tests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK
1# EAP authentication tests
2# Copyright (c) 2019, Jouni Malinen <j@w1.fi>
3#
4# This software may be distributed under the terms of the BSD license.
5# See README for more details.
6
7import hostapd
8
aeb7ab8e 9from utils import alloc_fail, fail_test, wait_fail_trigger, HwsimSkip
10from test_ap_eap import check_eap_capa, int_eap_server_params, eap_connect, \
11 eap_reauth
12
def int_teap_server_params(eap_teap_auth=None, eap_teap_pac_no_inner=None,
                           eap_teap_separate_result=None, eap_teap_id=None):
    """Return int_eap_server_params() extended with EAP-TEAP settings.

    Each optional eap_teap_* argument is copied into the returned dict under
    the same key, but only when it is truthy; callers in this file pass
    strings such as "1" or "5".
    """
    conf = int_eap_server_params()
    # Fixed, publicly visible test values. The PAC-Opaque encryption key is
    # key material on a real server and would need to be a per-deployment
    # secret there; here it only has to be stable across test cases.
    conf['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff00"
    conf['eap_fast_a_id'] = "101112131415161718191a1b1c1dff00"
    conf['eap_fast_a_id_info'] = "test server 0"
    optional_settings = (
        ('eap_teap_auth', eap_teap_auth),
        ('eap_teap_pac_no_inner', eap_teap_pac_no_inner),
        ('eap_teap_separate_result', eap_teap_separate_result),
        ('eap_teap_id', eap_teap_id),
    )
    for key, value in optional_settings:
        if value:
            conf[key] = value
    return conf
28
def test_eap_teap_eap_mschapv2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # The outer identity is the anonymous "TEAP"; the real user name is only
    # passed to the inner method. ca_cert is set, so the peer validates the
    # server certificate of the TLS tunnel.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # Run a second authentication on the established association.
    eap_reauth(sta, "TEAP")
40
def test_eap_teap_eap_pwd(dev, apdev):
    """EAP-TEAP with inner EAP-PWD"""
    sta = dev[0]
    for method in ("TEAP", "PWD"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Same tunnel setup as the MSCHAPv2 case; only the inner method and the
    # user entry ("user-pwd-2") differ.
    eap_connect(sta, ap, "TEAP", "user-pwd-2",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PWD",
                pac_file="blob://teap_pac")
51
def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    sta = dev[0]
    for method in ("TEAP", "EKE"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Inner EAP-EKE with the "user-eke-2" entry; server certificate
    # validation is enabled through ca_cert.
    eap_connect(sta, ap, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=EKE",
                pac_file="blob://teap_pac")
62
def test_eap_teap_basic_password_auth(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    # eap_teap_auth="1" is what the tests in this file use to make the server
    # run Basic-Password-Auth inside the tunnel; no phase2 method is given.
    ap_params = int_teap_server_params(eap_teap_auth="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
72
def test_eap_teap_basic_password_auth_failure(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth failure"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: a wrong password must make the authentication fail.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="incorrect",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac", expect_failure=True)
82
def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: the peer has no password to offer, so the exchange is
    # expected to fail rather than complete without credentials.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac", expect_failure=True)
92
def test_eap_teap_basic_password_auth_id0(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=0)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=0)
96
def test_eap_teap_basic_password_auth_id1(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=1)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=1)
100
def test_eap_teap_basic_password_auth_id2(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=2)"""
    # The helper offers user credentials only, and with eap_teap_id=2 that
    # must be rejected (presumably the server requires a machine identity
    # here; confirm against the hostapd configuration documentation).
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=2,
                                        failure=True)
104
def test_eap_teap_basic_password_auth_id3(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=3)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=3)
108
def test_eap_teap_basic_password_auth_id4(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=4)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id=4)
112
def run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id, failure=False):
    """Run Basic-Password-Auth with user credentials under one eap_teap_id.

