tests: Split subject_match and altsubject_match to separate test cases
These parameters are supported only with OpenSSL, so split any test case that used those for a successful connection into two test cases. Skip all test cases where these are used without the selected TLS library supporting them to avoid reporting failures incorrectly. Though, verify that subject_match and altsubject_match get rejected properly if TLS library does not support these. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
79b1dd9aad
commit
506b2f05f2
1 changed files with 51 additions and 6 deletions
|
@ -27,6 +27,16 @@ def check_eap_capa(dev, method):
|
||||||
if method not in res:
|
if method not in res:
|
||||||
raise HwsimSkip("EAP method %s not supported in the build" % method)
|
raise HwsimSkip("EAP method %s not supported in the build" % method)
|
||||||
|
|
||||||
|
def check_subject_match_support(dev):
|
||||||
|
tls = dev.request("GET tls_library")
|
||||||
|
if not tls.startswith("OpenSSL"):
|
||||||
|
raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
|
||||||
|
|
||||||
|
def check_altsubject_match_support(dev):
|
||||||
|
tls = dev.request("GET tls_library")
|
||||||
|
if not tls.startswith("OpenSSL"):
|
||||||
|
raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
|
||||||
|
|
||||||
def read_pem(fname):
|
def read_pem(fname):
|
||||||
with open(fname, "r") as f:
|
with open(fname, "r") as f:
|
||||||
lines = f.readlines()
|
lines = f.readlines()
|
||||||
|
@ -766,14 +776,25 @@ def test_ap_wpa2_eap_ttls_pap(dev, apdev):
|
||||||
raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
|
raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
|
||||||
eap_connect(dev[0], apdev[0], "TTLS", "pap user",
|
eap_connect(dev[0], apdev[0], "TTLS", "pap user",
|
||||||
anonymous_identity="ttls", password="password",
|
anonymous_identity="ttls", password="password",
|
||||||
ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
|
ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
|
||||||
subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
|
|
||||||
altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
|
|
||||||
hwsim_utils.test_connectivity(dev[0], hapd)
|
hwsim_utils.test_connectivity(dev[0], hapd)
|
||||||
eap_reauth(dev[0], "TTLS")
|
eap_reauth(dev[0], "TTLS")
|
||||||
check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
|
check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
|
||||||
("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
|
("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
|
||||||
|
"""WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
|
||||||
|
check_subject_match_support(dev[0])
|
||||||
|
check_altsubject_match_support(dev[0])
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
eap_connect(dev[0], apdev[0], "TTLS", "pap user",
|
||||||
|
anonymous_identity="ttls", password="password",
|
||||||
|
ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
|
||||||
|
subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
|
||||||
|
altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
|
||||||
|
eap_reauth(dev[0], "TTLS")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
|
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
|
"""WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
|
||||||
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
@ -791,11 +812,21 @@ def test_ap_wpa2_eap_ttls_chap(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-TTLS/CHAP"""
|
"""WPA2-Enterprise connection using EAP-TTLS/CHAP"""
|
||||||
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
eap_connect(dev[0], apdev[0], "TTLS", "chap user",
|
||||||
|
anonymous_identity="ttls", password="password",
|
||||||
|
ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
|
||||||
|
hwsim_utils.test_connectivity(dev[0], hapd)
|
||||||
|
eap_reauth(dev[0], "TTLS")
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
|
||||||
|
"""WPA2-Enterprise connection using EAP-TTLS/CHAP"""
|
||||||
|
check_altsubject_match_support(dev[0])
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
eap_connect(dev[0], apdev[0], "TTLS", "chap user",
|
eap_connect(dev[0], apdev[0], "TTLS", "chap user",
|
||||||
anonymous_identity="ttls", password="password",
|
anonymous_identity="ttls", password="password",
|
||||||
ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
|
ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
|
||||||
altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
|
altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
|
||||||
hwsim_utils.test_connectivity(dev[0], hapd)
|
|
||||||
eap_reauth(dev[0], "TTLS")
|
eap_reauth(dev[0], "TTLS")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
|
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
|
||||||
|
@ -1319,9 +1350,16 @@ def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("Association and EAP start timed out")
|
raise Exception("Association and EAP start timed out")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
|
||||||
|
"EAP: Failed to initialize EAP method"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("EAP method selection timed out")
|
raise Exception("EAP method selection timed out")
|
||||||
|
if "EAP: Failed to initialize EAP method" in ev:
|
||||||
|
tls = dev[0].request("GET tls_library")
|
||||||
|
if tls.startswith("OpenSSL"):
|
||||||
|
raise Exception("Failed to select EAP method")
|
||||||
|
logger.info("subject_match not supported - connection failed, so test succeeded")
|
||||||
|
return
|
||||||
if "TTLS" not in ev:
|
if "TTLS" not in ev:
|
||||||
raise Exception("Unexpected EAP method")
|
raise Exception("Unexpected EAP method")
|
||||||
|
|
||||||
|
@ -1381,9 +1419,16 @@ def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("Association and EAP start timed out")
|
raise Exception("Association and EAP start timed out")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
|
||||||
|
"EAP: Failed to initialize EAP method"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("EAP method selection timed out")
|
raise Exception("EAP method selection timed out")
|
||||||
|
if "EAP: Failed to initialize EAP method" in ev:
|
||||||
|
tls = dev[0].request("GET tls_library")
|
||||||
|
if tls.startswith("OpenSSL"):
|
||||||
|
raise Exception("Failed to select EAP method")
|
||||||
|
logger.info("altsubject_match not supported - connection failed, so test succeeded")
|
||||||
|
return
|
||||||
if "TTLS" not in ev:
|
if "TTLS" not in ev:
|
||||||
raise Exception("Unexpected EAP method")
|
raise Exception("Unexpected EAP method")
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue