: EAP-Failure")
2859 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2860
2861 idx += 1
2862 if ctx['num'] == idx:
2863 logger.info("Test: Client Error")
2864 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2865 4 + 1 + 3,
2866 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CLIENT_ERROR, 0)
2867 idx += 1
2868 if ctx['num'] == idx:
2869 logger.info("Test: EAP-Failure")
2870 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2871
2872 idx += 1
2873 if ctx['num'] == idx:
2874 logger.info("Test: Too short attribute header")
2875 return struct.pack(">BBHBBHB", EAP_CODE_REQUEST, ctx['id'],
2876 4 + 1 + 1 + 3,
2877 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255)
2878 idx += 1
2879 if ctx['num'] == idx:
2880 logger.info("Test: EAP-Failure")
2881 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2882
2883 idx += 1
2884 if ctx['num'] == idx:
2885 logger.info("Test: Truncated attribute")
2886 return struct.pack(">BBHBBHBB", EAP_CODE_REQUEST, ctx['id'],
2887 4 + 1 + 1 + 4,
2888 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255,
2889 255)
2890 idx += 1
2891 if ctx['num'] == idx:
2892 logger.info("Test: EAP-Failure")
2893 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2894
2895 idx += 1
2896 if ctx['num'] == idx:
2897 logger.info("Test: Too short attribute data")
2898 return struct.pack(">BBHBBHBB", EAP_CODE_REQUEST, ctx['id'],
2899 4 + 1 + 1 + 4,
2900 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255,
2901 0)
2902 idx += 1
2903 if ctx['num'] == idx:
2904 logger.info("Test: EAP-Failure")
2905 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2906
2907 idx += 1
2908 if ctx['num'] == idx:
2909 logger.info("Test: Skippable/non-skippable unrecognzized attribute")
2910 return struct.pack(">BBHBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2911 4 + 1 + 1 + 10,
2912 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2913 255, 1, 0, 127, 1, 0)
2914 idx += 1
2915 if ctx['num'] == idx:
2916 logger.info("Test: EAP-Failure")
2917 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2918
2919 idx += 1
2920 if ctx['num'] == idx:
2921 logger.info("Test: Identity request without ID type")
2922 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2923 4 + 1 + 3,
2924 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0)
2925 idx += 1
2926 if ctx['num'] == idx:
2927 logger.info("Test: Identity request ANY_ID")
2928 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2929 4 + 1 + 3 + 4,
2930 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2931 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2932 idx += 1
2933 if ctx['num'] == idx:
2934 logger.info("Test: Identity request ANY_ID (duplicate)")
2935 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2936 4 + 1 + 3 + 4,
2937 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2938 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2939 idx += 1
2940 if ctx['num'] == idx:
2941 logger.info("Test: EAP-Failure")
2942 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2943
2944 idx += 1
2945 if ctx['num'] == idx:
2946 logger.info("Test: Identity request ANY_ID")
2947 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2948 4 + 1 + 3 + 4,
2949 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2950 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2951 idx += 1
2952 if ctx['num'] == idx:
2953 logger.info("Test: Identity request FULLAUTH_ID")
2954 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2955 4 + 1 + 3 + 4,
2956 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2957 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2958 idx += 1
2959 if ctx['num'] == idx:
2960 logger.info("Test: Identity request FULLAUTH_ID (duplicate)")
2961 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2962 4 + 1 + 3 + 4,
2963 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2964 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2965 idx += 1
2966 if ctx['num'] == idx:
2967 logger.info("Test: EAP-Failure")
2968 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2969
2970 idx += 1
2971 if ctx['num'] == idx:
2972 logger.info("Test: Identity request ANY_ID")
2973 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2974 4 + 1 + 3 + 4,
2975 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2976 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2977 idx += 1
2978 if ctx['num'] == idx:
2979 logger.info("Test: Identity request FULLAUTH_ID")
2980 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2981 4 + 1 + 3 + 4,
2982 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2983 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2984 idx += 1
2985 if ctx['num'] == idx:
2986 logger.info("Test: Identity request PERMANENT_ID")
2987 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2988 4 + 1 + 3 + 4,
2989 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2990 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
2991 idx += 1
2992 if ctx['num'] == idx:
2993 logger.info("Test: Identity request PERMANENT_ID (duplicate)")
2994 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2995 4 + 1 + 3 + 4,
2996 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2997 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
2998 idx += 1
2999 if ctx['num'] == idx:
3000 logger.info("Test: EAP-Failure")
3001 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3002
3003 idx += 1
3004 if ctx['num'] == idx:
3005 logger.info("Test: Challenge with no attributes")
3006 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3007 4 + 1 + 3,
3008 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0)
3009 idx += 1
3010 if ctx['num'] == idx:
3011 logger.info("Test: EAP-Failure")
3012 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3013
3014 idx += 1
3015 if ctx['num'] == idx:
3016 logger.info("Test: AKA Challenge with BIDDING")
3017 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3018 4 + 1 + 3 + 4,
3019 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3020 EAP_SIM_AT_BIDDING, 1, 0x8000)
3021 idx += 1
3022 if ctx['num'] == idx:
3023 logger.info("Test: EAP-Failure")
3024 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3025
3026 idx += 1
3027 if ctx['num'] == idx:
3028 logger.info("Test: Notification with no attributes")
3029 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3030 4 + 1 + 3,
3031 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0)
3032 idx += 1
3033 if ctx['num'] == idx:
3034 logger.info("Test: EAP-Failure")
3035 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3036
3037 idx += 1
3038 if ctx['num'] == idx:
3039 logger.info("Test: Notification indicating success, but no MAC")
3040 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3041 4 + 1 + 3 + 4,
3042 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3043 EAP_SIM_AT_NOTIFICATION, 1, 32768)
3044 idx += 1
3045 if ctx['num'] == idx:
3046 logger.info("Test: EAP-Failure")
3047 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3048
3049 idx += 1
3050 if ctx['num'] == idx:
3051 logger.info("Test: Notification indicating success, but invalid MAC value")
3052 return struct.pack(">BBHBBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
3053 4 + 1 + 3 + 4 + 20,
3054 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3055 EAP_SIM_AT_NOTIFICATION, 1, 32768,
3056 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3057 idx += 1
3058 if ctx['num'] == idx:
3059 logger.info("Test: EAP-Failure")
3060 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3061
3062 idx += 1
3063 if ctx['num'] == idx:
3064 logger.info("Test: Notification indicating success with zero-key MAC")
3065 return struct.pack(">BBHBBHBBHBBH16B", EAP_CODE_REQUEST,
3066 ctx['id'] - 2,
3067 4 + 1 + 3 + 4 + 20,
3068 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3069 EAP_SIM_AT_NOTIFICATION, 1, 32768,
3070 EAP_SIM_AT_MAC, 5, 0,
3071 0xbe, 0x2e, 0xbb, 0xa9, 0xfa, 0x2e, 0x82, 0x36,
3072 0x37, 0x8c, 0x32, 0x41, 0xb7, 0xc7, 0x58, 0xa3)
3073 idx += 1
3074 if ctx['num'] == idx:
3075 logger.info("Test: EAP-Success")
3076 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
3077
3078 idx += 1
3079 if ctx['num'] == idx:
3080 logger.info("Test: Notification before auth")
3081 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3082 4 + 1 + 3 + 4,
3083 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3084 EAP_SIM_AT_NOTIFICATION, 1, 16384)
3085 idx += 1
3086 if ctx['num'] == idx:
3087 logger.info("Test: EAP-Failure")
3088 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3089
3090 idx += 1
3091 if ctx['num'] == idx:
3092 logger.info("Test: Notification before auth")
3093 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3094 4 + 1 + 3 + 4,
3095 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3096 EAP_SIM_AT_NOTIFICATION, 1, 16385)
3097 idx += 1
3098 if ctx['num'] == idx:
3099 logger.info("Test: EAP-Failure")
3100 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3101
3102 idx += 1
3103 if ctx['num'] == idx:
3104 logger.info("Test: Notification with unrecognized non-failure")
3105 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3106 4 + 1 + 3 + 4,
3107 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3108 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
3109 idx += 1
3110 if ctx['num'] == idx:
3111 logger.info("Test: Notification before auth (duplicate)")
3112 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3113 4 + 1 + 3 + 4,
3114 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
3115 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
3116 idx += 1
3117 if ctx['num'] == idx:
3118 logger.info("Test: EAP-Failure")
3119 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3120
3121 idx += 1
3122 if ctx['num'] == idx:
3123 logger.info("Test: Re-authentication (unexpected) with no attributes")
3124 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3125 4 + 1 + 3,
3126 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_REAUTHENTICATION,
3127 0)
3128 idx += 1
3129 if ctx['num'] == idx:
3130 logger.info("Test: EAP-Failure")
3131 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3132
3133 idx += 1
3134 if ctx['num'] == idx:
3135 logger.info("Test: AKA Challenge with Checkcode claiming identity round was used")
3136 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3137 4 + 1 + 3 + 24,
3138 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3139 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
3140 idx += 1
3141 if ctx['num'] == idx:
3142 logger.info("Test: EAP-Failure")
3143 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3144
3145 idx += 1
3146 if ctx['num'] == idx:
3147 logger.info("Test: Identity request ANY_ID")
3148 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3149 4 + 1 + 3 + 4,
3150 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3151 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3152 idx += 1
3153 if ctx['num'] == idx:
3154 logger.info("Test: AKA Challenge with Checkcode claiming no identity round was used")
3155 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3156 4 + 1 + 3 + 4,
3157 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3158 EAP_SIM_AT_CHECKCODE, 1, 0)
3159 idx += 1
3160 if ctx['num'] == idx:
3161 logger.info("Test: EAP-Failure")
3162 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3163
3164 idx += 1
3165 if ctx['num'] == idx:
3166 logger.info("Test: Identity request ANY_ID")
3167 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3168 4 + 1 + 3 + 4,
3169 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3170 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3171 idx += 1
3172 if ctx['num'] == idx:
3173 logger.info("Test: AKA Challenge with mismatching Checkcode value")
3174 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3175 4 + 1 + 3 + 24,
3176 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3177 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
3178 idx += 1
3179 if ctx['num'] == idx:
3180 logger.info("Test: EAP-Failure")
3181 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3182
3183 idx += 1
3184 if ctx['num'] == idx:
3185 logger.info("Test: Re-authentication (unexpected) with Checkcode claimin identity round was used")
3186 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3187 4 + 1 + 3 + 24,
3188 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_REAUTHENTICATION,
3189 0,
3190 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
3191 idx += 1
3192 if ctx['num'] == idx:
3193 logger.info("Test: EAP-Failure")
3194 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3195
3196 idx += 1
3197 if ctx['num'] == idx:
3198 logger.info("Test: Invalid AT_RAND length")
3199 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3200 4 + 1 + 3 + 4,
3201 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3202 EAP_SIM_AT_RAND, 1, 0)
3203 idx += 1
3204 if ctx['num'] == idx:
3205 logger.info("Test: EAP-Failure")
3206 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3207
3208 idx += 1
3209 if ctx['num'] == idx:
3210 logger.info("Test: Invalid AT_AUTN length")
3211 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3212 4 + 1 + 3 + 4,
3213 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3214 EAP_SIM_AT_AUTN, 1, 0)
3215 idx += 1
3216 if ctx['num'] == idx:
3217 logger.info("Test: EAP-Failure")
3218 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3219
3220 idx += 1
3221 if ctx['num'] == idx:
3222 logger.info("Test: Unencrypted AT_PADDING")
3223 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3224 4 + 1 + 3 + 4,
3225 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3226 EAP_SIM_AT_PADDING, 1, 0)
3227 idx += 1
3228 if ctx['num'] == idx:
3229 logger.info("Test: EAP-Failure")
3230 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3231
3232 idx += 1
3233 if ctx['num'] == idx:
3234 logger.info("Test: Invalid AT_NONCE_MT length")
3235 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3236 4 + 1 + 3 + 4,
3237 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3238 EAP_SIM_AT_NONCE_MT, 1, 0)
3239 idx += 1
3240 if ctx['num'] == idx:
3241 logger.info("Test: EAP-Failure")
3242 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3243
3244 idx += 1
3245 if ctx['num'] == idx:
3246 logger.info("Test: Invalid AT_MAC length")
3247 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3248 4 + 1 + 3 + 4,
3249 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3250 EAP_SIM_AT_MAC, 1, 0)
3251 idx += 1
3252 if ctx['num'] == idx:
3253 logger.info("Test: EAP-Failure")
3254 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3255
3256 idx += 1
3257 if ctx['num'] == idx:
3258 logger.info("Test: Invalid AT_NOTIFICATION length")
3259 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3260 4 + 1 + 3 + 8,
3261 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3262 EAP_SIM_AT_NOTIFICATION, 2, 0, 0)
3263 idx += 1
3264 if ctx['num'] == idx:
3265 logger.info("Test: EAP-Failure")
3266 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3267
3268 idx += 1
3269 if ctx['num'] == idx:
3270 logger.info("Test: AT_IDENTITY overflow")
3271 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3272 4 + 1 + 3 + 4,
3273 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3274 EAP_SIM_AT_IDENTITY, 1, 0xffff)
3275 idx += 1
3276 if ctx['num'] == idx:
3277 logger.info("Test: EAP-Failure")
3278 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3279
3280 idx += 1
3281 if ctx['num'] == idx:
3282 logger.info("Test: Unexpected AT_VERSION_LIST")
3283 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3284 4 + 1 + 3 + 4,
3285 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3286 EAP_SIM_AT_VERSION_LIST, 1, 0)
3287 idx += 1
3288 if ctx['num'] == idx:
3289 logger.info("Test: EAP-Failure")
3290 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3291
3292 idx += 1
3293 if ctx['num'] == idx:
3294 logger.info("Test: Invalid AT_SELECTED_VERSION length")
3295 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3296 4 + 1 + 3 + 8,
3297 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3298 EAP_SIM_AT_SELECTED_VERSION, 2, 0, 0)
3299 idx += 1
3300 if ctx['num'] == idx:
3301 logger.info("Test: EAP-Failure")
3302 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3303
3304 idx += 1
3305 if ctx['num'] == idx:
3306 logger.info("Test: Unencrypted AT_COUNTER")
3307 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3308 4 + 1 + 3 + 4,
3309 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3310 EAP_SIM_AT_COUNTER, 1, 0)
3311 idx += 1
3312 if ctx['num'] == idx:
3313 logger.info("Test: EAP-Failure")
3314 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3315
3316 idx += 1
3317 if ctx['num'] == idx:
3318 logger.info("Test: Unencrypted AT_COUNTER_TOO_SMALL")
3319 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3320 4 + 1 + 3 + 4,
3321 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3322 EAP_SIM_AT_COUNTER_TOO_SMALL, 1, 0)
3323 idx += 1
3324 if ctx['num'] == idx:
3325 logger.info("Test: EAP-Failure")
3326 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3327
3328 idx += 1
3329 if ctx['num'] == idx:
3330 logger.info("Test: Unencrypted AT_NONCE_S")
3331 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3332 4 + 1 + 3 + 4,
3333 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3334 EAP_SIM_AT_NONCE_S, 1, 0)
3335 idx += 1
3336 if ctx['num'] == idx:
3337 logger.info("Test: EAP-Failure")
3338 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3339
3340 idx += 1
3341 if ctx['num'] == idx:
3342 logger.info("Test: Invalid AT_CLIENT_ERROR_CODE length")
3343 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3344 4 + 1 + 3 + 8,
3345 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3346 EAP_SIM_AT_CLIENT_ERROR_CODE, 2, 0, 0)
3347 idx += 1
3348 if ctx['num'] == idx:
3349 logger.info("Test: EAP-Failure")
3350 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3351
3352 idx += 1
3353 if ctx['num'] == idx:
3354 logger.info("Test: Invalid AT_IV length")
3355 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3356 4 + 1 + 3 + 4,
3357 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3358 EAP_SIM_AT_IV, 1, 0)
3359 idx += 1
3360 if ctx['num'] == idx:
3361 logger.info("Test: EAP-Failure")
3362 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3363
3364 idx += 1
3365 if ctx['num'] == idx:
3366 logger.info("Test: Invalid AT_ENCR_DATA length")
