xref: /freebsd/contrib/wpa/wpa_supplicant/eapol_test.c (revision bb15ca603fa442c72dde3f3cb8b46db6970e3950)
1 /*
2  * WPA Supplicant - test code
3  * Copyright (c) 2003-2007, Jouni Malinen <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  *
14  * IEEE 802.1X Supplicant test code (to be used in place of wpa_supplicant.c.
15  * Not used in production version.
16  */
17 
18 #include "includes.h"
19 #include <assert.h>
20 
21 #include "common.h"
22 #include "config.h"
23 #include "eapol_supp/eapol_supp_sm.h"
24 #include "eap_peer/eap.h"
25 #include "eloop.h"
26 #include "rsn_supp/wpa.h"
27 #include "eap_peer/eap_i.h"
28 #include "wpa_supplicant_i.h"
29 #include "radius/radius.h"
30 #include "radius/radius_client.h"
31 #include "ctrl_iface.h"
32 #include "pcsc_funcs.h"
33 
34 
35 extern int wpa_debug_level;
36 extern int wpa_debug_show_keys;
37 
38 struct wpa_driver_ops *wpa_drivers[] = { NULL };
39 
40 
41 struct extra_radius_attr {
42 	u8 type;
43 	char syntax;
44 	char *data;
45 	struct extra_radius_attr *next;
46 };
47 
48 struct eapol_test_data {
49 	struct wpa_supplicant *wpa_s;
50 
51 	int eapol_test_num_reauths;
52 	int no_mppe_keys;
53 	int num_mppe_ok, num_mppe_mismatch;
54 
55 	u8 radius_identifier;
56 	struct radius_msg *last_recv_radius;
57 	struct in_addr own_ip_addr;
58 	struct radius_client_data *radius;
59 	struct hostapd_radius_servers *radius_conf;
60 
61 	u8 *last_eap_radius; /* last received EAP Response from Authentication
62 			      * Server */
63 	size_t last_eap_radius_len;
64 
65 	u8 authenticator_pmk[PMK_LEN];
66 	size_t authenticator_pmk_len;
67 	int radius_access_accept_received;
68 	int radius_access_reject_received;
69 	int auth_timed_out;
70 
71 	u8 *eap_identity;
72 	size_t eap_identity_len;
73 
74 	char *connect_info;
75 	u8 own_addr[ETH_ALEN];
76 	struct extra_radius_attr *extra_attrs;
77 };
78 
79 static struct eapol_test_data eapol_test;
80 
81 
82 static void send_eap_request_identity(void *eloop_ctx, void *timeout_ctx);
83 
84 
85 static void hostapd_logger_cb(void *ctx, const u8 *addr, unsigned int module,
86 			      int level, const char *txt, size_t len)
87 {
88 	if (addr)
89 		wpa_printf(MSG_DEBUG, "STA " MACSTR ": %s\n",
90 			   MAC2STR(addr), txt);
91 	else
92 		wpa_printf(MSG_DEBUG, "%s", txt);
93 }
94 
95 
96 static int add_extra_attr(struct radius_msg *msg,
97 			  struct extra_radius_attr *attr)
98 {
99 	size_t len;
100 	char *pos;
101 	u32 val;
102 	char buf[128];
103 
104 	switch (attr->syntax) {
105 	case 's':
106 		os_snprintf(buf, sizeof(buf), "%s", attr->data);
107 		len = os_strlen(buf);
108 		break;
109 	case 'n':
110 		buf[0] = '\0';
111 		len = 1;
112 		break;
113 	case 'x':
114 		pos = attr->data;
115 		if (pos[0] == '0' && pos[1] == 'x')
116 			pos += 2;
117 		len = os_strlen(pos);
118 		if ((len & 1) || (len / 2) > sizeof(buf)) {
119 			printf("Invalid extra attribute hexstring\n");
120 			return -1;
121 		}
122 		len /= 2;
123 		if (hexstr2bin(pos, (u8 *) buf, len) < 0) {
124 			printf("Invalid extra attribute hexstring\n");
125 			return -1;
126 		}
127 		break;
128 	case 'd':
129 		val = htonl(atoi(attr->data));
130 		os_memcpy(buf, &val, 4);
131 		len = 4;
132 		break;
133 	default:
134 		printf("Incorrect extra attribute syntax specification\n");
135 		return -1;
136 	}
137 
138 	if (!radius_msg_add_attr(msg, attr->type, (u8 *) buf, len)) {
139 		printf("Could not add attribute %d\n", attr->type);
140 		return -1;
141 	}
142 
143 	return 0;
144 }
145 
146 
147 static int add_extra_attrs(struct radius_msg *msg,
148 			   struct extra_radius_attr *attrs)
149 {
150 	struct extra_radius_attr *p;
151 	for (p = attrs; p; p = p->next) {
152 		if (add_extra_attr(msg, p) < 0)
153 			return -1;
154 	}
155 	return 0;
156 }
157 
158 
159 static struct extra_radius_attr *
160 find_extra_attr(struct extra_radius_attr *attrs, u8 type)
161 {
162 	struct extra_radius_attr *p;
163 	for (p = attrs; p; p = p->next) {
164 		if (p->type == type)
165 			return p;
166 	}
167 	return NULL;
168 }
169 
170 
171 static void ieee802_1x_encapsulate_radius(struct eapol_test_data *e,
172 					  const u8 *eap, size_t len)
173 {
174 	struct radius_msg *msg;
175 	char buf[128];
176 	const struct eap_hdr *hdr;
177 	const u8 *pos;
178 
179 	wpa_printf(MSG_DEBUG, "Encapsulating EAP message into a RADIUS "
180 		   "packet");
181 
182 	e->radius_identifier = radius_client_get_id(e->radius);
183 	msg = radius_msg_new(RADIUS_CODE_ACCESS_REQUEST,
184 			     e->radius_identifier);
185 	if (msg == NULL) {
