]> git.ipfire.org Git - thirdparty/hostap.git/blame - tests/hwsim/test_eap_proto.py
projects / thirdparty / hostap.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Document previously missing key_mgmt values
[thirdparty/hostap.git] / tests / hwsim / test_eap_proto.py
CommitLineData
d81731e6 1# EAP protocol tests
e7ac04ce 2# Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
d81731e6
JM		 3#
4# This software may be distributed under the terms of the BSD license.
5# See README for more details.
6
37211e15
JM		 7import binascii
8import hashlib
d81731e6
JM		 9import hmac
10import logging
11logger = logging.getLogger()
12import select
13import struct
14import threading
15import time
16
17import hostapd
d5482411 18from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
d36ae376 19from test_ap_eap import check_eap_capa, check_hlr_auc_gw_support
b6f17f2f 20from test_erp import check_erp_capa
d81731e6
JM		 21
22EAP_CODE_REQUEST = 1
23EAP_CODE_RESPONSE = 2
24EAP_CODE_SUCCESS = 3
25EAP_CODE_FAILURE = 4
b6f17f2f
JM		 26EAP_CODE_INITIATE = 5
27EAP_CODE_FINISH = 6
d81731e6
JM		 28
29EAP_TYPE_IDENTITY = 1
30EAP_TYPE_NOTIFICATION = 2
31EAP_TYPE_NAK = 3
32EAP_TYPE_MD5 = 4
33EAP_TYPE_OTP = 5
34EAP_TYPE_GTC = 6
35EAP_TYPE_TLS = 13
36EAP_TYPE_LEAP = 17
37EAP_TYPE_SIM = 18
38EAP_TYPE_TTLS = 21
39EAP_TYPE_AKA = 23
40EAP_TYPE_PEAP = 25
41EAP_TYPE_MSCHAPV2 = 26
42EAP_TYPE_TLV = 33
43EAP_TYPE_TNC = 38
44EAP_TYPE_FAST = 43
45EAP_TYPE_PAX = 46
46EAP_TYPE_PSK = 47
47EAP_TYPE_SAKE = 48
48EAP_TYPE_IKEV2 = 49
49EAP_TYPE_AKA_PRIME = 50
50EAP_TYPE_GPSK = 51
51EAP_TYPE_PWD = 52
52EAP_TYPE_EKE = 53
53
b6f17f2f
JM		 54# Type field in EAP-Initiate and EAP-Finish messages
55EAP_ERP_TYPE_REAUTH_START = 1
56EAP_ERP_TYPE_REAUTH = 2
57
58EAP_ERP_TLV_KEYNAME_NAI = 1
59EAP_ERP_TV_RRK_LIFETIME = 2
60EAP_ERP_TV_RMSK_LIFETIME = 3
61EAP_ERP_TLV_DOMAIN_NAME = 4
62EAP_ERP_TLV_CRYPTOSUITES = 5
63EAP_ERP_TLV_AUTHORIZATION_INDICATION = 6
64EAP_ERP_TLV_CALLED_STATION_ID = 128
65EAP_ERP_TLV_CALLING_STATION_ID = 129
66EAP_ERP_TLV_NAS_IDENTIFIER = 130
67EAP_ERP_TLV_NAS_IP_ADDRESS = 131
68EAP_ERP_TLV_NAS_IPV6_ADDRESS = 132
69
d81731e6
JM		 70def run_pyrad_server(srv, t_stop, eap_handler):
71 srv.RunWithStop(t_stop, eap_handler)
72
73def start_radius_server(eap_handler):
74 try:
75 import pyrad.server
76 import pyrad.packet
77 import pyrad.dictionary
78 except ImportError:
81e787b7 79 raise HwsimSkip("No pyrad modules available")
d81731e6
JM		 80
81 class TestServer(pyrad.server.Server):
82 def _HandleAuthPacket(self, pkt):
83 pyrad.server.Server._HandleAuthPacket(self, pkt)
37211e15
JM		 84 eap = ""
85 for p in pkt[79]:
86 eap += p
d81731e6
JM		 87 eap_req = self.eap_handler(self.ctx, eap)
88 reply = self.CreateReplyPacket(pkt)
89 if eap_req:
cb0555f7
JM		 90 while True:
91 if len(eap_req) > 253:
92 reply.AddAttribute("EAP-Message", eap_req[0:253])
93 eap_req = eap_req[253:]
94 else:
95 reply.AddAttribute("EAP-Message", eap_req)
96 break
18fc8f40
JM		 97 else:
98 logger.info("No EAP request available")
d81731e6
JM		 99 reply.code = pyrad.packet.AccessChallenge
100
101 hmac_obj = hmac.new(reply.secret)
102 hmac_obj.update(struct.pack("B", reply.code))
103 hmac_obj.update(struct.pack("B", reply.id))
104
105 # reply attributes
106 reply.AddAttribute("Message-Authenticator",
107 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
108 attrs = reply._PktEncodeAttributes()
109
110 # Length
111 flen = 4 + 16 + len(attrs)
112 hmac_obj.update(struct.pack(">H", flen))
113 hmac_obj.update(pkt.authenticator)
114 hmac_obj.update(attrs)
115 del reply[80]
116 reply.AddAttribute("Message-Authenticator", hmac_obj.digest())
117
118 self.SendReplyPacket(pkt.fd, reply)
119
120 def RunWithStop(self, t_stop, eap_handler):
121 self._poll = select.poll()
122 self._fdmap = {}
123 self._PrepareSockets()
124 self.t_stop = t_stop
125 self.eap_handler = eap_handler
126 self.ctx = {}
127
128 while not t_stop.is_set():
8a848fae 129 for (fd, event) in self._poll.poll(200):
d81731e6
JM		 130 if event == select.POLLIN:
131 try:
132 fdo = self._fdmap[fd]
133 self._ProcessInput(fdo)
134 except pyrad.server.ServerPacketError as err:
135 logger.info("pyrad server dropping packet: " + str(err))
136 except pyrad.packet.PacketError as err:
137 logger.info("pyrad server received invalid packet: " + str(err))
138 else:
139 logger.error("Unexpected event in pyrad server main loop")
140
141 srv = TestServer(dict=pyrad.dictionary.Dictionary("dictionary.radius"),
142 authport=18138, acctport=18139)
143 srv.hosts["127.0.0.1"] = pyrad.server.RemoteHost("127.0.0.1",
144 "radius",
145 "localhost")
146 srv.BindToAddress("")
147 t_stop = threading.Event()
148 t = threading.Thread(target=run_pyrad_server, args=(srv, t_stop, eap_handler))
149 t.start()
150
151 return { 'srv': srv, 'stop': t_stop, 'thread': t }
152
153def stop_radius_server(srv):
154 srv['stop'].set()
155 srv['thread'].join()
156
157def start_ap(ifname):
158 params = hostapd.wpa2_eap_params(ssid="eap-test")
159 params['auth_server_port'] = "18138"
160 hapd = hostapd.add_ap(ifname, params)
161 return hapd
162
2eae05f7
JM		 163def test_eap_proto(dev, apdev):
164 """EAP protocol tests"""
e7ac04ce 165 check_eap_capa(dev[0], "MD5")
2eae05f7
JM		 166 def eap_handler(ctx, req):
167 logger.info("eap_handler - RX " + req.encode("hex"))
168 if 'num' not in ctx:
169 ctx['num'] = 0
170 ctx['num'] = ctx['num'] + 1
171 if 'id' not in ctx:
172 ctx['id'] = 1
173 ctx['id'] = (ctx['id'] + 1) % 256
174 idx = 0
175
176 idx += 1
177 if ctx['num'] == idx:
178 logger.info("Test: MD5 challenge")
179 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
180 4 + 1 + 3,
181 EAP_TYPE_MD5,
182 1, 0xaa, ord('n'))
183 idx += 1
184 if ctx['num'] == idx:
185 logger.info("Test: EAP-Success - id off by 2")
186 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] + 1, 4)
187
188 idx += 1
189 if ctx['num'] == idx:
190 logger.info("Test: MD5 challenge")
191 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
192 4 + 1 + 3,
193 EAP_TYPE_MD5,
194 1, 0xaa, ord('n'))
195 idx += 1
196 if ctx['num'] == idx:
197 logger.info("Test: EAP-Success - id off by 3")
198 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] + 2, 4)
199
200 idx += 1
201 if ctx['num'] == idx:
202 logger.info("Test: MD5 challenge")
203 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
204 4 + 1 + 3,
205 EAP_TYPE_MD5,
206 1, 0xaa, ord('n'))
207 idx += 1
208 if ctx['num'] == idx:
209 logger.info("Test: EAP-Notification/Request")
210 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
211 4 + 1 + 1,
212 EAP_TYPE_NOTIFICATION,
213 ord('A'))
214 idx += 1
215 if ctx['num'] == idx:
216 logger.info("Test: EAP-Success")
217 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
218
219 idx += 1
220 if ctx['num'] == idx:
221 logger.info("Test: EAP-Notification/Request")
222 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
223 4 + 1 + 1,
224 EAP_TYPE_NOTIFICATION,
225 ord('B'))
226 idx += 1
227 if ctx['num'] == idx:
228 logger.info("Test: MD5 challenge")
229 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
230 4 + 1 + 3,
231 EAP_TYPE_MD5,
232 1, 0xaa, ord('n'))
233 idx += 1
234 if ctx['num'] == idx:
235 logger.info("Test: EAP-Success")
236 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
237
238 idx += 1
239 if ctx['num'] == idx:
240 logger.info("Test: EAP-Notification/Request")
241 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
242 4 + 1 + 1,
243 EAP_TYPE_NOTIFICATION,
244 ord('C'))
245 idx += 1
246 if ctx['num'] == idx:
247 logger.info("Test: MD5 challenge")
248 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
249 4 + 1 + 3,
250 EAP_TYPE_MD5,
251 1, 0xaa, ord('n'))
252 idx += 1
253 if ctx['num'] == idx:
254 logger.info("Test: EAP-Notification/Request")
255 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
256 4 + 1 + 1,
257 EAP_TYPE_NOTIFICATION,
258 ord('D'))
259 idx += 1
260 if ctx['num'] == idx:
261 logger.info("Test: EAP-Success")
262 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 1, 4)
263
264 idx += 1
265 if ctx['num'] == idx:
266 logger.info("Test: EAP-Notification/Request")
267 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
268 4 + 1 + 1,
269 EAP_TYPE_NOTIFICATION,
270 ord('E'))
271 idx += 1
272 if ctx['num'] == idx:
273 logger.info("Test: EAP-Notification/Request (same id)")
274 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'] - 1,
275 4 + 1 + 1,
276 EAP_TYPE_NOTIFICATION,
277 ord('F'))
278 idx += 1
279 if ctx['num'] == idx:
280 logger.info("Test: Unexpected EAP-Success")
281 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'] - 2, 4)
282
283 return None
284
285 srv = start_radius_server(eap_handler)
2eae05f7
JM		 286
287 try:
288 hapd = start_ap(apdev[0]['ifname'])
289
290 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
291 eap="MD5", identity="user", password="password",
292 wait_connect=False)
293 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
294 if ev is None:
295 raise Exception("Timeout on EAP start")
296 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
297 if ev is None:
298 raise Exception("Timeout on EAP success")
299 dev[0].request("REMOVE_NETWORK all")
300
301 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
302 eap="MD5", identity="user", password="password",
303 wait_connect=False)
304 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
305 if ev is None:
306 raise Exception("Timeout on EAP start")
307 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=1)
308 if ev is not None:
309 raise Exception("Unexpected EAP success")
310 dev[0].request("REMOVE_NETWORK all")
311
312 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
313 eap="MD5", identity="user", password="password",
314 wait_connect=False)
315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
316 if ev is None:
317 raise Exception("Timeout on EAP start")
318 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
319 if ev is None:
320 raise Exception("Timeout on EAP notification")
321 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION A":
322 raise Exception("Unexpected notification contents: " + ev)
323 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
324 if ev is None:
325 raise Exception("Timeout on EAP success")
326 dev[0].request("REMOVE_NETWORK all")
327
328 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
329 eap="MD5", identity="user", password="password",
330 wait_connect=False)
331 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
332 if ev is None:
333 raise Exception("Timeout on EAP notification")
334 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION B":
335 raise Exception("Unexpected notification contents: " + ev)
336 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
337 if ev is None:
338 raise Exception("Timeout on EAP start")
339 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
340 if ev is None:
341 raise Exception("Timeout on EAP success")
342 dev[0].request("REMOVE_NETWORK all")
343
344 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
345 eap="MD5", identity="user", password="password",
346 wait_connect=False)
347 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
348 if ev is None:
349 raise Exception("Timeout on EAP notification")
350 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION C":
351 raise Exception("Unexpected notification contents: " + ev)
352 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
353 if ev is None:
354 raise Exception("Timeout on EAP start")
355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
356 if ev is None:
357 raise Exception("Timeout on EAP notification")
358 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION D":
359 raise Exception("Unexpected notification contents: " + ev)
360 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
361 if ev is None:
362 raise Exception("Timeout on EAP success")
363 dev[0].request("REMOVE_NETWORK all")
364
365 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
366 eap="MD5", identity="user", password="password",
367 wait_connect=False)
368 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
369 if ev is None:
370 raise Exception("Timeout on EAP notification")
371 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION E":
372 raise Exception("Unexpected notification contents: " + ev)
373 ev = dev[0].wait_event(["CTRL-EVENT-EAP-NOTIFICATION"], timeout=10)
374 if ev is None:
375 raise Exception("Timeout on EAP notification")
376 if ev != "<3>CTRL-EVENT-EAP-NOTIFICATION F":
377 raise Exception("Unexpected notification contents: " + ev)
378 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
379 if ev is None:
380 raise Exception("Timeout on EAP failure")
381 dev[0].request("REMOVE_NETWORK all")
382 finally:
383 stop_radius_server(srv)
384
d81731e6
JM		 385EAP_SAKE_VERSION = 2
386
387EAP_SAKE_SUBTYPE_CHALLENGE = 1
388EAP_SAKE_SUBTYPE_CONFIRM = 2
389EAP_SAKE_SUBTYPE_AUTH_REJECT = 3
390EAP_SAKE_SUBTYPE_IDENTITY = 4
391
392EAP_SAKE_AT_RAND_S = 1
393EAP_SAKE_AT_RAND_P = 2
394EAP_SAKE_AT_MIC_S = 3
395EAP_SAKE_AT_MIC_P = 4
396EAP_SAKE_AT_SERVERID = 5
397EAP_SAKE_AT_PEERID = 6
398EAP_SAKE_AT_SPI_S = 7
399EAP_SAKE_AT_SPI_P = 8
400EAP_SAKE_AT_ANY_ID_REQ = 9
401EAP_SAKE_AT_PERM_ID_REQ = 10
402EAP_SAKE_AT_ENCR_DATA = 128
403EAP_SAKE_AT_IV = 129
404EAP_SAKE_AT_PADDING = 130
405EAP_SAKE_AT_NEXT_TMPID = 131
406EAP_SAKE_AT_MSK_LIFE = 132
407
408def test_eap_proto_sake(dev, apdev):
409 """EAP-SAKE protocol tests"""
c49b383f
JM		 410 global eap_proto_sake_test_done
411 eap_proto_sake_test_done = False
412
d81731e6
JM		 413 def sake_challenge(ctx):
414 logger.info("Test: Challenge subtype")
415 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
416 4 + 1 + 3 + 18,
417 EAP_TYPE_SAKE,
418 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
419 EAP_SAKE_AT_RAND_S, 18, 0, 0, 0, 0)
420
421 def sake_handler(ctx, req):
422 logger.info("sake_handler - RX " + req.encode("hex"))
423 if 'num' not in ctx:
424 ctx['num'] = 0
c49b383f 425 ctx['num'] += 1
d81731e6
JM		 426 if 'id' not in ctx:
427 ctx['id'] = 1
428 ctx['id'] = (ctx['id'] + 1) % 256
c49b383f 429 idx = 0
d81731e6 430
c49b383f
JM		 431 idx += 1
432 if ctx['num'] == idx:
d81731e6
JM		 433 logger.info("Test: Missing payload")
434 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1,
435 EAP_TYPE_SAKE)
436
c49b383f
JM		 437 idx += 1
438 if ctx['num'] == idx:
d81731e6
JM		 439 logger.info("Test: Identity subtype without any attributes")
440 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
441 4 + 1 + 3,
442 EAP_TYPE_SAKE,
443 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY)
444
c49b383f
JM		 445 idx += 1
446 if ctx['num'] == idx:
d81731e6
JM		 447 logger.info("Test: Identity subtype")
448 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
449 4 + 1 + 3 + 4,
450 EAP_TYPE_SAKE,
451 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
452 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
c49b383f
JM		 453 idx += 1
454 if ctx['num'] == idx:
d81731e6
JM		 455 logger.info("Test: Identity subtype (different session id)")
456 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
457 4 + 1 + 3 + 4,
458 EAP_TYPE_SAKE,
459 EAP_SAKE_VERSION, 1, EAP_SAKE_SUBTYPE_IDENTITY,
460 EAP_SAKE_AT_PERM_ID_REQ, 4, 0)
461
c49b383f
JM		 462 idx += 1
463 if ctx['num'] == idx:
d81731e6
JM		 464 logger.info("Test: Identity subtype with too short attribute")
465 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
466 4 + 1 + 3 + 2,
467 EAP_TYPE_SAKE,
468 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
469 EAP_SAKE_AT_ANY_ID_REQ, 2)
470
c49b383f
JM		 471 idx += 1
472 if ctx['num'] == idx:
d81731e6
JM		 473 logger.info("Test: Identity subtype with truncated attribute")
474 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
475 4 + 1 + 3 + 2,
476 EAP_TYPE_SAKE,
477 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
478 EAP_SAKE_AT_ANY_ID_REQ, 4)
479
288b6f8b
JM		 480 idx += 1
481 if ctx['num'] == idx:
482 logger.info("Test: Identity subtype with too short attribute header")
483 payload = struct.pack("B", EAP_SAKE_AT_ANY_ID_REQ)
484 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
485 4 + 1 + 3 + len(payload),
486 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
487 EAP_SAKE_SUBTYPE_IDENTITY) + payload
488
489 idx += 1
490 if ctx['num'] == idx:
491 logger.info("Test: Identity subtype with AT_IV but not AT_ENCR_DATA")
492 payload = struct.pack("BB", EAP_SAKE_AT_IV, 2)
493 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
494 4 + 1 + 3 + len(payload),
495 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
496 EAP_SAKE_SUBTYPE_IDENTITY) + payload
497
498 idx += 1
499 if ctx['num'] == idx:
500 logger.info("Test: Identity subtype with skippable and non-skippable unknown attribute")
501 payload = struct.pack("BBBB", 255, 2, 127, 2)
502 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
503 4 + 1 + 3 + len(payload),
504 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
505 EAP_SAKE_SUBTYPE_IDENTITY) + payload
506
507 idx += 1
508 if ctx['num'] == idx:
509 logger.info("Test: Identity subtype: AT_RAND_P with invalid payload length")
510 payload = struct.pack("BB", EAP_SAKE_AT_RAND_P, 2)
511 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
512 4 + 1 + 3 + len(payload),
513 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
514 EAP_SAKE_SUBTYPE_IDENTITY) + payload
515
516 idx += 1
517 if ctx['num'] == idx:
518 logger.info("Test: Identity subtype: AT_MIC_P with invalid payload length")
519 payload = struct.pack("BB", EAP_SAKE_AT_MIC_P, 2)
520 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
521 4 + 1 + 3 + len(payload),
522 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
523 EAP_SAKE_SUBTYPE_IDENTITY) + payload
524
525 idx += 1
526 if ctx['num'] == idx:
527 logger.info("Test: Identity subtype: AT_PERM_ID_REQ with invalid payload length")
528 payload = struct.pack("BBBBBBBBBBBBBB",
529 EAP_SAKE_AT_SPI_S, 2,
530 EAP_SAKE_AT_SPI_P, 2,
531 EAP_SAKE_AT_ENCR_DATA, 2,
532 EAP_SAKE_AT_NEXT_TMPID, 2,
533 EAP_SAKE_AT_PERM_ID_REQ, 4, 0, 0,
534 EAP_SAKE_AT_PERM_ID_REQ, 2)
535 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
536 4 + 1 + 3 + len(payload),
537 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
538 EAP_SAKE_SUBTYPE_IDENTITY) + payload
539
540 idx += 1
541 if ctx['num'] == idx:
542 logger.info("Test: Identity subtype: AT_PADDING")
543 payload = struct.pack("BBBBBB",
544 EAP_SAKE_AT_PADDING, 3, 0,
545 EAP_SAKE_AT_PADDING, 3, 1)
546 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
547 4 + 1 + 3 + len(payload),
548 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
549 EAP_SAKE_SUBTYPE_IDENTITY) + payload
550
551 idx += 1
552 if ctx['num'] == idx:
553 logger.info("Test: Identity subtype: AT_MSK_LIFE")
554 payload = struct.pack(">BBLBBH",
555 EAP_SAKE_AT_MSK_LIFE, 6, 0,
556 EAP_SAKE_AT_MSK_LIFE, 4, 0)
557 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
558 4 + 1 + 3 + len(payload),
559 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
560 EAP_SAKE_SUBTYPE_IDENTITY) + payload
561
562 idx += 1
563 if ctx['num'] == idx:
564 logger.info("Test: Identity subtype with invalid attribute length")
565 payload = struct.pack("BB", EAP_SAKE_AT_ANY_ID_REQ, 0)
566 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
567 4 + 1 + 3 + len(payload),
568 EAP_TYPE_SAKE, EAP_SAKE_VERSION, 0,
569 EAP_SAKE_SUBTYPE_IDENTITY) + payload
570
c49b383f
JM		 571 idx += 1
572 if ctx['num'] == idx:
d81731e6
JM		 573 logger.info("Test: Unknown subtype")
574 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
575 4 + 1 + 3,
576 EAP_TYPE_SAKE,
577 EAP_SAKE_VERSION, 0, 123)
578
c49b383f
JM		 579 idx += 1
580 if ctx['num'] == idx:
d81731e6
JM		 581 logger.info("Test: Challenge subtype without any attributes")
582 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
583 4 + 1 + 3,
584 EAP_TYPE_SAKE,
585 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE)
586
c49b383f
JM		 587 idx += 1
588 if ctx['num'] == idx:
d81731e6
JM		 589 logger.info("Test: Challenge subtype with too short AT_RAND_S")
590 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
591 4 + 1 + 3 + 2,
592 EAP_TYPE_SAKE,
593 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
594 EAP_SAKE_AT_RAND_S, 2)
595
c49b383f
JM		 596 idx += 1
597 if ctx['num'] == idx:
d81731e6 598 return sake_challenge(ctx)
c49b383f
JM		 599 idx += 1
600 if ctx['num'] == idx:
d81731e6
JM		 601 logger.info("Test: Unexpected Identity subtype")
602 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
603 4 + 1 + 3 + 4,
604 EAP_TYPE_SAKE,
605 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
606 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
607
c49b383f
JM		 608 idx += 1
609 if ctx['num'] == idx:
d81731e6 610 return sake_challenge(ctx)
c49b383f
JM		 611 idx += 1
612 if ctx['num'] == idx:
d81731e6
JM		 613 logger.info("Test: Unexpected Challenge subtype")
614 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
615 4 + 1 + 3 + 18,
616 EAP_TYPE_SAKE,
617 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CHALLENGE,
618 EAP_SAKE_AT_RAND_S, 18, 0, 0, 0, 0)
619
c49b383f
JM		 620 idx += 1
621 if ctx['num'] == idx:
d81731e6 622 return sake_challenge(ctx)
c49b383f
JM		 623 idx += 1
624 if ctx['num'] == idx:
d81731e6
JM		 625 logger.info("Test: Confirm subtype without any attributes")
626 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
627 4 + 1 + 3,
628 EAP_TYPE_SAKE,
629 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM)
630
c49b383f
JM		 631 idx += 1
632 if ctx['num'] == idx:
d81731e6 633 return sake_challenge(ctx)
c49b383f
JM		 634 idx += 1
635 if ctx['num'] == idx:
d81731e6
JM		 636 logger.info("Test: Confirm subtype with too short AT_MIC_S")
637 return struct.pack(">BBHBBBBBB", EAP_CODE_REQUEST, ctx['id'],
638 4 + 1 + 3 + 2,
639 EAP_TYPE_SAKE,
640 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
641 EAP_SAKE_AT_MIC_S, 2)
642
c49b383f
JM		 643 idx += 1
644 if ctx['num'] == idx:
d81731e6
JM		 645 logger.info("Test: Unexpected Confirm subtype")
646 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
647 4 + 1 + 3 + 18,
648 EAP_TYPE_SAKE,
649 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
650 EAP_SAKE_AT_MIC_S, 18, 0, 0, 0, 0)
651
c49b383f
JM		 652 idx += 1
653 if ctx['num'] == idx:
d81731e6 654 return sake_challenge(ctx)
c49b383f
JM		 655 idx += 1
656 if ctx['num'] == idx:
d81731e6
JM		 657 logger.info("Test: Confirm subtype with incorrect AT_MIC_S")
658 return struct.pack(">BBHBBBBBBLLLL", EAP_CODE_REQUEST, ctx['id'],
659 4 + 1 + 3 + 18,
660 EAP_TYPE_SAKE,
661 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_CONFIRM,
662 EAP_SAKE_AT_MIC_S, 18, 0, 0, 0, 0)
663
c49b383f
JM		 664 global eap_proto_sake_test_done
665 if eap_proto_sake_test_done:
666 return sake_challenge(ctx)
667
668 logger.info("No more test responses available - test case completed")
669 eap_proto_sake_test_done = True
670 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
d81731e6
JM		 671
672 srv = start_radius_server(sake_handler)
d81731e6
JM		 673
674 try:
675 hapd = start_ap(apdev[0]['ifname'])
676
c49b383f 677 while not eap_proto_sake_test_done:
d81731e6
JM		 678 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
679 eap="SAKE", identity="sake user",
680 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
681 wait_connect=False)
682 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
683 if ev is None:
684 raise Exception("Timeout on EAP start")
685 time.sleep(0.1)
686 dev[0].request("REMOVE_NETWORK all")
687
688 logger.info("Too short password")
689 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
690 eap="SAKE", identity="sake user",
691 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcd",
692 wait_connect=False)
693 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
694 if ev is None:
695 raise Exception("Timeout on EAP start")
696 time.sleep(0.1)
697 finally:
698 stop_radius_server(srv)
18fc8f40 699
ab4ea0e9
JM		 700def test_eap_proto_sake_errors(dev, apdev):
701 """EAP-SAKE local error cases"""
702 check_eap_capa(dev[0], "SAKE")
703 params = hostapd.wpa2_eap_params(ssid="eap-test")
704 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
705
706 for i in range(1, 3):
707 with alloc_fail(dev[0], i, "eap_sake_init"):
708 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
709 eap="SAKE", identity="sake user",
710 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
711 wait_connect=False)
712 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
713 timeout=15)
714 if ev is None:
715 raise Exception("Timeout on EAP start")
716 dev[0].request("REMOVE_NETWORK all")
717 dev[0].wait_disconnected()
718
719 tests = [ ( 1, "eap_msg_alloc;eap_sake_build_msg;eap_sake_process_challenge" ),
720 ( 1, "=eap_sake_process_challenge" ),
721 ( 1, "eap_sake_compute_mic;eap_sake_process_challenge" ),
722 ( 1, "eap_sake_build_msg;eap_sake_process_confirm" ),
723 ( 2, "eap_sake_compute_mic;eap_sake_process_confirm" ),
724 ( 1, "eap_sake_getKey" ),
725 ( 1, "eap_sake_get_emsk" ),
726 ( 1, "eap_sake_get_session_id" ) ]
727 for count, func in tests:
728 with alloc_fail(dev[0], count, func):
729 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
730 eap="SAKE", identity="sake user",
731 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
732 erp="1",
733 wait_connect=False)
734 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
735 timeout=15)
736 if ev is None:
737 raise Exception("Timeout on EAP start")
738 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
739 dev[0].request("REMOVE_NETWORK all")
740 dev[0].wait_disconnected()
741
742 with fail_test(dev[0], 1, "os_get_random;eap_sake_process_challenge"):
743 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
744 eap="SAKE", identity="sake user",
745 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
746 wait_connect=False)
747 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
748 if ev is None:
749 raise Exception("Timeout on EAP start")
750 wait_fail_trigger(dev[0], "GET_FAIL")
751 dev[0].request("REMOVE_NETWORK all")
752 dev[0].wait_disconnected()
753
754def test_eap_proto_sake_errors2(dev, apdev):
755 """EAP-SAKE protocol tests (2)"""
756 def sake_handler(ctx, req):
757 logger.info("sake_handler - RX " + req.encode("hex"))
758 if 'num' not in ctx:
759 ctx['num'] = 0
760 ctx['num'] += 1
761 if 'id' not in ctx:
762 ctx['id'] = 1
763 ctx['id'] = (ctx['id'] + 1) % 256
764 idx = 0
765
766 idx += 1
767 if ctx['num'] == idx:
768 logger.info("Test: Identity subtype")
769 return struct.pack(">BBHBBBBBBH", EAP_CODE_REQUEST, ctx['id'],
770 4 + 1 + 3 + 4,
771 EAP_TYPE_SAKE,
772 EAP_SAKE_VERSION, 0, EAP_SAKE_SUBTYPE_IDENTITY,
773 EAP_SAKE_AT_ANY_ID_REQ, 4, 0)
774
775 srv = start_radius_server(sake_handler)
776
777 try:
778 hapd = start_ap(apdev[0]['ifname'])
779
780 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_sake_build_msg;eap_sake_process_identity"):
781 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