    eap_teap_id is converted with str() before it is placed in the server
    parameters; failure is forwarded as expect_failure to eap_connect().
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1",
                                       eap_teap_id=str(eap_teap_id))
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Only a user identity/password is offered; no machine credential.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=failure)
123
def test_eap_teap_basic_password_auth_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using machine credential"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="2")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # The user identity is empty and no user password is given; only the
    # machine identity/password pair is available to the peer.
    eap_connect(sta, ap, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
134
def test_eap_teap_basic_password_auth_user_and_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Both a user and a machine credential are configured and both are
    # correct, so the authentication is expected to succeed.
    eap_connect(sta, ap, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
145
def test_eap_teap_basic_password_auth_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail user)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: a valid machine credential must not compensate for a
    # wrong user password.
    eap_connect(sta, ap, "TEAP", "user", password="wrong-password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)
157
def test_eap_teap_basic_password_auth_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail machine)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: a valid user credential must not compensate for a wrong
    # machine password.
    eap_connect(sta, ap, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="wrong-machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)
170
def test_eap_teap_basic_password_auth_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (no machine)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: the server is configured with eap_teap_id="5" but the
    # peer has no machine credential at all, so it must be rejected.
    eap_connect(sta, ap, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)
181
def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # phase1="teap_test_outer_tlvs=1" is a test knob on the peer side; going
    # by the test description it makes the peer include Outer TLVs.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", phase1="teap_test_outer_tlvs=1")
192
def test_eap_teap_eap_mschapv2_pac(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # PAC provisioning is requested with teap_provisioning=2 while ca_cert is
    # set, i.e. the PAC is obtained from a server whose certificate the peer
    # validated.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # The reauthentication has to resume the TLS session from the PAC.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
207
def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    # eap_teap_pac_no_inner="1": going by the test description, the server
    # skips the inner EAP method once a PAC is used. In that mode the PAC
    # alone stands in for the inner credential check.
    ap_params = int_teap_server_params(eap_teap_pac_no_inner="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # The reauthentication has to resume the TLS session from the PAC.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
222
def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    # Server-side switch exercised here: eap_teap_separate_result="1".
    ap_params = int_teap_server_params(eap_teap_separate_result="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
233
def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # No ca_cert is configured, so the peer cannot validate the server
    # certificate while asking for provisioning with teap_provisioning=2.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # Inverse of the other PAC tests: a session resumed from a PAC here would
    # mean a PAC was accepted from a server the peer never validated.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused == '1':
        raise Exception("Unexpected use of PAC session ticket")
248
def test_eap_teap_eap_mschapv2_id0(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=0)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=0)
252
def test_eap_teap_eap_mschapv2_id1(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=1)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=1)
256
def test_eap_teap_eap_mschapv2_id2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=2)"""
    # The helper offers user credentials only, and with eap_teap_id=2 that
    # must be rejected (presumably the server requires a machine identity
    # here; confirm against the hostapd configuration documentation).
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=2, failure=True)
260
def test_eap_teap_eap_mschapv2_id3(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=3)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=3)
264
def test_eap_teap_eap_mschapv2_id4(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=4)"""
    # User credentials only; success is expected for this identity policy.
    run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id=4)
268
def run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id, failure=False):
    """Run inner EAP-MSCHAPv2 with user credentials under one eap_teap_id.