186 		printf("Could not create net RADIUS packet\n");
187 		return;
188 	}
189 
190 	radius_msg_make_authenticator(msg, (u8 *) e, sizeof(*e));
191 
192 	hdr = (const struct eap_hdr *) eap;
193 	pos = (const u8 *) (hdr + 1);
194 	if (len > sizeof(*hdr) && hdr->code == EAP_CODE_RESPONSE &&
195 	    pos[0] == EAP_TYPE_IDENTITY) {
196 		pos++;
197 		os_free(e->eap_identity);
198 		e->eap_identity_len = len - sizeof(*hdr) - 1;
199 		e->eap_identity = os_malloc(e->eap_identity_len);
200 		if (e->eap_identity) {
201 			os_memcpy(e->eap_identity, pos, e->eap_identity_len);
202 			wpa_hexdump(MSG_DEBUG, "Learned identity from "
203 				    "EAP-Response-Identity",
204 				    e->eap_identity, e->eap_identity_len);
205 		}
206 	}
207 
208 	if (e->eap_identity &&
209 	    !radius_msg_add_attr(msg, RADIUS_ATTR_USER_NAME,
210 				 e->eap_identity, e->eap_identity_len)) {
211 		printf("Could not add User-Name\n");
212 		goto fail;
213 	}
214 
215 	if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_IP_ADDRESS) &&
216 	    !radius_msg_add_attr(msg, RADIUS_ATTR_NAS_IP_ADDRESS,
217 				 (u8 *) &e->own_ip_addr, 4)) {
218 		printf("Could not add NAS-IP-Address\n");
219 		goto fail;
220 	}
221 
222 	os_snprintf(buf, sizeof(buf), RADIUS_802_1X_ADDR_FORMAT,
223 		    MAC2STR(e->wpa_s->own_addr));
224 	if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_CALLING_STATION_ID)
225 	    &&
226 	    !radius_msg_add_attr(msg, RADIUS_ATTR_CALLING_STATION_ID,
227 				 (u8 *) buf, os_strlen(buf))) {
228 		printf("Could not add Calling-Station-Id\n");
229 		goto fail;
230 	}
231 
232 	/* TODO: should probably check MTU from driver config; 2304 is max for
233 	 * IEEE 802.11, but use 1400 to avoid problems with too large packets
234 	 */
235 	if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_FRAMED_MTU) &&
236 	    !radius_msg_add_attr_int32(msg, RADIUS_ATTR_FRAMED_MTU, 1400)) {
237 		printf("Could not add Framed-MTU\n");
238 		goto fail;
239 	}
240 
241 	if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_NAS_PORT_TYPE) &&
242 	    !radius_msg_add_attr_int32(msg, RADIUS_ATTR_NAS_PORT_TYPE,
243 				       RADIUS_NAS_PORT_TYPE_IEEE_802_11)) {
244 		printf("Could not add NAS-Port-Type\n");
245 		goto fail;
246 	}
247 
248 	os_snprintf(buf, sizeof(buf), "%s", e->connect_info);
249 	if (!find_extra_attr(e->extra_attrs, RADIUS_ATTR_CONNECT_INFO) &&
250 	    !radius_msg_add_attr(msg, RADIUS_ATTR_CONNECT_INFO,
251 				 (u8 *) buf, os_strlen(buf))) {
252 		printf("Could not add Connect-Info\n");
253 		goto fail;
254 	}
255 
256 	if (add_extra_attrs(msg, e->extra_attrs) < 0)
257 		goto fail;
258 
259 	if (eap && !radius_msg_add_eap(msg, eap, len)) {
260 		printf("Could not add EAP-Message\n");
261 		goto fail;
262 	}
263 
264 	/* State attribute must be copied if and only if this packet is
265 	 * Access-Request reply to the previous Access-Challenge */
266 	if (e->last_recv_radius &&
267 	    radius_msg_get_hdr(e->last_recv_radius)->code ==
268 	    RADIUS_CODE_ACCESS_CHALLENGE) {
269 		int res = radius_msg_copy_attr(msg, e->last_recv_radius,
270 					       RADIUS_ATTR_STATE);
271 		if (res < 0) {
272 			printf("Could not copy State attribute from previous "
273 			       "Access-Challenge\n");
274 			goto fail;
275 		}
276 		if (res > 0) {
277 			wpa_printf(MSG_DEBUG, "  Copied RADIUS State "
278 				   "Attribute");
279 		}
280 	}
281 
282 	radius_client_send(e->radius, msg, RADIUS_AUTH, e->wpa_s->own_addr);
283 	return;
284 
285  fail:
286 	radius_msg_free(msg);
287 }
288 
289 
290 static int eapol_test_eapol_send(void *ctx, int type, const u8 *buf,
291 				 size_t len)
292 {
293 	/* struct wpa_supplicant *wpa_s = ctx; */
294 	printf("WPA: eapol_test_eapol_send(type=%d len=%lu)\n",
295 	       type, (unsigned long) len);
296 	if (type == IEEE802_1X_TYPE_EAP_PACKET) {
297 		wpa_hexdump(MSG_DEBUG, "TX EAP -> RADIUS", buf, len);
298 		ieee802_1x_encapsulate_radius(&eapol_test, buf, len);
299 	}
300 	return 0;
301 }
302 
303 
304 static void eapol_test_set_config_blob(void *ctx,
305 				       struct wpa_config_blob *blob)
306 {
307 	struct wpa_supplicant *wpa_s = ctx;
308 	wpa_config_set_blob(wpa_s->conf, blob);
309 }
310 
311 
312 static const struct wpa_config_blob *
313 eapol_test_get_config_blob(void *ctx, const char *name)
314 {
315 	struct wpa_supplicant *wpa_s = ctx;
316 	return wpa_config_get_blob(wpa_s->conf, name);
317 }
318 
319 
320 static void eapol_test_eapol_done_cb(void *ctx)
321 {
322 	printf("WPA: EAPOL processing complete\n");
323 }
324 
325 