782 eap="SAKE", identity="sake user",
783 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
784 wait_connect=False)
785 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
786 timeout=15)
787 if ev is None:
788 raise Exception("Timeout on EAP start")
789 dev[0].request("REMOVE_NETWORK all")
790 dev[0].wait_disconnected()
791
792 finally:
793 stop_radius_server(srv)
794
18fc8f40
JM		 795def test_eap_proto_leap(dev, apdev):
796 """EAP-LEAP protocol tests"""
597516df 797 check_eap_capa(dev[0], "LEAP")
18fc8f40
JM		 798 def leap_handler(ctx, req):
799 logger.info("leap_handler - RX " + req.encode("hex"))
800 if 'num' not in ctx:
801 ctx['num'] = 0
802 ctx['num'] = ctx['num'] + 1
803 if 'id' not in ctx:
804 ctx['id'] = 1
805 ctx['id'] = (ctx['id'] + 1) % 256
806
807 if ctx['num'] == 1:
808 logger.info("Test: Missing payload")
809 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
810 4 + 1,
811 EAP_TYPE_LEAP)
812
813 if ctx['num'] == 2:
814 logger.info("Test: Unexpected version")
815 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
816 4 + 1 + 3,
817 EAP_TYPE_LEAP,
818 0, 0, 0)
819
820 if ctx['num'] == 3:
821 logger.info("Test: Invalid challenge length")
822 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
823 4 + 1 + 3,
824 EAP_TYPE_LEAP,
825 1, 0, 0)
826
827 if ctx['num'] == 4:
828 logger.info("Test: Truncated challenge")
829 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
830 4 + 1 + 3,
831 EAP_TYPE_LEAP,
832 1, 0, 8)
833
834 if ctx['num'] == 5:
835 logger.info("Test: Valid challenge")
836 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
837 4 + 1 + 3 + 8,
838 EAP_TYPE_LEAP,
839 1, 0, 8, 0, 0)
840 if ctx['num'] == 6:
841 logger.info("Test: Missing payload in Response")
842 return struct.pack(">BBHB", EAP_CODE_RESPONSE, ctx['id'],
843 4 + 1,
844 EAP_TYPE_LEAP)
845
846 if ctx['num'] == 7:
847 logger.info("Test: Valid challenge")
848 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
849 4 + 1 + 3 + 8,
850 EAP_TYPE_LEAP,
851 1, 0, 8, 0, 0)
852 if ctx['num'] == 8:
853 logger.info("Test: Unexpected version in Response")
854 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
855 4 + 1 + 3,
856 EAP_TYPE_LEAP,
857 0, 0, 8)
858
859 if ctx['num'] == 9:
860 logger.info("Test: Valid challenge")
861 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
862 4 + 1 + 3 + 8,
863 EAP_TYPE_LEAP,
864 1, 0, 8, 0, 0)
865 if ctx['num'] == 10:
866 logger.info("Test: Invalid challenge length in Response")
867 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
868 4 + 1 + 3,
869 EAP_TYPE_LEAP,
870 1, 0, 0)
871
872 if ctx['num'] == 11:
873 logger.info("Test: Valid challenge")
874 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
875 4 + 1 + 3 + 8,
876 EAP_TYPE_LEAP,
877 1, 0, 8, 0, 0)
878 if ctx['num'] == 12:
879 logger.info("Test: Truncated challenge in Response")
880 return struct.pack(">BBHBBBB", EAP_CODE_RESPONSE, ctx['id'],
881 4 + 1 + 3,
882 EAP_TYPE_LEAP,
883 1, 0, 24)
884
885 if ctx['num'] == 13:
886 logger.info("Test: Valid challenge")
887 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
888 4 + 1 + 3 + 8,
889 EAP_TYPE_LEAP,
890 1, 0, 8, 0, 0)
891 if ctx['num'] == 14:
892 logger.info("Test: Invalid challange value in Response")
893 return struct.pack(">BBHBBBB6L", EAP_CODE_RESPONSE, ctx['id'],
894 4 + 1 + 3 + 24,
895 EAP_TYPE_LEAP,
896 1, 0, 24,
897 0, 0, 0, 0, 0, 0)
898
899 if ctx['num'] == 15:
900 logger.info("Test: Valid challenge")
901 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
902 4 + 1 + 3 + 8,
903 EAP_TYPE_LEAP,
904 1, 0, 8, 0, 0)
905 if ctx['num'] == 16:
906 logger.info("Test: Valid challange value in Response")
907 return struct.pack(">BBHBBBB24B", EAP_CODE_RESPONSE, ctx['id'],
908 4 + 1 + 3 + 24,
909 EAP_TYPE_LEAP,
910 1, 0, 24,
911 0x48, 0x4e, 0x46, 0xe3, 0x88, 0x49, 0x46, 0xbd,
912 0x28, 0x48, 0xf8, 0x53, 0x82, 0x50, 0x00, 0x04,
913 0x93, 0x50, 0x30, 0xd7, 0x25, 0xea, 0x5f, 0x66)
914
915 if ctx['num'] == 17:
916 logger.info("Test: Valid challenge")
917 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
918 4 + 1 + 3 + 8,
919 EAP_TYPE_LEAP,
920 1, 0, 8, 0, 0)
921 if ctx['num'] == 18:
922 logger.info("Test: Success")
923 return struct.pack(">BBHB", EAP_CODE_SUCCESS, ctx['id'],
924 4 + 1,
925 EAP_TYPE_LEAP)
926 # hostapd will drop the next frame in the sequence
927
928 if ctx['num'] == 19:
929 logger.info("Test: Valid challenge")
930 return struct.pack(">BBHBBBBLL", EAP_CODE_REQUEST, ctx['id'],
931 4 + 1 + 3 + 8,
932 EAP_TYPE_LEAP,
933 1, 0, 8, 0, 0)
934 if ctx['num'] == 20:
935 logger.info("Test: Failure")
936 return struct.pack(">BBHB", EAP_CODE_FAILURE, ctx['id'],
937 4 + 1,
938 EAP_TYPE_LEAP)
939
940 return None
941
942 srv = start_radius_server(leap_handler)
18fc8f40
JM		 943
944 try:
945 hapd = start_ap(apdev[0]['ifname'])
946
947 for i in range(0, 12):
948 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
949 eap="LEAP", identity="user", password="password",
950 wait_connect=False)
951 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
952 if ev is None:
953 raise Exception("Timeout on EAP start")
954 time.sleep(0.1)
955 if i == 10:
956 logger.info("Wait for additional roundtrip")
957 time.sleep(1)
958 dev[0].request("REMOVE_NETWORK all")
959 finally:
960 stop_radius_server(srv)
8604a68e
JM		 961
962def test_eap_proto_md5(dev, apdev):
963 """EAP-MD5 protocol tests"""
e7ac04ce
JM		 964 check_eap_capa(dev[0], "MD5")
965
8604a68e
JM		 966 def md5_handler(ctx, req):
967 logger.info("md5_handler - RX " + req.encode("hex"))
968 if 'num' not in ctx:
969 ctx['num'] = 0
970 ctx['num'] = ctx['num'] + 1
971 if 'id' not in ctx:
972 ctx['id'] = 1
973 ctx['id'] = (ctx['id'] + 1) % 256
974
975 if ctx['num'] == 1:
976 logger.info("Test: Missing payload")
977 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
978 4 + 1,
979 EAP_TYPE_MD5)
980
981 if ctx['num'] == 2:
982 logger.info("Test: Zero-length challenge")
983 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
984 4 + 1 + 1,
985 EAP_TYPE_MD5,
986 0)
987
988 if ctx['num'] == 3:
989 logger.info("Test: Truncated challenge")
990 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
991 4 + 1 + 1,
992 EAP_TYPE_MD5,
993 1)
994
995 if ctx['num'] == 4:
996 logger.info("Test: Shortest possible challenge and name")
997 return struct.pack(">BBHBBBB", EAP_CODE_REQUEST, ctx['id'],
998 4 + 1 + 3,
999 EAP_TYPE_MD5,
1000 1, 0xaa, ord('n'))
1001
1002 return None
1003
1004 srv = start_radius_server(md5_handler)
8604a68e
JM		 1005
1006 try:
1007 hapd = start_ap(apdev[0]['ifname'])
1008
1009 for i in range(0, 4):
1010 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1011 eap="MD5", identity="user", password="password",
1012 wait_connect=False)
1013 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
1014 if ev is None:
1015 raise Exception("Timeout on EAP start")
1016 time.sleep(0.1)
1017 dev[0].request("REMOVE_NETWORK all")
1018 finally:
1019 stop_radius_server(srv)
d5c14b25 1020
d5482411
JM		 1021def test_eap_proto_md5_errors(dev, apdev):
1022 """EAP-MD5 local error cases"""
1023 check_eap_capa(dev[0], "MD5")
1024 params = hostapd.wpa2_eap_params(ssid="eap-test")
1025 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1026
1027 with fail_test(dev[0], 1, "chap_md5"):
1028 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1029 eap="MD5", identity="phase1-user", password="password",
1030 wait_connect=False)
1031 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1032 if ev is None:
1033 raise Exception("Timeout on EAP start")
1034 dev[0].request("REMOVE_NETWORK all")
1035 dev[0].wait_disconnected()
1036
1037 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_md5_process"):
1038 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1039 eap="MD5", identity="phase1-user", password="password",
1040 wait_connect=False)
1041 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
1042 if ev is None:
1043 raise Exception("Timeout on EAP start")
1044 time.sleep(0.1)
1045 dev[0].request("REMOVE_NETWORK all")
1046
d5c14b25
JM		 1047def test_eap_proto_otp(dev, apdev):
1048 """EAP-OTP protocol tests"""
1049 def otp_handler(ctx, req):
1050 logger.info("otp_handler - RX " + req.encode("hex"))
1051 if 'num' not in ctx:
1052 ctx['num'] = 0
1053 ctx['num'] = ctx['num'] + 1
1054 if 'id' not in ctx:
1055 ctx['id'] = 1
1056 ctx['id'] = (ctx['id'] + 1) % 256
1057
1058 if ctx['num'] == 1:
1059 logger.info("Test: Empty payload")
1060 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1061 4 + 1,
1062 EAP_TYPE_OTP)
1063 if ctx['num'] == 2:
1064 logger.info("Test: Success")
1065 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'],
1066 4)
1067
1068 if ctx['num'] == 3:
1069 logger.info("Test: Challenge included")
1070 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1071 4 + 1 + 1,
1072 EAP_TYPE_OTP,
1073 ord('A'))
1074 if ctx['num'] == 4:
1075 logger.info("Test: Success")
1076 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'],
1077 4)
1078
1079 return None
1080
1081 srv = start_radius_server(otp_handler)
d5c14b25
JM		 1082
1083 try:
1084 hapd = start_ap(apdev[0]['ifname'])
1085
1086 for i in range(0, 1):
1087 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1088 eap="OTP", identity="user", password="password",
1089 wait_connect=False)
1090 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1091 timeout=15)
1092 if ev is None:
1093 raise Exception("Timeout on EAP start")
1094 time.sleep(0.1)
1095 dev[0].request("REMOVE_NETWORK all")
1096
1097 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1098 eap="OTP", identity="user", wait_connect=False)
1099 ev = dev[0].wait_event(["CTRL-REQ-OTP"])
1100 if ev is None:
1101 raise Exception("Request for password timed out")
1102 id = ev.split(':')[0].split('-')[-1]
1103 dev[0].request("CTRL-RSP-OTP-" + id + ":password")
1104 ev = dev[0].wait_event("CTRL-EVENT-EAP-SUCCESS")
1105 if ev is None:
1106 raise Exception("Success not reported")
1107 finally:
1108 stop_radius_server(srv)
2e9f8ee7
JM		 1109
1110EAP_GPSK_OPCODE_GPSK_1 = 1
1111EAP_GPSK_OPCODE_GPSK_2 = 2
1112EAP_GPSK_OPCODE_GPSK_3 = 3
1113EAP_GPSK_OPCODE_GPSK_4 = 4
1114EAP_GPSK_OPCODE_FAIL = 5
1115EAP_GPSK_OPCODE_PROTECTED_FAIL = 6
1116
1117def test_eap_proto_gpsk(dev, apdev):
1118 """EAP-GPSK protocol tests"""
1119 def gpsk_handler(ctx, req):
1120 logger.info("gpsk_handler - RX " + req.encode("hex"))
1121 if 'num' not in ctx:
1122 ctx['num'] = 0
1123 ctx['num'] = ctx['num'] + 1
1124 if 'id' not in ctx:
1125 ctx['id'] = 1
1126 ctx['id'] = (ctx['id'] + 1) % 256
1127
1128 idx = 0
1129
1130 idx += 1
1131 if ctx['num'] == idx:
1132 logger.info("Test: Missing payload")
1133 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1134 4 + 1,
1135 EAP_TYPE_GPSK)
1136
1137 idx += 1
1138 if ctx['num'] == idx:
1139 logger.info("Test: Unknown opcode")
1140 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1141 4 + 1 + 1,
1142 EAP_TYPE_GPSK,
1143 255)
1144
1145 idx += 1
1146 if ctx['num'] == idx:
1147 logger.info("Test: Unexpected GPSK-3")
1148 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1149 4 + 1 + 1,
1150 EAP_TYPE_GPSK,
1151 EAP_GPSK_OPCODE_GPSK_3)
1152
1153 idx += 1
1154 if ctx['num'] == idx:
1155 logger.info("Test: GPSK-1 Too short GPSK-1")
1156 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1157 4 + 1 + 1,
1158 EAP_TYPE_GPSK,
1159 EAP_GPSK_OPCODE_GPSK_1)
1160
1161 idx += 1
1162 if ctx['num'] == idx:
1163 logger.info("Test: GPSK-1 Truncated ID_Server")
1164 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
1165 4 + 1 + 1 + 2,
1166 EAP_TYPE_GPSK,
1167 EAP_GPSK_OPCODE_GPSK_1, 1)
1168
1169 idx += 1
1170 if ctx['num'] == idx:
1171 logger.info("Test: GPSK-1 Missing RAND_Server")
1172 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
1173 4 + 1 + 1 + 2,
1174 EAP_TYPE_GPSK,
1175 EAP_GPSK_OPCODE_GPSK_1, 0)
1176
1177 idx += 1
1178 if ctx['num'] == idx:
1179 logger.info("Test: GPSK-1 Missing CSuite_List")
1180 return struct.pack(">BBHBBH8L", EAP_CODE_REQUEST, ctx['id'],
1181 4 + 1 + 1 + 2 + 32,
1182 EAP_TYPE_GPSK,
1183 EAP_GPSK_OPCODE_GPSK_1, 0,
1184 0, 0, 0, 0, 0, 0, 0, 0)
1185
1186 idx += 1
1187 if ctx['num'] == idx:
1188 logger.info("Test: GPSK-1 Truncated CSuite_List")
1189 return struct.pack(">BBHBBH8LH", EAP_CODE_REQUEST, ctx['id'],
1190 4 + 1 + 1 + 2 + 32 + 2,
1191 EAP_TYPE_GPSK,
1192 EAP_GPSK_OPCODE_GPSK_1, 0,
1193 0, 0, 0, 0, 0, 0, 0, 0,
1194 1)
1195
1196 idx += 1
1197 if ctx['num'] == idx:
1198 logger.info("Test: GPSK-1 Empty CSuite_List")
1199 return struct.pack(">BBHBBH8LH", EAP_CODE_REQUEST, ctx['id'],
1200 4 + 1 + 1 + 2 + 32 + 2,
1201 EAP_TYPE_GPSK,
1202 EAP_GPSK_OPCODE_GPSK_1, 0,
1203 0, 0, 0, 0, 0, 0, 0, 0,
1204 0)
1205
1206 idx += 1
1207 if ctx['num'] == idx:
1208 logger.info("Test: GPSK-1 Invalid CSuite_List")
1209 return struct.pack(">BBHBBH8LHB", EAP_CODE_REQUEST, ctx['id'],
1210 4 + 1 + 1 + 2 + 32 + 2 + 1,
1211 EAP_TYPE_GPSK,
1212 EAP_GPSK_OPCODE_GPSK_1, 0,
1213 0, 0, 0, 0, 0, 0, 0, 0,
1214 1, 0)
1215
1216 idx += 1
1217 if ctx['num'] == idx:
1218 logger.info("Test: GPSK-1 No supported CSuite")
1219 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1220 4 + 1 + 1 + 2 + 32 + 2 + 6,
1221 EAP_TYPE_GPSK,
1222 EAP_GPSK_OPCODE_GPSK_1, 0,
1223 0, 0, 0, 0, 0, 0, 0, 0,
1224 6, 0, 0)
1225
1226 idx += 1
1227 if ctx['num'] == idx:
1228 logger.info("Test: GPSK-1 Supported CSuite")
1229 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1230 4 + 1 + 1 + 2 + 32 + 2 + 6,
1231 EAP_TYPE_GPSK,
1232 EAP_GPSK_OPCODE_GPSK_1, 0,
1233 0, 0, 0, 0, 0, 0, 0, 0,
1234 6, 0, 1)
1235 idx += 1
1236 if ctx['num'] == idx:
1237 logger.info("Test: Unexpected GPSK-1")
1238 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1239 4 + 1 + 1 + 2 + 32 + 2 + 6,
1240 EAP_TYPE_GPSK,
1241 EAP_GPSK_OPCODE_GPSK_1, 0,
1242 0, 0, 0, 0, 0, 0, 0, 0,
1243 6, 0, 1)
1244
1245 idx += 1
1246 if ctx['num'] == idx:
1247 logger.info("Test: GPSK-1 Supported CSuite but too short key")
1248 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1249 4 + 1 + 1 + 2 + 32 + 2 + 6,
1250 EAP_TYPE_GPSK,
1251 EAP_GPSK_OPCODE_GPSK_1, 0,
1252 0, 0, 0, 0, 0, 0, 0, 0,
1253 6, 0, 1)
1254
1255 idx += 1
1256 if ctx['num'] == idx:
1257 logger.info("Test: GPSK-1 Supported CSuite")
1258 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1259 4 + 1 + 1 + 2 + 32 + 2 + 6,
1260 EAP_TYPE_GPSK,
1261 EAP_GPSK_OPCODE_GPSK_1, 0,
1262 0, 0, 0, 0, 0, 0, 0, 0,
1263 6, 0, 1)
1264 idx += 1
1265 if ctx['num'] == idx:
1266 logger.info("Test: Too short GPSK-3")
1267 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1268 4 + 1 + 1,
1269 EAP_TYPE_GPSK,
1270 EAP_GPSK_OPCODE_GPSK_3)
1271
1272 idx += 1
1273 if ctx['num'] == idx:
1274 logger.info("Test: GPSK-1 Supported CSuite")
1275 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1276 4 + 1 + 1 + 2 + 32 + 2 + 6,
1277 EAP_TYPE_GPSK,
1278 EAP_GPSK_OPCODE_GPSK_1, 0,
1279 0, 0, 0, 0, 0, 0, 0, 0,
1280 6, 0, 1)
1281 idx += 1
1282 if ctx['num'] == idx:
1283 logger.info("Test: GPSK-3 Mismatch in RAND_Peer")
1284 return struct.pack(">BBHBB8L", EAP_CODE_REQUEST, ctx['id'],
1285 4 + 1 + 1 + 32,
1286 EAP_TYPE_GPSK,
1287 EAP_GPSK_OPCODE_GPSK_3,
1288 0, 0, 0, 0, 0, 0, 0, 0)
1289
1290 idx += 1
1291 if ctx['num'] == idx:
1292 logger.info("Test: GPSK-1 Supported CSuite")
1293 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1294 4 + 1 + 1 + 2 + 32 + 2 + 6,
1295 EAP_TYPE_GPSK,
1296 EAP_GPSK_OPCODE_GPSK_1, 0,
1297 0, 0, 0, 0, 0, 0, 0, 0,
1298 6, 0, 1)
1299 idx += 1
1300 if ctx['num'] == idx:
1301 logger.info("Test: GPSK-3 Missing RAND_Server")
1302 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1303 4 + 1 + 1 + 32,
1304 EAP_TYPE_GPSK,
1305 EAP_GPSK_OPCODE_GPSK_3)
1306 msg += req[14:46]
1307 return msg
1308
1309 idx += 1
1310 if ctx['num'] == idx:
1311 logger.info("Test: GPSK-1 Supported CSuite")
1312 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1313 4 + 1 + 1 + 2 + 32 + 2 + 6,
1314 EAP_TYPE_GPSK,
1315 EAP_GPSK_OPCODE_GPSK_1, 0,
1316 0, 0, 0, 0, 0, 0, 0, 0,
1317 6, 0, 1)
1318 idx += 1
1319 if ctx['num'] == idx:
1320 logger.info("Test: GPSK-3 Mismatch in RAND_Server")
1321 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1322 4 + 1 + 1 + 32 + 32,
1323 EAP_TYPE_GPSK,
1324 EAP_GPSK_OPCODE_GPSK_3)
1325 msg += req[14:46]
1326 msg += struct.pack(">8L", 1, 1, 1, 1, 1, 1, 1, 1)
1327 return msg
1328
1329 idx += 1
1330 if ctx['num'] == idx:
1331 logger.info("Test: GPSK-1 Supported CSuite")
1332 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1333 4 + 1 + 1 + 2 + 32 + 2 + 6,
1334 EAP_TYPE_GPSK,
1335 EAP_GPSK_OPCODE_GPSK_1, 0,
1336 0, 0, 0, 0, 0, 0, 0, 0,
1337 6, 0, 1)
1338 idx += 1
1339 if ctx['num'] == idx:
1340 logger.info("Test: GPSK-3 Missing ID_Server")
1341 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1342 4 + 1 + 1 + 32 + 32,
1343 EAP_TYPE_GPSK,
1344 EAP_GPSK_OPCODE_GPSK_3)
1345 msg += req[14:46]
1346 msg += struct.pack(">8L", 0, 0, 0, 0, 0, 0, 0, 0)
1347 return msg
1348
1349 idx += 1
1350 if ctx['num'] == idx:
1351 logger.info("Test: GPSK-1 Supported CSuite")
1352 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1353 4 + 1 + 1 + 2 + 32 + 2 + 6,
1354 EAP_TYPE_GPSK,
1355 EAP_GPSK_OPCODE_GPSK_1, 0,
1356 0, 0, 0, 0, 0, 0, 0, 0,
1357 6, 0, 1)
1358 idx += 1
1359 if ctx['num'] == idx:
1360 logger.info("Test: GPSK-3 Truncated ID_Server")
1361 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1362 4 + 1 + 1 + 32 + 32 + 2,
1363 EAP_TYPE_GPSK,
1364 EAP_GPSK_OPCODE_GPSK_3)
1365 msg += req[14:46]
1366 msg += struct.pack(">8LH", 0, 0, 0, 0, 0, 0, 0, 0, 1)
1367 return msg
1368
1369 idx += 1
1370 if ctx['num'] == idx:
1371 logger.info("Test: GPSK-1 Supported CSuite")
1372 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1373 4 + 1 + 1 + 2 + 32 + 2 + 6,
1374 EAP_TYPE_GPSK,
1375 EAP_GPSK_OPCODE_GPSK_1, 0,
1376 0, 0, 0, 0, 0, 0, 0, 0,
1377 6, 0, 1)
1378 idx += 1
1379 if ctx['num'] == idx:
1380 logger.info("Test: GPSK-3 Mismatch in ID_Server")
1381 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1382 4 + 1 + 1 + 32 + 32 + 3,
1383 EAP_TYPE_GPSK,
1384 EAP_GPSK_OPCODE_GPSK_3)
1385 msg += req[14:46]
1386 msg += struct.pack(">8LHB", 0, 0, 0, 0, 0, 0, 0, 0, 1, ord('B'))
1387 return msg
1388
1389 idx += 1
1390 if ctx['num'] == idx:
1391 logger.info("Test: GPSK-1 Supported CSuite")
1392 return struct.pack(">BBHBBHB8LHLH", EAP_CODE_REQUEST, ctx['id'],
1393 4 + 1 + 1 + 3 + 32 + 2 + 6,
1394 EAP_TYPE_GPSK,
1395 EAP_GPSK_OPCODE_GPSK_1, 1, ord('A'),
1396 0, 0, 0, 0, 0, 0, 0, 0,
1397 6, 0, 1)
1398 idx += 1
1399 if ctx['num'] == idx:
1400 logger.info("Test: GPSK-3 Mismatch in ID_Server (same length)")
1401 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1402 4 + 1 + 1 + 32 + 32 + 3,
1403 EAP_TYPE_GPSK,
1404 EAP_GPSK_OPCODE_GPSK_3)
1405 msg += req[15:47]
1406 msg += struct.pack(">8LHB", 0, 0, 0, 0, 0, 0, 0, 0, 1, ord('B'))
1407 return msg
1408
1409 idx += 1
1410 if ctx['num'] == idx:
1411 logger.info("Test: GPSK-1 Supported CSuite")
1412 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1413 4 + 1 + 1 + 2 + 32 + 2 + 6,
1414 EAP_TYPE_GPSK,
1415 EAP_GPSK_OPCODE_GPSK_1, 0,
1416 0, 0, 0, 0, 0, 0, 0, 0,
1417 6, 0, 1)
1418 idx += 1
1419 if ctx['num'] == idx:
1420 logger.info("Test: GPSK-3 Missing CSuite_Sel")
1421 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1422 4 + 1 + 1 + 32 + 32 + 2,
1423 EAP_TYPE_GPSK,
1424 EAP_GPSK_OPCODE_GPSK_3)
1425 msg += req[14:46]
1426 msg += struct.pack(">8LH", 0, 0, 0, 0, 0, 0, 0, 0, 0)
1427 return msg
1428
1429 idx += 1
1430 if ctx['num'] == idx:
1431 logger.info("Test: GPSK-1 Supported CSuite")
1432 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1433 4 + 1 + 1 + 2 + 32 + 2 + 6,
1434 EAP_TYPE_GPSK,
1435 EAP_GPSK_OPCODE_GPSK_1, 0,
1436 0, 0, 0, 0, 0, 0, 0, 0,
1437 6, 0, 1)
1438 idx += 1
1439 if ctx['num'] == idx:
1440 logger.info("Test: GPSK-3 Mismatch in CSuite_Sel")
1441 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1442 4 + 1 + 1 + 32 + 32 + 2 + 6,
1443 EAP_TYPE_GPSK,
1444 EAP_GPSK_OPCODE_GPSK_3)
1445 msg += req[14:46]
1446 msg += struct.pack(">8LHLH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2)
1447 return msg
1448
1449 idx += 1
1450 if ctx['num'] == idx:
1451 logger.info("Test: GPSK-1 Supported CSuite")
1452 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1453 4 + 1 + 1 + 2 + 32 + 2 + 6,
1454 EAP_TYPE_GPSK,
1455 EAP_GPSK_OPCODE_GPSK_1, 0,
1456 0, 0, 0, 0, 0, 0, 0, 0,
1457 6, 0, 1)
1458 idx += 1
1459 if ctx['num'] == idx:
1460 logger.info("Test: GPSK-3 Missing len(PD_Payload_Block)")
1461 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1462 4 + 1 + 1 + 32 + 32 + 2 + 6,
1463 EAP_TYPE_GPSK,
1464 EAP_GPSK_OPCODE_GPSK_3)
1465 msg += req[14:46]
1466 msg += struct.pack(">8LHLH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1)
1467 return msg
1468
1469 idx += 1
1470 if ctx['num'] == idx:
1471 logger.info("Test: GPSK-1 Supported CSuite")
1472 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1473 4 + 1 + 1 + 2 + 32 + 2 + 6,
1474 EAP_TYPE_GPSK,
1475 EAP_GPSK_OPCODE_GPSK_1, 0,
1476 0, 0, 0, 0, 0, 0, 0, 0,
1477 6, 0, 1)
1478 idx += 1
1479 if ctx['num'] == idx:
1480 logger.info("Test: GPSK-3 Truncated PD_Payload_Block")
1481 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1482 4 + 1 + 1 + 32 + 32 + 2 + 6 + 2,
1483 EAP_TYPE_GPSK,
1484 EAP_GPSK_OPCODE_GPSK_3)
1485 msg += req[14:46]
1486 msg += struct.pack(">8LHLHH", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1)
1487 return msg
1488
1489 idx += 1
1490 if ctx['num'] == idx:
1491 logger.info("Test: GPSK-1 Supported CSuite")
1492 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1493 4 + 1 + 1 + 2 + 32 + 2 + 6,
1494 EAP_TYPE_GPSK,
1495 EAP_GPSK_OPCODE_GPSK_1, 0,
1496 0, 0, 0, 0, 0, 0, 0, 0,
1497 6, 0, 1)
1498 idx += 1
1499 if ctx['num'] == idx:
1500 logger.info("Test: GPSK-3 Missing MAC")
1501 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1502 4 + 1 + 1 + 32 + 32 + 2 + 6 + 3,
1503 EAP_TYPE_GPSK,
1504 EAP_GPSK_OPCODE_GPSK_3)
1505 msg += req[14:46]
1506 msg += struct.pack(">8LHLHHB",
1507 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 123)
1508 return msg
1509
1510 idx += 1
1511 if ctx['num'] == idx:
1512 logger.info("Test: GPSK-1 Supported CSuite")
1513 return struct.pack(">BBHBBH8LHLH", EAP_CODE_REQUEST, ctx['id'],
1514 4 + 1 + 1 + 2 + 32 + 2 + 6,
1515 EAP_TYPE_GPSK,
1516 EAP_GPSK_OPCODE_GPSK_1, 0,
1517 0, 0, 0, 0, 0, 0, 0, 0,
1518 6, 0, 1)
1519 idx += 1
1520 if ctx['num'] == idx:
1521 logger.info("Test: GPSK-3 Incorrect MAC")
1522 msg = struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1523 4 + 1 + 1 + 32 + 32 + 2 + 6 + 3 + 16,
1524 EAP_TYPE_GPSK,
1525 EAP_GPSK_OPCODE_GPSK_3)
1526 msg += req[14:46]
1527 msg += struct.pack(">8LHLHHB4L",
1528 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 123,
1529 0, 0, 0, 0)
1530 return msg
1531
1532 return None
1533
1534 srv = start_radius_server(gpsk_handler)
2e9f8ee7
JM		 1535
1536 try:
1537 hapd = start_ap(apdev[0]['ifname'])
1538
1539 for i in range(0, 27):
1540 if i == 12:
1541 pw = "short"
1542 else:
1543 pw = "abcdefghijklmnop0123456789abcdef"
1544 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1545 eap="GPSK", identity="user", password=pw,
1546 wait_connect=False)
1547 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1548 timeout=15)
1549 if ev is None:
1550 raise Exception("Timeout on EAP start")
1551 time.sleep(0.05)
1552 dev[0].request("REMOVE_NETWORK all")
1553 finally:
1554 stop_radius_server(srv)
30d62b7a
JM		 1555
1556EAP_EKE_ID = 1
1557EAP_EKE_COMMIT = 2
1558EAP_EKE_CONFIRM = 3
1559EAP_EKE_FAILURE = 4
1560
1561def test_eap_proto_eke(dev, apdev):
1562 """EAP-EKE protocol tests"""
1563 def eke_handler(ctx, req):
1564 logger.info("eke_handler - RX " + req.encode("hex"))
1565 if 'num' not in ctx:
1566 ctx['num'] = 0
1567 ctx['num'] = ctx['num'] + 1
1568 if 'id' not in ctx:
1569 ctx['id'] = 1
1570 ctx['id'] = (ctx['id'] + 1) % 256
1571
1572 idx = 0
1573
1574 idx += 1
1575 if ctx['num'] == idx:
1576 logger.info("Test: Missing payload")
1577 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
1578 4 + 1,
1579 EAP_TYPE_EKE)
1580
1581 idx += 1
1582 if ctx['num'] == idx:
1583 logger.info("Test: Unknown exchange")
1584 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1585 4 + 1 + 1,
1586 EAP_TYPE_EKE,
1587 255)
1588
1589 idx += 1
1590 if ctx['num'] == idx:
1591 logger.info("Test: No NumProposals in EAP-EKE-ID/Request")
1592 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
1593 4 + 1 + 1,
1594 EAP_TYPE_EKE,
1595 EAP_EKE_ID)
1596 idx += 1
1597 if ctx['num'] == idx:
1598 logger.info("Test: EAP-Failure")
1599 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1600
1601 idx += 1
1602 if ctx['num'] == idx:
1603 logger.info("Test: NumProposals=0 in EAP-EKE-ID/Request")
1604 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
1605 4 + 1 + 1 + 1,
1606 EAP_TYPE_EKE,
1607 EAP_EKE_ID,
1608 0)
1609 idx += 1
1610 if ctx['num'] == idx:
1611 logger.info("Test: EAP-Failure")
1612 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1613
1614 idx += 1
1615 if ctx['num'] == idx:
1616 logger.info("Test: Truncated Proposals list in EAP-EKE-ID/Request")
1617 return struct.pack(">BBHBBBB4B", EAP_CODE_REQUEST, ctx['id'],
1618 4 + 1 + 1 + 2 + 4,
1619 EAP_TYPE_EKE,
1620 EAP_EKE_ID,
1621 2, 0, 0, 0, 0, 0)
1622 idx += 1
1623 if ctx['num'] == idx:
1624 logger.info("Test: EAP-Failure")
1625 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1626
1627 idx += 1
1628 if ctx['num'] == idx:
1629 logger.info("Test: Unsupported proposals in EAP-EKE-ID/Request")
1630 return struct.pack(">BBHBBBB4B4B4B4B", EAP_CODE_REQUEST, ctx['id'],
1631 4 + 1 + 1 + 2 + 4 * 4,
1632 EAP_TYPE_EKE,
1633 EAP_EKE_ID,
1634 4, 0,
1635 0, 0, 0, 0,
1636 3, 0, 0, 0,
1637 3, 1, 0, 0,
1638 3, 1, 1, 0)
1639 idx += 1
1640 if ctx['num'] == idx:
1641 logger.info("Test: EAP-Failure")
1642 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1643
1644 idx += 1
1645 if ctx['num'] == idx:
1646 logger.info("Test: Missing IDType/Identity in EAP-EKE-ID/Request")
1647 return struct.pack(">BBHBBBB4B4B4B4B4B",
1648 EAP_CODE_REQUEST, ctx['id'],
1649 4 + 1 + 1 + 2 + 5 * 4,
1650 EAP_TYPE_EKE,
1651 EAP_EKE_ID,
1652 5, 0,
1653 0, 0, 0, 0,
1654 3, 0, 0, 0,
1655 3, 1, 0, 0,
1656 3, 1, 1, 0,
1657 3, 1, 1, 1)
1658 idx += 1
1659 if ctx['num'] == idx:
1660 logger.info("Test: EAP-Failure")
1661 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1662
1663 idx += 1
1664 if ctx['num'] == idx:
1665 logger.info("Test: Valid EAP-EKE-ID/Request")
1666 return struct.pack(">BBHBBBB4BB",
1667 EAP_CODE_REQUEST, ctx['id'],
1668 4 + 1 + 1 + 2 + 4 + 1,
1669 EAP_TYPE_EKE,
1670 EAP_EKE_ID,
1671 1, 0,
1672 3, 1, 1, 1,
1673 255)
1674 idx += 1
1675 if ctx['num'] == idx:
1676 logger.info("Test: Unexpected EAP-EKE-ID/Request")
1677 return struct.pack(">BBHBBBB4BB",
1678 EAP_CODE_REQUEST, ctx['id'],
1679 4 + 1 + 1 + 2 + 4 + 1,
1680 EAP_TYPE_EKE,
1681 EAP_EKE_ID,
1682 1, 0,
1683 3, 1, 1, 1,
1684 255)
1685 idx += 1
1686 if ctx['num'] == idx:
1687 logger.info("Test: EAP-Failure")
