# EAP authentication tests
# Copyright (c) 2019, Jouni Malinen <j@w1.fi>
#
# This software may be distributed under the terms of the BSD license.
# See README for more details.

"""EAP-TEAP test cases for the hwsim test framework.

Every ``test_*`` function takes the framework's ``dev`` (station instances
under test) and ``apdev`` (AP device descriptors) fixtures, starts a hostapd
instance with an EAP server and drives ``dev[0]`` through an EAP-TEAP
exchange with ``eap_connect``.  The ``run_*`` helpers hold the shared body of
parameterized variants.  Credentials, certificate paths and PAC blob names are
fixtures of the test environment (``auth_serv/``), not real secrets.
"""

import hostapd

from utils import alloc_fail, fail_test, wait_fail_trigger, HwsimSkip
from test_ap_eap import check_eap_capa, int_eap_server_params, eap_connect, \
    eap_reauth

def int_teap_server_params(eap_teap_auth=None, eap_teap_pac_no_inner=None,
                           eap_teap_separate_result=None, eap_teap_id=None,
                           eap_teap_method_sequence=None):
    """Build hostapd parameters for an integrated EAP-TEAP server.

    Starts from ``int_eap_server_params()`` and adds the fixed test-only
    PAC-Opaque encryption key and A-ID values.  Each optional ``eap_teap_*``
    argument is copied into the dict under the same key only when it is
    truthy; callers in this file pass hostapd config values as strings
    (e.g. "1", "5", ``str(eap_teap_id)``).

    Returns:
        dict of hostapd configuration parameters.
    """
    params = int_eap_server_params()
    # Test-only fixed values; the key names mirror the hostapd config options.
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff00"
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff00"
    params['eap_fast_a_id_info'] = "test server 0"
    if eap_teap_auth:
        params['eap_teap_auth'] = eap_teap_auth
    if eap_teap_pac_no_inner:
        params['eap_teap_pac_no_inner'] = eap_teap_pac_no_inner
    if eap_teap_separate_result:
        params['eap_teap_separate_result'] = eap_teap_separate_result
    if eap_teap_id:
        params['eap_teap_id'] = eap_teap_id
    if eap_teap_method_sequence:
        params['eap_teap_method_sequence'] = eap_teap_method_sequence
    return params

def test_eap_teap_eap_mschapv2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # A second authentication round after the initial connection.
    eap_reauth(dev[0], "TEAP")

def test_eap_teap_eap_pwd(dev, apdev):
    """EAP-TEAP with inner EAP-PWD"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user-pwd-2",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PWD",
                pac_file="blob://teap_pac")

def test_eap_teap_eap_eke(dev, apdev):
    """EAP-TEAP with inner EAP-EKE"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "EKE")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=EKE",
                pac_file="blob://teap_pac")

def test_eap_teap_basic_password_auth(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth"""
    check_eap_capa(dev[0], "TEAP")
    # eap_teap_auth="1" selects Basic-Password-Auth on the server; no inner
    # EAP method (phase2) is configured on the peer for these cases.
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")

def test_eap_teap_basic_password_auth_failure(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth failure"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # Wrong password: the exchange must end in failure, not success.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="incorrect",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac", expect_failure=True)

def test_eap_teap_basic_password_auth_no_password(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and no password configured"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # No password at all on the peer side; authentication must fail.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac", expect_failure=True)

def test_eap_teap_basic_password_auth_id0(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=0)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 0)

def test_eap_teap_basic_password_auth_id1(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=1)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 1)

def test_eap_teap_basic_password_auth_id2(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=2)"""
    # id 2 with only a user credential is expected to fail; the *_machine
    # test below succeeds with id 2 and a machine credential.
    run_eap_teap_basic_password_auth_id(dev, apdev, 2, failure=True)

def test_eap_teap_basic_password_auth_id3(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=3)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 3)

def test_eap_teap_basic_password_auth_id4(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth (eap_teap_id=4)"""
    run_eap_teap_basic_password_auth_id(dev, apdev, 4)

def run_eap_teap_basic_password_auth_id(dev, apdev, eap_teap_id, failure=False):
    """Shared body for the Basic-Password-Auth eap_teap_id variants.