3367 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3368 4 + 1 + 3 + 8,
3369 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3370 EAP_SIM_AT_ENCR_DATA, 2, 0, 0)
3371 idx += 1
3372 if ctx['num'] == idx:
3373 logger.info("Test: EAP-Failure")
3374 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3375
3376 idx += 1
3377 if ctx['num'] == idx:
3378 logger.info("Test: Unencrypted AT_NEXT_PSEUDONYM")
3379 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3380 4 + 1 + 3 + 4,
3381 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3382 EAP_SIM_AT_NEXT_PSEUDONYM, 1, 0)
3383 idx += 1
3384 if ctx['num'] == idx:
3385 logger.info("Test: EAP-Failure")
3386 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3387
3388 idx += 1
3389 if ctx['num'] == idx:
3390 logger.info("Test: Unencrypted AT_NEXT_REAUTH_ID")
3391 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3392 4 + 1 + 3 + 4,
3393 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3394 EAP_SIM_AT_NEXT_REAUTH_ID, 1, 0)
3395 idx += 1
3396 if ctx['num'] == idx:
3397 logger.info("Test: EAP-Failure")
3398 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3399
3400 idx += 1
3401 if ctx['num'] == idx:
3402 logger.info("Test: Invalid AT_RES length")
3403 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3404 4 + 1 + 3 + 4,
3405 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3406 EAP_SIM_AT_RES, 1, 0)
3407 idx += 1
3408 if ctx['num'] == idx:
3409 logger.info("Test: EAP-Failure")
3410 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3411
3412 idx += 1
3413 if ctx['num'] == idx:
3414 logger.info("Test: Invalid AT_RES length")
3415 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3416 4 + 1 + 3 + 24,
3417 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3418 EAP_SIM_AT_RES, 6, 0xffff, 0, 0, 0, 0, 0)
3419 idx += 1
3420 if ctx['num'] == idx:
3421 logger.info("Test: EAP-Failure")
3422 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3423
3424 idx += 1
3425 if ctx['num'] == idx:
3426 logger.info("Test: Invalid AT_AUTS length")
3427 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3428 4 + 1 + 3 + 8,
3429 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3430 EAP_SIM_AT_AUTS, 2, 0, 0)
3431 idx += 1
3432 if ctx['num'] == idx:
3433 logger.info("Test: EAP-Failure")
3434 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3435
3436 idx += 1
3437 if ctx['num'] == idx:
3438 logger.info("Test: Invalid AT_CHECKCODE length")
3439 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3440 4 + 1 + 3 + 8,
3441 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3442 EAP_SIM_AT_CHECKCODE, 2, 0, 0)
3443 idx += 1
3444 if ctx['num'] == idx:
3445 logger.info("Test: EAP-Failure")
3446 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3447
3448 idx += 1
3449 if ctx['num'] == idx:
3450 logger.info("Test: Invalid AT_RESULT_IND length")
3451 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3452 4 + 1 + 3 + 8,
3453 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3454 EAP_SIM_AT_RESULT_IND, 2, 0, 0)
3455 idx += 1
3456 if ctx['num'] == idx:
3457 logger.info("Test: EAP-Failure")
3458 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3459
3460 idx += 1
3461 if ctx['num'] == idx:
3462 logger.info("Test: Unexpected AT_KDF_INPUT")
3463 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3464 4 + 1 + 3 + 8,
3465 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3466 EAP_SIM_AT_KDF_INPUT, 2, 0, 0)
3467 idx += 1
3468 if ctx['num'] == idx:
3469 logger.info("Test: EAP-Failure")
3470 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3471
3472 idx += 1
3473 if ctx['num'] == idx:
3474 logger.info("Test: Unexpected AT_KDF")
3475 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3476 4 + 1 + 3 + 8,
3477 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3478 EAP_SIM_AT_KDF, 2, 0, 0)
3479 idx += 1
3480 if ctx['num'] == idx:
3481 logger.info("Test: EAP-Failure")
3482 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3483
3484 idx += 1
3485 if ctx['num'] == idx:
3486 logger.info("Test: Invalid AT_BIDDING length")
3487 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3488 4 + 1 + 3 + 8,
3489 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3490 EAP_SIM_AT_BIDDING, 2, 0, 0)
3491 idx += 1
3492 if ctx['num'] == idx:
3493 logger.info("Test: EAP-Failure")
3494 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3495
3496 return None
3497
3498 srv = start_radius_server(aka_handler)
3499
3500 try:
3501 hapd = start_ap(apdev[0]['ifname'])
3502
3503 for i in range(0, 49):
3504 eap = "AKA AKA'" if i == 11 else "AKA"
3505 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3506 eap=eap, identity="0232010000000000",
3507 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
3508 wait_connect=False)
3509 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3510 timeout=15)
3511 if ev is None:
3512 raise Exception("Timeout on EAP start")
3513 if i in [ 0, 15 ]:
3514 time.sleep(0.1)
3515 else:
3516 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3517 timeout=10)
3518 if ev is None:
3519 raise Exception("Timeout on EAP failure")
3520 dev[0].request("REMOVE_NETWORK all")
3521 dev[0].dump_monitor()
3522 finally:
3523 stop_radius_server(srv)
3524
3525 def test_eap_proto_aka_prime(dev, apdev):
3526 """EAP-AKA' protocol tests"""
3527 def aka_prime_handler(ctx, req):
3528 logger.info("aka_prime_handler - RX " + req.encode("hex"))
3529 if 'num' not in ctx:
3530 ctx['num'] = 0
3531 ctx['num'] = ctx['num'] + 1
3532 if 'id' not in ctx:
3533 ctx['id'] = 1
3534 ctx['id'] = (ctx['id'] + 1) % 256
3535
3536 idx = 0
3537
3538 idx += 1
3539 if ctx['num'] == idx:
3540 logger.info("Test: Missing payload")
3541 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
3542 4 + 1,
3543 EAP_TYPE_AKA_PRIME)
3544
3545 idx += 1
3546 if ctx['num'] == idx:
3547 logger.info("Test: Challenge with no attributes")
3548 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3549 4 + 1 + 3,
3550 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0)
3551 idx += 1
3552 if ctx['num'] == idx:
3553 logger.info("Test: EAP-Failure")
3554 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3555
3556 idx += 1
3557 if ctx['num'] == idx:
3558 logger.info("Test: Challenge with empty AT_KDF_INPUT")
3559 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3560 4 + 1 + 3 + 4,
3561 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3562 EAP_SIM_AT_KDF_INPUT, 1, 0)
3563 idx += 1
3564 if ctx['num'] == idx:
3565 logger.info("Test: EAP-Failure")
3566 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3567
3568 idx += 1
3569 if ctx['num'] == idx:
3570 logger.info("Test: Challenge with AT_KDF_INPUT")
3571 return struct.pack(">BBHBBHBBHBBBB", EAP_CODE_REQUEST, ctx['id'],
3572 4 + 1 + 3 + 8,
3573 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3574 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3575 ord('c'), ord('d'))
3576 idx += 1
3577 if ctx['num'] == idx:
3578 logger.info("Test: EAP-Failure")
3579 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3580
3581 idx += 1
3582 if ctx['num'] == idx:
3583 logger.info("Test: Challenge with duplicated KDF")
3584 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3585 EAP_CODE_REQUEST, ctx['id'],
3586 4 + 1 + 3 + 8 + 3 * 4,
3587 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3588 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3589 ord('c'), ord('d'),
3590 EAP_SIM_AT_KDF, 1, 1,
3591 EAP_SIM_AT_KDF, 1, 2,
3592 EAP_SIM_AT_KDF, 1, 1)
3593 idx += 1
3594 if ctx['num'] == idx:
3595 logger.info("Test: EAP-Failure")
3596 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3597
3598 idx += 1
3599 if ctx['num'] == idx:
3600 logger.info("Test: Challenge with multiple KDF proposals")
3601 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3602 EAP_CODE_REQUEST, ctx['id'],
3603 4 + 1 + 3 + 8 + 3 * 4,
3604 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3605 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3606 ord('c'), ord('d'),
3607 EAP_SIM_AT_KDF, 1, 255,
3608 EAP_SIM_AT_KDF, 1, 254,
3609 EAP_SIM_AT_KDF, 1, 1)
3610 idx += 1
3611 if ctx['num'] == idx:
3612 logger.info("Test: Challenge with incorrect KDF selected")
3613 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
3614 EAP_CODE_REQUEST, ctx['id'],
3615 4 + 1 + 3 + 8 + 4 * 4,
3616 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3617 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3618 ord('c'), ord('d'),
3619 EAP_SIM_AT_KDF, 1, 255,
3620 EAP_SIM_AT_KDF, 1, 255,
3621 EAP_SIM_AT_KDF, 1, 254,
3622 EAP_SIM_AT_KDF, 1, 1)
3623 idx += 1
3624 if ctx['num'] == idx:
3625 logger.info("Test: EAP-Failure")
3626 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3627
3628 idx += 1
3629 if ctx['num'] == idx:
3630 logger.info("Test: Challenge with multiple KDF proposals")
3631 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3632 EAP_CODE_REQUEST, ctx['id'],
3633 4 + 1 + 3 + 8 + 3 * 4,
3634 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3635 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3636 ord('c'), ord('d'),
3637 EAP_SIM_AT_KDF, 1, 255,
3638 EAP_SIM_AT_KDF, 1, 254,
3639 EAP_SIM_AT_KDF, 1, 1)
3640 idx += 1
3641 if ctx['num'] == idx:
3642 logger.info("Test: Challenge with selected KDF not duplicated")
3643 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3644 EAP_CODE_REQUEST, ctx['id'],
3645 4 + 1 + 3 + 8 + 3 * 4,
3646 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3647 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3648 ord('c'), ord('d'),
3649 EAP_SIM_AT_KDF, 1, 1,
3650 EAP_SIM_AT_KDF, 1, 255,
3651 EAP_SIM_AT_KDF, 1, 254)
3652 idx += 1
3653 if ctx['num'] == idx:
3654 logger.info("Test: EAP-Failure")
3655 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3656
3657 idx += 1
3658 if ctx['num'] == idx:
3659 logger.info("Test: Challenge with multiple KDF proposals")
3660 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3661 EAP_CODE_REQUEST, ctx['id'],
3662 4 + 1 + 3 + 8 + 3 * 4,
3663 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3664 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3665 ord('c'), ord('d'),
3666 EAP_SIM_AT_KDF, 1, 255,
3667 EAP_SIM_AT_KDF, 1, 254,
3668 EAP_SIM_AT_KDF, 1, 1)
3669 idx += 1
3670 if ctx['num'] == idx:
3671 logger.info("Test: Challenge with selected KDF duplicated (missing MAC, RAND, AUTN)")
3672 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
3673 EAP_CODE_REQUEST, ctx['id'],
3674 4 + 1 + 3 + 8 + 4 * 4,
3675 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3676 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3677 ord('c'), ord('d'),
3678 EAP_SIM_AT_KDF, 1, 1,
3679 EAP_SIM_AT_KDF, 1, 255,
3680 EAP_SIM_AT_KDF, 1, 254,
3681 EAP_SIM_AT_KDF, 1, 1)
3682 idx += 1
3683 if ctx['num'] == idx:
3684 logger.info("Test: EAP-Failure")
3685 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3686
3687 idx += 1
3688 if ctx['num'] == idx:
3689 logger.info("Test: Challenge with multiple unsupported KDF proposals")
3690 return struct.pack(">BBHBBHBBHBBBBBBHBBH",
3691 EAP_CODE_REQUEST, ctx['id'],
3692 4 + 1 + 3 + 8 + 2 * 4,
3693 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3694 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3695 ord('c'), ord('d'),
3696 EAP_SIM_AT_KDF, 1, 255,
3697 EAP_SIM_AT_KDF, 1, 254)
3698 idx += 1
3699 if ctx['num'] == idx:
3700 logger.info("Test: EAP-Failure")
3701 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3702
3703 idx += 1
3704 if ctx['num'] == idx:
3705 logger.info("Test: Challenge with multiple KDF proposals")
3706 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3707 EAP_CODE_REQUEST, ctx['id'],
3708 4 + 1 + 3 + 8 + 3 * 4,
3709 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3710 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3711 ord('c'), ord('d'),
3712 EAP_SIM_AT_KDF, 1, 255,
3713 EAP_SIM_AT_KDF, 1, 254,
3714 EAP_SIM_AT_KDF, 1, 1)
3715 idx += 1
3716 if ctx['num'] == idx:
3717 logger.info("Test: Challenge with invalid MAC, RAND, AUTN values)")
3718 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBHBBH4LBBH4LBBH4L",
3719 EAP_CODE_REQUEST, ctx['id'],
3720 4 + 1 + 3 + 8 + 4 * 4 + 20 + 20 + 20,
3721 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3722 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3723 ord('c'), ord('d'),
3724 EAP_SIM_AT_KDF, 1, 1,
3725 EAP_SIM_AT_KDF, 1, 255,
3726 EAP_SIM_AT_KDF, 1, 254,
3727 EAP_SIM_AT_KDF, 1, 1,
3728 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0,
3729 EAP_SIM_AT_RAND, 5, 0, 0, 0, 0, 0,
3730 EAP_SIM_AT_AUTN, 5, 0, 0, 0, 0, 0)
3731 idx += 1
3732 if ctx['num'] == idx:
3733 logger.info("Test: EAP-Failure")
3734 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3735
3736 idx += 1
3737 if ctx['num'] == idx:
3738 logger.info("Test: Challenge - AMF separation bit not set)")
3739 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3740 EAP_CODE_REQUEST, ctx['id'],
3741 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3742 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3743 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3744 ord('c'), ord('d'),
3745 EAP_SIM_AT_KDF, 1, 1,
3746 EAP_SIM_AT_MAC, 5, 0, 1, 2, 3, 4,
3747 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3748 EAP_SIM_AT_AUTN, 5, 0, 9, 10,
3749 0x2fda8ef7, 0xbba518cc)
3750 idx += 1
3751 if ctx['num'] == idx:
3752 logger.info("Test: EAP-Failure")
3753 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3754
3755 idx += 1
3756 if ctx['num'] == idx:
3757 logger.info("Test: Challenge - Invalid MAC")
3758 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3759 EAP_CODE_REQUEST, ctx['id'],
3760 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3761 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3762 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3763 ord('c'), ord('d'),
3764 EAP_SIM_AT_KDF, 1, 1,
3765 EAP_SIM_AT_MAC, 5, 0, 1, 2, 3, 4,
3766 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3767 EAP_SIM_AT_AUTN, 5, 0, 0xffffffff, 0xffffffff,
3768 0xd1f90322, 0x40514cb4)
3769 idx += 1
3770 if ctx['num'] == idx:
3771 logger.info("Test: EAP-Failure")
3772 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3773
3774 idx += 1
3775 if ctx['num'] == idx:
3776 logger.info("Test: Challenge - Valid MAC")
3777 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3778 EAP_CODE_REQUEST, ctx['id'],
3779 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3780 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3781 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3782 ord('c'), ord('d'),
3783 EAP_SIM_AT_KDF, 1, 1,
3784 EAP_SIM_AT_MAC, 5, 0,
3785 0xf4a3c1d3, 0x7c901401, 0x34bd8b01, 0x6f7fa32f,
3786 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3787 EAP_SIM_AT_AUTN, 5, 0, 0xffffffff, 0xffffffff,
3788 0xd1f90322, 0x40514cb4)
3789 idx += 1
3790 if ctx['num'] == idx:
3791 logger.info("Test: EAP-Failure")
3792 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3793
3794 idx += 1
3795 if ctx['num'] == idx:
3796 logger.info("Test: Invalid AT_KDF_INPUT length")
3797 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3798 4 + 1 + 3 + 8,
3799 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
3800 EAP_SIM_AT_KDF_INPUT, 2, 0xffff, 0)
3801 idx += 1
3802 if ctx['num'] == idx:
3803 logger.info("Test: EAP-Failure")
3804 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3805
3806 idx += 1
3807 if ctx['num'] == idx:
3808 logger.info("Test: Invalid AT_KDF length")
3809 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3810 4 + 1 + 3 + 8,
3811 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
3812 EAP_SIM_AT_KDF, 2, 0, 0)
3813 idx += 1
3814 if ctx['num'] == idx:
3815 logger.info("Test: EAP-Failure")
3816 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3817
3818 idx += 1
3819 if ctx['num'] == idx:
3820 logger.info("Test: Challenge with large number of KDF proposals")
3821 return struct.pack(">BBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH",
3822 EAP_CODE_REQUEST, ctx['id'],
3823 4 + 1 + 3 + 12 * 4,
3824 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3825 EAP_SIM_AT_KDF, 1, 255,
3826 EAP_SIM_AT_KDF, 1, 254,
3827 EAP_SIM_AT_KDF, 1, 253,
3828 EAP_SIM_AT_KDF, 1, 252,
3829 EAP_SIM_AT_KDF, 1, 251,
3830 EAP_SIM_AT_KDF, 1, 250,
3831 EAP_SIM_AT_KDF, 1, 249,
3832 EAP_SIM_AT_KDF, 1, 248,
3833 EAP_SIM_AT_KDF, 1, 247,
3834 EAP_SIM_AT_KDF, 1, 246,
3835 EAP_SIM_AT_KDF, 1, 245,
3836 EAP_SIM_AT_KDF, 1, 244)
3837 idx += 1
3838 if ctx['num'] == idx:
3839 logger.info("Test: EAP-Failure")
3840 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3841
3842 return None
3843
3844 srv = start_radius_server(aka_prime_handler)
3845
3846 try:
3847 hapd = start_ap(apdev[0]['ifname'])
3848
3849 for i in range(0, 16):
3850 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3851 eap="AKA'", identity="6555444333222111",
3852 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
3853 wait_connect=False)
3854 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3855 timeout=15)
3856 if ev is None:
3857 raise Exception("Timeout on EAP start")
3858 if i in [ 0 ]:
3859 time.sleep(0.1)
3860 else:
3861 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3862 timeout=10)
3863 if ev is None:
3864 raise Exception("Timeout on EAP failure")
3865 dev[0].request("REMOVE_NETWORK all")
3866 dev[0].dump_monitor()
3867 finally:
3868 stop_radius_server(srv)
3869
3870 def test_eap_proto_sim(dev, apdev):
3871 """EAP-SIM protocol tests"""
3872 def sim_handler(ctx, req):
3873 logger.info("sim_handler - RX " + req.encode("hex"))
3874 if 'num' not in ctx:
3875 ctx['num'] = 0
3876 ctx['num'] = ctx['num'] + 1
3877 if 'id' not in ctx:
3878 ctx['id'] = 1
3879 ctx['id'] = (ctx['id'] + 1) % 256
3880
3881 idx = 0
3882
3883 idx += 1
3884 if ctx['num'] == idx:
3885 logger.info("Test: Missing payload")
3886 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
3887 4 + 1,
3888 EAP_TYPE_SIM)
3889
3890 idx += 1
3891 if ctx['num'] == idx:
3892 logger.info("Test: Unexpected AT_AUTN")
3893 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3894 4 + 1 + 3 + 8,
3895 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3896 EAP_SIM_AT_AUTN, 2, 0, 0)
3897 idx += 1
3898 if ctx['num'] == idx:
3899 logger.info("Test: EAP-Failure")
3900 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3901
3902 idx += 1
3903 if ctx['num'] == idx:
3904 logger.info("Test: Too short AT_VERSION_LIST")
