From acc9a635c833b0f8a00ed7276f0298837f433526 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Sat, 29 Nov 2014 20:34:43 +0200 Subject: [PATCH] tests: EAP Re-authentication Protocol (ERP) This tests RP EAP-Initiate/Re-auth-Start transmission, ERP key derivation, and EAP-Initiate/Re-auth + EAP-Finish/Re-auth exchange and rMSK derivation. Signed-off-by: Jouni Malinen --- tests/hwsim/auth_serv/eap_user.conf | 14 ++ tests/hwsim/example-hostapd.config | 1 + tests/hwsim/example-wpa_supplicant.config | 1 + tests/hwsim/test_erp.py | 191 ++++++++++++++++++++++ tests/hwsim/wpasupplicant.py | 3 +- 5 files changed, 209 insertions(+), 1 deletion(-) create mode 100644 tests/hwsim/test_erp.py diff --git a/tests/hwsim/auth_serv/eap_user.conf b/tests/hwsim/auth_serv/eap_user.conf index 0dce2fa51..0ec4c6342 100644 --- a/tests/hwsim/auth_serv/eap_user.conf +++ b/tests/hwsim/auth_serv/eap_user.conf @@ -10,6 +10,20 @@ "osen@example.com" WFA-UNAUTH-TLS "unauth-tls" UNAUTH-TLS +"erp-fast@example.com" FAST +"erp-fast@example.com" GTC "password" [2] +"erp-gpsk@example.com" GPSK "abcdefghijklmnop0123456789abcdef" +"erp-eke@example.com" EKE "hello" +"erp-pax@example.com" PAX 0123456789abcdef0123456789abcdef +"erp-peap@example.com" PEAP +"erp-peap@example.com" MSCHAPV2 "password" [2] +"erp-psk@example.com" PSK 0123456789abcdef0123456789abcdef +"erp-pwd@example.com" PWD "secret password" +"erp-sake@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +"erp-tls@example.com" TLS +"erp-ttls@example.com" TTLS +"erp-ttls@example.com" TTLS-PAP "password" [2] + "vlan1" PAX 0123456789abcdef0123456789abcdef radius_accept_attr=64:d:13 radius_accept_attr=65:d:6 diff --git a/tests/hwsim/example-hostapd.config b/tests/hwsim/example-hostapd.config index 36cf45696..9c8cea19b 100644 --- a/tests/hwsim/example-hostapd.config +++ b/tests/hwsim/example-hostapd.config @@ -10,6 +10,7 @@ CONFIG_RSN_PREAUTH=y CONFIG_TLS=openssl CONFIG_EAP=y +CONFIG_ERP=y CONFIG_EAP_MD5=y CONFIG_EAP_TLS=y CONFIG_EAP_MSCHAPV2=y diff --git a/tests/hwsim/example-wpa_supplicant.config b/tests/hwsim/example-wpa_supplicant.config index 37f074f81..14a179608 100644 --- a/tests/hwsim/example-wpa_supplicant.config +++ b/tests/hwsim/example-wpa_supplicant.config @@ -7,6 +7,7 @@ CONFIG_TLS=openssl CONFIG_IEEE8021X_EAPOL=y +CONFIG_ERP=y CONFIG_EAP_MD5=y CONFIG_MSCHAPV2=y CONFIG_EAP_TLS=y diff --git a/tests/hwsim/test_erp.py b/tests/hwsim/test_erp.py new file mode 100644 index 000000000..1c2dcd4da --- /dev/null +++ b/tests/hwsim/test_erp.py @@ -0,0 +1,191 @@ +# EAP Re-authentication Protocol (ERP) tests +# Copyright (c) 2014, Jouni Malinen +# +# This software may be distributed under the terms of the BSD license. +# See README for more details. + +import logging +logger = logging.getLogger() + +import hostapd +from test_ap_eap import int_eap_server_params + +def test_erp_initiate_reauth_start(dev, apdev): + """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer""" + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + params['erp_send_reauth_start'] = '1' + params['erp_domain'] = 'example.com' + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + dev[0].request("ERP_FLUSH") + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", + eap="PAX", identity="pax.user@example.com", + password_hex="0123456789abcdef0123456789abcdef", + scan_freq="2412") + +def test_erp_enabled_on_server(dev, apdev): + """ERP enabled on internal EAP server, but disabled on peer""" + params = int_eap_server_params() + params['erp_send_reauth_start'] = '1' + params['erp_domain'] = 'example.com' + params['eap_server_erp'] = '1' + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + dev[0].request("ERP_FLUSH") + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", + eap="PAX", identity="pax.user@example.com", + password_hex="0123456789abcdef0123456789abcdef", + scan_freq="2412") + +def test_erp(dev, apdev): + """ERP enabled on server and peer""" + capab = dev[0].get_capability("erp") + if not capab or 'ERP' not in capab: + return "skip" + params = int_eap_server_params() + params['erp_send_reauth_start'] = '1' + params['erp_domain'] = 'example.com' + params['eap_server_erp'] = '1' + params['disable_pmksa_caching'] = '1' + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + dev[0].request("ERP_FLUSH") + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", + eap="PSK", identity="psk.user@example.com", + password_hex="0123456789abcdef0123456789abcdef", + erp="1", scan_freq="2412") + for i in range(3): + dev[0].request("DISCONNECT") + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15) + if ev is None: + raise Exception("Disconnection timed out") + dev[0].request("RECONNECT") + ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) + if ev is None: + raise Exception("EAP success timed out") + if "EAP re-authentication completed successfully" not in ev: + raise Exception("Did not use ERP") + ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15) + if ev is None: + raise Exception("Reconnection timed out") + +def start_erp_as(apdev): + params = { "ssid": "as", "beacon_int": "2000", + "radius_server_clients": "auth_serv/radius_clients.conf", + "radius_server_auth_port": '18128', + "eap_server": "1", + "eap_user_file": "auth_serv/eap_user.conf", + "ca_cert": "auth_serv/ca.pem", + "server_cert": "auth_serv/server.pem", + "private_key": "auth_serv/server.key", + "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock", + "dh_file": "auth_serv/dh.conf", + "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f", + "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f", + "eap_fast_a_id_info": "test server", + "eap_server_erp": "1", + "erp_domain": "example.com" } + hostapd.add_ap(apdev['ifname'], params) + +def test_erp_radius(dev, apdev): + """ERP enabled on RADIUS server and peer""" + capab = dev[0].get_capability("erp") + if not capab or 'ERP' not in capab: + return "skip" + start_erp_as(apdev[1]) + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + params['auth_server_port'] = "18128" + params['erp_send_reauth_start'] = '1' + params['erp_domain'] = 'example.com' + params['disable_pmksa_caching'] = '1' + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + dev[0].request("ERP_FLUSH") + dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", + eap="PSK", identity="psk.user@example.com", + password_hex="0123456789abcdef0123456789abcdef", + erp="1", scan_freq="2412") + for i in range(3): + dev[0].request("DISCONNECT") + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15) + if ev is None: + raise Exception("Disconnection timed out") + dev[0].request("RECONNECT") + ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) + if ev is None: + raise Exception("EAP success timed out") + if "EAP re-authentication completed successfully" not in ev: + raise Exception("Did not use ERP") + ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15) + if ev is None: + raise Exception("Reconnection timed out") + +def erp_test(dev, hapd, **kwargs): + hapd.dump_monitor() + dev.dump_monitor() + dev.request("ERP_FLUSH") + id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1", + scan_freq="2412", **kwargs) + dev.request("DISCONNECT") + ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15) + if ev is None: + raise Exception("Disconnection timed out") + hapd.dump_monitor() + dev.request("RECONNECT") + ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) + if ev is None: + raise Exception("EAP success timed out") + if "EAP re-authentication completed successfully" not in ev: + raise Exception("Did not use ERP") + ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=15) + if ev is None: + raise Exception("Reconnection timed out") + ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) + if ev is None: + raise Exception("No connection event received from hostapd") + dev.request("DISCONNECT") + +def test_erp_radius_eap_methods(dev, apdev): + """ERP enabled on RADIUS server and peer""" + capab = dev[0].get_capability("erp") + if not capab or 'ERP' not in capab: + return "skip" + start_erp_as(apdev[1]) + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + params['auth_server_port'] = "18128" + params['erp_send_reauth_start'] = '1' + params['erp_domain'] = 'example.com' + params['disable_pmksa_caching'] = '1' + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com", + password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123") + erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com", + password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123") + # TODO: EKE getSession + #erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com", + # password="hello") + erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com", + password="password", ca_cert="auth_serv/ca.pem", phase2="auth=GTC", + phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth_erp") + erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com", + password="abcdefghijklmnop0123456789abcdef") + erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com", + password_hex="0123456789abcdef0123456789abcdef") + # TODO: PEAP (EMSK) + #erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com", + # password="password", ca_cert="auth_serv/ca.pem", + # phase2="auth=MSCHAPV2") + erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com", + password_hex="0123456789abcdef0123456789abcdef") + erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com", + password="secret password") + erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com", + password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef") + erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com", + password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581") + erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com", + ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem", + private_key="auth_serv/user.key") + erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com", + password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP") diff --git a/tests/hwsim/wpasupplicant.py b/tests/hwsim/wpasupplicant.py index 6d809d81d..71ec09260 100644 --- a/tests/hwsim/wpasupplicant.py +++ b/tests/hwsim/wpasupplicant.py @@ -776,7 +776,8 @@ class WpaSupplicant: "wpa_ptk_rekey", "disable_ht", "disable_vht", "bssid", "disable_max_amsdu", "ampdu_factor", "ampdu_density", "disable_ht40", "disable_sgi", "disable_ldpc", - "ht40_intolerant", "update_identifier", "mac_addr" ] + "ht40_intolerant", "update_identifier", "mac_addr", + "erp" ] for field in not_quoted: if field in kwargs and kwargs[field]: self.set_network(id, field, kwargs[field])