    eap_teap_id is converted with str() before it is placed in the server
    parameters; failure is forwarded as expect_failure to eap_connect().
    """
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_id=str(eap_teap_id))
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Only a user identity/password is offered; no machine credential.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=failure)
279
def test_eap_teap_eap_mschapv2_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using machine credential"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_id="2")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # The user identity is empty and no user password is given; only the
    # machine identity/password pair is available to the peer.
    eap_connect(sta, ap, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
291
def test_eap_teap_eap_mschapv2_user_and_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Both a user and a machine credential are configured and both are
    # correct, so the authentication is expected to succeed.
    eap_connect(sta, ap, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
303
def test_eap_teap_eap_mschapv2_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail user)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: a valid machine credential must not compensate for a
    # wrong user password.
    eap_connect(sta, ap, "TEAP", "user", password="wrong-password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)
316
def test_eap_teap_eap_mschapv2_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail machine)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: a valid user credential must not compensate for a wrong
    # machine password.
    eap_connect(sta, ap, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="wrong-machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)
330
def test_eap_teap_eap_mschapv2_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (no machine)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_id="5")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Negative case: the server is configured with eap_teap_id="5" but the
    # peer has no machine credential at all, so it must be rejected.
    eap_connect(sta, ap, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)
342
def test_eap_teap_basic_password_auth_pac(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # NOTE(review): phase2="auth=MSCHAPV2" is passed although the server is
    # configured for Basic-Password-Auth and MSCHAPV2 capability is not
    # checked above; confirm whether the phase2 value matters here.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # The reauthentication has to resume the TLS session from the PAC.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
356
def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    ap_params = int_teap_server_params(eap_teap_auth="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Same flow as the text-format PAC test, but the PAC is kept in binary
    # format in its own blob and the PAC list length is capped at 2.
    peer_phase1 = "teap_provisioning=2 teap_max_pac_list_len=2 teap_pac_format=binary"
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1=peer_phase1,
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac_bin")
    # The reauthentication has to resume the TLS session from the PAC.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
370
def test_eap_teap_basic_password_auth_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC without inner auth"""
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    # Basic-Password-Auth server that, going by the test description, skips
    # inner authentication once a PAC is used; the PAC alone then stands in
    # for the password check.
    ap_params = int_teap_server_params(eap_teap_auth="1",
                                       eap_teap_pac_no_inner="1")
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # The reauthentication has to resume the TLS session from the PAC.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
385
def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning"""
    sta = dev[0]
    for method in ("TEAP", "EKE"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # teap_provisioning=1 with no ca_cert: the tunnel server is not
    # authenticated by certificate during provisioning, so the inner EAP-EKE
    # exchange is the only thing tying the PAC to a server that knows the
    # password.
    eap_connect(sta, ap, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=1",
                phase2="auth=EKE", pac_file="blob://teap_pac")
    # Unlike the no-ca_cert MSCHAPv2 case, PAC use is required here.
    reauth_status = eap_reauth(sta, "TEAP")
    session_reused = reauth_status['tls_session_reused']
    if session_reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
399
def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # fragment_size="100" is the only difference from the plain MSCHAPv2
    # test; it is what exercises the fragmentation path.
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", fragment_size="100")
410
def test_eap_teap_tls_cs_sha1(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-1"""
    # Interoperability coverage for a SHA-1 based suite, not a recommended
    # server configuration.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES128-SHA")
414
def test_eap_teap_tls_cs_sha256(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-256"""
    # The server is restricted to this single OpenSSL cipher string.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES128-SHA256")
418
def test_eap_teap_tls_cs_sha384(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-384"""
    # The server is restricted to this single OpenSSL cipher string.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES256-GCM-SHA384")
422
def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run Basic-Password-Auth with the server limited to one cipher string.

    Skips (HwsimSkip) unless the station reports a TLS library whose name
    starts with "OpenSSL"; cipher is stored as the server's openssl_ciphers
    parameter.
    """
    sta = dev[0]
    check_eap_capa(sta, "TEAP")
    tls_library = sta.request("GET tls_library")
    if not tls_library.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls_library)
    ap_params = int_teap_server_params(eap_teap_auth="1")
    # Only the server side is pinned; the peer's cipher list is left at its
    # default, so the negotiated suite is decided by this one entry.
    ap_params['openssl_ciphers'] = cipher
    ap = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(sta, ap, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
435
def wait_eap_proposed(dev, wait_trigger=None):
    """Wait for the EAP method proposal, then tear the connection down.

    Raises Exception if CTRL-EVENT-EAP-PROPOSED-METHOD is not seen within 10
    seconds. When wait_trigger is given, it is passed to wait_fail_trigger()
    before the network is removed.
    """
    proposed = dev.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
    if proposed is None:
        raise Exception("Timeout on EAP start")
    if wait_trigger:
        # Let the injected failure fire before the attempt is cancelled.
        wait_fail_trigger(dev, wait_trigger)
    # Cleanup so the next iteration starts from a disconnected state with an
    # empty event monitor.
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()
    dev.dump_monitor()
445
def test_eap_teap_errors(dev, apdev):
    """EAP-TEAP local errors"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    # Network settings shared by every connection attempt in this test.
    common = {
        "key_mgmt": "WPA-EAP",
        "scan_freq": "2412",
        "eap": "TEAP",
        "identity": "user",
        "password": "password",
        "anonymous_identity": "TEAP",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAPV2",
    }

    # Attempt without any pac_file configured.
    sta.connect("test-wpa2-eap", **common, wait_connect=False)
    wait_eap_proposed(sta)