326 static void eapol_sm_reauth(void *eloop_ctx, void *timeout_ctx)
327 {
328 	struct eapol_test_data *e = eloop_ctx;
329 	printf("\n\n\n\n\neapol_test: Triggering EAP reauthentication\n\n");
330 	e->radius_access_accept_received = 0;
331 	send_eap_request_identity(e->wpa_s, NULL);
332 }
333 
334 
335 static int eapol_test_compare_pmk(struct eapol_test_data *e)
336 {
337 	u8 pmk[PMK_LEN];
338 	int ret = 1;
339 
340 	if (eapol_sm_get_key(e->wpa_s->eapol, pmk, PMK_LEN) == 0) {
341 		wpa_hexdump(MSG_DEBUG, "PMK from EAPOL", pmk, PMK_LEN);
342 		if (os_memcmp(pmk, e->authenticator_pmk, PMK_LEN) != 0) {
343 			printf("WARNING: PMK mismatch\n");
344 			wpa_hexdump(MSG_DEBUG, "PMK from AS",
345 				    e->authenticator_pmk, PMK_LEN);
346 		} else if (e->radius_access_accept_received)
347 			ret = 0;
348 	} else if (e->authenticator_pmk_len == 16 &&
349 		   eapol_sm_get_key(e->wpa_s->eapol, pmk, 16) == 0) {
350 		wpa_hexdump(MSG_DEBUG, "LEAP PMK from EAPOL", pmk, 16);
351 		if (os_memcmp(pmk, e->authenticator_pmk, 16) != 0) {
352 			printf("WARNING: PMK mismatch\n");
353 			wpa_hexdump(MSG_DEBUG, "PMK from AS",
354 				    e->authenticator_pmk, 16);
355 		} else if (e->radius_access_accept_received)
356 			ret = 0;
357 	} else if (e->radius_access_accept_received && e->no_mppe_keys) {
358 		/* No keying material expected */
359 		ret = 0;
360 	}
361 
362 	if (ret && !e->no_mppe_keys)
363 		e->num_mppe_mismatch++;
364 	else if (!e->no_mppe_keys)
365 		e->num_mppe_ok++;
366 
367 	return ret;
368 }
369 
370 
371 static void eapol_sm_cb(struct eapol_sm *eapol, int success, void *ctx)
372 {
373 	struct eapol_test_data *e = ctx;
374 	printf("eapol_sm_cb: success=%d\n", success);
375 	e->eapol_test_num_reauths--;
376 	if (e->eapol_test_num_reauths < 0)
377 		eloop_terminate();
378 	else {
379 		eapol_test_compare_pmk(e);
380 		eloop_register_timeout(0, 100000, eapol_sm_reauth, e, NULL);
381 	}
382 }
383 
384 
385 static int test_eapol(struct eapol_test_data *e, struct wpa_supplicant *wpa_s,
386 		      struct wpa_ssid *ssid)
387 {
388 	struct eapol_config eapol_conf;
389 	struct eapol_ctx *ctx;
390 
391 	ctx = os_zalloc(sizeof(*ctx));
392 	if (ctx == NULL) {
393 		printf("Failed to allocate EAPOL context.\n");
394 		return -1;
395 	}
396 	ctx->ctx = wpa_s;
397 	ctx->msg_ctx = wpa_s;
398 	ctx->scard_ctx = wpa_s->scard;
399 	ctx->cb = eapol_sm_cb;
400 	ctx->cb_ctx = e;
401 	ctx->eapol_send_ctx = wpa_s;
402 	ctx->preauth = 0;
403 	ctx->eapol_done_cb = eapol_test_eapol_done_cb;
404 	ctx->eapol_send = eapol_test_eapol_send;
405 	ctx->set_config_blob = eapol_test_set_config_blob;
406 	ctx->get_config_blob = eapol_test_get_config_blob;
407 	ctx->opensc_engine_path = wpa_s->conf->opensc_engine_path;
408 	ctx->pkcs11_engine_path = wpa_s->conf->pkcs11_engine_path;
409 	ctx->pkcs11_module_path = wpa_s->conf->pkcs11_module_path;
410 
411 	wpa_s->eapol = eapol_sm_init(ctx);
412 	if (wpa_s->eapol == NULL) {
413 		os_free(ctx);
414 		printf("Failed to initialize EAPOL state machines.\n");
415 		return -1;
416 	}
417 
418 	wpa_s->current_ssid = ssid;
419 	os_memset(&eapol_conf, 0, sizeof(eapol_conf));
420 	eapol_conf.accept_802_1x_keys = 1;
421 	eapol_conf.required_keys = 0;
422 	eapol_conf.fast_reauth = wpa_s->conf->fast_reauth;
423 	eapol_conf.workaround = ssid->eap_workaround;
424 	eapol_sm_notify_config(wpa_s->eapol, &ssid->eap, &eapol_conf);
425 	eapol_sm_register_scard_ctx(wpa_s->eapol, wpa_s->scard);
426 
427 
428 	eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
429 	/* 802.1X::portControl = Auto */
430 	eapol_sm_notify_portEnabled(wpa_s->eapol, TRUE);
431 
432 	return 0;
433 }
434 
435 
436 static void test_eapol_clean(struct eapol_test_data *e,
437 			     struct wpa_supplicant *wpa_s)
438 {
439 	struct extra_radius_attr *p, *prev;
440 
441 	radius_client_deinit(e->radius);
442 	os_free(e->last_eap_radius);
443 	radius_msg_free(e->last_recv_radius);
444 	e->last_recv_radius = NULL;
445 	os_free(e->eap_identity);
446 	e->eap_identity = NULL;
447 	eapol_sm_deinit(wpa_s->eapol);
448 	wpa_s->eapol = NULL;
449 	if (e->radius_conf && e->radius_conf->auth_server) {
450 		os_free(e->radius_conf->auth_server->shared_secret);
451 		os_free(e->radius_conf->auth_server);
452 	}
453 	os_free(e->radius_conf);
454 	e->radius_conf = NULL;
455 	scard_deinit(wpa_s->scard);
456 	if (wpa_s->ctrl_iface) {
457 		wpa_supplicant_ctrl_iface_deinit(wpa_s->ctrl_iface);
458 		wpa_s->ctrl_iface = NULL;
459 	}
460 	wpa_config_free(wpa_s->conf);
461 
462 	p = e->extra_attrs;
463 	while (p) {
464 		prev = p;
465 		p = p->next;