1688 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1689
1690 idx += 1
1691 if ctx['num'] == idx:
1692 logger.info("Test: Valid EAP-EKE-ID/Request")
1693 return struct.pack(">BBHBBBB4BB",
1694 EAP_CODE_REQUEST, ctx['id'],
1695 4 + 1 + 1 + 2 + 4 + 1,
1696 EAP_TYPE_EKE,
1697 EAP_EKE_ID,
1698 1, 0,
1699 3, 1, 1, 1,
1700 255)
1701 idx += 1
1702 if ctx['num'] == idx:
1703 logger.info("Test: Unexpected EAP-EKE-Confirm/Request")
1704 return struct.pack(">BBHBB",
1705 EAP_CODE_REQUEST, ctx['id'],
1706 4 + 1 + 1,
1707 EAP_TYPE_EKE,
1708 EAP_EKE_CONFIRM)
1709 idx += 1
1710 if ctx['num'] == idx:
1711 logger.info("Test: EAP-Failure")
1712 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1713
1714 idx += 1
1715 if ctx['num'] == idx:
1716 logger.info("Test: Too short EAP-EKE-Failure/Request")
1717 return struct.pack(">BBHBB",
1718 EAP_CODE_REQUEST, ctx['id'],
1719 4 + 1 + 1,
1720 EAP_TYPE_EKE,
1721 EAP_EKE_FAILURE)
1722 idx += 1
1723 if ctx['num'] == idx:
1724 logger.info("Test: EAP-Failure")
1725 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1726
1727 idx += 1
1728 if ctx['num'] == idx:
1729 logger.info("Test: Unexpected EAP-EKE-Commit/Request")
1730 return struct.pack(">BBHBB",
1731 EAP_CODE_REQUEST, ctx['id'],
1732 4 + 1 + 1,
1733 EAP_TYPE_EKE,
1734 EAP_EKE_COMMIT)
1735 idx += 1
1736 if ctx['num'] == idx:
1737 logger.info("Test: EAP-Failure")
1738 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1739
1740 idx += 1
1741 if ctx['num'] == idx:
1742 logger.info("Test: Valid EAP-EKE-ID/Request")
1743 return struct.pack(">BBHBBBB4BB",
1744 EAP_CODE_REQUEST, ctx['id'],
1745 4 + 1 + 1 + 2 + 4 + 1,
1746 EAP_TYPE_EKE,
1747 EAP_EKE_ID,
1748 1, 0,
1749 3, 1, 1, 1,
1750 255)
1751 idx += 1
1752 if ctx['num'] == idx:
1753 logger.info("Test: Too short EAP-EKE-Commit/Request")
1754 return struct.pack(">BBHBB",
1755 EAP_CODE_REQUEST, ctx['id'],
1756 4 + 1 + 1,
1757 EAP_TYPE_EKE,
1758 EAP_EKE_COMMIT)
1759 idx += 1
1760 if ctx['num'] == idx:
1761 logger.info("Test: EAP-Failure")
1762 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1763
1764 idx += 1
1765 if ctx['num'] == idx:
1766 logger.info("Test: Valid EAP-EKE-ID/Request")
1767 return struct.pack(">BBHBBBB4BB",
1768 EAP_CODE_REQUEST, ctx['id'],
1769 4 + 1 + 1 + 2 + 4 + 1,
1770 EAP_TYPE_EKE,
1771 EAP_EKE_ID,
1772 1, 0,
1773 1, 1, 1, 1,
1774 255)
1775 idx += 1
1776 if ctx['num'] == idx:
1777 logger.info("Test: All zeroes DHComponent_S and empty CBvalue in EAP-EKE-Commit/Request")
1778 return struct.pack(">BBHBB4L32L",
1779 EAP_CODE_REQUEST, ctx['id'],
1780 4 + 1 + 1 + 16 + 128,
1781 EAP_TYPE_EKE,
1782 EAP_EKE_COMMIT,
1783 0, 0, 0, 0,
1784 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1785 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
1786 idx += 1
1787 if ctx['num'] == idx:
1788 logger.info("Test: Too short EAP-EKE-Confirm/Request")
1789 return struct.pack(">BBHBB",
1790 EAP_CODE_REQUEST, ctx['id'],
1791 4 + 1 + 1,
1792 EAP_TYPE_EKE,
1793 EAP_EKE_CONFIRM)
1794 idx += 1
1795 if ctx['num'] == idx:
1796 logger.info("Test: EAP-Failure")
1797 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1798
1799 idx += 1
1800 if ctx['num'] == idx:
1801 logger.info("Test: Valid EAP-EKE-ID/Request")
1802 return struct.pack(">BBHBBBB4BB",
1803 EAP_CODE_REQUEST, ctx['id'],
1804 4 + 1 + 1 + 2 + 4 + 1,
1805 EAP_TYPE_EKE,
1806 EAP_EKE_ID,
1807 1, 0,
1808 1, 1, 1, 1,
1809 255)
1810 idx += 1
1811 if ctx['num'] == idx:
1812 logger.info("Test: All zeroes DHComponent_S and empty CBvalue in EAP-EKE-Commit/Request")
1813 return struct.pack(">BBHBB4L32L",
1814 EAP_CODE_REQUEST, ctx['id'],
1815 4 + 1 + 1 + 16 + 128,
1816 EAP_TYPE_EKE,
1817 EAP_EKE_COMMIT,
1818 0, 0, 0, 0,
1819 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
1820 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
1821 idx += 1
1822 if ctx['num'] == idx:
1823 logger.info("Test: Invalid PNonce_PS and Auth_S values in EAP-EKE-Confirm/Request")
1824 return struct.pack(">BBHBB4L8L5L5L",
1825 EAP_CODE_REQUEST, ctx['id'],
1826 4 + 1 + 1 + 16 + 2 * 16 + 20 + 20,
1827 EAP_TYPE_EKE,
1828 EAP_EKE_CONFIRM,
1829 0, 0, 0, 0,
1830 0, 0, 0, 0, 0, 0, 0, 0,
1831 0, 0, 0, 0, 0,
1832 0, 0, 0, 0, 0)
1833 idx += 1
1834 if ctx['num'] == idx:
1835 logger.info("Test: EAP-Failure")
1836 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
1837
1838 return None
1839
1840 srv = start_radius_server(eke_handler)
30d62b7a
JM		 1841
1842 try:
1843 hapd = start_ap(apdev[0]['ifname'])
1844
1845 for i in range(0, 14):
1846 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1847 eap="EKE", identity="user", password="password",
1848 wait_connect=False)
1849 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
1850 timeout=15)
1851 if ev is None:
1852 raise Exception("Timeout on EAP start")
1853 if i in [ 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13 ]:
1854 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
1855 timeout=10)
1856 if ev is None:
1857 raise Exception("Timeout on EAP failure")
1858 else:
1859 time.sleep(0.05)
1860 dev[0].request("REMOVE_NETWORK all")
1861 dev[0].dump_monitor()
1862 finally:
1863 stop_radius_server(srv)
09544316 1864
850e054c
JM		 1865def eap_eke_test_fail(dev, phase1=None, success=False):
1866 dev.connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1867 eap="EKE", identity="eke user", password="hello",
1868 phase1=phase1, erp="1", wait_connect=False)
1869 ev = dev.wait_event([ "CTRL-EVENT-EAP-FAILURE",
1870 "CTRL-EVENT-EAP-SUCCESS" ], timeout=5)
1871 if ev is None:
1872 raise Exception("Timeout on EAP failure")
1873 if not success and "CTRL-EVENT-EAP-FAILURE" not in ev:
1874 raise Exception("EAP did not fail during failure test")
1875 dev.request("REMOVE_NETWORK all")
1876 dev.wait_disconnected()
1877
1878def test_eap_proto_eke_errors(dev, apdev):
1879 """EAP-EKE local error cases"""
1880 check_eap_capa(dev[0], "EKE")
1881 params = hostapd.wpa2_eap_params(ssid="eap-test")
1882 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
1883
1884 for i in range(1, 3):
1885 with alloc_fail(dev[0], i, "eap_eke_init"):
1886 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
1887 eap="EKE", identity="eke user", password="hello",
1888 wait_connect=False)
1889 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
1890 timeout=15)
1891 if ev is None:
1892 raise Exception("Timeout on EAP start")
1893 dev[0].request("REMOVE_NETWORK all")
1894 dev[0].wait_disconnected()
1895
1896 tests = [ (1, "eap_eke_dh_init", None),
1897 (1, "eap_eke_prf_hmac_sha1", "dhgroup=3 encr=1 prf=1 mac=1"),
1898 (1, "eap_eke_prf_hmac_sha256", "dhgroup=5 encr=1 prf=2 mac=2"),
1899 (1, "eap_eke_prf", None),
1900 (1, "os_get_random;eap_eke_dhcomp", None),
1901 (1, "aes_128_cbc_encrypt;eap_eke_dhcomp", None),
1902 (1, "aes_128_cbc_decrypt;eap_eke_shared_secret", None),
1903 (1, "eap_eke_prf;eap_eke_shared_secret", None),
1904 (1, "eap_eke_prfplus;eap_eke_derive_ke_ki", None),
1905 (1, "eap_eke_prfplus;eap_eke_derive_ka", None),
1906 (1, "eap_eke_prfplus;eap_eke_derive_msk", None),
1907 (1, "os_get_random;eap_eke_prot", None),
1908 (1, "aes_128_cbc_decrypt;eap_eke_decrypt_prot", None),
1909 (1, "eap_eke_derive_key;eap_eke_process_commit", None),
1910 (1, "eap_eke_dh_init;eap_eke_process_commit", None),
1911 (1, "eap_eke_shared_secret;eap_eke_process_commit", None),
1912 (1, "eap_eke_derive_ke_ki;eap_eke_process_commit", None),
1913 (1, "eap_eke_dhcomp;eap_eke_process_commit", None),
1914 (1, "os_get_random;eap_eke_process_commit", None),
1915 (1, "os_get_random;=eap_eke_process_commit", None),
1916 (1, "eap_eke_prot;eap_eke_process_commit", None),
1917 (1, "eap_eke_decrypt_prot;eap_eke_process_confirm", None),
1918 (1, "eap_eke_derive_ka;eap_eke_process_confirm", None),
1919 (1, "eap_eke_auth;eap_eke_process_confirm", None),
1920 (2, "eap_eke_auth;eap_eke_process_confirm", None),
1921 (1, "eap_eke_prot;eap_eke_process_confirm", None),
1922 (1, "eap_eke_derive_msk;eap_eke_process_confirm", None) ]
1923 for count, func, phase1 in tests:
1924 with fail_test(dev[0], count, func):
1925 eap_eke_test_fail(dev[0], phase1)
1926
1927 tests = [ (1, "=eap_eke_derive_ke_ki", None),
1928 (1, "=eap_eke_derive_ka", None),
1929 (1, "=eap_eke_derive_msk", None),
1930 (1, "eap_eke_build_msg;eap_eke_process_id", None),
1931 (1, "wpabuf_alloc;eap_eke_process_id", None),
1932 (1, "=eap_eke_process_id", None),
1933 (1, "wpabuf_alloc;eap_eke_process_id", None),
1934 (1, "eap_eke_build_msg;eap_eke_process_commit", None),
1935 (1, "wpabuf_resize;eap_eke_process_commit", None),
1936 (1, "eap_eke_build_msg;eap_eke_process_confirm", None) ]
1937 for count, func, phase1 in tests:
1938 with alloc_fail(dev[0], count, func):
1939 eap_eke_test_fail(dev[0], phase1)
1940
1941 tests = [ (1, "eap_eke_getKey", None),
1942 (1, "eap_eke_get_emsk", None),
1943 (1, "eap_eke_get_session_id", None) ]
1944 for count, func, phase1 in tests:
1945 with alloc_fail(dev[0], count, func):
1946 eap_eke_test_fail(dev[0], phase1, success=True)
1947
09544316
JM		 1948EAP_PAX_OP_STD_1 = 0x01
1949EAP_PAX_OP_STD_2 = 0x02
1950EAP_PAX_OP_STD_3 = 0x03
1951EAP_PAX_OP_SEC_1 = 0x11
1952EAP_PAX_OP_SEC_2 = 0x12
1953EAP_PAX_OP_SEC_3 = 0x13
1954EAP_PAX_OP_SEC_4 = 0x14
1955EAP_PAX_OP_SEC_5 = 0x15
1956EAP_PAX_OP_ACK = 0x21
1957
1958EAP_PAX_FLAGS_MF = 0x01
1959EAP_PAX_FLAGS_CE = 0x02
1960EAP_PAX_FLAGS_AI = 0x04
1961
1962EAP_PAX_MAC_HMAC_SHA1_128 = 0x01
1963EAP_PAX_HMAC_SHA256_128 = 0x02
1964
1965EAP_PAX_DH_GROUP_NONE = 0x00
1966EAP_PAX_DH_GROUP_2048_MODP = 0x01
1967EAP_PAX_DH_GROUP_3072_MODP = 0x02
1968EAP_PAX_DH_GROUP_NIST_ECC_P_256 = 0x03
1969
1970EAP_PAX_PUBLIC_KEY_NONE = 0x00
1971EAP_PAX_PUBLIC_KEY_RSAES_OAEP = 0x01
1972EAP_PAX_PUBLIC_KEY_RSA_PKCS1_V1_5 = 0x02
1973EAP_PAX_PUBLIC_KEY_EL_GAMAL_NIST_ECC = 0x03
1974
1975EAP_PAX_ADE_VENDOR_SPECIFIC = 0x01
1976EAP_PAX_ADE_CLIENT_CHANNEL_BINDING = 0x02
1977EAP_PAX_ADE_SERVER_CHANNEL_BINDING = 0x03
1978
1979def test_eap_proto_pax(dev, apdev):
1980 """EAP-PAX protocol tests"""
1981 def pax_std_1(ctx):
1982 logger.info("Test: STD-1")
1983 ctx['id'] = 10
1984 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
1985 4 + 1 + 5 + 2 + 32 + 16,
1986 EAP_TYPE_PAX,
1987 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
1988 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
1989 32, 0, 0, 0, 0, 0, 0, 0, 0,
1990 0x16, 0xc9, 0x08, 0x9d, 0x98, 0xa5, 0x6e, 0x1f,
1991 0xf0, 0xac, 0xcf, 0xc4, 0x66, 0xcd, 0x2d, 0xbf)
1992
1993 def pax_handler(ctx, req):
1994 logger.info("pax_handler - RX " + req.encode("hex"))
1995 if 'num' not in ctx:
1996 ctx['num'] = 0
1997 ctx['num'] = ctx['num'] + 1
1998 if 'id' not in ctx:
1999 ctx['id'] = 1
2000 ctx['id'] = (ctx['id'] + 1) % 256
2001
2002 idx = 0
2003
2004 idx += 1
2005 if ctx['num'] == idx:
2006 logger.info("Test: Missing payload")
2007 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2008 4 + 1,
2009 EAP_TYPE_PAX)
2010
2011 idx += 1
2012 if ctx['num'] == idx:
2013 logger.info("Test: Minimum length payload")
2014 return struct.pack(">BBHB4L", EAP_CODE_REQUEST, ctx['id'],
2015 4 + 1 + 16,
2016 EAP_TYPE_PAX,
2017 0, 0, 0, 0)
2018
2019 idx += 1
2020 if ctx['num'] == idx:
2021 logger.info("Test: Unsupported MAC ID")
2022 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2023 4 + 1 + 5 + 16,
2024 EAP_TYPE_PAX,
2025 EAP_PAX_OP_STD_1, 0, 255, EAP_PAX_DH_GROUP_NONE,
2026 EAP_PAX_PUBLIC_KEY_NONE,
2027 0, 0, 0, 0)
2028
2029 idx += 1
2030 if ctx['num'] == idx:
2031 logger.info("Test: Unsupported DH Group ID")
2032 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2033 4 + 1 + 5 + 16,
2034 EAP_TYPE_PAX,
2035 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2036 255, EAP_PAX_PUBLIC_KEY_NONE,
2037 0, 0, 0, 0)
2038
2039 idx += 1
2040 if ctx['num'] == idx:
2041 logger.info("Test: Unsupported Public Key ID")
2042 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2043 4 + 1 + 5 + 16,
2044 EAP_TYPE_PAX,
2045 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2046 EAP_PAX_DH_GROUP_NONE, 255,
2047 0, 0, 0, 0)
2048
2049 idx += 1
2050 if ctx['num'] == idx:
2051 logger.info("Test: More fragments")
2052 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2053 4 + 1 + 5 + 16,
2054 EAP_TYPE_PAX,
2055 EAP_PAX_OP_STD_1, EAP_PAX_FLAGS_MF,
2056 EAP_PAX_MAC_HMAC_SHA1_128,
2057 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2058 0, 0, 0, 0)
2059
2060 idx += 1
2061 if ctx['num'] == idx:
2062 logger.info("Test: Invalid ICV")
2063 return struct.pack(">BBHBBBBBB4L", EAP_CODE_REQUEST, ctx['id'],
2064 4 + 1 + 5 + 16,
2065 EAP_TYPE_PAX,
2066 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2067 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2068 0, 0, 0, 0)
2069
2070 idx += 1
2071 if ctx['num'] == idx:
2072 logger.info("Test: Invalid ICV in short frame")
2073 return struct.pack(">BBHBBBBBB3L", EAP_CODE_REQUEST, ctx['id'],
2074 4 + 1 + 5 + 12,
2075 EAP_TYPE_PAX,
2076 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2077 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2078 0, 0, 0)
2079
2080 idx += 1
2081 if ctx['num'] == idx:
2082 logger.info("Test: Correct ICV - unsupported op_code")
2083 ctx['id'] = 10
2084 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2085 4 + 1 + 5 + 16,
2086 EAP_TYPE_PAX,
2087 255, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2088 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2089 0x90, 0x78, 0x97, 0x38, 0x29, 0x94, 0x32, 0xd4,
2090 0x81, 0x27, 0xe0, 0xf6, 0x3b, 0x0d, 0xb2, 0xb2)
2091
2092 idx += 1
2093 if ctx['num'] == idx:
2094 logger.info("Test: Correct ICV - CE flag in STD-1")
2095 ctx['id'] = 10
2096 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2097 4 + 1 + 5 + 16,
2098 EAP_TYPE_PAX,
2099 EAP_PAX_OP_STD_1, EAP_PAX_FLAGS_CE,
2100 EAP_PAX_MAC_HMAC_SHA1_128,
2101 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2102 0x9c, 0x98, 0xb4, 0x0b, 0x94, 0x90, 0xde, 0x88,
2103 0xb7, 0x72, 0x63, 0x44, 0x1d, 0xe3, 0x7c, 0x5c)
2104
2105 idx += 1
2106 if ctx['num'] == idx:
2107 logger.info("Test: Correct ICV - too short STD-1 payload")
2108 ctx['id'] = 10
2109 return struct.pack(">BBHBBBBBB16B", EAP_CODE_REQUEST, ctx['id'],
2110 4 + 1 + 5 + 16,
2111 EAP_TYPE_PAX,
2112 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2113 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2114 0xda, 0xab, 0x2c, 0xe7, 0x84, 0x41, 0xb5, 0x5c,
2115 0xee, 0xcf, 0x62, 0x03, 0xc5, 0x69, 0xcb, 0xf4)
2116
2117 idx += 1
2118 if ctx['num'] == idx:
2119 logger.info("Test: Correct ICV - incorrect A length in STD-1")
2120 ctx['id'] = 10
2121 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2122 4 + 1 + 5 + 2 + 32 + 16,
2123 EAP_TYPE_PAX,
2124 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2125 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2126 0, 0, 0, 0, 0, 0, 0, 0, 0,
2127 0xc4, 0xb0, 0x81, 0xe4, 0x6c, 0x8c, 0x20, 0x23,
2128 0x60, 0x46, 0x89, 0xea, 0x94, 0x60, 0xf3, 0x2a)
2129
2130 idx += 1
2131 if ctx['num'] == idx:
2132 logger.info("Test: Correct ICV - extra data in STD-1")
2133 ctx['id'] = 10
2134 return struct.pack(">BBHBBBBBBH8LB16B", EAP_CODE_REQUEST, ctx['id'],
2135 4 + 1 + 5 + 2 + 32 + 1 + 16,
2136 EAP_TYPE_PAX,
2137 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2138 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2139 32, 0, 0, 0, 0, 0, 0, 0, 0,
2140 1,
2141 0x61, 0x49, 0x65, 0x37, 0x21, 0xe8, 0xd8, 0xbf,
2142 0xf3, 0x02, 0x01, 0xe5, 0x42, 0x51, 0xd3, 0x34)
2143 idx += 1
2144 if ctx['num'] == idx:
2145 logger.info("Test: Unexpected STD-1")
2146 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2147 4 + 1 + 5 + 2 + 32 + 16,
2148 EAP_TYPE_PAX,
2149 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2150 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2151 32, 0, 0, 0, 0, 0, 0, 0, 0,
2152 0xe5, 0x1d, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2153 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2154
2155 idx += 1
2156 if ctx['num'] == idx:
2157 return pax_std_1(ctx)
2158 idx += 1
2159 if ctx['num'] == idx:
2160 logger.info("Test: MAC ID changed during session")
2161 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2162 4 + 1 + 5 + 2 + 32 + 16,
2163 EAP_TYPE_PAX,
2164 EAP_PAX_OP_STD_1, 0, EAP_PAX_HMAC_SHA256_128,
2165 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2166 32, 0, 0, 0, 0, 0, 0, 0, 0,
2167 0xee, 0x00, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2168 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2169
2170 idx += 1
2171 if ctx['num'] == idx:
2172 return pax_std_1(ctx)
2173 idx += 1
2174 if ctx['num'] == idx:
2175 logger.info("Test: DH Group ID changed during session")
2176 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2177 4 + 1 + 5 + 2 + 32 + 16,
2178 EAP_TYPE_PAX,
2179 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2180 EAP_PAX_DH_GROUP_2048_MODP,
2181 EAP_PAX_PUBLIC_KEY_NONE,
2182 32, 0, 0, 0, 0, 0, 0, 0, 0,
2183 0xee, 0x01, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2184 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2185
2186 idx += 1
2187 if ctx['num'] == idx:
2188 return pax_std_1(ctx)
2189 idx += 1
2190 if ctx['num'] == idx:
2191 logger.info("Test: Public Key ID changed during session")
2192 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2193 4 + 1 + 5 + 2 + 32 + 16,
2194 EAP_TYPE_PAX,
2195 EAP_PAX_OP_STD_1, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2196 EAP_PAX_DH_GROUP_NONE,
2197 EAP_PAX_PUBLIC_KEY_RSAES_OAEP,
2198 32, 0, 0, 0, 0, 0, 0, 0, 0,
2199 0xee, 0x02, 0xbf, 0xb8, 0x70, 0x20, 0x5c, 0xba,
2200 0x41, 0xbb, 0x34, 0xda, 0x1a, 0x08, 0xe6, 0x8d)
2201
2202 idx += 1
2203 if ctx['num'] == idx:
2204 logger.info("Test: Unexpected STD-3")
2205 ctx['id'] = 10
2206 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2207 4 + 1 + 5 + 2 + 32 + 16,
2208 EAP_TYPE_PAX,
2209 EAP_PAX_OP_STD_3, 0, EAP_PAX_MAC_HMAC_SHA1_128,
2210 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2211 32, 0, 0, 0, 0, 0, 0, 0, 0,
2212 0x47, 0xbb, 0xc0, 0xf9, 0xb9, 0x69, 0xf5, 0xcb,
2213 0x3a, 0xe8, 0xe7, 0xd6, 0x80, 0x28, 0xf2, 0x59)
2214
2215 idx += 1
2216 if ctx['num'] == idx:
2217 return pax_std_1(ctx)
2218 idx += 1
2219 if ctx['num'] == idx:
2220 # TODO: MAC calculation; for now, this gets dropped due to incorrect
2221 # ICV
2222 logger.info("Test: STD-3 with CE flag")
2223 return struct.pack(">BBHBBBBBBH8L16B", EAP_CODE_REQUEST, ctx['id'],
2224 4 + 1 + 5 + 2 + 32 + 16,
2225 EAP_TYPE_PAX,
2226 EAP_PAX_OP_STD_3, EAP_PAX_FLAGS_CE,
2227 EAP_PAX_MAC_HMAC_SHA1_128,
2228 EAP_PAX_DH_GROUP_NONE, EAP_PAX_PUBLIC_KEY_NONE,
2229 32, 0, 0, 0, 0, 0, 0, 0, 0,
2230 0x8a, 0xc2, 0xf9, 0xf4, 0x8b, 0x75, 0x72, 0xa2,
2231 0x4d, 0xd3, 0x1e, 0x54, 0x77, 0x04, 0x05, 0xe2)
2232
2233 idx += 1
2234 if ctx['num'] & 0x1 == idx & 0x1:
2235 logger.info("Test: Default request")
2236 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2237 4 + 1,
2238 EAP_TYPE_PAX)
2239 else:
2240 logger.info("Test: Default EAP-Failure")
2241 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2242
2243 srv = start_radius_server(pax_handler)
09544316
JM		 2244
2245 try:
2246 hapd = start_ap(apdev[0]['ifname'])
2247
2248 for i in range(0, 18):
2249 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2250 eap="PAX", identity="user",
2251 password_hex="0123456789abcdef0123456789abcdef",
2252 wait_connect=False)
2253 logger.info("Waiting for EAP method to start")
2254 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2255 timeout=15)
2256 if ev is None:
2257 raise Exception("Timeout on EAP start")
2258 time.sleep(0.05)
2259 dev[0].request("REMOVE_NETWORK all")
2260 dev[0].dump_monitor()
2261
2262 logger.info("Too short password")
2263 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2264 eap="PAX", identity="user",
2265 password_hex="0123456789abcdef0123456789abcd",
2266 wait_connect=False)
2267 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
2268 if ev is None:
2269 raise Exception("Timeout on EAP start")
2270 time.sleep(0.1)
2271 dev[0].request("REMOVE_NETWORK all")
2272 dev[0].dump_monitor()
2273
2274 logger.info("No password")
2275 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2276 eap="PAX", identity="user",
2277 wait_connect=False)
2278 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
2279 if ev is None:
2280 raise Exception("Timeout on EAP start")
2281 time.sleep(0.1)
2282 dev[0].request("REMOVE_NETWORK all")
2283 dev[0].dump_monitor()
2284 finally:
2285 stop_radius_server(srv)
e0534ecf
JM		 2286
2287def test_eap_proto_psk(dev, apdev):
2288 """EAP-PSK protocol tests"""
2289 def psk_handler(ctx, req):
2290 logger.info("psk_handler - RX " + req.encode("hex"))
2291 if 'num' not in ctx:
2292 ctx['num'] = 0
2293 ctx['num'] = ctx['num'] + 1
2294 if 'id' not in ctx:
2295 ctx['id'] = 1
2296 ctx['id'] = (ctx['id'] + 1) % 256
2297
2298 idx = 0
2299
2300 idx += 1
2301 if ctx['num'] == idx:
2302 logger.info("Test: Missing payload")
2303 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2304 4 + 1,
2305 EAP_TYPE_PSK)
2306
2307 idx += 1
2308 if ctx['num'] == idx:
2309 logger.info("Test: Non-zero T in first message")
2310 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2311 4 + 1 + 1 + 16,
2312 EAP_TYPE_PSK, 0xc0, 0, 0, 0, 0)
2313
2314 idx += 1
2315 if ctx['num'] == idx:
2316 logger.info("Test: Valid first message")
2317 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2318 4 + 1 + 1 + 16,
2319 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2320 idx += 1
2321 if ctx['num'] == idx:
2322 logger.info("Test: Too short third message")
2323 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2324 4 + 1,
2325 EAP_TYPE_PSK)
2326
2327 idx += 1
2328 if ctx['num'] == idx:
2329 logger.info("Test: Valid first message")
2330 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2331 4 + 1 + 1 + 16,
2332 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2333 idx += 1
2334 if ctx['num'] == idx:
2335 logger.info("Test: Incorrect T in third message")
2336 return struct.pack(">BBHBB4L4L", EAP_CODE_REQUEST, ctx['id'],
2337 4 + 1 + 1 + 16 + 16,
2338 EAP_TYPE_PSK, 0, 0, 0, 0, 0, 0, 0, 0, 0)
2339
2340 idx += 1
2341 if ctx['num'] == idx:
2342 logger.info("Test: Valid first message")
2343 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2344 4 + 1 + 1 + 16,
2345 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2346 idx += 1
2347 if ctx['num'] == idx:
2348 logger.info("Test: Missing PCHANNEL in third message")
2349 return struct.pack(">BBHBB4L4L", EAP_CODE_REQUEST, ctx['id'],
2350 4 + 1 + 1 + 16 + 16,
2351 EAP_TYPE_PSK, 0x80, 0, 0, 0, 0, 0, 0, 0, 0)
2352
2353 idx += 1
2354 if ctx['num'] == idx:
2355 logger.info("Test: Valid first message")
2356 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2357 4 + 1 + 1 + 16,
2358 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2359 idx += 1
2360 if ctx['num'] == idx:
2361 logger.info("Test: Invalic MAC_S in third message")
2362 return struct.pack(">BBHBB4L4L5LB", EAP_CODE_REQUEST, ctx['id'],
2363 4 + 1 + 1 + 16 + 16 + 21,
2364 EAP_TYPE_PSK, 0x80, 0, 0, 0, 0, 0, 0, 0, 0,
2365 0, 0, 0, 0, 0, 0)
2366
2367 idx += 1
2368 if ctx['num'] == idx:
2369 logger.info("Test: Valid first message")
2370 return struct.pack(">BBHBB4L", EAP_CODE_REQUEST, ctx['id'],
2371 4 + 1 + 1 + 16,
2372 EAP_TYPE_PSK, 0, 0, 0, 0, 0)
2373 idx += 1
2374 if ctx['num'] == idx:
2375 logger.info("Test: EAP-Failure")
2376 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2377
2378 return None
2379
2380 srv = start_radius_server(psk_handler)
e0534ecf
JM		 2381
2382 try:
2383 hapd = start_ap(apdev[0]['ifname'])
2384
2385 for i in range(0, 6):
2386 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2387 eap="PSK", identity="user",
2388 password_hex="0123456789abcdef0123456789abcdef",
2389 wait_connect=False)
2390 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2391 timeout=15)
2392 if ev is None:
2393 raise Exception("Timeout on EAP start")
2394 time.sleep(0.1)
2395 dev[0].request("REMOVE_NETWORK all")
2396
2397 logger.info("Test: Invalid PSK length")
2398 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2399 eap="PSK", identity="user",
2400 password_hex="0123456789abcdef0123456789abcd",
2401 wait_connect=False)
2402 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2403 timeout=15)
2404 if ev is None:
2405 raise Exception("Timeout on EAP start")
2406 time.sleep(0.1)
2407 dev[0].request("REMOVE_NETWORK all")
2408 finally:
2409 stop_radius_server(srv)
6c080dfa 2410
b4e1e995
JM		 2411def test_eap_proto_psk_errors(dev, apdev):
2412 """EAP-PSK local error cases"""
2413 check_eap_capa(dev[0], "PSK")
2414 params = hostapd.wpa2_eap_params(ssid="eap-test")
2415 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
2416
2417 for i in range(1, 6):
2418 with alloc_fail(dev[0], i, "eap_psk_init"):
2419 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2420 eap="PSK", identity="psk.user@example.com",
2421 password_hex="0123456789abcdef0123456789abcdef",
2422 wait_connect=False)
2423 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
2424 timeout=15)
2425 if ev is None:
2426 raise Exception("Timeout on EAP start")
2427 dev[0].request("REMOVE_NETWORK all")
2428 dev[0].wait_disconnected()
2429
2430 tests = [ (1, "=eap_psk_process_1"),
2431 (2, "=eap_psk_process_1"),
2432 (1, "eap_msg_alloc;eap_psk_process_1"),
2433 (1, "=eap_psk_process_3"),
2434 (2, "=eap_psk_process_3"),
2435 (1, "eap_msg_alloc;eap_psk_process_3"),
2436 (1, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2437 (2, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2438 (3, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2439 (4, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2440 (5, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2441 (6, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2442 (7, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2443 (8, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2444 (9, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2445 (10, "aes_128_encrypt_block;eap_psk_derive_keys;eap_psk_process_3"),
2446 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt;eap_psk_process_3"),
2447 (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt;eap_psk_process_3"),
2448 (1, "eap_psk_getKey"),
2449 (1, "eap_psk_get_session_id"),
2450 (1, "eap_psk_get_emsk") ]
2451 for count, func in tests:
2452 with alloc_fail(dev[0], count, func):
2453 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2454 eap="PSK", identity="psk.user@example.com",
2455 password_hex="0123456789abcdef0123456789abcdef",
2456 erp="1", wait_connect=False)
2457 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2458 timeout=15)
2459 if ev is None:
2460 raise Exception("Timeout on EAP start")
2461 ok = False
2462 for j in range(10):
2463 state = dev[0].request('GET_ALLOC_FAIL')
2464 if state.startswith('0:'):
2465 ok = True
2466 break
2467 time.sleep(0.1)
2468 if not ok:
2469 raise Exception("No allocation failure seen for %d:%s" % (count, func))
2470 dev[0].request("REMOVE_NETWORK all")
2471 dev[0].wait_disconnected()
