1# EAP Re-authentication Protocol (ERP) tests
2# Copyright (c) 2014, Jouni Malinen <j@w1.fi>
3#
4# This software may be distributed under the terms of the BSD license.
5# See README for more details.
6
7import logging
8logger = logging.getLogger()
9
10import hostapd
11from test_ap_eap import int_eap_server_params
12
def test_erp_initiate_reauth_start(dev, apdev):
    """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer

    The AP advertises ERP (Re-auth-Start plus an ERP domain) while the station
    is configured without erp=1, so the expected outcome is simply a normal,
    full EAP-PAX authentication. Only the resulting connection is checked;
    nothing here inspects which EAP path was actually taken.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['erp_send_reauth_start'] = '1'
    ap_params['erp_domain'] = 'example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Drop any rRK/rIK left behind by an earlier test so a stale ERP key
    # cannot influence this run.
    dev[0].request("ERP_FLUSH")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="PAX", identity="pax.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
25
def test_erp_enabled_on_server(dev, apdev):
    """ERP enabled on internal EAP server, but disabled on peer

    Same shape as the Re-auth-Start test, but the AP's built-in EAP server is
    used (int_eap_server_params) and has ERP turned on as well. The station
    still does not enable erp, so a full EAP-PAX exchange is expected and only
    the final connection is verified.
    """
    ap_params = int_eap_server_params()
    ap_params['erp_send_reauth_start'] = '1'
    ap_params['erp_domain'] = 'example.com'
    ap_params['eap_server_erp'] = '1'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # Start from an empty ERP key store on the station.
    dev[0].request("ERP_FLUSH")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="PAX", identity="pax.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   scan_freq="2412")
39
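def test_erp(dev, apdev):
    """ERP enabled on server and peer

    Performs one full EAP-PSK authentication against the AP's internal EAP
    server and then forces three disconnect/reconnect cycles, each of which
    must complete through ERP re-authentication rather than a fresh full EAP
    exchange.

    Returns "skip" when the station build does not report ERP capability.
    Raises Exception on any timeout or if a reconnection did not use ERP.
    """
    capab = dev[0].get_capability("erp")
    if not capab or 'ERP' not in capab:
        return "skip"
    params = int_eap_server_params()
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    params['eap_server_erp'] = '1'
    # With PMKSA caching left on, a reconnection could presumably be served
    # from the cache without any EAP exchange at all, which would make the
    # re-authentication checks below meaningless.
    params['disable_pmksa_caching'] = '1'
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Flush previously stored ERP keys so the reconnections can only succeed
    # with the rRK/rIK derived from the full EAP exchange done right here.
    dev[0].request("ERP_FLUSH")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   erp="1", scan_freq="2412")
    for _ in range(3):
        dev[0].request("DISCONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15)
        if ev is None:
            raise Exception("Disconnection timed out")
        dev[0].request("RECONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if ev is None:
            raise Exception("EAP success timed out")
        # The EAP-SUCCESS event text is what distinguishes an ERP
        # re-authentication from a silent fallback to full EAP.
        if "EAP re-authentication completed successfully" not in ev:
            raise Exception("Did not use ERP")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
        if ev is None:
            raise Exception("Reconnection timed out")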
71
def start_erp_as(apdev):
    """Bring up a hostapd instance acting as an ERP-capable RADIUS/EAP server.

    apdev: the hwsim AP device (dict with 'ifname') the server runs on.

    The instance listens for RADIUS authentication on port 18128 and serves
    users from auth_serv/eap_user.conf. All key material here (PAC encryption
    key, EAP-FAST A-ID, certificates) is fixed test-only fixture data and must
    never be reused outside this test setup. Returns nothing.
    """
    as_params = {}
    # Basic AP identity and RADIUS server front end.
    as_params["ssid"] = "as"
    as_params["beacon_int"] = "2000"
    as_params["radius_server_clients"] = "auth_serv/radius_clients.conf"
    as_params["radius_server_auth_port"] = '18128'
    # Integrated EAP server and its user database / credentials.
    as_params["eap_server"] = "1"
    as_params["eap_user_file"] = "auth_serv/eap_user.conf"
    as_params["ca_cert"] = "auth_serv/ca.pem"
    as_params["server_cert"] = "auth_serv/server.pem"
    as_params["private_key"] = "auth_serv/server.key"
    as_params["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock"
    as_params["dh_file"] = "auth_serv/dh.conf"
    as_params["pac_opaque_encr_key"] = "000102030405060708090a0b0c0d0e0f"
    as_params["eap_fast_a_id"] = "101112131415161718191a1b1c1d1e1f"
    as_params["eap_fast_a_id_info"] = "test server"
    # ERP on the server side, keyed to the example.com domain.
    as_params["eap_server_erp"] = "1"
    as_params["erp_domain"] = "example.com"
    hostapd.add_ap(apdev['ifname'], as_params)
89
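def test_erp_radius(dev, apdev):
    """ERP enabled on RADIUS server and peer

    Like test_erp, but the AP forwards EAP to a separate hostapd instance
    acting as the RADIUS/ERP server (start_erp_as on apdev[1], port 18128).
    After one full EAP-PSK authentication, three disconnect/reconnect cycles
    must each complete via ERP re-authentication.

    Returns "skip" when the station build does not report ERP capability.
    Raises Exception on any timeout or if a reconnection did not use ERP.
    """
    capab = dev[0].get_capability("erp")
    if not capab or 'ERP' not in capab:
        return "skip"
    start_erp_as(apdev[1])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Point the AP at the test AS started above rather than the default
    # RADIUS port from wpa2_eap_params.
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    # Keep PMKSA caching out of the picture so every reconnection actually
    # goes through EAP and the ERP check below is exercised.
    params['disable_pmksa_caching'] = '1'
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Clear stored ERP keys so only the rRK/rIK from this exchange can be used.
    dev[0].request("ERP_FLUSH")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="PSK", identity="psk.user@example.com",
                   password_hex="0123456789abcdef0123456789abcdef",
                   erp="1", scan_freq="2412")
    for _ in range(3):
        dev[0].request("DISCONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15)
        if ev is None:
            raise Exception("Disconnection timed out")
        dev[0].request("RECONNECT")
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
        if ev is None:
            raise Exception("EAP success timed out")
        # A plain EAP success without the re-authentication text means the
        # station fell back to a full EAP exchange, which this test forbids.
        if "EAP re-authentication completed successfully" not in ev:
            raise Exception("Did not use ERP")
        ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
        if ev is None:
            raise Exception("Reconnection timed out")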
122
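def erp_test(dev, hapd, **kwargs):
    """Run one full-EAP + ERP re-authentication round for a single EAP method.

    dev:    wpa_supplicant instance under test
    hapd:   hostapd AP the station associates with
    kwargs: network parameters forwarded to dev.connect() (eap=..., identity=...
            and the credentials that method needs)

    Raises Exception if any step times out, if the reconnection did not
    complete via ERP, or if hostapd never reported the station as connected.
    The final DISCONNECT is not waited for; the next call's dump_monitor()
    is expected to discard the pending event.
    """
    hapd.dump_monitor()
    dev.dump_monitor()
    # Start from an empty ERP key store so the re-authentication below can
    # only use the rRK/rIK derived from the full EAP exchange done here, not a
    # key cached from a previous method run in the same test.
    dev.request("ERP_FLUSH")
    # The network id returned by connect() is not needed here.
    dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
                scan_freq="2412", **kwargs)
    dev.request("DISCONNECT")
    ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15)
    if ev is None:
        raise Exception("Disconnection timed out")
    hapd.dump_monitor()
    dev.request("RECONNECT")
    ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("EAP success timed out")
    # Only the re-authentication wording proves ERP was used; a bare EAP
    # success would mean a silent fallback to a full exchange.
    if "EAP re-authentication completed successfully" not in ev:
        raise Exception("Did not use ERP")
    ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
    if ev is None:
        raise Exception("Reconnection timed out")
    # Confirm the AP side agrees the station is connected after ERP.
    ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
    if ev is None:
        raise Exception("No connection event received from hostapd")
    dev.request("DISCONNECT")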
147
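def test_erp_radius_eap_methods(dev, apdev):
    """ERP enabled on RADIUS server and peer with a range of EAP methods

    Runs erp_test() once per EAP method against an external ERP-capable
    RADIUS server (start_erp_as on apdev[1]). Each method must complete a
    full authentication and then an ERP re-authentication. Methods marked
    TODO below are not exercised yet (PEAP is noted as lacking EMSK export,
    which ERP key derivation depends on).

    Returns "skip" when the station build does not report ERP capability.
    Raises Exception on the first method that fails (see erp_test).
    """
    capab = dev[0].get_capability("erp")
    if not capab or 'ERP' not in capab:
        return "skip"
    start_erp_as(apdev[1])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    params['auth_server_port'] = "18128"
    params['erp_send_reauth_start'] = '1'
    params['erp_domain'] = 'example.com'
    # Force every reconnection through EAP so ERP is actually exercised.
    params['disable_pmksa_caching'] = '1'
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # One entry per EAP method, run in this order. All credentials are fixed
    # test-only values expected to match the AS's auth_serv/eap_user.conf.
    methods = [
        dict(eap="AKA", identity="0232010000000000@example.com",
             password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        dict(eap="AKA'", identity="6555444333222111@example.com",
             password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
        # TODO: EKE getSession
        dict(eap="FAST", identity="erp-fast@example.com",
             password="password", ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
             phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth_erp"),
        dict(eap="GPSK", identity="erp-gpsk@example.com",
             password="abcdefghijklmnop0123456789abcdef"),
        dict(eap="PAX", identity="erp-pax@example.com",
             password_hex="0123456789abcdef0123456789abcdef"),
        # TODO: PEAP (EMSK)
        dict(eap="PSK", identity="erp-psk@example.com",
             password_hex="0123456789abcdef0123456789abcdef"),
        dict(eap="PWD", identity="erp-pwd@example.com",
             password="secret password"),
        dict(eap="SAKE", identity="erp-sake@example.com",
             password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"),
        dict(eap="SIM", identity="1232010000000000@example.com",
             password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        dict(eap="TLS", identity="erp-tls@example.com",
             ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
             private_key="auth_serv/user.key"),
        dict(eap="TTLS", identity="erp-ttls@example.com",
             password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP"),
    ]
    for method_kwargs in methods:
        erp_test(dev[0], hapd, **method_kwargs)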