    Args:
        dev, apdev: framework fixtures.
        eap_teap_id: integer value passed to the server as ``eap_teap_id``
            (converted to a string for the hostapd config).
        failure: when True the connection is expected to fail.
    """
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1",
                                    eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=failure)

def test_eap_teap_basic_password_auth_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using machine credential"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], params)
    # Empty user identity: only the machine credential is configured.
    eap_connect(dev[0], hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")

def test_eap_teap_basic_password_auth_user_and_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")

def test_eap_teap_basic_password_auth_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail user)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # A valid machine credential must not rescue a wrong user password.
    eap_connect(dev[0], hapd, "TEAP", "user", password="wrong-password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)

def test_eap_teap_basic_password_auth_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (fail machine)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # A valid user credential must not rescue a wrong machine password.
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="wrong-machine-password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)

def test_eap_teap_basic_password_auth_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth using user and machine credentials (no machine)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1", eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # Server asks for both credentials (id 5); peer has no machine credential.
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac",
                expect_failure=True)

def test_eap_teap_peer_outer_tlvs(dev, apdev):
    """EAP-TEAP with peer Outer TLVs"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # teap_test_outer_tlvs=1 is a peer-side test knob in phase1.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", phase1="teap_test_outer_tlvs=1")

def test_eap_teap_eap_mschapv2_pac(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # After provisioning, the reauthentication must resume the TLS session
    # via the PAC; a full handshake here means the PAC was not used.
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

def test_eap_teap_eap_mschapv2_separate_result(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and separate message for Result TLV"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_separate_result="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")

def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # No ca_cert on the peer: authenticated provisioning (teap_provisioning=2)
    # is attempted without server certificate validation configured.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    # Negative check: a session ticket obtained this way must NOT be reused
    # on reauthentication.
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] == '1':
        raise Exception("Unexpected use of PAC session ticket")

def test_eap_teap_eap_mschapv2_id0(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=0)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 0)

def test_eap_teap_eap_mschapv2_id1(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=1)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 1)

def test_eap_teap_eap_mschapv2_id2(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=2)"""
    # id 2 with only a user credential is expected to fail; the *_machine
    # test below succeeds with id 2 and a machine credential.
    run_eap_teap_eap_mschapv2_id(dev, apdev, 2, failure=True)

def test_eap_teap_eap_mschapv2_id3(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=3)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 3)

def test_eap_teap_eap_mschapv2_id4(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 (eap_teap_id=4)"""
    run_eap_teap_eap_mschapv2_id(dev, apdev, 4)

def run_eap_teap_eap_mschapv2_id(dev, apdev, eap_teap_id, failure=False):
    """Shared body for the inner EAP-MSCHAPv2 eap_teap_id variants.

    Args:
        dev, apdev: framework fixtures.
        eap_teap_id: integer value passed to the server as ``eap_teap_id``
            (converted to a string for the hostapd config).
        failure: when True the connection is expected to fail.
    """
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id=str(eap_teap_id))
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=failure)

def test_eap_teap_eap_mschapv2_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using machine credential"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="2")
    hapd = hostapd.add_ap(apdev[0], params)
    # Empty user identity: only the machine credential is configured.
    eap_connect(dev[0], hapd, "TEAP", "",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")

def test_eap_teap_eap_mschapv2_user_and_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")

def test_eap_teap_eap_mschapv2_user_and_machine_seq1(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (seq1)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    # Same as the user-and-machine case, with eap_teap_method_sequence=1 on
    # the server side.
    params = int_teap_server_params(eap_teap_id="5",
                                    eap_teap_method_sequence="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")

def test_eap_teap_eap_mschapv2_user_and_machine_fail_user(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail user)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # A valid machine credential must not rescue a wrong user password.
    eap_connect(dev[0], hapd, "TEAP", "user", password="wrong-password",
                anonymous_identity="TEAP",
                machine_identity="machine", machine_password="machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)

def test_eap_teap_eap_mschapv2_user_and_machine_fail_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (fail machine)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # A valid user credential must not rescue a wrong machine password.
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="machine",
                machine_password="wrong-machine-password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)

def test_eap_teap_eap_mschapv2_user_and_machine_no_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 using user and machine credentials (no machine)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # Server asks for both credentials (id 5); peer has no machine credential.
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac",
                expect_failure=True)

def test_eap_teap_eap_mschapv2_user_and_eap_tls_machine(dev, apdev):
    """EAP-TEAP with inner EAP-MSCHAPv2 user and EAP-TLS machine credentials"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    check_eap_capa(dev[0], "TLS")
    params = int_teap_server_params(eap_teap_id="5")
    hapd = hostapd.add_ap(apdev[0], params)
    # User credential is a password (MSCHAPv2); the machine credential is a
    # certificate/key pair used with its own machine_phase2="auth=TLS".
    eap_connect(dev[0], hapd, "TEAP", "user", password="password",
                anonymous_identity="TEAP",
                machine_identity="cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                machine_phase2="auth=TLS",
                machine_ca_cert="auth_serv/ca.pem",
                machine_client_cert="auth_serv/user.pem",
                machine_private_key="auth_serv/user.key",
                pac_file="blob://teap_pac")