2472
2473 tests = [ (1, "os_get_random;eap_psk_process_1"),
2474 (1, "omac1_aes_128;eap_psk_process_3"),
2475 (1, "aes_128_eax_decrypt;eap_psk_process_3"),
2476 (2, "aes_128_eax_decrypt;eap_psk_process_3"),
2477 (3, "aes_128_eax_decrypt;eap_psk_process_3"),
2478 (1, "aes_128_eax_encrypt;eap_psk_process_3"),
2479 (2, "aes_128_eax_encrypt;eap_psk_process_3"),
2480 (3, "aes_128_eax_encrypt;eap_psk_process_3") ]
2481 for count, func in tests:
2482 with fail_test(dev[0], count, func):
2483 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
2484 eap="PSK", identity="psk.user@example.com",
2485 password_hex="0123456789abcdef0123456789abcdef",
2486 wait_connect=False)
2487 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
2488 timeout=15)
2489 if ev is None:
2490 raise Exception("Timeout on EAP start")
2491 ok = False
2492 for j in range(10):
2493 state = dev[0].request('GET_FAIL')
2494 if state.startswith('0:'):
2495 ok = True
2496 break
2497 time.sleep(0.1)
2498 if not ok:
2499 raise Exception("No failure seen for %d:%s" % (count, func))
2500 dev[0].request("REMOVE_NETWORK all")
2501 dev[0].wait_disconnected()
2502
6c080dfa
JM		 2503EAP_SIM_SUBTYPE_START = 10
2504EAP_SIM_SUBTYPE_CHALLENGE = 11
2505EAP_SIM_SUBTYPE_NOTIFICATION = 12
2506EAP_SIM_SUBTYPE_REAUTHENTICATION = 13
2507EAP_SIM_SUBTYPE_CLIENT_ERROR = 14
2508
2509EAP_AKA_SUBTYPE_CHALLENGE = 1
2510EAP_AKA_SUBTYPE_AUTHENTICATION_REJECT = 2
2511EAP_AKA_SUBTYPE_SYNCHRONIZATION_FAILURE = 4
2512EAP_AKA_SUBTYPE_IDENTITY = 5
2513EAP_AKA_SUBTYPE_NOTIFICATION = 12
2514EAP_AKA_SUBTYPE_REAUTHENTICATION = 13
2515EAP_AKA_SUBTYPE_CLIENT_ERROR = 14
2516
2517EAP_SIM_AT_RAND = 1
2518EAP_SIM_AT_AUTN = 2
2519EAP_SIM_AT_RES = 3
2520EAP_SIM_AT_AUTS = 4
2521EAP_SIM_AT_PADDING = 6
2522EAP_SIM_AT_NONCE_MT = 7
2523EAP_SIM_AT_PERMANENT_ID_REQ = 10
2524EAP_SIM_AT_MAC = 11
2525EAP_SIM_AT_NOTIFICATION = 12
2526EAP_SIM_AT_ANY_ID_REQ = 13
2527EAP_SIM_AT_IDENTITY = 14
2528EAP_SIM_AT_VERSION_LIST = 15
2529EAP_SIM_AT_SELECTED_VERSION = 16
2530EAP_SIM_AT_FULLAUTH_ID_REQ = 17
2531EAP_SIM_AT_COUNTER = 19
2532EAP_SIM_AT_COUNTER_TOO_SMALL = 20
2533EAP_SIM_AT_NONCE_S = 21
2534EAP_SIM_AT_CLIENT_ERROR_CODE = 22
2535EAP_SIM_AT_KDF_INPUT = 23
2536EAP_SIM_AT_KDF = 24
2537EAP_SIM_AT_IV = 129
2538EAP_SIM_AT_ENCR_DATA = 130
2539EAP_SIM_AT_NEXT_PSEUDONYM = 132
2540EAP_SIM_AT_NEXT_REAUTH_ID = 133
2541EAP_SIM_AT_CHECKCODE = 134
2542EAP_SIM_AT_RESULT_IND = 135
2543EAP_SIM_AT_BIDDING = 136
2544
2545def test_eap_proto_aka(dev, apdev):
2546 """EAP-AKA protocol tests"""
2547 def aka_handler(ctx, req):
2548 logger.info("aka_handler - RX " + req.encode("hex"))
2549 if 'num' not in ctx:
2550 ctx['num'] = 0
2551 ctx['num'] = ctx['num'] + 1
2552 if 'id' not in ctx:
2553 ctx['id'] = 1
2554 ctx['id'] = (ctx['id'] + 1) % 256
2555
2556 idx = 0
2557
2558 idx += 1
2559 if ctx['num'] == idx:
2560 logger.info("Test: Missing payload")
2561 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
2562 4 + 1,
2563 EAP_TYPE_AKA)
2564
2565 idx += 1
2566 if ctx['num'] == idx:
2567 logger.info("Test: Unknown subtype")
f0174bff
JM		 2568 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2569 4 + 1 + 3,
2570 EAP_TYPE_AKA, 255, 0)
6c080dfa
JM		 2571 idx += 1
2572 if ctx['num'] == idx:
2573 logger.info("Test: EAP-Failure")
2574 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2575
2576 idx += 1
2577 if ctx['num'] == idx:
2578 logger.info("Test: Client Error")
f0174bff
JM		 2579 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2580 4 + 1 + 3,
2581 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CLIENT_ERROR, 0)
6c080dfa
JM		 2582 idx += 1
2583 if ctx['num'] == idx:
2584 logger.info("Test: EAP-Failure")
2585 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2586
2587 idx += 1
2588 if ctx['num'] == idx:
2589 logger.info("Test: Too short attribute header")
2590 return struct.pack(">BBHBBHB", EAP_CODE_REQUEST, ctx['id'],
2591 4 + 1 + 1 + 3,
2592 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255)
2593 idx += 1
2594 if ctx['num'] == idx:
2595 logger.info("Test: EAP-Failure")
2596 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2597
2598 idx += 1
2599 if ctx['num'] == idx:
2600 logger.info("Test: Truncated attribute")
2601 return struct.pack(">BBHBBHBB", EAP_CODE_REQUEST, ctx['id'],
2602 4 + 1 + 1 + 4,
2603 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255,
2604 255)
2605 idx += 1
2606 if ctx['num'] == idx:
2607 logger.info("Test: EAP-Failure")
2608 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2609
2610 idx += 1
2611 if ctx['num'] == idx:
2612 logger.info("Test: Too short attribute data")
2613 return struct.pack(">BBHBBHBB", EAP_CODE_REQUEST, ctx['id'],
2614 4 + 1 + 1 + 4,
2615 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0, 255,
2616 0)
2617 idx += 1
2618 if ctx['num'] == idx:
2619 logger.info("Test: EAP-Failure")
2620 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2621
2622 idx += 1
2623 if ctx['num'] == idx:
2624 logger.info("Test: Skippable/non-skippable unrecognzized attribute")
2625 return struct.pack(">BBHBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2626 4 + 1 + 1 + 10,
2627 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2628 255, 1, 0, 127, 1, 0)
2629 idx += 1
2630 if ctx['num'] == idx:
2631 logger.info("Test: EAP-Failure")
2632 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2633
2634 idx += 1
2635 if ctx['num'] == idx:
2636 logger.info("Test: Identity request without ID type")
2637 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2638 4 + 1 + 3,
2639 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0)
2640 idx += 1
2641 if ctx['num'] == idx:
2642 logger.info("Test: Identity request ANY_ID")
2643 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2644 4 + 1 + 3 + 4,
2645 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2646 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2647 idx += 1
2648 if ctx['num'] == idx:
2649 logger.info("Test: Identity request ANY_ID (duplicate)")
2650 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2651 4 + 1 + 3 + 4,
2652 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2653 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2654 idx += 1
2655 if ctx['num'] == idx:
2656 logger.info("Test: EAP-Failure")
2657 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2658
2659 idx += 1
2660 if ctx['num'] == idx:
2661 logger.info("Test: Identity request ANY_ID")
2662 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2663 4 + 1 + 3 + 4,
2664 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2665 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2666 idx += 1
2667 if ctx['num'] == idx:
2668 logger.info("Test: Identity request FULLAUTH_ID")
2669 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2670 4 + 1 + 3 + 4,
2671 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2672 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2673 idx += 1
2674 if ctx['num'] == idx:
2675 logger.info("Test: Identity request FULLAUTH_ID (duplicate)")
2676 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2677 4 + 1 + 3 + 4,
2678 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2679 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2680 idx += 1
2681 if ctx['num'] == idx:
2682 logger.info("Test: EAP-Failure")
2683 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2684
2685 idx += 1
2686 if ctx['num'] == idx:
2687 logger.info("Test: Identity request ANY_ID")
2688 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2689 4 + 1 + 3 + 4,
2690 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2691 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2692 idx += 1
2693 if ctx['num'] == idx:
2694 logger.info("Test: Identity request FULLAUTH_ID")
2695 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2696 4 + 1 + 3 + 4,
2697 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2698 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
2699 idx += 1
2700 if ctx['num'] == idx:
2701 logger.info("Test: Identity request PERMANENT_ID")
2702 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2703 4 + 1 + 3 + 4,
2704 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2705 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
2706 idx += 1
2707 if ctx['num'] == idx:
2708 logger.info("Test: Identity request PERMANENT_ID (duplicate)")
2709 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2710 4 + 1 + 3 + 4,
2711 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2712 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
2713 idx += 1
2714 if ctx['num'] == idx:
2715 logger.info("Test: EAP-Failure")
2716 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2717
2718 idx += 1
2719 if ctx['num'] == idx:
2720 logger.info("Test: Challenge with no attributes")
2721 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2722 4 + 1 + 3,
2723 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0)
2724 idx += 1
2725 if ctx['num'] == idx:
2726 logger.info("Test: EAP-Failure")
2727 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2728
2729 idx += 1
2730 if ctx['num'] == idx:
2731 logger.info("Test: AKA Challenge with BIDDING")
2732 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2733 4 + 1 + 3 + 4,
2734 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
2735 EAP_SIM_AT_BIDDING, 1, 0x8000)
2736 idx += 1
2737 if ctx['num'] == idx:
2738 logger.info("Test: EAP-Failure")
2739 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2740
2741 idx += 1
2742 if ctx['num'] == idx:
2743 logger.info("Test: Notification with no attributes")
2744 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2745 4 + 1 + 3,
2746 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0)
2747 idx += 1
2748 if ctx['num'] == idx:
2749 logger.info("Test: EAP-Failure")
2750 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2751
2752 idx += 1
2753 if ctx['num'] == idx:
2754 logger.info("Test: Notification indicating success, but no MAC")
2755 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2756 4 + 1 + 3 + 4,
2757 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2758 EAP_SIM_AT_NOTIFICATION, 1, 32768)
2759 idx += 1
2760 if ctx['num'] == idx:
2761 logger.info("Test: EAP-Failure")
2762 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2763
2764 idx += 1
2765 if ctx['num'] == idx:
2766 logger.info("Test: Notification indicating success, but invalid MAC value")
2767 return struct.pack(">BBHBBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
2768 4 + 1 + 3 + 4 + 20,
2769 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2770 EAP_SIM_AT_NOTIFICATION, 1, 32768,
2771 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
2772 idx += 1
2773 if ctx['num'] == idx:
2774 logger.info("Test: EAP-Failure")
2775 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2776
2777 idx += 1
2778 if ctx['num'] == idx:
2779 logger.info("Test: Notification indicating success with zero-key MAC")
2780 return struct.pack(">BBHBBHBBHBBH16B", EAP_CODE_REQUEST,
2781 ctx['id'] - 2,
2782 4 + 1 + 3 + 4 + 20,
2783 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2784 EAP_SIM_AT_NOTIFICATION, 1, 32768,
2785 EAP_SIM_AT_MAC, 5, 0,
2786 0xbe, 0x2e, 0xbb, 0xa9, 0xfa, 0x2e, 0x82, 0x36,
2787 0x37, 0x8c, 0x32, 0x41, 0xb7, 0xc7, 0x58, 0xa3)
2788 idx += 1
2789 if ctx['num'] == idx:
2790 logger.info("Test: EAP-Success")
2791 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
2792
2793 idx += 1
2794 if ctx['num'] == idx:
2795 logger.info("Test: Notification before auth")
2796 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2797 4 + 1 + 3 + 4,
2798 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2799 EAP_SIM_AT_NOTIFICATION, 1, 16384)
2800 idx += 1
2801 if ctx['num'] == idx:
2802 logger.info("Test: EAP-Failure")
2803 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2804
2805 idx += 1
2806 if ctx['num'] == idx:
2807 logger.info("Test: Notification before auth")
2808 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2809 4 + 1 + 3 + 4,
2810 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2811 EAP_SIM_AT_NOTIFICATION, 1, 16385)
2812 idx += 1
2813 if ctx['num'] == idx:
2814 logger.info("Test: EAP-Failure")
2815 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2816
2817 idx += 1
2818 if ctx['num'] == idx:
2819 logger.info("Test: Notification with unrecognized non-failure")
2820 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2821 4 + 1 + 3 + 4,
2822 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2823 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
2824 idx += 1
2825 if ctx['num'] == idx:
2826 logger.info("Test: Notification before auth (duplicate)")
2827 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2828 4 + 1 + 3 + 4,
2829 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_NOTIFICATION, 0,
2830 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
2831 idx += 1
2832 if ctx['num'] == idx:
2833 logger.info("Test: EAP-Failure")
2834 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2835
2836 idx += 1
2837 if ctx['num'] == idx:
2838 logger.info("Test: Re-authentication (unexpected) with no attributes")
2839 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
2840 4 + 1 + 3,
2841 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_REAUTHENTICATION,
2842 0)
2843 idx += 1
2844 if ctx['num'] == idx:
2845 logger.info("Test: EAP-Failure")
2846 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2847
2848 idx += 1
2849 if ctx['num'] == idx:
2850 logger.info("Test: AKA Challenge with Checkcode claiming identity round was used")
2851 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
2852 4 + 1 + 3 + 24,
2853 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
2854 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
2855 idx += 1
2856 if ctx['num'] == idx:
2857 logger.info("Test: EAP-Failure")
2858 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2859
2860 idx += 1
2861 if ctx['num'] == idx:
2862 logger.info("Test: Identity request ANY_ID")
2863 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2864 4 + 1 + 3 + 4,
2865 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2866 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2867 idx += 1
2868 if ctx['num'] == idx:
2869 logger.info("Test: AKA Challenge with Checkcode claiming no identity round was used")
2870 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2871 4 + 1 + 3 + 4,
2872 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
2873 EAP_SIM_AT_CHECKCODE, 1, 0)
2874 idx += 1
2875 if ctx['num'] == idx:
2876 logger.info("Test: EAP-Failure")
2877 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2878
2879 idx += 1
2880 if ctx['num'] == idx:
2881 logger.info("Test: Identity request ANY_ID")
2882 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2883 4 + 1 + 3 + 4,
2884 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2885 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
2886 idx += 1
2887 if ctx['num'] == idx:
2888 logger.info("Test: AKA Challenge with mismatching Checkcode value")
2889 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
2890 4 + 1 + 3 + 24,
2891 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_CHALLENGE, 0,
2892 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
2893 idx += 1
2894 if ctx['num'] == idx:
2895 logger.info("Test: EAP-Failure")
2896 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2897
2898 idx += 1
2899 if ctx['num'] == idx:
2900 logger.info("Test: Re-authentication (unexpected) with Checkcode claimin identity round was used")
2901 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
2902 4 + 1 + 3 + 24,
2903 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_REAUTHENTICATION,
2904 0,
2905 EAP_SIM_AT_CHECKCODE, 6, 0, 0, 0, 0, 0, 0)
2906 idx += 1
2907 if ctx['num'] == idx:
2908 logger.info("Test: EAP-Failure")
2909 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2910
2911 idx += 1
2912 if ctx['num'] == idx:
2913 logger.info("Test: Invalid AT_RAND length")
2914 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2915 4 + 1 + 3 + 4,
2916 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2917 EAP_SIM_AT_RAND, 1, 0)
2918 idx += 1
2919 if ctx['num'] == idx:
2920 logger.info("Test: EAP-Failure")
2921 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2922
2923 idx += 1
2924 if ctx['num'] == idx:
2925 logger.info("Test: Invalid AT_AUTN length")
2926 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2927 4 + 1 + 3 + 4,
2928 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2929 EAP_SIM_AT_AUTN, 1, 0)
2930 idx += 1
2931 if ctx['num'] == idx:
2932 logger.info("Test: EAP-Failure")
2933 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2934
2935 idx += 1
2936 if ctx['num'] == idx:
2937 logger.info("Test: Unencrypted AT_PADDING")
2938 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2939 4 + 1 + 3 + 4,
2940 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2941 EAP_SIM_AT_PADDING, 1, 0)
2942 idx += 1
2943 if ctx['num'] == idx:
2944 logger.info("Test: EAP-Failure")
2945 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2946
2947 idx += 1
2948 if ctx['num'] == idx:
2949 logger.info("Test: Invalid AT_NONCE_MT length")
2950 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2951 4 + 1 + 3 + 4,
2952 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2953 EAP_SIM_AT_NONCE_MT, 1, 0)
2954 idx += 1
2955 if ctx['num'] == idx:
2956 logger.info("Test: EAP-Failure")
2957 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2958
2959 idx += 1
2960 if ctx['num'] == idx:
2961 logger.info("Test: Invalid AT_MAC length")
2962 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2963 4 + 1 + 3 + 4,
2964 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2965 EAP_SIM_AT_MAC, 1, 0)
2966 idx += 1
2967 if ctx['num'] == idx:
2968 logger.info("Test: EAP-Failure")
2969 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2970
2971 idx += 1
2972 if ctx['num'] == idx:
2973 logger.info("Test: Invalid AT_NOTIFICATION length")
2974 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
2975 4 + 1 + 3 + 8,
2976 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2977 EAP_SIM_AT_NOTIFICATION, 2, 0, 0)
2978 idx += 1
2979 if ctx['num'] == idx:
2980 logger.info("Test: EAP-Failure")
2981 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2982
2983 idx += 1
2984 if ctx['num'] == idx:
2985 logger.info("Test: AT_IDENTITY overflow")
2986 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2987 4 + 1 + 3 + 4,
2988 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
2989 EAP_SIM_AT_IDENTITY, 1, 0xffff)
2990 idx += 1
2991 if ctx['num'] == idx:
2992 logger.info("Test: EAP-Failure")
2993 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
2994
2995 idx += 1
2996 if ctx['num'] == idx:
2997 logger.info("Test: Unexpected AT_VERSION_LIST")
2998 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
2999 4 + 1 + 3 + 4,
3000 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3001 EAP_SIM_AT_VERSION_LIST, 1, 0)
3002 idx += 1
3003 if ctx['num'] == idx:
3004 logger.info("Test: EAP-Failure")
3005 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3006
3007 idx += 1
3008 if ctx['num'] == idx:
3009 logger.info("Test: Invalid AT_SELECTED_VERSION length")
3010 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3011 4 + 1 + 3 + 8,
3012 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3013 EAP_SIM_AT_SELECTED_VERSION, 2, 0, 0)
3014 idx += 1
3015 if ctx['num'] == idx:
3016 logger.info("Test: EAP-Failure")
3017 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3018
3019 idx += 1
3020 if ctx['num'] == idx:
3021 logger.info("Test: Unencrypted AT_COUNTER")
3022 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3023 4 + 1 + 3 + 4,
3024 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3025 EAP_SIM_AT_COUNTER, 1, 0)
3026 idx += 1
3027 if ctx['num'] == idx:
3028 logger.info("Test: EAP-Failure")
3029 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3030
3031 idx += 1
3032 if ctx['num'] == idx:
3033 logger.info("Test: Unencrypted AT_COUNTER_TOO_SMALL")
3034 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3035 4 + 1 + 3 + 4,
3036 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3037 EAP_SIM_AT_COUNTER_TOO_SMALL, 1, 0)
3038 idx += 1
3039 if ctx['num'] == idx:
3040 logger.info("Test: EAP-Failure")
3041 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3042
3043 idx += 1
3044 if ctx['num'] == idx:
3045 logger.info("Test: Unencrypted AT_NONCE_S")
3046 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3047 4 + 1 + 3 + 4,
3048 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3049 EAP_SIM_AT_NONCE_S, 1, 0)
3050 idx += 1
3051 if ctx['num'] == idx:
3052 logger.info("Test: EAP-Failure")
3053 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3054
3055 idx += 1
3056 if ctx['num'] == idx:
3057 logger.info("Test: Invalid AT_CLIENT_ERROR_CODE length")
3058 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3059 4 + 1 + 3 + 8,
3060 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3061 EAP_SIM_AT_CLIENT_ERROR_CODE, 2, 0, 0)
3062 idx += 1
3063 if ctx['num'] == idx:
3064 logger.info("Test: EAP-Failure")
3065 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3066
3067 idx += 1
3068 if ctx['num'] == idx:
3069 logger.info("Test: Invalid AT_IV length")
3070 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3071 4 + 1 + 3 + 4,
3072 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3073 EAP_SIM_AT_IV, 1, 0)
3074 idx += 1
3075 if ctx['num'] == idx:
3076 logger.info("Test: EAP-Failure")
3077 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3078
3079 idx += 1
3080 if ctx['num'] == idx:
3081 logger.info("Test: Invalid AT_ENCR_DATA length")
3082 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3083 4 + 1 + 3 + 8,
3084 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3085 EAP_SIM_AT_ENCR_DATA, 2, 0, 0)
3086 idx += 1
3087 if ctx['num'] == idx:
3088 logger.info("Test: EAP-Failure")
3089 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3090
3091 idx += 1
3092 if ctx['num'] == idx:
3093 logger.info("Test: Unencrypted AT_NEXT_PSEUDONYM")
3094 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3095 4 + 1 + 3 + 4,
3096 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3097 EAP_SIM_AT_NEXT_PSEUDONYM, 1, 0)
3098 idx += 1
3099 if ctx['num'] == idx:
3100 logger.info("Test: EAP-Failure")
3101 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3102
3103 idx += 1
3104 if ctx['num'] == idx:
3105 logger.info("Test: Unencrypted AT_NEXT_REAUTH_ID")
3106 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3107 4 + 1 + 3 + 4,
3108 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3109 EAP_SIM_AT_NEXT_REAUTH_ID, 1, 0)
3110 idx += 1
3111 if ctx['num'] == idx:
3112 logger.info("Test: EAP-Failure")
3113 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3114
3115 idx += 1
3116 if ctx['num'] == idx:
3117 logger.info("Test: Invalid AT_RES length")
3118 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3119 4 + 1 + 3 + 4,
3120 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3121 EAP_SIM_AT_RES, 1, 0)
3122 idx += 1
3123 if ctx['num'] == idx:
3124 logger.info("Test: EAP-Failure")
3125 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3126
3127 idx += 1
3128 if ctx['num'] == idx:
3129 logger.info("Test: Invalid AT_RES length")
3130 return struct.pack(">BBHBBHBBH5L", EAP_CODE_REQUEST, ctx['id'],
3131 4 + 1 + 3 + 24,
3132 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3133 EAP_SIM_AT_RES, 6, 0xffff, 0, 0, 0, 0, 0)
3134 idx += 1
3135 if ctx['num'] == idx:
3136 logger.info("Test: EAP-Failure")
3137 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3138
3139 idx += 1
3140 if ctx['num'] == idx:
3141 logger.info("Test: Invalid AT_AUTS length")
3142 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3143 4 + 1 + 3 + 8,
3144 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3145 EAP_SIM_AT_AUTS, 2, 0, 0)
3146 idx += 1
3147 if ctx['num'] == idx:
3148 logger.info("Test: EAP-Failure")
3149 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3150
3151 idx += 1
3152 if ctx['num'] == idx:
3153 logger.info("Test: Invalid AT_CHECKCODE length")
3154 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3155 4 + 1 + 3 + 8,
3156 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3157 EAP_SIM_AT_CHECKCODE, 2, 0, 0)
3158 idx += 1
3159 if ctx['num'] == idx:
3160 logger.info("Test: EAP-Failure")
3161 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3162
3163 idx += 1
3164 if ctx['num'] == idx:
3165 logger.info("Test: Invalid AT_RESULT_IND length")
3166 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3167 4 + 1 + 3 + 8,
3168 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3169 EAP_SIM_AT_RESULT_IND, 2, 0, 0)
3170 idx += 1
3171 if ctx['num'] == idx:
3172 logger.info("Test: EAP-Failure")
3173 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3174
3175 idx += 1
3176 if ctx['num'] == idx:
3177 logger.info("Test: Unexpected AT_KDF_INPUT")
3178 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3179 4 + 1 + 3 + 8,
3180 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3181 EAP_SIM_AT_KDF_INPUT, 2, 0, 0)
3182 idx += 1
3183 if ctx['num'] == idx:
3184 logger.info("Test: EAP-Failure")
3185 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3186
3187 idx += 1
3188 if ctx['num'] == idx:
3189 logger.info("Test: Unexpected AT_KDF")
3190 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3191 4 + 1 + 3 + 8,
3192 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3193 EAP_SIM_AT_KDF, 2, 0, 0)
3194 idx += 1
3195 if ctx['num'] == idx:
3196 logger.info("Test: EAP-Failure")
3197 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3198
3199 idx += 1
3200 if ctx['num'] == idx:
3201 logger.info("Test: Invalid AT_BIDDING length")
3202 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3203 4 + 1 + 3 + 8,
3204 EAP_TYPE_AKA, EAP_AKA_SUBTYPE_IDENTITY, 0,
3205 EAP_SIM_AT_BIDDING, 2, 0, 0)
3206 idx += 1
3207 if ctx['num'] == idx:
3208 logger.info("Test: EAP-Failure")
3209 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3210
3211 return None
3212
3213 srv = start_radius_server(aka_handler)
6c080dfa
JM		 3214
3215 try:
3216 hapd = start_ap(apdev[0]['ifname'])
3217
3218 for i in range(0, 49):
3219 eap = "AKA AKA'" if i == 11 else "AKA"
3220 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3221 eap=eap, identity="0232010000000000",
3222 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
3223 wait_connect=False)
3224 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3225 timeout=15)
3226 if ev is None:
3227 raise Exception("Timeout on EAP start")
3228 if i in [ 0, 15 ]:
3229 time.sleep(0.1)
3230 else:
3231 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3232 timeout=10)
3233 if ev is None:
3234 raise Exception("Timeout on EAP failure")
3235 dev[0].request("REMOVE_NETWORK all")
f0174bff 3236 dev[0].dump_monitor()
6c080dfa
JM		 3237 finally:
3238 stop_radius_server(srv)