3905 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3906 4 + 1 + 3 + 4,
3907 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3908 EAP_SIM_AT_VERSION_LIST, 1, 0)
3909 idx += 1
3910 if ctx['num'] == idx:
3911 logger.info("Test: EAP-Failure")
3912 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3913
3914 idx += 1
3915 if ctx['num'] == idx:
3916 logger.info("Test: AT_VERSION_LIST overflow")
3917 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3918 4 + 1 + 3 + 4,
3919 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3920 EAP_SIM_AT_VERSION_LIST, 1, 0xffff)
3921 idx += 1
3922 if ctx['num'] == idx:
3923 logger.info("Test: EAP-Failure")
3924 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3925
3926 idx += 1
3927 if ctx['num'] == idx:
3928 logger.info("Test: Unexpected AT_AUTS")
3929 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3930 4 + 1 + 3 + 8,
3931 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3932 EAP_SIM_AT_AUTS, 2, 0, 0)
3933 idx += 1
3934 if ctx['num'] == idx:
3935 logger.info("Test: EAP-Failure")
3936 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3937
3938 idx += 1
3939 if ctx['num'] == idx:
3940 logger.info("Test: Unexpected AT_CHECKCODE")
3941 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3942 4 + 1 + 3 + 8,
3943 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3944 EAP_SIM_AT_CHECKCODE, 2, 0, 0)
3945 idx += 1
3946 if ctx['num'] == idx:
3947 logger.info("Test: EAP-Failure")
3948 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3949
3950 idx += 1
3951 if ctx['num'] == idx:
3952 logger.info("Test: No AT_VERSION_LIST in Start")
3953 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3954 4 + 1 + 3,
3955 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0)
3956 idx += 1
3957 if ctx['num'] == idx:
3958 logger.info("Test: EAP-Failure")
3959 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3960
3961 idx += 1
3962 if ctx['num'] == idx:
3963 logger.info("Test: No support version in AT_VERSION_LIST")
3964 return struct.pack(">BBHBBHBBH4B", EAP_CODE_REQUEST, ctx['id'],
3965 4 + 1 + 3 + 8,
3966 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3967 EAP_SIM_AT_VERSION_LIST, 2, 3, 2, 3, 4, 5)
3968 idx += 1
3969 if ctx['num'] == idx:
3970 logger.info("Test: EAP-Failure")
3971 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3972
3973
3974 idx += 1
3975 if ctx['num'] == idx:
3976 logger.info("Test: Identity request without ID type")
3977 return struct.pack(">BBHBBHBBH2H", EAP_CODE_REQUEST, ctx['id'],
3978 4 + 1 + 3 + 8,
3979 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3980 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0)
3981 idx += 1
3982 if ctx['num'] == idx:
3983 logger.info("Test: Identity request ANY_ID")
3984 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3985 4 + 1 + 3 + 8 + 4,
3986 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3987 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3988 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3989 idx += 1
3990 if ctx['num'] == idx:
3991 logger.info("Test: Identity request ANY_ID (duplicate)")
3992 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3993 4 + 1 + 3 + 8 + 4,
3994 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3995 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3996 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3997 idx += 1
3998 if ctx['num'] == idx:
3999 logger.info("Test: EAP-Failure")
4000 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4001
4002 idx += 1
4003 if ctx['num'] == idx:
4004 logger.info("Test: Identity request ANY_ID")
4005 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4006 4 + 1 + 3 + 8 + 4,
4007 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4008 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4009 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
4010 idx += 1
4011 if ctx['num'] == idx:
4012 logger.info("Test: Identity request FULLAUTH_ID")
4013 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4014 4 + 1 + 3 + 8 + 4,
4015 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4016 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4017 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
4018 idx += 1
4019 if ctx['num'] == idx:
4020 logger.info("Test: Identity request FULLAUTH_ID (duplicate)")
4021 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4022 4 + 1 + 3 + 8 + 4,
4023 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4024 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4025 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
4026 idx += 1
4027 if ctx['num'] == idx:
4028 logger.info("Test: EAP-Failure")
4029 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4030
4031 idx += 1
4032 if ctx['num'] == idx:
4033 logger.info("Test: Identity request ANY_ID")
4034 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4035 4 + 1 + 3 + 8 + 4,
4036 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4037 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4038 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
4039 idx += 1
4040 if ctx['num'] == idx:
4041 logger.info("Test: Identity request FULLAUTH_ID")
4042 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4043 4 + 1 + 3 + 8 + 4,
4044 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4045 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4046 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
4047 idx += 1
4048 if ctx['num'] == idx:
4049 logger.info("Test: Identity request PERMANENT_ID")
4050 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4051 4 + 1 + 3 + 8 + 4,
4052 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4053 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4054 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
4055 idx += 1
4056 if ctx['num'] == idx:
4057 logger.info("Test: Identity request PERMANENT_ID (duplicate)")
4058 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
4059 4 + 1 + 3 + 8 + 4,
4060 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
4061 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
4062 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
4063 idx += 1
4064 if ctx['num'] == idx:
4065 logger.info("Test: EAP-Failure")
4066 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4067
4068 idx += 1
4069 if ctx['num'] == idx:
4070 logger.info("Test: No AT_MAC and AT_RAND in Challenge")
4071 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4072 4 + 1 + 3,
4073 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0)
4074 idx += 1
4075 if ctx['num'] == idx:
4076 logger.info("Test: EAP-Failure")
4077 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4078
4079 idx += 1
4080 if ctx['num'] == idx:
4081 logger.info("Test: No AT_RAND in Challenge")
4082 return struct.pack(">BBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
4083 4 + 1 + 3 + 20,
4084 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4085 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4086 idx += 1
4087 if ctx['num'] == idx:
4088 logger.info("Test: EAP-Failure")
4089 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4090
4091 idx += 1
4092 if ctx['num'] == idx:
4093 logger.info("Test: Insufficient number of challenges in Challenge")
4094 return struct.pack(">BBHBBHBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'],
4095 4 + 1 + 3 + 20 + 20,
4096 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4097 EAP_SIM_AT_RAND, 5, 0, 0, 0, 0, 0,
4098 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4099 idx += 1
4100 if ctx['num'] == idx:
4101 logger.info("Test: EAP-Failure")
4102 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4103
4104 idx += 1
4105 if ctx['num'] == idx:
4106 logger.info("Test: Too many challenges in Challenge")
4107 return struct.pack(">BBHBBHBBH4L4L4L4LBBH4L", EAP_CODE_REQUEST,
4108 ctx['id'],
4109 4 + 1 + 3 + 4 + 4 * 16 + 20,
4110 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4111 EAP_SIM_AT_RAND, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0,
4112 0, 0, 0, 0, 0, 0, 0, 0,
4113 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4114 idx += 1
4115 if ctx['num'] == idx:
4116 logger.info("Test: EAP-Failure")
4117 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4118
4119 idx += 1
4120 if ctx['num'] == idx:
4121 logger.info("Test: Same RAND multiple times in Challenge")
4122 return struct.pack(">BBHBBHBBH4L4L4LBBH4L", EAP_CODE_REQUEST,
4123 ctx['id'],
4124 4 + 1 + 3 + 4 + 3 * 16 + 20,
4125 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
4126 EAP_SIM_AT_RAND, 13, 0, 0, 0, 0, 0, 0, 0, 0, 1,
4127 0, 0, 0, 0,
4128 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4129 idx += 1
4130 if ctx['num'] == idx:
4131 logger.info("Test: EAP-Failure")
4132 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4133
4134 idx += 1
4135 if ctx['num'] == idx:
4136 logger.info("Test: Notification with no attributes")
4137 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4138 4 + 1 + 3,
4139 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0)
4140 idx += 1
4141 if ctx['num'] == idx:
4142 logger.info("Test: EAP-Failure")
4143 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4144
4145 idx += 1
4146 if ctx['num'] == idx:
4147 logger.info("Test: Notification indicating success, but no MAC")
4148 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4149 4 + 1 + 3 + 4,
4150 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4151 EAP_SIM_AT_NOTIFICATION, 1, 32768)
4152 idx += 1
4153 if ctx['num'] == idx:
4154 logger.info("Test: EAP-Failure")
4155 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4156
4157 idx += 1
4158 if ctx['num'] == idx:
4159 logger.info("Test: Notification indicating success, but invalid MAC value")
4160 return struct.pack(">BBHBBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
4161 4 + 1 + 3 + 4 + 20,
4162 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4163 EAP_SIM_AT_NOTIFICATION, 1, 32768,
4164 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
4165 idx += 1
4166 if ctx['num'] == idx:
4167 logger.info("Test: EAP-Failure")
4168 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4169
4170 idx += 1
4171 if ctx['num'] == idx:
4172 logger.info("Test: Notification before auth")
4173 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4174 4 + 1 + 3 + 4,
4175 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4176 EAP_SIM_AT_NOTIFICATION, 1, 16384)
4177 idx += 1
4178 if ctx['num'] == idx:
4179 logger.info("Test: EAP-Failure")
4180 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4181
4182 idx += 1
4183 if ctx['num'] == idx:
4184 logger.info("Test: Notification before auth")
4185 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4186 4 + 1 + 3 + 4,
4187 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4188 EAP_SIM_AT_NOTIFICATION, 1, 16385)
4189 idx += 1
4190 if ctx['num'] == idx:
4191 logger.info("Test: EAP-Failure")
4192 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4193
4194 idx += 1
4195 if ctx['num'] == idx:
4196 logger.info("Test: Notification with unrecognized non-failure")
4197 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4198 4 + 1 + 3 + 4,
4199 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4200 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
4201 idx += 1
4202 if ctx['num'] == idx:
4203 logger.info("Test: Notification before auth (duplicate)")
4204 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
4205 4 + 1 + 3 + 4,
4206 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
4207 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
4208 idx += 1
4209 if ctx['num'] == idx:
4210 logger.info("Test: EAP-Failure")
4211 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4212
4213 idx += 1
4214 if ctx['num'] == idx:
4215 logger.info("Test: Re-authentication (unexpected) with no attributes")
4216 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4217 4 + 1 + 3,
4218 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_REAUTHENTICATION,
4219 0)
4220 idx += 1
4221 if ctx['num'] == idx:
4222 logger.info("Test: EAP-Failure")
4223 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4224
4225 idx += 1
4226 if ctx['num'] == idx:
4227 logger.info("Test: Client Error")
4228 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4229 4 + 1 + 3,
4230 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CLIENT_ERROR, 0)
4231 idx += 1
4232 if ctx['num'] == idx:
4233 logger.info("Test: EAP-Failure")
4234 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4235
4236 idx += 1
4237 if ctx['num'] == idx:
4238 logger.info("Test: Unknown subtype")
4239 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
4240 4 + 1 + 3,
4241 EAP_TYPE_SIM, 255, 0)
4242 idx += 1
4243 if ctx['num'] == idx:
4244 logger.info("Test: EAP-Failure")
4245 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4246
4247 return None
4248
4249 srv = start_radius_server(sim_handler)
4250
4251 try:
4252 hapd = start_ap(apdev[0]['ifname'])
4253
4254 for i in range(0, 25):
4255 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4256 eap="SIM", identity="1232010000000000",
4257 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4258 wait_connect=False)
4259 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4260 timeout=15)
4261 if ev is None:
4262 raise Exception("Timeout on EAP start")
4263 if i in [ 0 ]:
4264 time.sleep(0.1)
4265 else:
4266 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
4267 timeout=10)
4268 if ev is None:
4269 raise Exception("Timeout on EAP failure")
4270 dev[0].request("REMOVE_NETWORK all")
4271 dev[0].dump_monitor()
4272 finally:
4273 stop_radius_server(srv)
4274
4275 def test_eap_proto_sim_errors(dev, apdev):
4276 """EAP-SIM protocol tests (error paths)"""
4277 check_hlr_auc_gw_support()
4278 params = hostapd.wpa2_eap_params(ssid="eap-test")
4279 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4280
4281 with alloc_fail(dev[0], 1, "eap_sim_init"):
4282 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4283 eap="SIM", identity="1232010000000000",
4284 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4285 wait_connect=False)
4286 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4287 timeout=15)
4288 if ev is None:
4289 raise Exception("Timeout on EAP start")
4290 dev[0].request("REMOVE_NETWORK all")
4291 dev[0].wait_disconnected()
4292
4293 with fail_test(dev[0], 1, "os_get_random;eap_sim_init"):
4294 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4295 eap="SIM", identity="1232010000000000",
4296 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4297 wait_connect=False)
4298 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4299 timeout=15)
4300 if ev is None:
4301 raise Exception("Timeout on EAP start")
4302 dev[0].request("REMOVE_NETWORK all")
4303 dev[0].wait_disconnected()
4304
4305 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4306 eap="SIM", identity="1232010000000000",
4307 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4308
4309 with fail_test(dev[0], 1, "aes_128_cbc_encrypt;eap_sim_response_reauth"):
4310 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4311 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4312 if ev is None:
4313 raise Exception("EAP re-authentication did not start")
4314 wait_fail_trigger(dev[0], "GET_FAIL")
4315 dev[0].request("REMOVE_NETWORK all")
4316 dev[0].dump_monitor()
4317
4318 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4319 eap="SIM", identity="1232010000000000",
4320 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4321
4322 with fail_test(dev[0], 1, "os_get_random;eap_sim_msg_add_encr_start"):
4323 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4324 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4325 if ev is None:
4326 raise Exception("EAP re-authentication did not start")
4327 wait_fail_trigger(dev[0], "GET_FAIL")
4328 dev[0].request("REMOVE_NETWORK all")
4329 dev[0].dump_monitor()
4330
4331 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4332 eap="SIM", identity="1232010000000000",
4333 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4334
4335 with fail_test(dev[0], 1, "os_get_random;eap_sim_init_for_reauth"):
4336 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4337 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4338 if ev is None:
4339 raise Exception("EAP re-authentication did not start")
4340 wait_fail_trigger(dev[0], "GET_FAIL")
4341 dev[0].request("REMOVE_NETWORK all")
4342 dev[0].dump_monitor()
4343
4344 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4345 eap="SIM", identity="1232010000000000",
4346 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4347
4348 with alloc_fail(dev[0], 1, "eap_sim_parse_encr;eap_sim_process_reauthentication"):
4349 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4350 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4351 if ev is None:
4352 raise Exception("EAP re-authentication did not start")
4353 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4354 dev[0].request("REMOVE_NETWORK all")
4355 dev[0].dump_monitor()
4356
4357 tests = [ (1, "eap_sim_verify_mac;eap_sim_process_challenge"),
4358 (1, "eap_sim_parse_encr;eap_sim_process_challenge"),
4359 (1, "eap_sim_msg_init;eap_sim_response_start"),
4360 (1, "wpabuf_alloc;eap_sim_msg_init;eap_sim_response_start"),
4361 (1, "=eap_sim_learn_ids"),
4362 (2, "=eap_sim_learn_ids"),
4363 (2, "eap_sim_learn_ids"),
4364 (3, "eap_sim_learn_ids"),
4365 (1, "eap_sim_process_start"),
4366 (1, "eap_sim_getKey"),
4367 (1, "eap_sim_get_emsk"),
4368 (1, "eap_sim_get_session_id") ]
4369 for count, func in tests:
4370 with alloc_fail(dev[0], count, func):
4371 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4372 eap="SIM", identity="1232010000000000",
4373 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4374 erp="1", wait_connect=False)
4375 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4376 dev[0].request("REMOVE_NETWORK all")
4377 dev[0].dump_monitor()
4378
4379 tests = [ (1, "aes_128_cbc_decrypt;eap_sim_parse_encr") ]
4380 for count, func in tests:
4381 with fail_test(dev[0], count, func):
4382 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4383 eap="SIM", identity="1232010000000000",
4384 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4385 wait_connect=False)
4386 wait_fail_trigger(dev[0], "GET_FAIL")
