mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2025-01-20 17:54:05 +01:00
autotest: EAP-AKA autotest
Implemented milenage algorithm in hlrauc.py. Unlike EAP-SIM, the authentication center must compute several values to give back to the server (hostapd). This was already done by IWD as the peer in EAP-AKA, but was also needed on the server side (HLR AuC).
This commit is contained in:
parent
6aaa917dde
commit
14dcda4d59
61
autotests/testEAP-AKA/connection_test.py
Normal file
61
autotests/testEAP-AKA/connection_test.py
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
#!/usr/bin/python3
|
||||||
|
|
||||||
|
import unittest
|
||||||
|
import sys
|
||||||
|
|
||||||
|
sys.path.append('../util')
|
||||||
|
import iwd
|
||||||
|
from iwd import IWD
|
||||||
|
from iwd import PSKAgent
|
||||||
|
from iwd import NetworkType
|
||||||
|
from hlrauc import AuthCenter
|
||||||
|
|
||||||
|
class Test(unittest.TestCase):
|
||||||
|
|
||||||
|
def test_connection_success(self):
|
||||||
|
auth = AuthCenter('/tmp/hlrauc.sock', '/tmp/sim.db')
|
||||||
|
|
||||||
|
wd = IWD()
|
||||||
|
|
||||||
|
devices = wd.list_devices();
|
||||||
|
self.assertIsNotNone(devices)
|
||||||
|
device = devices[0]
|
||||||
|
|
||||||
|
condition = 'not obj.scanning'
|
||||||
|
wd.wait_for_object_condition(device, condition)
|
||||||
|
|
||||||
|
device.scan()
|
||||||
|
|
||||||
|
condition = 'not obj.scanning'
|
||||||
|
wd.wait_for_object_condition(device, condition)
|
||||||
|
|
||||||
|
ordered_networks = device.get_ordered_networks()
|
||||||
|
ordered_network = ordered_networks[0]
|
||||||
|
|
||||||
|
self.assertEqual(ordered_network.name, "ssidEAP-AKA")
|
||||||
|
self.assertEqual(ordered_network.type, NetworkType.eap)
|
||||||
|
|
||||||
|
condition = 'not obj.connected'
|
||||||
|
wd.wait_for_object_condition(ordered_network.network_object, condition)
|
||||||
|
|
||||||
|
ordered_network.network_object.connect()
|
||||||
|
|
||||||
|
condition = 'obj.connected'
|
||||||
|
wd.wait_for_object_condition(ordered_network.network_object, condition)
|
||||||
|
|
||||||
|
device.disconnect()
|
||||||
|
|
||||||
|
condition = 'not obj.connected'
|
||||||
|
wd.wait_for_object_condition(ordered_network.network_object, condition)
|
||||||
|
|
||||||
|
auth.stop()
|
||||||
|
@classmethod
|
||||||
|
def setUpClass(cls):
|
||||||
|
IWD.copy_to_storage('ssidEAP-AKA.8021x')
|
||||||
|
|
||||||
|
@classmethod
|
||||||
|
def tearDownClass(cls):
|
||||||
|
IWD.clear_storage()
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
unittest.main(exit=True)
|
7
autotests/testEAP-AKA/hw.conf
Normal file
7
autotests/testEAP-AKA/hw.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
[SETUP]
|
||||||
|
num_radios=2
|
||||||
|
max_test_exec_interval_sec=40
|
||||||
|
tmpfs_extra_stuff=sim.eap_user:sim.db
