mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-29 02:38:22 -05:00
732b57acb4
Use a non-existing directory in the path to avoid SQLite from being able to create a new database file. The previous design worked in the VM case due to the host file system being read-only, but a bit more is needed for the case when this is running on the host. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
265 lines
12 KiB
Python
265 lines
12 KiB
Python
# hostapd authentication server tests
|
|
# Copyright (c) 2017, Jouni Malinen
|
|
#
|
|
# This software may be distributed under the terms of the BSD license.
|
|
# See README for more details.
|
|
|
|
import hostapd
|
|
from utils import alloc_fail, fail_test, wait_fail_trigger
|
|
|
|
def authsrv_params():
|
|
params = { "ssid": "as", "beacon_int": "2000",
|
|
"radius_server_clients": "auth_serv/radius_clients.conf",
|
|
"radius_server_auth_port": '18128',
|
|
"eap_server": "1",
|
|
"eap_user_file": "auth_serv/eap_user.conf",
|
|
"eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
|
|
"ca_cert": "auth_serv/ca.pem",
|
|
"server_cert": "auth_serv/server.pem",
|
|
"private_key": "auth_serv/server.key",
|
|
"eap_message": "hello" }
|
|
return params;
|
|
|
|
def test_authsrv_oom(dev, apdev):
|
|
"""Authentication server OOM"""
|
|
params = authsrv_params()
|
|
authsrv = hostapd.add_ap(apdev[1], params)
|
|
|
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
|
params['auth_server_port'] = "18128"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].scan_for_bss(hapd.own_addr(), 2412)
|
|
with alloc_fail(authsrv, 1, "hostapd_radius_get_eap_user"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("EAP failure not reported")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
dev[0].dump_monitor()
|
|
|
|
with alloc_fail(authsrv, 1, "srv_log"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
scan_freq="2412")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
dev[0].dump_monitor()
|
|
|
|
with alloc_fail(authsrv, 1, "radius_server_new_session"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
dev[0].wait_disconnected()
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].dump_monitor()
|
|
|
|
for count in range(1, 3):
|
|
with alloc_fail(authsrv, count, "=radius_server_get_new_session"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
dev[0].wait_disconnected()
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].dump_monitor()
|
|
|
|
with alloc_fail(authsrv, 1, "eap_server_sm_init"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
dev[0].wait_disconnected()
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].dump_monitor()
|
|
|
|
tests = [ "radius_server_encapsulate_eap",
|
|
"radius_server_receive_auth" ]
|
|
for t in tests:
|
|
with alloc_fail(authsrv, 1, t):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
wait_fail_trigger(authsrv, "GET_ALLOC_FAIL")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
dev[0].dump_monitor()
|
|
|
|
tests = [ "radius_msg_add_attr;radius_server_encapsulate_eap",
|
|
"radius_msg_add_eap;radius_server_encapsulate_eap",
|
|
"radius_msg_finish_srv;radius_server_encapsulate_eap" ]
|
|
for t in tests:
|
|
with fail_test(authsrv, 1, t):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
wait_fail_trigger(authsrv, "GET_FAIL")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
dev[0].dump_monitor()
|
|
|
|
with alloc_fail(authsrv, 1, "radius_server_get_new_session"):
|
|
with fail_test(authsrv, 1, "radius_msg_add_eap;radius_server_reject"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
wait_fail_trigger(authsrv, "GET_FAIL")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
dev[0].dump_monitor()
|
|
|
|
with alloc_fail(authsrv, 1, "radius_server_get_new_session"):
|
|
with fail_test(authsrv, 1,
|
|
"radius_msg_finish_srv;radius_server_reject"):
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
wait_fail_trigger(authsrv, "GET_FAIL")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
dev[0].dump_monitor()
|
|
|
|
authsrv.disable()
|
|
with alloc_fail(authsrv, 1, "radius_server_init;hostapd_setup_radius_srv"):
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded during OOM")
|
|
with alloc_fail(authsrv, 2, "radius_server_init;hostapd_setup_radius_srv"):
|
|
authsrv.request("ENABLE")