4387 dev[0].request("REMOVE_NETWORK all")
4388 dev[0].dump_monitor()
4389
4390 def test_eap_proto_aka_errors(dev, apdev):
4391 """EAP-AKA protocol tests (error paths)"""
4392 check_hlr_auc_gw_support()
4393 params = hostapd.wpa2_eap_params(ssid="eap-test")
4394 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4395
4396 with alloc_fail(dev[0], 1, "eap_aka_init"):
4397 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4398 eap="AKA", identity="0232010000000000",
4399 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4400 wait_connect=False)
4401 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4402 timeout=15)
4403 if ev is None:
4404 raise Exception("Timeout on EAP start")
4405 dev[0].request("REMOVE_NETWORK all")
4406 dev[0].wait_disconnected()
4407
4408 tests = [ (1, "=eap_aka_learn_ids"),
4409 (2, "=eap_aka_learn_ids"),
4410 (1, "eap_sim_parse_encr;eap_aka_process_challenge"),
4411 (1, "eap_aka_getKey"),
4412 (1, "eap_aka_get_emsk"),
4413 (1, "eap_aka_get_session_id") ]
4414 for count, func in tests:
4415 with alloc_fail(dev[0], count, func):
4416 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4417 eap="AKA", identity="0232010000000000",
4418 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4419 erp="1", wait_connect=False)
4420 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4421 dev[0].request("REMOVE_NETWORK all")
4422 dev[0].dump_monitor()
4423
4424 def test_eap_proto_aka_prime_errors(dev, apdev):
4425 """EAP-AKA' protocol tests (error paths)"""
4426 check_hlr_auc_gw_support()
4427 params = hostapd.wpa2_eap_params(ssid="eap-test")
4428 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4429
4430 with alloc_fail(dev[0], 1, "eap_aka_init"):
4431 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4432 eap="AKA'", identity="6555444333222111",
4433 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4434 wait_connect=False)
4435 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4436 timeout=15)
4437 if ev is None:
4438 raise Exception("Timeout on EAP start")
4439 dev[0].request("REMOVE_NETWORK all")
4440 dev[0].wait_disconnected()
4441
4442 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4443 eap="AKA'", identity="6555444333222111",
4444 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4445
4446 with fail_test(dev[0], 1, "aes_128_cbc_encrypt;eap_aka_response_reauth"):
4447 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4448 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4449 if ev is None:
4450 raise Exception("EAP re-authentication did not start")
4451 wait_fail_trigger(dev[0], "GET_FAIL")
4452 dev[0].request("REMOVE_NETWORK all")
4453 dev[0].dump_monitor()
4454
4455 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4456 eap="AKA'", identity="6555444333222111",
4457 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4458
4459 with alloc_fail(dev[0], 1, "eap_sim_parse_encr;eap_aka_process_reauthentication"):
4460 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4461 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4462 if ev is None:
4463 raise Exception("EAP re-authentication did not start")
4464 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4465 dev[0].request("REMOVE_NETWORK all")
4466 dev[0].dump_monitor()
4467
4468 tests = [ (1, "eap_sim_verify_mac_sha256"),
4469 (1, "=eap_aka_process_challenge") ]
4470 for count, func in tests:
4471 with alloc_fail(dev[0], count, func):
4472 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4473 eap="AKA'", identity="6555444333222111",
4474 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4475 erp="1", wait_connect=False)
4476 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4477 dev[0].request("REMOVE_NETWORK all")
4478 dev[0].dump_monitor()
4479
4480 def test_eap_proto_ikev2(dev, apdev):
4481 """EAP-IKEv2 protocol tests"""
4482 check_eap_capa(dev[0], "IKEV2")
4483 def ikev2_handler(ctx, req):
4484 logger.info("ikev2_handler - RX " + req.encode("hex"))
4485 if 'num' not in ctx:
4486 ctx['num'] = 0
4487 ctx['num'] = ctx['num'] + 1
4488 if 'id' not in ctx:
4489 ctx['id'] = 1
4490 ctx['id'] = (ctx['id'] + 1) % 256
4491
4492 idx = 0
4493
4494 idx += 1
4495 if ctx['num'] == idx:
4496 logger.info("Test: Missing payload")
4497 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
4498 4 + 1,
4499 EAP_TYPE_IKEV2)
4500
4501 idx += 1
4502 if ctx['num'] == idx:
4503 logger.info("Test: Truncated Message Length field")
4504 return struct.pack(">BBHBB3B", EAP_CODE_REQUEST, ctx['id'],
4505 4 + 1 + 1 + 3,
4506 EAP_TYPE_IKEV2, 0x80, 0, 0, 0)
4507
4508 idx += 1
4509 if ctx['num'] == idx:
4510 logger.info("Test: Too short Message Length value")
4511 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
4512 4 + 1 + 1 + 4 + 1,
4513 EAP_TYPE_IKEV2, 0x80, 0, 1)
4514
4515 idx += 1
4516 if ctx['num'] == idx:
4517 logger.info("Test: Truncated message")
4518 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4519 4 + 1 + 1 + 4,
4520 EAP_TYPE_IKEV2, 0x80, 1)
4521
4522 idx += 1
4523 if ctx['num'] == idx:
4524 logger.info("Test: Truncated message(2)")
4525 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4526 4 + 1 + 1 + 4,
4527 EAP_TYPE_IKEV2, 0x80, 0xffffffff)
4528
4529 idx += 1
4530 if ctx['num'] == idx:
4531 logger.info("Test: Truncated message(3)")
4532 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4533 4 + 1 + 1 + 4,
4534 EAP_TYPE_IKEV2, 0xc0, 0xffffffff)
4535
4536 idx += 1
4537 if ctx['num'] == idx:
4538 logger.info("Test: Truncated message(4)")
4539 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4540 4 + 1 + 1 + 4,
4541 EAP_TYPE_IKEV2, 0xc0, 10000000)
4542
4543 idx += 1
4544 if ctx['num'] == idx:
4545 logger.info("Test: Too long fragments (first fragment)")
4546 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
4547 4 + 1 + 1 + 4 + 1,
4548 EAP_TYPE_IKEV2, 0xc0, 2, 1)
4549
4550 idx += 1
4551 if ctx['num'] == idx:
4552 logger.info("Test: Too long fragments (second fragment)")
4553 return struct.pack(">BBHBB2B", EAP_CODE_REQUEST, ctx['id'],
4554 4 + 1 + 1 + 2,
4555 EAP_TYPE_IKEV2, 0x00, 2, 3)
4556
4557 idx += 1
4558 if ctx['num'] == idx:
4559 logger.info("Test: No Message Length field in first fragment")
4560 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
4561 4 + 1 + 1 + 1,
4562 EAP_TYPE_IKEV2, 0x40, 1)
4563
4564 idx += 1
4565 if ctx['num'] == idx:
4566 logger.info("Test: ICV before keys")
4567 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
4568 4 + 1 + 1,
4569 EAP_TYPE_IKEV2, 0x20)
4570
4571 idx += 1
4572 if ctx['num'] == idx:
4573 logger.info("Test: Unsupported IKEv2 header version")
4574 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4575 4 + 1 + 1 + 28,
4576 EAP_TYPE_IKEV2, 0x00,
4577 0, 0, 0, 0,
4578 0, 0, 0, 0, 0, 0)
4579
4580 idx += 1
4581 if ctx['num'] == idx:
4582 logger.info("Test: Incorrect IKEv2 header Length")
4583 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4584 4 + 1 + 1 + 28,
4585 EAP_TYPE_IKEV2, 0x00,
4586 0, 0, 0, 0,
4587 0, 0x20, 0, 0, 0, 0)
4588
4589 idx += 1
4590 if ctx['num'] == idx:
4591 logger.info("Test: Unexpected IKEv2 Exchange Type in SA_INIT state")
4592 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4593 4 + 1 + 1 + 28,
4594 EAP_TYPE_IKEV2, 0x00,
4595 0, 0, 0, 0,
4596 0, 0x20, 0, 0, 0, 28)
4597
4598 idx += 1
4599 if ctx['num'] == idx:
4600 logger.info("Test: Unexpected IKEv2 Message ID in SA_INIT state")
4601 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4602 4 + 1 + 1 + 28,
4603 EAP_TYPE_IKEV2, 0x00,
4604 0, 0, 0, 0,
4605 0, 0x20, 34, 0, 1, 28)
4606
4607 idx += 1
4608 if ctx['num'] == idx:
4609 logger.info("Test: Unexpected IKEv2 Flags value")
4610 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4611 4 + 1 + 1 + 28,
4612 EAP_TYPE_IKEV2, 0x00,
4613 0, 0, 0, 0,
4614 0, 0x20, 34, 0, 0, 28)
4615
4616 idx += 1
4617 if ctx['num'] == idx:
4618 logger.info("Test: Unexpected IKEv2 Flags value(2)")
4619 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4620 4 + 1 + 1 + 28,
4621 EAP_TYPE_IKEV2, 0x00,
4622 0, 0, 0, 0,
4623 0, 0x20, 34, 0x20, 0, 28)
4624
4625 idx += 1
4626 if ctx['num'] == idx:
4627 logger.info("Test: No SAi1 in SA_INIT")
4628 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4629 4 + 1 + 1 + 28,
4630 EAP_TYPE_IKEV2, 0x00,
4631 0, 0, 0, 0,
4632 0, 0x20, 34, 0x08, 0, 28)
4633
4634 def build_ike(id, next=0, exch_type=34, flags=0x00, ike=''):
4635 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, id,
4636 4 + 1 + 1 + 28 + len(ike),
4637 EAP_TYPE_IKEV2, flags,
4638 0, 0, 0, 0,
4639 next, 0x20, exch_type, 0x08, 0,
4640 28 + len(ike)) + ike
4641
4642 idx += 1
4643 if ctx['num'] == idx:
4644 logger.info("Test: Unexpected extra data after payloads")
4645 return build_ike(ctx['id'], ike=struct.pack(">B", 1))
4646
4647 idx += 1
4648 if ctx['num'] == idx:
4649 logger.info("Test: Truncated payload header")
4650 return build_ike(ctx['id'], next=128, ike=struct.pack(">B", 1))
4651
4652 idx += 1
4653 if ctx['num'] == idx:
4654 logger.info("Test: Too small payload header length")
4655 ike = struct.pack(">BBH", 0, 0, 3)
4656 return build_ike(ctx['id'], next=128, ike=ike)
4657
4658 idx += 1
4659 if ctx['num'] == idx:
4660 logger.info("Test: Too large payload header length")
4661 ike = struct.pack(">BBH", 0, 0, 5)
4662 return build_ike(ctx['id'], next=128, ike=ike)
4663
4664 idx += 1
4665 if ctx['num'] == idx:
4666 logger.info("Test: Unsupported payload (non-critical and critical)")
4667 ike = struct.pack(">BBHBBH", 129, 0, 4, 0, 0x01, 4)
4668 return build_ike(ctx['id'], next=128, ike=ike)
4669
4670 idx += 1
4671 if ctx['num'] == idx:
4672 logger.info("Test: Certificate and empty SAi1")
4673 ike = struct.pack(">BBHBBH", 33, 0, 4, 0, 0, 4)
4674 return build_ike(ctx['id'], next=37, ike=ike)
4675
4676 idx += 1
4677 if ctx['num'] == idx:
4678 logger.info("Test: Too short proposal")
4679 ike = struct.pack(">BBHBBHBBB", 0, 0, 4 + 7,
4680 0, 0, 7, 0, 0, 0)
4681 return build_ike(ctx['id'], next=33, ike=ike)
4682
4683 idx += 1
4684 if ctx['num'] == idx:
4685 logger.info("Test: Too small proposal length in SAi1")
4686 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4687 0, 0, 7, 0, 0, 0, 0)
4688 return build_ike(ctx['id'], next=33, ike=ike)
4689
4690 idx += 1
4691 if ctx['num'] == idx:
4692 logger.info("Test: Too large proposal length in SAi1")
4693 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4694 0, 0, 9, 0, 0, 0, 0)
4695 return build_ike(ctx['id'], next=33, ike=ike)
4696
4697 idx += 1
4698 if ctx['num'] == idx:
4699 logger.info("Test: Unexpected proposal type in SAi1")
4700 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4701 1, 0, 8, 0, 0, 0, 0)
4702 return build_ike(ctx['id'], next=33, ike=ike)
4703
4704 idx += 1
4705 if ctx['num'] == idx:
4706 logger.info("Test: Unexpected Protocol ID in SAi1")
4707 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4708 0, 0, 8, 0, 0, 0, 0)
4709 return build_ike(ctx['id'], next=33, ike=ike)
4710
4711 idx += 1
4712 if ctx['num'] == idx:
4713 logger.info("Test: Unexpected proposal number in SAi1")
4714 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4715 0, 0, 8, 0, 1, 0, 0)
4716 return build_ike(ctx['id'], next=33, ike=ike)
4717
4718 idx += 1
4719 if ctx['num'] == idx:
4720 logger.info("Test: Not enough room for SPI in SAi1")
4721 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4722 0, 0, 8, 1, 1, 1, 0)
4723 return build_ike(ctx['id'], next=33, ike=ike)
4724
4725 idx += 1
4726 if ctx['num'] == idx:
4727 logger.info("Test: Unexpected SPI in SAi1")
4728 ike = struct.pack(">BBHBBHBBBBB", 0, 0, 4 + 9,
4729 0, 0, 9, 1, 1, 1, 0, 1)
4730 return build_ike(ctx['id'], next=33, ike=ike)
4731
4732 idx += 1
4733 if ctx['num'] == idx:
4734 logger.info("Test: No transforms in SAi1")
4735 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4736 0, 0, 8, 1, 1, 0, 0)
4737 return build_ike(ctx['id'], next=33, ike=ike)
4738
4739 idx += 1
4740 if ctx['num'] == idx:
4741 logger.info("Test: Too short transform in SAi1")
4742 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4743 0, 0, 8, 1, 1, 0, 1)
4744 return build_ike(ctx['id'], next=33, ike=ike)
4745
4746 idx += 1
4747 if ctx['num'] == idx:
4748 logger.info("Test: Too small transform length in SAi1")
4749 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4750 0, 0, 8 + 8, 1, 1, 0, 1,
4751 0, 0, 7, 0, 0, 0)
4752 return build_ike(ctx['id'], next=33, ike=ike)
4753
4754 idx += 1
4755 if ctx['num'] == idx:
4756 logger.info("Test: Too large transform length in SAi1")
4757 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4758 0, 0, 8 + 8, 1, 1, 0, 1,
4759 0, 0, 9, 0, 0, 0)
4760 return build_ike(ctx['id'], next=33, ike=ike)
4761
4762 idx += 1
4763 if ctx['num'] == idx:
4764 logger.info("Test: Unexpected Transform type in SAi1")
4765 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4766 0, 0, 8 + 8, 1, 1, 0, 1,
4767 1, 0, 8, 0, 0, 0)
4768 return build_ike(ctx['id'], next=33, ike=ike)
4769
4770 idx += 1
4771 if ctx['num'] == idx:
4772 logger.info("Test: No transform attributes in SAi1")
4773 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4774 0, 0, 8 + 8, 1, 1, 0, 1,
4775 0, 0, 8, 0, 0, 0)
4776 return build_ike(ctx['id'], next=33, ike=ike)
4777
4778 idx += 1
4779 if ctx['num'] == idx:
4780 logger.info("Test: No transform attr for AES and unexpected data after transforms in SAi1")
4781 tlen1 = 8 + 3
4782 tlen2 = 8 + 4
4783 tlen3 = 8 + 4
4784 tlen = tlen1 + tlen2 + tlen3
4785 ike = struct.pack(">BBHBBHBBBBBBHBBH3BBBHBBHHHBBHBBHHHB",
4786 0, 0, 4 + 8 + tlen + 1,
4787 0, 0, 8 + tlen + 1, 1, 1, 0, 3,
4788 3, 0, tlen1, 1, 0, 12, 1, 2, 3,
4789 3, 0, tlen2, 1, 0, 12, 0, 128,
4790 0, 0, tlen3, 1, 0, 12, 0x8000 | 14, 127,
4791 1)
4792 return build_ike(ctx['id'], next=33, ike=ike)
4793
4794 def build_sa(next=0):
4795 tlen = 5 * 8
4796 return struct.pack(">BBHBBHBBBBBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH",
4797 next, 0, 4 + 8 + tlen,
4798 0, 0, 8 + tlen, 1, 1, 0, 5,
4799 3, 0, 8, 1, 0, 3,
4800 3, 0, 8, 2, 0, 1,
4801 3, 0, 8, 3, 0, 1,
4802 3, 0, 8, 4, 0, 5,
4803 0, 0, 8, 241, 0, 0)
4804
4805 idx += 1
4806 if ctx['num'] == idx:
4807 logger.info("Test: Valid proposal, but no KEi in SAi1")
4808 ike = build_sa()
4809 return build_ike(ctx['id'], next=33, ike=ike)
4810
4811 idx += 1
4812 if ctx['num'] == idx:
4813 logger.info("Test: Empty KEi in SAi1")
4814 ike = build_sa(next=34) + struct.pack(">BBH", 0, 0, 4)
4815 return build_ike(ctx['id'], next=33, ike=ike)
4816
4817 idx += 1
4818 if ctx['num'] == idx:
4819 logger.info("Test: Mismatch in DH Group in SAi1")
4820 ike = build_sa(next=34)
4821 ike += struct.pack(">BBHHH", 0, 0, 4 + 4 + 96, 12345, 0)
4822 ike += 96*'\x00'
4823 return build_ike(ctx['id'], next=33, ike=ike)
4824 idx += 1
4825 if ctx['num'] == idx:
4826 logger.info("Test: EAP-Failure")
4827 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4828
4829 idx += 1
4830 if ctx['num'] == idx:
4831 logger.info("Test: Invalid DH public value length in SAi1")
4832 ike = build_sa(next=34)
4833 ike += struct.pack(">BBHHH", 0, 0, 4 + 4 + 96, 5, 0)
4834 ike += 96*'\x00'
4835 return build_ike(ctx['id'], next=33, ike=ike)
4836
4837 def build_ke(next=0):
4838 ke = struct.pack(">BBHHH", next, 0, 4 + 4 + 192, 5, 0)
4839 ke += 192*'\x00'
4840 return ke
4841
4842 idx += 1
4843 if ctx['num'] == idx:
4844 logger.info("Test: Valid proposal and KEi, but no Ni in SAi1")
4845 ike = build_sa(next=34)
4846 ike += build_ke()
4847 return build_ike(ctx['id'], next=33, ike=ike)
4848
4849 idx += 1
4850 if ctx['num'] == idx:
4851 logger.info("Test: Too short Ni in SAi1")
4852 ike = build_sa(next=34)
4853 ike += build_ke(next=40)
4854 ike += struct.pack(">BBH", 0, 0, 4)
4855 return build_ike(ctx['id'], next=33, ike=ike)
4856
4857 idx += 1
4858 if ctx['num'] == idx:
4859 logger.info("Test: Too long Ni in SAi1")
4860 ike = build_sa(next=34)
4861 ike += build_ke(next=40)
4862 ike += struct.pack(">BBH", 0, 0, 4 + 257) + 257*'\x00'
4863 return build_ike(ctx['id'], next=33, ike=ike)
4864
4865 def build_ni(next=0):
4866 return struct.pack(">BBH", next, 0, 4 + 256) + 256*'\x00'
4867
4868 def build_sai1(id):
4869 ike = build_sa(next=34)
4870 ike += build_ke(next=40)
4871 ike += build_ni()
4872 return build_ike(ctx['id'], next=33, ike=ike)
4873
4874 idx += 1
4875 if ctx['num'] == idx:
4876 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4877 return build_sai1(ctx['id'])
4878 idx += 1
4879 if ctx['num'] == idx:
4880 logger.info("Test: EAP-Failure")
4881 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4882
4883 idx += 1
4884 if ctx['num'] == idx:
4885 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4886 return build_sai1(ctx['id'])
4887 idx += 1
4888 if ctx['num'] == idx:
4889 logger.info("Test: No integrity checksum")
4890 ike = ''
4891 return build_ike(ctx['id'], next=37, ike=ike)
4892
4893 idx += 1
4894 if ctx['num'] == idx:
4895 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4896 return build_sai1(ctx['id'])
4897 idx += 1
4898 if ctx['num'] == idx:
4899 logger.info("Test: Truncated integrity checksum")
4900 return struct.pack(">BBHBB",
4901 EAP_CODE_REQUEST, ctx['id'],
4902 4 + 1 + 1,
4903 EAP_TYPE_IKEV2, 0x20)
4904
4905 idx += 1
4906 if ctx['num'] == idx:
4907 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4908 return build_sai1(ctx['id'])
4909 idx += 1
4910 if ctx['num'] == idx:
4911 logger.info("Test: Invalid integrity checksum")
4912 ike = ''
4913 return build_ike(ctx['id'], next=37, flags=0x20, ike=ike)
4914
4915 return None
4916
4917 srv = start_radius_server(ikev2_handler)
4918
4919 try:
4920 hapd = start_ap(apdev[0]['ifname'])
4921
4922 for i in range(49):
4923 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4924 eap="IKEV2", identity="user",
4925 password="password",
4926 wait_connect=False)
4927 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4928 timeout=15)
4929 if ev is None:
4930 raise Exception("Timeout on EAP start")
4931 if i in [ 40, 45 ]:
4932 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
4933 timeout=10)
4934 if ev is None:
4935 raise Exception("Timeout on EAP failure")
4936 else:
4937 time.sleep(0.05)
4938 dev[0].request("REMOVE_NETWORK all")
4939 finally:
4940 stop_radius_server(srv)
4941
4942 def NtPasswordHash(password):
4943 pw = password.encode('utf_16_le')
4944 return hashlib.new('md4', pw).digest()
4945
4946 def HashNtPasswordHash(password_hash):
4947 return hashlib.new('md4', password_hash).digest()
