test_erp.py 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406
  1. # EAP Re-authentication Protocol (ERP) tests
  2. # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
  3. #
  4. # This software may be distributed under the terms of the BSD license.
  5. # See README for more details.
  6. import binascii
  7. import logging
  8. logger = logging.getLogger()
  9. import os
  10. import time
  11. import hostapd
  12. from utils import HwsimSkip
  13. from test_ap_eap import int_eap_server_params
  14. from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
  15. def check_erp_capa(dev):
  16. capab = dev.get_capability("erp")
  17. if not capab or 'ERP' not in capab:
  18. raise HwsimSkip("ERP not supported in the build")
  19. def test_erp_initiate_reauth_start(dev, apdev):
  20. """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
  21. params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
  22. params['erp_send_reauth_start'] = '1'
  23. params['erp_domain'] = 'example.com'
  24. hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  25. dev[0].request("ERP_FLUSH")
  26. dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
  27. eap="PAX", identity="pax.user@example.com",
  28. password_hex="0123456789abcdef0123456789abcdef",
  29. scan_freq="2412")
  30. def test_erp_enabled_on_server(dev, apdev):
  31. """ERP enabled on internal EAP server, but disabled on peer"""
  32. params = int_eap_server_params()
  33. params['erp_send_reauth_start'] = '1'
  34. params['erp_domain'] = 'example.com'
  35. params['eap_server_erp'] = '1'
  36. hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  37. dev[0].request("ERP_FLUSH")
  38. dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
  39. eap="PAX", identity="pax.user@example.com",
  40. password_hex="0123456789abcdef0123456789abcdef",
  41. scan_freq="2412")
  42. def test_erp(dev, apdev):
  43. """ERP enabled on server and peer"""
  44. check_erp_capa(dev[0])
  45. params = int_eap_server_params()
  46. params['erp_send_reauth_start'] = '1'
  47. params['erp_domain'] = 'example.com'
  48. params['eap_server_erp'] = '1'
  49. params['disable_pmksa_caching'] = '1'
  50. hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  51. dev[0].request("ERP_FLUSH")
  52. dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
  53. eap="PSK", identity="psk.user@example.com",
  54. password_hex="0123456789abcdef0123456789abcdef",
  55. erp="1", scan_freq="2412")
  56. for i in range(3):
  57. dev[0].request("DISCONNECT")
  58. dev[0].wait_disconnected(timeout=15)
  59. dev[0].request("RECONNECT")
  60. ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
  61. if ev is None:
  62. raise Exception("EAP success timed out")
  63. if "EAP re-authentication completed successfully" not in ev:
  64. raise Exception("Did not use ERP")
  65. dev[0].wait_connected(timeout=15, error="Reconnection timed out")
  66. def test_erp_server_no_match(dev, apdev):
  67. """ERP enabled on server and peer, but server has no key match"""
  68. check_erp_capa(dev[0])
  69. params = int_eap_server_params()
  70. params['erp_send_reauth_start'] = '1'
  71. params['erp_domain'] = 'example.com'
  72. params['eap_server_erp'] = '1'
  73. params['disable_pmksa_caching'] = '1'
  74. hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  75. dev[0].request("ERP_FLUSH")
  76. id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
  77. eap="PSK", identity="psk.user@example.com",
  78. password_hex="0123456789abcdef0123456789abcdef",
  79. erp="1", scan_freq="2412")
  80. dev[0].request("DISCONNECT")
  81. dev[0].wait_disconnected(timeout=15)
  82. hapd.request("ERP_FLUSH")
  83. dev[0].request("RECONNECT")
  84. ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
  85. "CTRL-EVENT-EAP-FAILURE"], timeout=15)
  86. if ev is None:
  87. raise Exception("EAP result timed out")
  88. if "CTRL-EVENT-EAP-SUCCESS" in ev:
  89. raise Exception("Unexpected EAP success")
  90. dev[0].request("DISCONNECT")
  91. dev[0].select_network(id)
  92. ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
  93. if ev is None:
  94. raise Exception("EAP success timed out")
