18dbcf02cSchristos /*
28dbcf02cSchristos * WPA Supplicant - test code
336d97821Schristos * Copyright (c) 2003-2013, Jouni Malinen <j@w1.fi>
48dbcf02cSchristos *
562a52023Schristos * This software may be distributed under the terms of the BSD license.
662a52023Schristos * See README for more details.
78dbcf02cSchristos *
88dbcf02cSchristos * IEEE 802.1X Supplicant test code (to be used in place of wpa_supplicant.c.
98dbcf02cSchristos * Not used in production version.
108dbcf02cSchristos */
118dbcf02cSchristos
128dbcf02cSchristos #include "includes.h"
138dbcf02cSchristos #include <assert.h>
148dbcf02cSchristos
158dbcf02cSchristos #include "common.h"
1662a52023Schristos #include "utils/ext_password.h"
17928750b6Schristos #include "common/version.h"
18*0d69f216Schristos #include "crypto/tls.h"
198dbcf02cSchristos #include "config.h"
208dbcf02cSchristos #include "eapol_supp/eapol_supp_sm.h"
218dbcf02cSchristos #include "eap_peer/eap.h"
2242669be3Schristos #include "eap_server/eap_methods.h"
238dbcf02cSchristos #include "eloop.h"
2442669be3Schristos #include "utils/base64.h"
258dbcf02cSchristos #include "rsn_supp/wpa.h"
268dbcf02cSchristos #include "wpa_supplicant_i.h"
278dbcf02cSchristos #include "radius/radius.h"
288dbcf02cSchristos #include "radius/radius_client.h"
2942669be3Schristos #include "common/wpa_ctrl.h"
308dbcf02cSchristos #include "ctrl_iface.h"
318dbcf02cSchristos #include "pcsc_funcs.h"
3236d97821Schristos #include "wpas_glue.h"
338dbcf02cSchristos
348dbcf02cSchristos
35928750b6Schristos const struct wpa_driver_ops *const wpa_drivers[] = { NULL };
368dbcf02cSchristos
378dbcf02cSchristos
388dbcf02cSchristos struct extra_radius_attr {
398dbcf02cSchristos u8 type;
408dbcf02cSchristos char syntax;
418dbcf02cSchristos char *data;
428dbcf02cSchristos struct extra_radius_attr *next;
438dbcf02cSchristos };
448dbcf02cSchristos
458dbcf02cSchristos struct eapol_test_data {
468dbcf02cSchristos struct wpa_supplicant *wpa_s;
478dbcf02cSchristos
488dbcf02cSchristos int eapol_test_num_reauths;
498dbcf02cSchristos int no_mppe_keys;
508dbcf02cSchristos int num_mppe_ok, num_mppe_mismatch;
5136d97821Schristos int req_eap_key_name;
528dbcf02cSchristos
538dbcf02cSchristos u8 radius_identifier;
548dbcf02cSchristos struct radius_msg *last_recv_radius;
558dbcf02cSchristos struct in_addr own_ip_addr;
568dbcf02cSchristos struct radius_client_data *radius;
578dbcf02cSchristos struct hostapd_radius_servers *radius_conf;
588dbcf02cSchristos
5962a52023Schristos /* last received EAP Response from Authentication Server */
6062a52023Schristos struct wpabuf *last_eap_radius;
618dbcf02cSchristos
628dbcf02cSchristos u8 authenticator_pmk[PMK_LEN];
638dbcf02cSchristos size_t authenticator_pmk_len;
6436d97821Schristos u8 authenticator_eap_key_name[256];
6536d97821Schristos size_t authenticator_eap_key_name_len;
668dbcf02cSchristos int radius_access_accept_received;
678dbcf02cSchristos int radius_access_reject_received;
688dbcf02cSchristos int auth_timed_out;
698dbcf02cSchristos
708dbcf02cSchristos u8 *eap_identity;
718dbcf02cSchristos size_t eap_identity_len;
728dbcf02cSchristos
738dbcf02cSchristos char *connect_info;
748dbcf02cSchristos u8 own_addr[ETH_ALEN];
758dbcf02cSchristos struct extra_radius_attr *extra_attrs;
7642669be3Schristos
7742669be3Schristos FILE *server_cert_file;
7836d97821Schristos
7936d97821Schristos const char *pcsc_reader;
8036d97821Schristos const char *pcsc_pin;
81928750b6Schristos
82928750b6Schristos unsigned int ctrl_iface:1;
83928750b6Schristos unsigned int id_req_sent:1;
848dbcf02cSchristos };
858dbcf02cSchristos
868dbcf02cSchristos static struct eapol_test_data eapol_test;
878dbcf02cSchristos
888dbcf02cSchristos
898dbcf02cSchristos static void send_eap_request_identity(void *eloop_ctx, void *timeout_ctx);
908dbcf02cSchristos
918dbcf02cSchristos
hostapd_logger_cb(void * ctx,const u8 * addr,unsigned int module,int level,const char * txt,size_t len)928dbcf02cSchristos static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
938dbcf02cSchristos int level, const char *txt, size_t len)
948dbcf02cSchristos {
958dbcf02cSchristos if (addr)
968dbcf02cSchristos wpa_printf(MSG_DEBUG, "STA " MACSTR ": %s\n",
978dbcf02cSchristos MAC2STR(addr), txt);
988dbcf02cSchristos else
998dbcf02cSchristos wpa_printf(MSG_DEBUG, "%s", txt);
1008dbcf02cSchristos }
1018dbcf02cSchristos
1028dbcf02cSchristos
add_extra_attr(struct radius_msg * msg,struct extra_radius_attr * attr)1038dbcf02cSchristos static int add_extra_attr(struct radius_msg *msg,
1048dbcf02cSchristos struct extra_radius_attr *attr)
1058dbcf02cSchristos {
1068dbcf02cSchristos size_t len;
1078dbcf02cSchristos char *pos;
1088dbcf02cSchristos u32 val;
10962a52023Schristos char buf[RADIUS_MAX_ATTR_LEN + 1];
1108dbcf02cSchristos
1118dbcf02cSchristos switch (attr->syntax) {
1128dbcf02cSchristos case 's':
1138dbcf02cSchristos os_snprintf(buf, sizeof(buf), "%s", attr->data);
1148dbcf02cSchristos len = os_strlen(buf);
1158dbcf02cSchristos break;
1168dbcf02cSchristos case 'n':
1178dbcf02cSchristos buf[0] = '\0';
1188dbcf02cSchristos len = 1;
1198dbcf02cSchristos break;
1208dbcf02cSchristos case 'x':
1218dbcf02cSchristos pos = attr->data;
1228dbcf02cSchristos if (pos[0] == '0' && pos[1] == 'x')
1238dbcf02cSchristos pos += 2;
1248dbcf02cSchristos len = os_strlen(pos);
12562a52023Schristos if ((len & 1) || (len / 2) > RADIUS_MAX_ATTR_LEN) {
1268dbcf02cSchristos printf("Invalid extra attribute hexstring\n");
1278dbcf02cSchristos return -1;
1288dbcf02cSchristos }
1298dbcf02cSchristos len /= 2;
1308dbcf02cSchristos if (hexstr2bin(pos, (u8 *) buf, len) < 0) {
1318dbcf02cSchristos printf("Invalid extra attribute hexstring\n");
1328dbcf02cSchristos return -1;
1338dbcf02cSchristos }
1348dbcf02cSchristos break;
1358dbcf02cSchristos case 'd':
1368dbcf02cSchristos val = htonl(atoi(attr->data));
1378dbcf02cSchristos os_memcpy(buf, &val, 4);
1388dbcf02cSchristos len = 4;
1398dbcf02cSchristos break;
1408dbcf02cSchristos default:
1418dbcf02cSchristos printf("Incorrect extra attribute syntax specification\n");
1428dbcf02cSchristos return -1;
1438dbcf02cSchristos }
1448dbcf02cSchristos
1458dbcf02cSchristos if (!radius_msg_add_attr(msg, attr->type, (u8 *) buf, len)) {
1468dbcf02cSchristos printf("Could not add attribute %d\n", attr->type);
1478dbcf02cSchristos return -1;
1488dbcf02cSchristos }
1498dbcf02cSchristos
1508dbcf02cSchristos return 0;
1518dbcf02cSchristos }
1528dbcf02cSchristos
1538dbcf02cSchristos
add_extra_attrs(struct radius_msg * msg,struct extra_radius_attr * attrs)1548dbcf02cSchristos static int add_extra_attrs(struct radius_msg *msg,
1558dbcf02cSchristos struct extra_radius_attr *attrs)
1568dbcf02cSchristos {
1578dbcf02cSchristos struct extra_radius_attr *p;
1588dbcf02cSchristos for (p = attrs; p; p = p->next) {
1598dbcf02cSchristos if (add_extra_attr(msg, p) < 0)
1608dbcf02cSchristos return -1;
1618dbcf02cSchristos }
1628dbcf02cSchristos return 0;
1638dbcf02cSchristos }
1648dbcf02cSchristos
1658dbcf02cSchristos
1668dbcf02cSchristos static struct extra_radius_attr *
find_extra_attr(struct extra_radius_attr * attrs,u8 type)1678dbcf02cSchristos find_extra_attr(struct extra_radius_attr *attrs, u8 type)
1688dbcf02cSchristos {
1698dbcf02cSchristos struct extra_radius_attr *p;
1708dbcf02cSchristos for (p = attrs; p; p = p->next) {
1718dbcf02cSchristos if (p->type == type)
1728dbcf02cSchristos return p;
1738dbcf02cSchristos }
1748dbcf02cSchristos return NULL;
1758dbcf02cSchristos }
1768dbcf02cSchristos
1778dbcf02cSchristos
ieee802_1x_encapsulate_radius(struct eapol_test_data * e,const u8 * eap,size_t len)1788dbcf02cSchristos static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e,
1798dbcf02cSchristos const u8 *eap, size_t len)
1808dbcf02cSchristos {
1818dbcf02cSchristos struct radius_msg *msg;
18262a52023Schristos char buf[RADIUS_MAX_ATTR_LEN + 1];
1838dbcf02cSchristos const struct eap_hdr *hdr;
1848dbcf02cSchristos const u8 *pos;
1858dbcf02cSchristos
1868dbcf02cSchristos wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
1878dbcf02cSchristos "packet");
1888dbcf02cSchristos
1898dbcf02cSchristos e->radius_identifier = radius_client_get_id(e->radius);
1908dbcf02cSchristos msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
1918dbcf02cSchristos e->radius_identifier);
1928dbcf02cSchristos if (msg == NULL) {
1938dbcf02cSchristos printf("Could not create net RADIUS packet\n");
1948dbcf02cSchristos return;
1958dbcf02cSchristos }
1968dbcf02cSchristos
197928750b6Schristos radius_msg_make_authenticator(msg);
1988dbcf02cSchristos
1998dbcf02cSchristos hdr = (const struct eap_hdr *) eap;
2008dbcf02cSchristos pos = (const u8 *) (hdr + 1);
2018dbcf02cSchristos if (len > sizeof(*hdr) && hdr->code == EAP_CODE_RESPONSE &&
2028dbcf02cSchristos pos[0] == EAP_TYPE_IDENTITY) {
2038dbcf02cSchristos pos++;
2048dbcf02cSchristos os_free(e->eap_identity);
2058dbcf02cSchristos e->eap_identity_len = len - sizeof(*hdr) - 1;
2068dbcf02cSchristos e->eap_identity = os_malloc(e->eap_identity_len);
2078dbcf02cSchristos if (e->eap_identity) {
2088dbcf02cSchristos os_memcpy(e->eap_identity, pos, e->eap_identity_len);