4948
4949 def ChallengeHash(peer_challenge, auth_challenge, username):
4950 data = peer_challenge + auth_challenge + username
4951 return hashlib.sha1(data).digest()[0:8]
4952
4953 def GenerateAuthenticatorResponse(password, nt_response, peer_challenge,
4954 auth_challenge, username):
4955 magic1 = binascii.unhexlify("4D616769632073657276657220746F20636C69656E74207369676E696E6720636F6E7374616E74")
4956 magic2 = binascii.unhexlify("50616420746F206D616B6520697420646F206D6F7265207468616E206F6E6520697465726174696F6E")
4957
4958 password_hash = NtPasswordHash(password)
4959 password_hash_hash = HashNtPasswordHash(password_hash)
4960 data = password_hash_hash + nt_response + magic1
4961 digest = hashlib.sha1(data).digest()
4962
4963 challenge = ChallengeHash(peer_challenge, auth_challenge, username)
4964
4965 data = digest + challenge + magic2
4966 resp = hashlib.sha1(data).digest()
4967 return resp
4968
4969 def test_eap_proto_ikev2_errors(dev, apdev):
4970 """EAP-IKEv2 local error cases"""
4971 check_eap_capa(dev[0], "IKEV2")
4972 params = hostapd.wpa2_eap_params(ssid="eap-test")
4973 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4974
4975 for i in range(1, 5):
4976 with alloc_fail(dev[0], i, "eap_ikev2_init"):
4977 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4978 eap="IKEV2", identity="ikev2 user",
4979 password="ike password",
4980 wait_connect=False)
4981 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4982 timeout=15)
4983 if ev is None:
4984 raise Exception("Timeout on EAP start")
4985 dev[0].request("REMOVE_NETWORK all")
4986 dev[0].wait_disconnected()
4987
4988 tests = [ (1, "ikev2_encr_encrypt"),
4989 (1, "ikev2_encr_decrypt"),
4990 (1, "ikev2_derive_auth_data"),
4991 (2, "ikev2_derive_auth_data"),
4992 (1, "=ikev2_decrypt_payload"),
4993 (1, "ikev2_encr_decrypt;ikev2_decrypt_payload"),
4994 (1, "ikev2_encr_encrypt;ikev2_build_encrypted"),
4995 (1, "ikev2_derive_sk_keys"),
4996 (2, "ikev2_derive_sk_keys"),
4997 (3, "ikev2_derive_sk_keys"),
4998 (4, "ikev2_derive_sk_keys"),
4999 (5, "ikev2_derive_sk_keys"),
5000 (6, "ikev2_derive_sk_keys"),
5001 (7, "ikev2_derive_sk_keys"),
5002 (8, "ikev2_derive_sk_keys"),
5003 (1, "eap_ikev2_derive_keymat;eap_ikev2_peer_keymat"),
5004 (1, "eap_msg_alloc;eap_ikev2_build_msg"),
5005 (1, "eap_ikev2_getKey"),
5006 (1, "eap_ikev2_get_emsk"),
5007 (1, "eap_ikev2_get_session_id"),
5008 (1, "=ikev2_derive_keys"),
5009 (2, "=ikev2_derive_keys"),
5010 (1, "wpabuf_alloc;ikev2_process_kei"),
5011 (1, "=ikev2_process_idi"),
5012 (1, "ikev2_derive_auth_data;ikev2_build_auth"),
5013 (1, "wpabuf_alloc;ikev2_build_sa_init"),
5014 (2, "wpabuf_alloc;ikev2_build_sa_init"),
5015 (3, "wpabuf_alloc;ikev2_build_sa_init"),
5016 (4, "wpabuf_alloc;ikev2_build_sa_init"),
5017 (5, "wpabuf_alloc;ikev2_build_sa_init"),
5018 (6, "wpabuf_alloc;ikev2_build_sa_init"),
5019 (1, "wpabuf_alloc;ikev2_build_sa_auth"),
5020 (2, "wpabuf_alloc;ikev2_build_sa_auth"),
5021 (1, "ikev2_build_auth;ikev2_build_sa_auth") ]
5022 for count, func in tests:
5023 with alloc_fail(dev[0], count, func):
5024 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5025 eap="IKEV2", identity="ikev2 user",
5026 password="ike password", erp="1", wait_connect=False)
5027 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5028 timeout=15)
5029 if ev is None:
5030 raise Exception("Timeout on EAP start")
5031 ok = False
5032 for j in range(10):
5033 state = dev[0].request('GET_ALLOC_FAIL')
5034 if state.startswith('0:'):
5035 ok = True
5036 break
5037 time.sleep(0.1)
5038 if not ok:
5039 raise Exception("No allocation failure seen for %d:%s" % (count, func))
5040 dev[0].request("REMOVE_NETWORK all")
5041 dev[0].wait_disconnected()
5042
5043 tests = [ (1, "wpabuf_alloc;ikev2_build_notify"),
5044 (2, "wpabuf_alloc;ikev2_build_notify"),
5045 (1, "ikev2_build_encrypted;ikev2_build_notify") ]
5046 for count, func in tests:
5047 with alloc_fail(dev[0], count, func):
5048 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5049 eap="IKEV2", identity="ikev2 user",
5050 password="wrong password", erp="1",
5051 wait_connect=False)
5052 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5053 timeout=15)
5054 if ev is None:
5055 raise Exception("Timeout on EAP start")
5056 ok = False
5057 for j in range(10):
5058 state = dev[0].request('GET_ALLOC_FAIL')
5059 if state.startswith('0:'):
5060 ok = True
5061 break
5062 time.sleep(0.1)
5063 if not ok:
5064 raise Exception("No allocation failure seen for %d:%s" % (count, func))
5065 dev[0].request("REMOVE_NETWORK all")
5066 dev[0].wait_disconnected()
5067
5068 tests = [ (1, "ikev2_integ_hash"),
5069 (1, "ikev2_integ_hash;ikev2_decrypt_payload"),
5070 (1, "os_get_random;ikev2_build_encrypted"),
5071 (1, "ikev2_prf_plus;ikev2_derive_sk_keys"),
5072 (1, "eap_ikev2_derive_keymat;eap_ikev2_peer_keymat"),
5073 (1, "os_get_random;ikev2_build_sa_init"),
5074 (2, "os_get_random;ikev2_build_sa_init"),
5075 (1, "ikev2_integ_hash;eap_ikev2_validate_icv"),
5076 (1, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_keys"),
5077 (1, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data"),
5078 (2, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data"),
5079 (3, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data") ]
5080 for count, func in tests:
5081 with fail_test(dev[0], count, func):
5082 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5083 eap="IKEV2", identity="ikev2 user",
5084 password="ike password", wait_connect=False)
5085 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5086 timeout=15)
5087 if ev is None:
5088 raise Exception("Timeout on EAP start")
5089 ok = False
5090 for j in range(10):
5091 state = dev[0].request('GET_FAIL')
5092 if state.startswith('0:'):
5093 ok = True
5094 break
5095 time.sleep(0.1)
5096 if not ok:
5097 raise Exception("No failure seen for %d:%s" % (count, func))
5098 dev[0].request("REMOVE_NETWORK all")
5099 dev[0].wait_disconnected()
5100
5101 params = { "ssid": "eap-test2", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
5102 "rsn_pairwise": "CCMP", "ieee8021x": "1",
5103 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
5104 "fragment_size": "50" }
5105 hostapd.add_ap(apdev[1]['ifname'], params)
5106
5107 tests = [ (1, "eap_ikev2_build_frag_ack"),
5108 (1, "wpabuf_alloc;eap_ikev2_process_fragment") ]
5109 for count, func in tests:
5110 with alloc_fail(dev[0], count, func):
5111 dev[0].connect("eap-test2", key_mgmt="WPA-EAP", scan_freq="2412",
5112 eap="IKEV2", identity="ikev2 user",
5113 password="ike password", erp="1", wait_connect=False)
5114 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5115 timeout=15)
5116 if ev is None:
5117 raise Exception("Timeout on EAP start")
5118 ok = False
5119 for j in range(10):
5120 state = dev[0].request('GET_ALLOC_FAIL')
5121 if state.startswith('0:'):
5122 ok = True
5123 break
5124 time.sleep(0.1)
5125 if not ok:
5126 raise Exception("No allocation failure seen for %d:%s" % (count, func))
5127 dev[0].request("REMOVE_NETWORK all")
5128 dev[0].wait_disconnected()
5129
5130 def test_eap_proto_mschapv2(dev, apdev):
5131 """EAP-MSCHAPv2 protocol tests"""
5132 check_eap_capa(dev[0], "MSCHAPV2")
5133
5134 def mschapv2_handler(ctx, req):
5135 logger.info("mschapv2_handler - RX " + req.encode("hex"))
5136 if 'num' not in ctx:
5137 ctx['num'] = 0
5138 ctx['num'] = ctx['num'] + 1
5139 if 'id' not in ctx:
5140 ctx['id'] = 1
5141 ctx['id'] = (ctx['id'] + 1) % 256
5142 idx = 0
5143
5144 idx += 1
5145 if ctx['num'] == idx:
5146 logger.info("Test: Missing payload")
5147 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5148 4 + 1,
5149 EAP_TYPE_MSCHAPV2)
5150
5151 idx += 1
5152 if ctx['num'] == idx:
5153 logger.info("Test: Unknown MSCHAPv2 op_code")
5154 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5155 4 + 1 + 4 + 1,
5156 EAP_TYPE_MSCHAPV2,
5157 0, 0, 5, 0)
5158
5159 idx += 1
5160 if ctx['num'] == idx:
5161 logger.info("Test: Invalid ms_len and unknown MSCHAPv2 op_code")
5162 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5163 4 + 1 + 4 + 1,
5164 EAP_TYPE_MSCHAPV2,
5165 255, 0, 0, 0)
5166
5167 idx += 1
5168 if ctx['num'] == idx:
5169 logger.info("Test: Success before challenge")
5170 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5171 4 + 1 + 4 + 1,
5172 EAP_TYPE_MSCHAPV2,
5173 3, 0, 5, 0)
5174
5175 idx += 1
5176 if ctx['num'] == idx:
5177 logger.info("Test: Failure before challenge - required challenge field not present")
5178 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5179 4 + 1 + 4 + 1,
5180 EAP_TYPE_MSCHAPV2,
5181 4, 0, 5, 0)
5182 idx += 1
5183 if ctx['num'] == idx:
5184 logger.info("Test: Failure")
5185 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5186
5187 idx += 1
5188 if ctx['num'] == idx:
5189 logger.info("Test: Failure before challenge - invalid failure challenge len")
5190 payload = 'C=12'
5191 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5192 4 + 1 + 4 + len(payload),
5193 EAP_TYPE_MSCHAPV2,
5194 4, 0, 4 + len(payload)) + payload
5195 idx += 1
5196 if ctx['num'] == idx:
5197 logger.info("Test: Failure")
5198 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5199
5200 idx += 1
5201 if ctx['num'] == idx:
5202 logger.info("Test: Failure before challenge - invalid failure challenge len")
5203 payload = 'C=12 V=3'
5204 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5205 4 + 1 + 4 + len(payload),
5206 EAP_TYPE_MSCHAPV2,
5207 4, 0, 4 + len(payload)) + payload
5208 idx += 1
5209 if ctx['num'] == idx:
5210 logger.info("Test: Failure")
5211 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5212
5213 idx += 1
5214 if ctx['num'] == idx:
5215 logger.info("Test: Failure before challenge - invalid failure challenge")
5216 payload = 'C=00112233445566778899aabbccddeefQ '
5217 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5218 4 + 1 + 4 + len(payload),
5219 EAP_TYPE_MSCHAPV2,
5220 4, 0, 4 + len(payload)) + payload
5221 idx += 1
5222 if ctx['num'] == idx:
5223 logger.info("Test: Failure")
5224 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5225
5226 idx += 1
5227 if ctx['num'] == idx:
5228 logger.info("Test: Failure before challenge - password expired")
5229 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5230 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5231 4 + 1 + 4 + len(payload),
5232 EAP_TYPE_MSCHAPV2,
5233 4, 0, 4 + len(payload)) + payload
5234 idx += 1
5235 if ctx['num'] == idx:
5236 logger.info("Test: Success after password change")
5237 payload = "S=1122334455667788990011223344556677889900"
5238 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5239 4 + 1 + 4 + len(payload),
5240 EAP_TYPE_MSCHAPV2,
5241 3, 0, 4 + len(payload)) + payload
5242
5243 idx += 1
5244 if ctx['num'] == idx:
5245 logger.info("Test: Invalid challenge length")
5246 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5247 4 + 1 + 4 + 1,
5248 EAP_TYPE_MSCHAPV2,
5249 1, 0, 4 + 1, 0)
5250
5251 idx += 1
5252 if ctx['num'] == idx:
5253 logger.info("Test: Too short challenge packet")
5254 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5255 4 + 1 + 4 + 1,
5256 EAP_TYPE_MSCHAPV2,
5257 1, 0, 4 + 1, 16)
5258
5259 idx += 1
5260 if ctx['num'] == idx:
5261 logger.info("Test: Challenge")
5262 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5263 4 + 1 + 4 + 1 + 16 + 6,
5264 EAP_TYPE_MSCHAPV2,
5265 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5266 idx += 1
5267 if ctx['num'] == idx:
5268 logger.info("Test: Failure - password expired")
5269 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5270 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5271 4 + 1 + 4 + len(payload),
5272 EAP_TYPE_MSCHAPV2,
5273 4, 0, 4 + len(payload)) + payload
5274 idx += 1
5275 if ctx['num'] == idx:
5276 logger.info("Test: Success after password change")
5277 if len(req) != 591:
5278 logger.info("Unexpected Change-Password packet length: %s" % len(req))
5279 return None
5280 data = req[9:]
5281 enc_pw = data[0:516]
5282 data = data[516:]
5283 enc_hash = data[0:16]
5284 data = data[16:]
5285 peer_challenge = data[0:16]
5286 data = data[16:]
5287 # Reserved
5288 data = data[8:]
5289 nt_response = data[0:24]
5290 data = data[24:]
5291 flags = data
5292 logger.info("enc_hash: " + enc_hash.encode("hex"))
5293 logger.info("peer_challenge: " + peer_challenge.encode("hex"))
5294 logger.info("nt_response: " + nt_response.encode("hex"))
5295 logger.info("flags: " + flags.encode("hex"))
5296
5297 auth_challenge = binascii.unhexlify("00112233445566778899aabbccddeeff")
5298 logger.info("auth_challenge: " + auth_challenge.encode("hex"))
5299
5300 auth_resp = GenerateAuthenticatorResponse("new-pw", nt_response,
5301 peer_challenge,
5302 auth_challenge, "user")
5303 payload = "S=" + auth_resp.encode('hex').upper()
5304 logger.info("Success message payload: " + payload)
5305 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5306 4 + 1 + 4 + len(payload),
5307 EAP_TYPE_MSCHAPV2,
5308 3, 0, 4 + len(payload)) + payload
5309 idx += 1
5310 if ctx['num'] == idx:
5311 logger.info("Test: EAP-Success")
5312 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
5313
5314 idx += 1
5315 if ctx['num'] == idx:
5316 logger.info("Test: Failure - password expired")
5317 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5318 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5319 4 + 1 + 4 + len(payload),
5320 EAP_TYPE_MSCHAPV2,
5321 4, 0, 4 + len(payload)) + payload
5322 idx += 1
5323 if ctx['num'] == idx:
5324 logger.info("Test: Success after password change")
5325 if len(req) != 591:
5326 logger.info("Unexpected Change-Password packet length: %s" % len(req))
5327 return None
5328 data = req[9:]
5329 enc_pw = data[0:516]
5330 data = data[516:]
5331 enc_hash = data[0:16]
5332 data = data[16:]
5333 peer_challenge = data[0:16]
5334 data = data[16:]
5335 # Reserved
5336 data = data[8:]
5337 nt_response = data[0:24]
5338 data = data[24:]
5339 flags = data
5340 logger.info("enc_hash: " + enc_hash.encode("hex"))
5341 logger.info("peer_challenge: " + peer_challenge.encode("hex"))
5342 logger.info("nt_response: " + nt_response.encode("hex"))
5343 logger.info("flags: " + flags.encode("hex"))
5344
5345 auth_challenge = binascii.unhexlify("00112233445566778899aabbccddeeff")
5346 logger.info("auth_challenge: " + auth_challenge.encode("hex"))
5347
5348 auth_resp = GenerateAuthenticatorResponse("new-pw", nt_response,
5349 peer_challenge,
5350 auth_challenge, "user")
5351 payload = "S=" + auth_resp.encode('hex').upper()
5352 logger.info("Success message payload: " + payload)
5353 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5354 4 + 1 + 4 + len(payload),
5355 EAP_TYPE_MSCHAPV2,
5356 3, 0, 4 + len(payload)) + payload
5357 idx += 1
5358 if ctx['num'] == idx:
5359 logger.info("Test: EAP-Success")
5360 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
5361
5362 idx += 1
5363 if ctx['num'] == idx:
5364 logger.info("Test: Challenge")
5365 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5366 4 + 1 + 4 + 1 + 16 + 6,
5367 EAP_TYPE_MSCHAPV2,
5368 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5369 idx += 1
5370 if ctx['num'] == idx:
5371 logger.info("Test: Failure - authentication failure")
5372 payload = 'E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed'
5373 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5374 4 + 1 + 4 + len(payload),
5375 EAP_TYPE_MSCHAPV2,
5376 4, 0, 4 + len(payload)) + payload
5377
5378 idx += 1
5379 if ctx['num'] == idx:
5380 logger.info("Test: Challenge")
5381 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5382 4 + 1 + 4 + 1 + 16 + 6,
5383 EAP_TYPE_MSCHAPV2,
5384 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5385 idx += 1
5386 if ctx['num'] == idx:
5387 logger.info("Test: Failure - authentication failure")
5388 payload = 'E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed (2)'
5389 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5390 4 + 1 + 4 + len(payload),
5391 EAP_TYPE_MSCHAPV2,
5392 4, 0, 4 + len(payload)) + payload
5393 idx += 1
5394 if ctx['num'] == idx:
5395 logger.info("Test: Failure")
5396 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5397
5398 return None
5399
5400 srv = start_radius_server(mschapv2_handler)
5401
5402 try:
5403 hapd = start_ap(apdev[0]['ifname'])
5404
5405 for i in range(0, 15):
5406 logger.info("RUN: %d" % i)
5407 if i == 12:
5408 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5409 eap="MSCHAPV2", identity="user",
5410 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5411 wait_connect=False)
5412 elif i == 14:
5413 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5414 eap="MSCHAPV2", identity="user",
5415 phase2="mschapv2_retry=0",
5416 password="password", wait_connect=False)
5417 else:
5418 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5419 eap="MSCHAPV2", identity="user",
5420 password="password", wait_connect=False)
5421 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
5422 if ev is None:
5423 raise Exception("Timeout on EAP start")
5424
5425 if i in [ 8, 11, 12 ]:
5426 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"],
5427 timeout=10)
5428 if ev is None:
5429 raise Exception("Timeout on new password request")
5430 id = ev.split(':')[0].split('-')[-1]
5431 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5432 if i in [ 11, 12 ]:
5433 ev = dev[0].wait_event(["CTRL-EVENT-PASSWORD-CHANGED"],
5434 timeout=10)
5435 if ev is None:
5436 raise Exception("Timeout on password change")
5437 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"],
5438 timeout=10)
5439 if ev is None:
5440 raise Exception("Timeout on EAP success")
5441 else:
5442 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5443 timeout=10)
5444 if ev is None:
5445 raise Exception("Timeout on EAP failure")
5446
5447 if i in [ 13 ]:
5448 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"],
5449 timeout=10)
5450 if ev is None:
5451 raise Exception("Timeout on identity request")
5452 id = ev.split(':')[0].split('-')[-1]
5453 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":user")
5454
5455 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD"],
5456 timeout=10)
5457 if ev is None:
5458 raise Exception("Timeout on password request")
5459 id = ev.split(':')[0].split('-')[-1]
5460 dev[0].request("CTRL-RSP-PASSWORD-" + id + ":password")
5461
5462 # TODO: Does this work correctly?
