1# hostapd authentication server tests
2# Copyright (c) 2017, Jouni Malinen
3#
4# This software may be distributed under the terms of the BSD license.
5# See README for more details.
6
7import hostapd
8from utils import alloc_fail, fail_test, wait_fail_trigger
9
10def authsrv_params():
11    params = {"ssid": "as", "beacon_int": "2000",
12              "radius_server_clients": "auth_serv/radius_clients.conf",
13              "radius_server_auth_port": '18128',
14              "eap_server": "1",
15              "eap_user_file": "auth_serv/eap_user.conf",
16              "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
17              "ca_cert": "auth_serv/ca.pem",
18              "server_cert": "auth_serv/server.pem",
19              "private_key": "auth_serv/server.key",
20              "eap_message": "hello"}
21    return params
22
def test_authsrv_oom(dev, apdev):
    """Authentication server OOM"""
    authsrv = hostapd.add_ap(apdev[1], authsrv_params())

    # Separate AP that proxies EAP to authsrv over RADIUS.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].scan_for_bss(hapd.own_addr(), 2412)

    def start_eap(**extra):
        # EAP-TTLS/GTC attempt from the station; any extra kwargs
        # (e.g. wait_connect=False) are handed straight to connect().
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       scan_freq="2412", **extra)

    def forget_network(wait_disconnect=True):
        # Drop the station's network config and clear pending events.
        dev[0].request("REMOVE_NETWORK all")
        if wait_disconnect:
            dev[0].wait_disconnected()
        dev[0].dump_monitor()

    def expect_enable_fail():
        # While the injected allocation fails, ENABLE must be refused.
        if "FAIL" not in authsrv.request("ENABLE"):
            raise Exception("ENABLE succeeded during OOM")

    # EAP user lookup OOM: the station must get an explicit EAP failure.
    with alloc_fail(authsrv, 1, "hostapd_radius_get_eap_user"):
        start_eap(wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP failure not reported")
    forget_network()

    # Log buffer OOM must not affect the outcome: connection still completes.
    with alloc_fail(authsrv, 1, "srv_log"):
        start_eap()
    forget_network()

    # Session allocation OOM: the attempt is dropped, station disconnects.
    with alloc_fail(authsrv, 1, "radius_server_new_session"):
        start_eap(wait_connect=False)
        dev[0].wait_disconnected()
    forget_network(wait_disconnect=False)

    for count in range(1, 3):
        with alloc_fail(authsrv, count, "=radius_server_get_new_session"):
            start_eap(wait_connect=False)
            dev[0].wait_disconnected()
        forget_network(wait_disconnect=False)

    with alloc_fail(authsrv, 1, "eap_server_sm_init"):
        start_eap(wait_connect=False)
        dev[0].wait_disconnected()
    forget_network(wait_disconnect=False)

    # Failures on the RADIUS message path: only verify the trigger fired.
    for func in ("radius_server_encapsulate_eap",
                 "radius_server_receive_auth"):
        with alloc_fail(authsrv, 1, func):
            start_eap(wait_connect=False)
            wait_fail_trigger(authsrv, "GET_ALLOC_FAIL")
        forget_network()

    for func in ("radius_msg_add_attr;radius_server_encapsulate_eap",
                 "radius_msg_add_eap;radius_server_encapsulate_eap",
                 "radius_msg_finish_srv;radius_server_encapsulate_eap"):
        with fail_test(authsrv, 1, func):
            start_eap(wait_connect=False)
            wait_fail_trigger(authsrv, "GET_FAIL")
        forget_network()

    # Reject path: session OOM forces a reject, and building the reject
    # message itself then fails.
    for func in ("radius_msg_add_eap;radius_server_reject",
                 "radius_msg_finish_srv;radius_server_reject"):
        with alloc_fail(authsrv, 1, "radius_server_get_new_session"):
            with fail_test(authsrv, 1, func):
                start_eap(wait_connect=False)
                wait_fail_trigger(authsrv, "GET_FAIL")
            forget_network()

    # Init-time OOM: take the server down and fail each setup allocation in
    # turn; re-enabling must be refused rather than leave a half-set-up server.
    authsrv.disable()
    for count in (1, 2):
        with alloc_fail(authsrv, count,
                        "radius_server_init;hostapd_setup_radius_srv"):
            expect_enable_fail()

    for count in range(1, 4):
        with alloc_fail(authsrv, count,
                        "radius_server_read_clients;radius_server_init;hostapd_setup_radius_srv"):
            expect_enable_fail()

    with alloc_fail(authsrv, 1,
                    "eloop_sock_table_add_sock;radius_server_init;hostapd_setup_radius_srv"):
        expect_enable_fail()

    with alloc_fail(authsrv, 1, "tls_init;authsrv_init"):
        expect_enable_fail()

    for count in range(1, 3):
        with alloc_fail(authsrv, count, "eap_sim_db_init;authsrv_init"):
            expect_enable_fail()
167
def test_authsrv_errors_1(dev, apdev):
    """Authentication server errors (1)"""
    cfg = authsrv_params()
    # SQLite-backed EAP user DB at a path that cannot be opened.
    cfg["eap_user_file"] = "sqlite:auth_serv/does-not-exist/does-not-exist"
    authsrv = hostapd.add_ap(apdev[1], cfg, no_enable=True)
    res = authsrv.request("ENABLE")
    # Startup must fail outright rather than run with no user database.
    if "FAIL" not in res:
        raise Exception("ENABLE succeeded with invalid SQLite EAP user file")
175
def test_authsrv_errors_2(dev, apdev):
    """Authentication server errors (2)"""
    cfg = authsrv_params()
    # Missing RADIUS client list: no client/secret can be loaded.
    cfg["radius_server_clients"] = "auth_serv/does-not-exist"
    authsrv = hostapd.add_ap(apdev[1], cfg, no_enable=True)
    res = authsrv.request("ENABLE")
    # Startup must fail rather than start a server with no client list.
    if "FAIL" not in res:
        raise Exception("ENABLE succeeded with invalid RADIUS client file")
183
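def test_authsrv_errors_3(dev, apdev):
    """Authentication server errors (3)"""
    cfg = authsrv_params()
    # EAP-SIM DB with a db= path that cannot exist.
    cfg["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock db=auth_serv/does-not-exist/does-not-exist"
    authsrv = hostapd.add_ap(apdev[1], cfg, no_enable=True)
    res = authsrv.request("ENABLE")
    # Startup must fail when the EAP-SIM DB cannot be opened. The failure
    # message names the parameter actually being broken here (previously it
    # was copy-pasted from the RADIUS client file test).
    if "FAIL" not in res:
        raise Exception("ENABLE succeeded with invalid EAP-SIM DB file")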
191
def test_authsrv_testing_options(dev, apdev):
    """Authentication server and testing options"""
    authsrv = hostapd.add_ap(apdev[1], authsrv_params())

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].scan_for_bss(hapd.own_addr(), 2412)
    # Anonymous identities that select server-side testing behaviour. The first
    # two are fine with any server build; the rest are supposed to make the
    # exchange fail, but they do not fail on a server build without the TLS
    # protocol test hooks, so every case is run expecting a completed
    # connection.
    outer_ids = ["foo@test-unknown", "foo@test-tls-unknown"]
    outer_ids += ["foo@test-tls-%d" % i for i in range(1, 9)]
    for outer_id in outer_ids:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="user",
                       anonymous_identity=outer_id,
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
224
def test_authsrv_unknown_user(dev, apdev):
    """Authentication server and unknown user"""
    cfg = authsrv_params()
    # Alternative user file; presumably does not contain "user" — the test
    # only checks that the attempt ends in a disconnect.
    cfg["eap_user_file"] = "auth_serv/eap_user_vlan.conf"
    authsrv = hostapd.add_ap(apdev[1], cfg)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TTLS", identity="user",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                   wait_connect=False, scan_freq="2412")
    # An unknown user must not end up connected.
    dev[0].wait_disconnected()
    dev[0].request("REMOVE_NETWORK all")
242
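def test_authsrv_unknown_client(dev, apdev):
    """Authentication server and unknown RADIUS client"""
    cfg = authsrv_params()
    # Client list that does not include the AP's address, so its RADIUS
    # requests are not trusted.
    cfg["radius_server_clients"] = "auth_serv/radius_clients_none.conf"
    authsrv = hostapd.add_ap(apdev[1], cfg)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Expected server log: "RADIUS SRV: Unknown client 127.0.0.1 - packet
    # ignored". The AP's Access-Request gets no answer, so the station sees
    # EAP start (from the AP) but the exchange never completes. Only the start
    # is verified here; the test does not wait for the eventual timeout.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TTLS", identity="user",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("EAP not started")
    dev[0].request("REMOVE_NETWORK all")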
263