tests: EAP-SIM/AKA/AKA' with SQLite
Extend EAP-SIM/AKA/AKA' test coverage by setting up another authentication server instance to store dynamic SIM/AKA/AKA' information into an SQLite database. This allows the stored reauth/pseudonym data to be modified on the server side and by doing so, allows testing fallback from reauth to pseudonym/permanent identity. Signed-off-by: Jouni Malinen <j@w1.fi>
parent
04cad507e1
commit
5b1aaf6cfb
4 changed files with 208 additions and 4 deletions
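--- /dev/null
+++ b/tests/hwsim/auth_serv/as2.conf
@@ -0,0 +1,21 @@
+driver=none
+radius_server_clients=auth_serv/radius_clients.conf
+radius_server_auth_port=1814
+eap_server=1
+eap_user_file=auth_serv/eap_user.conf
+
+interface=as2
+ctrl_interface=/var/run/hostapd
+ctrl_interface_group=admin
+
+ca_cert=auth_serv/ca.pem
+server_cert=auth_serv/server.pem
+private_key=auth_serv/server.key
+ocsp_stapling_response=auth_serv/ocsp-server-cache.der
+server_id=server2.w1.fi
+eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=LOGDIR/hostapd.db
+dh_file=auth_serv/dh.conf
+pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
+eap_fast_a_id=101112131415161718191a1b1c1d1e1f
+eap_fast_a_id_info=test server2
+eap_sim_aka_result_ind=1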
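Review bot: `eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=LOGDIR/hostapd.db` only becomes a usable path after start.sh has rewritten the `LOGDIR` token, and nothing in this file says so; the `auth_serv/...` entries are likewise relative to the hwsim working directory rather than to this file. A one-line comment above it, `# LOGDIR is substituted by start.sh (sed s%LOGDIR%$LOGDIR%); the db holds reauth/pseudonym state`, would save the next reader a trip through the start script. Since the reauth table in that database carries per-peer key material (the accompanying tests rewrite its `mk` and `k_aut` columns), it is also worth stating in the comment that the file lives in the log directory and is for the test setup only.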
@ -64,7 +64,7 @@ CONFIG_NO_RANDOM_POOL=y
|
||||||
CONFIG_WNM=y
|
CONFIG_WNM=y
|
||||||
CONFIG_INTERWORKING=y
|
CONFIG_INTERWORKING=y
|
||||||
CONFIG_HS20=y
|
CONFIG_HS20=y
|
||||||
#CONFIG_SQLITE=y
|
CONFIG_SQLITE=y
|
||||||
CONFIG_SAE=y
|
CONFIG_SAE=y
|
||||||
CFLAGS += -DALL_DH_GROUPS
|
CFLAGS += -DALL_DH_GROUPS
|
||||||
@ -43,6 +43,7 @@ for i in 0 1 2; do
|
||||||
done
|
done
|
||||||
|
|
||||||
sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
|
sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
|
||||||
|
sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
|
||||||
|
|
||||||
if [ "$1" = "valgrind" ]; then
|
if [ "$1" = "valgrind" ]; then
|
||||||
VALGRIND=y
|
VALGRIND=y
|
||||||
|
@ -87,7 +88,8 @@ if [ -x $HLR_AUC_GW ]; then
|
||||||
sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw &
|
sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw &
|
||||||
fi
|
fi
|
||||||
|
|
||||||
sudo $HAPD_AS -ddKt $LOGDIR/as.conf > $LOGDIR/auth_serv &
|
touch $LOGDIR/hostapd.db
|
||||||
|
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
|
||||||
|
|
||||||
# wait for programs to be fully initialized
|
# wait for programs to be fully initialized
|
||||||
for i in 0 1 2; do
|
for i in 0 1 2; do
|
||||||
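Review bot: `touch $LOGDIR/hostapd.db` in the second hunk creates the database with the caller's umask and never clears it, so a reused LOGDIR carries reauth/pseudonym rows from the previous run into the new tests, and the file — which the tests show holds per-peer `mk`/`k_aut` key material — is in most setups created world-readable. Replacing that line with `rm -f "$LOGDIR/hostapd.db"`, `touch "$LOGDIR/hostapd.db"` and `chmod 600 "$LOGDIR/hostapd.db"` gives each run a fresh, owner-only file; hostapd still opens it as root via sudo and the test process owns it, so neither side loses access. The sed in the first hunk uses `%` as the delimiter for the LOGDIR substitution, so a log directory path containing `%` would break it — probably acceptable for a test harness, but a short comment on that line would make the restriction explicit.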
@ -96,9 +96,10 @@ def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
|
||||||
if status["key_mgmt"] != e:
|
if status["key_mgmt"] != e:
|
||||||
raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
|
raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
|
||||||
|
|
||||||
def eap_reauth(dev, method, rsn=True, sha256=False):
|
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
|
||||||
dev.request("REAUTHENTICATE")
|
dev.request("REAUTHENTICATE")
|
||||||
eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256)
|
eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
|
||||||
|
expect_failure=expect_failure)
|
||||||
|
|
||||||
def test_ap_wpa2_eap_sim(dev, apdev):
|
def test_ap_wpa2_eap_sim(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-SIM"""
|
"""WPA2-Enterprise connection using EAP-SIM"""
|
||||||
|
@ -124,6 +125,66 @@ def test_ap_wpa2_eap_sim(dev, apdev):
|
||||||
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
|
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
|
||||||
expect_failure=True)
|
expect_failure=True)
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
|
||||||
|
"""WPA2-Enterprise connection using EAP-SIM (SQL)"""
|
||||||
|
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
||||||
|
logger.info("No hlr_auc_gw available");
|
||||||
|
return "skip"
|
||||||
|
try:
|
||||||
|
import sqlite3
|
||||||
|
except ImportError:
|
||||||
|
return "skip"
|
||||||
|
con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
params['auth_server_port'] = "1814"
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
|
||||||
|
|
||||||
|
logger.info("SIM fast re-authentication")
|
||||||
|
eap_reauth(dev[0], "SIM")
|
||||||
|
|
||||||
|
logger.info("SIM full auth with pseudonym")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
|
||||||
|
eap_reauth(dev[0], "SIM")
|
||||||
|
|
||||||
|
logger.info("SIM full auth with permanent identity")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
|
||||||
|
cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
|
||||||
|
eap_reauth(dev[0], "SIM")
|
||||||
|
|
||||||
|
logger.info("SIM reauth with mismatching MK")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
|
||||||
|
eap_reauth(dev[0], "SIM", expect_failure=True)
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
|
||||||
|
eap_reauth(dev[0], "SIM")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
|
||||||
|
logger.info("SIM reauth with mismatching counter")
|
||||||
|
eap_reauth(dev[0], "SIM")
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
|
||||||
|
logger.info("SIM reauth with max reauth count reached")
|
||||||
|
eap_reauth(dev[0], "SIM")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_aka(dev, apdev):
|
def test_ap_wpa2_eap_aka(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-AKA"""
|
"""WPA2-Enterprise connection using EAP-AKA"""
|
||||||
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
||||||
|
@ -142,6 +203,66 @@ def test_ap_wpa2_eap_aka(dev, apdev):
|
||||||
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
|
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
|
||||||
expect_failure=True)
|
expect_failure=True)
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
|
||||||
|
"""WPA2-Enterprise connection using EAP-AKA (SQL)"""
|
||||||
|
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
||||||
|
logger.info("No hlr_auc_gw available");
|
||||||
|
return "skip"
|
||||||
|
try:
|
||||||
|
import sqlite3
|
||||||
|
except ImportError:
|
||||||
|
return "skip"
|
||||||
|
con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
params['auth_server_port'] = "1814"
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
|
||||||
|
|
||||||
|
logger.info("AKA fast re-authentication")
|
||||||
|
eap_reauth(dev[0], "AKA")
|
||||||
|
|
||||||
|
logger.info("AKA full auth with pseudonym")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
|
||||||
|
eap_reauth(dev[0], "AKA")
|
||||||
|
|
||||||
|
logger.info("AKA full auth with permanent identity")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
|
||||||
|
cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
|
||||||
|
eap_reauth(dev[0], "AKA")
|
||||||
|
|
||||||
|
logger.info("AKA reauth with mismatching MK")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
|
||||||
|
eap_reauth(dev[0], "AKA", expect_failure=True)
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
|
||||||
|
eap_reauth(dev[0], "AKA")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
|
||||||
|
logger.info("AKA reauth with mismatching counter")
|
||||||
|
eap_reauth(dev[0], "AKA")
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
|
||||||
|
logger.info("AKA reauth with max reauth count reached")
|
||||||
|
eap_reauth(dev[0], "AKA")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_aka_prime(dev, apdev):
|
def test_ap_wpa2_eap_aka_prime(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-AKA'"""
|
"""WPA2-Enterprise connection using EAP-AKA'"""
|
||||||
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
||||||
|
@ -160,6 +281,66 @@ def test_ap_wpa2_eap_aka_prime(dev, apdev):
|
||||||
password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
|
password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
|
||||||
expect_failure=True)
|
expect_failure=True)
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
|
||||||
|
"""WPA2-Enterprise connection using EAP-AKA' (SQL)"""
|
||||||
|
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
|
||||||
|
logger.info("No hlr_auc_gw available");
|
||||||
|
return "skip"
|
||||||
|
try:
|
||||||
|
import sqlite3
|
||||||
|
except ImportError:
|
||||||
|
return "skip"
|
||||||
|
con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
params['auth_server_port'] = "1814"
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
|
||||||
|
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
|
||||||
|
|
||||||
|
logger.info("AKA' fast re-authentication")
|
||||||
|
eap_reauth(dev[0], "AKA'")
|
||||||
|
|
||||||
|
logger.info("AKA' full auth with pseudonym")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
|
||||||
|
eap_reauth(dev[0], "AKA'")
|
||||||
|
|
||||||
|
logger.info("AKA' full auth with permanent identity")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
|
||||||
|
cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
|
||||||
|
eap_reauth(dev[0], "AKA'")
|
||||||
|
|
||||||
|
logger.info("AKA' reauth with mismatching k_aut")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
|
||||||
|
eap_reauth(dev[0], "AKA'", expect_failure=True)
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
|
||||||
|
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
|
||||||
|
eap_reauth(dev[0], "AKA'")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
|
||||||
|
logger.info("AKA' reauth with mismatching counter")
|
||||||
|
eap_reauth(dev[0], "AKA'")
|
||||||
|
dev[0].request("REMOVE_NETWORK all")
|
||||||
|
|
||||||
|
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
|
||||||
|
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
|
||||||
|
with con:
|
||||||
|
cur = con.cursor()
|
||||||
|
cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
|
||||||
|
logger.info("AKA' reauth with max reauth count reached")
|
||||||
|
eap_reauth(dev[0], "AKA'")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
|
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-TTLS/PAP"""
|
"""WPA2-Enterprise connection using EAP-TTLS/PAP"""
|
||||||
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
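Review bot: Each of the three new `*_sql` tests opens `sqlite3.connect(...)` and never closes it — `with con:` only scopes a transaction, it does not close the connection — so the handle lives until garbage collection; wrapping the body in `try: ... finally: con.close()` (or `contextlib.closing(con)`) fixes that. Beyond that, `test_ap_wpa2_eap_sim_sql`, `test_ap_wpa2_eap_aka_sql` and `test_ap_wpa2_eap_aka_prime_sql` are the same ~55-line sequence differing only in method, permanent identity, password and the reauth key column (`mk` for SIM/AKA, `k_aut` for AKA'), so a shared helper keeps each entry point at a few lines; a sketch follows, which also stops rebinding the `params` fixture argument to the hostapd parameter dict and drops the stray semicolon in `logger.info("No hlr_auc_gw available");`. The UPDATE/DELETE statements run against the same SQLite file the live hostapd instance writes to, so if hostapd holds a write lock at that moment the cursor can raise `sqlite3.OperationalError: database is locked` — likely rare here, but passing `timeout=` to `sqlite3.connect` would make the tests less prone to that.
```python
def eap_sim_aka_sql_run(dev, apdev, params, method, identity, password,
                        key_col, bad_key):
    """Run the reauth/pseudonym/permanent-identity fallback sequence for one
    EAP-SIM/AKA/AKA' method against the SQLite-backed server on port 1814.

    key_col names the reauth column holding the reauth key ('mk' or 'k_aut')
    and bad_key the value written to it to force a mismatch.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"
    try:
        import sqlite3
    except ImportError:
        return "skip"
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        hapd_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        hapd_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], hapd_params)
        eap_connect(dev[0], apdev[0], method, identity, password=password)

        logger.info(method + " fast re-authentication")
        eap_reauth(dev[0], method)

        logger.info(method + " full auth with pseudonym")
        with con:
            con.execute("DELETE FROM reauth WHERE permanent=?", (identity,))
        eap_reauth(dev[0], method)

        logger.info(method + " reauth with mismatching " + key_col)
        with con:
            con.execute("UPDATE reauth SET %s=? WHERE permanent=?" % key_col,
                        (bad_key, identity))
        eap_reauth(dev[0], method, expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        # … unchanged: permanent-identity, counter and max-reauth-count steps,
        # with method/identity substituted as above …
    finally:
        con.close()

def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    return eap_sim_aka_sql_run(dev, apdev, params, "SIM", "1232010000000000",
                               "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                               "mk", "0" * 40)
```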