466 		os_free(prev);
467 	}
468 }
469 
470 
471 static void send_eap_request_identity(void *eloop_ctx, void *timeout_ctx)
472 {
473 	struct wpa_supplicant *wpa_s = eloop_ctx;
474 	u8 buf[100], *pos;
475 	struct ieee802_1x_hdr *hdr;
476 	struct eap_hdr *eap;
477 
478 	hdr = (struct ieee802_1x_hdr *) buf;
479 	hdr->version = EAPOL_VERSION;
480 	hdr->type = IEEE802_1X_TYPE_EAP_PACKET;
481 	hdr->length = htons(5);
482 
483 	eap = (struct eap_hdr *) (hdr + 1);
484 	eap->code = EAP_CODE_REQUEST;
485 	eap->identifier = 0;
486 	eap->length = htons(5);
487 	pos = (u8 *) (eap + 1);
488 	*pos = EAP_TYPE_IDENTITY;
489 
490 	printf("Sending fake EAP-Request-Identity\n");
491 	eapol_sm_rx_eapol(wpa_s->eapol, wpa_s->bssid, buf,
492 			  sizeof(*hdr) + 5);
493 }
494 
495 
496 static void eapol_test_timeout(void *eloop_ctx, void *timeout_ctx)
497 {
498 	struct eapol_test_data *e = eloop_ctx;
499 	printf("EAPOL test timed out\n");
500 	e->auth_timed_out = 1;
501 	eloop_terminate();
502 }
503 
504 
505 static char *eap_type_text(u8 type)
506 {
507 	switch (type) {
508 	case EAP_TYPE_IDENTITY: return "Identity";
509 	case EAP_TYPE_NOTIFICATION: return "Notification";
510 	case EAP_TYPE_NAK: return "Nak";
511 	case EAP_TYPE_TLS: return "TLS";
512 	case EAP_TYPE_TTLS: return "TTLS";
513 	case EAP_TYPE_PEAP: return "PEAP";
514 	case EAP_TYPE_SIM: return "SIM";
515 	case EAP_TYPE_GTC: return "GTC";
516 	case EAP_TYPE_MD5: return "MD5";
517 	case EAP_TYPE_OTP: return "OTP";
518 	case EAP_TYPE_FAST: return "FAST";
519 	case EAP_TYPE_SAKE: return "SAKE";
520 	case EAP_TYPE_PSK: return "PSK";
521 	default: return "Unknown";
522 	}
523 }
524 
525 
526 static void ieee802_1x_decapsulate_radius(struct eapol_test_data *e)
527 {
528 	u8 *eap;
529 	size_t len;
530 	struct eap_hdr *hdr;
531 	int eap_type = -1;
532 	char buf[64];
533 	struct radius_msg *msg;
534 
535 	if (e->last_recv_radius == NULL)
536 		return;
537 
538 	msg = e->last_recv_radius;
539 
540 	eap = radius_msg_get_eap(msg, &len);
541 	if (eap == NULL) {
542 		/* draft-aboba-radius-rfc2869bis-20.txt, Chap. 2.6.3:
543 		 * RADIUS server SHOULD NOT send Access-Reject/no EAP-Message
544 		 * attribute */
545 		wpa_printf(MSG_DEBUG, "could not extract "
546 			       "EAP-Message from RADIUS message");
547 		os_free(e->last_eap_radius);
548 		e->last_eap_radius = NULL;
549 		e->last_eap_radius_len = 0;
550 		return;
551 	}
552 
553 	if (len < sizeof(*hdr)) {
554 		wpa_printf(MSG_DEBUG, "too short EAP packet "
555 			       "received from authentication server");
556 		os_free(eap);
557 		return;
558 	}
559 
560 	if (len > sizeof(*hdr))
561 		eap_type = eap[sizeof(*hdr)];
562 
563 	hdr = (struct eap_hdr *) eap;
564 	switch (hdr->code) {
565 	case EAP_CODE_REQUEST:
566 		os_snprintf(buf, sizeof(buf), "EAP-Request-%s (%d)",
567 			    eap_type >= 0 ? eap_type_text(eap_type) : "??",
568 			    eap_type);
569 		break;
570 	case EAP_CODE_RESPONSE:
571 		os_snprintf(buf, sizeof(buf), "EAP Response-%s (%d)",
572 			    eap_type >= 0 ? eap_type_text(eap_type) : "??",
573 			    eap_type);
574 		break;
575 	case EAP_CODE_SUCCESS:
576 		os_strlcpy(buf, "EAP Success", sizeof(buf));
577 		/* LEAP uses EAP Success within an authentication, so must not
578 		 * stop here with eloop_terminate(); */
579 		break;
580 	case EAP_CODE_FAILURE:
581 		os_strlcpy(buf, "EAP Failure", sizeof(buf));
582 		eloop_terminate();
583 		break;
584 	default:
585 		os_strlcpy(buf, "unknown EAP code", sizeof(buf));
586 		wpa_hexdump(MSG_DEBUG, "Decapsulated EAP packet", eap, len);
587 		break;
588 	}
589 	wpa_printf(MSG_DEBUG, "decapsulated EAP packet (code=%d "
590 		       "id=%d len=%d) from RADIUS server: %s",
591 		      hdr->code, hdr->identifier, ntohs(hdr->length), buf);
592 
593 	/* sta->eapol_sm->be_auth.idFromServer = hdr->identifier; */
594 
595 	os_free(e->last_eap_radius);
596 	e->last_eap_radius = eap;
597 	e->last_eap_radius_len = len;
598 
599 	{
600 		struct ieee802_1x_hdr *dot1x;
601 		dot1x = os_malloc(sizeof(*dot1x) + len);
602 		assert(dot1x != NULL);
603 		dot1x->version = EAPOL_VERSION;
604 		dot1x->type = IEEE802_1X_TYPE_EAP_PACKET;
605 		dot1x->length = htons(len);
606 		os_memcpy((u8 *) (dot1x + 1), eap, len);
607 		eapol_sm_rx_eapol(e->wpa_s->eapol, e->wpa_s->bssid,
608 				  (u8 *) dot1x, sizeof(*dot1x) + len);
609 		os_free(dot1x);
610 	}
611 }
612 
613 
614 static void ieee802_1x_get_keys(struct eapol_test_data *e,
615 				struct radius_msg *msg, struct radius_msg *req,
616 				const u8 *shared_secret,
617 				size_t shared_secret_len)
