1 # hostapd authentication server tests
2 # Copyright (c) 2017, Jouni Malinen
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
8 from utils
import alloc_fail
, fail_test
, wait_fail_trigger
11 params
= {"ssid": "as", "beacon_int": "2000",
12 "radius_server_clients": "auth_serv/radius_clients.conf",
13 "radius_server_auth_port": '18128',
15 "eap_user_file": "auth_serv/eap_user.conf",
16 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
17 "ca_cert": "auth_serv/ca.pem",
18 "server_cert": "auth_serv/server.pem",
19 "private_key": "auth_serv/server.key",
20 "eap_message": "hello"}
23 def test_authsrv_oom(dev
, apdev
):
24 """Authentication server OOM"""
25 params
= authsrv_params()
26 authsrv
= hostapd
.add_ap(apdev
[1], params
)
28 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
29 params
['auth_server_port'] = "18128"
30 hapd
= hostapd
.add_ap(apdev
[0], params
)
32 dev
[0].scan_for_bss(hapd
.own_addr(), 2412)
33 with
alloc_fail(authsrv
, 1, "hostapd_radius_get_eap_user"):
34 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
35 eap
="TTLS", identity
="user",
36 anonymous_identity
="ttls", password
="password",
37 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
38 wait_connect
=False, scan_freq
="2412")
39 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
41 raise Exception("EAP failure not reported")
42 dev
[0].request("REMOVE_NETWORK all")
43 dev
[0].wait_disconnected()
46 with
alloc_fail(authsrv
, 1, "srv_log"):
47 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
48 eap
="TTLS", identity
="user",
49 anonymous_identity
="ttls", password
="password",
50 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
52 dev
[0].request("REMOVE_NETWORK all")
53 dev
[0].wait_disconnected()
56 with
alloc_fail(authsrv
, 1, "radius_server_new_session"):
57 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
58 eap
="TTLS", identity
="user",
59 anonymous_identity
="ttls", password
="password",
60 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
61 wait_connect
=False, scan_freq
="2412")
62 dev
[0].wait_disconnected()
63 dev
[0].request("REMOVE_NETWORK all")
66 for count
in range(1, 3):
67 with
alloc_fail(authsrv
, count
, "=radius_server_get_new_session"):
68 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
69 eap
="TTLS", identity
="user",
70 anonymous_identity
="ttls", password
="password",
71 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
72 wait_connect
=False, scan_freq
="2412")
73 dev
[0].wait_disconnected()
74 dev
[0].request("REMOVE_NETWORK all")
77 with
alloc_fail(authsrv
, 1, "eap_server_sm_init"):
78 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
79 eap
="TTLS", identity
="user",
80 anonymous_identity
="ttls", password
="password",
81 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
82 wait_connect
=False, scan_freq
="2412")
83 dev
[0].wait_disconnected()
84 dev
[0].request("REMOVE_NETWORK all")
87 tests
= ["radius_server_encapsulate_eap",
88 "radius_server_receive_auth"]
90 with
alloc_fail(authsrv
, 1, t
):
91 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
92 eap
="TTLS", identity
="user",
93 anonymous_identity
="ttls", password
="password",
94 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
95 wait_connect
=False, scan_freq
="2412")
96 wait_fail_trigger(authsrv
, "GET_ALLOC_FAIL")
97 dev
[0].request("REMOVE_NETWORK all")
98 dev
[0].wait_disconnected()
101 tests
= ["radius_msg_add_attr;radius_server_encapsulate_eap",
102 "radius_msg_add_eap;radius_server_encapsulate_eap",
103 "radius_msg_finish_srv;radius_server_encapsulate_eap"]
105 with
fail_test(authsrv
, 1, t
):
106 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
107 eap
="TTLS", identity
="user",
108 anonymous_identity
="ttls", password
="password",
109 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
110 wait_connect
=False, scan_freq
="2412")
111 wait_fail_trigger(authsrv
, "GET_FAIL")
112 dev
[0].request("REMOVE_NETWORK all")
113 dev
[0].wait_disconnected()
114 dev
[0].dump_monitor()
116 with
alloc_fail(authsrv
, 1, "radius_server_get_new_session"):
117 with
fail_test(authsrv
, 1, "radius_msg_add_eap;radius_server_reject"):
118 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
119 eap
="TTLS", identity
="user",
120 anonymous_identity
="ttls", password
="password",
121 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
122 wait_connect
=False, scan_freq
="2412")
123 wait_fail_trigger(authsrv
, "GET_FAIL")
124 dev
[0].request("REMOVE_NETWORK all")
125 dev
[0].wait_disconnected()
126 dev
[0].dump_monitor()
128 with
alloc_fail(authsrv
, 1, "radius_server_get_new_session"):
129 with
fail_test(authsrv
, 1,
130 "radius_msg_finish_srv;radius_server_reject"):
131 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
132 eap
="TTLS", identity
="user",
133 anonymous_identity
="ttls", password
="password",
134 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
135 wait_connect
=False, scan_freq
="2412")
136 wait_fail_trigger(authsrv
, "GET_FAIL")
137 dev
[0].request("REMOVE_NETWORK all")
138 dev
[0].wait_disconnected()
139 dev
[0].dump_monitor()
142 with
alloc_fail(authsrv
, 1, "radius_server_init;hostapd_setup_radius_srv"):
143 if "FAIL" not in authsrv
.request("ENABLE"):
144 raise Exception("ENABLE succeeded during OOM")
145 with
alloc_fail(authsrv
, 2, "radius_server_init;hostapd_setup_radius_srv"):
146 if "FAIL" not in authsrv
.request("ENABLE"):
147 raise Exception("ENABLE succeeded during OOM")
149 for count
in range(1, 4):
150 with
alloc_fail(authsrv
, count
,
151 "radius_server_read_clients;radius_server_init;hostapd_setup_radius_srv"):
152 if "FAIL" not in authsrv
.request("ENABLE"):
153 raise Exception("ENABLE succeeded during OOM")
155 with
alloc_fail(authsrv
, 1, "eloop_sock_table_add_sock;radius_server_init;hostapd_setup_radius_srv"):
156 if "FAIL" not in authsrv
.request("ENABLE"):
157 raise Exception("ENABLE succeeded during OOM")
159 with
alloc_fail(authsrv
, 1, "tls_init;authsrv_init"):
160 if "FAIL" not in authsrv
.request("ENABLE"):
161 raise Exception("ENABLE succeeded during OOM")
163 for count
in range(1, 3):
164 with
alloc_fail(authsrv
, count
, "eap_sim_db_init;authsrv_init"):
165 if "FAIL" not in authsrv
.request("ENABLE"):
166 raise Exception("ENABLE succeeded during OOM")
def test_authsrv_errors_1(dev, apdev):
    """Authentication server errors (1)"""
    # Start from the shared authentication-server parameters and point the
    # EAP user database at an SQLite path that does not exist.
    server_cfg = authsrv_params()
    server_cfg["eap_user_file"] = "sqlite:auth_serv/does-not-exist/does-not-exist"

    # add_ap() is called with no_enable=True and ENABLE is issued explicitly
    # afterwards, so the reply to ENABLE can be inspected.
    authsrv = hostapd.add_ap(apdev[1], server_cfg, no_enable=True)
    response = authsrv.request("ENABLE")

    # Fail-closed expectation: a server whose user database cannot be opened
    # must refuse to start instead of running without one.
    if "FAIL" in response:
        return
    raise Exception("ENABLE succeeded with invalid SQLite EAP user file")
def test_authsrv_errors_2(dev, apdev):
    """Authentication server errors (2)"""
    # Shared server parameters, with the RADIUS client list replaced by a
    # path that does not exist.
    server_cfg = authsrv_params()
    server_cfg["radius_server_clients"] = "auth_serv/does-not-exist"

    # The AP is added with no_enable=True; ENABLE is requested explicitly so
    # that its reply can be checked.
    authsrv = hostapd.add_ap(apdev[1], server_cfg, no_enable=True)
    reply = authsrv.request("ENABLE")

    # Fail-closed expectation: without a readable client list the RADIUS
    # server must not come up.
    enable_rejected = "FAIL" in reply
    if not enable_rejected:
        raise Exception("ENABLE succeeded with invalid RADIUS client file")
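def test_authsrv_errors_3(dev, apdev):
    """Authentication server errors (3)"""
    # Shared server parameters, with eap_sim_db given a db= path that does
    # not exist.
    params = authsrv_params()
    params["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock db=auth_serv/does-not-exist/does-not-exist"

    # The AP is added with no_enable=True; ENABLE is requested explicitly so
    # that its reply can be checked.
    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)

    # Fail-closed expectation: ENABLE must be rejected when the SIM database
    # cannot be opened.
    if "FAIL" not in authsrv.request("ENABLE"):
        # The original message named the RADIUS client file (copied from
        # test_authsrv_errors_2); the parameter under test is eap_sim_db.
        raise Exception("ENABLE succeeded with invalid eap_sim_db database path")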
192 def test_authsrv_testing_options(dev
, apdev
):
193 """Authentication server and testing options"""
194 params
= authsrv_params()
195 authsrv
= hostapd
.add_ap(apdev
[1], params
)
197 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
198 params
['auth_server_port'] = "18128"
199 hapd
= hostapd
.add_ap(apdev
[0], params
)
201 dev
[0].scan_for_bss(hapd
.own_addr(), 2412)
202 # The first two would be fine to run with any server build; the rest are
203 # actually supposed to fail, but they don't fail when using a server build
204 # that does not support the TLS protocol tests.
205 tests
= ["foo@test-unknown",
206 "foo@test-tls-unknown",
216 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
217 eap
="TTLS", identity
="user",
218 anonymous_identity
=t
,
220 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
222 dev
[0].request("REMOVE_NETWORK all")
223 dev
[0].wait_disconnected()
def test_authsrv_unknown_user(dev, apdev):
    """Authentication server and unknown user"""
    # Authentication server on apdev[1], using a different EAP user file
    # from the default in the shared parameters.
    # NOTE(review): per the test name, the identity used below is presumably
    # absent from this file - confirm against auth_serv/eap_user_vlan.conf.
    server_cfg = authsrv_params()
    server_cfg["eap_user_file"] = "auth_serv/eap_user_vlan.conf"
    authsrv = hostapd.add_ap(apdev[1], server_cfg)

    # WPA2-Enterprise AP on apdev[0]. Port 18128 matches the
    # radius_server_auth_port value in the shared server parameters.
    ap_cfg = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_cfg['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_cfg)

    # wait_connect=False is passed and the test then waits for a
    # disconnection: the expected outcome is that the station does not stay
    # connected.
    station = dev[0]
    connect_args = {
        "key_mgmt": "WPA-EAP",
        "eap": "TTLS",
        "identity": "user",
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "autheap=GTC",
        "wait_connect": False,
        "scan_freq": "2412",
    }
    station.connect("test-wpa2-eap", **connect_args)
    station.wait_disconnected()
    station.request("REMOVE_NETWORK all")
243 def test_authsrv_unknown_client(dev
, apdev
):
244 """Authentication server and unknown user"""
245 params
= authsrv_params()
246 params
["radius_server_clients"] = "auth_serv/radius_clients_none.conf"
247 authsrv
= hostapd
.add_ap(apdev
[1], params
)
249 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
250 params
['auth_server_port'] = "18128"
251 hapd
= hostapd
.add_ap(apdev
[0], params
)
253 # RADIUS SRV: Unknown client 127.0.0.1 - packet ignored
254 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
255 eap
="TTLS", identity
="user",
256 anonymous_identity
="ttls", password
="password",
257 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
258 wait_connect
=False, scan_freq
="2412")
259 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
261 raise Exception("EAP not started")
262 dev
[0].request("REMOVE_NETWORK all")