]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_erp.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: Add wait_connected() and wait_disconnected() helpers
[thirdparty/hostap.git] / tests / hwsim / test_erp.py
1 # EAP Re-authentication Protocol (ERP) tests
2 # Copyright (c) 2014, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import logging
8 logger = logging.getLogger()
9
10 import hostapd
11 from test_ap_eap import int_eap_server_params
12
13 def test_erp_initiate_reauth_start(dev, apdev):
14 """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
15 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
16 params['erp_send_reauth_start'] = '1'
17 params['erp_domain'] = 'example.com'
18 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
19
20 dev[0].request("ERP_FLUSH")
21 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
22 eap="PAX", identity="pax.user@example.com",
23 password_hex="0123456789abcdef0123456789abcdef",
24 scan_freq="2412")
25
26 def test_erp_enabled_on_server(dev, apdev):
27 """ERP enabled on internal EAP server, but disabled on peer"""
28 params = int_eap_server_params()
29 params['erp_send_reauth_start'] = '1'
30 params['erp_domain'] = 'example.com'
31 params['eap_server_erp'] = '1'
32 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
33
34 dev[0].request("ERP_FLUSH")
35 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
36 eap="PAX", identity="pax.user@example.com",
37 password_hex="0123456789abcdef0123456789abcdef",
38 scan_freq="2412")
39
40 def test_erp(dev, apdev):
41 """ERP enabled on server and peer"""
42 capab = dev[0].get_capability("erp")
43 if not capab or 'ERP' not in capab:
44 return "skip"
45 params = int_eap_server_params()
46 params['erp_send_reauth_start'] = '1'
47 params['erp_domain'] = 'example.com'
48 params['eap_server_erp'] = '1'
49 params['disable_pmksa_caching'] = '1'
50 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
51
52 dev[0].request("ERP_FLUSH")
53 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
54 eap="PSK", identity="psk.user@example.com",
55 password_hex="0123456789abcdef0123456789abcdef",
56 erp="1", scan_freq="2412")
57 for i in range(3):
58 dev[0].request("DISCONNECT")
59 dev[0].wait_disconnected(timeout=15)
60 dev[0].request("RECONNECT")
61 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
62 if ev is None:
63 raise Exception("EAP success timed out")
64 if "EAP re-authentication completed successfully" not in ev:
65 raise Exception("Did not use ERP")
66 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
67
68 def test_erp_server_no_match(dev, apdev):
69 """ERP enabled on server and peer, but server has no key match"""
70 capab = dev[0].get_capability("erp")
71 if not capab or 'ERP' not in capab:
72 return "skip"
73 params = int_eap_server_params()
74 params['erp_send_reauth_start'] = '1'
75 params['erp_domain'] = 'example.com'
76 params['eap_server_erp'] = '1'
77 params['disable_pmksa_caching'] = '1'
78 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
79
80 dev[0].request("ERP_FLUSH")
81 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
82 eap="PSK", identity="psk.user@example.com",
83 password_hex="0123456789abcdef0123456789abcdef",
84 erp="1", scan_freq="2412")
85 dev[0].request("DISCONNECT")
86 dev[0].wait_disconnected(timeout=15)
87 hapd.request("ERP_FLUSH")
88 dev[0].request("RECONNECT")
89 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
90 "CTRL-EVENT-EAP-FAILURE"], timeout=15)
91 if ev is None:
92 raise Exception("EAP result timed out")
93 if "CTRL-EVENT-EAP-SUCCESS" in ev:
94 raise Exception("Unexpected EAP success")
95 dev[0].request("DISCONNECT")
96 dev[0].select_network(id)
97 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
98 if ev is None:
99 raise Exception("EAP success timed out")
100 if "EAP re-authentication completed successfully" in ev:
101 raise Exception("Unexpected use of ERP")
102 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
103
104 def start_erp_as(apdev):
105 params = { "ssid": "as", "beacon_int": "2000",
106 "radius_server_clients": "auth_serv/radius_clients.conf",
107 "radius_server_auth_port": '18128',
108 "eap_server": "1",
109 "eap_user_file": "auth_serv/eap_user.conf",
110 "ca_cert": "auth_serv/ca.pem",
111 "server_cert": "auth_serv/server.pem",
112 "private_key": "auth_serv/server.key",
113 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
114 "dh_file": "auth_serv/dh.conf",
