DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

eapol_test: Check EAP-Key-Name

Browse source 
The new command line argument -e can be used to request the server to
send EAP-Key-Name in Access-Accept. If both the local EAP peer
implementation and server provide the EAP Session-Id, compare those
values and indicate in debug log whether a match was seen.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-05-11 12:43:09 +03:00
parent 251c53e084
commit cfdb32e88f
1 changed files with 50 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
wpa_supplicant/eapol_test.c
View file

@ -46,6 +46,7 @@ struct eapol_test_data {
int eapol_test_num_reauths; int eapol_test_num_reauths;
int no_mppe_keys; int no_mppe_keys;
int num_mppe_ok, num_mppe_mismatch; int num_mppe_ok, num_mppe_mismatch;
int req_eap_key_name;
u8 radius_identifier; u8 radius_identifier;
struct radius_msg *last_recv_radius; struct radius_msg *last_recv_radius;
@ -58,6 +59,8 @@ struct eapol_test_data {
u8 authenticator_pmk[PMK_LEN]; u8 authenticator_pmk[PMK_LEN];
size_t authenticator_pmk_len; size_t authenticator_pmk_len;
u8 authenticator_eap_key_name[256];
size_t authenticator_eap_key_name_len;
int radius_access_accept_received; int radius_access_accept_received;
int radius_access_reject_received; int radius_access_reject_received;
int auth_timed_out; int auth_timed_out;
@ -208,6 +211,13 @@ static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e,
goto fail; goto fail;
} }
if (e->req_eap_key_name &&
!radius_msg_add_attr(msg, RADIUS_ATTR_EAP_KEY_NAME, (u8 *) "\0",
1)) {
printf("Could not add EAP-Key-Name\n");
goto fail;
}
if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_IP_ADDRESS) && if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_IP_ADDRESS) &&
!radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS, !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
(u8 *) &e->own_ip_addr, 4)) { (u8 *) &e->own_ip_addr, 4)) {
@ -333,6 +343,8 @@ static int eapol_test_compare_pmk(struct eapol_test_data *e)
{ {
u8 pmk[PMK_LEN]; u8 pmk[PMK_LEN];
int ret = 1; int ret = 1;
const u8 *sess_id;
size_t sess_id_len;
if (eapol_sm_get_key(e->wpa_s->eapol, pmk, PMK_LEN) == 0) { if (eapol_sm_get_key(e->wpa_s->eapol, pmk, PMK_LEN) == 0) {
wpa_hexdump(MSG_DEBUG, "PMK from EAPOL", pmk, PMK_LEN); wpa_hexdump(MSG_DEBUG, "PMK from EAPOL", pmk, PMK_LEN);
@ -361,6 +373,28 @@ static int eapol_test_compare_pmk(struct eapol_test_data *e)
else if (!e->no_mppe_keys) else if (!e->no_mppe_keys)
e->num_mppe_ok++; e->num_mppe_ok++;
sess_id = eapol_sm_get_session_id(e->wpa_s->eapol, &sess_id_len);
if (!sess_id)
return ret;
if (e->authenticator_eap_key_name_len == 0) {
wpa_printf(MSG_INFO, "No EAP-Key-Name received from server");
return ret;
}
if (e->authenticator_eap_key_name_len != sess_id_len ||
os_memcmp(e->authenticator_eap_key_name, sess_id, sess_id_len) != 0)
{
wpa_printf(MSG_INFO,
"Locally derived EAP Session-Id does not match EAP-Key-Name from server");
wpa_hexdump(MSG_DEBUG, "EAP Session-Id", sess_id, sess_id_len);
wpa_hexdump(MSG_DEBUG, "EAP-Key-Name from server",
e->authenticator_eap_key_name,
e->authenticator_eap_key_name_len);
} else {
wpa_printf(MSG_INFO,
"Locally derived EAP Session-Id matches EAP-Key-Name from server");
}
return ret; return ret;
} }
@ -749,6 +783,8 @@ static void ieee802_1x_get_keys(struct eapol_test_data *e,
size_t shared_secret_len) size_t shared_secret_len)
{ {
struct radius_ms_mppe_keys *keys; struct radius_ms_mppe_keys *keys;
u8 *buf;
size_t len;
keys = radius_msg_get_ms_keys(msg, req, shared_secret, keys = radius_msg_get_ms_keys(msg, req, shared_secret,
shared_secret_len); shared_secret_len);
@ -787,6 +823,14 @@ static void ieee802_1x_get_keys(struct eapol_test_data *e,
os_free(keys->recv); os_free(keys->recv);
os_free(keys); os_free(keys);
} }
if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len,
NULL) == 0) {
os_memcpy(e->authenticator_eap_key_name, buf, len);
e->authenticator_eap_key_name_len = len;
} else {
e->authenticator_eap_key_name_len = 0;
}
} }
@ -1095,7 +1139,7 @@ static void eapol_test_terminate(int sig, void *signal_ctx)
static void usage(void) static void usage(void)
{ {
printf("usage:\n" printf("usage:\n"
"eapol_test [-nWS] -c<conf> [-a<AS IP>] [-p<AS port>] " "eapol_test [-enWS] -c<conf> [-a<AS IP>] [-p<AS port>] "
"[-s<AS secret>]\\\n" "[-s<AS secret>]\\\n"
" [-r<count>] [-t<timeout>] [-C<Connect-Info>] \\\n" " [-r<count>] [-t<timeout>] [-C<Connect-Info>] \\\n"
" [-M<client MAC address>] [-o<server cert file] \\\n" " [-M<client MAC address>] [-o<server cert file] \\\n"
@ -1115,6 +1159,7 @@ static void usage(void)
" -A<client IP> = IP address of the client, default: select " " -A<client IP> = IP address of the client, default: select "
"automatically\n" "automatically\n"
" -r<count> = number of re-authentications\n" " -r<count> = number of re-authentications\n"
" -e = Request EAP-Key-Name\n"
" -W = wait for a control interface monitor before starting\n" " -W = wait for a control interface monitor before starting\n"
" -S = save configuration after authentication\n" " -S = save configuration after authentication\n"
" -n = no MPPE keys expected\n" " -n = no MPPE keys expected\n"
@ -1168,7 +1213,7 @@ int main(int argc, char *argv[])
wpa_debug_show_keys = 1; wpa_debug_show_keys = 1;
for (;;) { for (;;) {
c = getopt(argc, argv, "a:A:c:C:M:nN:o:p:r:s:St:W"); c = getopt(argc, argv, "a:A:c:C:eM:nN:o:p:r:s:St:W");
if (c < 0) if (c < 0)
break; break;
switch (c) { switch (c) {
@ -1184,6 +1229,9 @@ int main(int argc, char *argv[])
case 'C': case 'C':
eapol_test.connect_info = optarg; eapol_test.connect_info = optarg;
break; break;
case 'e':
eapol_test.req_eap_key_name = 1;
break;
case 'M': case 'M':
if (hwaddr_aton(optarg, eapol_test.own_addr)) { if (hwaddr_aton(optarg, eapol_test.own_addr)) {
usage(); usage();