Commit | Line | Data |
---|---|---|
90270e15 JM |
1 | # EAP authentication tests |
2 | # Copyright (c) 2019, Jouni Malinen <j@w1.fi> | |
3 | # | |
4 | # This software may be distributed under the terms of the BSD license. | |
5 | # See README for more details. | |
6 | ||
7 | import hostapd | |
8 | ||
aeb7ab8e | 9 | from utils import alloc_fail, fail_test, wait_fail_trigger, HwsimSkip |
90270e15 JM |
10 | from test_ap_eap import check_eap_capa, int_eap_server_params, eap_connect, \ |
11 | eap_reauth | |
12 | ||
def int_teap_server_params(eap_teap_auth=None, eap_teap_pac_no_inner=None,
                           eap_teap_separate_result=None, eap_teap_id=None):
    """Build hostapd parameters for an integrated EAP server running EAP-TEAP.

    Starts from int_eap_server_params() and adds the PAC-Opaque encryption
    key and the A-ID values. Each optional argument is copied into the
    configuration under its own name only when it is truthy, so callers pass
    strings such as "1" or "0"; None or an empty string leaves the key unset.
    """
    params = int_eap_server_params()
    # Fixed values that are visible in this test file: suitable for the test
    # bed only, not something to copy into a deployed server configuration.
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff00"
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff00"
    params['eap_fast_a_id_info'] = "test server 0"
    optional = (
        ('eap_teap_auth', eap_teap_auth),
        ('eap_teap_pac_no_inner', eap_teap_pac_no_inner),
        ('eap_teap_separate_result', eap_teap_separate_result),
        ('eap_teap_id', eap_teap_id),
    )
    for key, value in optional:
        if value:
            params[key] = value
    return params
28 | ||
def test_eap_teap_eap_mschapv2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2"""
    sta = dev[0]
    # Check station support for the tunnel method and the inner method.
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ca_cert gives the peer a trust anchor for the server certificate;
    # the outer (anonymous) identity is "TEAP", the inner one is "user".
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
    eap_reauth(sta, "TEAP")
40 | ||
def test_eap_teap_eap_pwd(dev, apdev):
    """EAP-TEAP with inner EAP-PWD"""
    sta = dev[0]
    for method in ("TEAP", "PWD"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same tunnel setup as the other inner-EAP tests; only the identity and
    # the phase2 method differ.
    eap_connect(
        sta, hapd, "TEAP", "user-pwd-2",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=PWD",
        pac_file="blob://teap_pac",
    )
51 | ||
def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    sta = dev[0]
    for method in ("TEAP", "EKE"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Server certificate is validated against ca_cert before the inner
    # EAP-EKE exchange runs inside the tunnel.
    eap_connect(
        sta, hapd, "TEAP", "user-eke-2",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=EKE",
        pac_file="blob://teap_pac",
    )
62 | ||
def test_eap_teap_basic_password_auth(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    # eap_teap_auth="1" switches the server from inner EAP to
    # Basic-Password-Auth, so no phase2 method is configured on the peer.
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
    )
72 | ||
def test_eap_teap_basic_password_auth_failure(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth failure"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    # Negative case: the peer presents a wrong password and the
    # authentication is expected to fail.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="incorrect",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
82 | ||
def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    # Negative case: no password is configured on the peer at all, and the
    # authentication is expected to fail rather than succeed without one.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
92 | ||
10e10523 JM |
def test_eap_teap_basic_password_auth_id0(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=0)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=0)
96 | ||
def test_eap_teap_basic_password_auth_id1(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=1)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=1)
100 | ||
def test_eap_teap_basic_password_auth_id2(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=2)"""
    # The only identity policy in this series where a peer that offers just
    # user credentials is expected to be rejected.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=2,
                                        failure=True)
104 | ||
def test_eap_teap_basic_password_auth_id3(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=3)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=3)
108 | ||
def test_eap_teap_basic_password_auth_id4(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=4)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=4)
112 | ||
def run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id, failure=False):
    """Run Basic-Password-Auth with user credentials under one eap_teap_id.