618 {
619 	struct radius_ms_mppe_keys *keys;
620 
621 	keys = radius_msg_get_ms_keys(msg, req, shared_secret,
622 				      shared_secret_len);
623 	if (keys && keys->send == NULL && keys->recv == NULL) {
624 		os_free(keys);
625 		keys = radius_msg_get_cisco_keys(msg, req, shared_secret,
626 						 shared_secret_len);
627 	}
628 
629 	if (keys) {
630 		if (keys->send) {
631 			wpa_hexdump(MSG_DEBUG, "MS-MPPE-Send-Key (sign)",
632 				    keys->send, keys->send_len);
633 		}
634 		if (keys->recv) {
635 			wpa_hexdump(MSG_DEBUG, "MS-MPPE-Recv-Key (crypt)",
636 				    keys->recv, keys->recv_len);
637 			e->authenticator_pmk_len =
638 				keys->recv_len > PMK_LEN ? PMK_LEN :
639 				keys->recv_len;
640 			os_memcpy(e->authenticator_pmk, keys->recv,
641 				  e->authenticator_pmk_len);
642 			if (e->authenticator_pmk_len == 16 && keys->send &&
643 			    keys->send_len == 16) {
644 				/* MS-CHAP-v2 derives 16 octet keys */
645 				wpa_printf(MSG_DEBUG, "Use MS-MPPE-Send-Key "
646 					   "to extend PMK to 32 octets");
647 				os_memcpy(e->authenticator_pmk +
648 					  e->authenticator_pmk_len,
649 					  keys->send, keys->send_len);
650 				e->authenticator_pmk_len += keys->send_len;
651 			}
652 		}
653 
654 		os_free(keys->send);
655 		os_free(keys->recv);
656 		os_free(keys);
657 	}
658 }
659 
660 
661 /* Process the RADIUS frames from Authentication Server */
662 static RadiusRxResult
663 ieee802_1x_receive_auth(struct radius_msg *msg, struct radius_msg *req,
664 			const u8 *shared_secret, size_t shared_secret_len,
665 			void *data)
666 {
667 	struct eapol_test_data *e = data;
668 	struct radius_hdr *hdr = radius_msg_get_hdr(msg);
669 
670 	/* RFC 2869, Ch. 5.13: valid Message-Authenticator attribute MUST be
671 	 * present when packet contains an EAP-Message attribute */
672 	if (hdr->code == RADIUS_CODE_ACCESS_REJECT &&
673 	    radius_msg_get_attr(msg, RADIUS_ATTR_MESSAGE_AUTHENTICATOR, NULL,
674 				0) < 0 &&
675 	    radius_msg_get_attr(msg, RADIUS_ATTR_EAP_MESSAGE, NULL, 0) < 0) {
676 		wpa_printf(MSG_DEBUG, "Allowing RADIUS "
677 			      "Access-Reject without Message-Authenticator "
678 			      "since it does not include EAP-Message\n");
679 	} else if (radius_msg_verify(msg, shared_secret, shared_secret_len,
680 				     req, 1)) {
681 		printf("Incoming RADIUS packet did not have correct "
682 		       "Message-Authenticator - dropped\n");
683 		return RADIUS_RX_UNKNOWN;
684 	}
685 
686 	if (hdr->code != RADIUS_CODE_ACCESS_ACCEPT &&
687 	    hdr->code != RADIUS_CODE_ACCESS_REJECT &&
688 	    hdr->code != RADIUS_CODE_ACCESS_CHALLENGE) {
689 		printf("Unknown RADIUS message code\n");
690 		return RADIUS_RX_UNKNOWN;
691 	}
692 
693 	e->radius_identifier = -1;
694 	wpa_printf(MSG_DEBUG, "RADIUS packet matching with station");
695 
696 	radius_msg_free(e->last_recv_radius);
697 	e->last_recv_radius = msg;
698 
699 	switch (hdr->code) {
700 	case RADIUS_CODE_ACCESS_ACCEPT:
701 		e->radius_access_accept_received = 1;
702 		ieee802_1x_get_keys(e, msg, req, shared_secret,
703 				    shared_secret_len);
704 		break;
705 	case RADIUS_CODE_ACCESS_REJECT:
706 		e->radius_access_reject_received = 1;
707 		break;
708 	}
709 
710 	ieee802_1x_decapsulate_radius(e);
711 
712 	if ((hdr->code == RADIUS_CODE_ACCESS_ACCEPT &&
713 	     e->eapol_test_num_reauths < 0) ||
714 	    hdr->code == RADIUS_CODE_ACCESS_REJECT) {
715 		eloop_terminate();
716 	}
717 
718 	return RADIUS_RX_QUEUED;
719 }
720 
721 
722 static void wpa_init_conf(struct eapol_test_data *e,
723 			  struct wpa_supplicant *wpa_s, const char *authsrv,
724 			  int port, const char *secret,
725 			  const char *cli_addr)
726 {
727 	struct hostapd_radius_server *as;
728 	int res;
729 
730 	wpa_s->bssid[5] = 1;
731 	os_memcpy(wpa_s->own_addr, e->own_addr, ETH_ALEN);
732 	e->own_ip_addr.s_addr = htonl((127 << 24) | 1);
733 	os_strlcpy(wpa_s->ifname, "test", sizeof(wpa_s->ifname));
734 
735 	e->radius_conf = os_zalloc(sizeof(struct hostapd_radius_servers));
736 	assert(e->radius_conf != NULL);
737 	e->radius_conf->num_auth_servers = 1;
738 	as = os_zalloc(sizeof(struct hostapd_radius_server));
739 	assert(as != NULL);
740 #if defined(CONFIG_NATIVE_WINDOWS) || defined(CONFIG_ANSI_C_EXTRA)
741 	{
742 		int a[4];
743 		u8 *pos;
744 		sscanf(authsrv, "%d.%d.%d.%d", &a[0], &a[1], &a[2], &a[3]);
745 		pos = (u8 *) &as->addr.u.v4;
746 		*pos++ = a[0];
747 		*pos++ = a[1];
748 		*pos++ = a[2];
749 		*pos++ = a[3];
750 	}
751 #else /* CONFIG_NATIVE_WINDOWS or CONFIG_ANSI_C_EXTRA */
