diff options
author | Cody Kesting <ckesting@google.com> | 2019-10-21 09:31:11 -0700 |
---|---|---|
committer | Cody Kesting <ckesting@google.com> | 2019-10-29 12:33:41 -0700 |
commit | e93bb5e45e3f543efd42043775b2042b8278631e (patch) | |
tree | 71da3411a8bf374e341dff3f216749b73225719a /tests/iketests/src/java | |
parent | fb79a8ce8966969beeb402b54c03504743b1d0a7 (diff) | |
download | ike-e93bb5e45e3f543efd42043775b2042b8278631e.tar.gz |
Implement attribute checking for EAP-AKA'.
EAP-AKA' requires additional attribute checking on top of that done by
EAP-AKA. EAP-AKA' also requires AT_KDF and AT_KDF_INPUT attributes. The
AT_KDF_INPUT attribute must contain a network name that matches the
peer's known network name. The KDF specified by the server must be
supported by the peer.
Bug: 142668075
Test: added test cases to EapAkaPrimeChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I4ca1a803cae81dd821ef259dbebedc9f4b5b363e
Diffstat (limited to 'tests/iketests/src/java')
-rw-r--r-- | tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java | 6 | ||||
-rw-r--r-- | tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaPrimeChallengeStateTest.java | 163 |
2 files changed, 167 insertions, 2 deletions
diff --git a/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java b/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java index 3ddbe549..30ca917f 100644 --- a/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java +++ b/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java @@ -318,6 +318,10 @@ public class EapTestMessageDefinitions { public static final byte[] EAP_AKA_PRIME_IDENTITY_RESPONSE = hexStringToByteArray( "02" + ID + "001C" // EAP-Response | ID | length in bytes - + "32050000" // EAP-AKA | Identity | 2B padding + + "32050000" // EAP-AKA' | Identity | 2B padding + "0E050010" + EAP_AKA_PRIME_IDENTITY); // AT_IDENTITY ("6" + IMSI) + public static final byte[] EAP_AKA_PRIME_AUTHENTICATION_REJECT = + hexStringToByteArray( + "02" + ID + "0008" // EAP-Response | ID | length in bytes + + "32020000"); // EAP-AKA' | Authentication Reject | 2B padding } diff --git a/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaPrimeChallengeStateTest.java b/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaPrimeChallengeStateTest.java index 8eac86b9..43fbf41c 100644 --- a/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaPrimeChallengeStateTest.java +++ b/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaPrimeChallengeStateTest.java @@ -16,42 +16,69 @@ package com.android.ike.eap.statemachine; +import static android.telephony.TelephonyManager.APPTYPE_USIM; + import static com.android.ike.eap.message.EapData.EAP_TYPE_AKA_PRIME; import static com.android.ike.eap.message.EapMessage.EAP_CODE_REQUEST; +import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_PRIME_AUTHENTICATION_REJECT; import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_PRIME_IDENTITY_BYTES; import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_PRIME_IDENTITY_RESPONSE; import static com.android.ike.eap.message.EapTestMessageDefinitions.ID_INT; import static com.android.ike.eap.message.EapTestMessageDefinitions.IMSI; import static com.android.ike.eap.message.simaka.EapAkaTypeData.EAP_AKA_CHALLENGE; import static com.android.ike.eap.message.simaka.EapAkaTypeData.EAP_AKA_IDENTITY; +import static com.android.ike.eap.message.simaka.attributes.EapTestAttributeDefinitions.AUTN_BYTES; +import static com.android.ike.eap.message.simaka.attributes.EapTestAttributeDefinitions.MAC_BYTES; +import static com.android.ike.eap.message.simaka.attributes.EapTestAttributeDefinitions.RAND_1_BYTES; import static org.junit.Assert.assertArrayEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertTrue; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.Mockito.times; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.when; import