]>
Commit | Line | Data |
---|---|---|
acc9a635 JM |
1 | # EAP Re-authentication Protocol (ERP) tests |
2 | # Copyright (c) 2014, Jouni Malinen <j@w1.fi> | |
3 | # | |
4 | # This software may be distributed under the terms of the BSD license. | |
5 | # See README for more details. | |
6 | ||
7 | import logging | |
8 | logger = logging.getLogger() | |
9 | ||
10 | import hostapd | |
11 | from test_ap_eap import int_eap_server_params | |
12 | ||
13 | def test_erp_initiate_reauth_start(dev, apdev): | |
14 | """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer""" | |
15 | params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") | |
16 | params['erp_send_reauth_start'] = '1' | |
17 | params['erp_domain'] = 'example.com' | |
18 | hapd = hostapd.add_ap(apdev[0]['ifname'], params) | |
19 | ||
20 | dev[0].request("ERP_FLUSH") | |
21 | dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", | |
22 | eap="PAX", identity="pax.user@example.com", | |
23 | password_hex="0123456789abcdef0123456789abcdef", | |
24 | scan_freq="2412") | |
25 | ||
26 | def test_erp_enabled_on_server(dev, apdev): | |
27 | """ERP enabled on internal EAP server, but disabled on peer""" | |
28 | params = int_eap_server_params() | |
29 | params['erp_send_reauth_start'] = '1' | |
30 | params['erp_domain'] = 'example.com' | |
31 | params['eap_server_erp'] = '1' | |
32 | hapd = hostapd.add_ap(apdev[0]['ifname'], params) | |
33 | ||
34 | dev[0].request("ERP_FLUSH") | |
35 | dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", | |
36 | eap="PAX", identity="pax.user@example.com", | |
37 | password_hex="0123456789abcdef0123456789abcdef", | |
38 | scan_freq="2412") | |
39 | ||
40 | def test_erp(dev, apdev): | |
41 | """ERP enabled on server and peer""" | |
42 | capab = dev[0].get_capability("erp") | |
43 | if not capab or 'ERP' not in capab: | |
44 | return "skip" | |
45 | params = int_eap_server_params() | |
46 | params['erp_send_reauth_start'] = '1' | |
47 | params['erp_domain'] = 'example.com' | |
48 | params['eap_server_erp'] = '1' | |
49 | params['disable_pmksa_caching'] = '1' | |
50 | hapd = hostapd.add_ap(apdev[0]['ifname'], params) | |
51 | ||
52 | dev[0].request("ERP_FLUSH") | |
53 | dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", | |
54 | eap="PSK", identity="psk.user@example.com", | |
55 | password_hex="0123456789abcdef0123456789abcdef", | |
56 | erp="1", scan_freq="2412") | |
57 | for i in range(3): | |
58 | dev[0].request("DISCONNECT") | |
5f35a5e2 | 59 | dev[0].wait_disconnected(timeout=15) |
acc9a635 JM |
60 | dev[0].request("RECONNECT") |
61 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) | |
62 | if ev is None: | |
63 | raise Exception("EAP success timed out") | |
64 | if "EAP re-authentication completed successfully" not in ev: | |
65 | raise Exception("Did not use ERP") | |
5f35a5e2 | 66 | dev[0].wait_connected(timeout=15, error="Reconnection timed out") |
acc9a635 | 67 | |
0e40d7da JM |
68 | def test_erp_server_no_match(dev, apdev): |
69 | """ERP enabled on server and peer, but server has no key match""" | |
70 | capab = dev[0].get_capability("erp") | |
71 | if not capab or 'ERP' not in capab: | |
72 | return "skip" | |
73 | params = int_eap_server_params() | |
74 | params['erp_send_reauth_start'] = '1' | |
75 | params['erp_domain'] = 'example.com' | |
76 | params['eap_server_erp'] = '1' | |
77 | params['disable_pmksa_caching'] = '1' | |
78 | hapd = hostapd.add_ap(apdev[0]['ifname'], params) | |
79 | ||
80 | dev[0].request("ERP_FLUSH") | |
81 | id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", | |
82 | eap="PSK", identity="psk.user@example.com", | |
83 | password_hex="0123456789abcdef0123456789abcdef", | |
84 | erp="1", scan_freq="2412") | |
85 | dev[0].request("DISCONNECT") | |
5f35a5e2 | 86 | dev[0].wait_disconnected(timeout=15) |
0e40d7da JM |
87 | hapd.request("ERP_FLUSH") |
88 | dev[0].request("RECONNECT") | |
89 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS", | |
90 | "CTRL-EVENT-EAP-FAILURE"], timeout=15) | |
91 | if ev is None: | |
92 | raise Exception("EAP result timed out") | |
93 | if "CTRL-EVENT-EAP-SUCCESS" in ev: | |
94 | raise Exception("Unexpected EAP success") | |
95 | dev[0].request("DISCONNECT") | |
96 | dev[0].select_network(id) | |
97 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) | |
98 | if ev is None: | |
99 | raise Exception("EAP success timed out") | |
100 | if "EAP re-authentication completed successfully" in ev: | |
101 | raise Exception("Unexpected use of ERP") | |
5f35a5e2 | 102 | dev[0].wait_connected(timeout=15, error="Reconnection timed out") |
0e40d7da | 103 | |
acc9a635 JM |
104 | def start_erp_as(apdev): |
105 | params = { "ssid": "as", "beacon_int": "2000", | |
106 | "radius_server_clients": "auth_serv/radius_clients.conf", | |
107 | "radius_server_auth_port": '18128', | |
108 | "eap_server": "1", | |
109 | "eap_user_file": "auth_serv/eap_user.conf", | |
110 | "ca_cert": "auth_serv/ca.pem", | |
111 | "server_cert": "auth_serv/server.pem", | |
112 | "private_key": "auth_serv/server.key", | |
113 | "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock", | |
114 | "dh_file": "auth_serv/dh.conf", | |
