From 0a3742950e54c701709ef8ea2436cda68765b382 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Thu, 2 Aug 2018 15:36:24 +0300
Subject: [PATCH] tests: Extend eap_proto_aka_prime to cover additional AT_KDF cases

Verify that EAP-AKA' client rejects Challenge with an appended AT_KDF and a modified AT_KDF value during KDF negotiation.

Signed-off-by: Jouni Malinen
---
 tests/hwsim/test_eap_proto.py | 83 ++++++++++++++++++++++++++++++++++-
 tests/hwsim/wpasupplicant.py | 3 ++
 2 files changed, 85 insertions(+), 1 deletion(-)

diff --git a/tests/hwsim/test_eap_proto.py b/tests/hwsim/test_eap_proto.py
index d920b9206..88ac039cb 100644
--- a/tests/hwsim/test_eap_proto.py
+++ b/tests/hwsim/test_eap_proto.py
@@ -3717,6 +3717,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Missing payload")
+ dev[0].note("Missing payload")
 return struct.pack(">BBHB", EAP_CODE_REQUEST, ctx['id'], 4 + 1, EAP_TYPE_AKA_PRIME)
@@ -3724,6 +3725,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with no attributes")
+ dev[0].note("Challenge with no attributes")
 return struct.pack(">BBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3, EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0)
@@ -3735,6 +3737,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with empty AT_KDF_INPUT")
+ dev[0].note("Challenge with empty AT_KDF_INPUT")
 return struct.pack(">BBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 4, EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
@@ -3747,6 +3750,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with AT_KDF_INPUT")
+ dev[0].note("Test: Challenge with AT_KDF_INPUT")
 return struct.pack(">BBHBBHBBHBBBB", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8, EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
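Review bot: The note added in the hunk at -3747, `dev[0].note("Test: Challenge with AT_KDF_INPUT")`, keeps the "Test: " prefix that every other added note drops; for consistency it should read `dev[0].note("Challenge with AT_KDF_INPUT")`. The notes in the later hunks at -3894 and -3915 also copy the unbalanced closing parenthesis from their logger strings ("... AUTN values)" and "... separation bit not set)"). Since each case now spells its label in two calls, a small local helper that takes one string and both logs it and calls dev[0].note() would keep the test log and the supplicant log from drifting apart. The enclosing handler starts and ends outside these hunks.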
@@ -3760,6 +3764,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with duplicated KDF")
+ dev[0].note("Challenge with duplicated KDF")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 3 * 4,
@@ -3777,6 +3782,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with multiple KDF proposals")
+ dev[0].note("Challenge with multiple KDF proposals (preparation)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 3 * 4,
@@ -3789,6 +3795,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with incorrect KDF selected")
+ dev[0].note("Challenge with incorrect KDF selected")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 4 * 4,
@@ -3807,6 +3814,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with multiple KDF proposals")
+ dev[0].note("Challenge with multiple KDF proposals (preparation)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 3 * 4,
@@ -3819,6 +3827,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with selected KDF not duplicated")
+ dev[0].note("Challenge with selected KDF not duplicated")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 3 * 4,
@@ -3836,6 +3845,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with multiple KDF proposals")
+ dev[0].note("Challenge with multiple KDF proposals (preparation)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 3 * 4,
@@ -3848,6 +3858,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with selected KDF duplicated (missing MAC, RAND, AUTN)")
+ dev[0].note("Challenge with selected KDF duplicated (missing MAC, RAND, AUTN)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 4 * 4,
@@ -3866,6 +3877,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with multiple unsupported KDF proposals")
+ dev[0].note("Challenge with multiple unsupported KDF proposals")
 return struct.pack(">BBHBBHBBHBBBBBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 2 * 4,
@@ -3882,6 +3894,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with multiple KDF proposals")
+ dev[0].note("Challenge with multiple KDF proposals (preparation)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 3 * 4,
@@ -3894,6 +3907,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with invalid MAC, RAND, AUTN values)")
+ dev[0].note("Challenge with invalid MAC, RAND, AUTN values)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBHBBH4LBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 4 * 4 + 20 + 20 + 20,
@@ -3915,6 +3929,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge - AMF separation bit not set)")
+ dev[0].note("Challenge - AMF separation bit not set)")
 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
@@ -3934,6 +3949,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge - Invalid MAC")
+ dev[0].note("Challenge - Invalid MAC")
 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
@@ -3953,6 +3969,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge - Valid MAC")
+ dev[0].note("Challenge - Valid MAC")
 return struct.pack(">BBHBBHBBHBBBBBBHBBH4LBBH4LBBH4L", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8 + 4 + 20 + 20 + 20,
@@ -3973,6 +3990,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Invalid AT_KDF_INPUT length")
+ dev[0].note("Invalid AT_KDF_INPUT length")
 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8, EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
@@ -3985,6 +4003,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Invalid AT_KDF length")
+ dev[0].note("Invalid AT_KDF length")
 return struct.pack(">BBHBBHBBHL", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 8, EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_IDENTITY, 0,
@@ -3997,6 +4016,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 idx += 1
 if ctx['num'] == idx:
 logger.info("Test: Challenge with large number of KDF proposals")
+ dev[0].note("Challenge with large number of KDF proposals")
 return struct.pack(">BBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBHBBH", EAP_CODE_REQUEST, ctx['id'], 4 + 1 + 3 + 12 * 4,
@@ -4018,6 +4038,67 @@ def test_eap_proto_aka_prime(dev, apdev):
 logger.info("Test: EAP-Failure")
 return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
+ idx += 1
+ if ctx['num'] == idx:
+ logger.info("Test: Challenge with multiple KDF proposals")
+ dev[0].note("Challenge with multiple KDF proposals (preparation)")
+ return struct.pack(">BBHBBHBBHBBBBBBHBBH",
+ EAP_CODE_REQUEST, ctx['id'],
+ 4 + 1 + 3 + 8 + 2 * 4,
+ EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
+ EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
+ ord('c'), ord('d'),
+ EAP_SIM_AT_KDF, 1, 2,
+ EAP_SIM_AT_KDF, 1, 1)
+ idx += 1
+ if ctx['num'] == idx:
+ logger.info("Test: Challenge with an extra KDF appended")
+ dev[0].note("Challenge with an extra KDF appended")
+ return struct.pack(">BBHBBHBBHBBBBBBHBBHBBHBBH",
+ EAP_CODE_REQUEST, ctx['id'],
+ 4 + 1 + 3 + 8 + 4 * 4,
+ EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
+ EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
+ ord('c'), ord('d'),
+ EAP_SIM_AT_KDF, 1, 1,
+ EAP_SIM_AT_KDF, 1, 2,
+ EAP_SIM_AT_KDF, 1, 1,
+ EAP_SIM_AT_KDF, 1, 0)
+ idx += 1
+ if ctx['num'] == idx:
+ logger.info("Test: EAP-Failure")
+ return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
+
+ idx += 1
+ if ctx['num'] == idx:
+ logger.info("Test: Challenge with multiple KDF proposals")
+ dev[0].note("Challenge with multiple KDF proposals (preparation)")
+ return struct.pack(">BBHBBHBBHBBBBBBHBBH",
+ EAP_CODE_REQUEST, ctx['id'],
+ 4 + 1 + 3 + 8 + 2 * 4,
+ EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
+ EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
+ ord('c'), ord('d'),
+ EAP_SIM_AT_KDF, 1, 2,
+ EAP_SIM_AT_KDF, 1, 1)
+ idx += 1
+ if ctx['num'] == idx:
+ logger.info("Test: Challenge with a modified KDF")
+ dev[0].note("Challenge with a modified KDF")
+ return struct.pack(">BBHBBHBBHBBBBBBHBBHBBH",
+ EAP_CODE_REQUEST, ctx['id'],
+ 4 + 1 + 3 + 8 + 3 * 4,
+ EAP_TYPE_AKA_PRIME, EAP_AKA_SUBTYPE_CHALLENGE, 0,
+ EAP_SIM_AT_KDF_INPUT, 2, 1, ord('a'), ord('b'),
+ ord('c'), ord('d'),
+ EAP_SIM_AT_KDF, 1, 1,
+ EAP_SIM_AT_KDF, 1, 0,
+ EAP_SIM_AT_KDF, 1, 1)
+ idx += 1
+ if ctx['num'] == idx:
+ logger.info("Test: EAP-Failure")
+ return struct.pack(">BBH", EAP_CODE_FAILURE, ctx['id'], 4)
+
 return None
 srv = start_radius_server(aka_prime_handler)
@@ -4025,7 +4106,7 @@ def test_eap_proto_aka_prime(dev, apdev):
 try:
 hapd = start_ap(apdev[0])
- for i in range(0, 16):
+ for i in range(0, 18):
 dev[0].connect("eap-test", key_mgmt="WPA-EAP", scan_freq="2412", eap="AKA'", identity="6555444333222111", password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py
index 2f2e703a3..78b5f6dc3 100644
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@@ -1315,3 +1315,6 @@ class WpaSupplicant:
 if "OK" not in self.global_request("%s %s adv_id=%s adv_mac=%s session=%d session_mac=%s %s" % (cmd, peer, adv_id, adv_mac, session_id, session_mac, params)):
 raise Exception("%s request failed" % cmd)
+
+ def note(self, txt):
+ self.request("NOTE " + txt)
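Review bot: Nothing in the two new sequences says which property of the re-sent AT_KDF list each one violates, and both preparation steps log the same "Test: Challenge with multiple KDF proposals" string as the earlier cases, so a reader has to compare the packed values by hand. From the values, the first offer is KDF 2, 1 and the follow-ups carry 1, 2, 1, 0 and 1, 0, 1; I would put that in a comment before each follow-up, e.g. `# Offer was [2, 1]; reply re-sends it after the selected KDF 1 but with an extra AT_KDF 0 appended` and `# Offer was [2, 1]; the re-sent list has its first entry changed from 2 to 0`. These look like the bidding-down checks of EAP-AKA' KDF negotiation (RFC 5448), so naming the expected client reaction next to each case would help whoever maintains them. The handler function starts and ends outside the hunk.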
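Review bot: The loop bound in `for i in range(0, 18):` has to be raised by hand whenever a sequence is added to the handler; if it falls behind, the newest negative cases are never sent and the test still passes, which silently removes coverage of the AT_KDF rejection paths. A comment on the loop stating what the number must equal would help, e.g. `# one iteration per handler sequence; update when adding cases to aka_prime_handler`. The loop body and the earlier sequences are outside the hunk, so I cannot confirm from here that 18 matches the handler.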
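Review bot: note() drops the reply from self.request(), while the method directly above it in this hunk raises when "OK" is missing, so a failed NOTE command would leave the supplicant log without its markers and nobody would notice. If the markers are meant to be best-effort, say so in a docstring, e.g. `"""Send a NOTE control command carrying txt; the reply is not checked."""`; otherwise check the reply the way the neighbouring code does, `if "OK" not in self.request("NOTE " + txt): raise Exception("NOTE request failed")`. The class body starts outside the hunk.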