2098dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "Learned identity from "
2108dbcf02cSchristos "EAP-Response-Identity",
2118dbcf02cSchristos e->eap_identity, e->eap_identity_len);
2128dbcf02cSchristos }
2138dbcf02cSchristos }
2148dbcf02cSchristos
2158dbcf02cSchristos if (e->eap_identity &&
2168dbcf02cSchristos !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
2178dbcf02cSchristos e->eap_identity, e->eap_identity_len)) {
2188dbcf02cSchristos printf("Could not add User-Name\n");
2198dbcf02cSchristos goto fail;
2208dbcf02cSchristos }
2218dbcf02cSchristos
22236d97821Schristos if (e->req_eap_key_name &&
22336d97821Schristos !radius_msg_add_attr(msg, RADIUS_ATTR_EAP_KEY_NAME, (u8 *) "\0",
22436d97821Schristos 1)) {
22536d97821Schristos printf("Could not add EAP-Key-Name\n");
22636d97821Schristos goto fail;
22736d97821Schristos }
22836d97821Schristos
2298dbcf02cSchristos if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_IP_ADDRESS) &&
2308dbcf02cSchristos !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
2318dbcf02cSchristos (u8 *) &e->own_ip_addr, 4)) {
2328dbcf02cSchristos printf("Could not add NAS-IP-Address\n");
2338dbcf02cSchristos goto fail;
2348dbcf02cSchristos }
2358dbcf02cSchristos
2368dbcf02cSchristos os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
2378dbcf02cSchristos MAC2STR(e->wpa_s->own_addr));
2388dbcf02cSchristos if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_CALLING_STATION_ID)
2398dbcf02cSchristos &&
2408dbcf02cSchristos !radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
2418dbcf02cSchristos (u8 *) buf, os_strlen(buf))) {
2428dbcf02cSchristos printf("Could not add Calling-Station-Id\n");
2438dbcf02cSchristos goto fail;
2448dbcf02cSchristos }
2458dbcf02cSchristos
2468dbcf02cSchristos /* TODO: should probably check MTU from driver config; 2304 is max for
2478dbcf02cSchristos * IEEE 802.11, but use 1400 to avoid problems with too large packets
2488dbcf02cSchristos */
2498dbcf02cSchristos if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_FRAMED_MTU) &&
2508dbcf02cSchristos !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
2518dbcf02cSchristos printf("Could not add Framed-MTU\n");
2528dbcf02cSchristos goto fail;
2538dbcf02cSchristos }
2548dbcf02cSchristos
2558dbcf02cSchristos if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_PORT_TYPE) &&
2568dbcf02cSchristos !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
2578dbcf02cSchristos RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
2588dbcf02cSchristos printf("Could not add NAS-Port-Type\n");
2598dbcf02cSchristos goto fail;
2608dbcf02cSchristos }
2618dbcf02cSchristos
262928750b6Schristos if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_SERVICE_TYPE) &&
263928750b6Schristos !radius_msg_add_attr_int32(msg, RADIUS_ATTR_SERVICE_TYPE,
264928750b6Schristos RADIUS_SERVICE_TYPE_FRAMED)) {
265928750b6Schristos printf("Could not add Service-Type\n");
266928750b6Schristos goto fail;
267928750b6Schristos }
268928750b6Schristos
2698dbcf02cSchristos os_snprintf(buf, sizeof(buf), "%s", e->connect_info);
2708dbcf02cSchristos if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_CONNECT_INFO) &&
2718dbcf02cSchristos !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
2728dbcf02cSchristos (u8 *) buf, os_strlen(buf))) {
2738dbcf02cSchristos printf("Could not add Connect-Info\n");
2748dbcf02cSchristos goto fail;
2758dbcf02cSchristos }
2768dbcf02cSchristos
2778dbcf02cSchristos if (add_extra_attrs(msg, e->extra_attrs) < 0)
2788dbcf02cSchristos goto fail;
2798dbcf02cSchristos
2808dbcf02cSchristos if (eap && !radius_msg_add_eap(msg, eap, len)) {
2818dbcf02cSchristos printf("Could not add EAP-Message\n");
2828dbcf02cSchristos goto fail;
2838dbcf02cSchristos }
2848dbcf02cSchristos
2858dbcf02cSchristos /* State attribute must be copied if and only if this packet is
2868dbcf02cSchristos * Access-Request reply to the previous Access-Challenge */
2878dbcf02cSchristos if (e->last_recv_radius &&
2888dbcf02cSchristos radius_msg_get_hdr(e->last_recv_radius)->code ==
2898dbcf02cSchristos RADIUS_CODE_ACCESS_CHALLENGE) {
2908dbcf02cSchristos int res = radius_msg_copy_attr(msg, e->last_recv_radius,
2918dbcf02cSchristos RADIUS_ATTR_STATE);
2928dbcf02cSchristos if (res < 0) {
2938dbcf02cSchristos printf("Could not copy State attribute from previous "
2948dbcf02cSchristos "Access-Challenge\n");
2958dbcf02cSchristos goto fail;
2968dbcf02cSchristos }
2978dbcf02cSchristos if (res > 0) {
2988dbcf02cSchristos wpa_printf(MSG_DEBUG, " Copied RADIUS State "
2998dbcf02cSchristos "Attribute");
3008dbcf02cSchristos }
3018dbcf02cSchristos }
3028dbcf02cSchristos
30342669be3Schristos if (radius_client_send(e->radius, msg, RADIUS_AUTH, e->wpa_s->own_addr)
30442669be3Schristos < 0)
30542669be3Schristos goto fail;
3068dbcf02cSchristos return;
3078dbcf02cSchristos
3088dbcf02cSchristos fail:
3098dbcf02cSchristos radius_msg_free(msg);
3108dbcf02cSchristos }
3118dbcf02cSchristos
3128dbcf02cSchristos
eapol_test_eapol_send(void * ctx,int type,const u8 * buf,size_t len)3138dbcf02cSchristos static int eapol_test_eapol_send(void *ctx, int type, const u8 *buf,
3148dbcf02cSchristos size_t len)
3158dbcf02cSchristos {
3168dbcf02cSchristos printf("WPA: eapol_test_eapol_send(type=%d len=%lu)\n",
3178dbcf02cSchristos type, (unsigned long) len);
3188dbcf02cSchristos if (type == IEEE802_1X_TYPE_EAP_PACKET) {
3198dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "TX EAP -> RADIUS", buf, len);
3208dbcf02cSchristos ieee802_1x_encapsulate_radius(&eapol_test, buf, len);
3218dbcf02cSchristos }
3228dbcf02cSchristos return 0;
3238dbcf02cSchristos }
3248dbcf02cSchristos
3258dbcf02cSchristos
eapol_test_set_config_blob(void * ctx,struct wpa_config_blob * blob)3268dbcf02cSchristos static void eapol_test_set_config_blob(void *ctx,
3278dbcf02cSchristos struct wpa_config_blob *blob)
3288dbcf02cSchristos {
32942669be3Schristos struct eapol_test_data *e = ctx;
33042669be3Schristos wpa_config_set_blob(e->wpa_s->conf, blob);
3318dbcf02cSchristos }
3328dbcf02cSchristos
3338dbcf02cSchristos
3348dbcf02cSchristos static const struct wpa_config_blob *
eapol_test_get_config_blob(void * ctx,const char * name)3358dbcf02cSchristos eapol_test_get_config_blob(void *ctx, const char *name)
3368dbcf02cSchristos {
33742669be3Schristos struct eapol_test_data *e = ctx;
33842669be3Schristos return wpa_config_get_blob(e->wpa_s->conf, name);
3398dbcf02cSchristos }
3408dbcf02cSchristos
3418dbcf02cSchristos
eapol_test_eapol_done_cb(void * ctx)3428dbcf02cSchristos static void eapol_test_eapol_done_cb(void *ctx)
3438dbcf02cSchristos {
344928750b6Schristos struct eapol_test_data *e = ctx;
345928750b6Schristos
3468dbcf02cSchristos printf("WPA: EAPOL processing complete\n");
347928750b6Schristos wpa_supplicant_cancel_auth_timeout(e->wpa_s);
348928750b6Schristos wpa_supplicant_set_state(e->wpa_s, WPA_COMPLETED);
3498dbcf02cSchristos }
3508dbcf02cSchristos
3518dbcf02cSchristos
eapol_sm_reauth(void * eloop_ctx,void * timeout_ctx)3528dbcf02cSchristos static void eapol_sm_reauth(void *eloop_ctx, void *timeout_ctx)
3538dbcf02cSchristos {
3548dbcf02cSchristos struct eapol_test_data *e = eloop_ctx;
3558dbcf02cSchristos printf("\n\n\n\n\neapol_test: Triggering EAP reauthentication\n\n");
3568dbcf02cSchristos e->radius_access_accept_received = 0;
3578dbcf02cSchristos send_eap_request_identity(e->wpa_s, NULL);
3588dbcf02cSchristos }
3598dbcf02cSchristos
3608dbcf02cSchristos
eapol_test_compare_pmk(struct eapol_test_data * e)3618dbcf02cSchristos static int eapol_test_compare_pmk(struct eapol_test_data *e)
3628dbcf02cSchristos {
3638dbcf02cSchristos u8 pmk[PMK_LEN];
3648dbcf02cSchristos int ret = 1;
36536d97821Schristos const u8 *sess_id;
36636d97821Schristos size_t sess_id_len;
3678dbcf02cSchristos
3688dbcf02cSchristos if (eapol_sm_get_key(e->wpa_s->eapol, pmk, PMK_LEN) == 0) {
3698dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "PMK from EAPOL", pmk, PMK_LEN);
3708dbcf02cSchristos if (os_memcmp(pmk, e->authenticator_pmk, PMK_LEN) != 0) {
3718dbcf02cSchristos printf("WARNING: PMK mismatch\n");
3728dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "PMK from AS",
3738dbcf02cSchristos e->authenticator_pmk, PMK_LEN);
3748dbcf02cSchristos } else if (e->radius_access_accept_received)
3758dbcf02cSchristos ret = 0;
3768dbcf02cSchristos } else if (e->authenticator_pmk_len == 16 &&
3778dbcf02cSchristos eapol_sm_get_key(e->wpa_s->eapol, pmk, 16) == 0) {
3788dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "LEAP PMK from EAPOL", pmk, 16);
3798dbcf02cSchristos if (os_memcmp(pmk, e->authenticator_pmk, 16) != 0) {
3808dbcf02cSchristos printf("WARNING: PMK mismatch\n");
3818dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "PMK from AS",
3828dbcf02cSchristos e->authenticator_pmk, 16);
3838dbcf02cSchristos } else if (e->radius_access_accept_received)
3848dbcf02cSchristos ret = 0;
3858dbcf02cSchristos } else if (e->radius_access_accept_received && e->no_mppe_keys) {
3868dbcf02cSchristos /* No keying material expected */
3878dbcf02cSchristos ret = 0;
3888dbcf02cSchristos }
3898dbcf02cSchristos