115 | "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f", | |
116 | "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f", | |
117 | "eap_fast_a_id_info": "test server", | |
118 | "eap_server_erp": "1", | |
119 | "erp_domain": "example.com" } | |
120 | hostapd.add_ap(apdev['ifname'], params) | |
121 | ||
122 | def test_erp_radius(dev, apdev): | |
123 | """ERP enabled on RADIUS server and peer""" | |
124 | capab = dev[0].get_capability("erp") | |
125 | if not capab or 'ERP' not in capab: | |
126 | return "skip" | |
127 | start_erp_as(apdev[1]) | |
128 | params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") | |
129 | params['auth_server_port'] = "18128" | |
130 | params['erp_send_reauth_start'] = '1' | |
131 | params['erp_domain'] = 'example.com' | |
132 | params['disable_pmksa_caching'] = '1' | |
133 | hapd = hostapd.add_ap(apdev[0]['ifname'], params) | |
134 | ||
135 | dev[0].request("ERP_FLUSH") | |
136 | dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", | |
137 | eap="PSK", identity="psk.user@example.com", | |
138 | password_hex="0123456789abcdef0123456789abcdef", | |
139 | erp="1", scan_freq="2412") | |
140 | for i in range(3): | |
141 | dev[0].request("DISCONNECT") | |
5f35a5e2 | 142 | dev[0].wait_disconnected(timeout=15) |
acc9a635 JM |
143 | dev[0].request("RECONNECT") |
144 | ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) | |
145 | if ev is None: | |
146 | raise Exception("EAP success timed out") | |
147 | if "EAP re-authentication completed successfully" not in ev: | |
148 | raise Exception("Did not use ERP") | |
5f35a5e2 | 149 | dev[0].wait_connected(timeout=15, error="Reconnection timed out") |
acc9a635 JM |
150 | |
151 | def erp_test(dev, hapd, **kwargs): | |
152 | hapd.dump_monitor() | |
153 | dev.dump_monitor() | |
154 | dev.request("ERP_FLUSH") | |
155 | id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1", | |
156 | scan_freq="2412", **kwargs) | |
157 | dev.request("DISCONNECT") | |
5f35a5e2 | 158 | dev.wait_disconnected(timeout=15) |
acc9a635 JM |
159 | hapd.dump_monitor() |
160 | dev.request("RECONNECT") | |
161 | ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) | |
162 | if ev is None: | |
163 | raise Exception("EAP success timed out") | |
164 | if "EAP re-authentication completed successfully" not in ev: | |
165 | raise Exception("Did not use ERP") | |
5f35a5e2 | 166 | dev.wait_connected(timeout=15, error="Reconnection timed out") |
acc9a635 JM |
167 | ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5) |
168 | if ev is None: | |
169 | raise Exception("No connection event received from hostapd") | |
170 | dev.request("DISCONNECT") | |
171 | ||
172 | def test_erp_radius_eap_methods(dev, apdev): | |
173 | """ERP enabled on RADIUS server and peer""" | |
174 | capab = dev[0].get_capability("erp") | |
175 | if not capab or 'ERP' not in capab: | |
176 | return "skip" | |
177 | start_erp_as(apdev[1]) | |
178 | params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") | |
179 | params['auth_server_port'] = "18128" | |
180 | params['erp_send_reauth_start'] = '1' | |
181 | params['erp_domain'] = 'example.com' | |
182 | params['disable_pmksa_caching'] = '1' | |
183 | hapd = hostapd.add_ap(apdev[0]['ifname'], params) | |
184 | ||
185 | erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com", | |
186 | password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123") | |
187 | erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com", | |
188 | password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123") | |
189 | # TODO: EKE getSession | |
190 | #erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com", | |
191 | # password="hello") | |
192 | erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com", | |
193 | password="password", ca_cert="auth_serv/ca.pem", phase2="auth=GTC", | |
194 | phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth_erp") | |
195 | erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com", | |
196 | password="abcdefghijklmnop0123456789abcdef") | |
197 | erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com", | |
198 | password_hex="0123456789abcdef0123456789abcdef") | |
199 | # TODO: PEAP (EMSK) | |
200 | #erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com", | |
201 | # password="password", ca_cert="auth_serv/ca.pem", | |
202 | # phase2="auth=MSCHAPV2") | |
203 | erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com", | |
204 | password_hex="0123456789abcdef0123456789abcdef") | |
205 | erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com", | |
206 | password="secret password") | |
207 | erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com", | |
208 | password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef") | |
209 | erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com", | |
210 | password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581") | |
211 | erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com", | |
212 | ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem", | |
213 | private_key="auth_serv/user.key") | |
214 | erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com", | |
215 | password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP") |