    eap_teap_id is converted to a string for the server configuration and
    failure is passed to eap_connect() as expect_failure.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    # str(0) is "0", which is truthy, so id 0 is still written explicitly
    # by int_teap_server_params().
    server = int_teap_server_params(eap_teap_auth="1",
                                    eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
        expect_failure=failure,
    )
123 | ||
4619dc06 JM |
def test_eap_teap_basic_password_auth_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using machine credential"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server = int_teap_server_params(eap_teap_auth="1", eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], server)
    # The user identity is left empty; only the machine credential is
    # offered, and the connection is expected to succeed.
    eap_connect(
        sta, hapd, "TEAP", "",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="machine-password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
    )
134 | ||
818ee96d JM |
def test_eap_teap_basic_password_auth_user_and_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server)
    # Positive case: both the user and the machine credential are correct.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="password",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="machine-password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
    )
145 | ||
def test_eap_teap_basic_password_auth_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail user)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server)
    # Negative case: a valid machine credential must not compensate for a
    # wrong user password.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="wrong-password",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="machine-password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
157 | ||
def test_eap_teap_basic_password_auth_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail machine)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server)
    # Negative case: a valid user credential must not compensate for a
    # wrong machine password.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="password",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="wrong-machine-password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
170 | ||
def test_eap_teap_basic_password_auth_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (no machine)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    server = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], server)
    # Negative case: the peer has no machine credential configured, so a
    # correct user password alone is expected to be insufficient.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="password",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
181 | ||
90270e15 JM |
def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # phase1 "teap_test_outer_tlvs=1" is a test option on the peer; per the
    # docstring it makes the peer send Outer TLVs.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
        phase1="teap_test_outer_tlvs=1",
    )
192 | ||
def test_eap_teap_eap_mschapv2_pac(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PAC provisioning is enabled here together with ca_cert, i.e. the
    # server is validated while the PAC is being provisioned.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=2",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
    # Reauthentication has to resume the TLS session using the PAC.
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
207 | ||
def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    # eap_teap_pac_no_inner="1": per the docstring the server accepts a PAC
    # without running the inner EAP method again.
    server = int_teap_server_params(eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=2",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
222 | ||
54291394 JM |
def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    # Server-side option only; the peer configuration is the plain
    # EAP-MSCHAPv2-in-TEAP setup.
    server = int_teap_server_params(eap_teap_separate_result="1")
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
233 | ||
90270e15 JM |
def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No ca_cert is configured, so the peer has no trust anchor for the
    # server certificate in this run.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=2",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
    # Security-relevant negative check: a PAC session ticket must not be in
    # use after a provisioning attempt against an unvalidated server.
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused == '1':
        raise Exception("Unexpected use of PAC session ticket")
248 | ||
10e10523 JM |
def test_eap_teap_eap_mschapv2_id0(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=0)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=0)
252 | ||
def test_eap_teap_eap_mschapv2_id1(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=1)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=1)
256 | ||
def test_eap_teap_eap_mschapv2_id2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=2)"""
    # The only identity policy in this series where a peer that offers just
    # user credentials is expected to be rejected.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=2, failure=True)
260 | ||
def test_eap_teap_eap_mschapv2_id3(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=3)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=3)
264 | ||
def test_eap_teap_eap_mschapv2_id4(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=4)"""
    # User credentials are expected to be accepted with this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=4)
268 | ||
def run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id, failure=False):
    """Run inner EAP-MSCHAPv2 with user credentials under one eap_teap_id.