3908dbcf02cSchristos if (ret && !e->no_mppe_keys)
3918dbcf02cSchristos e->num_mppe_mismatch++;
3928dbcf02cSchristos else if (!e->no_mppe_keys)
3938dbcf02cSchristos e->num_mppe_ok++;
3948dbcf02cSchristos
39536d97821Schristos sess_id = eapol_sm_get_session_id(e->wpa_s->eapol, &sess_id_len);
39636d97821Schristos if (!sess_id)
39736d97821Schristos return ret;
39836d97821Schristos if (e->authenticator_eap_key_name_len == 0) {
39936d97821Schristos wpa_printf(MSG_INFO, "No EAP-Key-Name received from server");
40036d97821Schristos return ret;
40136d97821Schristos }
40236d97821Schristos
40336d97821Schristos if (e->authenticator_eap_key_name_len != sess_id_len ||
40436d97821Schristos os_memcmp(e->authenticator_eap_key_name, sess_id, sess_id_len) != 0)
40536d97821Schristos {
40636d97821Schristos wpa_printf(MSG_INFO,
40736d97821Schristos "Locally derived EAP Session-Id does not match EAP-Key-Name from server");
40836d97821Schristos wpa_hexdump(MSG_DEBUG, "EAP Session-Id", sess_id, sess_id_len);
40936d97821Schristos wpa_hexdump(MSG_DEBUG, "EAP-Key-Name from server",
41036d97821Schristos e->authenticator_eap_key_name,
41136d97821Schristos e->authenticator_eap_key_name_len);
41236d97821Schristos } else {
41336d97821Schristos wpa_printf(MSG_INFO,
41436d97821Schristos "Locally derived EAP Session-Id matches EAP-Key-Name from server");
41536d97821Schristos }
41636d97821Schristos
4178dbcf02cSchristos return ret;
4188dbcf02cSchristos }
4198dbcf02cSchristos
4208dbcf02cSchristos
eapol_sm_cb(struct eapol_sm * eapol,enum eapol_supp_result result,void * ctx)42136d97821Schristos static void eapol_sm_cb(struct eapol_sm *eapol, enum eapol_supp_result result,
42236d97821Schristos void *ctx)
4238dbcf02cSchristos {
4248dbcf02cSchristos struct eapol_test_data *e = ctx;
42536d97821Schristos printf("eapol_sm_cb: result=%d\n", result);
426928750b6Schristos e->id_req_sent = 0;
427928750b6Schristos if (e->ctrl_iface)
428928750b6Schristos return;
4298dbcf02cSchristos e->eapol_test_num_reauths--;
4308dbcf02cSchristos if (e->eapol_test_num_reauths < 0)
4318dbcf02cSchristos eloop_terminate();
4328dbcf02cSchristos else {
4338dbcf02cSchristos eapol_test_compare_pmk(e);
4348dbcf02cSchristos eloop_register_timeout(0, 100000, eapol_sm_reauth, e, NULL);
4358dbcf02cSchristos }
4368dbcf02cSchristos }
4378dbcf02cSchristos
4388dbcf02cSchristos
eapol_test_write_cert(FILE * f,const char * subject,const struct wpabuf * cert)43942669be3Schristos static void eapol_test_write_cert(FILE *f, const char *subject,
44042669be3Schristos const struct wpabuf *cert)
44142669be3Schristos {
44242669be3Schristos unsigned char *encoded;
44342669be3Schristos
44442669be3Schristos encoded = base64_encode(wpabuf_head(cert), wpabuf_len(cert), NULL);
44542669be3Schristos if (encoded == NULL)
44642669be3Schristos return;
44742669be3Schristos fprintf(f, "%s\n-----BEGIN CERTIFICATE-----\n%s"
44842669be3Schristos "-----END CERTIFICATE-----\n\n", subject, encoded);
44942669be3Schristos os_free(encoded);
45042669be3Schristos }
45142669be3Schristos
45242669be3Schristos
45336d97821Schristos #if defined(CONFIG_CTRL_IFACE) || !defined(CONFIG_NO_STDOUT_DEBUG)
eapol_test_eap_param_needed(void * ctx,enum wpa_ctrl_req_type field,const char * default_txt)45436d97821Schristos static void eapol_test_eap_param_needed(void *ctx, enum wpa_ctrl_req_type field,
45536d97821Schristos const char *default_txt)
45636d97821Schristos {
45736d97821Schristos struct eapol_test_data *e = ctx;
45836d97821Schristos struct wpa_supplicant *wpa_s = e->wpa_s;
45936d97821Schristos struct wpa_ssid *ssid = wpa_s->current_ssid;
46036d97821Schristos const char *field_name, *txt = NULL;
46136d97821Schristos char *buf;
46236d97821Schristos size_t buflen;
46336d97821Schristos int len;
46436d97821Schristos
46536d97821Schristos if (ssid == NULL)
46636d97821Schristos return;
46736d97821Schristos
46836d97821Schristos field_name = wpa_supplicant_ctrl_req_to_string(field, default_txt,
46936d97821Schristos &txt);
47036d97821Schristos if (field_name == NULL) {
47136d97821Schristos wpa_printf(MSG_WARNING, "Unhandled EAP param %d needed",
47236d97821Schristos field);
47336d97821Schristos return;
47436d97821Schristos }
47536d97821Schristos
47636d97821Schristos buflen = 100 + os_strlen(txt) + ssid->ssid_len;
47736d97821Schristos buf = os_malloc(buflen);
47836d97821Schristos if (buf == NULL)
47936d97821Schristos return;
48036d97821Schristos len = os_snprintf(buf, buflen,
48136d97821Schristos WPA_CTRL_REQ "%s-%d:%s needed for SSID ",
48236d97821Schristos field_name, ssid->id, txt);
4839a53cbbeSchristos if (os_snprintf_error(buflen, len)) {
48436d97821Schristos os_free(buf);
48536d97821Schristos return;
48636d97821Schristos }
48736d97821Schristos if (ssid->ssid && buflen > len + ssid->ssid_len) {
48836d97821Schristos os_memcpy(buf + len, ssid->ssid, ssid->ssid_len);
48936d97821Schristos len += ssid->ssid_len;
49036d97821Schristos buf[len] = '\0';
49136d97821Schristos }
49236d97821Schristos buf[buflen - 1] = '\0';
49336d97821Schristos wpa_msg(wpa_s, MSG_INFO, "%s", buf);
49436d97821Schristos os_free(buf);
49536d97821Schristos }
49636d97821Schristos #else /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
49736d97821Schristos #define eapol_test_eap_param_needed NULL
49836d97821Schristos #endif /* CONFIG_CTRL_IFACE || !CONFIG_NO_STDOUT_DEBUG */
49936d97821Schristos
50036d97821Schristos
eapol_test_cert_cb(void * ctx,struct tls_cert_data * cert,const char * cert_hash)501*0d69f216Schristos static void eapol_test_cert_cb(void *ctx, struct tls_cert_data *cert,
502*0d69f216Schristos const char *cert_hash)
50342669be3Schristos {
50442669be3Schristos struct eapol_test_data *e = ctx;
505*0d69f216Schristos int i;
50642669be3Schristos
50742669be3Schristos wpa_msg(e->wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_CERT
50842669be3Schristos "depth=%d subject='%s'%s%s",
509*0d69f216Schristos cert->depth, cert->subject,
51042669be3Schristos cert_hash ? " hash=" : "",
51142669be3Schristos cert_hash ? cert_hash : "");
51242669be3Schristos
513*0d69f216Schristos if (cert->cert) {
51442669be3Schristos char *cert_hex;
515*0d69f216Schristos size_t len = wpabuf_len(cert->cert) * 2 + 1;
51642669be3Schristos cert_hex = os_malloc(len);
51742669be3Schristos if (cert_hex) {
518*0d69f216Schristos wpa_snprintf_hex(cert_hex, len, wpabuf_head(cert->cert),
519*0d69f216Schristos wpabuf_len(cert->cert));
52042669be3Schristos wpa_msg_ctrl(e->wpa_s, MSG_INFO,
52142669be3Schristos WPA_EVENT_EAP_PEER_CERT
52242669be3Schristos "depth=%d subject='%s' cert=%s",
523*0d69f216Schristos cert->depth, cert->subject, cert_hex);
52442669be3Schristos os_free(cert_hex);
52542669be3Schristos }
52642669be3Schristos
52742669be3Schristos if (e->server_cert_file)
52842669be3Schristos eapol_test_write_cert(e->server_cert_file,
529*0d69f216Schristos cert->subject, cert->cert);
53042669be3Schristos }
5319a53cbbeSchristos
532*0d69f216Schristos for (i = 0; i < cert->num_altsubject; i++)
5339a53cbbeSchristos wpa_msg(e->wpa_s, MSG_INFO, WPA_EVENT_EAP_PEER_ALT
534*0d69f216Schristos "depth=%d %s", cert->depth, cert->altsubject[i]);
53542669be3Schristos }
53642669be3Schristos
53742669be3Schristos
eapol_test_set_anon_id(void * ctx,const u8 * id,size_t len)53862a52023Schristos static void eapol_test_set_anon_id(void *ctx, const u8 *id, size_t len)
53962a52023Schristos {
54062a52023Schristos struct eapol_test_data *e = ctx;
54162a52023Schristos struct wpa_supplicant *wpa_s = e->wpa_s;
54262a52023Schristos char *str;
54362a52023Schristos int res;
54462a52023Schristos
54562a52023Schristos wpa_hexdump_ascii(MSG_DEBUG, "EAP method updated anonymous_identity",
54662a52023Schristos id, len);
54762a52023Schristos
54862a52023Schristos if (wpa_s->current_ssid == NULL)
54962a52023Schristos return;
55062a52023Schristos
55162a52023Schristos if (id == NULL) {
55262a52023Schristos if (wpa_config_set(wpa_s->current_ssid, "anonymous_identity",
55362a52023Schristos "NULL", 0) < 0)
55462a52023Schristos return;
55562a52023Schristos } else {
55662a52023Schristos str = os_malloc(len * 2 + 1);
55762a52023Schristos if (str == NULL)
55862a52023Schristos return;
55962a52023Schristos wpa_snprintf_hex(str, len * 2 + 1, id, len);
56062a52023Schristos res = wpa_config_set(wpa_s->current_ssid, "anonymous_identity",
56162a52023Schristos str, 0);
56262a52023Schristos os_free(str);
56362a52023Schristos if (res < 0)
56462a52023Schristos return;
56562a52023Schristos }
56662a52023Schristos }
56762a52023Schristos
56862a52023Schristos
eapol_test_get_state(void * ctx)569928750b6Schristos static enum wpa_states eapol_test_get_state(void *ctx)
570928750b6Schristos {
571928750b6Schristos struct eapol_test_data *e = ctx;
572928750b6Schristos struct wpa_supplicant *wpa_s = e->wpa_s;
573928750b6Schristos
574928750b6Schristos return wpa_s->wpa_state;
575928750b6Schristos }
576928750b6Schristos
577928750b6Schristos
test_eapol(struct eapol_test_data * e,struct wpa_supplicant * wpa_s,struct wpa_ssid * ssid)5788dbcf02cSchristos static int test_eapol(struct eapol_test_data *e, struct wpa_supplicant *wpa_s,
5798dbcf02cSchristos struct wpa_ssid *ssid)
5808dbcf02cSchristos {