5463
5464 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5465 timeout=10)
5466 if ev is None:
5467 raise Exception("Timeout on EAP failure")
5468
5469 if i in [ 4, 5, 6, 7, 14 ]:
5470 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5471 timeout=10)
5472 if ev is None:
5473 raise Exception("Timeout on EAP failure")
5474 else:
5475 time.sleep(0.05)
5476 dev[0].request("REMOVE_NETWORK all")
5477 dev[0].wait_disconnected(timeout=1)
5478 finally:
5479 stop_radius_server(srv)
5480
5481 def test_eap_proto_mschapv2_errors(dev, apdev):
5482 """EAP-MSCHAPv2 protocol tests (error paths)"""
5483 check_eap_capa(dev[0], "MSCHAPV2")
5484
5485 def mschapv2_handler(ctx, req):
5486 logger.info("mschapv2_handler - RX " + req.encode("hex"))
5487 if 'num' not in ctx:
5488 ctx['num'] = 0
5489 ctx['num'] = ctx['num'] + 1
5490 if 'id' not in ctx:
5491 ctx['id'] = 1
5492 ctx['id'] = (ctx['id'] + 1) % 256
5493 idx = 0
5494
5495 idx += 1
5496 if ctx['num'] == idx:
5497 logger.info("Test: Failure before challenge - password expired")
5498 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5499 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5500 4 + 1 + 4 + len(payload),
5501 EAP_TYPE_MSCHAPV2,
5502 4, 0, 4 + len(payload)) + payload
5503 idx += 1
5504 if ctx['num'] == idx:
5505 logger.info("Test: Success after password change")
5506 payload = "S=1122334455667788990011223344556677889900"
5507 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5508 4 + 1 + 4 + len(payload),
5509 EAP_TYPE_MSCHAPV2,
5510 3, 0, 4 + len(payload)) + payload
5511
5512 idx += 1
5513 if ctx['num'] == idx:
5514 logger.info("Test: Failure before challenge - password expired")
5515 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5516 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5517 4 + 1 + 4 + len(payload),
5518 EAP_TYPE_MSCHAPV2,
5519 4, 0, 4 + len(payload)) + payload
5520 idx += 1
5521 if ctx['num'] == idx:
5522 logger.info("Test: Success after password change")
5523 payload = "S=1122334455667788990011223344556677889900"
5524 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5525 4 + 1 + 4 + len(payload),
5526 EAP_TYPE_MSCHAPV2,
5527 3, 0, 4 + len(payload)) + payload
5528
5529 return None
5530
5531 srv = start_radius_server(mschapv2_handler)
5532
5533 try:
5534 hapd = start_ap(apdev[0]['ifname'])
5535
5536 with fail_test(dev[0], 1, "eap_mschapv2_change_password"):
5537 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5538 eap="MSCHAPV2", identity="user",
5539 password="password", wait_connect=False)
5540 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"], timeout=10)
5541 if ev is None:
5542 raise Exception("Timeout on new password request")
5543 id = ev.split(':')[0].split('-')[-1]
5544 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5545 wait_fail_trigger(dev[0], "GET_FAIL")
5546 dev[0].request("REMOVE_NETWORK all")
5547 dev[0].wait_disconnected(timeout=1)
5548
5549 with fail_test(dev[0], 1, "get_master_key;eap_mschapv2_change_password"):
5550 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5551 eap="MSCHAPV2", identity="user",
5552 password="password", wait_connect=False)
5553 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"], timeout=10)
5554 if ev is None:
5555 raise Exception("Timeout on new password request")
5556 id = ev.split(':')[0].split('-')[-1]
5557 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5558 wait_fail_trigger(dev[0], "GET_FAIL")
5559 dev[0].request("REMOVE_NETWORK all")
5560 dev[0].wait_disconnected(timeout=1)
5561 finally:
5562 stop_radius_server(srv)
5563
5564 def test_eap_proto_pwd(dev, apdev):
5565 """EAP-pwd protocol tests"""
5566 check_eap_capa(dev[0], "PWD")
5567
5568 global eap_proto_pwd_test_done, eap_proto_pwd_test_wait
5569 eap_proto_pwd_test_done = False
5570 eap_proto_pwd_test_wait = False
5571
5572 def pwd_handler(ctx, req):
5573 logger.info("pwd_handler - RX " + req.encode("hex"))
5574 if 'num' not in ctx:
5575 ctx['num'] = 0
5576 ctx['num'] = ctx['num'] + 1
5577 if 'id' not in ctx:
5578 ctx['id'] = 1
5579 ctx['id'] = (ctx['id'] + 1) % 256
5580 idx = 0
5581
5582 global eap_proto_pwd_test_wait
5583 eap_proto_pwd_test_wait = False
5584
5585 idx += 1
5586 if ctx['num'] == idx:
5587 logger.info("Test: Missing payload")
5588 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1,
5589 EAP_TYPE_PWD)
5590
5591 idx += 1
5592 if ctx['num'] == idx:
5593 logger.info("Test: Missing Total-Length field")
5594 payload = struct.pack("B", 0x80)
5595 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5596 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5597
5598 idx += 1
5599 if ctx['num'] == idx:
5600 logger.info("Test: Too large Total-Length")
5601 payload = struct.pack(">BH", 0x80, 65535)
5602 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5603 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5604
5605 idx += 1
5606 if ctx['num'] == idx:
5607 eap_proto_pwd_test_wait = True
5608 logger.info("Test: First fragment")
5609 payload = struct.pack(">BH", 0xc0, 10)
5610 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5611 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5612 idx += 1
5613 if ctx['num'] == idx:
5614 logger.info("Test: Unexpected Total-Length value in the second fragment")
5615 payload = struct.pack(">BH", 0x80, 0)
5616 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5617 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5618
5619 idx += 1
5620 if ctx['num'] == idx:
5621 logger.info("Test: First and only fragment")
5622 payload = struct.pack(">BH", 0x80, 0)
5623 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5624 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5625
5626 idx += 1
5627 if ctx['num'] == idx:
5628 logger.info("Test: First and only fragment with extra data")
5629 payload = struct.pack(">BHB", 0x80, 0, 0)
5630 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5631 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5632
5633 idx += 1
5634 if ctx['num'] == idx:
5635 eap_proto_pwd_test_wait = True
5636 logger.info("Test: First fragment")
5637 payload = struct.pack(">BHB", 0xc0, 2, 1)
5638 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5639 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5640 idx += 1
5641 if ctx['num'] == idx:
5642 logger.info("Test: Extra data in the second fragment")
5643 payload = struct.pack(">BBB", 0x0, 2, 3)
5644 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5645 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5646
5647 idx += 1
5648 if ctx['num'] == idx:
5649 logger.info("Test: Too short id exchange")
5650 payload = struct.pack(">B", 0x01)
5651 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5652 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5653
5654 idx += 1
5655 if ctx['num'] == idx:
5656 logger.info("Test: Unsupported rand func in id exchange")
5657 payload = struct.pack(">BHBBLB", 0x01, 0, 0, 0, 0, 0)
5658 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5659 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5660
5661 idx += 1
5662 if ctx['num'] == idx:
5663 logger.info("Test: Unsupported prf in id exchange")
5664 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 0, 0, 0)
5665 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5666 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5667
5668 idx += 1
5669 if ctx['num'] == idx:
5670 logger.info("Test: Unsupported password pre-processing technique in id exchange")
5671 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 255)
5672 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5673 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5674
5675 idx += 1
5676 if ctx['num'] == idx:
5677 eap_proto_pwd_test_wait = True
5678 logger.info("Test: Valid id exchange")
5679 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5680 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5681 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5682 idx += 1
5683 if ctx['num'] == idx:
5684 logger.info("Test: Unexpected id exchange")
5685 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5686 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5687 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5688
5689 idx += 1
5690 if ctx['num'] == idx:
5691 logger.info("Test: Unexpected commit exchange")
5692 payload = struct.pack(">B", 0x02)
5693 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5694 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5695
5696 idx += 1
5697 if ctx['num'] == idx:
5698 eap_proto_pwd_test_wait = True
5699 logger.info("Test: Valid id exchange")
5700 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5701 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5702 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5703 idx += 1
5704 if ctx['num'] == idx:
5705 logger.info("Test: Unexpected Commit payload length")
5706 payload = struct.pack(">B", 0x02)
5707 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5708 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5709
5710 idx += 1
5711 if ctx['num'] == idx:
5712 eap_proto_pwd_test_wait = True
5713 logger.info("Test: Valid id exchange")
5714 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5715 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5716 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5717 idx += 1
5718 if ctx['num'] == idx:
5719 logger.info("Test: Commit payload with all zeros values --> Shared key at infinity")
5720 payload = struct.pack(">B", 0x02) + 96*'\0'
5721 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5722 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5723
5724 idx += 1
5725 if ctx['num'] == idx:
5726 eap_proto_pwd_test_wait = True
5727 logger.info("Test: Valid id exchange")
5728 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5729 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5730 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5731 idx += 1
5732 if ctx['num'] == idx:
5733 eap_proto_pwd_test_wait = True
5734 logger.info("Test: Commit payload with valid values")
5735 element = binascii.unhexlify("8dcab2862c5396839a6bac0c689ff03d962863108e7c275bbf1d6eedf634ee832a214db99f0d0a1a6317733eecdd97f0fc4cda19f57e1bb9bb9c8dcf8c60ba6f")
5736 scalar = binascii.unhexlify("450f31e058cf2ac2636a5d6e2b3c70b1fcc301957f0716e77f13aa69f9a2e5bd")
5737 payload = struct.pack(">B", 0x02) + element + scalar
5738 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5739 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5740 idx += 1
5741 if ctx['num'] == idx:
5742 logger.info("Test: Unexpected Confirm payload length 0")
5743 payload = struct.pack(">B", 0x03)
5744 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5745 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5746
5747 idx += 1
5748 if ctx['num'] == idx:
5749 eap_proto_pwd_test_wait = True
5750 logger.info("Test: Valid id exchange")
5751 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5752 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5753 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5754 idx += 1
5755 if ctx['num'] == idx:
5756 eap_proto_pwd_test_wait = True
5757 logger.info("Test: Commit payload with valid values")
5758 element = binascii.unhexlify("8dcab2862c5396839a6bac0c689ff03d962863108e7c275bbf1d6eedf634ee832a214db99f0d0a1a6317733eecdd97f0fc4cda19f57e1bb9bb9c8dcf8c60ba6f")
5759 scalar = binascii.unhexlify("450f31e058cf2ac2636a5d6e2b3c70b1fcc301957f0716e77f13aa69f9a2e5bd")
5760 payload = struct.pack(">B", 0x02) + element + scalar
5761 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5762 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5763 idx += 1
5764 if ctx['num'] == idx:
5765 logger.info("Test: Confirm payload with incorrect value")
5766 payload = struct.pack(">B", 0x03) + 32*'\0'
5767 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5768 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5769
5770 idx += 1
5771 if ctx['num'] == idx:
5772 logger.info("Test: Unexpected confirm exchange")
5773 payload = struct.pack(">B", 0x03)
5774 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5775 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5776
5777 logger.info("No more test responses available - test case completed")
5778 global eap_proto_pwd_test_done
5779 eap_proto_pwd_test_done = True
5780 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5781
5782 srv = start_radius_server(pwd_handler)
5783
5784 try:
5785 hapd = start_ap(apdev[0]['ifname'])
5786
5787 i = 0
5788 while not eap_proto_pwd_test_done:
5789 i += 1
5790 logger.info("Running connection iteration %d" % i)
5791 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5792 eap="PWD", identity="pwd user",
5793 password="secret password",
5794 wait_connect=False)
5795 ok = False
5796 for j in range(5):
5797 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
5798 "CTRL-EVENT-EAP-PROPOSED-METHOD"],
5799 timeout=5)
5800 if ev is None:
5801 raise Exception("Timeout on EAP start")
5802 if "CTRL-EVENT-EAP-PROPOSED-METHOD" in ev:
5803 ok = True
5804 break
5805 if "CTRL-EVENT-EAP-STATUS" in ev and "status='completion' parameter='failure'" in ev:
5806 ok = True
5807 break
5808 if not ok:
5809 raise Exception("Expected EAP event not seen")
5810 if eap_proto_pwd_test_wait:
5811 for k in range(10):
5812 time.sleep(0.1)
5813 if not eap_proto_pwd_test_wait:
5814 break
5815 dev[0].request("REMOVE_NETWORK all")
5816 dev[0].wait_disconnected(timeout=1)
5817 dev[0].dump_monitor()
5818 finally:
5819 stop_radius_server(srv)
5820
5821 def test_eap_proto_pwd_errors(dev, apdev):
5822 """EAP-pwd local error cases"""
5823 check_eap_capa(dev[0], "PWD")
5824 params = hostapd.wpa2_eap_params(ssid="eap-test")
5825 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5826
5827 for i in range(1, 4):
5828 with alloc_fail(dev[0], i, "eap_pwd_init"):
5829 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5830 eap="PWD", identity="pwd user",
5831 password="secret password",
5832 wait_connect=False)
5833 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
5834 timeout=15)
5835 if ev is None:
5836 raise Exception("Timeout on EAP start")
5837 dev[0].request("REMOVE_NETWORK all")
5838 dev[0].wait_disconnected()
5839
5840 with alloc_fail(dev[0], 1, "eap_pwd_get_session_id"):
5841 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5842 eap="PWD", identity="pwd user",
5843 password="secret password")
5844 dev[0].request("REMOVE_NETWORK all")
5845 dev[0].wait_disconnected()
5846
5847 for i in range(1, 7):
5848 with alloc_fail(dev[0], i, "eap_pwd_perform_id_exchange"):
5849 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5850 eap="PWD", identity="pwd user",
5851 password="secret password",
5852 wait_connect=False)
5853 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5854 timeout=15)
5855 if ev is None:
5856 raise Exception("Timeout on EAP start")
5857 ok = False
5858 for j in range(10):
5859 state = dev[0].request('GET_ALLOC_FAIL')
5860 if state.startswith('0:'):
5861 ok = True
5862 break
5863 time.sleep(0.1)
5864 if not ok:
5865 raise Exception("No allocation failure seen")
5866 dev[0].request("REMOVE_NETWORK all")
5867 dev[0].wait_disconnected()
5868
5869 with alloc_fail(dev[0], 1, "wpabuf_alloc;eap_pwd_perform_id_exchange"):
5870 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5871 eap="PWD", identity="pwd user",
5872 password="secret password",
5873 wait_connect=False)
5874 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5875 timeout=15)
5876 if ev is None:
5877 raise Exception("Timeout on EAP start")
5878 dev[0].request("REMOVE_NETWORK all")
5879 dev[0].wait_disconnected()
5880
5881 for i in range(1, 4):
5882 with alloc_fail(dev[0], i, "eap_pwd_perform_commit_exchange"):
5883 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5884 eap="PWD", identity="pwd user",
5885 password="secret password",
5886 wait_connect=False)
5887 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5888 timeout=15)
5889 if ev is None:
5890 raise Exception("Timeout on EAP start")
5891 ok = False
5892 for j in range(10):
5893 state = dev[0].request('GET_ALLOC_FAIL')
5894 if state.startswith('0:'):
5895 ok = True
5896 break
5897 time.sleep(0.1)
5898 if not ok:
5899 raise Exception("No allocation failure seen")
5900 dev[0].request("REMOVE_NETWORK all")
5901 dev[0].wait_disconnected()
5902
5903 for i in range(1, 12):
5904 with alloc_fail(dev[0], i, "eap_pwd_perform_confirm_exchange"):
5905 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5906 eap="PWD", identity="pwd user",
5907 password="secret password",
5908 wait_connect=False)
5909 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5910 timeout=15)
5911 if ev is None:
5912 raise Exception("Timeout on EAP start")
5913 ok = False
5914 for j in range(10):
5915 state = dev[0].request('GET_ALLOC_FAIL')
5916 if state.startswith('0:'):
5917 ok = True
5918 break
5919 time.sleep(0.1)
5920 if not ok:
5921 raise Exception("No allocation failure seen")
5922 dev[0].request("REMOVE_NETWORK all")
5923 dev[0].wait_disconnected()
5924
5925 for i in range(1, 4):
5926 with alloc_fail(dev[0], i, "eap_msg_alloc;=eap_pwd_process"):
5927 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5928 eap="PWD", identity="pwd user",
5929 password="secret password",
5930 wait_connect=False)
5931 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5932 timeout=15)
5933 if ev is None:
5934 raise Exception("Timeout on EAP start")
5935 ok = False
5936 for j in range(10):
5937 state = dev[0].request('GET_ALLOC_FAIL')
5938 if state.startswith('0:'):
5939 ok = True
5940 break
5941 time.sleep(0.1)
5942 if not ok:
5943 raise Exception("No allocation failure seen")
5944 dev[0].request("REMOVE_NETWORK all")
5945 dev[0].wait_disconnected()
5946
5947 # No password configured
5948 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5949 eap="PWD", identity="pwd user",
5950 wait_connect=False)
5951 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=52"],
5952 timeout=15)
5953 if ev is None:
5954 raise Exception("EAP-pwd not started")
5955 dev[0].request("REMOVE_NETWORK all")
5956 dev[0].wait_disconnected()
5957
5958 def test_eap_proto_erp(dev, apdev):
5959 """ERP protocol tests"""
5960 check_erp_capa(dev[0])
5961
5962 global eap_proto_erp_test_done
5963 eap_proto_erp_test_done = False
5964
5965 def erp_handler(ctx, req):
5966 logger.info("erp_handler - RX " + req.encode("hex"))
5967 if 'num' not in ctx:
5968 ctx['num'] = 0
5969 ctx['num'] += 1
5970 if 'id' not in ctx:
5971 ctx['id'] = 1
5972 ctx['id'] = (ctx['id'] + 1) % 256
5973 idx = 0
5974
5975 idx += 1
5976 if ctx['num'] == idx:
5977 logger.info("Test: Missing type")
5978 return struct.pack(">BBH", EAP_CODE_INITIATE, ctx['id'], 4)
5979
5980 idx += 1
5981 if ctx['num'] == idx:
5982 logger.info("Test: Unexpected type")
5983 return struct.pack(">BBHB", EAP_CODE_INITIATE, ctx['id'], 4 + 1,
5984 255)
5985
5986 idx += 1
5987 if ctx['num'] == idx:
5988 logger.info("Test: Missing Reserved field")
5989 return struct.pack(">BBHB", EAP_CODE_INITIATE, ctx['id'], 4 + 1,
5990 EAP_ERP_TYPE_REAUTH_START)
5991
5992 idx += 1
5993 if ctx['num'] == idx:
5994 logger.info("Test: Zero-length TVs/TLVs")
5995 payload = ""
5996 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5997 4 + 1 + 1 + len(payload),
5998 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5999
6000 idx += 1
6001 if ctx['num'] == idx:
6002 logger.info("Test: Too short TLV")
6003 payload = struct.pack("B", 191)
6004 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6005 4 + 1 + 1 + len(payload),
6006 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6007
6008 idx += 1
6009 if ctx['num'] == idx:
6010 logger.info("Test: Truncated TLV")
6011 payload = struct.pack("BB", 191, 1)
6012 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6013 4 + 1 + 1 + len(payload),
6014 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6015
6016 idx += 1
6017 if ctx['num'] == idx:
6018 logger.info("Test: Ignored unknown TLV and unknown TV/TLV terminating parsing")
6019 payload = struct.pack("BBB", 191, 0, 192)
6020 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6021 4 + 1 + 1 + len(payload),
6022 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6023
6024 idx += 1
6025 if ctx['num'] == idx:
6026 logger.info("Test: More than one keyName-NAI")
6027 payload = struct.pack("BBBB", EAP_ERP_TLV_KEYNAME_NAI, 0,
6028 EAP_ERP_TLV_KEYNAME_NAI, 0)
6029 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6030 4 + 1 + 1 + len(payload),
6031 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6032
6033 idx += 1
6034 if ctx['num'] == idx:
6035 logger.info("Test: Too short TLV keyName-NAI")
6036 payload = struct.pack("B", EAP_ERP_TLV_KEYNAME_NAI)
6037 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6038 4 + 1 + 1 + len(payload),
6039 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6040
6041 idx += 1
6042 if ctx['num'] == idx:
6043 logger.info("Test: Truncated TLV keyName-NAI")
6044 payload = struct.pack("BB", EAP_ERP_TLV_KEYNAME_NAI, 1)
6045 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6046 4 + 1 + 1 + len(payload),
6047 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6048
6049 idx += 1
6050 if ctx['num'] == idx:
6051 logger.info("Test: Valid rRK lifetime TV followed by too short rMSK lifetime TV")
6052 payload = struct.pack(">BLBH", EAP_ERP_TV_RRK_LIFETIME, 0,
6053 EAP_ERP_TV_RMSK_LIFETIME, 0)
6054 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
6055 4 + 1 + 1 + len(payload),
6056 EAP_ERP_TYPE_REAUTH_START, 0) + payload
6057
6058 idx += 1
6059 if ctx['num'] == idx:
6060 logger.info("Test: Missing type (Finish)")
6061 return struct.pack(">BBH", EAP_CODE_FINISH, ctx['id'], 4)
6062
6063 idx += 1
6064 if ctx['num'] == idx:
6065 logger.info("Test: Unexpected type (Finish)")
6066 return struct.pack(">BBHB", EAP_CODE_FINISH, ctx['id'], 4 + 1,
6067 255)
6068
6069 idx += 1
6070 if ctx['num'] == idx:
6071 logger.info("Test: Missing fields (Finish)")
6072 return struct.pack(">BBHB", EAP_CODE_FINISH, ctx['id'], 4 + 1,
6073 EAP_ERP_TYPE_REAUTH)
6074
6075 idx += 1
6076 if ctx['num'] == idx:
6077 logger.info("Test: Unexpected SEQ (Finish)")
6078 return struct.pack(">BBHBBHB", EAP_CODE_FINISH, ctx['id'],
6079 4 + 1 + 4,
6080 EAP_ERP_TYPE_REAUTH, 0, 0xffff, 0)
6081
6082 logger.info("No more test responses available - test case completed")
6083 global eap_proto_erp_test_done
6084 eap_proto_erp_test_done = True
6085 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6086
6087 srv = start_radius_server(erp_handler)
6088
6089 try:
6090 hapd = start_ap(apdev[0]['ifname'])
6091
6092 i = 0
6093 while not eap_proto_erp_test_done:
6094 i += 1
6095 logger.info("Running connection iteration %d" % i)
6096 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6097 eap="PAX", identity="pax.user@example.com",
6098 password_hex="0123456789abcdef0123456789abcdef",
6099 wait_connect=False)
6100 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
6101 if ev is None:
6102 raise Exception("Timeout on EAP start")
6103 time.sleep(0.1)
6104 dev[0].request("REMOVE_NETWORK all")
6105 dev[0].wait_disconnected(timeout=1)
6106 dev[0].dump_monitor()
6107 finally:
6108 stop_radius_server(srv)
6109
6110 def test_eap_proto_fast_errors(dev, apdev):
6111 """EAP-FAST local error cases"""
6112 check_eap_capa(dev[0], "FAST")
6113 params = hostapd.wpa2_eap_params(ssid="eap-test")
6114 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6115
6116 for i in range(1, 5):
6117 with alloc_fail(dev[0], i, "eap_fast_init"):
6118 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6119 eap="FAST", anonymous_identity="FAST",
6120 identity="user", password="password",
6121 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6122 phase1="fast_provisioning=2",
6123 pac_file="blob://fast_pac_auth",
6124 wait_connect=False)
6125 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6126 timeout=5)
6127 if ev is None:
6128 raise Exception("Timeout on EAP start")
6129 dev[0].request("REMOVE_NETWORK all")
6130 dev[0].wait_disconnected()
6131
6132 tests = [ (1, "wpabuf_alloc;eap_fast_tlv_eap_payload"),
6133 (1, "eap_fast_derive_key;eap_fast_derive_key_auth"),
6134 (1, "eap_msg_alloc;eap_peer_tls_phase2_nak"),
6135 (1, "wpabuf_alloc;eap_fast_tlv_result"),
6136 (1, "wpabuf_alloc;eap_fast_tlv_pac_ack"),
6137 (1, "=eap_peer_tls_derive_session_id;eap_fast_process_crypto_binding"),
6138 (1, "eap_peer_tls_decrypt;eap_fast_decrypt"),
6139 (1, "eap_fast_getKey"),
6140 (1, "eap_fast_get_session_id"),
6141 (1, "eap_fast_get_emsk") ]
6142 for count, func in tests:
6143 dev[0].request("SET blob fast_pac_auth_errors ")
6144 with alloc_fail(dev[0], count, func):
6145 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6146 eap="FAST", anonymous_identity="FAST",
6147 identity="user", password="password",
6148 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6149 phase1="fast_provisioning=2",
6150 pac_file="blob://fast_pac_auth_errors",
6151 erp="1",
6152 wait_connect=False)
6153 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6154 timeout=15)
6155 if ev is None:
6156 raise Exception("Timeout on EAP start")
6157 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6158 dev[0].request("REMOVE_NETWORK all")
6159 dev[0].wait_disconnected()
6160
6161 tests = [ (1, "eap_fast_derive_key;eap_fast_derive_key_provisioning"),
6162 (1, "eap_mschapv2_getKey;eap_fast_get_phase2_key"),
6163 (1, "=eap_fast_use_pac_opaque"),
6164 (1, "eap_fast_copy_buf"),
6165 (1, "=eap_fast_add_pac"),
6166 (1, "=eap_fast_init_pac_data"),
6167 (1, "=eap_fast_write_pac"),
6168 (2, "=eap_fast_write_pac") ]
6169 for count, func in tests:
6170 dev[0].request("SET blob fast_pac_errors ")
6171 with alloc_fail(dev[0], count, func):
6172 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6173 eap="FAST", anonymous_identity="FAST",
6174 identity="user", password="password",
6175 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6176 phase1="fast_provisioning=1",
6177 pac_file="blob://fast_pac_errors",
6178 erp="1",
6179 wait_connect=False)
6180 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6181 timeout=15)
6182 if ev is None:
6183 raise Exception("Timeout on EAP start")
6184 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6185 dev[0].request("REMOVE_NETWORK all")
6186 dev[0].wait_disconnected()
6187
6188 tests = [ (1, "eap_fast_get_cmk;eap_fast_process_crypto_binding"),
6189 (1, "eap_fast_derive_eap_msk;eap_fast_process_crypto_binding"),
6190 (1, "eap_fast_derive_eap_emsk;eap_fast_process_crypto_binding") ]
6191 for count, func in tests:
6192 dev[0].request("SET blob fast_pac_auth_errors ")
6193 with fail_test(dev[0], count, func):
6194 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6195 eap="FAST", anonymous_identity="FAST",
6196 identity="user", password="password",
6197 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6198 phase1="fast_provisioning=2",
6199 pac_file="blob://fast_pac_auth_errors",
6200 erp="1",
6201 wait_connect=False)
6202 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6203 timeout=15)
6204 if ev is None:
6205 raise Exception("Timeout on EAP start")
6206 wait_fail_trigger(dev[0], "GET_FAIL")
6207 dev[0].request("REMOVE_NETWORK all")
6208 dev[0].wait_disconnected()
6209
6210 dev[0].request("SET blob fast_pac_errors ")
6211 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6212 eap="FAST", anonymous_identity="FAST",
6213 identity="user", password="password",
6214 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6215 phase1="fast_provisioning=1",
6216 pac_file="blob://fast_pac_errors",
6217 wait_connect=False)
6218 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
6219 if ev is None:
6220 raise Exception("Timeout on EAP start")
6221 # EAP-FAST: Only EAP-MSCHAPv2 is allowed during unauthenticated
6222 # provisioning; reject phase2 type 6
6223 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6224 if ev is None:
6225 raise Exception("Timeout on EAP failure")
6226 dev[0].request("REMOVE_NETWORK all")
6227 dev[0].wait_disconnected()
6228
6229 logger.info("Wrong password in Phase 2")
6230 dev[0].request("SET blob fast_pac_errors ")
6231 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6232 eap="FAST", anonymous_identity="FAST",
6233 identity="user", password="wrong password",
6234 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6235 phase1="fast_provisioning=1",
6236 pac_file="blob://fast_pac_errors",
6237 wait_connect=False)
6238 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
6239 if ev is None:
6240 raise Exception("Timeout on EAP start")
6241 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6242 if ev is None:
6243 raise Exception("Timeout on EAP failure")
6244 dev[0].request("REMOVE_NETWORK all")
6245 dev[0].wait_disconnected()
6246
6247 tests = [ "FOOBAR\n",
6248 "wpa_supplicant EAP-FAST PAC file - version 1\nFOOBAR\n",
6249 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\n",
6250 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nSTART\n",
6251 "wpa_supplicant EAP-FAST PAC file - version 1\nEND\n",
6252 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Type=12345\nEND\n"
6253 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=12\nEND\n",
6254 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=1\nEND\n",
6255 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=1q\nEND\n",
6256 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Opaque=1\nEND\n",
6257 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nA-ID=1\nEND\n",
6258 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nI-ID=1\nEND\n",
6259 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nA-ID-Info=1\nEND\n" ]
6260 for pac in tests:
6261 blob = binascii.hexlify(pac)
6262 dev[0].request("SET blob fast_pac_errors " + blob)
6263 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6264 eap="FAST", anonymous_identity="FAST",
6265 identity="user", password="password",
6266 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6267 phase1="fast_provisioning=2",
6268 pac_file="blob://fast_pac_errors",
6269 wait_connect=False)
6270 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6271 timeout=5)
6272 if ev is None:
6273 raise Exception("Timeout on EAP start")
6274 dev[0].request("REMOVE_NETWORK all")
6275 dev[0].wait_disconnected()
6276
6277 tests = [ "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nEND\n",
6278 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nEND\nSTART\nEND\nSTART\nEND\n" ]
6279 for pac in tests:
6280 blob = binascii.hexlify(pac)
6281 dev[0].request("SET blob fast_pac_errors " + blob)
6282 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6283 eap="FAST", anonymous_identity="FAST",
6284 identity="user", password="password",
6285 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6286 phase1="fast_provisioning=2",
6287 pac_file="blob://fast_pac_errors")
6288 dev[0].request("REMOVE_NETWORK all")
6289 dev[0].wait_disconnected()
6290
6291 dev[0].request("SET blob fast_pac_errors ")
6292
6293 def test_eap_proto_peap_errors(dev, apdev):
6294 """EAP-PEAP local error cases"""
6295 check_eap_capa(dev[0], "PEAP")
6296 check_eap_capa(dev[0], "MSCHAPV2")
6297 params = hostapd.wpa2_eap_params(ssid="eap-test")
6298 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6299
6300 for i in range(1, 5):
6301 with alloc_fail(dev[0], i, "eap_peap_init"):
6302 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6303 eap="PEAP", anonymous_identity="peap",
6304 identity="user", password="password",
6305 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6306 wait_connect=False)
6307 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6308 timeout=5)
6309 if ev is None:
6310 raise Exception("Timeout on EAP start")
6311 dev[0].request("REMOVE_NETWORK all")
6312 dev[0].wait_disconnected()
6313
6314 tests = [ (1, "eap_mschapv2_getKey;eap_peap_get_isk;eap_peap_derive_cmk"),
6315 (1, "eap_msg_alloc;eap_tlv_build_result"),
6316 (1, "eap_mschapv2_init;eap_peap_phase2_request"),
6317 (1, "eap_peer_tls_decrypt;eap_peap_decrypt"),
6318 (1, "wpabuf_alloc;=eap_peap_decrypt"),
6319 (1, "eap_peer_tls_encrypt;eap_peap_decrypt"),
6320 (1, "eap_peer_tls_process_helper;eap_peap_process"),
6321 (1, "eap_peer_tls_derive_key;eap_peap_process"),
6322 (1, "eap_peer_tls_derive_session_id;eap_peap_process"),
6323 (1, "eap_peap_getKey"),
6324 (1, "eap_peap_get_session_id") ]
6325 for count, func in tests:
6326 with alloc_fail(dev[0], count, func):
6327 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6328 eap="PEAP", anonymous_identity="peap",
6329 identity="user", password="password",
6330 phase1="peapver=0 crypto_binding=2",
6331 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6332 erp="1", wait_connect=False)
6333 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6334 timeout=15)
6335 if ev is None:
6336 raise Exception("Timeout on EAP start")
6337 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6338 dev[0].request("REMOVE_NETWORK all")
6339 dev[0].wait_disconnected()
6340
6341 tests = [ (1, "peap_prfplus;eap_peap_derive_cmk"),
6342 (1, "eap_tlv_add_cryptobinding;eap_tlv_build_result"),
6343 (1, "peap_prfplus;eap_peap_getKey") ]
6344 for count, func in tests:
6345 with fail_test(dev[0], count, func):
6346 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6347 eap="PEAP", anonymous_identity="peap",
6348 identity="user", password="password",
6349 phase1="peapver=0 crypto_binding=2",
6350 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6351 erp="1", wait_connect=False)
6352 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6353 timeout=15)
6354 if ev is None:
6355 raise Exception("Timeout on EAP start")
6356 wait_fail_trigger(dev[0], "GET_FAIL")
6357 dev[0].request("REMOVE_NETWORK all")
6358 dev[0].wait_disconnected()
6359
6360 with alloc_fail(dev[0], 1,
6361 "eap_peer_tls_phase2_nak;eap_peap_phase2_request"):
6362 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6363 eap="PEAP", anonymous_identity="peap",
6364 identity="cert user", password="password",
6365 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6366 wait_connect=False)
6367 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6368 dev[0].request("REMOVE_NETWORK all")
6369 dev[0].wait_disconnected()
6370
6371 def test_eap_proto_ttls_errors(dev, apdev):
6372 """EAP-TTLS local error cases"""
6373 check_eap_capa(dev[0], "TTLS")
6374 check_eap_capa(dev[0], "MSCHAPV2")
6375 params = hostapd.wpa2_eap_params(ssid="eap-test")
6376 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6377
6378 for i in range(1, 5):
6379 with alloc_fail(dev[0], i, "eap_ttls_init"):
6380 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6381 eap="TTLS", anonymous_identity="ttls",
6382 identity="user", password="password",
6383 ca_cert="auth_serv/ca.pem",
6384 phase2="autheap=MSCHAPV2",
6385 wait_connect=False)
6386 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6387 timeout=5)
6388 if ev is None:
6389 raise Exception("Timeout on EAP start")
6390 dev[0].request("REMOVE_NETWORK all")
6391 dev[0].wait_disconnected()
6392
6393 tests = [ (1, "eap_peer_tls_derive_key;eap_ttls_v0_derive_key",
6394 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6395 (1, "eap_peer_tls_derive_session_id;eap_ttls_v0_derive_key",
6396 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6397 (1, "wpabuf_alloc;eap_ttls_phase2_request_mschapv2",
6398 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6399 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_mschapv2",
6400 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6401 (1, "eap_peer_tls_encrypt;eap_ttls_encrypt_response;eap_ttls_implicit_identity_request",
6402 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6403 (1, "eap_peer_tls_decrypt;eap_ttls_decrypt",
6404 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6405 (1, "eap_ttls_getKey",
6406 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6407 (1, "eap_ttls_get_session_id",
6408 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6409 (1, "eap_ttls_get_emsk",
6410 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6411 (1, "wpabuf_alloc;eap_ttls_phase2_request_mschap",
6412 "mschap user", "auth=MSCHAP"),
6413 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_mschap",
6414 "mschap user", "auth=MSCHAP"),
6415 (1, "wpabuf_alloc;eap_ttls_phase2_request_chap",
6416 "chap user", "auth=CHAP"),
6417 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_chap",
6418 "chap user", "auth=CHAP"),
6419 (1, "wpabuf_alloc;eap_ttls_phase2_request_pap",
6420 "pap user", "auth=PAP"),
6421 (1, "wpabuf_alloc;eap_ttls_avp_encapsulate",
6422 "user", "autheap=MSCHAPV2"),
6423 (1, "eap_mschapv2_init;eap_ttls_phase2_request_eap_method",
6424 "user", "autheap=MSCHAPV2"),
6425 (1, "eap_sm_buildIdentity;eap_ttls_phase2_request_eap",
6426 "user", "autheap=MSCHAPV2"),
6427 (1, "eap_ttls_avp_encapsulate;eap_ttls_phase2_request_eap",
6428 "user", "autheap=MSCHAPV2"),
6429 (1, "eap_ttls_parse_attr_eap",
6430 "user", "autheap=MSCHAPV2"),