  95. if "EAP re-authentication completed successfully" in ev:
  96. raise Exception("Unexpected use of ERP")
  97. dev[0].wait_connected(timeout=15, error="Reconnection timed out")
  98. def start_erp_as(apdev):
  99. params = { "ssid": "as", "beacon_int": "2000",
  100. "radius_server_clients": "auth_serv/radius_clients.conf",
  101. "radius_server_auth_port": '18128',
  102. "eap_server": "1",
  103. "eap_user_file": "auth_serv/eap_user.conf",
  104. "ca_cert": "auth_serv/ca.pem",
  105. "server_cert": "auth_serv/server.pem",
  106. "private_key": "auth_serv/server.key",
  107. "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
  108. "dh_file": "auth_serv/dh.conf",
  109. "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
  110. "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
  111. "eap_fast_a_id_info": "test server",
  112. "eap_server_erp": "1",
  113. "erp_domain": "example.com" }
  114. hostapd.add_ap(apdev['ifname'], params)
  115. def test_erp_radius(dev, apdev):
  116. """ERP enabled on RADIUS server and peer"""
  117. check_erp_capa(dev[0])
  118. start_erp_as(apdev[1])
  119. params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
  120. params['auth_server_port'] = "18128"
  121. params['erp_send_reauth_start'] = '1'
  122. params['erp_domain'] = 'example.com'
  123. params['disable_pmksa_caching'] = '1'
  124. hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  125. dev[0].request("ERP_FLUSH")
  126. dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
  127. eap="PSK", identity="psk.user@example.com",
  128. password_hex="0123456789abcdef0123456789abcdef",
  129. erp="1", scan_freq="2412")
  130. for i in range(3):
  131. dev[0].request("DISCONNECT")
  132. dev[0].wait_disconnected(timeout=15)
  133. dev[0].request("RECONNECT")
  134. ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
  135. if ev is None:
  136. raise Exception("EAP success timed out")
  137. if "EAP re-authentication completed successfully" not in ev:
  138. raise Exception("Did not use ERP")
  139. dev[0].wait_connected(timeout=15, error="Reconnection timed out")
  140. def erp_test(dev, hapd, **kwargs):
  141. hapd.dump_monitor()
  142. dev.dump_monitor()
  143. dev.request("ERP_FLUSH")
  144. id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
  145. scan_freq="2412", **kwargs)
  146. dev.request("DISCONNECT")
  147. dev.wait_disconnected(timeout=15)
  148. hapd.dump_monitor()
  149. dev.request("RECONNECT")
  150. ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
  151. if ev is None:
  152. raise Exception("EAP success timed out")
  153. if "EAP re-authentication completed successfully" not in ev:
  154. raise Exception("Did not use ERP")
  155. dev.wait_connected(timeout=15, error="Reconnection timed out")
  156. ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
  157. if ev is None:
  158. raise Exception("No connection event received from hostapd")
  159. dev.request("DISCONNECT")
  160. def test_erp_radius_eap_methods(dev, apdev):
  161. """ERP enabled on RADIUS server and peer"""
  162. check_erp_capa(dev[0])
  163. start_erp_as(apdev[1])
  164. params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
  165. params['auth_server_port'] = "18128"
  166. params['erp_send_reauth_start'] = '1'
  167. params['erp_domain'] = 'example.com'
  168. params['disable_pmksa_caching'] = '1'
  169. hapd = hostapd.add_ap(apdev[0]['ifname'], params)
  170. erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
  171. password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
  172. erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com",
  173. password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
  174. erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
  175. password="hello")
  176. if "FAST" in dev[0].get_capability("eap"):
  177. erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
  178. password="password", ca_cert="auth_serv/ca.pem",
  179. phase2="auth=GTC",
  180. phase1="fast_provisioning=2",
  181. pac_file="blob://fast_pac_auth_erp")
  182. erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com",