3239
3240def test_eap_proto_aka_prime(dev, apdev):
3241 """EAP-AKA' protocol tests"""
3242 def aka_prime_handler(ctx, req):
3243 logger.info("aka_prime_handler - RX " + req.encode("hex"))
3244 if 'num' not in ctx:
3245 ctx['num'] = 0
3246 ctx['num'] = ctx['num'] + 1
3247 if 'id' not in ctx:
3248 ctx['id'] = 1
3249 ctx['id'] = (ctx['id'] + 1) % 256
3250
3251 idx = 0
3252
3253 idx += 1
3254 if ctx['num'] == idx:
3255 logger.info("Test: Missing payload")
3256 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
3257 4 + 1,
3258 EAP_TYPE_AKA_PRIME)
3259
3260 idx += 1
3261 if ctx['num'] == idx:
3262 logger.info("Test: Challenge with no attributes")
3263 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3264 4 + 1 + 3,
3265 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0)
3266 idx += 1
3267 if ctx['num'] == idx:
3268 logger.info("Test: EAP-Failure")
3269 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3270
3271 idx += 1
3272 if ctx['num'] == idx:
3273 logger.info("Test: Challenge with empty AT_KDF_INPUT")
3274 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3275 4 + 1 + 3 + 4,
3276 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3277 EAP_SIM_AT_KDF_INPUT, 1, 0)
3278 idx += 1
3279 if ctx['num'] == idx:
3280 logger.info("Test: EAP-Failure")
3281 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3282
3283 idx += 1
3284 if ctx['num'] == idx:
3285 logger.info("Test: Challenge with AT_KDF_INPUT")
3286 return struct.pack(">BBHBBHBBHBBBB", EAP_CODE_REQUEST, ctx['id'],
3287 4 + 1 + 3 + 8,
3288 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3289 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3290 ord('c'), ord('d'))
3291 idx += 1
3292 if ctx['num'] == idx:
3293 logger.info("Test: EAP-Failure")
3294 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3295
3296 idx += 1
3297 if ctx['num'] == idx:
3298 logger.info("Test: Challenge with duplicated KDF")
3299 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3300 EAP_CODE_REQUEST, ctx['id'],
3301 4 + 1 + 3 + 8 + 3 * 4,
3302 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3303 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3304 ord('c'), ord('d'),
3305 EAP_SIM_AT_KDF, 1, 1,
3306 EAP_SIM_AT_KDF, 1, 2,
3307 EAP_SIM_AT_KDF, 1, 1)
3308 idx += 1
3309 if ctx['num'] == idx:
3310 logger.info("Test: EAP-Failure")
3311 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3312
3313 idx += 1
3314 if ctx['num'] == idx:
3315 logger.info("Test: Challenge with multiple KDF proposals")
3316 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3317 EAP_CODE_REQUEST, ctx['id'],
3318 4 + 1 + 3 + 8 + 3 * 4,
3319 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3320 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3321 ord('c'), ord('d'),
3322 EAP_SIM_AT_KDF, 1, 255,
3323 EAP_SIM_AT_KDF, 1, 254,
3324 EAP_SIM_AT_KDF, 1, 1)
3325 idx += 1
3326 if ctx['num'] == idx:
3327 logger.info("Test: Challenge with incorrect KDF selected")
3328 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
3329 EAP_CODE_REQUEST, ctx['id'],
3330 4 + 1 + 3 + 8 + 4 * 4,
3331 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3332 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3333 ord('c'), ord('d'),
3334 EAP_SIM_AT_KDF, 1, 255,
3335 EAP_SIM_AT_KDF, 1, 255,
3336 EAP_SIM_AT_KDF, 1, 254,
3337 EAP_SIM_AT_KDF, 1, 1)
3338 idx += 1
3339 if ctx['num'] == idx:
3340 logger.info("Test: EAP-Failure")
3341 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3342
3343 idx += 1
3344 if ctx['num'] == idx:
3345 logger.info("Test: Challenge with multiple KDF proposals")
3346 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3347 EAP_CODE_REQUEST, ctx['id'],
3348 4 + 1 + 3 + 8 + 3 * 4,
3349 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3350 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3351 ord('c'), ord('d'),
3352 EAP_SIM_AT_KDF, 1, 255,
3353 EAP_SIM_AT_KDF, 1, 254,
3354 EAP_SIM_AT_KDF, 1, 1)
3355 idx += 1
3356 if ctx['num'] == idx:
3357 logger.info("Test: Challenge with selected KDF not duplicated")
3358 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3359 EAP_CODE_REQUEST, ctx['id'],
3360 4 + 1 + 3 + 8 + 3 * 4,
3361 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3362 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3363 ord('c'), ord('d'),
3364 EAP_SIM_AT_KDF, 1, 1,
3365 EAP_SIM_AT_KDF, 1, 255,
3366 EAP_SIM_AT_KDF, 1, 254)
3367 idx += 1
3368 if ctx['num'] == idx:
3369 logger.info("Test: EAP-Failure")
3370 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3371
3372 idx += 1
3373 if ctx['num'] == idx:
3374 logger.info("Test: Challenge with multiple KDF proposals")
3375 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3376 EAP_CODE_REQUEST, ctx['id'],
3377 4 + 1 + 3 + 8 + 3 * 4,
3378 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3379 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3380 ord('c'), ord('d'),
3381 EAP_SIM_AT_KDF, 1, 255,
3382 EAP_SIM_AT_KDF, 1, 254,
3383 EAP_SIM_AT_KDF, 1, 1)
3384 idx += 1
3385 if ctx['num'] == idx:
3386 logger.info("Test: Challenge with selected KDF duplicated (missing MAC, RAND, AUTN)")
3387 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
3388 EAP_CODE_REQUEST, ctx['id'],
3389 4 + 1 + 3 + 8 + 4 * 4,
3390 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3391 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3392 ord('c'), ord('d'),
3393 EAP_SIM_AT_KDF, 1, 1,
3394 EAP_SIM_AT_KDF, 1, 255,
3395 EAP_SIM_AT_KDF, 1, 254,
3396 EAP_SIM_AT_KDF, 1, 1)
3397 idx += 1
3398 if ctx['num'] == idx:
3399 logger.info("Test: EAP-Failure")
3400 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3401
3402 idx += 1
3403 if ctx['num'] == idx:
3404 logger.info("Test: Challenge with multiple unsupported KDF proposals")
3405 return struct.pack(">BBHBBHBBHBBBBBBHBBH",
3406 EAP_CODE_REQUEST, ctx['id'],
3407 4 + 1 + 3 + 8 + 2 * 4,
3408 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3409 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3410 ord('c'), ord('d'),
3411 EAP_SIM_AT_KDF, 1, 255,
3412 EAP_SIM_AT_KDF, 1, 254)
3413 idx += 1
3414 if ctx['num'] == idx:
3415 logger.info("Test: EAP-Failure")
3416 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3417
3418 idx += 1
3419 if ctx['num'] == idx:
3420 logger.info("Test: Challenge with multiple KDF proposals")
3421 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
3422 EAP_CODE_REQUEST, ctx['id'],
3423 4 + 1 + 3 + 8 + 3 * 4,
3424 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3425 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3426 ord('c'), ord('d'),
3427 EAP_SIM_AT_KDF, 1, 255,
3428 EAP_SIM_AT_KDF, 1, 254,
3429 EAP_SIM_AT_KDF, 1, 1)
3430 idx += 1
3431 if ctx['num'] == idx:
3432 logger.info("Test: Challenge with invalid MAC, RAND, AUTN values)")
3433 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBHBBH4LBBH4LBBH4L",
3434 EAP_CODE_REQUEST, ctx['id'],
3435 4 + 1 + 3 + 8 + 4 * 4 + 20 + 20 + 20,
3436 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3437 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3438 ord('c'), ord('d'),
3439 EAP_SIM_AT_KDF, 1, 1,
3440 EAP_SIM_AT_KDF, 1, 255,
3441 EAP_SIM_AT_KDF, 1, 254,
3442 EAP_SIM_AT_KDF, 1, 1,
3443 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0,
3444 EAP_SIM_AT_RAND, 5, 0, 0, 0, 0, 0,
3445 EAP_SIM_AT_AUTN, 5, 0, 0, 0, 0, 0)
3446 idx += 1
3447 if ctx['num'] == idx:
3448 logger.info("Test: EAP-Failure")
3449 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3450
3451 idx += 1
3452 if ctx['num'] == idx:
3453 logger.info("Test: Challenge - AMF separation bit not set)")
3454 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3455 EAP_CODE_REQUEST, ctx['id'],
3456 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3457 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3458 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3459 ord('c'), ord('d'),
3460 EAP_SIM_AT_KDF, 1, 1,
3461 EAP_SIM_AT_MAC, 5, 0, 1, 2, 3, 4,
3462 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3463 EAP_SIM_AT_AUTN, 5, 0, 9, 10,
3464 0x2fda8ef7, 0xbba518cc)
3465 idx += 1
3466 if ctx['num'] == idx:
3467 logger.info("Test: EAP-Failure")
3468 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3469
3470 idx += 1
3471 if ctx['num'] == idx:
3472 logger.info("Test: Challenge - Invalid MAC")
3473 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3474 EAP_CODE_REQUEST, ctx['id'],
3475 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3476 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3477 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3478 ord('c'), ord('d'),
3479 EAP_SIM_AT_KDF, 1, 1,
3480 EAP_SIM_AT_MAC, 5, 0, 1, 2, 3, 4,
3481 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3482 EAP_SIM_AT_AUTN, 5, 0, 0xffffffff, 0xffffffff,
3483 0xd1f90322, 0x40514cb4)
3484 idx += 1
3485 if ctx['num'] == idx:
3486 logger.info("Test: EAP-Failure")
3487 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3488
3489 idx += 1
3490 if ctx['num'] == idx:
3491 logger.info("Test: Challenge - Valid MAC")
3492 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L",
3493 EAP_CODE_REQUEST, ctx['id'],
3494 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
3495 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3496 EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
3497 ord('c'), ord('d'),
3498 EAP_SIM_AT_KDF, 1, 1,
3499 EAP_SIM_AT_MAC, 5, 0,
3500 0xf4a3c1d3, 0x7c901401, 0x34bd8b01, 0x6f7fa32f,
3501 EAP_SIM_AT_RAND, 5, 0, 5, 6, 7, 8,
3502 EAP_SIM_AT_AUTN, 5, 0, 0xffffffff, 0xffffffff,
3503 0xd1f90322, 0x40514cb4)
3504 idx += 1
3505 if ctx['num'] == idx:
3506 logger.info("Test: EAP-Failure")
3507 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3508
3509 idx += 1
3510 if ctx['num'] == idx:
3511 logger.info("Test: Invalid AT_KDF_INPUT length")
3512 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3513 4 + 1 + 3 + 8,
3514 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
3515 EAP_SIM_AT_KDF_INPUT, 2, 0xffff, 0)
3516 idx += 1
3517 if ctx['num'] == idx:
3518 logger.info("Test: EAP-Failure")
3519 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3520
3521 idx += 1
3522 if ctx['num'] == idx:
3523 logger.info("Test: Invalid AT_KDF length")
3524 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3525 4 + 1 + 3 + 8,
3526 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
3527 EAP_SIM_AT_KDF, 2, 0, 0)
3528 idx += 1
3529 if ctx['num'] == idx:
3530 logger.info("Test: EAP-Failure")
3531 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3532
3533 idx += 1
3534 if ctx['num'] == idx:
3535 logger.info("Test: Challenge with large number of KDF proposals")
3536 return struct.pack(">BBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH",
3537 EAP_CODE_REQUEST, ctx['id'],
3538 4 + 1 + 3 + 12 * 4,
3539 EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
3540 EAP_SIM_AT_KDF, 1, 255,
3541 EAP_SIM_AT_KDF, 1, 254,
3542 EAP_SIM_AT_KDF, 1, 253,
3543 EAP_SIM_AT_KDF, 1, 252,
3544 EAP_SIM_AT_KDF, 1, 251,
3545 EAP_SIM_AT_KDF, 1, 250,
3546 EAP_SIM_AT_KDF, 1, 249,
3547 EAP_SIM_AT_KDF, 1, 248,
3548 EAP_SIM_AT_KDF, 1, 247,
3549 EAP_SIM_AT_KDF, 1, 246,
3550 EAP_SIM_AT_KDF, 1, 245,
3551 EAP_SIM_AT_KDF, 1, 244)
3552 idx += 1
3553 if ctx['num'] == idx:
3554 logger.info("Test: EAP-Failure")
3555 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3556
3557 return None
3558
3559 srv = start_radius_server(aka_prime_handler)
6c080dfa
JM		 3560
3561 try:
3562 hapd = start_ap(apdev[0]['ifname'])
3563
3564 for i in range(0, 16):
3565 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3566 eap="AKA'", identity="6555444333222111",
3567 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
3568 wait_connect=False)
3569 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3570 timeout=15)
3571 if ev is None:
3572 raise Exception("Timeout on EAP start")
3573 if i in [ 0 ]:
3574 time.sleep(0.1)
3575 else:
3576 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3577 timeout=10)
3578 if ev is None:
3579 raise Exception("Timeout on EAP failure")
3580 dev[0].request("REMOVE_NETWORK all")
f0174bff 3581 dev[0].dump_monitor()
6c080dfa
JM		 3582 finally:
3583 stop_radius_server(srv)
3584
3585def test_eap_proto_sim(dev, apdev):
3586 """EAP-SIM protocol tests"""
3587 def sim_handler(ctx, req):
3588 logger.info("sim_handler - RX " + req.encode("hex"))
3589 if 'num' not in ctx:
3590 ctx['num'] = 0
3591 ctx['num'] = ctx['num'] + 1
3592 if 'id' not in ctx:
3593 ctx['id'] = 1
3594 ctx['id'] = (ctx['id'] + 1) % 256
3595
3596 idx = 0
3597
3598 idx += 1
3599 if ctx['num'] == idx:
3600 logger.info("Test: Missing payload")
3601 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
3602 4 + 1,
3603 EAP_TYPE_SIM)
3604
3605 idx += 1
3606 if ctx['num'] == idx:
3607 logger.info("Test: Unexpected AT_AUTN")
3608 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3609 4 + 1 + 3 + 8,
3610 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3611 EAP_SIM_AT_AUTN, 2, 0, 0)
3612 idx += 1
3613 if ctx['num'] == idx:
3614 logger.info("Test: EAP-Failure")
3615 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3616
3617 idx += 1
3618 if ctx['num'] == idx:
3619 logger.info("Test: Too short AT_VERSION_LIST")
3620 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3621 4 + 1 + 3 + 4,
3622 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3623 EAP_SIM_AT_VERSION_LIST, 1, 0)
3624 idx += 1
3625 if ctx['num'] == idx:
3626 logger.info("Test: EAP-Failure")
3627 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3628
3629 idx += 1
3630 if ctx['num'] == idx:
3631 logger.info("Test: AT_VERSION_LIST overflow")
3632 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3633 4 + 1 + 3 + 4,
3634 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3635 EAP_SIM_AT_VERSION_LIST, 1, 0xffff)
3636 idx += 1
3637 if ctx['num'] == idx:
3638 logger.info("Test: EAP-Failure")
3639 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3640
3641 idx += 1
3642 if ctx['num'] == idx:
3643 logger.info("Test: Unexpected AT_AUTS")
3644 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3645 4 + 1 + 3 + 8,
3646 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3647 EAP_SIM_AT_AUTS, 2, 0, 0)
3648 idx += 1
3649 if ctx['num'] == idx:
3650 logger.info("Test: EAP-Failure")
3651 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3652
3653 idx += 1
3654 if ctx['num'] == idx:
3655 logger.info("Test: Unexpected AT_CHECKCODE")
3656 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'],
3657 4 + 1 + 3 + 8,
3658 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3659 EAP_SIM_AT_CHECKCODE, 2, 0, 0)
3660 idx += 1
3661 if ctx['num'] == idx:
3662 logger.info("Test: EAP-Failure")
3663 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3664
3665 idx += 1
3666 if ctx['num'] == idx:
3667 logger.info("Test: No AT_VERSION_LIST in Start")
3668 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3669 4 + 1 + 3,
3670 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0)
3671 idx += 1
3672 if ctx['num'] == idx:
3673 logger.info("Test: EAP-Failure")
3674 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3675
3676 idx += 1
3677 if ctx['num'] == idx:
3678 logger.info("Test: No support version in AT_VERSION_LIST")
3679 return struct.pack(">BBHBBHBBH4B", EAP_CODE_REQUEST, ctx['id'],
3680 4 + 1 + 3 + 8,
3681 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3682 EAP_SIM_AT_VERSION_LIST, 2, 3, 2, 3, 4, 5)
3683 idx += 1
3684 if ctx['num'] == idx:
3685 logger.info("Test: EAP-Failure")
3686 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3687
3688
3689 idx += 1
3690 if ctx['num'] == idx:
3691 logger.info("Test: Identity request without ID type")
3692 return struct.pack(">BBHBBHBBH2H", EAP_CODE_REQUEST, ctx['id'],
3693 4 + 1 + 3 + 8,
3694 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3695 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0)
3696 idx += 1
3697 if ctx['num'] == idx:
3698 logger.info("Test: Identity request ANY_ID")
3699 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3700 4 + 1 + 3 + 8 + 4,
3701 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3702 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3703 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3704 idx += 1
3705 if ctx['num'] == idx:
3706 logger.info("Test: Identity request ANY_ID (duplicate)")
3707 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3708 4 + 1 + 3 + 8 + 4,
3709 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3710 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3711 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3712 idx += 1
3713 if ctx['num'] == idx:
3714 logger.info("Test: EAP-Failure")
3715 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3716
3717 idx += 1
3718 if ctx['num'] == idx:
3719 logger.info("Test: Identity request ANY_ID")
3720 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3721 4 + 1 + 3 + 8 + 4,
3722 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3723 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3724 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3725 idx += 1
3726 if ctx['num'] == idx:
3727 logger.info("Test: Identity request FULLAUTH_ID")
3728 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3729 4 + 1 + 3 + 8 + 4,
3730 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3731 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3732 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
3733 idx += 1
3734 if ctx['num'] == idx:
3735 logger.info("Test: Identity request FULLAUTH_ID (duplicate)")
3736 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3737 4 + 1 + 3 + 8 + 4,
3738 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3739 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3740 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
3741 idx += 1
3742 if ctx['num'] == idx:
3743 logger.info("Test: EAP-Failure")
3744 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3745
3746 idx += 1
3747 if ctx['num'] == idx:
3748 logger.info("Test: Identity request ANY_ID")
3749 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3750 4 + 1 + 3 + 8 + 4,
3751 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3752 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3753 EAP_SIM_AT_ANY_ID_REQ, 1, 0)
3754 idx += 1
3755 if ctx['num'] == idx:
3756 logger.info("Test: Identity request FULLAUTH_ID")
3757 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3758 4 + 1 + 3 + 8 + 4,
3759 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3760 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3761 EAP_SIM_AT_FULLAUTH_ID_REQ, 1, 0)
3762 idx += 1
3763 if ctx['num'] == idx:
3764 logger.info("Test: Identity request PERMANENT_ID")
3765 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3766 4 + 1 + 3 + 8 + 4,
3767 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3768 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3769 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
3770 idx += 1
3771 if ctx['num'] == idx:
3772 logger.info("Test: Identity request PERMANENT_ID (duplicate)")
3773 return struct.pack(">BBHBBHBBH2HBBH", EAP_CODE_REQUEST, ctx['id'],
3774 4 + 1 + 3 + 8 + 4,
3775 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_START, 0,
3776 EAP_SIM_AT_VERSION_LIST, 2, 2, 1, 0,
3777 EAP_SIM_AT_PERMANENT_ID_REQ, 1, 0)
3778 idx += 1
3779 if ctx['num'] == idx:
3780 logger.info("Test: EAP-Failure")
3781 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3782
3783 idx += 1
3784 if ctx['num'] == idx:
3785 logger.info("Test: No AT_MAC and AT_RAND in Challenge")
3786 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3787 4 + 1 + 3,
3788 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0)
3789 idx += 1
3790 if ctx['num'] == idx:
3791 logger.info("Test: EAP-Failure")
3792 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3793
3794 idx += 1
3795 if ctx['num'] == idx:
3796 logger.info("Test: No AT_RAND in Challenge")
3797 return struct.pack(">BBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
3798 4 + 1 + 3 + 20,
3799 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
3800 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3801 idx += 1
3802 if ctx['num'] == idx:
3803 logger.info("Test: EAP-Failure")
3804 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3805
3806 idx += 1
3807 if ctx['num'] == idx:
3808 logger.info("Test: Insufficient number of challenges in Challenge")
3809 return struct.pack(">BBHBBHBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'],
3810 4 + 1 + 3 + 20 + 20,
3811 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
3812 EAP_SIM_AT_RAND, 5, 0, 0, 0, 0, 0,
3813 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3814 idx += 1
3815 if ctx['num'] == idx:
3816 logger.info("Test: EAP-Failure")
3817 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3818
3819 idx += 1
3820 if ctx['num'] == idx:
3821 logger.info("Test: Too many challenges in Challenge")
3822 return struct.pack(">BBHBBHBBH4L4L4L4LBBH4L", EAP_CODE_REQUEST,
3823 ctx['id'],
3824 4 + 1 + 3 + 4 + 4 * 16 + 20,
3825 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
3826 EAP_SIM_AT_RAND, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0,
3827 0, 0, 0, 0, 0, 0, 0, 0,
3828 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3829 idx += 1
3830 if ctx['num'] == idx:
3831 logger.info("Test: EAP-Failure")
3832 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3833
3834 idx += 1
3835 if ctx['num'] == idx:
3836 logger.info("Test: Same RAND multiple times in Challenge")
3837 return struct.pack(">BBHBBHBBH4L4L4LBBH4L", EAP_CODE_REQUEST,
3838 ctx['id'],
3839 4 + 1 + 3 + 4 + 3 * 16 + 20,
3840 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CHALLENGE, 0,
3841 EAP_SIM_AT_RAND, 13, 0, 0, 0, 0, 0, 0, 0, 0, 1,
3842 0, 0, 0, 0,
3843 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3844 idx += 1
3845 if ctx['num'] == idx:
3846 logger.info("Test: EAP-Failure")
3847 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3848
3849 idx += 1
3850 if ctx['num'] == idx:
3851 logger.info("Test: Notification with no attributes")
3852 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3853 4 + 1 + 3,
3854 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0)
3855 idx += 1
3856 if ctx['num'] == idx:
3857 logger.info("Test: EAP-Failure")
3858 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3859
3860 idx += 1
3861 if ctx['num'] == idx:
3862 logger.info("Test: Notification indicating success, but no MAC")
3863 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3864 4 + 1 + 3 + 4,
3865 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
3866 EAP_SIM_AT_NOTIFICATION, 1, 32768)
3867 idx += 1
3868 if ctx['num'] == idx:
3869 logger.info("Test: EAP-Failure")
3870 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3871
3872 idx += 1
3873 if ctx['num'] == idx:
3874 logger.info("Test: Notification indicating success, but invalid MAC value")
3875 return struct.pack(">BBHBBHBBHBBH4L", EAP_CODE_REQUEST, ctx['id'],
3876 4 + 1 + 3 + 4 + 20,
3877 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
3878 EAP_SIM_AT_NOTIFICATION, 1, 32768,
3879 EAP_SIM_AT_MAC, 5, 0, 0, 0, 0, 0)
3880 idx += 1
3881 if ctx['num'] == idx:
3882 logger.info("Test: EAP-Failure")
3883 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3884
3885 idx += 1
3886 if ctx['num'] == idx:
3887 logger.info("Test: Notification before auth")
3888 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3889 4 + 1 + 3 + 4,
3890 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
3891 EAP_SIM_AT_NOTIFICATION, 1, 16384)
3892 idx += 1
3893 if ctx['num'] == idx:
3894 logger.info("Test: EAP-Failure")
3895 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3896
3897 idx += 1
3898 if ctx['num'] == idx:
3899 logger.info("Test: Notification before auth")
3900 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3901 4 + 1 + 3 + 4,
3902 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
3903 EAP_SIM_AT_NOTIFICATION, 1, 16385)
3904 idx += 1
3905 if ctx['num'] == idx:
3906 logger.info("Test: EAP-Failure")
3907 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3908
3909 idx += 1
3910 if ctx['num'] == idx:
3911 logger.info("Test: Notification with unrecognized non-failure")
3912 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3913 4 + 1 + 3 + 4,
3914 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
3915 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
3916 idx += 1
3917 if ctx['num'] == idx:
3918 logger.info("Test: Notification before auth (duplicate)")
3919 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'],
3920 4 + 1 + 3 + 4,
3921 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_NOTIFICATION, 0,
3922 EAP_SIM_AT_NOTIFICATION, 1, 0xc000)
3923 idx += 1
3924 if ctx['num'] == idx:
3925 logger.info("Test: EAP-Failure")
3926 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3927
3928 idx += 1
3929 if ctx['num'] == idx:
3930 logger.info("Test: Re-authentication (unexpected) with no attributes")
3931 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3932 4 + 1 + 3,
3933 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_REAUTHENTICATION,
3934 0)
3935 idx += 1
3936 if ctx['num'] == idx:
3937 logger.info("Test: EAP-Failure")
3938 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3939
3940 idx += 1
3941 if ctx['num'] == idx:
3942 logger.info("Test: Client Error")
f0174bff
JM		 3943 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3944 4 + 1 + 3,
3945 EAP_TYPE_SIM, EAP_SIM_SUBTYPE_CLIENT_ERROR, 0)
6c080dfa
JM		 3946 idx += 1
3947 if ctx['num'] == idx:
3948 logger.info("Test: EAP-Failure")
3949 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3950
3951 idx += 1
3952 if ctx['num'] == idx:
3953 logger.info("Test: Unknown subtype")
f0174bff
JM		 3954 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'],
3955 4 + 1 + 3,
3956 EAP_TYPE_SIM, 255, 0)
6c080dfa
JM		 3957 idx += 1
3958 if ctx['num'] == idx:
3959 logger.info("Test: EAP-Failure")
3960 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
3961
3962 return None
3963
3964 srv = start_radius_server(sim_handler)
6c080dfa
JM		 3965
3966 try:
3967 hapd = start_ap(apdev[0]['ifname'])
3968
3969 for i in range(0, 25):
3970 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3971 eap="SIM", identity="1232010000000000",
3972 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
3973 wait_connect=False)
3974 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
3975 timeout=15)
3976 if ev is None:
3977 raise Exception("Timeout on EAP start")
3978 if i in [ 0 ]:
3979 time.sleep(0.1)
3980 else:
3981 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
3982 timeout=10)
3983 if ev is None:
3984 raise Exception("Timeout on EAP failure")
3985 dev[0].request("REMOVE_NETWORK all")
f0174bff 3986 dev[0].dump_monitor()
6c080dfa
JM		 3987 finally:
3988 stop_radius_server(srv)
cb0555f7 3989
d36ae376
JM		 3990def test_eap_proto_sim_errors(dev, apdev):