com.android.ike.eap.EapResult.EapResponse; +import com.android.ike.eap.EapSessionConfig; import com.android.ike.eap.message.EapData; import com.android.ike.eap.message.EapMessage; import com.android.ike.eap.message.simaka.EapAkaPrimeTypeData; import com.android.ike.eap.message.simaka.EapAkaTypeData; import com.android.ike.eap.message.simaka.EapSimAkaAttribute.AtAnyIdReq; +import com.android.ike.eap.message.simaka.EapSimAkaAttribute.AtAutn; +import com.android.ike.eap.message.simaka.EapSimAkaAttribute.AtKdf; +import com.android.ike.eap.message.simaka.EapSimAkaAttribute.AtKdfInput; +import com.android.ike.eap.message.simaka.EapSimAkaAttribute.AtMac; +import com.android.ike.eap.message.simaka.EapSimAkaAttribute.AtRandAka; import com.android.ike.eap.message.simaka.EapSimAkaTypeData.DecodeResult; import com.android.ike.eap.statemachine.EapAkaPrimeMethodStateMachine.ChallengeState; import org.junit.Before; import org.junit.Test; +import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.Arrays; public class EapAkaPrimeChallengeStateTest extends EapAkaPrimeStateTest { + private static final String SERVER_NETWORK_NAME_STRING = "foo:bar:buzz"; + private static final byte[] SERVER_NETWORK_NAME = + SERVER_NETWORK_NAME_STRING.getBytes(StandardCharsets.UTF_8); + private static final String INCORRECT_NETWORK_NAME = "foo:buzz"; + private static final byte[] INCORRECT_SERVER_NETWORK_NAME = + INCORRECT_NETWORK_NAME.getBytes(StandardCharsets.UTF_8); + private static final int VALID_KDF = 1; + private static final int INVALID_KDF = 10; + + private ChallengeState mState; + @Before public void setUp() { super.setUp(); - mStateMachine.transitionTo(mStateMachine.new ChallengeState()); + mState = mStateMachine.new ChallengeState(); + mStateMachine.transitionTo(mState); } @Test @@ -108,4 +135,138 @@ public class EapAkaPrimeChallengeStateTest extends EapAkaPrimeStateTest { // decode() called again in IdentityState and ChallengeState verify(mMockTypeDataDecoder, times(4)).decode(eq(DUMMY_EAP_TYPE_DATA)); } + + @Test + public void testProcessMissingAtKdf() throws Exception { + EapData eapData = new EapData(EAP_TYPE_AKA_PRIME, DUMMY_EAP_TYPE_DATA); + EapMessage eapMessage = new EapMessage(EAP_CODE_REQUEST, ID_INT, eapData); + + AtRandAka atRandAka = new AtRandAka(RAND_1_BYTES); + AtAutn atAutn = new AtAutn(AUTN_BYTES); + AtMac atMac = new AtMac(MAC_BYTES); + AtKdfInput atKdfInput = new AtKdfInput(0, SERVER_NETWORK_NAME); + + DecodeResult<EapAkaTypeData> decodeResult = + new DecodeResult<>( + new EapAkaPrimeTypeData( + EAP_AKA_CHALLENGE, + Arrays.asList(atRandAka, atAutn, atMac, atKdfInput))); + when(mMockTypeDataDecoder.decode(eq(DUMMY_EAP_TYPE_DATA))).thenReturn(decodeResult); + + EapResponse eapResponse = (EapResponse) mStateMachine.process(eapMessage); + assertArrayEquals(EAP_AKA_PRIME_AUTHENTICATION_REJECT, eapResponse.packet); + verify(mMockTypeDataDecoder).decode(eq(DUMMY_EAP_TYPE_DATA)); + } + + @Test + public void testProcessMissingAtKdfInput() throws Exception { + EapData eapData = new EapData(EAP_TYPE_AKA_PRIME, DUMMY_EAP_TYPE_DATA); + EapMessage eapMessage = new EapMessage(EAP_CODE_REQUEST, ID_INT, eapData); + + AtRandAka atRandAka = new AtRandAka(RAND_1_BYTES); + AtAutn atAutn = new AtAutn(AUTN_BYTES); + AtMac atMac = new AtMac(MAC_BYTES); + AtKdf atKdf = new AtKdf(VALID_KDF); + + DecodeResult<EapAkaTypeData> decodeResult = + new DecodeResult<>( + new EapAkaPrimeTypeData( + EAP_AKA_CHALLENGE, Arrays.asList(atRandAka, atAutn, atMac, atKdf))); + when(mMockTypeDataDecoder.decode(eq(DUMMY_EAP_TYPE_DATA))).thenReturn(decodeResult); + + EapResponse eapResponse = (EapResponse) mStateMachine.process(eapMessage); + assertArrayEquals(EAP_AKA_PRIME_AUTHENTICATION_REJECT, eapResponse.packet); + verify(mMockTypeDataDecoder).decode(eq(DUMMY_EAP_TYPE_DATA)); + } + + @Test + public void testProcessUnsupportedKdf() throws Exception { + EapData eapData = new EapData(EAP_TYPE_AKA_PRIME, DUMMY_EAP_TYPE_DATA); + EapMessage eapMessage = new EapMessage(EAP_CODE_REQUEST, ID_INT, eapData); + + AtRandAka atRandAka = new AtRandAka(RAND_1_BYTES); + AtAutn atAutn = new AtAutn(AUTN_BYTES); + AtMac atMac = new AtMac(MAC_BYTES); + AtKdfInput atKdfInput = new AtKdfInput(0, SERVER_NETWORK_NAME); + AtKdf atKdf = new AtKdf(INVALID_KDF); + + DecodeResult<EapAkaTypeData> decodeResult = + new DecodeResult<>( + new EapAkaPrimeTypeData( + EAP_AKA_CHALLENGE, + Arrays.asList(atRandAka, atAutn, atMac, atKdfInput, atKdf))); + when(mMockTypeDataDecoder.decode(eq(DUMMY_EAP_TYPE_DATA))).thenReturn(decodeResult); + + EapResponse eapResponse = (EapResponse) mStateMachine.process(eapMessage); + assertArrayEquals(EAP_AKA_PRIME_AUTHENTICATION_REJECT, eapResponse.packet); + verify(mMockTypeDataDecoder).decode(eq(DUMMY_EAP_TYPE_DATA)); + } + + @Test + public void testProcessIncorrectNetworkName() throws Exception { + EapData eapData = new EapData(EAP_TYPE_AKA_PRIME, DUMMY_EAP_TYPE_DATA); + EapMessage eapMessage = new EapMessage(EAP_CODE_REQUEST, ID_INT, eapData); + + AtRandAka atRandAka = new AtRandAka(RAND_1_BYTES); + AtAutn atAutn = new AtAutn(AUTN_BYTES); + AtMac atMac = new AtMac(MAC_BYTES); + AtKdfInput atKdfInput = new AtKdfInput(0, INCORRECT_SERVER_NETWORK_NAME); + AtKdf atKdf = new AtKdf(VALID_KDF); + + DecodeResult<EapAkaTypeData> decodeResult = + new DecodeResult<>( + new EapAkaPrimeTypeData( + EAP_AKA_CHALLENGE, + Arrays.asList(atRandAka, atAutn, atMac, atKdfInput, atKdf))); + when(mMockTypeDataDecoder.decode(eq(DUMMY_EAP_TYPE_DATA))).thenReturn(decodeResult); + + EapResponse eapResponse = (EapResponse) mStateMachine.process(eapMessage); + assertArrayEquals(EAP_AKA_PRIME_AUTHENTICATION_REJECT, eapResponse.packet); + verify(mMockTypeDataDecoder).decode(eq(DUMMY_EAP_TYPE_DATA)); + } + + @Test + public void testProcessIncorrectNetworkNameIsIgnored() throws Exception { + // Create state machine with configs allowing invalid network name to be ignored + mStateMachine = + new EapAkaPrimeMethodStateMachine( + mMockContext, + EAP_IDENTITY_BYTES, + new EapSessionConfig.EapAkaPrimeConfig( + SUB_ID, APPTYPE_USIM, PEER_NETWORK_NAME, true), + mMockTypeDataDecoder); + mState = mStateMachine.new ChallengeState(); + mStateMachine.transitionTo(mState); + + AtRandAka atRandAka = new AtRandAka(RAND_1_BYTES); + AtAutn atAutn = new AtAutn(AUTN_BYTES); + AtMac atMac = new AtMac(MAC_BYTES); + AtKdfInput atKdfInput = new AtKdfInput(0, INCORRECT_SERVER_NETWORK_NAME); + AtKdf atKdf = new AtKdf(VALID_KDF); + + EapAkaPrimeTypeData eapAkaPrimeTypeData = + new EapAkaPrimeTypeData( + EAP_AKA_CHALLENGE, + Arrays.asList(atRandAka, atAutn, atMac, atKdfInput, atKdf)); + assertTrue( + "Incorrect network names should be ignored", + mState.isValidChallengeAttributes(eapAkaPrimeTypeData)); + } + + @Test + public void testHasMatchingNetworkNames() { + // "" should match anything + assertTrue(mState.hasMatchingNetworkNames("", SERVER_NETWORK_NAME_STRING)); + assertTrue(mState.hasMatchingNetworkNames(SERVER_NETWORK_NAME_STRING, "")); + + // "foo:bar" should match "foo:bar:buzz" + assertTrue(mState.hasMatchingNetworkNames(PEER_NETWORK_NAME, SERVER_NETWORK_NAME_STRING)); + assertTrue(mState.hasMatchingNetworkNames(SERVER_NETWORK_NAME_STRING, PEER_NETWORK_NAME)); + + // "foo:buzz" shouldn't match "foo:bar:buzz" + assertFalse( + mState.hasMatchingNetworkNames(SERVER_NETWORK_NAME_STRING, INCORRECT_NETWORK_NAME)); + assertFalse( + mState.hasMatchingNetworkNames(INCORRECT_NETWORK_NAME, SERVER_NETWORK_NAME_STRING)); + } } |