author | Cody Kesting <ckesting@google.com> | 2019-10-11 12:26:52 -0700 |
---|---|---|
committer | Cody Kesting <ckesting@google.com> | 2019-10-16 13:48:02 -0700 |
commit | 0f78100cd1b05a95a5e8922e6828c3044eb2e90c (patch) | |
tree | 37e355080055bd884434452f05ae071b682dc6c9 /tests/iketests/src | |
parent | 25512dba23e5365a422a869a6fd7706c0cba03db (diff) | |
download | ike-0f78100cd1b05a95a5e8922e6828c3044eb2e90c.tar.gz |
EAP-AKA should return Auth Reject for AUTN reject.
When running the EAP-AKA authentication algorithm on the UICC, the AUTN
value may be rejected by the UICC. The peer needs to return an
EAP-Response/AKA-Authentication-Reject message to the server. When this
situation occurs, TelephonyManager#getIccAuthentication will return
null, which triggers an EapSimAkaAuthenticationFailureException to be
thrown in EapSimAkaMethodStateMachine#processUiccAuthentication.
Bug: 142552679
Test: tests added in EapAkaTest and EapAkaChallengeStateTest.
Test: atest FrameworksIkeTests
Change-Id: I93b97ba11473380f882b1d3ab57ac0bdd6f4001b
Diffstat (limited to 'tests/iketests/src')
3 files changed, 28 insertions, 14 deletions
diff --git a/tests/iketests/src/java/com/android/ike/eap/EapAkaTest.java b/tests/iketests/src/java/com/android/ike/eap/EapAkaTest.java index f64f507b..b1744e17 100644 --- a/tests/iketests/src/java/com/android/ike/eap/EapAkaTest.java +++ b/tests/iketests/src/java/com/android/ike/eap/EapAkaTest.java @@ -161,9 +161,14 @@ public class EapAkaTest extends EapMethodEndToEndTest { private static final byte[] EAP_AKA_SYNC_FAIL_RESPONSE = hexStringToByteArray( "02CE0018" // EAP-Response | ID | length in bytes - + "17040000" // EAP-AKA | Challenge | 2B padding + + "17040000" // EAP-AKA | Synchronization-Failure | 2B padding + "0404" + AUTS); // AT_AUTS attribute + private static final byte[] EAP_AKA_AUTHENTICATION_REJECT = + hexStringToByteArray( + "02CE0008" // EAP-Response | ID | length in bytes + + "17020000"); // EAP-AKA | Authentication-Reject | 2B padding + private static final byte[] EAP_RESPONSE_NAK_PACKET = hexStringToByteArray("021000060317"); // NAK with EAP-AKA listed @@ -198,7 +203,7 @@ public class EapAkaTest extends EapMethodEndToEndTest { @Test public void testEapAkaEndToEnd() { verifyEapAkaIdentity(); - verifyEapAkaChallenge(); + verifyEapAkaChallenge(BASE_64_RESPONSE_SUCCESS, EAP_AKA_CHALLENGE_RESPONSE); verifyEapSuccess(MSK, EMSK); } @@ -214,7 +219,7 @@ public class EapAkaTest extends EapMethodEndToEndTest { verifyEapAkaIdentity(); verifyEapNotification(2); - verifyEapAkaChallenge(); + verifyEapAkaChallenge(BASE_64_RESPONSE_SUCCESS, EAP_AKA_CHALLENGE_RESPONSE); verifyEapNotification(3); verifyEapSuccess(MSK, EMSK); @@ -225,7 +230,7 @@ public class EapAkaTest extends EapMethodEndToEndTest { verifyUnsupportedType(EAP_REQUEST_SIM_START_PACKET, EAP_RESPONSE_NAK_PACKET); verifyEapAkaIdentity(); - verifyEapAkaChallenge(); + verifyEapAkaChallenge(BASE_64_RESPONSE_SUCCESS, EAP_AKA_CHALLENGE_RESPONSE); verifyEapSuccess(MSK, EMSK); } 
@@ -233,10 +238,19 @@ public class EapAkaTest extends EapMethodEndToEndTest { public void testEapAkaSynchronizationFailure() { verifyEapAkaIdentity(); verifyEapAkaSynchronizationFailure(); - verifyEapAkaChallenge(); + verifyEapAkaChallenge(BASE_64_RESPONSE_SUCCESS, EAP_AKA_CHALLENGE_RESPONSE); verifyEapSuccess(MSK, EMSK); } + @Test + public void testEapAkaAuthenticationReject() { + verifyEapAkaIdentity(); + + // return null from TelephonyManager to simluate rejection of AUTN + verifyEapAkaChallenge(null, EAP_AKA_AUTHENTICATION_REJECT); + verifyEapFailure(); + } + private void verifyEapAkaIdentity() { // EAP-AKA/Identity request when(mMockTelephonyManager.getSubscriberId()).thenReturn(UNFORMATTED_IDENTITY); @@ -277,12 +291,9 @@ public class EapAkaTest extends EapMethodEndToEndTest { verify(mMockCallback).onResponse(eq(outgoingEapPacket)); } - private void verifyEapAkaChallenge() { + private void verifyEapAkaChallenge(String responseBase64, byte[] outgoingPacket) { verifyEapAkaChallenge( - BASE64_CHALLENGE_1, - BASE_64_RESPONSE_SUCCESS, - EAP_AKA_CHALLENGE_REQUEST, - EAP_AKA_CHALLENGE_RESPONSE); + BASE64_CHALLENGE_1, responseBase64, EAP_AKA_CHALLENGE_REQUEST, outgoingPacket); verifyNoMoreInteractions( mMockContext, mMockTelephonyManager, mMockSecureRandom, mMockCallback); } diff --git a/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java b/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java index 960cd34c..2e937332 100644 --- a/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java +++ b/tests/iketests/src/java/com/android/ike/eap/message/EapTestMessageDefinitions.java 
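Review bot: `verifyEapAkaChallenge(String responseBase64, byte[] outgoingPacket)` (hunk at -277,12) now accepts `null` for `responseBase64`, and that null is the only thing steering `testEapAkaAuthenticationReject` onto the AUTN-reject path, yet the helper does not say null is a legal value. I would add a comment above the helper such as `// responseBase64 == null simulates the UICC rejecting AUTN (TelephonyManager returns null)`, so a later cleanup does not add a non-null check and silently drop the reject coverage. The value is presumably handed to the mocked TelephonyManager inside the four-argument overload, which is outside this diff, so confirm the wording against it. In the test's own comment, `simluate` should read `simulate`.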
@@ -225,6 +225,8 @@ public class EapTestMessageDefinitions { public static final String EAP_AKA_UICC_RESP_SUCCESS_BASE_64 = "2wURIjNEVRAAESIzRFVmd4iZqrvM3e7/EP/u3cy7qpmId2ZVRDMiEQA="; + public static final byte[] EAP_AKA_AUTHENTICATION_REJECT = + hexStringToByteArray("02" + ID + "000817020000"); public static final String EAP_AKA_CHALLENGE_RESPONSE_MAC = "C70366512D9C5EBA8E3484509A25DCE4"; public static final byte[] EAP_AKA_CHALLENGE_RESPONSE_MAC_BYTES = hexStringToByteArray(EAP_AKA_CHALLENGE_RESPONSE_MAC); diff --git a/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaChallengeStateTest.java b/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaChallengeStateTest.java index 5d9a5e68..4deecf30 100644 --- a/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaChallengeStateTest.java +++ b/tests/iketests/src/java/com/android/ike/eap/statemachine/EapAkaChallengeStateTest.java @@ -23,6 +23,7 @@ import static com.android.ike.eap.message.EapMessage.EAP_CODE_FAILURE; import static com.android.ike.eap.message.EapMessage.EAP_CODE_REQUEST; import static com.android.ike.eap.message.EapMessage.EAP_CODE_SUCCESS; import static com.android.ike.eap.message.EapTestMessageDefinitions.CK_BYTES; +import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_AUTHENTICATION_REJECT; import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_CHALLENGE_RESPONSE; import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_CLIENT_ERROR_UNABLE_TO_PROCESS; import static com.android.ike.eap.message.EapTestMessageDefinitions.EAP_AKA_SYNCHRONIZATION_FAILURE; 
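Review bot: The new `EAP_AKA_AUTHENTICATION_REJECT` constant in EapTestMessageDefinitions is an opaque hex string with no byte-layout comment, while the same packet in EapAkaTest is annotated field by field. A reader checking that the state machine emits exactly an Authentication-Reject, and not some other EAP-AKA subtype, has to decode `"02" + ID + "000817020000"` by hand. I would add `// EAP-Response | ID | length (8B) | EAP-AKA | Authentication-Reject | 2B padding` above the declaration, mirroring the comments on the EapAkaTest constant.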
@@ -57,7 +58,7 @@ import com.android.ike.eap.EapResult.EapFailure; import com.android.ike.eap.EapResult.EapResponse; import com.android.ike.eap.EapResult.EapSuccess; import com.android.ike.eap.exceptions.EapInvalidRequestException; -import com.android.ike.eap.exceptions.simaka.EapSimAkaAuthenticationFailureException; +import com.android.ike.eap.exceptions.simaka.EapAkaInvalidAuthenticationResponse; import com.android.ike.eap.exceptions.simaka.EapSimAkaInvalidLengthException; import com.android.ike.eap.message.EapData; import com.android.ike.eap.message.EapMessage; @@ -269,8 +270,8 @@ public class EapAkaChallengeStateTest extends EapAkaStateTest { BASE_64_CHALLENGE)) .thenReturn(null); - EapError eapError = (EapError) mEapAkaMethodStateMachine.process(eapMessage); - assertTrue(eapError.cause instanceof EapSimAkaAuthenticationFailureException); + EapResponse eapResponse = (EapResponse) mEapAkaMethodStateMachine.process(eapMessage); + assertArrayEquals(EAP_AKA_AUTHENTICATION_REJECT, eapResponse.packet); verify(mMockEapAkaTypeDataDecoder).decode(eq(DUMMY_EAP_TYPE_DATA)); verify(mMockTelephonyManager) @@ -304,7 +305,7 @@ public class EapAkaChallengeStateTest extends EapAkaStateTest { .thenReturn(EAP_AKA_UICC_RESP_INVALID_TAG); EapError eapError = (EapError) mEapAkaMethodStateMachine.process(eapMessage); - assertTrue(eapError.cause instanceof EapSimAkaAuthenticationFailureException); + assertTrue(eapError.cause instanceof EapAkaInvalidAuthenticationResponse); verify(mMockEapAkaTypeDataDecoder).decode(eq(DUMMY_EAP_TYPE_DATA)); verify(mMockTelephonyManager) |
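Review bot: In the AUTN-reject test (hunk at -269,8) the only assertion on the result is `assertArrayEquals(EAP_AKA_AUTHENTICATION_REJECT, eapResponse.packet)`, so nothing pins how the state machine behaves after it has sent the reject. A rejected AUTN means the peer could not authenticate the network, so it is worth also asserting that the exchange can no longer complete successfully. One way, presumably, is to feed a following `EAP_CODE_SUCCESS` message and check that the result is not an `EapSuccess`; the state machine is not visible in this diff, so confirm the expected result type first. Separately, the bare cast `(EapResponse) mEapAkaMethodStateMachine.process(eapMessage)` reports a regression as a ClassCastException; an `assertTrue(result instanceof EapResponse)` before the cast would give a clearer failure. The test method begins and ends outside the hunk.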