3991 """EAP-SIM protocol tests (error paths)"""
3992 check_hlr_auc_gw_support()
3993 params = hostapd.wpa2_eap_params(ssid="eap-test")
3994 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
3995
3996 with alloc_fail(dev[0], 1, "eap_sim_init"):
3997 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
3998 eap="SIM", identity="1232010000000000",
3999 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4000 wait_connect=False)
4001 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4002 timeout=15)
4003 if ev is None:
4004 raise Exception("Timeout on EAP start")
4005 dev[0].request("REMOVE_NETWORK all")
4006 dev[0].wait_disconnected()
4007
4008 with fail_test(dev[0], 1, "os_get_random;eap_sim_init"):
4009 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4010 eap="SIM", identity="1232010000000000",
4011 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4012 wait_connect=False)
4013 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4014 timeout=15)
4015 if ev is None:
4016 raise Exception("Timeout on EAP start")
4017 dev[0].request("REMOVE_NETWORK all")
4018 dev[0].wait_disconnected()
4019
4020 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4021 eap="SIM", identity="1232010000000000",
4022 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4023
4024 with fail_test(dev[0], 1, "aes_128_cbc_encrypt;eap_sim_response_reauth"):
4025 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4026 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4027 if ev is None:
4028 raise Exception("EAP re-authentication did not start")
4029 wait_fail_trigger(dev[0], "GET_FAIL")
4030 dev[0].request("REMOVE_NETWORK all")
4031 dev[0].dump_monitor()
4032
4033 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4034 eap="SIM", identity="1232010000000000",
4035 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4036
4037 with fail_test(dev[0], 1, "os_get_random;eap_sim_msg_add_encr_start"):
4038 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4039 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4040 if ev is None:
4041 raise Exception("EAP re-authentication did not start")
4042 wait_fail_trigger(dev[0], "GET_FAIL")
4043 dev[0].request("REMOVE_NETWORK all")
4044 dev[0].dump_monitor()
4045
4046 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4047 eap="SIM", identity="1232010000000000",
4048 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4049
4050 with fail_test(dev[0], 1, "os_get_random;eap_sim_init_for_reauth"):
4051 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4052 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4053 if ev is None:
4054 raise Exception("EAP re-authentication did not start")
4055 wait_fail_trigger(dev[0], "GET_FAIL")
4056 dev[0].request("REMOVE_NETWORK all")
4057 dev[0].dump_monitor()
4058
4059 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4060 eap="SIM", identity="1232010000000000",
4061 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4062
4063 with alloc_fail(dev[0], 1, "eap_sim_parse_encr;eap_sim_process_reauthentication"):
4064 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4065 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4066 if ev is None:
4067 raise Exception("EAP re-authentication did not start")
4068 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4069 dev[0].request("REMOVE_NETWORK all")
4070 dev[0].dump_monitor()
4071
4072 tests = [ (1, "eap_sim_verify_mac;eap_sim_process_challenge"),
4073 (1, "eap_sim_parse_encr;eap_sim_process_challenge"),
4074 (1, "eap_sim_msg_init;eap_sim_response_start"),
4075 (1, "wpabuf_alloc;eap_sim_msg_init;eap_sim_response_start"),
4076 (1, "=eap_sim_learn_ids"),
4077 (2, "=eap_sim_learn_ids"),
4078 (2, "eap_sim_learn_ids"),
4079 (3, "eap_sim_learn_ids"),
4080 (1, "eap_sim_process_start"),
4081 (1, "eap_sim_getKey"),
4082 (1, "eap_sim_get_emsk"),
4083 (1, "eap_sim_get_session_id") ]
4084 for count, func in tests:
4085 with alloc_fail(dev[0], count, func):
4086 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4087 eap="SIM", identity="1232010000000000",
4088 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4089 erp="1", wait_connect=False)
4090 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4091 dev[0].request("REMOVE_NETWORK all")
4092 dev[0].dump_monitor()
4093
4094 tests = [ (1, "aes_128_cbc_decrypt;eap_sim_parse_encr") ]
4095 for count, func in tests:
4096 with fail_test(dev[0], count, func):
4097 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4098 eap="SIM", identity="1232010000000000",
4099 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4100 wait_connect=False)
4101 wait_fail_trigger(dev[0], "GET_FAIL")
4102 dev[0].request("REMOVE_NETWORK all")
4103 dev[0].dump_monitor()
4104
4105def test_eap_proto_aka_errors(dev, apdev):
4106 """EAP-AKA protocol tests (error paths)"""
4107 check_hlr_auc_gw_support()
4108 params = hostapd.wpa2_eap_params(ssid="eap-test")
4109 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4110
4111 with alloc_fail(dev[0], 1, "eap_aka_init"):
4112 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4113 eap="AKA", identity="0232010000000000",
4114 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4115 wait_connect=False)
4116 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4117 timeout=15)
4118 if ev is None:
4119 raise Exception("Timeout on EAP start")
4120 dev[0].request("REMOVE_NETWORK all")
4121 dev[0].wait_disconnected()
4122
4123 tests = [ (1, "=eap_aka_learn_ids"),
4124 (2, "=eap_aka_learn_ids"),
4125 (1, "eap_sim_parse_encr;eap_aka_process_challenge"),
4126 (1, "eap_aka_getKey"),
4127 (1, "eap_aka_get_emsk"),
4128 (1, "eap_aka_get_session_id") ]
4129 for count, func in tests:
4130 with alloc_fail(dev[0], count, func):
4131 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4132 eap="AKA", identity="0232010000000000",
4133 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4134 erp="1", wait_connect=False)
4135 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4136 dev[0].request("REMOVE_NETWORK all")
4137 dev[0].dump_monitor()
4138
4139def test_eap_proto_aka_prime_errors(dev, apdev):
4140 """EAP-AKA' protocol tests (error paths)"""
4141 check_hlr_auc_gw_support()
4142 params = hostapd.wpa2_eap_params(ssid="eap-test")
4143 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4144
4145 with alloc_fail(dev[0], 1, "eap_aka_init"):
4146 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4147 eap="AKA'", identity="6555444333222111",
4148 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4149 wait_connect=False)
4150 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4151 timeout=15)
4152 if ev is None:
4153 raise Exception("Timeout on EAP start")
4154 dev[0].request("REMOVE_NETWORK all")
4155 dev[0].wait_disconnected()
4156
4157 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4158 eap="AKA'", identity="6555444333222111",
4159 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4160
4161 with fail_test(dev[0], 1, "aes_128_cbc_encrypt;eap_aka_response_reauth"):
4162 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4163 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4164 if ev is None:
4165 raise Exception("EAP re-authentication did not start")
4166 wait_fail_trigger(dev[0], "GET_FAIL")
4167 dev[0].request("REMOVE_NETWORK all")
4168 dev[0].dump_monitor()
4169
4170 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4171 eap="AKA'", identity="6555444333222111",
4172 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4173
4174 with alloc_fail(dev[0], 1, "eap_sim_parse_encr;eap_aka_process_reauthentication"):
4175 hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
4176 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
4177 if ev is None:
4178 raise Exception("EAP re-authentication did not start")
4179 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4180 dev[0].request("REMOVE_NETWORK all")
4181 dev[0].dump_monitor()
4182
4183 tests = [ (1, "eap_sim_verify_mac_sha256"),
4184 (1, "=eap_aka_process_challenge") ]
4185 for count, func in tests:
4186 with alloc_fail(dev[0], count, func):
4187 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4188 eap="AKA'", identity="6555444333222111",
4189 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4190 erp="1", wait_connect=False)
4191 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
4192 dev[0].request("REMOVE_NETWORK all")
4193 dev[0].dump_monitor()
4194
cb0555f7
JM		 4195def test_eap_proto_ikev2(dev, apdev):
4196 """EAP-IKEv2 protocol tests"""
c8e82c94 4197 check_eap_capa(dev[0], "IKEV2")
cb0555f7
JM		 4198 def ikev2_handler(ctx, req):
4199 logger.info("ikev2_handler - RX " + req.encode("hex"))
4200 if 'num' not in ctx:
4201 ctx['num'] = 0
4202 ctx['num'] = ctx['num'] + 1
4203 if 'id' not in ctx:
4204 ctx['id'] = 1
4205 ctx['id'] = (ctx['id'] + 1) % 256
4206
4207 idx = 0
4208
4209 idx += 1
4210 if ctx['num'] == idx:
4211 logger.info("Test: Missing payload")
4212 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
4213 4 + 1,
4214 EAP_TYPE_IKEV2)
4215
4216 idx += 1
4217 if ctx['num'] == idx:
4218 logger.info("Test: Truncated Message Length field")
4219 return struct.pack(">BBHBB3B", EAP_CODE_REQUEST, ctx['id'],
4220 4 + 1 + 1 + 3,
4221 EAP_TYPE_IKEV2, 0x80, 0, 0, 0)
4222
4223 idx += 1
4224 if ctx['num'] == idx:
4225 logger.info("Test: Too short Message Length value")
4226 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
4227 4 + 1 + 1 + 4 + 1,
4228 EAP_TYPE_IKEV2, 0x80, 0, 1)
4229
4230 idx += 1
4231 if ctx['num'] == idx:
4232 logger.info("Test: Truncated message")
4233 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4234 4 + 1 + 1 + 4,
4235 EAP_TYPE_IKEV2, 0x80, 1)
4236
4237 idx += 1
4238 if ctx['num'] == idx:
4239 logger.info("Test: Truncated message(2)")
4240 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4241 4 + 1 + 1 + 4,
4242 EAP_TYPE_IKEV2, 0x80, 0xffffffff)
4243
4244 idx += 1
4245 if ctx['num'] == idx:
4246 logger.info("Test: Truncated message(3)")
4247 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4248 4 + 1 + 1 + 4,
4249 EAP_TYPE_IKEV2, 0xc0, 0xffffffff)
4250
4251 idx += 1
4252 if ctx['num'] == idx:
4253 logger.info("Test: Truncated message(4)")
4254 return struct.pack(">BBHBBL", EAP_CODE_REQUEST, ctx['id'],
4255 4 + 1 + 1 + 4,
4256 EAP_TYPE_IKEV2, 0xc0, 10000000)
4257
4258 idx += 1
4259 if ctx['num'] == idx:
4260 logger.info("Test: Too long fragments (first fragment)")
4261 return struct.pack(">BBHBBLB", EAP_CODE_REQUEST, ctx['id'],
4262 4 + 1 + 1 + 4 + 1,
4263 EAP_TYPE_IKEV2, 0xc0, 2, 1)
4264
4265 idx += 1
4266 if ctx['num'] == idx:
4267 logger.info("Test: Too long fragments (second fragment)")
4268 return struct.pack(">BBHBB2B", EAP_CODE_REQUEST, ctx['id'],
4269 4 + 1 + 1 + 2,
4270 EAP_TYPE_IKEV2, 0x00, 2, 3)
4271
4272 idx += 1
4273 if ctx['num'] == idx:
4274 logger.info("Test: No Message Length field in first fragment")
4275 return struct.pack(">BBHBBB", EAP_CODE_REQUEST, ctx['id'],
4276 4 + 1 + 1 + 1,
4277 EAP_TYPE_IKEV2, 0x40, 1)
4278
4279 idx += 1
4280 if ctx['num'] == idx:
4281 logger.info("Test: ICV before keys")
4282 return struct.pack(">BBHBB", EAP_CODE_REQUEST, ctx['id'],
4283 4 + 1 + 1,
4284 EAP_TYPE_IKEV2, 0x20)
4285
4286 idx += 1
4287 if ctx['num'] == idx:
4288 logger.info("Test: Unsupported IKEv2 header version")
4289 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4290 4 + 1 + 1 + 28,
4291 EAP_TYPE_IKEV2, 0x00,
4292 0, 0, 0, 0,
4293 0, 0, 0, 0, 0, 0)
4294
4295 idx += 1
4296 if ctx['num'] == idx:
4297 logger.info("Test: Incorrect IKEv2 header Length")
4298 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4299 4 + 1 + 1 + 28,
4300 EAP_TYPE_IKEV2, 0x00,
4301 0, 0, 0, 0,
4302 0, 0x20, 0, 0, 0, 0)
4303
4304 idx += 1
4305 if ctx['num'] == idx:
4306 logger.info("Test: Unexpected IKEv2 Exchange Type in SA_INIT state")
4307 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4308 4 + 1 + 1 + 28,
4309 EAP_TYPE_IKEV2, 0x00,
4310 0, 0, 0, 0,
4311 0, 0x20, 0, 0, 0, 28)
4312
4313 idx += 1
4314 if ctx['num'] == idx:
4315 logger.info("Test: Unexpected IKEv2 Message ID in SA_INIT state")
4316 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4317 4 + 1 + 1 + 28,
4318 EAP_TYPE_IKEV2, 0x00,
4319 0, 0, 0, 0,
4320 0, 0x20, 34, 0, 1, 28)
4321
4322 idx += 1
4323 if ctx['num'] == idx:
4324 logger.info("Test: Unexpected IKEv2 Flags value")
4325 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4326 4 + 1 + 1 + 28,
4327 EAP_TYPE_IKEV2, 0x00,
4328 0, 0, 0, 0,
4329 0, 0x20, 34, 0, 0, 28)
4330
4331 idx += 1
4332 if ctx['num'] == idx:
4333 logger.info("Test: Unexpected IKEv2 Flags value(2)")
4334 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4335 4 + 1 + 1 + 28,
4336 EAP_TYPE_IKEV2, 0x00,
4337 0, 0, 0, 0,
4338 0, 0x20, 34, 0x20, 0, 28)
4339
4340 idx += 1
4341 if ctx['num'] == idx:
4342 logger.info("Test: No SAi1 in SA_INIT")
4343 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, ctx['id'],
4344 4 + 1 + 1 + 28,
4345 EAP_TYPE_IKEV2, 0x00,
4346 0, 0, 0, 0,
4347 0, 0x20, 34, 0x08, 0, 28)
4348
4349 def build_ike(id, next=0, exch_type=34, flags=0x00, ike=''):
4350 return struct.pack(">BBHBB2L2LBBBBLL", EAP_CODE_REQUEST, id,
4351 4 + 1 + 1 + 28 + len(ike),
4352 EAP_TYPE_IKEV2, flags,
4353 0, 0, 0, 0,
4354 next, 0x20, exch_type, 0x08, 0,
4355 28 + len(ike)) + ike
4356
4357 idx += 1
4358 if ctx['num'] == idx:
4359 logger.info("Test: Unexpected extra data after payloads")
4360 return build_ike(ctx['id'], ike=struct.pack(">B", 1))
4361
4362 idx += 1
4363 if ctx['num'] == idx:
4364 logger.info("Test: Truncated payload header")
4365 return build_ike(ctx['id'], next=128, ike=struct.pack(">B", 1))
4366
4367 idx += 1
4368 if ctx['num'] == idx:
4369 logger.info("Test: Too small payload header length")
4370 ike = struct.pack(">BBH", 0, 0, 3)
4371 return build_ike(ctx['id'], next=128, ike=ike)
4372
4373 idx += 1
4374 if ctx['num'] == idx:
4375 logger.info("Test: Too large payload header length")
4376 ike = struct.pack(">BBH", 0, 0, 5)
4377 return build_ike(ctx['id'], next=128, ike=ike)
4378
4379 idx += 1
4380 if ctx['num'] == idx:
4381 logger.info("Test: Unsupported payload (non-critical and critical)")
4382 ike = struct.pack(">BBHBBH", 129, 0, 4, 0, 0x01, 4)
4383 return build_ike(ctx['id'], next=128, ike=ike)
4384
4385 idx += 1
4386 if ctx['num'] == idx:
4387 logger.info("Test: Certificate and empty SAi1")
4388 ike = struct.pack(">BBHBBH", 33, 0, 4, 0, 0, 4)
4389 return build_ike(ctx['id'], next=37, ike=ike)
4390
4391 idx += 1
4392 if ctx['num'] == idx:
4393 logger.info("Test: Too short proposal")
4394 ike = struct.pack(">BBHBBHBBB", 0, 0, 4 + 7,
4395 0, 0, 7, 0, 0, 0)
4396 return build_ike(ctx['id'], next=33, ike=ike)
4397
4398 idx += 1
4399 if ctx['num'] == idx:
4400 logger.info("Test: Too small proposal length in SAi1")
4401 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4402 0, 0, 7, 0, 0, 0, 0)
4403 return build_ike(ctx['id'], next=33, ike=ike)
4404
4405 idx += 1
4406 if ctx['num'] == idx:
4407 logger.info("Test: Too large proposal length in SAi1")
4408 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4409 0, 0, 9, 0, 0, 0, 0)
4410 return build_ike(ctx['id'], next=33, ike=ike)
4411
4412 idx += 1
4413 if ctx['num'] == idx:
4414 logger.info("Test: Unexpected proposal type in SAi1")
4415 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4416 1, 0, 8, 0, 0, 0, 0)
4417 return build_ike(ctx['id'], next=33, ike=ike)
4418
4419 idx += 1
4420 if ctx['num'] == idx:
4421 logger.info("Test: Unexpected Protocol ID in SAi1")
4422 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4423 0, 0, 8, 0, 0, 0, 0)
4424 return build_ike(ctx['id'], next=33, ike=ike)
4425
4426 idx += 1
4427 if ctx['num'] == idx:
4428 logger.info("Test: Unexpected proposal number in SAi1")
4429 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4430 0, 0, 8, 0, 1, 0, 0)
4431 return build_ike(ctx['id'], next=33, ike=ike)
4432
4433 idx += 1
4434 if ctx['num'] == idx:
4435 logger.info("Test: Not enough room for SPI in SAi1")
4436 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4437 0, 0, 8, 1, 1, 1, 0)
4438 return build_ike(ctx['id'], next=33, ike=ike)
4439
4440 idx += 1
4441 if ctx['num'] == idx:
4442 logger.info("Test: Unexpected SPI in SAi1")
4443 ike = struct.pack(">BBHBBHBBBBB", 0, 0, 4 + 9,
4444 0, 0, 9, 1, 1, 1, 0, 1)
4445 return build_ike(ctx['id'], next=33, ike=ike)
4446
4447 idx += 1
4448 if ctx['num'] == idx:
4449 logger.info("Test: No transforms in SAi1")
4450 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4451 0, 0, 8, 1, 1, 0, 0)
4452 return build_ike(ctx['id'], next=33, ike=ike)
4453
4454 idx += 1
4455 if ctx['num'] == idx:
4456 logger.info("Test: Too short transform in SAi1")
4457 ike = struct.pack(">BBHBBHBBBB", 0, 0, 4 + 8,
4458 0, 0, 8, 1, 1, 0, 1)
4459 return build_ike(ctx['id'], next=33, ike=ike)
4460
4461 idx += 1
4462 if ctx['num'] == idx:
4463 logger.info("Test: Too small transform length in SAi1")
4464 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4465 0, 0, 8 + 8, 1, 1, 0, 1,
4466 0, 0, 7, 0, 0, 0)
4467 return build_ike(ctx['id'], next=33, ike=ike)
4468
4469 idx += 1
4470 if ctx['num'] == idx:
4471 logger.info("Test: Too large transform length in SAi1")
4472 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4473 0, 0, 8 + 8, 1, 1, 0, 1,
4474 0, 0, 9, 0, 0, 0)
4475 return build_ike(ctx['id'], next=33, ike=ike)
4476
4477 idx += 1
4478 if ctx['num'] == idx:
4479 logger.info("Test: Unexpected Transform type in SAi1")
4480 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4481 0, 0, 8 + 8, 1, 1, 0, 1,
4482 1, 0, 8, 0, 0, 0)
4483 return build_ike(ctx['id'], next=33, ike=ike)
4484
4485 idx += 1
4486 if ctx['num'] == idx:
4487 logger.info("Test: No transform attributes in SAi1")
4488 ike = struct.pack(">BBHBBHBBBBBBHBBH", 0, 0, 4 + 8 + 8,
4489 0, 0, 8 + 8, 1, 1, 0, 1,
4490 0, 0, 8, 0, 0, 0)
4491 return build_ike(ctx['id'], next=33, ike=ike)
4492
4493 idx += 1
4494 if ctx['num'] == idx:
4495 logger.info("Test: No transform attr for AES and unexpected data after transforms in SAi1")
4496 tlen1 = 8 + 3
4497 tlen2 = 8 + 4
4498 tlen3 = 8 + 4
4499 tlen = tlen1 + tlen2 + tlen3
4500 ike = struct.pack(">BBHBBHBBBBBBHBBH3BBBHBBHHHBBHBBHHHB",
4501 0, 0, 4 + 8 + tlen + 1,
4502 0, 0, 8 + tlen + 1, 1, 1, 0, 3,
4503 3, 0, tlen1, 1, 0, 12, 1, 2, 3,
4504 3, 0, tlen2, 1, 0, 12, 0, 128,
4505 0, 0, tlen3, 1, 0, 12, 0x8000 | 14, 127,
4506 1)
4507 return build_ike(ctx['id'], next=33, ike=ike)
4508
4509 def build_sa(next=0):
4510 tlen = 5 * 8
4511 return struct.pack(">BBHBBHBBBBBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH",
4512 next, 0, 4 + 8 + tlen,
4513 0, 0, 8 + tlen, 1, 1, 0, 5,
4514 3, 0, 8, 1, 0, 3,
4515 3, 0, 8, 2, 0, 1,
4516 3, 0, 8, 3, 0, 1,
4517 3, 0, 8, 4, 0, 5,
4518 0, 0, 8, 241, 0, 0)
4519
4520 idx += 1
4521 if ctx['num'] == idx:
4522 logger.info("Test: Valid proposal, but no KEi in SAi1")
4523 ike = build_sa()
4524 return build_ike(ctx['id'], next=33, ike=ike)
4525
4526 idx += 1
4527 if ctx['num'] == idx:
4528 logger.info("Test: Empty KEi in SAi1")
4529 ike = build_sa(next=34) + struct.pack(">BBH", 0, 0, 4)
4530 return build_ike(ctx['id'], next=33, ike=ike)
4531
4532 idx += 1
4533 if ctx['num'] == idx:
4534 logger.info("Test: Mismatch in DH Group in SAi1")
4535 ike = build_sa(next=34)
4536 ike += struct.pack(">BBHHH", 0, 0, 4 + 4 + 96, 12345, 0)
4537 ike += 96*'\x00'
4538 return build_ike(ctx['id'], next=33, ike=ike)
4539 idx += 1
4540 if ctx['num'] == idx:
4541 logger.info("Test: EAP-Failure")
4542 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4543
4544 idx += 1
4545 if ctx['num'] == idx:
4546 logger.info("Test: Invalid DH public value length in SAi1")
4547 ike = build_sa(next=34)
4548 ike += struct.pack(">BBHHH", 0, 0, 4 + 4 + 96, 5, 0)
4549 ike += 96*'\x00'
4550 return build_ike(ctx['id'], next=33, ike=ike)
4551
4552 def build_ke(next=0):
4553 ke = struct.pack(">BBHHH", next, 0, 4 + 4 + 192, 5, 0)
4554 ke += 192*'\x00'
4555 return ke
4556
4557 idx += 1
4558 if ctx['num'] == idx:
4559 logger.info("Test: Valid proposal and KEi, but no Ni in SAi1")
4560 ike = build_sa(next=34)
4561 ike += build_ke()
4562 return build_ike(ctx['id'], next=33, ike=ike)
4563
4564 idx += 1
4565 if ctx['num'] == idx:
4566 logger.info("Test: Too short Ni in SAi1")
4567 ike = build_sa(next=34)
4568 ike += build_ke(next=40)
4569 ike += struct.pack(">BBH", 0, 0, 4)
4570 return build_ike(ctx['id'], next=33, ike=ike)
4571
4572 idx += 1
4573 if ctx['num'] == idx:
4574 logger.info("Test: Too long Ni in SAi1")
4575 ike = build_sa(next=34)
4576 ike += build_ke(next=40)
4577 ike += struct.pack(">BBH", 0, 0, 4 + 257) + 257*'\x00'
4578 return build_ike(ctx['id'], next=33, ike=ike)
4579
4580 def build_ni(next=0):
4581 return struct.pack(">BBH", next, 0, 4 + 256) + 256*'\x00'
4582
4583 def build_sai1(id):
4584 ike = build_sa(next=34)
4585 ike += build_ke(next=40)
4586 ike += build_ni()
4587 return build_ike(ctx['id'], next=33, ike=ike)
4588
4589 idx += 1
4590 if ctx['num'] == idx:
4591 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4592 return build_sai1(ctx['id'])
4593 idx += 1
4594 if ctx['num'] == idx:
4595 logger.info("Test: EAP-Failure")
4596 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4597
4598 idx += 1
4599 if ctx['num'] == idx:
4600 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4601 return build_sai1(ctx['id'])
4602 idx += 1
4603 if ctx['num'] == idx:
4604 logger.info("Test: No integrity checksum")
4605 ike = ''
4606 return build_ike(ctx['id'], next=37, ike=ike)
4607
4608 idx += 1
4609 if ctx['num'] == idx:
4610 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4611 return build_sai1(ctx['id'])
4612 idx += 1
4613 if ctx['num'] == idx:
4614 logger.info("Test: Truncated integrity checksum")
4615 return struct.pack(">BBHBB",
4616 EAP_CODE_REQUEST, ctx['id'],
4617 4 + 1 + 1,
4618 EAP_TYPE_IKEV2, 0x20)
4619
4620 idx += 1
4621 if ctx['num'] == idx:
4622 logger.info("Test: Valid proposal, KEi, and Ni in SAi1")
4623 return build_sai1(ctx['id'])
4624 idx += 1
4625 if ctx['num'] == idx:
4626 logger.info("Test: Invalid integrity checksum")
4627 ike = ''
4628 return build_ike(ctx['id'], next=37, flags=0x20, ike=ike)
4629
4630 return None
4631
4632 srv = start_radius_server(ikev2_handler)
cb0555f7
JM		 4633
4634 try:
4635 hapd = start_ap(apdev[0]['ifname'])
4636
4637 for i in range(49):
4638 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4639 eap="IKEV2", identity="user",
4640 password="password",
4641 wait_connect=False)
4642 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4643 timeout=15)
4644 if ev is None:
4645 raise Exception("Timeout on EAP start")
4646 if i in [ 40, 45 ]:
4647 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
4648 timeout=10)
4649 if ev is None:
4650 raise Exception("Timeout on EAP failure")
4651 else:
4652 time.sleep(0.05)
4653 dev[0].request("REMOVE_NETWORK all")
4654 finally:
4655 stop_radius_server(srv)
37211e15
JM		 4656
4657def NtPasswordHash(password):
4658 pw = password.encode('utf_16_le')
4659 return hashlib.new('md4', pw).digest()
4660
4661def HashNtPasswordHash(password_hash):
4662 return hashlib.new('md4', password_hash).digest()
4663
4664def ChallengeHash(peer_challenge, auth_challenge, username):
4665 data = peer_challenge + auth_challenge + username
4666 return hashlib.sha1(data).digest()[0:8]
4667
4668def GenerateAuthenticatorResponse(password, nt_response, peer_challenge,
4669 auth_challenge, username):
4670 magic1 = binascii.unhexlify("4D616769632073657276657220746F20636C69656E74207369676E696E6720636F6E7374616E74")
4671 magic2 = binascii.unhexlify("50616420746F206D616B6520697420646F206D6F7265207468616E206F6E6520697465726174696F6E")
4672
4673 password_hash = NtPasswordHash(password)
4674 password_hash_hash = HashNtPasswordHash(password_hash)
4675 data = password_hash_hash + nt_response + magic1
4676 digest = hashlib.sha1(data).digest()
4677
4678 challenge = ChallengeHash(peer_challenge, auth_challenge, username)
4679
4680 data = digest + challenge + magic2
4681 resp = hashlib.sha1(data).digest()
4682 return resp
4683
4073ef22
JM		 4684def test_eap_proto_ikev2_errors(dev, apdev):
4685 """EAP-IKEv2 local error cases"""
4686 check_eap_capa(dev[0], "IKEV2")
4687 params = hostapd.wpa2_eap_params(ssid="eap-test")
4688 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
4689
4690 for i in range(1, 5):
4691 with alloc_fail(dev[0], i, "eap_ikev2_init"):
4692 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4693 eap="IKEV2", identity="ikev2 user",
4694 password="ike password",
4695 wait_connect=False)
4696 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
4697 timeout=15)
4698 if ev is None:
4699 raise Exception("Timeout on EAP start")
4700 dev[0].request("REMOVE_NETWORK all")
4701 dev[0].wait_disconnected()
4702
4703 tests = [ (1, "ikev2_encr_encrypt"),
4704 (1, "ikev2_encr_decrypt"),
4705 (1, "ikev2_derive_auth_data"),
4706 (2, "ikev2_derive_auth_data"),
4707 (1, "=ikev2_decrypt_payload"),
4708 (1, "ikev2_encr_decrypt;ikev2_decrypt_payload"),
4709 (1, "ikev2_encr_encrypt;ikev2_build_encrypted"),
4710 (1, "ikev2_derive_sk_keys"),
4711 (2, "ikev2_derive_sk_keys"),
4712 (3, "ikev2_derive_sk_keys"),
4713 (4, "ikev2_derive_sk_keys"),
4714 (5, "ikev2_derive_sk_keys"),
4715 (6, "ikev2_derive_sk_keys"),
4716 (7, "ikev2_derive_sk_keys"),
4717 (8, "ikev2_derive_sk_keys"),
4718 (1, "eap_ikev2_derive_keymat;eap_ikev2_peer_keymat"),
4719 (1, "eap_msg_alloc;eap_ikev2_build_msg"),
4720 (1, "eap_ikev2_getKey"),
4721 (1, "eap_ikev2_get_emsk"),
4722 (1, "eap_ikev2_get_session_id"),
4723 (1, "=ikev2_derive_keys"),
4724 (2, "=ikev2_derive_keys"),
4725 (1, "wpabuf_alloc;ikev2_process_kei"),
4726 (1, "=ikev2_process_idi"),
4727 (1, "ikev2_derive_auth_data;ikev2_build_auth"),
4728 (1, "wpabuf_alloc;ikev2_build_sa_init"),
4729 (2, "wpabuf_alloc;ikev2_build_sa_init"),
4730 (3, "wpabuf_alloc;ikev2_build_sa_init"),
4731 (4, "wpabuf_alloc;ikev2_build_sa_init"),
4732 (5, "wpabuf_alloc;ikev2_build_sa_init"),
4733 (6, "wpabuf_alloc;ikev2_build_sa_init"),
4734 (1, "wpabuf_alloc;ikev2_build_sa_auth"),
4735 (2, "wpabuf_alloc;ikev2_build_sa_auth"),
4736 (1, "ikev2_build_auth;ikev2_build_sa_auth") ]
4737 for count, func in tests:
4738 with alloc_fail(dev[0], count, func):
4739 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4740 eap="IKEV2", identity="ikev2 user",
4741 password="ike password", erp="1", wait_connect=False)
4742 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4743 timeout=15)
4744 if ev is None:
4745 raise Exception("Timeout on EAP start")
4746 ok = False
4747 for j in range(10):
4748 state = dev[0].request('GET_ALLOC_FAIL')
4749 if state.startswith('0:'):
4750 ok = True
4751 break
4752 time.sleep(0.1)
4753 if not ok:
4754 raise Exception("No allocation failure seen for %d:%s" % (count, func))
4755 dev[0].request("REMOVE_NETWORK all")
4756 dev[0].wait_disconnected()
4757
4758 tests = [ (1, "wpabuf_alloc;ikev2_build_notify"),
4759 (2, "wpabuf_alloc;ikev2_build_notify"),