752 	inet_aton(authsrv, &as->addr.u.v4);
753 #endif /* CONFIG_NATIVE_WINDOWS or CONFIG_ANSI_C_EXTRA */
754 	as->addr.af = AF_INET;
755 	as->port = port;
756 	as->shared_secret = (u8 *) os_strdup(secret);
757 	as->shared_secret_len = os_strlen(secret);
758 	e->radius_conf->auth_server = as;
759 	e->radius_conf->auth_servers = as;
760 	e->radius_conf->msg_dumps = 1;
761 	if (cli_addr) {
762 		if (hostapd_parse_ip_addr(cli_addr,
763 					  &e->radius_conf->client_addr) == 0)
764 			e->radius_conf->force_client_addr = 1;
765 		else {
766 			wpa_printf(MSG_ERROR, "Invalid IP address '%s'",
767 				   cli_addr);
768 			assert(0);
769 		}
770 	}
771 
772 	e->radius = radius_client_init(wpa_s, e->radius_conf);
773 	assert(e->radius != NULL);
774 
775 	res = radius_client_register(e->radius, RADIUS_AUTH,
776 				     ieee802_1x_receive_auth, e);
777 	assert(res == 0);
778 }
779 
780 
781 static int scard_test(void)
782 {
783 	struct scard_data *scard;
784 	size_t len;
785 	char imsi[20];
786 	unsigned char _rand[16];
787 #ifdef PCSC_FUNCS
788 	unsigned char sres[4];
789 	unsigned char kc[8];
790 #endif /* PCSC_FUNCS */
791 #define num_triplets 5
792 	unsigned char rand_[num_triplets][16];
793 	unsigned char sres_[num_triplets][4];
794 	unsigned char kc_[num_triplets][8];
795 	int i, res;
796 	size_t j;
797 
798 #define AKA_RAND_LEN 16
799 #define AKA_AUTN_LEN 16
800 #define AKA_AUTS_LEN 14
801 #define RES_MAX_LEN 16
802 #define IK_LEN 16
803 #define CK_LEN 16
804 	unsigned char aka_rand[AKA_RAND_LEN];
805 	unsigned char aka_autn[AKA_AUTN_LEN];
806 	unsigned char aka_auts[AKA_AUTS_LEN];
807 	unsigned char aka_res[RES_MAX_LEN];
808 	size_t aka_res_len;
809 	unsigned char aka_ik[IK_LEN];
810 	unsigned char aka_ck[CK_LEN];
811 
812 	scard = scard_init(SCARD_TRY_BOTH);
813 	if (scard == NULL)
814 		return -1;
815 	if (scard_set_pin(scard, "1234")) {
816 		wpa_printf(MSG_WARNING, "PIN validation failed");
817 		scard_deinit(scard);
818 		return -1;
819 	}
820 
821 	len = sizeof(imsi);
822 	if (scard_get_imsi(scard, imsi, &len))
823 		goto failed;
824 	wpa_hexdump_ascii(MSG_DEBUG, "SCARD: IMSI", (u8 *) imsi, len);
825 	/* NOTE: Permanent Username: 1 | IMSI */
826 
827 	os_memset(_rand, 0, sizeof(_rand));
828 	if (scard_gsm_auth(scard, _rand, sres, kc))
829 		goto failed;
830 
831 	os_memset(_rand, 0xff, sizeof(_rand));
832 	if (scard_gsm_auth(scard, _rand, sres, kc))
833 		goto failed;
834 
835 	for (i = 0; i < num_triplets; i++) {
836 		os_memset(rand_[i], i, sizeof(rand_[i]));
837 		if (scard_gsm_auth(scard, rand_[i], sres_[i], kc_[i]))
838 			goto failed;
839 	}
840 
841 	for (i = 0; i < num_triplets; i++) {
842 		printf("1");
843 		for (j = 0; j < len; j++)
844 			printf("%c", imsi[j]);
845 		printf(",");
846 		for (j = 0; j < 16; j++)
847 			printf("%02X", rand_[i][j]);
848 		printf(",");
849 		for (j = 0; j < 4; j++)
850 			printf("%02X", sres_[i][j]);
851 		printf(",");
852 		for (j = 0; j < 8; j++)
853 			printf("%02X", kc_[i][j]);
854 		printf("\n");
855 	}
856 
857 	wpa_printf(MSG_DEBUG, "Trying to use UMTS authentication");
858 
859 	/* seq 39 (0x28) */
860 	os_memset(aka_rand, 0xaa, 16);
861 	os_memcpy(aka_autn, "\x86\x71\x31\xcb\xa2\xfc\x61\xdf"
862 		  "\xa3\xb3\x97\x9d\x07\x32\xa2\x12", 16);
863 
864 	res = scard_umts_auth(scard, aka_rand, aka_autn, aka_res, &aka_res_len,
865 			      aka_ik, aka_ck, aka_auts);
866 	if (res == 0) {
867 		wpa_printf(MSG_DEBUG, "UMTS auth completed successfully");
868 		wpa_hexdump(MSG_DEBUG, "RES", aka_res, aka_res_len);
869 		wpa_hexdump(MSG_DEBUG, "IK", aka_ik, IK_LEN);
870 		wpa_hexdump(MSG_DEBUG, "CK", aka_ck, CK_LEN);
871 	} else if (res == -2) {
872 		wpa_printf(MSG_DEBUG, "UMTS auth resulted in synchronization "
873 			   "failure");
874 		wpa_hexdump(MSG_DEBUG, "AUTS", aka_auts, AKA_AUTS_LEN);
875 	} else {
876 		wpa_printf(MSG_DEBUG, "UMTS auth failed");
877 	}
878 
879 failed:
880 	scard_deinit(scard);
881 
882 	return 0;
883 #undef num_triplets
884 }
885 
886 
887 static int scard_get_triplets(int argc, char *argv[])
888 {
889 	struct scard_data *scard;
890 	size_t len;
891 	char imsi[20];
892 	unsigned char _rand[16];
893 	unsigned char sres[4];
894 	unsigned char kc[8];
895 	int num_triplets;
896 	int i;
897 	size_t j;
898 
899 	if (argc < 2 || ((num_triplets = atoi(argv[1])) <= 0)) {
900 		printf("invalid parameters for sim command\n");
901 		return -1;
902 	}
903 
904 	if (argc <= 2 || os_strcmp(argv[2], "debug") != 0) {
905 		/* disable debug output */
906 		wpa_debug_level = 99;
907 	}
908 
909 	scard = scard_init(SCARD_GSM_SIM_ONLY);