  183. password="abcdefghijklmnop0123456789abcdef")
  184. erp_test(dev[0], hapd, eap="IKEV2", identity="erp-ikev2@example.com",
  185. password="password")
  186. erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
  187. password_hex="0123456789abcdef0123456789abcdef")
  188. # TODO: PEAP (EMSK)
  189. #erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
  190. # password="password", ca_cert="auth_serv/ca.pem",
  191. # phase2="auth=MSCHAPV2")
  192. erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
  193. password_hex="0123456789abcdef0123456789abcdef")
  194. if "PWD" in dev[0].get_capability("eap"):
  195. erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com",
  196. password="secret password")
  197. erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com",
  198. password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
  199. erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com",
  200. password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
  201. erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
  202. ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
  203. private_key="auth_serv/user.key")
  204. erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com",
  205. password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
  206. def test_erp_key_lifetime_in_memory(dev, apdev, params):
  207. """ERP and key lifetime in memory"""
  208. check_erp_capa(dev[0])
  209. p = int_eap_server_params()
  210. p['erp_send_reauth_start'] = '1'
  211. p['erp_domain'] = 'example.com'
  212. p['eap_server_erp'] = '1'
  213. p['disable_pmksa_caching'] = '1'
  214. hapd = hostapd.add_ap(apdev[0]['ifname'], p)
  215. password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
  216. pid = find_wpas_process(dev[0])
  217. dev[0].request("ERP_FLUSH")
  218. dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
  219. identity="pap-secret@example.com", password=password,
  220. ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
  221. erp="1", scan_freq="2412")
  222. time.sleep(1)
  223. buf = read_process_memory(pid, password)
  224. dev[0].request("DISCONNECT")
  225. dev[0].wait_disconnected(timeout=15)
  226. dev[0].relog()
  227. msk = None
  228. emsk = None
  229. rRK = None
  230. rIK = None
  231. pmk = None
  232. ptk = None
  233. gtk = None
  234. with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
  235. for l in f.readlines():
  236. if "EAP-TTLS: Derived key - hexdump" in l:
  237. val = l.strip().split(':')[3].replace(' ', '')
  238. msk = binascii.unhexlify(val)
  239. if "EAP-TTLS: Derived EMSK - hexdump" in l:
  240. val = l.strip().split(':')[3].replace(' ', '')
  241. emsk = binascii.unhexlify(val)
  242. if "EAP: ERP rRK - hexdump" in l:
  243. val = l.strip().split(':')[3].replace(' ', '')
  244. rRK = binascii.unhexlify(val)
  245. if "EAP: ERP rIK - hexdump" in l:
  246. val = l.strip().split(':')[3].replace(' ', '')
  247. rIK = binascii.unhexlify(val)
  248. if "WPA: PMK - hexdump" in l:
  249. val = l.strip().split(':')[3].replace(' ', '')
  250. pmk = binascii.unhexlify(val)
  251. if "WPA: PTK - hexdump" in l:
  252. val = l.strip().split(':')[3].replace(' ', '')
  253. ptk = binascii.unhexlify(val)
  254. if "WPA: Group Key - hexdump" in l:
  255. val = l.strip().split(':')[3].replace(' ', '')
  256. gtk = binascii.unhexlify(val)
  257. if not msk or not emsk or not rIK or not rRK or not pmk or not ptk or not gtk:
  258. raise Exception("Could not find keys from debug log")
  259. if len(gtk) != 16:
  260. raise Exception("Unexpected GTK length")
  261. kck = ptk[0:16]
  262. kek = ptk[16:32]
  263. tk = ptk[32:48]
  264. fname = os.path.join(params['logdir'],
  265. 'erp_key_lifetime_in_memory.memctx-')
  266. logger.info("Checking keys in memory while associated")
  267. get_key_locations(buf, password, "Password")
  268. get_key_locations(buf, pmk, "PMK")
  269. get_key_locations(buf, msk, "MSK")
  270. get_key_locations(buf, emsk, "EMSK")
  271. get_key_locations(buf, rRK, "rRK")
  272. get_key_locations(buf, rIK, "rIK")
  273. if password not in buf:
  274. raise HwsimSkip("Password not found while associated")
  275. if pmk not in buf:
  276. raise HwsimSkip("PMK not found while associated")
  277. if kck not in buf:
  278. raise Exception("KCK not found while associated")
  279. if kek not in buf:
  280. raise Exception("KEK not found while associated")
  281. if tk in buf:
  282. raise Exception("TK found from memory")
  283. if gtk in buf:
  284. raise Exception("GTK found from memory")
  285. logger.info("Checking keys in memory after disassociation")
  286. buf = read_process_memory(pid, password)
  287. # Note: Password is still present in network configuration
  288. # Note: PMK is in EAP fast re-auth data
  289. get_key_locations(buf, password, "Password")
  290. get_key_locations(buf, pmk, "PMK")
  291. get_key_locations(buf, msk, "MSK")
  292. get_key_locations(buf, emsk, "EMSK")
  293. get_key_locations(buf, rRK, "rRK")
  294. get_key_locations(buf, rIK, "rIK")
  295. verify_not_present(buf, kck, fname, "KCK")
  296. verify_not_present(buf, kek, fname, "KEK")
  297. verify_not_present(buf, tk, fname, "TK")
  298. verify_not_present(buf, gtk, fname, "GTK")
  299. dev[0].request("RECONNECT")
  300. ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
  301. if ev is None:
  302. raise Exception("EAP success timed out")
  303. if "EAP re-authentication completed successfully" not in ev:
  304. raise Exception("Did not use ERP")
  305. dev[0].wait_connected(timeout=15, error="Reconnection timed out")
  306. dev[0].request("DISCONNECT")
  307. dev[0].wait_disconnected(timeout=15)
  308. dev[0].relog()
  309. pmk = None
  310. ptk = None
  311. gtk = None
  312. with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
  313. for l in f.readlines():
  314. if "WPA: PMK - hexdump" in l:
  315. val = l.strip().split(':')[3].replace(' ', '')
  316. pmk = binascii.unhexlify(val)
  317. if "WPA: PTK - hexdump" in l:
  318. val = l.strip().split(':')[3].replace(' ', '')
  319. ptk = binascii.unhexlify(val)
  320. if "WPA: GTK in EAPOL-Key - hexdump" in l:
  321. val = l.strip().split(':')[3].replace(' ', '')
  322. gtk = binascii.unhexlify(val)
  323. if not pmk or not ptk or not gtk:
  324. raise Exception("Could not find keys from debug log")
  325. kck = ptk[0:16]
  326. kek = ptk[16:32]
  327. tk = ptk[32:48]
  328. logger.info("Checking keys in memory after ERP and disassociation")
  329. buf = read_process_memory(pid, password)
  330. # Note: Password is still present in network configuration
  331. get_key_locations(buf, password, "Password")
  332. get_key_locations(buf, pmk, "PMK")
  333. get_key_locations(buf, msk, "MSK")
  334. get_key_locations(buf, emsk, "EMSK")
  335. get_key_locations(buf, rRK, "rRK")
  336. get_key_locations(buf, rIK, "rIK")
  337. verify_not_present(buf, kck, fname, "KCK")
  338. verify_not_present(buf, kek, fname, "KEK")
  339. verify_not_present(buf, tk, fname, "TK")
  340. verify_not_present(buf, gtk, fname, "GTK")
  341. dev[0].request("REMOVE_NETWORK all")
  342. logger.info("Checking keys in memory after network profile removal")
  343. buf = read_process_memory(pid, password)
  344. # Note: rRK and rIK are still in memory
  345. get_key_locations(buf, password, "Password")
  346. get_key_locations(buf, pmk, "PMK")
  347. get_key_locations(buf, msk, "MSK")
  348. get_key_locations(buf, emsk, "EMSK")
  349. get_key_locations(buf, rRK, "rRK")
  350. get_key_locations(buf, rIK, "rIK")
  351. verify_not_present(buf, password, fname, "password")
  352. verify_not_present(buf, pmk, fname, "PMK")
  353. verify_not_present(buf, kck, fname, "KCK")
  354. verify_not_present(buf, kek, fname, "KEK")
  355. verify_not_present(buf, tk, fname, "TK")
  356. verify_not_present(buf, gtk, fname, "GTK")
  357. verify_not_present(buf, msk, fname, "MSK")
  358. verify_not_present(buf, emsk, fname, "EMSK")
  359. dev[0].request("ERP_FLUSH")
  360. logger.info("Checking keys in memory after ERP_FLUSH")
  361. buf = read_process_memory(pid, password)
  362. get_key_locations(buf, rRK, "rRK")
  363. get_key_locations(buf, rIK, "rIK")
  364. verify_not_present(buf, rRK, fname, "rRK")
  365. verify_not_present(buf, rIK, fname, "rIK")