4760 (1, "ikev2_build_encrypted;ikev2_build_notify") ]
4761 for count, func in tests:
4762 with alloc_fail(dev[0], count, func):
4763 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4764 eap="IKEV2", identity="ikev2 user",
4765 password="wrong password", erp="1",
4766 wait_connect=False)
4767 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4768 timeout=15)
4769 if ev is None:
4770 raise Exception("Timeout on EAP start")
4771 ok = False
4772 for j in range(10):
4773 state = dev[0].request('GET_ALLOC_FAIL')
4774 if state.startswith('0:'):
4775 ok = True
4776 break
4777 time.sleep(0.1)
4778 if not ok:
4779 raise Exception("No allocation failure seen for %d:%s" % (count, func))
4780 dev[0].request("REMOVE_NETWORK all")
4781 dev[0].wait_disconnected()
4782
4783 tests = [ (1, "ikev2_integ_hash"),
4784 (1, "ikev2_integ_hash;ikev2_decrypt_payload"),
4785 (1, "os_get_random;ikev2_build_encrypted"),
4786 (1, "ikev2_prf_plus;ikev2_derive_sk_keys"),
4787 (1, "eap_ikev2_derive_keymat;eap_ikev2_peer_keymat"),
4788 (1, "os_get_random;ikev2_build_sa_init"),
4789 (2, "os_get_random;ikev2_build_sa_init"),
4790 (1, "ikev2_integ_hash;eap_ikev2_validate_icv"),
4791 (1, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_keys"),
4792 (1, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data"),
4793 (2, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data"),
4794 (3, "hmac_sha1_vector;?ikev2_prf_hash;ikev2_derive_auth_data") ]
4795 for count, func in tests:
4796 with fail_test(dev[0], count, func):
4797 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
4798 eap="IKEV2", identity="ikev2 user",
4799 password="ike password", wait_connect=False)
4800 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4801 timeout=15)
4802 if ev is None:
4803 raise Exception("Timeout on EAP start")
4804 ok = False
4805 for j in range(10):
4806 state = dev[0].request('GET_FAIL')
4807 if state.startswith('0:'):
4808 ok = True
4809 break
4810 time.sleep(0.1)
4811 if not ok:
4812 raise Exception("No failure seen for %d:%s" % (count, func))
4813 dev[0].request("REMOVE_NETWORK all")
4814 dev[0].wait_disconnected()
4815
4816 params = { "ssid": "eap-test2", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
4817 "rsn_pairwise": "CCMP", "ieee8021x": "1",
4818 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
4819 "fragment_size": "50" }
4820 hostapd.add_ap(apdev[1]['ifname'], params)
4821
4822 tests = [ (1, "eap_ikev2_build_frag_ack"),
4823 (1, "wpabuf_alloc;eap_ikev2_process_fragment") ]
4824 for count, func in tests:
4825 with alloc_fail(dev[0], count, func):
4826 dev[0].connect("eap-test2", key_mgmt="WPA-EAP", scan_freq="2412",
4827 eap="IKEV2", identity="ikev2 user",
4828 password="ike password", erp="1", wait_connect=False)
4829 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
4830 timeout=15)
4831 if ev is None:
4832 raise Exception("Timeout on EAP start")
4833 ok = False
4834 for j in range(10):
4835 state = dev[0].request('GET_ALLOC_FAIL')
4836 if state.startswith('0:'):
4837 ok = True
4838 break
4839 time.sleep(0.1)
4840 if not ok:
4841 raise Exception("No allocation failure seen for %d:%s" % (count, func))
4842 dev[0].request("REMOVE_NETWORK all")
4843 dev[0].wait_disconnected()
4844
37211e15
JM		 4845def test_eap_proto_mschapv2(dev, apdev):
4846 """EAP-MSCHAPv2 protocol tests"""
4847 check_eap_capa(dev[0], "MSCHAPV2")
4848
4849 def mschapv2_handler(ctx, req):
4850 logger.info("mschapv2_handler - RX " + req.encode("hex"))
4851 if 'num' not in ctx:
4852 ctx['num'] = 0
4853 ctx['num'] = ctx['num'] + 1
4854 if 'id' not in ctx:
4855 ctx['id'] = 1
4856 ctx['id'] = (ctx['id'] + 1) % 256
4857 idx = 0
4858
4859 idx += 1
4860 if ctx['num'] == idx:
4861 logger.info("Test: Missing payload")
4862 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
4863 4 + 1,
4864 EAP_TYPE_MSCHAPV2)
4865
4866 idx += 1
4867 if ctx['num'] == idx:
4868 logger.info("Test: Unknown MSCHAPv2 op_code")
4869 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4870 4 + 1 + 4 + 1,
4871 EAP_TYPE_MSCHAPV2,
4872 0, 0, 5, 0)
4873
4874 idx += 1
4875 if ctx['num'] == idx:
4876 logger.info("Test: Invalid ms_len and unknown MSCHAPv2 op_code")
4877 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4878 4 + 1 + 4 + 1,
4879 EAP_TYPE_MSCHAPV2,
4880 255, 0, 0, 0)
4881
4882 idx += 1
4883 if ctx['num'] == idx:
4884 logger.info("Test: Success before challenge")
4885 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4886 4 + 1 + 4 + 1,
4887 EAP_TYPE_MSCHAPV2,
4888 3, 0, 5, 0)
4889
4890 idx += 1
4891 if ctx['num'] == idx:
4892 logger.info("Test: Failure before challenge - required challenge field not present")
4893 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4894 4 + 1 + 4 + 1,
4895 EAP_TYPE_MSCHAPV2,
4896 4, 0, 5, 0)
4897 idx += 1
4898 if ctx['num'] == idx:
4899 logger.info("Test: Failure")
4900 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4901
4902 idx += 1
4903 if ctx['num'] == idx:
4904 logger.info("Test: Failure before challenge - invalid failure challenge len")
4905 payload = 'C=12'
4906 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
4907 4 + 1 + 4 + len(payload),
4908 EAP_TYPE_MSCHAPV2,
4909 4, 0, 4 + len(payload)) + payload
4910 idx += 1
4911 if ctx['num'] == idx:
4912 logger.info("Test: Failure")
4913 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4914
4915 idx += 1
4916 if ctx['num'] == idx:
4917 logger.info("Test: Failure before challenge - invalid failure challenge len")
4918 payload = 'C=12 V=3'
4919 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
4920 4 + 1 + 4 + len(payload),
4921 EAP_TYPE_MSCHAPV2,
4922 4, 0, 4 + len(payload)) + payload
4923 idx += 1
4924 if ctx['num'] == idx:
4925 logger.info("Test: Failure")
4926 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4927
4928 idx += 1
4929 if ctx['num'] == idx:
4930 logger.info("Test: Failure before challenge - invalid failure challenge")
4931 payload = 'C=00112233445566778899aabbccddeefQ '
4932 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
4933 4 + 1 + 4 + len(payload),
4934 EAP_TYPE_MSCHAPV2,
4935 4, 0, 4 + len(payload)) + payload
4936 idx += 1
4937 if ctx['num'] == idx:
4938 logger.info("Test: Failure")
4939 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
4940
4941 idx += 1
4942 if ctx['num'] == idx:
4943 logger.info("Test: Failure before challenge - password expired")
4944 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
4945 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
4946 4 + 1 + 4 + len(payload),
4947 EAP_TYPE_MSCHAPV2,
4948 4, 0, 4 + len(payload)) + payload
4949 idx += 1
4950 if ctx['num'] == idx:
4951 logger.info("Test: Success after password change")
4952 payload = "S=1122334455667788990011223344556677889900"
4953 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
4954 4 + 1 + 4 + len(payload),
4955 EAP_TYPE_MSCHAPV2,
4956 3, 0, 4 + len(payload)) + payload
4957
4958 idx += 1
4959 if ctx['num'] == idx:
4960 logger.info("Test: Invalid challenge length")
4961 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4962 4 + 1 + 4 + 1,
4963 EAP_TYPE_MSCHAPV2,
4964 1, 0, 4 + 1, 0)
4965
4966 idx += 1
4967 if ctx['num'] == idx:
4968 logger.info("Test: Too short challenge packet")
4969 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4970 4 + 1 + 4 + 1,
4971 EAP_TYPE_MSCHAPV2,
4972 1, 0, 4 + 1, 16)
4973
4974 idx += 1
4975 if ctx['num'] == idx:
4976 logger.info("Test: Challenge")
4977 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
4978 4 + 1 + 4 + 1 + 16 + 6,
4979 EAP_TYPE_MSCHAPV2,
4980 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
4981 idx += 1
4982 if ctx['num'] == idx:
4983 logger.info("Test: Failure - password expired")
4984 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
4985 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
4986 4 + 1 + 4 + len(payload),
4987 EAP_TYPE_MSCHAPV2,
4988 4, 0, 4 + len(payload)) + payload
4989 idx += 1
4990 if ctx['num'] == idx:
4991 logger.info("Test: Success after password change")
4992 if len(req) != 591:
4993 logger.info("Unexpected Change-Password packet length: %s" % len(req))
4994 return None
4995 data = req[9:]
4996 enc_pw = data[0:516]
4997 data = data[516:]
4998 enc_hash = data[0:16]
4999 data = data[16:]
5000 peer_challenge = data[0:16]
5001 data = data[16:]
5002 # Reserved
5003 data = data[8:]
5004 nt_response = data[0:24]
5005 data = data[24:]
5006 flags = data
5007 logger.info("enc_hash: " + enc_hash.encode("hex"))
5008 logger.info("peer_challenge: " + peer_challenge.encode("hex"))
5009 logger.info("nt_response: " + nt_response.encode("hex"))
5010 logger.info("flags: " + flags.encode("hex"))
5011
5012 auth_challenge = binascii.unhexlify("00112233445566778899aabbccddeeff")
5013 logger.info("auth_challenge: " + auth_challenge.encode("hex"))
5014
5015 auth_resp = GenerateAuthenticatorResponse("new-pw", nt_response,
5016 peer_challenge,
5017 auth_challenge, "user")
5018 payload = "S=" + auth_resp.encode('hex').upper()
5019 logger.info("Success message payload: " + payload)
5020 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5021 4 + 1 + 4 + len(payload),
5022 EAP_TYPE_MSCHAPV2,
5023 3, 0, 4 + len(payload)) + payload
5024 idx += 1
5025 if ctx['num'] == idx:
5026 logger.info("Test: EAP-Success")
5027 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
5028
5029 idx += 1
5030 if ctx['num'] == idx:
5031 logger.info("Test: Failure - password expired")
5032 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5033 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5034 4 + 1 + 4 + len(payload),
5035 EAP_TYPE_MSCHAPV2,
5036 4, 0, 4 + len(payload)) + payload
5037 idx += 1
5038 if ctx['num'] == idx:
5039 logger.info("Test: Success after password change")
5040 if len(req) != 591:
5041 logger.info("Unexpected Change-Password packet length: %s" % len(req))
5042 return None
5043 data = req[9:]
5044 enc_pw = data[0:516]
5045 data = data[516:]
5046 enc_hash = data[0:16]
5047 data = data[16:]
5048 peer_challenge = data[0:16]
5049 data = data[16:]
5050 # Reserved
5051 data = data[8:]
5052 nt_response = data[0:24]
5053 data = data[24:]
5054 flags = data
5055 logger.info("enc_hash: " + enc_hash.encode("hex"))
5056 logger.info("peer_challenge: " + peer_challenge.encode("hex"))
5057 logger.info("nt_response: " + nt_response.encode("hex"))
5058 logger.info("flags: " + flags.encode("hex"))
5059
5060 auth_challenge = binascii.unhexlify("00112233445566778899aabbccddeeff")
5061 logger.info("auth_challenge: " + auth_challenge.encode("hex"))
5062
5063 auth_resp = GenerateAuthenticatorResponse("new-pw", nt_response,
5064 peer_challenge,
5065 auth_challenge, "user")
5066 payload = "S=" + auth_resp.encode('hex').upper()
5067 logger.info("Success message payload: " + payload)
5068 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5069 4 + 1 + 4 + len(payload),
5070 EAP_TYPE_MSCHAPV2,
5071 3, 0, 4 + len(payload)) + payload
5072 idx += 1
5073 if ctx['num'] == idx:
5074 logger.info("Test: EAP-Success")
5075 return struct.pack(">BBH", EAP_CODE_SUCCESS, ctx['id'], 4)
5076
5077 idx += 1
5078 if ctx['num'] == idx:
5079 logger.info("Test: Challenge")
5080 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5081 4 + 1 + 4 + 1 + 16 + 6,
5082 EAP_TYPE_MSCHAPV2,
5083 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5084 idx += 1
5085 if ctx['num'] == idx:
5086 logger.info("Test: Failure - authentication failure")
5087 payload = 'E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed'
5088 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5089 4 + 1 + 4 + len(payload),
5090 EAP_TYPE_MSCHAPV2,
5091 4, 0, 4 + len(payload)) + payload
5092
5093 idx += 1
5094 if ctx['num'] == idx:
5095 logger.info("Test: Challenge")
5096 return struct.pack(">BBHBBBHB", EAP_CODE_REQUEST, ctx['id'],
5097 4 + 1 + 4 + 1 + 16 + 6,
5098 EAP_TYPE_MSCHAPV2,
5099 1, 0, 4 + 1 + 16 + 6, 16) + 16*'A' + 'foobar'
5100 idx += 1
5101 if ctx['num'] == idx:
5102 logger.info("Test: Failure - authentication failure")
5103 payload = 'E=691 R=1 C=00112233445566778899aabbccddeeff V=3 M=Authentication failed (2)'
5104 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5105 4 + 1 + 4 + len(payload),
5106 EAP_TYPE_MSCHAPV2,
5107 4, 0, 4 + len(payload)) + payload
5108 idx += 1
5109 if ctx['num'] == idx:
5110 logger.info("Test: Failure")
5111 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5112
5113 return None
5114
5115 srv = start_radius_server(mschapv2_handler)
5116
5117 try:
5118 hapd = start_ap(apdev[0]['ifname'])
5119
5120 for i in range(0, 15):
5121 logger.info("RUN: %d" % i)
5122 if i == 12:
5123 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5124 eap="MSCHAPV2", identity="user",
5125 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
5126 wait_connect=False)
5127 elif i == 14:
5128 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5129 eap="MSCHAPV2", identity="user",
5130 phase2="mschapv2_retry=0",
5131 password="password", wait_connect=False)
5132 else:
5133 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5134 eap="MSCHAPV2", identity="user",
5135 password="password", wait_connect=False)
5136 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=15)
5137 if ev is None:
5138 raise Exception("Timeout on EAP start")
5139
5140 if i in [ 8, 11, 12 ]:
5141 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"],
5142 timeout=10)
5143 if ev is None:
5144 raise Exception("Timeout on new password request")
5145 id = ev.split(':')[0].split('-')[-1]
5146 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5147 if i in [ 11, 12 ]:
5148 ev = dev[0].wait_event(["CTRL-EVENT-PASSWORD-CHANGED"],
5149 timeout=10)
5150 if ev is None:
5151 raise Exception("Timeout on password change")
5152 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"],
5153 timeout=10)
5154 if ev is None:
5155 raise Exception("Timeout on EAP success")
5156 else:
5157 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5158 timeout=10)
5159 if ev is None:
5160 raise Exception("Timeout on EAP failure")
5161
5162 if i in [ 13 ]:
5163 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"],
5164 timeout=10)
5165 if ev is None:
5166 raise Exception("Timeout on identity request")
5167 id = ev.split(':')[0].split('-')[-1]
5168 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":user")
5169
5170 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD"],
5171 timeout=10)
5172 if ev is None:
5173 raise Exception("Timeout on password request")
5174 id = ev.split(':')[0].split('-')[-1]
5175 dev[0].request("CTRL-RSP-PASSWORD-" + id + ":password")
5176
5177 # TODO: Does this work correctly?
5178
5179 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5180 timeout=10)
5181 if ev is None:
5182 raise Exception("Timeout on EAP failure")
5183
5184 if i in [ 4, 5, 6, 7, 14 ]:
5185 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"],
5186 timeout=10)
5187 if ev is None:
5188 raise Exception("Timeout on EAP failure")
5189 else:
5190 time.sleep(0.05)
5191 dev[0].request("REMOVE_NETWORK all")
5192 dev[0].wait_disconnected(timeout=1)
5193 finally:
5194 stop_radius_server(srv)
7c0d66cf
JM		 5195
5196def test_eap_proto_mschapv2_errors(dev, apdev):
5197 """EAP-MSCHAPv2 protocol tests (error paths)"""
5198 check_eap_capa(dev[0], "MSCHAPV2")
5199
5200 def mschapv2_handler(ctx, req):
5201 logger.info("mschapv2_handler - RX " + req.encode("hex"))
5202 if 'num' not in ctx:
5203 ctx['num'] = 0
5204 ctx['num'] = ctx['num'] + 1
5205 if 'id' not in ctx:
5206 ctx['id'] = 1
5207 ctx['id'] = (ctx['id'] + 1) % 256
5208 idx = 0
5209
5210 idx += 1
5211 if ctx['num'] == idx:
5212 logger.info("Test: Failure before challenge - password expired")
5213 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5214 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5215 4 + 1 + 4 + len(payload),
5216 EAP_TYPE_MSCHAPV2,
5217 4, 0, 4 + len(payload)) + payload
5218 idx += 1
5219 if ctx['num'] == idx:
5220 logger.info("Test: Success after password change")
5221 payload = "S=1122334455667788990011223344556677889900"
5222 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5223 4 + 1 + 4 + len(payload),
5224 EAP_TYPE_MSCHAPV2,
5225 3, 0, 4 + len(payload)) + payload
5226
5227 idx += 1
5228 if ctx['num'] == idx:
5229 logger.info("Test: Failure before challenge - password expired")
5230 payload = 'E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired'
5231 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5232 4 + 1 + 4 + len(payload),
5233 EAP_TYPE_MSCHAPV2,
5234 4, 0, 4 + len(payload)) + payload
5235 idx += 1
5236 if ctx['num'] == idx:
5237 logger.info("Test: Success after password change")
5238 payload = "S=1122334455667788990011223344556677889900"
5239 return struct.pack(">BBHBBBH", EAP_CODE_REQUEST, ctx['id'],
5240 4 + 1 + 4 + len(payload),
5241 EAP_TYPE_MSCHAPV2,
5242 3, 0, 4 + len(payload)) + payload
5243
5244 return None
5245
5246 srv = start_radius_server(mschapv2_handler)
5247
5248 try:
5249 hapd = start_ap(apdev[0]['ifname'])
5250
5251 with fail_test(dev[0], 1, "eap_mschapv2_change_password"):
5252 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5253 eap="MSCHAPV2", identity="user",
5254 password="password", wait_connect=False)
5255 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"], timeout=10)
5256 if ev is None:
5257 raise Exception("Timeout on new password request")
5258 id = ev.split(':')[0].split('-')[-1]
5259 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5260 wait_fail_trigger(dev[0], "GET_FAIL")
5261 dev[0].request("REMOVE_NETWORK all")
5262 dev[0].wait_disconnected(timeout=1)
5263
5264 with fail_test(dev[0], 1, "get_master_key;eap_mschapv2_change_password"):
5265 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5266 eap="MSCHAPV2", identity="user",
5267 password="password", wait_connect=False)
5268 ev = dev[0].wait_event(["CTRL-REQ-NEW_PASSWORD"], timeout=10)
5269 if ev is None:
5270 raise Exception("Timeout on new password request")
5271 id = ev.split(':')[0].split('-')[-1]
5272 dev[0].request("CTRL-RSP-NEW_PASSWORD-" + id + ":new-pw")
5273 wait_fail_trigger(dev[0], "GET_FAIL")
5274 dev[0].request("REMOVE_NETWORK all")
5275 dev[0].wait_disconnected(timeout=1)
5276 finally:
5277 stop_radius_server(srv)
8a848fae
JM		 5278
5279def test_eap_proto_pwd(dev, apdev):
5280 """EAP-pwd protocol tests"""
5281 check_eap_capa(dev[0], "PWD")
5282
5283 global eap_proto_pwd_test_done, eap_proto_pwd_test_wait
5284 eap_proto_pwd_test_done = False
5285 eap_proto_pwd_test_wait = False
5286
5287 def pwd_handler(ctx, req):
5288 logger.info("pwd_handler - RX " + req.encode("hex"))
5289 if 'num' not in ctx:
5290 ctx['num'] = 0
5291 ctx['num'] = ctx['num'] + 1
5292 if 'id' not in ctx:
5293 ctx['id'] = 1
5294 ctx['id'] = (ctx['id'] + 1) % 256
5295 idx = 0
5296
5297 global eap_proto_pwd_test_wait
5298 eap_proto_pwd_test_wait = False
5299
5300 idx += 1
5301 if ctx['num'] == idx:
5302 logger.info("Test: Missing payload")
5303 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1,
5304 EAP_TYPE_PWD)
5305
5306 idx += 1
5307 if ctx['num'] == idx:
5308 logger.info("Test: Missing Total-Length field")
5309 payload = struct.pack("B", 0x80)
5310 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5311 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5312
5313 idx += 1
5314 if ctx['num'] == idx:
5315 logger.info("Test: Too large Total-Length")
5316 payload = struct.pack(">BH", 0x80, 65535)
5317 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5318 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5319
5320 idx += 1
5321 if ctx['num'] == idx:
5322 eap_proto_pwd_test_wait = True
5323 logger.info("Test: First fragment")
5324 payload = struct.pack(">BH", 0xc0, 10)
5325 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5326 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5327 idx += 1
5328 if ctx['num'] == idx:
5329 logger.info("Test: Unexpected Total-Length value in the second fragment")
5330 payload = struct.pack(">BH", 0x80, 0)
5331 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5332 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5333
5334 idx += 1
5335 if ctx['num'] == idx:
5336 logger.info("Test: First and only fragment")
5337 payload = struct.pack(">BH", 0x80, 0)
5338 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5339 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5340
5341 idx += 1
5342 if ctx['num'] == idx:
5343 logger.info("Test: First and only fragment with extra data")
5344 payload = struct.pack(">BHB", 0x80, 0, 0)
5345 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5346 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5347
5348 idx += 1
5349 if ctx['num'] == idx:
5350 eap_proto_pwd_test_wait = True
5351 logger.info("Test: First fragment")
5352 payload = struct.pack(">BHB", 0xc0, 2, 1)
5353 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5354 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5355 idx += 1
5356 if ctx['num'] == idx:
5357 logger.info("Test: Extra data in the second fragment")
5358 payload = struct.pack(">BBB", 0x0, 2, 3)
5359 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5360 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5361
5362 idx += 1
5363 if ctx['num'] == idx:
5364 logger.info("Test: Too short id exchange")
5365 payload = struct.pack(">B", 0x01)
5366 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5367 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5368
5369 idx += 1
5370 if ctx['num'] == idx:
5371 logger.info("Test: Unsupported rand func in id exchange")
5372 payload = struct.pack(">BHBBLB", 0x01, 0, 0, 0, 0, 0)
5373 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5374 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5375
5376 idx += 1
5377 if ctx['num'] == idx:
5378 logger.info("Test: Unsupported prf in id exchange")
5379 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 0, 0, 0)
5380 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5381 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5382
5383 idx += 1
5384 if ctx['num'] == idx:
5385 logger.info("Test: Unsupported password pre-processing technique in id exchange")
5386 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 255)
5387 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5388 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5389
5390 idx += 1
5391 if ctx['num'] == idx:
5392 eap_proto_pwd_test_wait = True
5393 logger.info("Test: Valid id exchange")
5394 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5395 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5396 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5397 idx += 1
5398 if ctx['num'] == idx:
5399 logger.info("Test: Unexpected id exchange")
5400 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5401 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5402 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5403
5404 idx += 1
5405 if ctx['num'] == idx:
5406 logger.info("Test: Unexpected commit exchange")
5407 payload = struct.pack(">B", 0x02)
5408 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5409 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5410
5411 idx += 1
5412 if ctx['num'] == idx:
5413 eap_proto_pwd_test_wait = True
5414 logger.info("Test: Valid id exchange")
5415 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5416 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5417 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5418 idx += 1
5419 if ctx['num'] == idx:
5420 logger.info("Test: Unexpected Commit payload length")
5421 payload = struct.pack(">B", 0x02)
5422 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5423 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5424
5425 idx += 1
5426 if ctx['num'] == idx:
5427 eap_proto_pwd_test_wait = True
5428 logger.info("Test: Valid id exchange")
5429 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5430 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5431 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5432 idx += 1
5433 if ctx['num'] == idx:
5434 logger.info("Test: Commit payload with all zeros values --> Shared key at infinity")
5435 payload = struct.pack(">B", 0x02) + 96*'\0'
5436 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5437 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5438
5439 idx += 1
5440 if ctx['num'] == idx:
5441 eap_proto_pwd_test_wait = True
5442 logger.info("Test: Valid id exchange")
5443 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5444 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5445 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5446 idx += 1
5447 if ctx['num'] == idx:
5448 eap_proto_pwd_test_wait = True
5449 logger.info("Test: Commit payload with valid values")
5450 element = binascii.unhexlify("8dcab2862c5396839a6bac0c689ff03d962863108e7c275bbf1d6eedf634ee832a214db99f0d0a1a6317733eecdd97f0fc4cda19f57e1bb9bb9c8dcf8c60ba6f")
5451 scalar = binascii.unhexlify("450f31e058cf2ac2636a5d6e2b3c70b1fcc301957f0716e77f13aa69f9a2e5bd")
5452 payload = struct.pack(">B", 0x02) + element + scalar
5453 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5454 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5455 idx += 1
5456 if ctx['num'] == idx:
5457 logger.info("Test: Unexpected Confirm payload length 0")
5458 payload = struct.pack(">B", 0x03)
5459 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5460 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5461
5462 idx += 1
5463 if ctx['num'] == idx:
5464 eap_proto_pwd_test_wait = True
5465 logger.info("Test: Valid id exchange")
5466 payload = struct.pack(">BHBBLB", 0x01, 19, 1, 1, 0, 0)
5467 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5468 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5469 idx += 1
5470 if ctx['num'] == idx:
5471 eap_proto_pwd_test_wait = True
5472 logger.info("Test: Commit payload with valid values")
5473 element = binascii.unhexlify("8dcab2862c5396839a6bac0c689ff03d962863108e7c275bbf1d6eedf634ee832a214db99f0d0a1a6317733eecdd97f0fc4cda19f57e1bb9bb9c8dcf8c60ba6f")
5474 scalar = binascii.unhexlify("450f31e058cf2ac2636a5d6e2b3c70b1fcc301957f0716e77f13aa69f9a2e5bd")
5475 payload = struct.pack(">B", 0x02) + element + scalar
5476 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5477 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5478 idx += 1
5479 if ctx['num'] == idx:
5480 logger.info("Test: Confirm payload with incorrect value")
5481 payload = struct.pack(">B", 0x03) + 32*'\0'
5482 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5483 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5484
5485 idx += 1
5486 if ctx['num'] == idx:
5487 logger.info("Test: Unexpected confirm exchange")
5488 payload = struct.pack(">B", 0x03)
5489 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'],
5490 4 + 1 + len(payload), EAP_TYPE_PWD) + payload
5491
5492 logger.info("No more test responses available - test case completed")
5493 global eap_proto_pwd_test_done
