# EAP authentication tests
# Copyright (c) 2019, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.

7 import hostapd
8
9 from utils import alloc_fail, fail_test, wait_fail_trigger, HwsimSkip
10 from test_ap_eap import check_eap_capa, int_eap_server_params, eap_connect, \
11 eap_reauth
12
def int_teap_server_params(eap_teap_auth=None, eap_teap_pac_no_inner=None,
                           eap_teap_separate_result=None):
    """Build hostapd parameters for the integrated EAP-TEAP server.

    Starts from int_eap_server_params() and adds the PAC-Opaque encryption
    key and A-ID values the TEAP server needs. Each optional keyword is
    copied into the configuration only when it is truthy, so callers can
    pass None to leave the server default in place.
    """
    params = int_eap_server_params()
    # Fixed, test-only PAC-Opaque key and authority identity; a real
    # deployment would generate its own pac_opaque_encr_key.
    params.update({
        'pac_opaque_encr_key': "000102030405060708090a0b0c0dff00",
        'eap_fast_a_id': "101112131415161718191a1b1c1dff00",
        'eap_fast_a_id_info': "test server 0",
    })
    optional = (('eap_teap_auth', eap_teap_auth),
                ('eap_teap_pac_no_inner', eap_teap_pac_no_inner),
                ('eap_teap_separate_result', eap_teap_separate_result))
    for key, value in optional:
        if value:
            params[key] = value
    return params
26
def test_eap_teap_eap_mschapv2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2"""
    # Skip unless the peer build supports both the outer and inner method.
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    # Second authentication on the same association.
    eap_reauth(dev[0], "TEAP")
38
def test_eap_teap_eap_pwd(dev, apdev):
    """EAP-TEAP with inner EAP-PWD"""
    for capa in ("TEAP", "PWD"):
        check_eap_capa(dev[0], capa)
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    # Identity "user-pwd-2" selects the EAP-PWD user on the test server.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PWD",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user-pwd-2", **peer_cfg)
49
def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    for capa in ("TEAP", "EKE"):
        check_eap_capa(dev[0], capa)
    ssid = "test-wpa2-eap"
    hapd = hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid=ssid))
    # Identity "user-eke-2" selects the EAP-EKE user on the test server.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=EKE",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2", **peer_cfg)
60
def test_eap_teap_basic_password_auth(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth"""
    check_eap_capa(dev[0], "TEAP")
    # eap_teap_auth="1" switches the integrated server to Basic-Password-Auth,
    # so no inner EAP method (phase2) is configured on the peer.
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    peer_cfg = {"anonymous_identity": "TEAP",
                "password": "password",
                "ca_cert": "auth_serv/ca.pem",
                "pac_file": "blob://teap_pac"}
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
70
def test_eap_teap_basic_password_auth_failure(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth failure"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # Wrong password: the server must reject the attempt, so the helper is
    # told to expect an authentication failure rather than a connection.
    peer_cfg = {"anonymous_identity": "TEAP",
                "password": "incorrect",
                "ca_cert": "auth_serv/ca.pem",
                "pac_file": "blob://teap_pac",
                "expect_failure": True}
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
80
def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # No password at all on the peer side; the authentication must fail
    # rather than complete with an empty credential.
    peer_cfg = {"anonymous_identity": "TEAP",
                "ca_cert": "auth_serv/ca.pem",
                "pac_file": "blob://teap_pac",
                "expect_failure": True}
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
90
def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # teap_test_outer_tlvs=1 makes the peer add Outer TLVs to its TEAP
    # start response so the server's handling of them is exercised.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac",
                    phase1="teap_test_outer_tlvs=1")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
101
def test_eap_teap_eap_mschapv2_pac(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # teap_provisioning=2 requests PAC provisioning over the server-
    # authenticated (ca_cert) TLS tunnel during the first authentication.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    # The provisioned PAC must be used as a session ticket on reauth.
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-TEAP could not use PAC session ticket")
116
def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    # eap_teap_pac_no_inner="1": per the docstring the server skips the
    # inner EAP run when a PAC is presented; only the session-ticket reuse
    # is asserted here.
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_pac_no_inner="1"))
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-TEAP could not use PAC session ticket")
131
def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    # eap_teap_separate_result="1" makes the server send the Result TLV in
    # its own message instead of together with the last inner EAP payload.
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_separate_result="1"))
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
142
def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Deliberately no ca_cert: the server is not authenticated, so the
    # provisioning requested with teap_provisioning=2 must not result in a
    # PAC the peer would later trust.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    # Negative check: reauthentication must NOT resume via a PAC ticket.
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if reused:
        raise Exception("Unexpected use of PAC session ticket")
157
def test_eap_teap_basic_password_auth_pac(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # phase2 is still configured on the peer even though the server uses
    # Basic-Password-Auth; provisioning happens on the first run.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-TEAP could not use PAC session ticket")
171
def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # Binary PAC file format with a PAC list capped at two entries; a
    # separate blob name keeps it apart from the text-format PAC used by
    # the other tests.
    phase1 = "teap_provisioning=2 teap_max_pac_list_len=2 teap_pac_format=binary"
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1=phase1,
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac_bin")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-TEAP could not use PAC session ticket")
185
def test_eap_teap_basic_password_auth_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC without inner auth"""
    check_eap_capa(dev[0], "TEAP")
    # Both server options: Basic-Password-Auth for the first run and, per
    # the docstring, no inner authentication once a PAC is presented.
    server_cfg = int_teap_server_params(eap_teap_auth="1",
                                        eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], server_cfg)
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-TEAP could not use PAC session ticket")
200
def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning"""
    for capa in ("TEAP", "EKE"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No ca_cert and teap_provisioning=1: the server certificate is not
    # validated during provisioning.  NOTE(review): presumably the inner
    # EAP-EKE run is what stands in for server authentication here —
    # confirm against the peer implementation.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=1",
                    phase2="auth=EKE", pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2", **peer_cfg)
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused'] == '1'
    if not reused:
        raise Exception("EAP-TEAP could not use PAC session ticket")
214
def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A 100-byte fragment size forces the TLS records to be split across
    # many EAP messages so the reassembly path is exercised.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac", fragment_size="100")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
225
def test_eap_teap_tls_cs_sha1(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-1"""
    # Legacy CBC suite with a SHA-1 MAC; kept to cover the SHA-1 based
    # cipher suite path, not as a recommended configuration.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES128-SHA")
229
def test_eap_teap_tls_cs_sha256(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-256"""
    # SHA-256 based cipher suite variant of the same Basic-Password-Auth run.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES128-SHA256")
233
def test_eap_teap_tls_cs_sha384(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-384"""
    # AEAD (GCM) suite with SHA-384; exercises the SHA-384 based path.
    run_eap_teap_tls_cs(dev, apdev, cipher="AES256-GCM-SHA384")
237
def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run EAP-TEAP Basic-Password-Auth with a forced TLS cipher suite.

    cipher is an OpenSSL cipher-list string applied on the server side via
    the openssl_ciphers parameter. Raises HwsimSkip when the peer's TLS
    library is not OpenSSL, since the cipher-suite configuration used here
    is OpenSSL-specific.
    """
    check_eap_capa(dev[0], "TEAP")
    tls_lib = dev[0].request("GET tls_library")
    is_openssl = tls_lib.startswith("OpenSSL")
    if not is_openssl:
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls_lib)
    server_cfg = int_teap_server_params(eap_teap_auth="1")
    server_cfg['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], server_cfg)
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    ca_cert="auth_serv/ca.pem",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
250
def wait_eap_proposed(dev, wait_trigger=None):
    """Wait for the peer to propose an EAP method, then tear the network down.

    Raises Exception if no CTRL-EVENT-EAP-PROPOSED-METHOD event arrives
    within 10 seconds. When wait_trigger is given (e.g. "GET_ALLOC_FAIL" or
    "GET_FAIL"), additionally waits for that injected-failure trigger to
    fire before removing all networks, waiting for the disconnection and
    flushing the event monitor, so the next attempt starts clean.
    """
    proposed = dev.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
    if proposed is None:
        raise Exception("Timeout on EAP start")
    if wait_trigger:
        wait_fail_trigger(dev, wait_trigger)
    # Cleanup: drop the network, confirm disconnection, discard queued events.
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()
    dev.dump_monitor()
260
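def test_eap_teap_errors(dev, apdev):
    """EAP-TEAP local errors"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    def start_teap(**extra):
        # Start an EAP-TEAP/MSCHAPv2 attempt without waiting for the
        # outcome; every caller pairs this with wait_eap_proposed(), which
        # also removes the network again.  extra holds the per-case
        # settings (pac_file, phase1).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       scan_freq="2412",
                       eap="TEAP", identity="user", password="password",
                       anonymous_identity="TEAP",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, **extra)

    # 1) No pac_file configured at all.
    start_teap()
    wait_eap_proposed(dev[0])

    # 2) A one-byte PAC blob (hex 11), first in the default text format and
    #    then as a binary PAC, to reach the PAC loading error paths.  Only
    #    the method proposal is awaited before the network is torn down.
    dev[0].set("blob", "teap_broken_pac 11")
    start_teap(pac_file="blob://teap_broken_pac")
    wait_eap_proposed(dev[0])
    start_teap(phase1="teap_pac_format=binary",
               pac_file="blob://teap_broken_pac")
    wait_eap_proposed(dev[0])

    # 3) Injected allocation failures in the peer's TEAP implementation.
    #    The previous table listed (1, "eap_teap_session_id") twice; the
    #    second entry triggers the identical failure, so it is kept once.
    alloc_tests = [(1, "eap_teap_tlv_eap_payload"),
                   (1, "eap_teap_process_eap_payload_tlv"),
                   (1, "eap_teap_compound_mac"),
                   (1, "eap_teap_tlv_result"),
                   (1, "eap_peer_select_phase2_methods"),
                   (1, "eap_peer_tls_ssl_init"),
                   (1, "eap_teap_session_id"),
                   (1, "wpabuf_alloc;=eap_teap_process_crypto_binding"),
                   (1, "eap_peer_tls_encrypt"),
                   (1, "eap_peer_tls_decrypt"),
                   (1, "eap_teap_getKey"),
                   (1, "eap_teap_init")]
    for count, func in alloc_tests:
        with alloc_fail(dev[0], count, func):
            start_teap(pac_file="blob://teap_pac")
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")

    # 4) Injected failures in MSK/EMSK/IMCK derivation and Crypto-Binding
    #    TLV handling.  wait_eap_proposed() only confirms the trigger fired
    #    and cleans up; it does not assert on the resulting EAP state.
    fail_tests = [(1, "eap_teap_derive_eap_msk"),
                  (1, "eap_teap_derive_eap_emsk"),
                  (1, "eap_teap_write_crypto_binding"),
                  (1, "eap_teap_process_crypto_binding"),
                  (1, "eap_teap_derive_msk;eap_teap_process_crypto_binding"),
                  (1, "eap_teap_compound_mac;eap_teap_process_crypto_binding"),
                  (1, "eap_teap_derive_imck")]
    for count, func in fail_tests:
        with fail_test(dev[0], count, func):
            start_teap(pac_file="blob://teap_pac")
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")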
332
def test_eap_teap_errors2(dev, apdev):
    """EAP-TEAP local errors 2 (Basic-Password-Auth specific)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))

    def start_teap():
        # Peer requests PAC provisioning (teap_provisioning=2) against the
        # Basic-Password-Auth server; the injected faults below are in the
        # PAC-Ack TLV, Basic-Password-Auth request and CMK derivation code.
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       scan_freq="2412",
                       eap="TEAP", identity="user", password="password",
                       anonymous_identity="TEAP",
                       phase1="teap_provisioning=2",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       pac_file="blob://teap_pac", wait_connect=False)

    # Allocation failures: each attempt waits for the GET_ALLOC_FAIL trigger
    # and then tears the network down.
    for count, func in [(1, "eap_teap_tlv_pac_ack"),
                        (1, "eap_teap_process_basic_auth_req")]:
        with alloc_fail(dev[0], count, func):
            start_teap()
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")

    # Forced failure in the Basic-Password-Auth CMK derivation.
    with fail_test(dev[0], 1, "eap_teap_derive_cmk_basic_pw_auth"):
        start_teap()
        wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")
364
def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    for capa in ("TEAP", "VENDOR-TEST"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity "vendor-test-2" selects the vendor-specific test method on
    # the server; no password is passed for this inner method.
    peer_cfg = dict(anonymous_identity="TEAP",
                    ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "vendor-test-2", **peer_cfg)