def test_eap_teap_basic_password_auth_pac(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): phase2 is still given although the server is configured
    # for Basic-Password-Auth (eap_teap_auth=1); presumably unused here.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

def test_eap_teap_basic_password_auth_pac_binary(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC (binary)"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)
    # Binary PAC format with a bounded PAC list, stored in a separate blob so
    # it does not collide with the text-format blob used by other tests.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2 teap_max_pac_list_len=2 teap_pac_format=binary",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac_bin")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

def test_eap_teap_basic_password_auth_pac_no_inner_eap(dev, apdev):
    """EAP-TEAP with Basic-Password-Auth and PAC without inner auth"""
    check_eap_capa(dev[0], "TEAP")
    params = int_teap_server_params(eap_teap_auth="1",
                                    eap_teap_pac_no_inner="1")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=2",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev):
    """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "EKE")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # teap_provisioning=1 and no ca_cert: the server is not certificate-
    # authenticated in this mode; the inner EAP-EKE exchange is what the
    # test relies on. Unlike the no_ca_cert MSCHAPv2 case, session reuse
    # on reauthentication is expected here.
    eap_connect(dev[0], hapd, "TEAP", "user-eke-2",
                anonymous_identity="TEAP", password="password",
                phase1="teap_provisioning=1",
                phase2="auth=EKE", pac_file="blob://teap_pac")
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

def test_eap_teap_fragmentation(dev, apdev):
    """EAP-TEAP with fragmentation"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # Small fragment_size forces the EAP-TEAP messages to be fragmented.
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac", fragment_size="100")

def test_eap_teap_tls_cs_sha1(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-1"""
    run_eap_teap_tls_cs(dev, apdev, "AES128-SHA")

def test_eap_teap_tls_cs_sha256(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-256"""
    run_eap_teap_tls_cs(dev, apdev, "AES128-SHA256")

def test_eap_teap_tls_cs_sha384(dev, apdev):
    """EAP-TEAP with TLS cipher suite that uses SHA-384"""
    run_eap_teap_tls_cs(dev, apdev, "AES256-GCM-SHA384")

def run_eap_teap_tls_cs(dev, apdev, cipher):
    """Run Basic-Password-Auth with the server restricted to one cipher suite.

    Args:
        dev, apdev: framework fixtures.
        cipher: OpenSSL-style cipher string written to ``openssl_ciphers``.

    Raises:
        HwsimSkip: if the peer's TLS library (from ``GET tls_library``) is
            neither OpenSSL nor wolfSSL, since the cipher string is only
            meaningful for those.
    """
    check_eap_capa(dev[0], "TEAP")
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL") and not tls.startswith("wolfSSL"):
        raise HwsimSkip("TLS library not supported for TLS CS configuration: " + tls)
    params = int_teap_server_params(eap_teap_auth="1")
    params['openssl_ciphers'] = cipher
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")

def wait_eap_proposed(dev, wait_trigger=None):
    """Wait for EAP to start on *dev*, then tear the network down.

    Used by the error-injection tests: the connection is not expected to
    complete, so after the CTRL-EVENT-EAP-PROPOSED-METHOD event (10 s
    timeout) the configured networks are removed and the monitor is drained.

    Args:
        dev: station instance.
        wait_trigger: optional control command (e.g. "GET_ALLOC_FAIL",
            "GET_FAIL") handed to ``wait_fail_trigger`` so the injected
            failure is confirmed to have fired before teardown.

    Raises:
        Exception: if EAP does not start within the timeout.
    """
    ev = dev.wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout=10)
    if ev is None:
        raise Exception("Timeout on EAP start")
    if wait_trigger:
        wait_fail_trigger(dev, wait_trigger)
    dev.request("REMOVE_NETWORK all")
    dev.wait_disconnected()
    dev.dump_monitor()

def test_eap_teap_errors(dev, apdev):
    """EAP-TEAP local errors"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    # No pac_file configured at all.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   scan_freq="2412",
                   eap="TEAP", identity="user", password="password",
                   anonymous_identity="TEAP",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False)
    wait_eap_proposed(dev[0])

    # A deliberately malformed PAC blob ("11"), in the default text format...
    dev[0].set("blob", "teap_broken_pac 11")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   scan_freq="2412",
                   eap="TEAP", identity="user", password="password",
                   anonymous_identity="TEAP",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://teap_broken_pac", wait_connect=False)
    wait_eap_proposed(dev[0])