5818dbcf02cSchristos struct eapol_config eapol_conf;
5828dbcf02cSchristos struct eapol_ctx *ctx;
583928750b6Schristos struct wpa_sm_ctx *wctx;
5848dbcf02cSchristos
5858dbcf02cSchristos ctx = os_zalloc(sizeof(*ctx));
5868dbcf02cSchristos if (ctx == NULL) {
5878dbcf02cSchristos printf("Failed to allocate EAPOL context.\n");
5888dbcf02cSchristos return -1;
5898dbcf02cSchristos }
59042669be3Schristos ctx->ctx = e;
5918dbcf02cSchristos ctx->msg_ctx = wpa_s;
5928dbcf02cSchristos ctx->scard_ctx = wpa_s->scard;
5938dbcf02cSchristos ctx->cb = eapol_sm_cb;
5948dbcf02cSchristos ctx->cb_ctx = e;
5958dbcf02cSchristos ctx->eapol_send_ctx = wpa_s;
5968dbcf02cSchristos ctx->preauth = 0;
5978dbcf02cSchristos ctx->eapol_done_cb = eapol_test_eapol_done_cb;
5988dbcf02cSchristos ctx->eapol_send = eapol_test_eapol_send;
5998dbcf02cSchristos ctx->set_config_blob = eapol_test_set_config_blob;
6008dbcf02cSchristos ctx->get_config_blob = eapol_test_get_config_blob;
6018dbcf02cSchristos ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
6028dbcf02cSchristos ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
6038dbcf02cSchristos ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
6049a53cbbeSchristos ctx->openssl_ciphers = wpa_s->conf->openssl_ciphers;
60536d97821Schristos ctx->eap_param_needed = eapol_test_eap_param_needed;
60642669be3Schristos ctx->cert_cb = eapol_test_cert_cb;
60742669be3Schristos ctx->cert_in_cb = 1;
60862a52023Schristos ctx->set_anon_id = eapol_test_set_anon_id;
6098dbcf02cSchristos
6108dbcf02cSchristos wpa_s->eapol = eapol_sm_init(ctx);
6118dbcf02cSchristos if (wpa_s->eapol == NULL) {
6128dbcf02cSchristos os_free(ctx);
6138dbcf02cSchristos printf("Failed to initialize EAPOL state machines.\n");
6148dbcf02cSchristos return -1;
6158dbcf02cSchristos }
6168dbcf02cSchristos
617928750b6Schristos wpa_s->key_mgmt = WPA_KEY_MGMT_IEEE8021X_NO_WPA;
618928750b6Schristos wctx = os_zalloc(sizeof(*wctx));
619928750b6Schristos if (wctx == NULL) {
620928750b6Schristos os_free(ctx);
621928750b6Schristos return -1;
622928750b6Schristos }
623928750b6Schristos wctx->ctx = e;
624928750b6Schristos wctx->msg_ctx = wpa_s;
625928750b6Schristos wctx->get_state = eapol_test_get_state;
626928750b6Schristos wpa_s->wpa = wpa_sm_init(wctx);
627928750b6Schristos if (!wpa_s->wpa) {
628928750b6Schristos os_free(ctx);
629928750b6Schristos os_free(wctx);
630928750b6Schristos return -1;
631928750b6Schristos }
632928750b6Schristos
633928750b6Schristos if (!ssid)
634928750b6Schristos return 0;
635928750b6Schristos
6368dbcf02cSchristos wpa_s->current_ssid = ssid;
6378dbcf02cSchristos os_memset(&eapol_conf, 0, sizeof(eapol_conf));
6388dbcf02cSchristos eapol_conf.accept_802_1x_keys = 1;
6398dbcf02cSchristos eapol_conf.required_keys = 0;
6408dbcf02cSchristos eapol_conf.fast_reauth = wpa_s->conf->fast_reauth;
6418dbcf02cSchristos eapol_conf.workaround = ssid->eap_workaround;
64236d97821Schristos eapol_conf.external_sim = wpa_s->conf->external_sim;
6438dbcf02cSchristos eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
6448dbcf02cSchristos eapol_sm_register_scard_ctx(wpa_s->eapol, wpa_s->scard);
6458dbcf02cSchristos
6468dbcf02cSchristos
6478dbcf02cSchristos eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
6488dbcf02cSchristos /* 802.1X::portControl = Auto */
6498dbcf02cSchristos eapol_sm_notify_portEnabled(wpa_s->eapol, TRUE);
6508dbcf02cSchristos
6518dbcf02cSchristos return 0;
6528dbcf02cSchristos }
6538dbcf02cSchristos
6548dbcf02cSchristos
test_eapol_clean(struct eapol_test_data * e,struct wpa_supplicant * wpa_s)6558dbcf02cSchristos static void test_eapol_clean(struct eapol_test_data *e,
6568dbcf02cSchristos struct wpa_supplicant *wpa_s)
6578dbcf02cSchristos {
6588dbcf02cSchristos struct extra_radius_attr *p, *prev;
6598dbcf02cSchristos
660928750b6Schristos wpa_sm_deinit(wpa_s->wpa);
661928750b6Schristos wpa_s->wpa = NULL;
6628dbcf02cSchristos radius_client_deinit(e->radius);
66362a52023Schristos wpabuf_free(e->last_eap_radius);
6648dbcf02cSchristos radius_msg_free(e->last_recv_radius);
6658dbcf02cSchristos e->last_recv_radius = NULL;
6668dbcf02cSchristos os_free(e->eap_identity);
6678dbcf02cSchristos e->eap_identity = NULL;
6688dbcf02cSchristos eapol_sm_deinit(wpa_s->eapol);
6698dbcf02cSchristos wpa_s->eapol = NULL;
6708dbcf02cSchristos if (e->radius_conf && e->radius_conf->auth_server) {
6718dbcf02cSchristos os_free(e->radius_conf->auth_server->shared_secret);
6728dbcf02cSchristos os_free(e->radius_conf->auth_server);
6738dbcf02cSchristos }
6748dbcf02cSchristos os_free(e->radius_conf);
6758dbcf02cSchristos e->radius_conf = NULL;
6768dbcf02cSchristos scard_deinit(wpa_s->scard);
6778dbcf02cSchristos if (wpa_s->ctrl_iface) {
6788dbcf02cSchristos wpa_supplicant_ctrl_iface_deinit(wpa_s->ctrl_iface);
6798dbcf02cSchristos wpa_s->ctrl_iface = NULL;
6808dbcf02cSchristos }
68162a52023Schristos
68262a52023Schristos ext_password_deinit(wpa_s->ext_pw);
68362a52023Schristos wpa_s->ext_pw = NULL;
68462a52023Schristos
6858dbcf02cSchristos wpa_config_free(wpa_s->conf);
6868dbcf02cSchristos
6878dbcf02cSchristos p = e->extra_attrs;
6888dbcf02cSchristos while (p) {
6898dbcf02cSchristos prev = p;
6908dbcf02cSchristos p = p->next;
6918dbcf02cSchristos os_free(prev);
6928dbcf02cSchristos }
6938dbcf02cSchristos }
6948dbcf02cSchristos
6958dbcf02cSchristos
send_eap_request_identity(void * eloop_ctx,void * timeout_ctx)6968dbcf02cSchristos static void send_eap_request_identity(void *eloop_ctx, void *timeout_ctx)
6978dbcf02cSchristos {
6988dbcf02cSchristos struct wpa_supplicant *wpa_s = eloop_ctx;
6998dbcf02cSchristos u8 buf[100], *pos;
7008dbcf02cSchristos struct ieee802_1x_hdr *hdr;
7018dbcf02cSchristos struct eap_hdr *eap;
7028dbcf02cSchristos
7038dbcf02cSchristos hdr = (struct ieee802_1x_hdr *) buf;
7048dbcf02cSchristos hdr->version = EAPOL_VERSION;
7058dbcf02cSchristos hdr->type = IEEE802_1X_TYPE_EAP_PACKET;
7068dbcf02cSchristos hdr->length = htons(5);
7078dbcf02cSchristos
7088dbcf02cSchristos eap = (struct eap_hdr *) (hdr + 1);
7098dbcf02cSchristos eap->code = EAP_CODE_REQUEST;
710*0d69f216Schristos if (os_get_random((u8 *) &eap->identifier, sizeof(eap->identifier)) < 0)
711*0d69f216Schristos eap->identifier = os_random() & 0xff;
7128dbcf02cSchristos eap->length = htons(5);
7138dbcf02cSchristos pos = (u8 *) (eap + 1);
7148dbcf02cSchristos *pos = EAP_TYPE_IDENTITY;
7158dbcf02cSchristos
7168dbcf02cSchristos printf("Sending fake EAP-Request-Identity\n");
7178dbcf02cSchristos eapol_sm_rx_eapol(wpa_s->eapol, wpa_s->bssid, buf,
7188dbcf02cSchristos sizeof(*hdr) + 5);
7198dbcf02cSchristos }
7208dbcf02cSchristos
7218dbcf02cSchristos
eapol_test_timeout(void * eloop_ctx,void * timeout_ctx)7228dbcf02cSchristos static void eapol_test_timeout(void *eloop_ctx, void *timeout_ctx)
7238dbcf02cSchristos {
7248dbcf02cSchristos struct eapol_test_data *e = eloop_ctx;
7258dbcf02cSchristos printf("EAPOL test timed out\n");
7268dbcf02cSchristos e->auth_timed_out = 1;
7278dbcf02cSchristos eloop_terminate();
7288dbcf02cSchristos }
7298dbcf02cSchristos
7308dbcf02cSchristos
eap_type_text(u8 type)7318dbcf02cSchristos static char *eap_type_text(u8 type)
7328dbcf02cSchristos {
7338dbcf02cSchristos switch (type) {
7348dbcf02cSchristos case EAP_TYPE_IDENTITY: return "Identity";
7358dbcf02cSchristos case EAP_TYPE_NOTIFICATION: return "Notification";
7368dbcf02cSchristos case EAP_TYPE_NAK: return "Nak";
7378dbcf02cSchristos case EAP_TYPE_TLS: return "TLS";
7388dbcf02cSchristos case EAP_TYPE_TTLS: return "TTLS";
7398dbcf02cSchristos case EAP_TYPE_PEAP: return "PEAP";
7408dbcf02cSchristos case EAP_TYPE_SIM: return "SIM";
7418dbcf02cSchristos case EAP_TYPE_GTC: return "GTC";
7428dbcf02cSchristos case EAP_TYPE_MD5: return "MD5";
7438dbcf02cSchristos case EAP_TYPE_OTP: return "OTP";
7448dbcf02cSchristos case EAP_TYPE_FAST: return "FAST";
7458dbcf02cSchristos case EAP_TYPE_SAKE: return "SAKE";
7468dbcf02cSchristos case EAP_TYPE_PSK: return "PSK";
7478dbcf02cSchristos default: return "Unknown";
7488dbcf02cSchristos }
7498dbcf02cSchristos }
7508dbcf02cSchristos
7518dbcf02cSchristos
ieee802_1x_decapsulate_radius(struct eapol_test_data * e)7528dbcf02cSchristos static void ieee802_1x_decapsulate_radius(struct eapol_test_data *e)
7538dbcf02cSchristos {
75462a52023Schristos struct wpabuf *eap;
75562a52023Schristos const struct eap_hdr *hdr;
7568dbcf02cSchristos int eap_type = -1;
7578dbcf02cSchristos char buf[64];
7588dbcf02cSchristos struct radius_msg *msg;
7598dbcf02cSchristos
7608dbcf02cSchristos if (e->last_recv_radius == NULL)
7618dbcf02cSchristos return;
7628dbcf02cSchristos
7638dbcf02cSchristos msg = e->last_recv_radius;
7648dbcf02cSchristos
76562a52023Schristos eap = radius_msg_get_eap(msg);
7668dbcf02cSchristos if (eap == NULL) {
7678dbcf02cSchristos /* draft-aboba-radius-rfc2869bis-20.txt, Chap. 2.6.3:
7688dbcf02cSchristos * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
7698dbcf02cSchristos * attribute */
7708dbcf02cSchristos wpa_printf(MSG_DEBUG, "could not extract "
7718dbcf02cSchristos "EAP-Message from RADIUS message");
77262a52023Schristos wpabuf_free(e->last_eap_radius);