|
||||||
|
|
||||||
|
[HOSTAPD]
|
||||||
|
rad0=ssidEAP-AKA.conf
|
1
autotests/testEAP-AKA/sim.db
Normal file
1
autotests/testEAP-AKA/sim.db
Normal file
@ -0,0 +1 @@
|
|||||||
|
32010000000000:90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:61df:000000000021
|
1
autotests/testEAP-AKA/sim.eap_user
Normal file
1
autotests/testEAP-AKA/sim.eap_user
Normal file
@ -0,0 +1 @@
|
|||||||
|
"abc@example.com" AKA
|
8
autotests/testEAP-AKA/ssidEAP-AKA.8021x
Normal file
8
autotests/testEAP-AKA/ssidEAP-AKA.8021x
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
[Security]
|
||||||
|
EAP-Method=AKA
|
||||||
|
EAP-Identity=abc@example.com
|
||||||
|
EAP-AKA-IMSI=032010000000000@example.com
|
||||||
|
EAP-AKA-KI=90dca4eda45b53cf0f12d7c9c3bc6a89
|
||||||
|
EAP-AKA-OPC=cb9cccc4b9258e6dca4760379fb82581
|
||||||
|
EAP-AKA-AMF=61df
|
||||||
|
EAP-AKA-SQN=000000000021
|
16
autotests/testEAP-AKA/ssidEAP-AKA.conf
Normal file
16
autotests/testEAP-AKA/ssidEAP-AKA.conf
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
hw_mode=g
|
||||||
|
channel=1
|
||||||
|
|
||||||
|
driver=nl80211
|
||||||
|
ieee8021x=1
|
||||||
|
eap_server=1
|
||||||
|
ssid=ssidEAP-AKA
|
||||||
|
eap_user_file=/tmp/sim.eap_user
|
||||||
|
eap_sim_db=unix:/tmp/hlrauc.sock
|
||||||
|
wpa=2
|
||||||
|
wpa_key_mgmt=WPA-EAP
|
||||||
|
wpa_pairwise=TKIP CCMP
|
||||||
|
rsn_pairwise=CCMP TKIP
|
||||||
|
wpa_passphrase=secret123
|
||||||
|
channel=1
|
||||||
|
eap_sim_aka_result_ind=1
|
@ -54,6 +54,116 @@ class AuthCenter:
|
|||||||
response += (' ' + data)*int(num_chals)
|
response += (' ' + data)*int(num_chals)
|
||||||
|
|
||||||
return response
|
return response
|
||||||
|
elif data[:12] == "AKA-REQ-AUTH":
|
||||||
|
# AKA requests must compute the milenage parameters for the IMSI
|
||||||
|
imsi = data.split(' ')[1]
|
||||||
|
data = self._database[imsi]
|
||||||
|
|
||||||
|
k, opc, amf, sqn = data.split(':')
|
||||||
|
|
||||||
|
rand = self._bytetostring(os.urandom(16))
|
||||||
|
|
||||||
|
response = "AKA-RESP-AUTH %s " % imsi
|
||||||
|
|
||||||
|
return response + self._get_milenage(opc, k, rand, sqn, amf)
|
||||||
|
|
||||||
|
def _bytetostring(self, b):
|
||||||
|
return ''.join(format(x, '02x') for x in b)
|
||||||
|
|
||||||
|
def _xor(self, a, b):
|
||||||
|
ret = bytearray(16)
|
||||||
|
for i in range(len(a)):
|
||||||
|
ret[i] = a[i] ^ b[i]
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def _get_milenage(self, opc, k, rand, sqn, amf):
|
||||||
|
'''
|
||||||
|
Computes milenage values from OPc, K, RAND, SQN and AMF
|
||||||
|
Returns a concatenated list (RAND + AUTN + IK + CK + RES) that
|
||||||
|
will be sent back as the response to the client (hostapd). This
|
||||||
|
is a python re-write of the function eap_aka_get_milenage() from
|
||||||
|
src/simutil.c
|
||||||
|
'''
|
||||||
|