    eap_teap_id is converted to a string for the server configuration and
    failure is passed to eap_connect() as expect_failure.
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    # str(0) is "0", which is truthy, so id 0 is still written explicitly
    # by int_teap_server_params().
    server = int_teap_server_params(eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
        expect_failure=failure,
    )
279 | ||
4619dc06 JM |
def test_eap_teap_eap_mschapv2_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using machine credential"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_id="2"))
    # The user identity is left empty; only the machine credential is
    # offered, and the connection is expected to succeed.
    eap_connect(
        sta, hapd, "TEAP", "",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="machine-password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
291 | ||
818ee96d JM |
def test_eap_teap_eap_mschapv2_user_and_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_id="5"))
    # Positive case: both the user and the machine credential are correct.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="password",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="machine-password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
303 | ||
def test_eap_teap_eap_mschapv2_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail user)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_id="5"))
    # Negative case: a valid machine credential must not compensate for a
    # wrong user password.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="wrong-password",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="machine-password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
316 | ||
def test_eap_teap_eap_mschapv2_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail machine)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_id="5"))
    # Negative case: a valid user credential must not compensate for a
    # wrong machine password.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="password",
        anonymous_identity="TEAP",
        machine_identity="machine",
        machine_password="wrong-machine-password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
330 | ||
def test_eap_teap_eap_mschapv2_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (no machine)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_id="5"))
    # Negative case: the peer has no machine credential configured, so a
    # correct user password alone is expected to be insufficient.
    eap_connect(
        sta, hapd, "TEAP", "user",
        password="password",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
        expect_failure=True,
    )
342 | ||
90270e15 JM |
def test_eap_teap_basic_password_auth_pac(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    # PAC provisioning is enabled together with ca_cert. The peer still
    # carries a phase2 setting although the server is configured for
    # Basic-Password-Auth.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=2",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
    # Reauthentication has to resume the TLS session using the PAC.
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
356 | ||
aeb7ab8e JM |
def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))
    # Same flow as the text-format PAC test, but the PAC is stored in binary
    # format in its own blob and the PAC list length is capped at 2.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=2 teap_max_pac_list_len=2 teap_pac_format=binary",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac_bin",
    )
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
370 | ||
90270e15 JM |
def test_eap_teap_basic_password_auth_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC without inner auth"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    # eap_teap_pac_no_inner="1": per the docstring the server accepts a PAC
    # without repeating the inner authentication.
    server = int_teap_server_params(eap_teap_auth="1",
                                    eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=2",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
    )
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
385 | ||
def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning"""
    sta = dev[0]
    for method in ("TEAP", "EKE"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No ca_cert here: the PAC is provisioned from a server whose certificate
    # the peer does not validate. This covers the protocol mode in the test
    # bed; it is not a configuration to reuse where the server must be
    # authenticated.
    eap_connect(
        sta, hapd, "TEAP", "user-eke-2",
        anonymous_identity="TEAP",
        password="password",
        phase1="teap_provisioning=1",
        phase2="auth=EKE",
        pac_file="blob://teap_pac",
    )
    reused = eap_reauth(sta, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
aeb7ab8e JM |
399 | |
def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fragment_size="100" is small enough that the peer has to fragment its
    # EAP messages during the exchange.
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_pac",
        fragment_size="100",
    )
410 | ||
def test_eap_teap_tls_cs_sha1(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-1"""
    # Coverage for a legacy SHA-1 based suite, not a recommended setting.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES128-SHA")
414 | ||
def test_eap_teap_tls_cs_sha256(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-256"""
    # The server is restricted to this single suite by the helper.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES128-SHA256")
418 | ||
def test_eap_teap_tls_cs_sha384(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-384"""
    # The server is restricted to this single suite by the helper.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES256-GCM-SHA384")
422 | ||
def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run Basic-Password-Auth with the server limited to one TLS cipher.

    cipher is written to the server's openssl_ciphers parameter. Raises
    HwsimSkip when the station reports a TLS library other than OpenSSL.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    tls_library = sta.request("GET tls_library")
    if not tls_library.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls_library)
    server = int_teap_server_params(eap_teap_auth="1")
    # OpenSSL cipher-string syntax, which is why other TLS libraries are
    # skipped above.
    server['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(
        sta, hapd, "TEAP", "user",
        anonymous_identity="TEAP",
        password="password",
        ca_cert="auth_serv/ca.pem",
        pac_file="blob://teap_pac",
    )
435 | ||
def wait_eap_proposed(dev, wait_trigger=None):
    """Wait for the EAP method proposal, then tear the attempt down.

    Raises Exception if CTRL-EVENT-EAP-PROPOSED-METHOD is not seen within
    10 seconds. When wait_trigger is given, wait_fail_trigger() is called
    with it before the network is removed.
    """
    proposed = dev.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
    if proposed is None:
        raise Exception("Timeout on EAP start")
    if wait_trigger:
        wait_fail_trigger(dev, wait_trigger)
    # Leave the station disconnected with an empty event queue so the next
    # connection attempt starts clean.
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()
    dev.dump_monitor()
445 | ||
def test_eap_teap_errors(dev, apdev):
    """EAP-TEAP local errors"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # 1) No pac_file configured at all.
    sta.connect(
        "test-wpa2-eap",
        key_mgmt="WPA-EAP",
        scan_freq="2412",
        eap="TEAP",
        identity="user",
        password="password",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        wait_connect=False,
    )
    wait_eap_proposed(sta)

    # 2) Malformed PAC blob, read in the default PAC format and then in the
    # binary format. The peer has to cope with the bad input locally.
    sta.set("blob", "teap_broken_pac 11")
    sta.connect(
        "test-wpa2-eap",
        key_mgmt="WPA-EAP",
        scan_freq="2412",
        eap="TEAP",
        identity="user",
        password="password",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        pac_file="blob://teap_broken_pac",
        wait_connect=False,
    )
    wait_eap_proposed(sta)
    sta.connect(
        "test-wpa2-eap",
        key_mgmt="WPA-EAP",
        scan_freq="2412",
        eap="TEAP",
        identity="user",
        password="password",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=MSCHAPV2",
        phase1="teap_pac_format=binary",
        pac_file="blob://teap_broken_pac",
        wait_connect=False,
    )
    wait_eap_proposed(sta)