7738dbcf02cSchristos e->last_eap_radius = NULL;
7748dbcf02cSchristos return;
7758dbcf02cSchristos }
7768dbcf02cSchristos
77762a52023Schristos if (wpabuf_len(eap) < sizeof(*hdr)) {
7788dbcf02cSchristos wpa_printf(MSG_DEBUG, "too short EAP packet "
7798dbcf02cSchristos "received from authentication server");
78062a52023Schristos wpabuf_free(eap);
7818dbcf02cSchristos return;
7828dbcf02cSchristos }
7838dbcf02cSchristos
78462a52023Schristos if (wpabuf_len(eap) > sizeof(*hdr))
78562a52023Schristos eap_type = (wpabuf_head_u8(eap))[sizeof(*hdr)];
7868dbcf02cSchristos
78762a52023Schristos hdr = wpabuf_head(eap);
7888dbcf02cSchristos switch (hdr->code) {
7898dbcf02cSchristos case EAP_CODE_REQUEST:
7908dbcf02cSchristos os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
7918dbcf02cSchristos eap_type >= 0 ? eap_type_text(eap_type) : "??",
7928dbcf02cSchristos eap_type);
7938dbcf02cSchristos break;
7948dbcf02cSchristos case EAP_CODE_RESPONSE:
7958dbcf02cSchristos os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
7968dbcf02cSchristos eap_type >= 0 ? eap_type_text(eap_type) : "??",
7978dbcf02cSchristos eap_type);
7988dbcf02cSchristos break;
7998dbcf02cSchristos case EAP_CODE_SUCCESS:
8008dbcf02cSchristos os_strlcpy(buf, "EAP Success", sizeof(buf));
8018dbcf02cSchristos /* LEAP uses EAP Success within an authentication, so must not
8028dbcf02cSchristos * stop here with eloop_terminate(); */
8038dbcf02cSchristos break;
8048dbcf02cSchristos case EAP_CODE_FAILURE:
8058dbcf02cSchristos os_strlcpy(buf, "EAP Failure", sizeof(buf));
806928750b6Schristos if (e->ctrl_iface)
807928750b6Schristos break;
8088dbcf02cSchristos eloop_terminate();
8098dbcf02cSchristos break;
8108dbcf02cSchristos default:
8118dbcf02cSchristos os_strlcpy(buf, "unknown EAP code", sizeof(buf));
81262a52023Schristos wpa_hexdump_buf(MSG_DEBUG, "Decapsulated EAP packet", eap);
8138dbcf02cSchristos break;
8148dbcf02cSchristos }
8158dbcf02cSchristos wpa_printf(MSG_DEBUG, "decapsulated EAP packet (code=%d "
8168dbcf02cSchristos "id=%d len=%d) from RADIUS server: %s",
8178dbcf02cSchristos hdr->code, hdr->identifier, ntohs(hdr->length), buf);
8188dbcf02cSchristos
8198dbcf02cSchristos /* sta->eapol_sm->be_auth.idFromServer = hdr->identifier; */
8208dbcf02cSchristos
82162a52023Schristos wpabuf_free(e->last_eap_radius);
8228dbcf02cSchristos e->last_eap_radius = eap;
8238dbcf02cSchristos
8248dbcf02cSchristos {
8258dbcf02cSchristos struct ieee802_1x_hdr *dot1x;
82662a52023Schristos dot1x = os_malloc(sizeof(*dot1x) + wpabuf_len(eap));
8278dbcf02cSchristos assert(dot1x != NULL);
8288dbcf02cSchristos dot1x->version = EAPOL_VERSION;
8298dbcf02cSchristos dot1x->type = IEEE802_1X_TYPE_EAP_PACKET;
83062a52023Schristos dot1x->length = htons(wpabuf_len(eap));
83162a52023Schristos os_memcpy((u8 *) (dot1x + 1), wpabuf_head(eap),
83262a52023Schristos wpabuf_len(eap));
8338dbcf02cSchristos eapol_sm_rx_eapol(e->wpa_s->eapol, e->wpa_s->bssid,
83462a52023Schristos (u8 *) dot1x,
83562a52023Schristos sizeof(*dot1x) + wpabuf_len(eap));
8368dbcf02cSchristos os_free(dot1x);
8378dbcf02cSchristos }
8388dbcf02cSchristos }
8398dbcf02cSchristos
8408dbcf02cSchristos
ieee802_1x_get_keys(struct eapol_test_data * e,struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len)8418dbcf02cSchristos static void ieee802_1x_get_keys(struct eapol_test_data *e,
8428dbcf02cSchristos struct radius_msg *msg, struct radius_msg *req,
8438dbcf02cSchristos const u8 *shared_secret,
8448dbcf02cSchristos size_t shared_secret_len)
8458dbcf02cSchristos {
8468dbcf02cSchristos struct radius_ms_mppe_keys *keys;
84736d97821Schristos u8 *buf;
84836d97821Schristos size_t len;
8498dbcf02cSchristos
8508dbcf02cSchristos keys = radius_msg_get_ms_keys(msg, req, shared_secret,
8518dbcf02cSchristos shared_secret_len);
8528dbcf02cSchristos if (keys && keys->send == NULL && keys->recv == NULL) {
8538dbcf02cSchristos os_free(keys);
8548dbcf02cSchristos keys = radius_msg_get_cisco_keys(msg, req, shared_secret,
8558dbcf02cSchristos shared_secret_len);
8568dbcf02cSchristos }
8578dbcf02cSchristos
8588dbcf02cSchristos if (keys) {
8598dbcf02cSchristos if (keys->send) {
8608dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "MS-MPPE-Send-Key (sign)",
8618dbcf02cSchristos keys->send, keys->send_len);
8628dbcf02cSchristos }
8638dbcf02cSchristos if (keys->recv) {
8648dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "MS-MPPE-Recv-Key (crypt)",
8658dbcf02cSchristos keys->recv, keys->recv_len);
8668dbcf02cSchristos e->authenticator_pmk_len =
8678dbcf02cSchristos keys->recv_len > PMK_LEN ? PMK_LEN :
8688dbcf02cSchristos keys->recv_len;
8698dbcf02cSchristos os_memcpy(e->authenticator_pmk, keys->recv,
8708dbcf02cSchristos e->authenticator_pmk_len);
8718dbcf02cSchristos if (e->authenticator_pmk_len == 16 && keys->send &&
8728dbcf02cSchristos keys->send_len == 16) {
8738dbcf02cSchristos /* MS-CHAP-v2 derives 16 octet keys */
8748dbcf02cSchristos wpa_printf(MSG_DEBUG, "Use MS-MPPE-Send-Key "
8758dbcf02cSchristos "to extend PMK to 32 octets");
8768dbcf02cSchristos os_memcpy(e->authenticator_pmk +
8778dbcf02cSchristos e->authenticator_pmk_len,
8788dbcf02cSchristos keys->send, keys->send_len);
8798dbcf02cSchristos e->authenticator_pmk_len += keys->send_len;
8808dbcf02cSchristos }
8818dbcf02cSchristos }
8828dbcf02cSchristos
8838dbcf02cSchristos os_free(keys->send);
8848dbcf02cSchristos os_free(keys->recv);
8858dbcf02cSchristos os_free(keys);
8868dbcf02cSchristos }
88736d97821Schristos
88836d97821Schristos if (radius_msg_get_attr_ptr(msg, RADIUS_ATTR_EAP_KEY_NAME, &buf, &len,
88936d97821Schristos NULL) == 0) {
89036d97821Schristos os_memcpy(e->authenticator_eap_key_name, buf, len);
89136d97821Schristos e->authenticator_eap_key_name_len = len;
89236d97821Schristos } else {
89336d97821Schristos e->authenticator_eap_key_name_len = 0;
89436d97821Schristos }
8958dbcf02cSchristos }
8968dbcf02cSchristos
8978dbcf02cSchristos
8988dbcf02cSchristos /* Process the RADIUS frames from Authentication Server */
8998dbcf02cSchristos static RadiusRxResult
ieee802_1x_receive_auth(struct radius_msg * msg,struct radius_msg * req,const u8 * shared_secret,size_t shared_secret_len,void * data)9008dbcf02cSchristos ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
9018dbcf02cSchristos const u8 *shared_secret, size_t shared_secret_len,
9028dbcf02cSchristos void *data)
9038dbcf02cSchristos {
9048dbcf02cSchristos struct eapol_test_data *e = data;
9058dbcf02cSchristos struct radius_hdr *hdr = radius_msg_get_hdr(msg);
9068dbcf02cSchristos
9078dbcf02cSchristos /* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
9088dbcf02cSchristos * present when packet contains an EAP-Message attribute */
9098dbcf02cSchristos if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
9108dbcf02cSchristos radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
9118dbcf02cSchristos 0) < 0 &&
9128dbcf02cSchristos radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
9138dbcf02cSchristos wpa_printf(MSG_DEBUG, "Allowing RADIUS "
9148dbcf02cSchristos "Access-Reject without Message-Authenticator "
9158dbcf02cSchristos "since it does not include EAP-Message\n");
9168dbcf02cSchristos } else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
9178dbcf02cSchristos req, 1)) {
9188dbcf02cSchristos printf("Incoming RADIUS packet did not have correct "
9198dbcf02cSchristos "Message-Authenticator - dropped\n");
9208dbcf02cSchristos return RADIUS_RX_UNKNOWN;
9218dbcf02cSchristos }
9228dbcf02cSchristos
9238dbcf02cSchristos if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
9248dbcf02cSchristos hdr->code != RADIUS_CODE_ACCESS_REJECT &&
9258dbcf02cSchristos hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
9268dbcf02cSchristos printf("Unknown RADIUS message code\n");
9278dbcf02cSchristos return RADIUS_RX_UNKNOWN;
9288dbcf02cSchristos }
9298dbcf02cSchristos
9308dbcf02cSchristos e->radius_identifier = -1;
9318dbcf02cSchristos wpa_printf(MSG_DEBUG, "RADIUS packet matching with station");
9328dbcf02cSchristos
9338dbcf02cSchristos radius_msg_free(e->last_recv_radius);
9348dbcf02cSchristos e->last_recv_radius = msg;
9358dbcf02cSchristos
9368dbcf02cSchristos switch (hdr->code) {
9378dbcf02cSchristos case RADIUS_CODE_ACCESS_ACCEPT:
9388dbcf02cSchristos e->radius_access_accept_received = 1;
9398dbcf02cSchristos ieee802_1x_get_keys(e, msg, req, shared_secret,
9408dbcf02cSchristos shared_secret_len);
9418dbcf02cSchristos break;
9428dbcf02cSchristos case RADIUS_CODE_ACCESS_REJECT:
9438dbcf02cSchristos e->radius_access_reject_received = 1;
9448dbcf02cSchristos break;
9458dbcf02cSchristos }
9468dbcf02cSchristos
9478dbcf02cSchristos ieee802_1x_decapsulate_radius(e);
9488dbcf02cSchristos
9498dbcf02cSchristos if ((hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
9508dbcf02cSchristos e->eapol_test_num_reauths < 0) ||
9518dbcf02cSchristos hdr->code == RADIUS_CODE_ACCESS_REJECT) {
952928750b6Schristos if (!e->ctrl_iface)
9538dbcf02cSchristos eloop_terminate();
9548dbcf02cSchristos }
9558dbcf02cSchristos
9568dbcf02cSchristos return RADIUS_RX_QUEUED;
9578dbcf02cSchristos }
9588dbcf02cSchristos
9598dbcf02cSchristos
