tests: hostapd authentication server test cases

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/tests/hwsim/auth_serv/radius_clients_none.conf b/tests/hwsim/auth_serv/radius_clients_none.conf
new file mode 100644 (file)
index 0000000..f671e59
--- /dev/null
+++ b/tests/hwsim/auth_serv/radius_clients_none.conf
@@ -0,0 +1,4 @@
+1.2.3.4        foo
+#
+
+2.3.4.5/32     bar

diff --git a/tests/hwsim/test_authsrv.py b/tests/hwsim/test_authsrv.py
new file mode 100644 (file)
index 0000000..84ad4aa
--- /dev/null
+++ b/tests/hwsim/test_authsrv.py
@@ -0,0 +1,264 @@
+# hostapd authentication server tests
+# Copyright (c) 2017, Jouni Malinen
+#
+# This software may be distributed under the terms of the BSD license.
+# See README for more details.
+
+import hostapd
+from utils import alloc_fail, fail_test, wait_fail_trigger
+
+def authsrv_params():
+    params = { "ssid": "as", "beacon_int": "2000",
+               "radius_server_clients": "auth_serv/radius_clients.conf",
+               "radius_server_auth_port": '18128',
+               "eap_server": "1",
+               "eap_user_file": "auth_serv/eap_user.conf",
+               "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
+               "ca_cert": "auth_serv/ca.pem",
+               "server_cert": "auth_serv/server.pem",
+               "private_key": "auth_serv/server.key",
+               "eap_message": "hello" }
+    return params;
+
+def test_authsrv_oom(dev, apdev):
+    """Authentication server OOM"""
+    params = authsrv_params()
+    authsrv = hostapd.add_ap(apdev[1], params)
+
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    params['auth_server_port'] = "18128"
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    dev[0].scan_for_bss(hapd.own_addr(), 2412)
+    with alloc_fail(authsrv, 1, "hostapd_radius_get_eap_user"):
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                       eap="TTLS", identity="user",
+                       anonymous_identity="ttls", password="password",
+                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                       wait_connect=False, scan_freq="2412")
+        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
+        if ev is None:
+            raise Exception("EAP failure not reported")
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].wait_disconnected()
+    dev[0].dump_monitor()
+
+    with alloc_fail(authsrv, 1, "srv_log"):
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                       eap="TTLS", identity="user",
+                       anonymous_identity="ttls", password="password",
+                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                       scan_freq="2412")
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].wait_disconnected()
+    dev[0].dump_monitor()
+
+    with alloc_fail(authsrv, 1, "radius_server_new_session"):
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                       eap="TTLS", identity="user",
+                       anonymous_identity="ttls", password="password",
+                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                       wait_connect=False, scan_freq="2412")
+        dev[0].wait_disconnected()
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].dump_monitor()
+
+    for count in range(1, 3):
+        with alloc_fail(authsrv, count, "=radius_server_get_new_session"):
+            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                           eap="TTLS", identity="user",
+                           anonymous_identity="ttls", password="password",
+                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                           wait_connect=False, scan_freq="2412")
+            dev[0].wait_disconnected()
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].dump_monitor()
+
+    with alloc_fail(authsrv, 1, "eap_server_sm_init"):
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                       eap="TTLS", identity="user",
+                       anonymous_identity="ttls", password="password",
+                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                       wait_connect=False, scan_freq="2412")
+        dev[0].wait_disconnected()
+    dev[0].request("REMOVE_NETWORK all")
+    dev[0].dump_monitor()
+
+    tests = [ "radius_server_encapsulate_eap",
+              "radius_server_receive_auth" ]
+    for t in tests:
+        with alloc_fail(authsrv, 1, t):
+            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                           eap="TTLS", identity="user",
+                           anonymous_identity="ttls", password="password",
+                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                           wait_connect=False, scan_freq="2412")
+            wait_fail_trigger(authsrv, "GET_ALLOC_FAIL")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+        dev[0].dump_monitor()
+
+    tests = [ "radius_msg_add_attr;radius_server_encapsulate_eap",
+              "radius_msg_add_eap;radius_server_encapsulate_eap",
+              "radius_msg_finish_srv;radius_server_encapsulate_eap" ]
+    for t in tests:
+        with fail_test(authsrv, 1, t):
+            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                           eap="TTLS", identity="user",
+                           anonymous_identity="ttls", password="password",
+                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                           wait_connect=False, scan_freq="2412")
+            wait_fail_trigger(authsrv, "GET_FAIL")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+        dev[0].dump_monitor()
+
+    with alloc_fail(authsrv, 1, "radius_server_get_new_session"):
+        with fail_test(authsrv, 1, "radius_msg_add_eap;radius_server_reject"):
+            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                           eap="TTLS", identity="user",
+                           anonymous_identity="ttls", password="password",
+                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                           wait_connect=False, scan_freq="2412")
+            wait_fail_trigger(authsrv, "GET_FAIL")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+        dev[0].dump_monitor()
+
+    with alloc_fail(authsrv, 1, "radius_server_get_new_session"):
+        with fail_test(authsrv, 1,
+                       "radius_msg_finish_srv;radius_server_reject"):
+            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                           eap="TTLS", identity="user",
+                           anonymous_identity="ttls", password="password",
+                           ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                           wait_connect=False, scan_freq="2412")
+            wait_fail_trigger(authsrv, "GET_FAIL")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+        dev[0].dump_monitor()
+
+    authsrv.disable()
+    with alloc_fail(authsrv, 1, "radius_server_init;hostapd_setup_radius_srv"):
+        if "FAIL" not in authsrv.request("ENABLE"):
+            raise Exception("ENABLE succeeded during OOM")
+    with alloc_fail(authsrv, 2, "radius_server_init;hostapd_setup_radius_srv"):
+        authsrv.request("ENABLE")
+        # This is actually allowed to continue even though memory allocation
+        # fails.