115 "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
116 "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
117 "eap_fast_a_id_info": "test server",
118 "eap_server_erp": "1",
119 "erp_domain": "example.com" }
120 hostapd.add_ap(apdev['ifname'], params)
121
122 def test_erp_radius(dev, apdev):
123 """ERP enabled on RADIUS server and peer"""
124 capab = dev[0].get_capability("erp")
125 if not capab or 'ERP' not in capab:
126 return "skip"
127 start_erp_as(apdev[1])
128 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
129 params['auth_server_port'] = "18128"
130 params['erp_send_reauth_start'] = '1'
131 params['erp_domain'] = 'example.com'
132 params['disable_pmksa_caching'] = '1'
133 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
134
135 dev[0].request("ERP_FLUSH")
136 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
137 eap="PSK", identity="psk.user@example.com",
138 password_hex="0123456789abcdef0123456789abcdef",
139 erp="1", scan_freq="2412")
140 for i in range(3):
141 dev[0].request("DISCONNECT")
142 dev[0].wait_disconnected(timeout=15)
143 dev[0].request("RECONNECT")
144 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
145 if ev is None:
146 raise Exception("EAP success timed out")
147 if "EAP re-authentication completed successfully" not in ev:
148 raise Exception("Did not use ERP")
149 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
150
151 def erp_test(dev, hapd, **kwargs):
152 hapd.dump_monitor()
153 dev.dump_monitor()
154 dev.request("ERP_FLUSH")
155 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
156 scan_freq="2412", **kwargs)
157 dev.request("DISCONNECT")
158 dev.wait_disconnected(timeout=15)
159 hapd.dump_monitor()
160 dev.request("RECONNECT")
161 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
162 if ev is None:
163 raise Exception("EAP success timed out")
164 if "EAP re-authentication completed successfully" not in ev:
165 raise Exception("Did not use ERP")
166 dev.wait_connected(timeout=15, error="Reconnection timed out")
167 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
168 if ev is None:
169 raise Exception("No connection event received from hostapd")
170 dev.request("DISCONNECT")
171
172 def test_erp_radius_eap_methods(dev, apdev):
173 """ERP enabled on RADIUS server and peer"""
174 capab = dev[0].get_capability("erp")
175 if not capab or 'ERP' not in capab:
176 return "skip"
177 start_erp_as(apdev[1])
178 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
179 params['auth_server_port'] = "18128"
180 params['erp_send_reauth_start'] = '1'
181 params['erp_domain'] = 'example.com'
182 params['disable_pmksa_caching'] = '1'
183 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
184
185 erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
186 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
187 erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com",
188 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
189 # TODO: EKE getSession
190 #erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
191 # password="hello")
192 erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
193 password="password", ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
194 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth_erp")
195 erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com",
196 password="abcdefghijklmnop0123456789abcdef")
197 erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
198 password_hex="0123456789abcdef0123456789abcdef")
199 # TODO: PEAP (EMSK)
200 #erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
201 # password="password", ca_cert="auth_serv/ca.pem",
202 # phase2="auth=MSCHAPV2")
203 erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
204 password_hex="0123456789abcdef0123456789abcdef")
205 erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com",
206 password="secret password")
207 erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com",
208 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
209 erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com",
210 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
211 erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
212 ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
213 private_key="auth_serv/user.key")
214 erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com",
215 password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
Unnamed repository; edit this file 'description' to name the repository.