1 # EAP authentication tests
2 # Copyright (c) 2019, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
9 from utils
import alloc_fail
, fail_test
, wait_fail_trigger
, HwsimSkip
10 from test_ap_eap
import check_eap_capa
, int_eap_server_params
, eap_connect
, \
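def int_teap_server_params(eap_teap_auth=None, eap_teap_pac_no_inner=None,
                           eap_teap_separate_result=None):
    """Build hostapd parameters for an EAP-TEAP integrated EAP server.

    Starts from int_eap_server_params() and adds the PAC/A-ID settings the
    TEAP server needs. The three optional arguments correspond to hostapd
    options of the same name and are only written into the dict when given,
    so the server keeps its defaults otherwise.

    Returns the parameter dict for hostapd.add_ap().
    """
    params = int_eap_server_params()
    # Fixed, test-only PAC-Opaque encryption key and Authority-ID. These
    # values are deliberately predictable for the test bed; a real server
    # needs a random pac_opaque_encr_key, since PAC protection rests on it.
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff00"
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff00"
    params['eap_fast_a_id_info'] = "test server 0"
    # Only emit the optional TEAP knobs that were requested; an unconditional
    # assignment would push a bare None through as a config value.
    if eap_teap_auth:
        params['eap_teap_auth'] = eap_teap_auth
    if eap_teap_pac_no_inner:
        params['eap_teap_pac_no_inner'] = eap_teap_pac_no_inner
    if eap_teap_separate_result:
        params['eap_teap_separate_result'] = eap_teap_separate_result
    # Callers do "params = int_teap_server_params(...)", so the dict must be
    # handed back.
    return params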
def test_eap_teap_eap_mschapv2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2"""
    peer = dev[0]
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(peer, capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The server certificate is checked against auth_serv/ca.pem; the
    # "TEAP" anonymous identity is the only identity sent outside the tunnel.
    eap_connect(peer, hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # Second authentication on the same network after the full one succeeded
    eap_reauth(peer, "TEAP")
def test_eap_teap_eap_pwd(dev, apdev):
    """EAP-TEAP with inner EAP-PWD"""
    for capa in ("TEAP", "PWD"):
        check_eap_capa(dev[0], capa)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Inner method is EAP-PWD; the outer TLS tunnel still authenticates the
    # server against auth_serv/ca.pem.
    eap_connect(dev[0], hapd, "TEAP", "user-pwd-2",
                password="password", anonymous_identity="TEAP",
                phase2="auth=PWD", ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    for capa in ("TEAP", "EKE"):
        check_eap_capa(dev[0], capa)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # Inner method is EAP-EKE; server is authenticated via ca_cert as in the
    # other tunneled variants.
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                password="password", anonymous_identity="TEAP",
                phase2="auth=EKE", ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
def test_eap_teap_basic_password_auth(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth"""
    check_eap_capa(dev[0], "TEAP")
    # eap_teap_auth="1" makes the server use TEAP Basic-Password-Auth instead
    # of an inner EAP method, which is why the peer sets no phase2 here.
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    eap_connect(dev[0], hapd, "TEAP", "user",
                password="password", anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", pac_file="blob://teap_pac")
def test_eap_teap_basic_password_auth_failure(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth failure"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # A wrong password must be rejected by the server; eap_connect is told
    # to expect that failure rather than a successful association.
    peer_cfg = dict(anonymous_identity="TEAP", password="incorrect",
                    ca_cert="auth_serv/ca.pem", pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", expect_failure=True,
                **peer_cfg)
def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # No password is configured on the peer, so it has nothing to answer
    # the server's Basic-Password-Auth request with; the attempt must fail
    # rather than complete.
    peer_cfg = dict(anonymous_identity="TEAP",
                    ca_cert="auth_serv/ca.pem", pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", expect_failure=True,
                **peer_cfg)
def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    peer = dev[0]
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(peer, capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # teap_test_outer_tlvs=1 is a test-only phase1 knob that presumably makes
    # the peer include Outer TLVs in its TEAP exchange; the rest of the
    # configuration matches the plain inner EAP-MSCHAPv2 case.
    eap_connect(peer, hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", phase1="teap_test_outer_tlvs=1")
def test_eap_teap_eap_mschapv2_pac(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # teap_provisioning=2 asks for PAC provisioning; with ca_cert set the
    # PAC is only accepted from a server whose certificate verified.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    # The reauthentication has to resume via the provisioned PAC (TLS
    # session ticket) instead of running another full handshake.
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP"""
    peer = dev[0]
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(peer, capa)
    # eap_teap_pac_no_inner="1": the server is allowed to skip the inner
    # authentication when the peer presents a (previously provisioned) PAC.
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_pac_no_inner="1"))
    eap_connect(peer, hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # Reauthentication must use the PAC obtained during the first connect
    reused = eap_reauth(peer, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(dev[0], capa)
    # eap_teap_separate_result="1": server delivers the Result TLV in its own
    # message instead of bundling it with the preceding TLVs.
    server = int_teap_server_params(eap_teap_separate_result="1")
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(dev[0], hapd, "TEAP", "user",
                password="password", anonymous_identity="TEAP",
                phase2="auth=MSCHAPV2", ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert"""
    peer = dev[0]
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(peer, capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Deliberately no ca_cert: the TLS server is not authenticated, so the
    # peer must not treat a PAC from it as trustworthy (otherwise a rogue AP
    # could plant a credential). teap_provisioning=2 still asks for one.
    eap_connect(peer, hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # Negative check: the reauthentication must NOT resume from a PAC ticket
    reused = eap_reauth(peer, "TEAP")['tls_session_reused']
    if reused == '1':
        raise Exception("Unexpected use of PAC session ticket")
def test_eap_teap_basic_password_auth_pac(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # Server runs Basic-Password-Auth (the peer's phase2 setting is carried
    # along but the server side decides the inner method); PAC provisioning
    # is requested through teap_provisioning=2 with a verified server cert.
    peer_cfg = dict(anonymous_identity="TEAP", password="password",
                    phase1="teap_provisioning=2",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file="blob://teap_pac")
    eap_connect(dev[0], hapd, "TEAP", "user", **peer_cfg)
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)"""
    check_eap_capa(dev[0], "TEAP")
    hapd = hostapd.add_ap(apdev[0],
                          int_teap_server_params(eap_teap_auth="1"))
    # Same flow as the text-format PAC test, but the PAC list is stored in
    # the binary format and capped at two entries; a separate blob is used
    # so the text-format PAC from other tests is not reinterpreted.
    phase1 = ("teap_provisioning=2 teap_max_pac_list_len=2 "
              "teap_pac_format=binary")
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1=phase1,
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac_bin")
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_basic_password_auth_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC without inner auth"""
    peer = dev[0]
    check_eap_capa(peer, "TEAP")
    # Basic-Password-Auth server that may skip the inner authentication when
    # a valid PAC is presented on reauthentication.
    server = int_teap_server_params(eap_teap_auth="1",
                                    eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(peer, hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    reused = eap_reauth(peer, "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning"""
    for capa in ("TEAP", "EKE"):
        check_eap_capa(dev[0], capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # No ca_cert and teap_provisioning=1: the TLS server is intentionally
    # left unauthenticated. The password-based inner EAP-EKE is presumably
    # what justifies accepting a PAC in this mode -- do not copy this
    # configuration for an inner method that does not authenticate the
    # server itself.
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                password="password", anonymous_identity="TEAP",
                phase1="teap_provisioning=1",
                phase2="auth=EKE", pac_file="blob://teap_pac")
    reused = eap_reauth(dev[0], "TEAP")['tls_session_reused']
    if reused != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")
def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    peer = dev[0]
    for capa in ("TEAP", "MSCHAPV2"):
        check_eap_capa(peer, capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fragment_size=100 forces the TEAP/TLS messages to be split into many
    # small EAP fragments, exercising the reassembly path on both ends.
    eap_connect(peer, hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", fragment_size="100")
def test_eap_teap_tls_cs_sha1(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-1"""
    # Legacy HMAC-SHA1 suite, kept for interoperability coverage only;
    # the SHA-256/SHA-384 variants below are the ones to prefer.
    cipher = "AES128-SHA"
    run_eap_teap_tls_cs(dev, apdev, cipher)
def test_eap_teap_tls_cs_sha256(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-256"""
    # AES-128-CBC with HMAC-SHA256
    cipher = "AES128-SHA256"
    run_eap_teap_tls_cs(dev, apdev, cipher)
def test_eap_teap_tls_cs_sha384(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-384"""
    # AES-256-GCM (AEAD) with SHA-384 as the handshake/PRF hash
    cipher = "AES256-GCM-SHA384"
    run_eap_teap_tls_cs(dev, apdev, cipher)
def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run EAP-TEAP Basic-Password-Auth with the server pinned to one TLS cipher suite.

    cipher is an OpenSSL cipher-suite name; it is passed to hostapd's
    openssl_ciphers option so the handshake can only negotiate that suite.
    The test is skipped when the peer's TLS library is not OpenSSL, since
    the cipher-suite configuration is OpenSSL specific.
    """
    peer = dev[0]
    check_eap_capa(peer, "TEAP")
    tls_lib = peer.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls_lib)
    server = int_teap_server_params(eap_teap_auth="1")
    server['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], server)
    eap_connect(peer, hapd, "TEAP", "user",
                password="password", anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
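def wait_eap_proposed(dev, wait_trigger=None):
    """Wait for the peer to start EAP, optionally wait for a fault trigger, then tear down.

    Used by the local-error tests: each connect attempt is expected to get as
    far as method negotiation (CTRL-EVENT-EAP-PROPOSED-METHOD) and then fail
    internally because of an injected allocation or crypto failure.

    dev: the wpa_supplicant instance under test
    wait_trigger: name of the fault-injection counter to wait on
        ("GET_ALLOC_FAIL" or "GET_FAIL") before tearing down, or None to
        skip that wait

    Raises Exception if EAP is not started within 10 seconds.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
    # wait_event() returns None on timeout; only that case is an error
    if ev is None:
        raise Exception("Timeout on EAP start")
    # Only consult the fault-injection trigger when one was requested
    if wait_trigger:
        wait_fail_trigger(dev, wait_trigger)
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()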
def test_eap_teap_errors(dev, apdev):
    """EAP-TEAP local errors"""
    # Exercises peer-side error paths: a malformed PAC blob and injected
    # allocation / crypto failures. Every attempt is expected to reach EAP
    # method negotiation and then fail cleanly (no crash, no success).
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): in this copy of the file the first connect() call below
    # is cut short -- its trailing arguments and closing parenthesis are not
    # visible, so it cannot be parsed as shown; compare with the later calls.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TEAP", identity="user", password="password",
                   anonymous_identity="TEAP",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
    wait_eap_proposed(dev[0])
    # A deliberately malformed PAC blob (hex 11, i.e. a single byte). The
    # peer must reject it gracefully in both the text and the binary PAC
    # format rather than crash or accept it.
    dev[0].set("blob", "teap_broken_pac 11")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TEAP", identity="user", password="password",
                   anonymous_identity="TEAP",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://teap_broken_pac", wait_connect=False)
    wait_eap_proposed(dev[0])
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TEAP", identity="user", password="password",
                   anonymous_identity="TEAP",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="teap_pac_format=binary",
                   pac_file="blob://teap_broken_pac", wait_connect=False)
    wait_eap_proposed(dev[0])
    # (count, function) pairs: make the count-th allocation in the named
    # function fail. "a;b" presumably means a called from b; the leading
    # "=" in the wpabuf_alloc entry is part of the hwsim trigger syntax.
    # NOTE(review): "eap_teap_session_id" appears twice with count 1, so the
    # second entry repeats the first run unless a different count was meant.
    tests = [(1, "eap_teap_tlv_eap_payload"),
             (1, "eap_teap_process_eap_payload_tlv"),
             (1, "eap_teap_compound_mac"),
             (1, "eap_teap_tlv_result"),
             (1, "eap_peer_select_phase2_methods"),
             (1, "eap_peer_tls_ssl_init"),
             (1, "eap_teap_session_id"),
             (1, "wpabuf_alloc;=eap_teap_process_crypto_binding"),
             (1, "eap_peer_tls_encrypt"),
             (1, "eap_peer_tls_decrypt"),
             (1, "eap_teap_getKey"),
             (1, "eap_teap_session_id"),
             (1, "eap_teap_init")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            # GET_ALLOC_FAIL confirms the injected allocation failure fired
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")
    # Injected failures in the key derivation / Crypto-Binding code: the
    # peer must abort the exchange when MSK/EMSK/IMCK derivation or the
    # Compound MAC computation fails, instead of continuing with bad keys.
    tests = [(1, "eap_teap_derive_eap_msk"),
             (1, "eap_teap_derive_eap_emsk"),
             (1, "eap_teap_write_crypto_binding"),
             (1, "eap_teap_process_crypto_binding"),
             (1, "eap_teap_derive_msk;eap_teap_process_crypto_binding"),
             (1, "eap_teap_compound_mac;eap_teap_process_crypto_binding"),
             (1, "eap_teap_derive_imck")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            # GET_FAIL confirms the injected failure was actually hit
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")
def test_eap_teap_errors2(dev, apdev):
    """EAP-TEAP local errors 2 (Basic-Password-Auth specific)"""
    # Same fault-injection pattern as test_eap_teap_errors, but against a
    # server running Basic-Password-Auth with PAC provisioning requested,
    # so the PAC-Acknowledgement and Basic-Password-Auth-Req paths are hit.
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # Allocation failures in the PAC-Ack TLV builder and the
    # Basic-Password-Auth request handler
    tests = [(1, "eap_teap_tlv_pac_ack"),
             (1, "eap_teap_process_basic_auth_req")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           phase1="teap_provisioning=2",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")
    # Failure in the CMK derivation specific to Basic-Password-Auth: the
    # peer must abort rather than proceed with an unusable key.
    tests = [(1, "eap_teap_derive_cmk_basic_pw_auth")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           phase1="teap_provisioning=2",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")
def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    peer = dev[0]
    for capa in ("TEAP", "VENDOR-TEST"):
        check_eap_capa(peer, capa)
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner method is the test-only expanded-type VENDOR-TEST; it takes no
    # password, so only the identity and the server CA are configured.
    eap_connect(peer, hapd, "TEAP", "vendor-test-2",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST",
                pac_file="blob://teap_pac")