tests: EAP-SIM/AKA/AKA' with SQLite

Extend EAP-SIM/AKA/AKA' test coverage by setting up another
authentication server instance to store dynamic SIM/AKA/AKA' information
into an SQLite database. This allows the stored reauth/pseudonym data to
be modified on the server side and by doing so, allows testing fallback
from reauth to pseudonym/permanent identity.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2014-05-11 01:06:00 +03:00
parent 04cad507e1
commit 5b1aaf6cfb
4 changed files with 208 additions and 4 deletions


@ -0,0 +1,21 @@
driver=none
radius_server_clients=auth_serv/radius_clients.conf
radius_server_auth_port=1814
eap_server=1
eap_user_file=auth_serv/eap_user.conf
interface=as2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=admin
ca_cert=auth_serv/ca.pem
server_cert=auth_serv/server.pem
private_key=auth_serv/server.key
ocsp_stapling_response=auth_serv/ocsp-server-cache.der
server_id=server2.w1.fi
eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=LOGDIR/hostapd.db
dh_file=auth_serv/dh.conf
pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f
eap_fast_a_id=101112131415161718191a1b1c1d1e1f
eap_fast_a_id_info=test server2
eap_sim_aka_result_ind=1
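Review bot: The `LOGDIR` token in `eap_sim_db=unix:/tmp/hlr_auc_gw.sock db=LOGDIR/hostapd.db` is not a path but a placeholder that the start script rewrites with `sed "s%LOGDIR%$LOGDIR%"`, and nothing in this file says so; read on its own it looks like a broken relative path. Add a comment line above it, `# LOGDIR is replaced with the actual log directory by the test start script`, so the dependency on the sed substitution is visible where the value is defined.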


@ -64,7 +64,7 @@ CONFIG_NO_RANDOM_POOL=y
CONFIG_WNM=y CONFIG_WNM=y
CONFIG_INTERWORKING=y CONFIG_INTERWORKING=y
CONFIG_HS20=y CONFIG_HS20=y
#CONFIG_SQLITE=y CONFIG_SQLITE=y
CONFIG_SAE=y CONFIG_SAE=y
CFLAGS += -DALL_DH_GROUPS CFLAGS += -DALL_DH_GROUPS


@ -43,6 +43,7 @@ for i in 0 1 2; do
done done
sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf" sed "s/group=admin/group=$GROUP/" "$DIR/auth_serv/as.conf" > "$LOGDIR/as.conf"
sed "s/group=admin/group=$GROUP/;s%LOGDIR%$LOGDIR%" "$DIR/auth_serv/as2.conf" > "$LOGDIR/as2.conf"
if [ "$1" = "valgrind" ]; then if [ "$1" = "valgrind" ]; then
VALGRIND=y VALGRIND=y
@ -87,7 +88,8 @@ if [ -x $HLR_AUC_GW ]; then
sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw & sudo $HLR_AUC_GW -u -m $LOGDIR/hlr_auc_gw.milenage_db -g $DIR/auth_serv/hlr_auc_gw.gsm > $LOGDIR/hlr_auc_gw &
fi fi
sudo $HAPD_AS -ddKt $LOGDIR/as.conf > $LOGDIR/auth_serv & touch $LOGDIR/hostapd.db
sudo $HAPD_AS -ddKt $LOGDIR/as.conf $LOGDIR/as2.conf > $LOGDIR/auth_serv &
# wait for programs to be fully initialized # wait for programs to be fully initialized
for i in 0 1 2; do for i in 0 1 2; do
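Review bot: `touch $LOGDIR/hostapd.db` in the second hunk creates the SQLite file with the caller's umask, and the rows the new tests later edit (`UPDATE reauth SET mk=...`, `... SET k_aut=...`) show it will hold per-subscriber reauth keying material and pseudonyms; under a typical 022 umask that is a world-readable file in the log directory. Create it with a restrictive mode instead, `touch "$LOGDIR/hostapd.db" && chmod 600 "$LOGDIR/hostapd.db"`, which also quotes the path the way the sed lines in the first hunk do. Because touch does not truncate, a reused LOGDIR would presumably carry reauth/pseudonym rows from an earlier run into the new one — confirm whether hostapd or the harness resets the tables. The `if [ -x $HLR_AUC_GW ]` block closes before the touch, so the file is created even when hlr_auc_gw is not started.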


@ -96,9 +96,10 @@ def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
if status["key_mgmt"] != e: if status["key_mgmt"] != e:
raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"]) raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False): def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
dev.request("REAUTHENTICATE") dev.request("REAUTHENTICATE")
eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256) eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
expect_failure=expect_failure)
def test_ap_wpa2_eap_sim(dev, apdev): def test_ap_wpa2_eap_sim(dev, apdev):
"""WPA2-Enterprise connection using EAP-SIM""" """WPA2-Enterprise connection using EAP-SIM"""
@ -124,6 +125,66 @@ def test_ap_wpa2_eap_sim(dev, apdev):
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581", password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
expect_failure=True) expect_failure=True)
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
"""WPA2-Enterprise connection using EAP-SIM (SQL)"""
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
logger.info("No hlr_auc_gw available");
return "skip"
try:
import sqlite3
except ImportError:
return "skip"
con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
params['auth_server_port'] = "1814"
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
logger.info("SIM fast re-authentication")
eap_reauth(dev[0], "SIM")
logger.info("SIM full auth with pseudonym")
with con:
cur = con.cursor()
cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
eap_reauth(dev[0], "SIM")
logger.info("SIM full auth with permanent identity")
with con:
cur = con.cursor()
cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
eap_reauth(dev[0], "SIM")
logger.info("SIM reauth with mismatching MK")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
eap_reauth(dev[0], "SIM", expect_failure=True)
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
eap_reauth(dev[0], "SIM")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
logger.info("SIM reauth with mismatching counter")
eap_reauth(dev[0], "SIM")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
logger.info("SIM reauth with max reauth count reached")
eap_reauth(dev[0], "SIM")
def test_ap_wpa2_eap_aka(dev, apdev): def test_ap_wpa2_eap_aka(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA""" """WPA2-Enterprise connection using EAP-AKA"""
if not os.path.exists("/tmp/hlr_auc_gw.sock"): if not os.path.exists("/tmp/hlr_auc_gw.sock"):
@ -142,6 +203,66 @@ def test_ap_wpa2_eap_aka(dev, apdev):
password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123", password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
expect_failure=True) expect_failure=True)
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
"""WPA2-Enterprise connection using EAP-AKA (SQL)"""
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
logger.info("No hlr_auc_gw available");
return "skip"
try:
import sqlite3
except ImportError:
return "skip"
con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
params['auth_server_port'] = "1814"
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
logger.info("AKA fast re-authentication")
eap_reauth(dev[0], "AKA")
logger.info("AKA full auth with pseudonym")
with con:
cur = con.cursor()
cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
eap_reauth(dev[0], "AKA")
logger.info("AKA full auth with permanent identity")
with con:
cur = con.cursor()
cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
eap_reauth(dev[0], "AKA")
logger.info("AKA reauth with mismatching MK")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
eap_reauth(dev[0], "AKA", expect_failure=True)
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
eap_reauth(dev[0], "AKA")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
logger.info("AKA reauth with mismatching counter")
eap_reauth(dev[0], "AKA")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
logger.info("AKA reauth with max reauth count reached")
eap_reauth(dev[0], "AKA")
def test_ap_wpa2_eap_aka_prime(dev, apdev): def test_ap_wpa2_eap_aka_prime(dev, apdev):
"""WPA2-Enterprise connection using EAP-AKA'""" """WPA2-Enterprise connection using EAP-AKA'"""
if not os.path.exists("/tmp/hlr_auc_gw.sock"): if not os.path.exists("/tmp/hlr_auc_gw.sock"):
@ -160,6 +281,66 @@ def test_ap_wpa2_eap_aka_prime(dev, apdev):
password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123", password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
expect_failure=True) expect_failure=True)
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
"""WPA2-Enterprise connection using EAP-AKA' (SQL)"""
if not os.path.exists("/tmp/hlr_auc_gw.sock"):
logger.info("No hlr_auc_gw available");
return "skip"
try:
import sqlite3
except ImportError:
return "skip"
con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
params['auth_server_port'] = "1814"
hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
logger.info("AKA' fast re-authentication")
eap_reauth(dev[0], "AKA'")
logger.info("AKA' full auth with pseudonym")
with con:
cur = con.cursor()
cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
eap_reauth(dev[0], "AKA'")
logger.info("AKA' full auth with permanent identity")
with con:
cur = con.cursor()
cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
eap_reauth(dev[0], "AKA'")
logger.info("AKA' reauth with mismatching k_aut")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
eap_reauth(dev[0], "AKA'", expect_failure=True)
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
eap_reauth(dev[0], "AKA'")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
logger.info("AKA' reauth with mismatching counter")
eap_reauth(dev[0], "AKA'")
dev[0].request("REMOVE_NETWORK all")
eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
with con:
cur = con.cursor()
cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
logger.info("AKA' reauth with max reauth count reached")
eap_reauth(dev[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev): def test_ap_wpa2_eap_ttls_pap(dev, apdev):
"""WPA2-Enterprise connection using EAP-TTLS/PAP""" """WPA2-Enterprise connection using EAP-TTLS/PAP"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
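Review bot: The connection opened at `con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))` in test_ap_wpa2_eap_sim_sql is never closed; `with con:` only commits or rolls back a transaction, so the handle is held until garbage collection and any exception from eap_reauth leaves it open. Put the body after the connect under `try:` with `finally: con.close()` (or, with an added `import contextlib`, `with contextlib.closing(sqlite3.connect(...)) as con:`). The same applies to test_ap_wpa2_eap_aka_sql and test_ap_wpa2_eap_aka_prime_sql in the following two hunks. In all three the fixture argument `params` is rebound to the AP configuration right after `params['logdir']` is read, which works but shadows the harness dict — `ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")` avoids that — and `logger.info("No hlr_auc_gw available");` carries a stray semicolon. The three functions differ only in method name, identity, password and the reauth key column (`mk` vs `k_aut`), so a shared helper parameterized on those would remove roughly 150 duplicated lines.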