driver_get_ssid(void * priv,u8 * ssid)960928750b6Schristos static int driver_get_ssid(void *priv, u8 *ssid)
961928750b6Schristos {
962928750b6Schristos ssid[0] = 0;
963928750b6Schristos return 0;
964928750b6Schristos }
965928750b6Schristos
966928750b6Schristos
driver_get_bssid(void * priv,u8 * bssid)967928750b6Schristos static int driver_get_bssid(void *priv, u8 *bssid)
968928750b6Schristos {
969928750b6Schristos struct eapol_test_data *e = priv;
970928750b6Schristos
971928750b6Schristos if (e->ctrl_iface && !e->id_req_sent) {
972928750b6Schristos eloop_register_timeout(0, 0, send_eap_request_identity,
973928750b6Schristos e->wpa_s, NULL);
974928750b6Schristos e->id_req_sent = 1;
975928750b6Schristos }
976928750b6Schristos
977928750b6Schristos os_memset(bssid, 0, ETH_ALEN);
978928750b6Schristos bssid[5] = 1;
979928750b6Schristos return 0;
980928750b6Schristos }
981928750b6Schristos
982928750b6Schristos
driver_get_capa(void * priv,struct wpa_driver_capa * capa)983928750b6Schristos static int driver_get_capa(void *priv, struct wpa_driver_capa *capa)
984928750b6Schristos {
985928750b6Schristos os_memset(capa, 0, sizeof(*capa));
986928750b6Schristos capa->flags = WPA_DRIVER_FLAGS_WIRED;
987928750b6Schristos return 0;
988928750b6Schristos }
989928750b6Schristos
990928750b6Schristos
991928750b6Schristos struct wpa_driver_ops eapol_test_drv_ops = {
992928750b6Schristos .name = "test",
993928750b6Schristos .get_ssid = driver_get_ssid,
994928750b6Schristos .get_bssid = driver_get_bssid,
995928750b6Schristos .get_capa = driver_get_capa,
996928750b6Schristos };
997928750b6Schristos
wpa_init_conf(struct eapol_test_data * e,struct wpa_supplicant * wpa_s,const char * authsrv,int port,const char * secret,const char * cli_addr,const char * ifname)9988dbcf02cSchristos static void wpa_init_conf(struct eapol_test_data *e,
9998dbcf02cSchristos struct wpa_supplicant *wpa_s, const char *authsrv,
10008dbcf02cSchristos int port, const char *secret,
1001928750b6Schristos const char *cli_addr, const char *ifname)
10028dbcf02cSchristos {
10038dbcf02cSchristos struct hostapd_radius_server *as;
10048dbcf02cSchristos int res;
10058dbcf02cSchristos
1006928750b6Schristos wpa_s->driver = &eapol_test_drv_ops;
1007928750b6Schristos wpa_s->drv_priv = e;
10088dbcf02cSchristos wpa_s->bssid[5] = 1;
10098dbcf02cSchristos os_memcpy(wpa_s->own_addr, e->own_addr, ETH_ALEN);
10108dbcf02cSchristos e->own_ip_addr.s_addr = htonl((127 << 24) | 1);
1011928750b6Schristos os_strlcpy(wpa_s->ifname, ifname, sizeof(wpa_s->ifname));
10128dbcf02cSchristos
10138dbcf02cSchristos e->radius_conf = os_zalloc(sizeof(struct hostapd_radius_servers));
10148dbcf02cSchristos assert(e->radius_conf != NULL);
10158dbcf02cSchristos e->radius_conf->num_auth_servers = 1;
10168dbcf02cSchristos as = os_zalloc(sizeof(struct hostapd_radius_server));
10178dbcf02cSchristos assert(as != NULL);
10188dbcf02cSchristos #if defined(CONFIG_NATIVE_WINDOWS) || defined(CONFIG_ANSI_C_EXTRA)
10198dbcf02cSchristos {
10208dbcf02cSchristos int a[4];
10218dbcf02cSchristos u8 *pos;
10228dbcf02cSchristos sscanf(authsrv, "%d.%d.%d.%d", &a[0], &a[1], &a[2], &a[3]);
10238dbcf02cSchristos pos = (u8 *) &as->addr.u.v4;
10248dbcf02cSchristos *pos++ = a[0];
10258dbcf02cSchristos *pos++ = a[1];
10268dbcf02cSchristos *pos++ = a[2];
10278dbcf02cSchristos *pos++ = a[3];
10288dbcf02cSchristos }
10298dbcf02cSchristos #else /* CONFIG_NATIVE_WINDOWS or CONFIG_ANSI_C_EXTRA */
1030928750b6Schristos if (hostapd_parse_ip_addr(authsrv, &as->addr) < 0) {
10319a53cbbeSchristos wpa_printf(MSG_ERROR, "Invalid IP address '%s'",
10329a53cbbeSchristos authsrv);
10339a53cbbeSchristos assert(0);
10349a53cbbeSchristos }
10358dbcf02cSchristos #endif /* CONFIG_NATIVE_WINDOWS or CONFIG_ANSI_C_EXTRA */
10368dbcf02cSchristos as->port = port;
10378dbcf02cSchristos as->shared_secret = (u8 *) os_strdup(secret);
10388dbcf02cSchristos as->shared_secret_len = os_strlen(secret);
10398dbcf02cSchristos e->radius_conf->auth_server = as;
10408dbcf02cSchristos e->radius_conf->auth_servers = as;
10418dbcf02cSchristos e->radius_conf->msg_dumps = 1;
10428dbcf02cSchristos if (cli_addr) {
10438dbcf02cSchristos if (hostapd_parse_ip_addr(cli_addr,
10448dbcf02cSchristos &e->radius_conf->client_addr) == 0)
10458dbcf02cSchristos e->radius_conf->force_client_addr = 1;
10468dbcf02cSchristos else {
10478dbcf02cSchristos wpa_printf(MSG_ERROR, "Invalid IP address '%s'",
10488dbcf02cSchristos cli_addr);
10498dbcf02cSchristos assert(0);
10508dbcf02cSchristos }
10518dbcf02cSchristos }
10528dbcf02cSchristos
10538dbcf02cSchristos e->radius = radius_client_init(wpa_s, e->radius_conf);
10548dbcf02cSchristos assert(e->radius != NULL);
10558dbcf02cSchristos
10568dbcf02cSchristos res = radius_client_register(e->radius, RADIUS_AUTH,
10578dbcf02cSchristos ieee802_1x_receive_auth, e);
10588dbcf02cSchristos assert(res == 0);
10598dbcf02cSchristos }
10608dbcf02cSchristos
10618dbcf02cSchristos
scard_test(struct eapol_test_data * e)106236d97821Schristos static int scard_test(struct eapol_test_data *e)
10638dbcf02cSchristos {
10648dbcf02cSchristos struct scard_data *scard;
10658dbcf02cSchristos size_t len;
10668dbcf02cSchristos char imsi[20];
10678dbcf02cSchristos unsigned char _rand[16];
10688dbcf02cSchristos #ifdef PCSC_FUNCS
10698dbcf02cSchristos unsigned char sres[4];
10708dbcf02cSchristos unsigned char kc[8];
10718dbcf02cSchristos #endif /* PCSC_FUNCS */
10728dbcf02cSchristos #define num_triplets 5
10738dbcf02cSchristos unsigned char rand_[num_triplets][16];
10748dbcf02cSchristos unsigned char sres_[num_triplets][4];
10758dbcf02cSchristos unsigned char kc_[num_triplets][8];
10768dbcf02cSchristos int i, res;
10778dbcf02cSchristos size_t j;
10788dbcf02cSchristos
10798dbcf02cSchristos #define AKA_RAND_LEN 16
10808dbcf02cSchristos #define AKA_AUTN_LEN 16
10818dbcf02cSchristos #define AKA_AUTS_LEN 14
10828dbcf02cSchristos #define RES_MAX_LEN 16
10838dbcf02cSchristos #define IK_LEN 16
10848dbcf02cSchristos #define CK_LEN 16
10858dbcf02cSchristos unsigned char aka_rand[AKA_RAND_LEN];
10868dbcf02cSchristos unsigned char aka_autn[AKA_AUTN_LEN];
10878dbcf02cSchristos unsigned char aka_auts[AKA_AUTS_LEN];
10888dbcf02cSchristos unsigned char aka_res[RES_MAX_LEN];
10898dbcf02cSchristos size_t aka_res_len;
10908dbcf02cSchristos unsigned char aka_ik[IK_LEN];
10918dbcf02cSchristos unsigned char aka_ck[CK_LEN];
10928dbcf02cSchristos
109336d97821Schristos scard = scard_init(e->pcsc_reader);
10948dbcf02cSchristos if (scard == NULL)
10958dbcf02cSchristos return -1;
109636d97821Schristos if (scard_set_pin(scard, e->pcsc_pin)) {
10978dbcf02cSchristos wpa_printf(MSG_WARNING, "PIN validation failed");
10988dbcf02cSchristos scard_deinit(scard);
10998dbcf02cSchristos return -1;
11008dbcf02cSchristos }
11018dbcf02cSchristos
11028dbcf02cSchristos len = sizeof(imsi);
11038dbcf02cSchristos if (scard_get_imsi(scard, imsi, &len))
11048dbcf02cSchristos goto failed;
11058dbcf02cSchristos wpa_hexdump_ascii(MSG_DEBUG, "SCARD: IMSI", (u8 *) imsi, len);
11068dbcf02cSchristos /* NOTE: Permanent Username: 1 | IMSI */
11078dbcf02cSchristos
110862a52023Schristos wpa_printf(MSG_DEBUG, "SCARD: MNC length %d",
110962a52023Schristos scard_get_mnc_len(scard));
111062a52023Schristos
11118dbcf02cSchristos os_memset(_rand, 0, sizeof(_rand));
11128dbcf02cSchristos if (scard_gsm_auth(scard, _rand, sres, kc))
11138dbcf02cSchristos goto failed;
11148dbcf02cSchristos
11158dbcf02cSchristos os_memset(_rand, 0xff, sizeof(_rand));
11168dbcf02cSchristos if (scard_gsm_auth(scard, _rand, sres, kc))
11178dbcf02cSchristos goto failed;
11188dbcf02cSchristos
11198dbcf02cSchristos for (i = 0; i < num_triplets; i++) {
11208dbcf02cSchristos os_memset(rand_[i], i, sizeof(rand_[i]));
11218dbcf02cSchristos if (scard_gsm_auth(scard, rand_[i], sres_[i], kc_[i]))
11228dbcf02cSchristos goto failed;
11238dbcf02cSchristos }
11248dbcf02cSchristos
11258dbcf02cSchristos for (i = 0; i < num_triplets; i++) {
11268dbcf02cSchristos printf("1");
11278dbcf02cSchristos for (j = 0; j < len; j++)
11288dbcf02cSchristos printf("%c", imsi[j]);
11298dbcf02cSchristos printf(",");
11308dbcf02cSchristos for (j = 0; j < 16; j++)
11318dbcf02cSchristos printf("%02X", rand_[i][j]);
11328dbcf02cSchristos printf(",");
11338dbcf02cSchristos for (j = 0; j < 4; j++)
11348dbcf02cSchristos printf("%02X", sres_[i][j]);
11358dbcf02cSchristos printf(",");
11368dbcf02cSchristos for (j = 0; j < 8; j++)
11378dbcf02cSchristos printf("%02X", kc_[i][j]);
11388dbcf02cSchristos printf("\n");
11398dbcf02cSchristos }
11408dbcf02cSchristos
11418dbcf02cSchristos wpa_printf(MSG_DEBUG, "Trying to use UMTS authentication");
11428dbcf02cSchristos
11438dbcf02cSchristos /* seq 39 (0x28) */
11448dbcf02cSchristos os_memset(aka_rand, 0xaa, 16);
11458dbcf02cSchristos os_memcpy(aka_autn, "\x86\x71\x31\xcb\xa2\xfc\x61\xdf"
11468dbcf02cSchristos "\xa3\xb3\x97\x9d\x07\x32\xa2\x12", 16);
11478dbcf02cSchristos
11488dbcf02cSchristos res = scard_umts_auth(scard, aka_rand, aka_autn, aka_res, &aka_res_len,
11498dbcf02cSchristos aka_ik, aka_ck, aka_auts);
11508dbcf02cSchristos if (res == 0) {