    # ...and the same blob interpreted as binary format.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   scan_freq="2412",
                   eap="TEAP", identity="user", password="password",
                   anonymous_identity="TEAP",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="teap_pac_format=binary",
                   pac_file="blob://teap_broken_pac", wait_connect=False)
    wait_eap_proposed(dev[0])

    # Memory allocation failure injection: each entry is (count, pattern)
    # for alloc_fail(); the attempt must start EAP and then hit the trigger.
    # NOTE(review): "eap_teap_session_id" appears twice in this list.
    tests = [(1, "eap_teap_tlv_eap_payload"),
             (1, "eap_teap_process_eap_payload_tlv"),
             (1, "eap_teap_compound_mac"),
             (1, "eap_teap_tlv_result"),
             (1, "eap_peer_select_phase2_methods"),
             (1, "eap_peer_tls_ssl_init"),
             (1, "eap_teap_session_id"),
             (1, "wpabuf_alloc;=eap_teap_process_crypto_binding"),
             (1, "eap_peer_tls_encrypt"),
             (1, "eap_peer_tls_decrypt"),
             (1, "eap_teap_getKey"),
             (1, "eap_teap_session_id"),
             (1, "eap_teap_init")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")

    # Generic failure injection (fail_test) in the key derivation and
    # crypto-binding paths; same (count, pattern) shape as above.
    tests = [(1, "eap_teap_derive_eap_msk"),
             (1, "eap_teap_derive_eap_emsk"),
             (1, "eap_teap_write_crypto_binding"),
             (1, "eap_teap_process_crypto_binding"),
             (1, "eap_teap_derive_msk;eap_teap_process_crypto_binding"),
             (1, "eap_teap_compound_mac;eap_teap_process_crypto_binding"),
             (1, "eap_teap_derive_imck")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")

def test_eap_teap_errors2(dev, apdev):
    """EAP-TEAP local errors 2 (Basic-Password-Auth specific)"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_teap_server_params(eap_teap_auth="1")
    hapd = hostapd.add_ap(apdev[0], params)

    # Allocation failures in the PAC-Ack and Basic-Password-Auth request
    # handling on the peer.
    tests = [(1, "eap_teap_tlv_pac_ack"),
             (1, "eap_teap_process_basic_auth_req")]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           phase1="teap_provisioning=2",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(dev[0], wait_trigger="GET_ALLOC_FAIL")

    # Failure injection in the Basic-Password-Auth CMK derivation.
    tests = [(1, "eap_teap_derive_cmk_basic_pw_auth")]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           scan_freq="2412",
                           eap="TEAP", identity="user", password="password",
                           anonymous_identity="TEAP",
                           phase1="teap_provisioning=2",
                           ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                           pac_file="blob://teap_pac", wait_connect=False)
            wait_eap_proposed(dev[0], wait_trigger="GET_FAIL")

def test_eap_teap_eap_vendor(dev, apdev):
    """EAP-TEAP with inner EAP-vendor"""
    check_eap_capa(dev[0], "TEAP")
    check_eap_capa(dev[0], "VENDOR-TEST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # The vendor test method needs no password on the peer.
    eap_connect(dev[0], hapd, "TEAP", "vendor-test-2",
                anonymous_identity="TEAP",
                ca_cert="auth_serv/ca.pem", phase2="auth=VENDOR-TEST",
                pac_file="blob://teap_pac")

def test_eap_teap_client_cert(dev, apdev):
    """EAP-TEAP with client certificate in Phase 1"""
    check_eap_capa(dev[0], "TEAP")
    # eap_teap_auth="2": server side accepts client certificate
    # authentication in Phase 1.
    params = int_teap_server_params(eap_teap_auth="2")
    hapd = hostapd.add_ap(apdev[0], params)

    # verify server accepts a client with certificate, but no Phase 2
    # configuration
    eap_connect(dev[0], hapd, "TEAP", "user",
                anonymous_identity="TEAP",
                phase1="teap_provisioning=2",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key",
                ca_cert="auth_serv/ca.pem",
                pac_file="blob://teap_pac")
    dev[0].dump_monitor()
    # The provisioned PAC must be usable for session resumption.
    res = eap_reauth(dev[0], "TEAP")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-TEAP could not use PAC session ticket")

    # verify server accepts a client without certificate (password-based
    # inner EAP-MSCHAPv2 on a second station against the same AP)
    eap_connect(dev[1], hapd, "TEAP", "user",
                anonymous_identity="TEAP", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                pac_file="blob://teap_pac")