6431 (1, "eap_peer_tls_encrypt;eap_ttls_encrypt_response;eap_ttls_process_decrypted",
6432 "user", "autheap=MSCHAPV2"),
6433 (1, "eap_ttls_fake_identity_request",
6434 "user", "autheap=MSCHAPV2"),
6435 (1, "eap_msg_alloc;eap_tls_process_output",
6436 "user", "autheap=MSCHAPV2"),
6437 (1, "eap_msg_alloc;eap_peer_tls_build_ack",
6438 "user", "autheap=MSCHAPV2"),
6439 (1, "tls_connection_decrypt;eap_peer_tls_decrypt",
6440 "user", "autheap=MSCHAPV2"),
6441 (1, "eap_peer_tls_phase2_nak;eap_ttls_phase2_request_eap_method",
6442 "cert user", "autheap=MSCHAPV2") ]
6443 for count, func, identity, phase2 in tests:
6444 with alloc_fail(dev[0], count, func):
6445 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6446 eap="TTLS", anonymous_identity="ttls",
6447 identity=identity, password="password",
6448 ca_cert="auth_serv/ca.pem", phase2=phase2,
6449 erp="1", wait_connect=False)
6450 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6451 timeout=15)
6452 if ev is None:
6453 raise Exception("Timeout on EAP start")
6454 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
6455 note="Allocation failure not triggered for: %d:%s" % (count, func))
6456 dev[0].request("REMOVE_NETWORK all")
6457 dev[0].wait_disconnected()
6458
6459 tests = [ (1, "os_get_random;eap_ttls_phase2_request_mschapv2"),
6460 (1, "mschapv2_derive_response;eap_ttls_phase2_request_mschapv2") ]
6461 for count, func in tests:
6462 with fail_test(dev[0], count, func):
6463 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6464 eap="TTLS", anonymous_identity="ttls",
6465 identity="DOMAIN\mschapv2 user", password="password",
6466 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6467 erp="1", wait_connect=False)
6468 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6469 timeout=15)
6470 if ev is None:
6471 raise Exception("Timeout on EAP start")
6472 wait_fail_trigger(dev[0], "GET_FAIL",
6473 note="Test failure not triggered for: %d:%s" % (count, func))
6474 dev[0].request("REMOVE_NETWORK all")
6475 dev[0].wait_disconnected()
6476
6477 def test_eap_proto_expanded(dev, apdev):
6478 """EAP protocol tests with expanded header"""
6479 global eap_proto_expanded_test_done
6480 eap_proto_expanded_test_done = False
6481
6482 def expanded_handler(ctx, req):
6483 logger.info("expanded_handler - RX " + req.encode("hex"))
6484 if 'num' not in ctx:
6485 ctx['num'] = 0
6486 ctx['num'] += 1
6487 if 'id' not in ctx:
6488 ctx['id'] = 1
6489 ctx['id'] = (ctx['id'] + 1) % 256
6490 idx = 0
6491
6492 idx += 1
6493 if ctx['num'] == idx:
6494 logger.info("Test: MD5 challenge in expanded header")
6495 return struct.pack(">BBHB3BLBBB", EAP_CODE_REQUEST, ctx['id'],
6496 4 + 1 + 3 + 4 + 3,
6497 EAP_TYPE_EXPANDED, 0, 0, 0, EAP_TYPE_MD5,
6498 1, 0xaa, ord('n'))
6499 idx += 1
6500 if ctx['num'] == idx:
6501 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6502
6503 idx += 1
6504 if ctx['num'] == idx:
6505 logger.info("Test: Invalid expanded EAP length")
6506 return struct.pack(">BBHB3BH", EAP_CODE_REQUEST, ctx['id'],
6507 4 + 1 + 3 + 2,
6508 EAP_TYPE_EXPANDED, 0, 0, 0, EAP_TYPE_MD5)
6509 idx += 1
6510 if ctx['num'] == idx:
6511 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6512
6513 idx += 1
6514 if ctx['num'] == idx:
6515 logger.info("Test: Invalid expanded frame type")
6516 return struct.pack(">BBHB3BL", EAP_CODE_REQUEST, ctx['id'],
6517 4 + 1 + 3 + 4,
6518 EAP_TYPE_EXPANDED, 0, 0, 1, EAP_TYPE_MD5)
6519 idx += 1
6520 if ctx['num'] == idx:
6521 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6522
6523 idx += 1
6524 if ctx['num'] == idx:
6525 logger.info("Test: MSCHAPv2 Challenge")
6526 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
6527 4 + 1 + 4 + 1 + 16 + 6,
6528 EAP_TYPE_MSCHAPV2,
6529 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
6530 idx += 1
6531 if ctx['num'] == idx:
6532 logger.info("Test: Invalid expanded frame type")
6533 return struct.pack(">BBHB3BL", EAP_CODE_REQUEST, ctx['id'],
6534 4 + 1 + 3 + 4,
6535 EAP_TYPE_EXPANDED, 0, 0, 1, EAP_TYPE_MSCHAPV2)
6536
6537 logger.info("No more test responses available - test case completed")
6538 global eap_proto_expanded_test_done
6539 eap_proto_expanded_test_done = True
6540 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6541
6542 srv = start_radius_server(expanded_handler)
6543
6544 try:
6545 hapd = start_ap(apdev[0]['ifname'])
6546
6547 i = 0
6548 while not eap_proto_expanded_test_done:
6549 i += 1
6550 logger.info("Running connection iteration %d" % i)
6551 if i == 4:
6552 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6553 eap="MSCHAPV2", identity="user",
6554 password="password",
6555 wait_connect=False)
6556 else:
6557 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6558 eap="MD5", identity="user", password="password",
6559 wait_connect=False)
6560 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
6561 if ev is None:
6562 raise Exception("Timeout on EAP start")
6563 if i in [ 1 ]:
6564 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
6565 if ev is None:
6566 raise Exception("Timeout on EAP method start")
6567 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6568 if ev is None:
6569 raise Exception("Timeout on EAP failure")
6570 elif i in [ 2, 3 ]:
6571 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6572 timeout=5)
6573 if ev is None:
6574 raise Exception("Timeout on EAP proposed method")
6575 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
6576 if ev is None:
6577 raise Exception("Timeout on EAP failure")
6578 else:
6579 time.sleep(0.1)
6580 dev[0].request("REMOVE_NETWORK all")
6581 dev[0].wait_disconnected(timeout=1)
6582 dev[0].dump_monitor()
6583 finally:
6584 stop_radius_server(srv)
6585
6586 def test_eap_proto_tnc(dev, apdev):
6587 """EAP-TNC protocol tests"""
6588 check_eap_capa(dev[0], "TNC")
6589 global eap_proto_tnc_test_done
6590 eap_proto_tnc_test_done = False
6591
6592 def tnc_handler(ctx, req):
6593 logger.info("tnc_handler - RX " + req.encode("hex"))
6594 if 'num' not in ctx:
6595 ctx['num'] = 0
6596 ctx['num'] += 1
6597 if 'id' not in ctx:
6598 ctx['id'] = 1
6599 ctx['id'] = (ctx['id'] + 1) % 256
6600 idx = 0
6601
6602 idx += 1
6603 if ctx['num'] == idx:
6604 logger.info("Test: TNC start with unsupported version")
6605 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6606 4 + 1 + 1,
6607 EAP_TYPE_TNC, 0x20)
6608
6609 idx += 1
6610 if ctx['num'] == idx:
6611 logger.info("Test: TNC without Flags field")
6612 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
6613 4 + 1,
6614 EAP_TYPE_TNC)
6615
6616 idx += 1
6617 if ctx['num'] == idx:
6618 logger.info("Test: Message underflow due to missing Message Length")
6619 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6620 4 + 1 + 1,
6621 EAP_TYPE_TNC, 0xa1)
6622
6623 idx += 1
6624 if ctx['num'] == idx:
6625 logger.info("Test: Invalid Message Length")
6626 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
6627 4 + 1 + 1 + 4 + 1,
6628 EAP_TYPE_TNC, 0xa1, 0, 0)
6629
6630 idx += 1
6631 if ctx['num'] == idx:
6632 logger.info("Test: Invalid Message Length")
6633 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
6634 4 + 1 + 1 + 4,
6635 EAP_TYPE_TNC, 0xe1, 75001)
6636
6637 idx += 1
6638 if ctx['num'] == idx:
6639 logger.info("Test: Start with Message Length")
6640 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
6641 4 + 1 + 1 + 4,
6642 EAP_TYPE_TNC, 0xa1, 1)
6643 idx += 1
6644 if ctx['num'] == idx:
6645 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6646
6647 idx += 1
6648 if ctx['num'] == idx:
6649 logger.info("Test: Server used start flag again")
6650 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6651 4 + 1 + 1,
6652 EAP_TYPE_TNC, 0x21)
6653 idx += 1
6654 if ctx['num'] == idx:
6655 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6656 4 + 1 + 1,
6657 EAP_TYPE_TNC, 0x21)
6658
6659 idx += 1
6660 if ctx['num'] == idx:
6661 logger.info("Test: Fragmentation and unexpected payload in ack")
6662 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6663 4 + 1 + 1,
6664 EAP_TYPE_TNC, 0x21)
6665 idx += 1
6666 if ctx['num'] == idx:
6667 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6668 4 + 1 + 1,
6669 EAP_TYPE_TNC, 0x01)
6670 idx += 1
6671 if ctx['num'] == idx:
6672 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
6673 4 + 1 + 1 + 1,
6674 EAP_TYPE_TNC, 0x01, 0)
6675
6676 idx += 1
6677 if ctx['num'] == idx:
6678 logger.info("Test: Server fragmenting and fragment overflow")
6679 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
6680 4 + 1 + 1 + 4 + 1,
6681 EAP_TYPE_TNC, 0xe1, 2, 1)
6682 idx += 1
6683 if ctx['num'] == idx:
6684 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
6685 4 + 1 + 1 + 2,
6686 EAP_TYPE_TNC, 0x01, 2, 3)
6687
6688 idx += 1
6689 if ctx['num'] == idx:
6690 logger.info("Test: Server fragmenting and no message length in a fragment")
6691 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
6692 4 + 1 + 1 + 1,
6693 EAP_TYPE_TNC, 0x61, 2)
6694
6695 idx += 1
6696 if ctx['num'] == idx:
6697 logger.info("Test: TNC start followed by invalid TNCCS-Batch")
6698 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6699 4 + 1 + 1,
6700 EAP_TYPE_TNC, 0x21)
6701 idx += 1
6702 if ctx['num'] == idx:
6703 logger.info("Received TNCCS-Batch: " + req[6:])
6704 resp = "FOO"
6705 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6706 4 + 1 + 1 + len(resp),
6707 EAP_TYPE_TNC, 0x01) + resp
6708
6709 idx += 1
6710 if ctx['num'] == idx:
6711 logger.info("Test: TNC start followed by invalid TNCCS-Batch (2)")
6712 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6713 4 + 1 + 1,
6714 EAP_TYPE_TNC, 0x21)
6715 idx += 1
6716 if ctx['num'] == idx:
6717 logger.info("Received TNCCS-Batch: " + req[6:])
6718 resp = "</TNCCS-Batch><TNCCS-Batch>"
6719 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6720 4 + 1 + 1 + len(resp),
6721 EAP_TYPE_TNC, 0x01) + resp
6722
6723 idx += 1
6724 if ctx['num'] == idx:
6725 logger.info("Test: TNCCS-Batch missing BatchId attribute")
6726 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6727 4 + 1 + 1,
6728 EAP_TYPE_TNC, 0x21)
6729 idx += 1
6730 if ctx['num'] == idx:
6731 logger.info("Received TNCCS-Batch: " + req[6:])
6732 resp = "<TNCCS-Batch foo=3></TNCCS-Batch>"
6733 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6734 4 + 1 + 1 + len(resp),
6735 EAP_TYPE_TNC, 0x01) + resp
6736
6737 idx += 1
6738 if ctx['num'] == idx:
6739 logger.info("Test: Unexpected IF-TNCCS BatchId")
6740 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6741 4 + 1 + 1,
6742 EAP_TYPE_TNC, 0x21)
6743 idx += 1
6744 if ctx['num'] == idx:
6745 logger.info("Received TNCCS-Batch: " + req[6:])
6746 resp = "<TNCCS-Batch BatchId=123456789></TNCCS-Batch>"
6747 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6748 4 + 1 + 1 + len(resp),
6749 EAP_TYPE_TNC, 0x01) + resp
6750
6751 idx += 1
6752 if ctx['num'] == idx:
6753 logger.info("Test: Missing IMC-IMV-Message and TNCC-TNCS-Message end tags")
6754 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6755 4 + 1 + 1,
6756 EAP_TYPE_TNC, 0x21)
6757 idx += 1
6758 if ctx['num'] == idx:
6759 logger.info("Received TNCCS-Batch: " + req[6:])
6760 resp = "<TNCCS-Batch BatchId=2><IMC-IMV-Message><TNCC-TNCS-Message></TNCCS-Batch>"
6761 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6762 4 + 1 + 1 + len(resp),
6763 EAP_TYPE_TNC, 0x01) + resp
6764 idx += 1
6765 if ctx['num'] == idx:
6766 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6767
6768 idx += 1
6769 if ctx['num'] == idx:
6770 logger.info("Test: Missing IMC-IMV-Message and TNCC-TNCS-Message Type")
6771 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6772 4 + 1 + 1,
6773 EAP_TYPE_TNC, 0x21)
6774 idx += 1
6775 if ctx['num'] == idx:
6776 logger.info("Received TNCCS-Batch: " + req[6:])
6777 resp = "<TNCCS-Batch BatchId=2><IMC-IMV-Message></IMC-IMV-Message><TNCC-TNCS-Message></TNCC-TNCS-Message></TNCCS-Batch>"
6778 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6779 4 + 1 + 1 + len(resp),
6780 EAP_TYPE_TNC, 0x01) + resp
6781 idx += 1
6782 if ctx['num'] == idx:
6783 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6784
6785 idx += 1
6786 if ctx['num'] == idx:
6787 logger.info("Test: Missing TNCC-TNCS-Message XML end tag")
6788 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6789 4 + 1 + 1,
6790 EAP_TYPE_TNC, 0x21)
6791 idx += 1
6792 if ctx['num'] == idx:
6793 logger.info("Received TNCCS-Batch: " + req[6:])
6794 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML></TNCC-TNCS-Message></TNCCS-Batch>"
6795 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6796 4 + 1 + 1 + len(resp),
6797 EAP_TYPE_TNC, 0x01) + resp
6798 idx += 1
6799 if ctx['num'] == idx:
6800 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6801
6802 idx += 1
6803 if ctx['num'] == idx:
6804 logger.info("Test: Missing TNCC-TNCS-Message Base64 start tag")
6805 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6806 4 + 1 + 1,
6807 EAP_TYPE_TNC, 0x21)
6808 idx += 1
6809 if ctx['num'] == idx:
6810 logger.info("Received TNCCS-Batch: " + req[6:])
6811 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type></TNCC-TNCS-Message></TNCCS-Batch>"
6812 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6813 4 + 1 + 1 + len(resp),
6814 EAP_TYPE_TNC, 0x01) + resp
6815 idx += 1
6816 if ctx['num'] == idx:
6817 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6818
6819 idx += 1
6820 if ctx['num'] == idx:
6821 logger.info("Test: Missing TNCC-TNCS-Message Base64 end tag")
6822 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6823 4 + 1 + 1,
6824 EAP_TYPE_TNC, 0x21)
6825 idx += 1
6826 if ctx['num'] == idx:
6827 logger.info("Received TNCCS-Batch: " + req[6:])
6828 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><Base64>abc</TNCC-TNCS-Message></TNCCS-Batch>"
6829 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6830 4 + 1 + 1 + len(resp),
6831 EAP_TYPE_TNC, 0x01) + resp
6832 idx += 1
6833 if ctx['num'] == idx:
6834 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6835
6836 idx += 1
6837 if ctx['num'] == idx:
6838 logger.info("Test: TNCC-TNCS-Message Base64 message")
6839 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6840 4 + 1 + 1,
6841 EAP_TYPE_TNC, 0x21)
6842 idx += 1
6843 if ctx['num'] == idx:
6844 logger.info("Received TNCCS-Batch: " + req[6:])
6845 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><Base64>aGVsbG8=</Base64></TNCC-TNCS-Message></TNCCS-Batch>"
6846 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6847 4 + 1 + 1 + len(resp),
6848 EAP_TYPE_TNC, 0x01) + resp
6849 idx += 1
6850 if ctx['num'] == idx:
6851 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6852
6853 idx += 1
6854 if ctx['num'] == idx:
6855 logger.info("Test: Invalid TNCC-TNCS-Message XML message")
6856 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6857 4 + 1 + 1,
6858 EAP_TYPE_TNC, 0x21)
6859 idx += 1
6860 if ctx['num'] == idx:
6861 logger.info("Received TNCCS-Batch: " + req[6:])
6862 resp = "<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML>hello</XML></TNCC-TNCS-Message></TNCCS-Batch>"
6863 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6864 4 + 1 + 1 + len(resp),
6865 EAP_TYPE_TNC, 0x01) + resp
6866 idx += 1
6867 if ctx['num'] == idx:
6868 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6869
6870 idx += 1
6871 if ctx['num'] == idx:
6872 logger.info("Test: Missing TNCCS-Recommendation type")
6873 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6874 4 + 1 + 1,
6875 EAP_TYPE_TNC, 0x21)
6876 idx += 1
6877 if ctx['num'] == idx:
6878 logger.info("Received TNCCS-Batch: " + req[6:])
6879 resp = '<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML><TNCCS-Recommendation foo=1></TNCCS-Recommendation></XML></TNCC-TNCS-Message></TNCCS-Batch>'
6880 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6881 4 + 1 + 1 + len(resp),
6882 EAP_TYPE_TNC, 0x01) + resp
6883 idx += 1
6884 if ctx['num'] == idx:
6885 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6886
6887 idx += 1
6888 if ctx['num'] == idx:
6889 logger.info("Test: TNCCS-Recommendation type=none")
6890 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6891 4 + 1 + 1,
6892 EAP_TYPE_TNC, 0x21)
6893 idx += 1
6894 if ctx['num'] == idx:
6895 logger.info("Received TNCCS-Batch: " + req[6:])
6896 resp = '<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML><TNCCS-Recommendation type="none"></TNCCS-Recommendation></XML></TNCC-TNCS-Message></TNCCS-Batch>'
6897 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6898 4 + 1 + 1 + len(resp),
6899 EAP_TYPE_TNC, 0x01) + resp
6900 idx += 1
6901 if ctx['num'] == idx:
6902 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6903
6904 idx += 1
6905 if ctx['num'] == idx:
6906 logger.info("Test: TNCCS-Recommendation type=isolate")
6907 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6908 4 + 1 + 1,
6909 EAP_TYPE_TNC, 0x21)
6910 idx += 1
6911 if ctx['num'] == idx:
6912 logger.info("Received TNCCS-Batch: " + req[6:])
6913 resp = '<TNCCS-Batch BatchId=2><TNCC-TNCS-Message><Type>00000001</Type><XML><TNCCS-Recommendation type="isolate"></TNCCS-Recommendation></XML></TNCC-TNCS-Message></TNCCS-Batch>'
6914 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
6915 4 + 1 + 1 + len(resp),
6916 EAP_TYPE_TNC, 0x01) + resp
6917 idx += 1
6918 if ctx['num'] == idx:
6919 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6920
6921 logger.info("No more test responses available - test case completed")
6922 global eap_proto_tnc_test_done
6923 eap_proto_tnc_test_done = True
6924 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
6925
6926 srv = start_radius_server(tnc_handler)
6927
6928 try:
6929 hapd = start_ap(apdev[0]['ifname'])
6930
6931 i = 0
6932 while not eap_proto_tnc_test_done:
6933 i += 1
6934 logger.info("Running connection iteration %d" % i)
6935 frag = 1400
6936 if i == 8:
6937 frag = 150
6938 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6939 eap="TNC", identity="tnc", fragment_size=str(frag),
6940 wait_connect=False)
6941 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
6942 if ev is None:
6943 raise Exception("Timeout on EAP start")
6944 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
6945 "CTRL-EVENT-EAP-STATUS"], timeout=5)
6946 if ev is None:
6947 raise Exception("Timeout on EAP method start")
6948 time.sleep(0.1)
6949 dev[0].request("REMOVE_NETWORK all")
6950 dev[0].wait_disconnected(timeout=1)
6951 dev[0].dump_monitor()
6952 finally:
6953 stop_radius_server(srv)
Unnamed repository; edit this file 'description' to name the repository.