11518dbcf02cSchristos wpa_printf(MSG_DEBUG, "UMTS auth completed successfully");
11528dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "RES", aka_res, aka_res_len);
11538dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "IK", aka_ik, IK_LEN);
11548dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "CK", aka_ck, CK_LEN);
11558dbcf02cSchristos } else if (res == -2) {
11568dbcf02cSchristos wpa_printf(MSG_DEBUG, "UMTS auth resulted in synchronization "
11578dbcf02cSchristos "failure");
11588dbcf02cSchristos wpa_hexdump(MSG_DEBUG, "AUTS", aka_auts, AKA_AUTS_LEN);
11598dbcf02cSchristos } else {
11608dbcf02cSchristos wpa_printf(MSG_DEBUG, "UMTS auth failed");
11618dbcf02cSchristos }
11628dbcf02cSchristos
11638dbcf02cSchristos failed:
11648dbcf02cSchristos scard_deinit(scard);
11658dbcf02cSchristos
11668dbcf02cSchristos return 0;
11678dbcf02cSchristos #undef num_triplets
11688dbcf02cSchristos }
11698dbcf02cSchristos
11708dbcf02cSchristos
scard_get_triplets(struct eapol_test_data * e,int argc,char * argv[])117136d97821Schristos static int scard_get_triplets(struct eapol_test_data *e, int argc, char *argv[])
11728dbcf02cSchristos {
11738dbcf02cSchristos struct scard_data *scard;
11748dbcf02cSchristos size_t len;
11758dbcf02cSchristos char imsi[20];
11768dbcf02cSchristos unsigned char _rand[16];
11778dbcf02cSchristos unsigned char sres[4];
11788dbcf02cSchristos unsigned char kc[8];
11798dbcf02cSchristos int num_triplets;
11808dbcf02cSchristos int i;
11818dbcf02cSchristos size_t j;
11828dbcf02cSchristos
11838dbcf02cSchristos if (argc < 2 || ((num_triplets = atoi(argv[1])) <= 0)) {
11848dbcf02cSchristos printf("invalid parameters for sim command\n");
11858dbcf02cSchristos return -1;
11868dbcf02cSchristos }
11878dbcf02cSchristos
11888dbcf02cSchristos if (argc <= 2 || os_strcmp(argv[2], "debug") != 0) {
11898dbcf02cSchristos /* disable debug output */
11908dbcf02cSchristos wpa_debug_level = 99;
11918dbcf02cSchristos }
11928dbcf02cSchristos
119336d97821Schristos scard = scard_init(e->pcsc_reader);
11948dbcf02cSchristos if (scard == NULL) {
11958dbcf02cSchristos printf("Failed to open smartcard connection\n");
11968dbcf02cSchristos return -1;
11978dbcf02cSchristos }
11988dbcf02cSchristos if (scard_set_pin(scard, argv[0])) {
11998dbcf02cSchristos wpa_printf(MSG_WARNING, "PIN validation failed");
12008dbcf02cSchristos scard_deinit(scard);
12018dbcf02cSchristos return -1;
12028dbcf02cSchristos }
12038dbcf02cSchristos
12048dbcf02cSchristos len = sizeof(imsi);
12058dbcf02cSchristos if (scard_get_imsi(scard, imsi, &len)) {
12068dbcf02cSchristos scard_deinit(scard);
12078dbcf02cSchristos return -1;
12088dbcf02cSchristos }
12098dbcf02cSchristos
12108dbcf02cSchristos for (i = 0; i < num_triplets; i++) {
12118dbcf02cSchristos os_memset(_rand, i, sizeof(_rand));
12128dbcf02cSchristos if (scard_gsm_auth(scard, _rand, sres, kc))
12138dbcf02cSchristos break;
12148dbcf02cSchristos
12158dbcf02cSchristos /* IMSI:Kc:SRES:RAND */
12168dbcf02cSchristos for (j = 0; j < len; j++)
12178dbcf02cSchristos printf("%c", imsi[j]);
12188dbcf02cSchristos printf(":");
12198dbcf02cSchristos for (j = 0; j < 8; j++)
12208dbcf02cSchristos printf("%02X", kc[j]);
12218dbcf02cSchristos printf(":");
12228dbcf02cSchristos for (j = 0; j < 4; j++)
12238dbcf02cSchristos printf("%02X", sres[j]);
12248dbcf02cSchristos printf(":");
12258dbcf02cSchristos for (j = 0; j < 16; j++)
12268dbcf02cSchristos printf("%02X", _rand[j]);
12278dbcf02cSchristos printf("\n");
12288dbcf02cSchristos }
12298dbcf02cSchristos
12308dbcf02cSchristos scard_deinit(scard);
12318dbcf02cSchristos
12328dbcf02cSchristos return 0;
12338dbcf02cSchristos }
12348dbcf02cSchristos
12358dbcf02cSchristos
eapol_test_terminate(int sig,void * signal_ctx)12368dbcf02cSchristos static void eapol_test_terminate(int sig, void *signal_ctx)
12378dbcf02cSchristos {
12388dbcf02cSchristos struct wpa_supplicant *wpa_s = signal_ctx;
12398dbcf02cSchristos wpa_msg(wpa_s, MSG_INFO, "Signal %d received - terminating", sig);
12408dbcf02cSchristos eloop_terminate();
12418dbcf02cSchristos }
12428dbcf02cSchristos
12438dbcf02cSchristos
usage(void)12448dbcf02cSchristos static void usage(void)
12458dbcf02cSchristos {
12468dbcf02cSchristos printf("usage:\n"
1247928750b6Schristos "eapol_test [-enWSv] -c<conf> [-a<AS IP>] [-p<AS port>] "
12488dbcf02cSchristos "[-s<AS secret>]\\\n"
12498dbcf02cSchristos " [-r<count>] [-t<timeout>] [-C<Connect-Info>] \\\n"
125042669be3Schristos " [-M<client MAC address>] [-o<server cert file] \\\n"
125136d97821Schristos " [-N<attr spec>] [-R<PC/SC reader>] "
125236d97821Schristos "[-P<PC/SC PIN>] \\\n"
1253928750b6Schristos " [-A<client IP>] [-i<ifname>] [-T<ctrl_iface>]\n"
12548dbcf02cSchristos "eapol_test scard\n"
12558dbcf02cSchristos "eapol_test sim <PIN> <num triplets> [debug]\n"
12568dbcf02cSchristos "\n");
12578dbcf02cSchristos printf("options:\n"
12588dbcf02cSchristos " -c<conf> = configuration file\n"
12598dbcf02cSchristos " -a<AS IP> = IP address of the authentication server, "
12608dbcf02cSchristos "default 127.0.0.1\n"
12618dbcf02cSchristos " -p<AS port> = UDP port of the authentication server, "
12628dbcf02cSchristos "default 1812\n"
12638dbcf02cSchristos " -s<AS secret> = shared secret with the authentication "
12648dbcf02cSchristos "server, default 'radius'\n"
12658dbcf02cSchristos " -A<client IP> = IP address of the client, default: select "
12668dbcf02cSchristos "automatically\n"
12678dbcf02cSchristos " -r<count> = number of re-authentications\n"
126836d97821Schristos " -e = Request EAP-Key-Name\n"
12698dbcf02cSchristos " -W = wait for a control interface monitor before starting\n"
12708dbcf02cSchristos " -S = save configuration after authentication\n"
12718dbcf02cSchristos " -n = no MPPE keys expected\n"
1272928750b6Schristos " -v = show version\n"
12738dbcf02cSchristos " -t<timeout> = sets timeout in seconds (default: 30 s)\n"
12748dbcf02cSchristos " -C<Connect-Info> = RADIUS Connect-Info (default: "
12758dbcf02cSchristos "CONNECT 11Mbps 802.11b)\n"
12768dbcf02cSchristos " -M<client MAC address> = Set own MAC address "
12778dbcf02cSchristos "(Calling-Station-Id,\n"
12788dbcf02cSchristos " default: 02:00:00:00:00:01)\n"
127942669be3Schristos " -o<server cert file> = Write received server certificate\n"
128042669be3Schristos " chain to the specified file\n"
12818dbcf02cSchristos " -N<attr spec> = send arbitrary attribute specified by:\n"
12828dbcf02cSchristos " attr_id:syntax:value or attr_id\n"
12838dbcf02cSchristos " attr_id - number id of the attribute\n"
12848dbcf02cSchristos " syntax - one of: s, d, x\n"
12858dbcf02cSchristos " s = string\n"
12868dbcf02cSchristos " d = integer\n"
12878dbcf02cSchristos " x = octet string\n"
12888dbcf02cSchristos " value - attribute value.\n"
12898dbcf02cSchristos " When only attr_id is specified, NULL will be used as "
12908dbcf02cSchristos "value.\n"
12918dbcf02cSchristos " Multiple attributes can be specified by using the "
12928dbcf02cSchristos "option several times.\n");
12938dbcf02cSchristos }
12948dbcf02cSchristos
12958dbcf02cSchristos
main(int argc,char * argv[])12968dbcf02cSchristos int main(int argc, char *argv[])
12978dbcf02cSchristos {
129836d97821Schristos struct wpa_global global;
12998dbcf02cSchristos struct wpa_supplicant wpa_s;
13008dbcf02cSchristos int c, ret = 1, wait_for_monitor = 0, save_config = 0;
13018dbcf02cSchristos char *as_addr = "127.0.0.1";
13028dbcf02cSchristos int as_port = 1812;
13038dbcf02cSchristos char *as_secret = "radius";
13048dbcf02cSchristos char *cli_addr = NULL;
13058dbcf02cSchristos char *conf = NULL;
13068dbcf02cSchristos int timeout = 30;
13078dbcf02cSchristos char *pos;
13088dbcf02cSchristos struct extra_radius_attr *p = NULL, *p1;
1309928750b6Schristos const char *ifname = "test";
1310928750b6Schristos const char *ctrl_iface = NULL;
13118dbcf02cSchristos
13128dbcf02cSchristos if (os_program_init())
13138dbcf02cSchristos return -1;
13148dbcf02cSchristos
13158dbcf02cSchristos hostapd_logger_register_cb(hostapd_logger_cb);
13168dbcf02cSchristos
13178dbcf02cSchristos os_memset(&eapol_test, 0, sizeof(eapol_test));
13188dbcf02cSchristos eapol_test.connect_info = "CONNECT 11Mbps 802.11b";
13198dbcf02cSchristos os_memcpy(eapol_test.own_addr, "\x02\x00\x00\x00\x00\x01", ETH_ALEN);
132036d97821Schristos eapol_test.pcsc_pin = "1234";
13218dbcf02cSchristos
13228dbcf02cSchristos wpa_debug_level = 0;
13238dbcf02cSchristos wpa_debug_show_keys = 1;
13248dbcf02cSchristos
13258dbcf02cSchristos for (;;) {
1326928750b6Schristos c = getopt(argc, argv, "a:A:c:C:ei:M:nN:o:p:P:r:R:s:St:T:vW");
13278dbcf02cSchristos if (c < 0)
13288dbcf02cSchristos break;
13298dbcf02cSchristos switch (c) {
13308dbcf02cSchristos case 'a':
13318dbcf02cSchristos as_addr = optarg;
13328dbcf02cSchristos break;
13338dbcf02cSchristos case 'A':
13348dbcf02cSchristos cli_addr = optarg;
13358dbcf02cSchristos break;
13368dbcf02cSchristos case 'c':
13378dbcf02cSchristos conf = optarg;
13388dbcf02cSchristos break;
13398dbcf02cSchristos case 'C':
13408dbcf02cSchristos eapol_test.connect_info = optarg;
13418dbcf02cSchristos break;
134236d97821Schristos case 'e':