    # 3) Injected allocation failures, one (count, function) pair per run.
    # NOTE(review): "eap_teap_session_id" is listed twice with the same
    # count; kept as in the original, confirm whether that is intended.
    alloc_failures = [
        (1, "eap_teap_tlv_eap_payload"),
        (1, "eap_teap_process_eap_payload_tlv"),
        (1, "eap_teap_compound_mac"),
        (1, "eap_teap_tlv_result"),
        (1, "eap_peer_select_phase2_methods"),
        (1, "eap_peer_tls_ssl_init"),
        (1, "eap_teap_session_id"),
        (1, "wpabuf_alloc;=eap_teap_process_crypto_binding"),
        (1, "eap_peer_tls_encrypt"),
        (1, "eap_peer_tls_decrypt"),
        (1, "eap_teap_getKey"),
        (1, "eap_teap_session_id"),
        (1, "eap_teap_init"),
    ]
    for nth, target in alloc_failures:
        with alloc_fail(sta, nth, target):
            sta.connect(
                "test-wpa2-eap",
                key_mgmt="WPA-EAP",
                scan_freq="2412",
                eap="TEAP",
                identity="user",
                password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                wait_connect=False,
            )
            wait_eap_proposed(sta, wait_trigger="GET_ALLOC_FAIL")

    # 4) Injected function failures in the key-derivation and
    # crypto-binding paths.
    forced_failures = [
        (1, "eap_teap_derive_eap_msk"),
        (1, "eap_teap_derive_eap_emsk"),
        (1, "eap_teap_write_crypto_binding"),
        (1, "eap_teap_process_crypto_binding"),
        (1, "eap_teap_derive_msk;eap_teap_process_crypto_binding"),
        (1, "eap_teap_compound_mac;eap_teap_process_crypto_binding"),
        (1, "eap_teap_derive_imck"),
    ]
    for nth, target in forced_failures:
        with fail_test(sta, nth, target):
            sta.connect(
                "test-wpa2-eap",
                key_mgmt="WPA-EAP",
                scan_freq="2412",
                eap="TEAP",
                identity="user",
                password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                wait_connect=False,
            )
            wait_eap_proposed(sta, wait_trigger="GET_FAIL")
517 | ||
def test_eap_teap_errors2(dev, apdev):
    """EAP-TEAP local errors 2 (Basic-Password-Auth specific)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0], int_teap_server_params(eap_teap_auth="1"))

    # Injected allocation failures in the PAC acknowledgement and
    # Basic-Password-Auth request handling.
    alloc_failures = [
        (1, "eap_teap_tlv_pac_ack"),
        (1, "eap_teap_process_basic_auth_req"),
    ]
    for nth, target in alloc_failures:
        with alloc_fail(sta, nth, target):
            sta.connect(
                "test-wpa2-eap",
                key_mgmt="WPA-EAP",
                scan_freq="2412",
                eap="TEAP",
                identity="user",
                password="password",
                anonymous_identity="TEAP",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                wait_connect=False,
            )
            wait_eap_proposed(sta, wait_trigger="GET_ALLOC_FAIL")

    # Injected function failure in the CMK derivation used with
    # Basic-Password-Auth.
    forced_failures = [(1, "eap_teap_derive_cmk_basic_pw_auth")]
    for nth, target in forced_failures:
        with fail_test(sta, nth, target):
            sta.connect(
                "test-wpa2-eap",
                key_mgmt="WPA-EAP",
                scan_freq="2412",
                eap="TEAP",
                identity="user",
                password="password",
                anonymous_identity="TEAP",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                wait_connect=False,
            )
            wait_eap_proposed(sta, wait_trigger="GET_FAIL")
8315c1ef JM |
549 | |
def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    sta = dev[0]
    for method in ("TEAP", "VENDOR-TEST"):
        check_eap_capa(sta, method)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No password is configured for the vendor test method; the server
    # certificate is still validated against ca_cert.
    eap_connect(
        sta, hapd, "TEAP", "vendor-test-2",
        anonymous_identity="TEAP",
        ca_cert="auth_serv/ca.pem",
        phase2="auth=VENDOR-TEST",
        pac_file="blob://teap_pac",
    )