910 	if (scard == NULL) {
911 		printf("Failed to open smartcard connection\n");
912 		return -1;
913 	}
914 	if (scard_set_pin(scard, argv[0])) {
915 		wpa_printf(MSG_WARNING, "PIN validation failed");
916 		scard_deinit(scard);
917 		return -1;
918 	}
919 
920 	len = sizeof(imsi);
921 	if (scard_get_imsi(scard, imsi, &len)) {
922 		scard_deinit(scard);
923 		return -1;
924 	}
925 
926 	for (i = 0; i < num_triplets; i++) {
927 		os_memset(_rand, i, sizeof(_rand));
928 		if (scard_gsm_auth(scard, _rand, sres, kc))
929 			break;
930 
931 		/* IMSI:Kc:SRES:RAND */
932 		for (j = 0; j < len; j++)
933 			printf("%c", imsi[j]);
934 		printf(":");
935 		for (j = 0; j < 8; j++)
936 			printf("%02X", kc[j]);
937 		printf(":");
938 		for (j = 0; j < 4; j++)
939 			printf("%02X", sres[j]);
940 		printf(":");
941 		for (j = 0; j < 16; j++)
942 			printf("%02X", _rand[j]);
943 		printf("\n");
944 	}
945 
946 	scard_deinit(scard);
947 
948 	return 0;
949 }
950 
951 
952 static void eapol_test_terminate(int sig, void *signal_ctx)
953 {
954 	struct wpa_supplicant *wpa_s = signal_ctx;
955 	wpa_msg(wpa_s, MSG_INFO, "Signal %d received - terminating", sig);
956 	eloop_terminate();
957 }
958 
959 
960 static void usage(void)
961 {
962 	printf("usage:\n"
963 	       "eapol_test [-nWS] -c<conf> [-a<AS IP>] [-p<AS port>] "
964 	       "[-s<AS secret>]\\\n"
965 	       "           [-r<count>] [-t<timeout>] [-C<Connect-Info>] \\\n"
966 	       "           [-M<client MAC address>] \\\n"
967 	       "           [-N<attr spec>] \\\n"
968 	       "           [-A<client IP>]\n"
969 	       "eapol_test scard\n"
970 	       "eapol_test sim <PIN> <num triplets> [debug]\n"
971 	       "\n");
972 	printf("options:\n"
973 	       "  -c<conf> = configuration file\n"
974 	       "  -a<AS IP> = IP address of the authentication server, "
975 	       "default 127.0.0.1\n"
976 	       "  -p<AS port> = UDP port of the authentication server, "
977 	       "default 1812\n"
978 	       "  -s<AS secret> = shared secret with the authentication "
979 	       "server, default 'radius'\n"
980 	       "  -A<client IP> = IP address of the client, default: select "
981 	       "automatically\n"
982 	       "  -r<count> = number of re-authentications\n"
983 	       "  -W = wait for a control interface monitor before starting\n"
984 	       "  -S = save configuration after authentication\n"
985 	       "  -n = no MPPE keys expected\n"
986 	       "  -t<timeout> = sets timeout in seconds (default: 30 s)\n"
987 	       "  -C<Connect-Info> = RADIUS Connect-Info (default: "
988 	       "CONNECT 11Mbps 802.11b)\n"
989 	       "  -M<client MAC address> = Set own MAC address "
990 	       "(Calling-Station-Id,\n"
991 	       "                           default: 02:00:00:00:00:01)\n"
992 	       "  -N<attr spec> = send arbitrary attribute specified by:\n"
993 	       "                  attr_id:syntax:value or attr_id\n"
994 	       "                  attr_id - number id of the attribute\n"
995 	       "                  syntax - one of: s, d, x\n"
996 	       "                     s = string\n"
997 	       "                     d = integer\n"
998 	       "                     x = octet string\n"
999 	       "                  value - attribute value.\n"
1000 	       "       When only attr_id is specified, NULL will be used as "
1001 	       "value.\n"
1002 	       "       Multiple attributes can be specified by using the "
1003 	       "option several times.\n");
1004 }
1005 
1006 
1007 int main(int argc, char *argv[])
1008 {
1009 	struct wpa_supplicant wpa_s;
1010 	int c, ret = 1, wait_for_monitor = 0, save_config = 0;
1011 	char *as_addr = "127.0.0.1";
1012 	int as_port = 1812;
1013 	char *as_secret = "radius";
1014 	char *cli_addr = NULL;
1015 	char *conf = NULL;
1016 	int timeout = 30;
1017 	char *pos;
1018 	struct extra_radius_attr *p = NULL, *p1;
1019 
1020 	if (os_program_init())
1021 		return -1;
1022 
1023 	hostapd_logger_register_cb(hostapd_logger_cb);
1024 
1025 	os_memset(&eapol_test, 0, sizeof(eapol_test));
1026 	eapol_test.connect_info = "CONNECT 11Mbps 802.11b";
1027 	os_memcpy(eapol_test.own_addr, "\x02\x00\x00\x00\x00\x01", ETH_ALEN);
1028 
1029 	wpa_debug_level = 0;
1030 	wpa_debug_show_keys = 1;
1031 
1032 	for (;;) {
1033 		c = getopt(argc, argv, "a:A:c:C:M:nN:p:r:s:St:W");
1034 		if (c < 0)
1035 			break;
1036 		switch (c) {
1037 		case 'a':
1038 			as_addr = optarg;
1039 			break;
1040 		case 'A':
1041 			cli_addr = optarg;
1042 			break;
1043 		case 'c':
1044 			conf = optarg;