134336d97821Schristos eapol_test.req_eap_key_name = 1;
134436d97821Schristos break;
1345928750b6Schristos case 'i':
1346928750b6Schristos ifname = optarg;
1347928750b6Schristos break;
13488dbcf02cSchristos case 'M':
13498dbcf02cSchristos if (hwaddr_aton(optarg, eapol_test.own_addr)) {
13508dbcf02cSchristos usage();
13518dbcf02cSchristos return -1;
13528dbcf02cSchristos }
13538dbcf02cSchristos break;
13548dbcf02cSchristos case 'n':
13558dbcf02cSchristos eapol_test.no_mppe_keys++;
13568dbcf02cSchristos break;
135742669be3Schristos case 'o':
135842669be3Schristos if (eapol_test.server_cert_file)
135942669be3Schristos fclose(eapol_test.server_cert_file);
136042669be3Schristos eapol_test.server_cert_file = fopen(optarg, "w");
136142669be3Schristos if (eapol_test.server_cert_file == NULL) {
136242669be3Schristos printf("Could not open '%s' for writing\n",
136342669be3Schristos optarg);
136442669be3Schristos return -1;
136542669be3Schristos }
136642669be3Schristos break;
13678dbcf02cSchristos case 'p':
13688dbcf02cSchristos as_port = atoi(optarg);
13698dbcf02cSchristos break;
137036d97821Schristos case 'P':
137136d97821Schristos eapol_test.pcsc_pin = optarg;
137236d97821Schristos break;
13738dbcf02cSchristos case 'r':
13748dbcf02cSchristos eapol_test.eapol_test_num_reauths = atoi(optarg);
13758dbcf02cSchristos break;
137636d97821Schristos case 'R':
137736d97821Schristos eapol_test.pcsc_reader = optarg;
137836d97821Schristos break;
13798dbcf02cSchristos case 's':
13808dbcf02cSchristos as_secret = optarg;
13818dbcf02cSchristos break;
13828dbcf02cSchristos case 'S':
13838dbcf02cSchristos save_config++;
13848dbcf02cSchristos break;
13858dbcf02cSchristos case 't':
13868dbcf02cSchristos timeout = atoi(optarg);
13878dbcf02cSchristos break;
1388928750b6Schristos case 'T':
1389928750b6Schristos ctrl_iface = optarg;
1390928750b6Schristos eapol_test.ctrl_iface = 1;
1391928750b6Schristos break;
1392928750b6Schristos case 'v':
1393928750b6Schristos printf("eapol_test v" VERSION_STR "\n");
1394928750b6Schristos return 0;
13958dbcf02cSchristos case 'W':
13968dbcf02cSchristos wait_for_monitor++;
13978dbcf02cSchristos break;
13988dbcf02cSchristos case 'N':
139962a52023Schristos p1 = os_zalloc(sizeof(*p1));
14008dbcf02cSchristos if (p1 == NULL)
14018dbcf02cSchristos break;
14028dbcf02cSchristos if (!p)
14038dbcf02cSchristos eapol_test.extra_attrs = p1;
14048dbcf02cSchristos else
14058dbcf02cSchristos p->next = p1;
14068dbcf02cSchristos p = p1;
14078dbcf02cSchristos
14088dbcf02cSchristos p->type = atoi(optarg);
14098dbcf02cSchristos pos = os_strchr(optarg, ':');
14108dbcf02cSchristos if (pos == NULL) {
14118dbcf02cSchristos p->syntax = 'n';
14128dbcf02cSchristos p->data = NULL;
14138dbcf02cSchristos break;
14148dbcf02cSchristos }
14158dbcf02cSchristos
14168dbcf02cSchristos pos++;
14178dbcf02cSchristos if (pos[0] == '\0' || pos[1] != ':') {
14188dbcf02cSchristos printf("Incorrect format of attribute "
14198dbcf02cSchristos "specification\n");
14208dbcf02cSchristos break;
14218dbcf02cSchristos }
14228dbcf02cSchristos
14238dbcf02cSchristos p->syntax = pos[0];
14248dbcf02cSchristos p->data = pos + 2;
14258dbcf02cSchristos break;
14268dbcf02cSchristos default:
14278dbcf02cSchristos usage();
14288dbcf02cSchristos return -1;
14298dbcf02cSchristos }
14308dbcf02cSchristos }
14318dbcf02cSchristos
14328dbcf02cSchristos if (argc > optind && os_strcmp(argv[optind], "scard") == 0) {
143336d97821Schristos return scard_test(&eapol_test);
14348dbcf02cSchristos }
14358dbcf02cSchristos
14368dbcf02cSchristos if (argc > optind && os_strcmp(argv[optind], "sim") == 0) {
143736d97821Schristos return scard_get_triplets(&eapol_test, argc - optind - 1,
14388dbcf02cSchristos &argv[optind + 1]);
14398dbcf02cSchristos }
14408dbcf02cSchristos
1441928750b6Schristos if (conf == NULL && !ctrl_iface) {
14428dbcf02cSchristos usage();
14438dbcf02cSchristos printf("Configuration file is required.\n");
14448dbcf02cSchristos return -1;
14458dbcf02cSchristos }
14468dbcf02cSchristos
14478dbcf02cSchristos if (eap_register_methods()) {
14488dbcf02cSchristos wpa_printf(MSG_ERROR, "Failed to register EAP methods");
14498dbcf02cSchristos return -1;
14508dbcf02cSchristos }
14518dbcf02cSchristos
14528dbcf02cSchristos if (eloop_init()) {
14538dbcf02cSchristos wpa_printf(MSG_ERROR, "Failed to initialize event loop");
14548dbcf02cSchristos return -1;
14558dbcf02cSchristos }
14568dbcf02cSchristos
145736d97821Schristos os_memset(&global, 0, sizeof(global));
14588dbcf02cSchristos os_memset(&wpa_s, 0, sizeof(wpa_s));
145936d97821Schristos wpa_s.global = &global;
14608dbcf02cSchristos eapol_test.wpa_s = &wpa_s;
146136d97821Schristos dl_list_init(&wpa_s.bss);
146236d97821Schristos dl_list_init(&wpa_s.bss_id);
1463928750b6Schristos if (conf)
146436d97821Schristos wpa_s.conf = wpa_config_read(conf, NULL);
1465928750b6Schristos else
1466928750b6Schristos wpa_s.conf = wpa_config_alloc_empty(ctrl_iface, NULL);
14678dbcf02cSchristos if (wpa_s.conf == NULL) {
14688dbcf02cSchristos printf("Failed to parse configuration file '%s'.\n", conf);
14698dbcf02cSchristos return -1;
14708dbcf02cSchristos }
1471928750b6Schristos if (!ctrl_iface && wpa_s.conf->ssid == NULL) {
14728dbcf02cSchristos printf("No networks defined.\n");
14738dbcf02cSchristos return -1;
14748dbcf02cSchristos }
14758dbcf02cSchristos
147636d97821Schristos if (eapol_test.pcsc_reader) {
147736d97821Schristos os_free(wpa_s.conf->pcsc_reader);
147836d97821Schristos wpa_s.conf->pcsc_reader = os_strdup(eapol_test.pcsc_reader);
147936d97821Schristos }
148036d97821Schristos
14818dbcf02cSchristos wpa_init_conf(&eapol_test, &wpa_s, as_addr, as_port, as_secret,
1482928750b6Schristos cli_addr, ifname);
14838dbcf02cSchristos wpa_s.ctrl_iface = wpa_supplicant_ctrl_iface_init(&wpa_s);
14848dbcf02cSchristos if (wpa_s.ctrl_iface == NULL) {
14858dbcf02cSchristos printf("Failed to initialize control interface '%s'.\n"
14868dbcf02cSchristos "You may have another eapol_test process already "
14878dbcf02cSchristos "running or the file was\n"
14888dbcf02cSchristos "left by an unclean termination of eapol_test in "
14898dbcf02cSchristos "which case you will need\n"
14908dbcf02cSchristos "to manually remove this file before starting "
14918dbcf02cSchristos "eapol_test again.\n",
14928dbcf02cSchristos wpa_s.conf->ctrl_interface);
14938dbcf02cSchristos return -1;
14948dbcf02cSchristos }
1495928750b6Schristos if (wpa_s.conf->ssid &&
1496928750b6Schristos wpa_supplicant_scard_init(&wpa_s, wpa_s.conf->ssid))
14978dbcf02cSchristos return -1;
14988dbcf02cSchristos
14998dbcf02cSchristos if (test_eapol(&eapol_test, &wpa_s, wpa_s.conf->ssid))
15008dbcf02cSchristos return -1;
15018dbcf02cSchristos
150262a52023Schristos if (wpas_init_ext_pw(&wpa_s) < 0)
150362a52023Schristos return -1;
150462a52023Schristos
15058dbcf02cSchristos if (wait_for_monitor)
15068dbcf02cSchristos wpa_supplicant_ctrl_iface_wait(wpa_s.ctrl_iface);
15078dbcf02cSchristos
1508928750b6Schristos if (!ctrl_iface) {
1509928750b6Schristos eloop_register_timeout(timeout, 0, eapol_test_timeout,
1510928750b6Schristos &eapol_test, NULL);
1511928750b6Schristos eloop_register_timeout(0, 0, send_eap_request_identity, &wpa_s,
15128dbcf02cSchristos NULL);
1513928750b6Schristos }
15148dbcf02cSchristos eloop_register_signal_terminate(eapol_test_terminate, &wpa_s);
15158dbcf02cSchristos eloop_register_signal_reconfig(eapol_test_terminate, &wpa_s);
15168dbcf02cSchristos eloop_run();
15178dbcf02cSchristos
15188dbcf02cSchristos eloop_cancel_timeout(eapol_test_timeout, &eapol_test, NULL);
15198dbcf02cSchristos eloop_cancel_timeout(eapol_sm_reauth, &eapol_test, NULL);
15208dbcf02cSchristos
15218dbcf02cSchristos if (eapol_test_compare_pmk(&eapol_test) == 0 ||
15228dbcf02cSchristos eapol_test.no_mppe_keys)
15238dbcf02cSchristos ret = 0;
15248dbcf02cSchristos if (eapol_test.auth_timed_out)
15258dbcf02cSchristos ret = -2;
15268dbcf02cSchristos if (eapol_test.radius_access_reject_received)
15278dbcf02cSchristos ret = -3;
15288dbcf02cSchristos
15298dbcf02cSchristos if (save_config)
15308dbcf02cSchristos wpa_config_write(conf, wpa_s.conf);
15318dbcf02cSchristos
15328dbcf02cSchristos test_eapol_clean(&eapol_test, &wpa_s);
15338dbcf02cSchristos
15348dbcf02cSchristos eap_peer_unregister_methods();
153542669be3Schristos #ifdef CONFIG_AP
153642669be3Schristos eap_server_unregister_methods();
153742669be3Schristos #endif /* CONFIG_AP */
15388dbcf02cSchristos
15398dbcf02cSchristos eloop_destroy();
15408dbcf02cSchristos
154142669be3Schristos if (eapol_test.server_cert_file)
154242669be3Schristos fclose(eapol_test.server_cert_file);
154342669be3Schristos
15448dbcf02cSchristos printf("MPPE keys OK: %d mismatch: %d\n",
15458dbcf02cSchristos eapol_test.num_mppe_ok, eapol_test.num_mppe_mismatch);
15468dbcf02cSchristos if (eapol_test.num_mppe_mismatch)
15478dbcf02cSchristos ret = -4;
15488dbcf02cSchristos if (ret)
15498dbcf02cSchristos printf("FAILURE\n");
15508dbcf02cSchristos else
15518dbcf02cSchristos printf("SUCCESS\n");
15528dbcf02cSchristos
15538dbcf02cSchristos os_program_deinit();
15548dbcf02cSchristos
15558dbcf02cSchristos return ret;
15568dbcf02cSchristos }
1557