tests: EAP-pwd protocol testing for the server

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

diff --git a/tests/hwsim/test_eap_proto.py b/tests/hwsim/test_eap_proto.py
index 9cf4f0a65d5c495a4525b945640ef4bd34f281ff..a88d837e9fa6950806e3c0d235d261c9c6fcd02c 100644 (file)
--- a/tests/hwsim/test_eap_proto.py
+++ b/tests/hwsim/test_eap_proto.py
@@ -7196,6 +7196,155 @@ def test_eap_proto_pwd_errors_server(dev, apdev):
         with fail_test(hapd, count, func):
             run_eap_pwd_connect(dev[0], hash=True)
 
+def start_pwd_assoc(dev, hapd):
+    dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                eap="PWD", identity="pwd user", password="secret password",
+                wait_connect=False, scan_freq="2412")
+    proxy_msg(hapd, dev) # EAP-Identity/Request
+    proxy_msg(dev, hapd) # EAP-Identity/Response
+    proxy_msg(hapd, dev) # EAP-pwd-Identity/Request
+
+def stop_pwd_assoc(dev, hapd):
+    dev.request("REMOVE_NETWORK all")
+    dev.wait_disconnected()
+    dev.dump_monitor()
+    hapd.dump_monitor()
+
+def test_eap_proto_pwd_server(dev, apdev):
+    """EAP-pwd protocol testing for the server"""
+    check_eap_capa(dev[0], "PWD")
+    params = int_eap_server_params()
+    hapd = hostapd.add_ap(apdev[0], params)
+    dev[0].scan_for_bss(hapd.own_addr(), freq=2412)
+    hapd.request("SET ext_eapol_frame_io 1")
+    dev[0].request("SET ext_eapol_frame_io 1")
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # Replace exch field with unexpected value
+    # --> EAP-pwd: Unexpected opcode=4 in state=0
+    msg = resp[0:18] + "04" + resp[20:]
+    tx_msg(dev[0], hapd, msg)
+
+    # Too short EAP-pwd header (no flags/exch field)
+    # --> EAP-pwd: Invalid frame
+    msg = resp[0:4] + "0005" + resp[8:12] + "0005" + "34"
+    tx_msg(dev[0], hapd, msg)
+
+    # Too short EAP-pwd header (L=1 but only one octet of total length field)
+    # --> EAP-pwd: Frame too short to contain Total-Length field
+    msg = resp[0:4] + "0007" + resp[8:12] + "0007" + "34" + "81ff"
+    tx_msg(dev[0], hapd, msg)
+    # server continues exchange, so start from scratch for the next step
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # Too large total length
+    msg = resp[0:4] + "0008" + resp[8:12] + "0008" + "34" + "c1ffff"
+    tx_msg(dev[0], hapd, msg)
+    # server continues exchange, so start from scratch for the next step
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # First fragment
+    msg = resp[0:4] + "0009" + resp[8:12] + "0009" + "34" + "c100ff" + "aa"
+    tx_msg(dev[0], hapd, msg)
+    # Ack
+    req = rx_msg(hapd)
+    # Unexpected first fragment
+    # --> EAP-pwd: Unexpected new fragment start when previous fragment is still in use
+    msg = resp[0:4] + "0009" + resp[8:10] + req[10:12] + "0009" + "34" + "c100ee" + "bb"
+    tx_msg(dev[0], hapd, msg)
+    # server continues exchange, so start from scratch for the next step
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # Too much data in first fragment
+    # --> EAP-pwd: Buffer overflow attack detected! (0+2 > 1)
+    msg = resp[0:4] + "000a" + resp[8:12] + "000a" + "34" + "c10001" + "aabb"
+    tx_msg(dev[0], hapd, msg)
+    # EAP-Failure
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # Change parameters
+    # --> EAP-pwd: peer changed parameters
+    msg = resp[0:20] + "ff" + resp[22:]
+    tx_msg(dev[0], hapd, msg)
+    # EAP-Failure
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # Too short ID response
+    # --> EAP-pwd: Invalid ID response
+    msg = resp[0:4] + "000a" + resp[8:12] + "000a" + "34" + "01ffeeddcc"
+    tx_msg(dev[0], hapd, msg)
+    # server continues exchange, so start from scratch for the next step
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    # EAP-pwd-Identity/Response
+    resp = rx_msg(dev[0])
+    tx_msg(dev[0], hapd, resp)
+    # EAP-pwd-Commit/Request
+    req = rx_msg(hapd)
+    # Unexpected EAP-pwd-Identity/Response
+    # --> EAP-pwd: Unexpected opcode=1 in state=1
+    msg = resp[0:10] + req[10:12] + resp[12:]
+    tx_msg(dev[0], hapd, msg)
+    # server continues exchange, so start from scratch for the next step
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    proxy_msg(dev[0], hapd) # EAP-pwd-Identity/Response
+    proxy_msg(hapd, dev[0]) # EAP-pwd-Commit/Request
+    # EAP-pwd-Commit/Response
+    resp = rx_msg(dev[0])
+    # Too short Commit response
+    # --> EAP-pwd: Unexpected Commit payload length 4 (expected 96)
+    msg = resp[0:4] + "000a" + resp[8:12] + "000a" + "34" + "02ffeeddcc"
+    tx_msg(dev[0], hapd, msg)
+    # EAP-Failure
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    proxy_msg(dev[0], hapd) # EAP-pwd-Identity/Response
+    proxy_msg(hapd, dev[0]) # EAP-pwd-Commit/Request
+    proxy_msg(dev[0], hapd) # EAP-pwd-Commit/Response
+    proxy_msg(hapd, dev[0]) # EAP-pwd-Confirm/Request
+    # EAP-pwd-Confirm/Response
+    resp = rx_msg(dev[0])
+    # Too short Confirm response
+    # --> EAP-pwd: Unexpected Confirm payload length 4 (expected 32)
+    msg = resp[0:4] + "000a" + resp[8:12] + "000a" + "34" + "03ffeeddcc"
+    tx_msg(dev[0], hapd, msg)
+    # EAP-Failure
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
+    start_pwd_assoc(dev[0], hapd)
+    resp = rx_msg(dev[0])
+    # Set M=1
+    # --> EAP-pwd: No buffer for reassembly
+    msg = resp[0:18] + "41" + resp[20:]
+    tx_msg(dev[0], hapd, msg)
+    # EAP-Failure
+    rx_msg(hapd)
+    stop_pwd_assoc(dev[0], hapd)
+
 def test_eap_proto_erp(dev, apdev):
     """ERP protocol tests"""
     check_erp_capa(dev[0])