1045 			break;
1046 		case 'C':
1047 			eapol_test.connect_info = optarg;
1048 			break;
1049 		case 'M':
1050 			if (hwaddr_aton(optarg, eapol_test.own_addr)) {
1051 				usage();
1052 				return -1;
1053 			}
1054 			break;
1055 		case 'n':
1056 			eapol_test.no_mppe_keys++;
1057 			break;
1058 		case 'p':
1059 			as_port = atoi(optarg);
1060 			break;
1061 		case 'r':
1062 			eapol_test.eapol_test_num_reauths = atoi(optarg);
1063 			break;
1064 		case 's':
1065 			as_secret = optarg;
1066 			break;
1067 		case 'S':
1068 			save_config++;
1069 			break;
1070 		case 't':
1071 			timeout = atoi(optarg);
1072 			break;
1073 		case 'W':
1074 			wait_for_monitor++;
1075 			break;
1076 		case 'N':
1077 			p1 = os_zalloc(sizeof(p1));
1078 			if (p1 == NULL)
1079 				break;
1080 			if (!p)
1081 				eapol_test.extra_attrs = p1;
1082 			else
1083 				p->next = p1;
1084 			p = p1;
1085 
1086 			p->type = atoi(optarg);
1087 			pos = os_strchr(optarg, ':');
1088 			if (pos == NULL) {
1089 				p->syntax = 'n';
1090 				p->data = NULL;
1091 				break;
1092 			}
1093 
1094 			pos++;
1095 			if (pos[0] == '\0' || pos[1] != ':') {
1096 				printf("Incorrect format of attribute "
1097 				       "specification\n");
1098 				break;
1099 			}
1100 
1101 			p->syntax = pos[0];
1102 			p->data = pos + 2;
1103 			break;
1104 		default:
1105 			usage();
1106 			return -1;
1107 		}
1108 	}
1109 
1110 	if (argc > optind && os_strcmp(argv[optind], "scard") == 0) {
1111 		return scard_test();
1112 	}
1113 
1114 	if (argc > optind && os_strcmp(argv[optind], "sim") == 0) {
1115 		return scard_get_triplets(argc - optind - 1,
1116 					  &argv[optind + 1]);
1117 	}
1118 
1119 	if (conf == NULL) {
1120 		usage();
1121 		printf("Configuration file is required.\n");
1122 		return -1;
1123 	}
1124 
1125 	if (eap_register_methods()) {
1126 		wpa_printf(MSG_ERROR, "Failed to register EAP methods");
1127 		return -1;
1128 	}
1129 
1130 	if (eloop_init()) {
1131 		wpa_printf(MSG_ERROR, "Failed to initialize event loop");
1132 		return -1;
1133 	}
1134 
1135 	os_memset(&wpa_s, 0, sizeof(wpa_s));
1136 	eapol_test.wpa_s = &wpa_s;
1137 	wpa_s.conf = wpa_config_read(conf);
1138 	if (wpa_s.conf == NULL) {
1139 		printf("Failed to parse configuration file '%s'.\n", conf);
1140 		return -1;
1141 	}
1142 	if (wpa_s.conf->ssid == NULL) {
1143 		printf("No networks defined.\n");
1144 		return -1;
1145 	}
1146 
1147 	wpa_init_conf(&eapol_test, &wpa_s, as_addr, as_port, as_secret,
1148 		      cli_addr);
1149 	wpa_s.ctrl_iface = wpa_supplicant_ctrl_iface_init(&wpa_s);
1150 	if (wpa_s.ctrl_iface == NULL) {
1151 		printf("Failed to initialize control interface '%s'.\n"
1152 		       "You may have another eapol_test process already "
1153 		       "running or the file was\n"
1154 		       "left by an unclean termination of eapol_test in "
1155 		       "which case you will need\n"
1156 		       "to manually remove this file before starting "
1157 		       "eapol_test again.\n",
1158 		       wpa_s.conf->ctrl_interface);
1159 		return -1;
1160 	}
1161 	if (wpa_supplicant_scard_init(&wpa_s, wpa_s.conf->ssid))
1162 		return -1;
1163 
1164 	if (test_eapol(&eapol_test, &wpa_s, wpa_s.conf->ssid))
1165 		return -1;
1166 
1167 	if (wait_for_monitor)
1168 		wpa_supplicant_ctrl_iface_wait(wpa_s.ctrl_iface);
1169 
1170 	eloop_register_timeout(timeout, 0, eapol_test_timeout, &eapol_test,
1171 			       NULL);
1172 	eloop_register_timeout(0, 0, send_eap_request_identity, &wpa_s, NULL);
1173 	eloop_register_signal_terminate(eapol_test_terminate, &wpa_s);
1174 	eloop_register_signal_reconfig(eapol_test_terminate, &wpa_s);
1175 	eloop_run();
1176 
1177 	eloop_cancel_timeout(eapol_test_timeout, &eapol_test, NULL);
1178 	eloop_cancel_timeout(eapol_sm_reauth, &eapol_test, NULL);
1179 
1180 	if (eapol_test_compare_pmk(&eapol_test) == 0 ||
1181 	    eapol_test.no_mppe_keys)
1182 		ret = 0;
1183 	if (eapol_test.auth_timed_out)
1184 		ret = -2;
1185 	if (eapol_test.radius_access_reject_received)
1186 		ret = -3;
1187 
1188 	if (save_config)
1189 		wpa_config_write(conf, wpa_s.conf);
1190 
1191 	test_eapol_clean(&eapol_test, &wpa_s);
1192 
1193 	eap_peer_unregister_methods();
1194 
1195 	eloop_destroy();
1196 
1197 	printf("MPPE keys OK: %d  mismatch: %d\n",
1198 	       eapol_test.num_mppe_ok, eapol_test.num_mppe_mismatch);
1199 	if (eapol_test.num_mppe_mismatch)
1200 		ret = -4;
1201 	if (ret)
1202 		printf("FAILURE\n");
1203 	else
1204 		printf("SUCCESS\n");
1205 
1206 	os_program_deinit();
1207 
1208 	return ret;
1209 }
1210