|
|
# This is actually allowed to continue even though memory allocation
|
|
# fails.
|
|
authsrv.disable()
|
|
|
|
for count in range(1, 4):
|
|
with alloc_fail(authsrv, count,
|
|
"radius_server_read_clients;radius_server_init;hostapd_setup_radius_srv"):
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded during OOM")
|
|
|
|
with alloc_fail(authsrv, 1, "eloop_sock_table_add_sock;radius_server_init;hostapd_setup_radius_srv"):
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded during OOM")
|
|
|
|
with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded during OOM")
|
|
|
|
for count in range(1, 3):
|
|
with alloc_fail(authsrv, count, "eap_sim_db_init;authsrv_init"):
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded during OOM")
|
|
|
|
def test_authsrv_errors_1(dev, apdev):
|
|
"""Authentication server errors (1)"""
|
|
params = authsrv_params()
|
|
params["eap_user_file"] = "sqlite:auth_serv/does-not-exist/does-not-exist"
|
|
authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded with invalid SQLite EAP user file")
|
|
|
|
def test_authsrv_errors_2(dev, apdev):
|
|
"""Authentication server errors (2)"""
|
|
params = authsrv_params()
|
|
params["radius_server_clients"] = "auth_serv/does-not-exist"
|
|
authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded with invalid RADIUS client file")
|
|
|
|
def test_authsrv_errors_3(dev, apdev):
|
|
"""Authentication server errors (3)"""
|
|
params = authsrv_params()
|
|
params["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock db=auth_serv/does-not-exist/does-not-exist"
|
|
authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
|
|
if "FAIL" not in authsrv.request("ENABLE"):
|
|
raise Exception("ENABLE succeeded with invalid RADIUS client file")
|
|
|
|
def test_authsrv_testing_options(dev, apdev):
|
|
"""Authentication server and testing options"""
|
|
params = authsrv_params()
|
|
authsrv = hostapd.add_ap(apdev[1], params)
|
|
|
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
|
params['auth_server_port'] = "18128"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].scan_for_bss(hapd.own_addr(), 2412)
|
|
# The first two would be fine to run with any server build; the rest are
|
|
# actually supposed to fail, but they don't fail when using a server build
|
|
# that does not support the TLS protocol tests.
|
|
tests = [ "foo@test-unknown",
|
|
"foo@test-tls-unknown",
|
|
"foo@test-tls-1",
|
|
"foo@test-tls-2",
|
|
"foo@test-tls-3",
|
|
"foo@test-tls-4",
|
|
"foo@test-tls-5",
|
|
"foo@test-tls-6",
|
|
"foo@test-tls-7",
|
|
"foo@test-tls-8" ]
|
|
for t in tests:
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity=t,
|
|
password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
scan_freq="2412")
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
dev[0].wait_disconnected()
|
|
|
|
def test_authsrv_unknown_user(dev, apdev):
|
|
"""Authentication server and unknown user"""
|
|
params = authsrv_params()
|
|
params["eap_user_file"] = "auth_serv/eap_user_vlan.conf"
|
|
authsrv = hostapd.add_ap(apdev[1], params)
|
|
|
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
|
params['auth_server_port'] = "18128"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
dev[0].wait_disconnected()
|
|
dev[0].request("REMOVE_NETWORK all")
|
|
|
|
def test_authsrv_unknown_client(dev, apdev):
|
|
"""Authentication server and unknown user"""
|
|
params = authsrv_params()
|
|
params["radius_server_clients"] = "auth_serv/radius_clients_none.conf"
|
|
authsrv = hostapd.add_ap(apdev[1], params)
|
|
|
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
|
params['auth_server_port'] = "18128"
|
|
hapd = hostapd.add_ap(apdev[0], params)
|
|
|
|
# RADIUS SRV: Unknown client 127.0.0.1 - packet ignored
|
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
|
eap="TTLS", identity="user",
|
|
anonymous_identity="ttls", password="password",
|
|
ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
|
|
wait_connect=False, scan_freq="2412")
|
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
|
if ev is None:
|
|
raise Exception("EAP not started")
|
|
dev[0].request("REMOVE_NETWORK all")
|