opc = bytearray.fromhex(opc)
|
||||||
|
k = bytearray.fromhex(k)
|
||||||
|
# rand gets returned, so it should be left as a hex string
|
||||||
|
_rand = bytearray.fromhex(rand)
|
||||||
|
sqn = bytearray.fromhex(sqn)
|
||||||
|
amf = bytearray.fromhex(amf)
|
||||||
|
|
||||||
|
aes1 = AES.new(bytes(k), AES.MODE_ECB)
|
||||||
|
tmp1 = self._xor(_rand, opc)
|
||||||
|
tmp1 = aes1.encrypt(bytes(tmp1))
|
||||||
|
tmp1 = bytearray(tmp1)
|
||||||
|
|
||||||
|
tmp2 = bytearray()
|
||||||
|
tmp2[0:6] = sqn
|
||||||
|
tmp2[6:2] = amf
|
||||||
|
tmp2[9:6] = sqn
|
||||||
|
tmp2[15:2] = amf
|
||||||
|
|
||||||
|
tmp3 = bytearray(16)
|
||||||
|
for i in range(len(tmp1)):
|
||||||
|
tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i]
|
||||||
|
|
||||||
|
tmp3 = self._xor(tmp3, tmp1)
|
||||||
|
|
||||||
|
aes2 = AES.new(bytes(k), AES.MODE_ECB)
|
||||||
|
tmp1 = aes2.encrypt(bytes(tmp3))
|
||||||
|
tmp1 = bytearray(tmp1)
|
||||||
|
|
||||||
|
tmp1 = self._xor(tmp1, opc)
|
||||||
|
maca = self._bytetostring(tmp1)
|
||||||
|
|
||||||
|
tmp1 = self._xor(_rand, opc)
|
||||||
|
aes3 = AES.new(bytes(k), AES.MODE_ECB)
|
||||||
|
tmp2 = aes3.encrypt(bytes(tmp1))
|
||||||
|
tmp2 = bytearray(tmp2)
|
||||||
|
|
||||||
|
tmp1 = self._xor(tmp2, opc)
|
||||||
|
tmp1[15] ^= 1
|
||||||
|
|
||||||
|
aes4 = AES.new(bytes(k), AES.MODE_ECB)
|
||||||
|
tmp3 = aes4.encrypt(bytes(tmp1))
|
||||||
|
tmp3 = bytearray(tmp3)
|
||||||
|
|
||||||
|
tmp3 = self._xor(tmp3, opc)
|
||||||
|
|
||||||
|
res = self._bytetostring(tmp3[8:16])
|
||||||
|
ak = self._bytetostring(tmp3[0:6])
|
||||||
|
|
||||||
|
for i in range(len(tmp1)):
|
||||||
|
tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i]
|
||||||
|
|
||||||
|
tmp1[15] ^= 1 << 1
|
||||||
|
aes5 = AES.new(bytes(k), AES.MODE_ECB)
|
||||||
|
tmp1 = aes5.encrypt(bytes(tmp1))
|
||||||
|
tmp1 = bytearray(tmp1)
|
||||||
|
|
||||||
|
tmp1 = self._xor(tmp1, opc)
|
||||||
|
ck = self._bytetostring(tmp1)
|
||||||
|
|
||||||
|
for i in range(len(tmp1)):
|
||||||
|
tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i]
|
||||||
|
|
||||||
|
tmp1[15] ^= 1 << 2
|
||||||
|
aes6 = AES.new(bytes(k), AES.MODE_ECB)
|
||||||
|
tmp1 = aes6.encrypt(bytes(tmp1))
|
||||||
|
tmp1 = bytearray(tmp1)
|
||||||
|
tmp1 = self._xor(tmp1, opc)
|
||||||
|
ik = self._bytetostring(tmp1)
|
||||||
|
|
||||||
|
tmp1 = bytearray.fromhex(ak)
|
||||||
|
autn = bytearray(6)
|
||||||
|
for i in range(0, 6):
|
||||||
|
autn[i] = sqn[i] ^ tmp1[i]
|
||||||
|
|
||||||
|
autn[6:2] = amf
|
||||||
|
autn[8:8] = bytearray.fromhex(maca)[0:8]
|
||||||
|
|
||||||
|
autn = self._bytetostring(autn)
|
||||||
|
|
||||||
|
return rand + ' ' + autn + ' ' + ik + ' ' + ck + ' ' + res
|
||||||
|
|
||||||
def stop(self):
|
def stop(self):
|
||||||
'''
|
'''
|
||||||
|
Loading…
Reference in New Issue
Block a user