5494 eap_proto_pwd_test_done = True
5495 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5496
5497 srv = start_radius_server(pwd_handler)
5498
5499 try:
5500 hapd = start_ap(apdev[0]['ifname'])
5501
5502 i = 0
5503 while not eap_proto_pwd_test_done:
5504 i += 1
5505 logger.info("Running connection iteration %d" % i)
5506 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5507 eap="PWD", identity="pwd user",
5508 password="secret password",
5509 wait_connect=False)
5510 ok = False
5511 for j in range(5):
5512 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS",
5513 "CTRL-EVENT-EAP-PROPOSED-METHOD"],
5514 timeout=5)
5515 if ev is None:
5516 raise Exception("Timeout on EAP start")
5517 if "CTRL-EVENT-EAP-PROPOSED-METHOD" in ev:
5518 ok = True
5519 break
5520 if "CTRL-EVENT-EAP-STATUS" in ev and "status='completion' parameter='failure'" in ev:
5521 ok = True
5522 break
5523 if not ok:
5524 raise Exception("Expected EAP event not seen")
5525 if eap_proto_pwd_test_wait:
5526 for k in range(10):
5527 time.sleep(0.1)
5528 if not eap_proto_pwd_test_wait:
5529 break
5530 dev[0].request("REMOVE_NETWORK all")
5531 dev[0].wait_disconnected(timeout=1)
5532 dev[0].dump_monitor()
5533 finally:
5534 stop_radius_server(srv)
fe5aa8cb
JM		 5535
5536def test_eap_proto_pwd_errors(dev, apdev):
5537 """EAP-pwd local error cases"""
5538 check_eap_capa(dev[0], "PWD")
5539 params = hostapd.wpa2_eap_params(ssid="eap-test")
5540 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5541
5542 for i in range(1, 4):
5543 with alloc_fail(dev[0], i, "eap_pwd_init"):
5544 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5545 eap="PWD", identity="pwd user",
5546 password="secret password",
5547 wait_connect=False)
5548 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
5549 timeout=15)
5550 if ev is None:
5551 raise Exception("Timeout on EAP start")
5552 dev[0].request("REMOVE_NETWORK all")
5553 dev[0].wait_disconnected()
5554
5555 with alloc_fail(dev[0], 1, "eap_pwd_get_session_id"):
5556 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5557 eap="PWD", identity="pwd user",
5558 password="secret password")
5559 dev[0].request("REMOVE_NETWORK all")
5560 dev[0].wait_disconnected()
5561
5562 for i in range(1, 7):
5563 with alloc_fail(dev[0], i, "eap_pwd_perform_id_exchange"):
5564 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5565 eap="PWD", identity="pwd user",
5566 password="secret password",
5567 wait_connect=False)
5568 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5569 timeout=15)
5570 if ev is None:
5571 raise Exception("Timeout on EAP start")
5572 ok = False
5573 for j in range(10):
5574 state = dev[0].request('GET_ALLOC_FAIL')
5575 if state.startswith('0:'):
5576 ok = True
5577 break
5578 time.sleep(0.1)
5579 if not ok:
5580 raise Exception("No allocation failure seen")
5581 dev[0].request("REMOVE_NETWORK all")
5582 dev[0].wait_disconnected()
5583
5584 with alloc_fail(dev[0], 1, "wpabuf_alloc;eap_pwd_perform_id_exchange"):
5585 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5586 eap="PWD", identity="pwd user",
5587 password="secret password",
5588 wait_connect=False)
5589 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5590 timeout=15)
5591 if ev is None:
5592 raise Exception("Timeout on EAP start")
5593 dev[0].request("REMOVE_NETWORK all")
5594 dev[0].wait_disconnected()
5595
5596 for i in range(1, 4):
5597 with alloc_fail(dev[0], i, "eap_pwd_perform_commit_exchange"):
5598 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5599 eap="PWD", identity="pwd user",
5600 password="secret password",
5601 wait_connect=False)
5602 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5603 timeout=15)
5604 if ev is None:
5605 raise Exception("Timeout on EAP start")
5606 ok = False
5607 for j in range(10):
5608 state = dev[0].request('GET_ALLOC_FAIL')
5609 if state.startswith('0:'):
5610 ok = True
5611 break
5612 time.sleep(0.1)
5613 if not ok:
5614 raise Exception("No allocation failure seen")
5615 dev[0].request("REMOVE_NETWORK all")
5616 dev[0].wait_disconnected()
5617
5618 for i in range(1, 12):
5619 with alloc_fail(dev[0], i, "eap_pwd_perform_confirm_exchange"):
5620 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5621 eap="PWD", identity="pwd user",
5622 password="secret password",
5623 wait_connect=False)
5624 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5625 timeout=15)
5626 if ev is None:
5627 raise Exception("Timeout on EAP start")
5628 ok = False
5629 for j in range(10):
5630 state = dev[0].request('GET_ALLOC_FAIL')
5631 if state.startswith('0:'):
5632 ok = True
5633 break
5634 time.sleep(0.1)
5635 if not ok:
5636 raise Exception("No allocation failure seen")
5637 dev[0].request("REMOVE_NETWORK all")
5638 dev[0].wait_disconnected()
5639
5640 for i in range(1, 4):
5641 with alloc_fail(dev[0], i, "eap_msg_alloc;=eap_pwd_process"):
5642 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5643 eap="PWD", identity="pwd user",
5644 password="secret password",
5645 wait_connect=False)
5646 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5647 timeout=15)
5648 if ev is None:
5649 raise Exception("Timeout on EAP start")
5650 ok = False
5651 for j in range(10):
5652 state = dev[0].request('GET_ALLOC_FAIL')
5653 if state.startswith('0:'):
5654 ok = True
5655 break
5656 time.sleep(0.1)
5657 if not ok:
5658 raise Exception("No allocation failure seen")
5659 dev[0].request("REMOVE_NETWORK all")
5660 dev[0].wait_disconnected()
5661
5662 # No password configured
5663 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5664 eap="PWD", identity="pwd user",
5665 wait_connect=False)
5666 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=52"],
5667 timeout=15)
5668 if ev is None:
5669 raise Exception("EAP-pwd not started")
5670 dev[0].request("REMOVE_NETWORK all")
5671 dev[0].wait_disconnected()
b6f17f2f
JM		 5672
5673def test_eap_proto_erp(dev, apdev):
5674 """ERP protocol tests"""
5675 check_erp_capa(dev[0])
5676
5677 global eap_proto_erp_test_done
5678 eap_proto_erp_test_done = False
5679
5680 def erp_handler(ctx, req):
5681 logger.info("erp_handler - RX " + req.encode("hex"))
5682 if 'num' not in ctx:
5683 ctx['num'] = 0
5684 ctx['num'] += 1
5685 if 'id' not in ctx:
5686 ctx['id'] = 1
5687 ctx['id'] = (ctx['id'] + 1) % 256
5688 idx = 0
5689
5690 idx += 1
5691 if ctx['num'] == idx:
5692 logger.info("Test: Missing type")
5693 return struct.pack(">BBH", EAP_CODE_INITIATE, ctx['id'], 4)
5694
5695 idx += 1
5696 if ctx['num'] == idx:
5697 logger.info("Test: Unexpected type")
5698 return struct.pack(">BBHB", EAP_CODE_INITIATE, ctx['id'], 4 + 1,
5699 255)
5700
5701 idx += 1
5702 if ctx['num'] == idx:
5703 logger.info("Test: Missing Reserved field")
5704 return struct.pack(">BBHB", EAP_CODE_INITIATE, ctx['id'], 4 + 1,
5705 EAP_ERP_TYPE_REAUTH_START)
5706
5707 idx += 1
5708 if ctx['num'] == idx:
5709 logger.info("Test: Zero-length TVs/TLVs")
5710 payload = ""
5711 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5712 4 + 1 + 1 + len(payload),
5713 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5714
5715 idx += 1
5716 if ctx['num'] == idx:
5717 logger.info("Test: Too short TLV")
5718 payload = struct.pack("B", 191)
5719 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5720 4 + 1 + 1 + len(payload),
5721 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5722
5723 idx += 1
5724 if ctx['num'] == idx:
5725 logger.info("Test: Truncated TLV")
5726 payload = struct.pack("BB", 191, 1)
5727 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5728 4 + 1 + 1 + len(payload),
5729 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5730
5731 idx += 1
5732 if ctx['num'] == idx:
5733 logger.info("Test: Ignored unknown TLV and unknown TV/TLV terminating parsing")
5734 payload = struct.pack("BBB", 191, 0, 192)
5735 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5736 4 + 1 + 1 + len(payload),
5737 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5738
5739 idx += 1
5740 if ctx['num'] == idx:
5741 logger.info("Test: More than one keyName-NAI")
5742 payload = struct.pack("BBBB", EAP_ERP_TLV_KEYNAME_NAI, 0,
5743 EAP_ERP_TLV_KEYNAME_NAI, 0)
5744 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5745 4 + 1 + 1 + len(payload),
5746 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5747
5748 idx += 1
5749 if ctx['num'] == idx:
5750 logger.info("Test: Too short TLV keyName-NAI")
5751 payload = struct.pack("B", EAP_ERP_TLV_KEYNAME_NAI)
5752 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5753 4 + 1 + 1 + len(payload),
5754 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5755
5756 idx += 1
5757 if ctx['num'] == idx:
5758 logger.info("Test: Truncated TLV keyName-NAI")
5759 payload = struct.pack("BB", EAP_ERP_TLV_KEYNAME_NAI, 1)
5760 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5761 4 + 1 + 1 + len(payload),
5762 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5763
5764 idx += 1
5765 if ctx['num'] == idx:
5766 logger.info("Test: Valid rRK lifetime TV followed by too short rMSK lifetime TV")
5767 payload = struct.pack(">BLBH", EAP_ERP_TV_RRK_LIFETIME, 0,
5768 EAP_ERP_TV_RMSK_LIFETIME, 0)
5769 return struct.pack(">BBHBB", EAP_CODE_INITIATE, ctx['id'],
5770 4 + 1 + 1 + len(payload),
5771 EAP_ERP_TYPE_REAUTH_START, 0) + payload
5772
5773 idx += 1
5774 if ctx['num'] == idx:
5775 logger.info("Test: Missing type (Finish)")
5776 return struct.pack(">BBH", EAP_CODE_FINISH, ctx['id'], 4)
5777
5778 idx += 1
5779 if ctx['num'] == idx:
5780 logger.info("Test: Unexpected type (Finish)")
5781 return struct.pack(">BBHB", EAP_CODE_FINISH, ctx['id'], 4 + 1,
5782 255)
5783
5784 idx += 1
5785 if ctx['num'] == idx:
5786 logger.info("Test: Missing fields (Finish)")
5787 return struct.pack(">BBHB", EAP_CODE_FINISH, ctx['id'], 4 + 1,
5788 EAP_ERP_TYPE_REAUTH)
5789
5790 idx += 1
5791 if ctx['num'] == idx:
5792 logger.info("Test: Unexpected SEQ (Finish)")
5793 return struct.pack(">BBHBBHB", EAP_CODE_FINISH, ctx['id'],
5794 4 + 1 + 4,
5795 EAP_ERP_TYPE_REAUTH, 0, 0xffff, 0)
5796
5797 logger.info("No more test responses available - test case completed")
5798 global eap_proto_erp_test_done
5799 eap_proto_erp_test_done = True
5800 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
5801
5802 srv = start_radius_server(erp_handler)
5803
5804 try:
5805 hapd = start_ap(apdev[0]['ifname'])
5806
5807 i = 0
5808 while not eap_proto_erp_test_done:
5809 i += 1
5810 logger.info("Running connection iteration %d" % i)
5811 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5812 eap="PAX", identity="pax.user@example.com",
5813 password_hex="0123456789abcdef0123456789abcdef",
5814 wait_connect=False)
5815 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
5816 if ev is None:
5817 raise Exception("Timeout on EAP start")
5818 time.sleep(0.1)
5819 dev[0].request("REMOVE_NETWORK all")
5820 dev[0].wait_disconnected(timeout=1)
5821 dev[0].dump_monitor()
5822 finally:
5823 stop_radius_server(srv)
5b7784a8
JM		 5824
5825def test_eap_proto_fast_errors(dev, apdev):
5826 """EAP-FAST local error cases"""
5827 check_eap_capa(dev[0], "FAST")
5828 params = hostapd.wpa2_eap_params(ssid="eap-test")
5829 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
5830
5831 for i in range(1, 5):
5832 with alloc_fail(dev[0], i, "eap_fast_init"):
5833 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5834 eap="FAST", anonymous_identity="FAST",
5835 identity="user", password="password",
5836 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
5837 phase1="fast_provisioning=2",
5838 pac_file="blob://fast_pac_auth",
5839 wait_connect=False)
5840 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
5841 timeout=5)
5842 if ev is None:
5843 raise Exception("Timeout on EAP start")
5844 dev[0].request("REMOVE_NETWORK all")
5845 dev[0].wait_disconnected()
5846
5847 tests = [ (1, "wpabuf_alloc;eap_fast_tlv_eap_payload"),
5848 (1, "eap_fast_derive_key;eap_fast_derive_key_auth"),
5849 (1, "eap_msg_alloc;eap_peer_tls_phase2_nak"),
5850 (1, "wpabuf_alloc;eap_fast_tlv_result"),
5851 (1, "wpabuf_alloc;eap_fast_tlv_pac_ack"),
5852 (1, "=eap_peer_tls_derive_session_id;eap_fast_process_crypto_binding"),
5853 (1, "eap_peer_tls_decrypt;eap_fast_decrypt"),
5854 (1, "eap_fast_getKey"),
5855 (1, "eap_fast_get_session_id"),
5856 (1, "eap_fast_get_emsk") ]
5857 for count, func in tests:
5858 dev[0].request("SET blob fast_pac_auth_errors ")
5859 with alloc_fail(dev[0], count, func):
5860 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5861 eap="FAST", anonymous_identity="FAST",
5862 identity="user", password="password",
5863 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
5864 phase1="fast_provisioning=2",
5865 pac_file="blob://fast_pac_auth_errors",
5866 erp="1",
5867 wait_connect=False)
5868 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5869 timeout=15)
5870 if ev is None:
5871 raise Exception("Timeout on EAP start")
5872 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5873 dev[0].request("REMOVE_NETWORK all")
5874 dev[0].wait_disconnected()
5875
5876 tests = [ (1, "eap_fast_derive_key;eap_fast_derive_key_provisioning"),
5877 (1, "eap_mschapv2_getKey;eap_fast_get_phase2_key"),
5878 (1, "=eap_fast_use_pac_opaque"),
5879 (1, "eap_fast_copy_buf"),
5880 (1, "=eap_fast_add_pac"),
5881 (1, "=eap_fast_init_pac_data"),
5882 (1, "=eap_fast_write_pac"),
5883 (2, "=eap_fast_write_pac") ]
5884 for count, func in tests:
5885 dev[0].request("SET blob fast_pac_errors ")
5886 with alloc_fail(dev[0], count, func):
5887 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5888 eap="FAST", anonymous_identity="FAST",
5889 identity="user", password="password",
5890 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5891 phase1="fast_provisioning=1",
5892 pac_file="blob://fast_pac_errors",
5893 erp="1",
5894 wait_connect=False)
5895 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5896 timeout=15)
5897 if ev is None:
5898 raise Exception("Timeout on EAP start")
5899 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
5900 dev[0].request("REMOVE_NETWORK all")
5901 dev[0].wait_disconnected()
5902
5903 tests = [ (1, "eap_fast_get_cmk;eap_fast_process_crypto_binding"),
5904 (1, "eap_fast_derive_eap_msk;eap_fast_process_crypto_binding"),
5905 (1, "eap_fast_derive_eap_emsk;eap_fast_process_crypto_binding") ]
5906 for count, func in tests:
5907 dev[0].request("SET blob fast_pac_auth_errors ")
5908 with fail_test(dev[0], count, func):
5909 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5910 eap="FAST", anonymous_identity="FAST",
5911 identity="user", password="password",
5912 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
5913 phase1="fast_provisioning=2",
5914 pac_file="blob://fast_pac_auth_errors",
5915 erp="1",
5916 wait_connect=False)
5917 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
5918 timeout=15)
5919 if ev is None:
5920 raise Exception("Timeout on EAP start")
5921 wait_fail_trigger(dev[0], "GET_FAIL")
5922 dev[0].request("REMOVE_NETWORK all")
5923 dev[0].wait_disconnected()
5924
5925 dev[0].request("SET blob fast_pac_errors ")
5926 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5927 eap="FAST", anonymous_identity="FAST",
5928 identity="user", password="password",
5929 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
5930 phase1="fast_provisioning=1",
5931 pac_file="blob://fast_pac_errors",
5932 wait_connect=False)
5933 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
5934 if ev is None:
5935 raise Exception("Timeout on EAP start")
5936 # EAP-FAST: Only EAP-MSCHAPv2 is allowed during unauthenticated
5937 # provisioning; reject phase2 type 6
5938 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
5939 if ev is None:
5940 raise Exception("Timeout on EAP failure")
5941 dev[0].request("REMOVE_NETWORK all")
5942 dev[0].wait_disconnected()
5943
5944 logger.info("Wrong password in Phase 2")
5945 dev[0].request("SET blob fast_pac_errors ")
5946 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5947 eap="FAST", anonymous_identity="FAST",
5948 identity="user", password="wrong password",
5949 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
5950 phase1="fast_provisioning=1",
5951 pac_file="blob://fast_pac_errors",
5952 wait_connect=False)
5953 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
5954 if ev is None:
5955 raise Exception("Timeout on EAP start")
5956 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
5957 if ev is None:
5958 raise Exception("Timeout on EAP failure")
5959 dev[0].request("REMOVE_NETWORK all")
5960 dev[0].wait_disconnected()
5961
5962 tests = [ "FOOBAR\n",
5963 "wpa_supplicant EAP-FAST PAC file - version 1\nFOOBAR\n",
5964 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\n",
5965 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nSTART\n",
5966 "wpa_supplicant EAP-FAST PAC file - version 1\nEND\n",
5967 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Type=12345\nEND\n"
5968 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=12\nEND\n",
5969 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=1\nEND\n",
5970 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Key=1q\nEND\n",
5971 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nPAC-Opaque=1\nEND\n",
5972 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nA-ID=1\nEND\n",
5973 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nI-ID=1\nEND\n",
5974 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nA-ID-Info=1\nEND\n" ]
5975 for pac in tests:
5976 blob = binascii.hexlify(pac)
5977 dev[0].request("SET blob fast_pac_errors " + blob)
5978 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5979 eap="FAST", anonymous_identity="FAST",
5980 identity="user", password="password",
5981 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
5982 phase1="fast_provisioning=2",
5983 pac_file="blob://fast_pac_errors",
5984 wait_connect=False)
5985 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
5986 timeout=5)
5987 if ev is None:
5988 raise Exception("Timeout on EAP start")
5989 dev[0].request("REMOVE_NETWORK all")
5990 dev[0].wait_disconnected()
5991
5992 tests = [ "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nEND\n",
5993 "wpa_supplicant EAP-FAST PAC file - version 1\nSTART\nEND\nSTART\nEND\nSTART\nEND\n" ]
5994 for pac in tests:
5995 blob = binascii.hexlify(pac)
5996 dev[0].request("SET blob fast_pac_errors " + blob)
5997 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
5998 eap="FAST", anonymous_identity="FAST",
5999 identity="user", password="password",
6000 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
6001 phase1="fast_provisioning=2",
6002 pac_file="blob://fast_pac_errors")
6003 dev[0].request("REMOVE_NETWORK all")
6004 dev[0].wait_disconnected()
6005
6006 dev[0].request("SET blob fast_pac_errors ")
a551da6a
JM		 6007
6008def test_eap_proto_peap_errors(dev, apdev):
6009 """EAP-PEAP local error cases"""
6010 check_eap_capa(dev[0], "PEAP")
6011 check_eap_capa(dev[0], "MSCHAPV2")
6012 params = hostapd.wpa2_eap_params(ssid="eap-test")
6013 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6014
6015 for i in range(1, 5):
6016 with alloc_fail(dev[0], i, "eap_peap_init"):
6017 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6018 eap="PEAP", anonymous_identity="peap",
6019 identity="user", password="password",
6020 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6021 wait_connect=False)
6022 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6023 timeout=5)
6024 if ev is None:
6025 raise Exception("Timeout on EAP start")
6026 dev[0].request("REMOVE_NETWORK all")
6027 dev[0].wait_disconnected()
6028
6029 tests = [ (1, "eap_mschapv2_getKey;eap_peap_get_isk;eap_peap_derive_cmk"),
6030 (1, "eap_msg_alloc;eap_tlv_build_result"),
6031 (1, "eap_mschapv2_init;eap_peap_phase2_request"),
6032 (1, "eap_peer_tls_decrypt;eap_peap_decrypt"),
6033 (1, "wpabuf_alloc;=eap_peap_decrypt"),
6034 (1, "eap_peer_tls_encrypt;eap_peap_decrypt"),
6035 (1, "eap_peer_tls_process_helper;eap_peap_process"),
6036 (1, "eap_peer_tls_derive_key;eap_peap_process"),
6037 (1, "eap_peer_tls_derive_session_id;eap_peap_process"),
6038 (1, "eap_peap_getKey"),
6039 (1, "eap_peap_get_session_id") ]
6040 for count, func in tests:
6041 with alloc_fail(dev[0], count, func):
6042 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6043 eap="PEAP", anonymous_identity="peap",
6044 identity="user", password="password",
6045 phase1="peapver=0 crypto_binding=2",
6046 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6047 erp="1", wait_connect=False)
6048 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6049 timeout=15)
6050 if ev is None:
6051 raise Exception("Timeout on EAP start")
6052 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6053 dev[0].request("REMOVE_NETWORK all")
6054 dev[0].wait_disconnected()
6055
6056 tests = [ (1, "peap_prfplus;eap_peap_derive_cmk"),
6057 (1, "eap_tlv_add_cryptobinding;eap_tlv_build_result"),
6058 (1, "peap_prfplus;eap_peap_getKey") ]
6059 for count, func in tests:
6060 with fail_test(dev[0], count, func):
6061 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6062 eap="PEAP", anonymous_identity="peap",
6063 identity="user", password="password",
6064 phase1="peapver=0 crypto_binding=2",
6065 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6066 erp="1", wait_connect=False)
6067 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6068 timeout=15)
6069 if ev is None:
6070 raise Exception("Timeout on EAP start")
6071 wait_fail_trigger(dev[0], "GET_FAIL")
6072 dev[0].request("REMOVE_NETWORK all")
6073 dev[0].wait_disconnected()
6074
6075 with alloc_fail(dev[0], 1,
6076 "eap_peer_tls_phase2_nak;eap_peap_phase2_request"):
6077 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6078 eap="PEAP", anonymous_identity="peap",
6079 identity="cert user", password="password",
6080 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6081 wait_connect=False)
6082 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
6083 dev[0].request("REMOVE_NETWORK all")
6084 dev[0].wait_disconnected()
c44e4994
JM		 6085
6086def test_eap_proto_ttls_errors(dev, apdev):
6087 """EAP-TTLS local error cases"""
6088 check_eap_capa(dev[0], "TTLS")
6089 check_eap_capa(dev[0], "MSCHAPV2")
6090 params = hostapd.wpa2_eap_params(ssid="eap-test")
6091 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
6092
6093 for i in range(1, 5):
6094 with alloc_fail(dev[0], i, "eap_ttls_init"):
6095 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6096 eap="TTLS", anonymous_identity="ttls",
6097 identity="user", password="password",
6098 ca_cert="auth_serv/ca.pem",
6099 phase2="autheap=MSCHAPV2",
6100 wait_connect=False)
6101 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
6102 timeout=5)
6103 if ev is None:
6104 raise Exception("Timeout on EAP start")
6105 dev[0].request("REMOVE_NETWORK all")
6106 dev[0].wait_disconnected()
6107
6108 tests = [ (1, "eap_peer_tls_derive_key;eap_ttls_v0_derive_key",
6109 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6110 (1, "eap_peer_tls_derive_session_id;eap_ttls_v0_derive_key",
6111 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6112 (1, "wpabuf_alloc;eap_ttls_phase2_request_mschapv2",
6113 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6114 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_mschapv2",
6115 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6116 (1, "eap_peer_tls_encrypt;eap_ttls_encrypt_response;eap_ttls_implicit_identity_request",
6117 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6118 (1, "eap_peer_tls_decrypt;eap_ttls_decrypt",
6119 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6120 (1, "eap_ttls_getKey",
6121 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6122 (1, "eap_ttls_get_session_id",
6123 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6124 (1, "eap_ttls_get_emsk",
6125 "DOMAIN\mschapv2 user", "auth=MSCHAPV2"),
6126 (1, "wpabuf_alloc;eap_ttls_phase2_request_mschap",
6127 "mschap user", "auth=MSCHAP"),
6128 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_mschap",
6129 "mschap user", "auth=MSCHAP"),
6130 (1, "wpabuf_alloc;eap_ttls_phase2_request_chap",
6131 "chap user", "auth=CHAP"),
6132 (1, "eap_peer_tls_derive_key;eap_ttls_phase2_request_chap",
6133 "chap user", "auth=CHAP"),
6134 (1, "wpabuf_alloc;eap_ttls_phase2_request_pap",
6135 "pap user", "auth=PAP"),
6136 (1, "wpabuf_alloc;eap_ttls_avp_encapsulate",
6137 "user", "autheap=MSCHAPV2"),
6138 (1, "eap_mschapv2_init;eap_ttls_phase2_request_eap_method",
6139 "user", "autheap=MSCHAPV2"),
6140 (1, "eap_sm_buildIdentity;eap_ttls_phase2_request_eap",
6141 "user", "autheap=MSCHAPV2"),
6142 (1, "eap_ttls_avp_encapsulate;eap_ttls_phase2_request_eap",
6143 "user", "autheap=MSCHAPV2"),
6144 (1, "eap_ttls_parse_attr_eap",
6145 "user", "autheap=MSCHAPV2"),
6146 (1, "eap_peer_tls_encrypt;eap_ttls_encrypt_response;eap_ttls_process_decrypted",
6147 "user", "autheap=MSCHAPV2"),
6148 (1, "eap_ttls_fake_identity_request",
6149 "user", "autheap=MSCHAPV2"),
6150 (1, "eap_msg_alloc;eap_tls_process_output",
6151 "user", "autheap=MSCHAPV2"),
6152 (1, "eap_msg_alloc;eap_peer_tls_build_ack",
6153 "user", "autheap=MSCHAPV2"),
6154 (1, "tls_connection_decrypt;eap_peer_tls_decrypt",
6155 "user", "autheap=MSCHAPV2"),
6156 (1, "eap_peer_tls_phase2_nak;eap_ttls_phase2_request_eap_method",
6157 "cert user", "autheap=MSCHAPV2") ]
6158 for count, func, identity, phase2 in tests:
6159 with alloc_fail(dev[0], count, func):
6160 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6161 eap="TTLS", anonymous_identity="ttls",
6162 identity=identity, password="password",
6163 ca_cert="auth_serv/ca.pem", phase2=phase2,
6164 erp="1", wait_connect=False)
6165 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6166 timeout=15)
6167 if ev is None:
6168 raise Exception("Timeout on EAP start")
6169 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL",
6170 note="Allocation failure not triggered for: %d:%s" % (count, func))
6171 dev[0].request("REMOVE_NETWORK all")
6172 dev[0].wait_disconnected()
6173
6174 tests = [ (1, "os_get_random;eap_ttls_phase2_request_mschapv2"),
6175 (1, "mschapv2_derive_response;eap_ttls_phase2_request_mschapv2") ]
6176 for count, func in tests:
6177 with fail_test(dev[0], count, func):
6178 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412",
6179 eap="TTLS", anonymous_identity="ttls",
6180 identity="DOMAIN\mschapv2 user", password="password",
6181 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
6182 erp="1", wait_connect=False)
6183 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"],
6184 timeout=15)
6185 if ev is None:
6186 raise Exception("Timeout on EAP start")
6187 wait_fail_trigger(dev[0], "GET_FAIL",
6188 note="Test failure not triggered for: %d:%s" % (count, func))
6189 dev[0].request("REMOVE_NETWORK all")
6190 dev[0].wait_disconnected()
Unnamed repository; edit this file 'description' to name the repository.