+    authsrv.disable()
+
+    for count in range(1, 4):
+        with alloc_fail(authsrv, count,
+                        "radius_server_read_clients;radius_server_init;hostapd_setup_radius_srv"):
+            if "FAIL" not in authsrv.request("ENABLE"):
+                raise Exception("ENABLE succeeded during OOM")
+
+    with alloc_fail(authsrv, 1, "eloop_sock_table_add_sock;radius_server_init;hostapd_setup_radius_srv"):
+        if "FAIL" not in authsrv.request("ENABLE"):
+            raise Exception("ENABLE succeeded during OOM")
+
+    with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
+        if "FAIL" not in authsrv.request("ENABLE"):
+            raise Exception("ENABLE succeeded during OOM")
+
+    for count in range(1, 3):
+        with alloc_fail(authsrv, count, "eap_sim_db_init;authsrv_init"):
+            if "FAIL" not in authsrv.request("ENABLE"):
+                raise Exception("ENABLE succeeded during OOM")
+
+def test_authsrv_errors_1(dev, apdev):
+    """Authentication server errors (1)"""
+    params = authsrv_params()
+    params["eap_user_file"] = "sqlite:auth_serv/does-not-exist"
+    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
+    if "FAIL" not in authsrv.request("ENABLE"):
+        raise Exception("ENABLE succeeded with invalid SQLite EAP user file")
+
+def test_authsrv_errors_2(dev, apdev):
+    """Authentication server errors (2)"""
+    params = authsrv_params()
+    params["radius_server_clients"] = "auth_serv/does-not-exist"
+    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
+    if "FAIL" not in authsrv.request("ENABLE"):
+        raise Exception("ENABLE succeeded with invalid RADIUS client file")
+
+def test_authsrv_errors_3(dev, apdev):
+    """Authentication server errors (3)"""
+    params = authsrv_params()
+    params["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock db=auth_serv/does-not-exist"
+    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
+    if "FAIL" not in authsrv.request("ENABLE"):
+        raise Exception("ENABLE succeeded with invalid RADIUS client file")
+
+def test_authsrv_testing_options(dev, apdev):
+    """Authentication server and testing options"""
+    params = authsrv_params()
+    authsrv = hostapd.add_ap(apdev[1], params)
+
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    params['auth_server_port'] = "18128"
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    dev[0].scan_for_bss(hapd.own_addr(), 2412)
+    # The first two would be fine to run with any server build; the rest are
+    # actually supposed to fail, but they don't fail when using a server build
+    # that does not support the TLS protocol tests.
+    tests = [ "foo@test-unknown",
+              "foo@test-tls-unknown",
+              "foo@test-tls-1",
+              "foo@test-tls-2",
+              "foo@test-tls-3",
+              "foo@test-tls-4",
+              "foo@test-tls-5",
+              "foo@test-tls-6",
+              "foo@test-tls-7",
+              "foo@test-tls-8" ]
+    for t in tests:
+        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                       eap="TTLS", identity="user",
+                       anonymous_identity=t,
+                       password="password",
+                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                       scan_freq="2412")
+        dev[0].request("REMOVE_NETWORK all")
+        dev[0].wait_disconnected()
+
+def test_authsrv_unknown_user(dev, apdev):
+    """Authentication server and unknown user"""
+    params = authsrv_params()
+    params["eap_user_file"] = "auth_serv/eap_user_vlan.conf"
+    authsrv = hostapd.add_ap(apdev[1], params)
+
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    params['auth_server_port'] = "18128"
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                   eap="TTLS", identity="user",
+                   anonymous_identity="ttls", password="password",
+                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                   wait_connect=False, scan_freq="2412")
+    dev[0].wait_disconnected()
+    dev[0].request("REMOVE_NETWORK all")
+
+def test_authsrv_unknown_client(dev, apdev):
+    """Authentication server and unknown user"""
+    params = authsrv_params()
+    params["radius_server_clients"] = "auth_serv/radius_clients_none.conf"
+    authsrv = hostapd.add_ap(apdev[1], params)
+
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    params['auth_server_port'] = "18128"
+    hapd = hostapd.add_ap(apdev[0], params)
+
+    # RADIUS SRV: Unknown client 127.0.0.1 - packet ignored
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
+                   eap="TTLS", identity="user",
+                   anonymous_identity="ttls", password="password",
+                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+                   wait_connect=False, scan_freq="2412")
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
+    if ev is None:
+        raise Exception("EAP not started")
+    dev[0].request("REMOVE_NETWORK all")