    # Attempts with a malformed PAC blob, read first in the default format
    # and then as a binary-format PAC. None of the attempts is allowed to
    # complete; each is cancelled once the EAP method has been proposed.
    sta.set("blob", "teap_broken_pac 11")
    sta.connect("test-wpa2-eap", **common,
                pac_file="blob://teap_broken_pac", wait_connect=False)
    wait_eap_proposed(sta)
    sta.connect("test-wpa2-eap", **common,
                phase1="teap_pac_format=binary",
                pac_file="blob://teap_broken_pac", wait_connect=False)
    wait_eap_proposed(sta)

    # Memory allocation failure injected at the first matching call of each
    # listed function (or call chain).
    # NOTE(review): "eap_teap_session_id" is listed twice, so that case runs
    # twice; kept as in the original.
    alloc_fail_targets = (
        "eap_teap_tlv_eap_payload",
        "eap_teap_process_eap_payload_tlv",
        "eap_teap_compound_mac",
        "eap_teap_tlv_result",
        "eap_peer_select_phase2_methods",
        "eap_peer_tls_ssl_init",
        "eap_teap_session_id",
        "wpabuf_alloc;=eap_teap_process_crypto_binding",
        "eap_peer_tls_encrypt",
        "eap_peer_tls_decrypt",
        "eap_teap_getKey",
        "eap_teap_session_id",
        "eap_teap_init",
    )
    for func in alloc_fail_targets:
        with alloc_fail(sta, 1, func):
            sta.connect("test-wpa2-eap", **common,
                        pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(sta, wait_trigger="GET_ALLOC_FAIL")

    # Forced failure of key derivation and crypto-binding steps; the peer is
    # expected to hit each trigger and get through the cleanup in
    # wait_eap_proposed().
    fail_test_targets = (
        "eap_teap_derive_eap_msk",
        "eap_teap_derive_eap_emsk",
        "eap_teap_write_crypto_binding",
        "eap_teap_process_crypto_binding",
        "eap_teap_derive_msk;eap_teap_process_crypto_binding",
        "eap_teap_compound_mac;eap_teap_process_crypto_binding",
        "eap_teap_derive_imck",
    )
    for func in fail_test_targets:
        with fail_test(sta, 1, func):
            sta.connect("test-wpa2-eap", **common,
                        pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(sta, wait_trigger="GET_FAIL")
517
def test_eap_teap_errors2(dev, apdev):
    """EAP-TEAP local errors 2 (Basic-Password-Auth specific)"""
    sta = dev[0]
    for method in ("TEAP", "MSCHAPV2"):
        check_eap_capa(sta, method)
    ap_params = int_teap_server_params(eap_teap_auth="1")
    ap = hostapd.add_ap(apdev[0], ap_params)

    # Network settings used by every connection attempt in this test; PAC
    # provisioning is requested so that the PAC acknowledgement path is
    # reachable.
    network = {
        "key_mgmt": "WPA-EAP",
        "scan_freq": "2412",
        "eap": "TEAP",
        "identity": "user",
        "password": "password",
        "anonymous_identity": "TEAP",
        "phase1": "teap_provisioning=2",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAPV2",
        "pac_file": "blob://teap_pac",
        "wait_connect": False,
    }

    # Memory allocation failure at the first matching call of each function.
    for func in ("eap_teap_tlv_pac_ack", "eap_teap_process_basic_auth_req"):
        with alloc_fail(sta, 1, func):
            sta.connect("test-wpa2-eap", **network)
            wait_eap_proposed(sta, wait_trigger="GET_ALLOC_FAIL")

    # Forced failure of the CMK derivation used with Basic-Password-Auth.
    for func in ("eap_teap_derive_cmk_basic_pw_auth",):
        with fail_test(sta, 1, func):
            sta.connect("test-wpa2-eap", **network)
            wait_eap_proposed(sta, wait_trigger="GET_FAIL")
549
def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    sta = dev[0]
    for method in ("TEAP", "VENDOR-TEST"):
        check_eap_capa(sta, method)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # No password is passed; the inner method is the VENDOR-TEST method with
    # the "vendor-test-2" identity.
    eap_connect(sta, ap, "TEAP", "vendor-test-2",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST",
                pac_file="blob://teap_pac")