tests: EAP TLS parameters using configuration blobs
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
1120e45232
commit
6ea231e6d4
1 changed files with 101 additions and 34 deletions
|
@ -5,6 +5,7 @@
|
||||||
# This software may be distributed under the terms of the BSD license.
|
# This software may be distributed under the terms of the BSD license.
|
||||||
# See README for more details.
|
# See README for more details.
|
||||||
|
|
||||||
|
import base64
|
||||||
import time
|
import time
|
||||||
import subprocess
|
import subprocess
|
||||||
import logging
|
import logging
|
||||||
|
@ -14,6 +15,20 @@ import os.path
|
||||||
import hwsim_utils
|
import hwsim_utils
|
||||||
import hostapd
|
import hostapd
|
||||||
|
|
||||||
|
def read_pem(fname):
|
||||||
|
with open(fname, "r") as f:
|
||||||
|
lines = f.readlines()
|
||||||
|
copy = False
|
||||||
|
cert = ""
|
||||||
|
for l in lines:
|
||||||
|
if "-----END" in l:
|
||||||
|
break
|
||||||
|
if copy:
|
||||||
|
cert = cert + l
|
||||||
|
if "-----BEGIN" in l:
|
||||||
|
copy = True
|
||||||
|
return base64.b64decode(cert)
|
||||||
|
|
||||||
def eap_connect(dev, ap, method, identity,
|
def eap_connect(dev, ap, method, identity,
|
||||||
sha256=False, expect_failure=False, local_error_report=False,
|
sha256=False, expect_failure=False, local_error_report=False,
|
||||||
**kwargs):
|
**kwargs):
|
||||||
|
@ -322,6 +337,23 @@ def test_ap_wpa2_eap_tls(dev, apdev):
|
||||||
private_key="auth_serv/user.key")
|
private_key="auth_serv/user.key")
|
||||||
eap_reauth(dev[0], "TLS")
|
eap_reauth(dev[0], "TLS")
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_tls_blob(dev, apdev):
|
||||||
|
"""WPA2-Enterprise connection using EAP-TLS and config blobs"""
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
cert = read_pem("auth_serv/ca.pem")
|
||||||
|
if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
|
||||||
|
raise Exception("Could not set cacert blob")
|
||||||
|
cert = read_pem("auth_serv/user.pem")
|
||||||
|
if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
|
||||||
|
raise Exception("Could not set usercert blob")
|
||||||
|
key = read_pem("auth_serv/user.key")
|
||||||
|
if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
|
||||||
|
raise Exception("Could not set cacert blob")
|
||||||
|
eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
|
||||||
|
client_cert="blob://usercert",
|
||||||
|
private_key="blob://userkey")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
|
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
|
||||||
"""WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
|
"""WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
|
||||||
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
@ -344,27 +376,50 @@ def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("Connection timed out")
|
raise Exception("Connection timed out")
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
|
||||||
|
"""WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
cert = read_pem("auth_serv/ca.pem")
|
||||||
|
if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
|
||||||
|
raise Exception("Could not set cacert blob")
|
||||||
|
with open("auth_serv/user.pkcs12", "rb") as f:
|
||||||
|
if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
|
||||||
|
raise Exception("Could not set pkcs12 blob")
|
||||||
|
eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
|
||||||
|
private_key="blob://pkcs12",
|
||||||
|
private_key_passwd="whatever")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
|
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
|
||||||
"""WPA2-Enterprise negative test - incorrect trust root"""
|
"""WPA2-Enterprise negative test - incorrect trust root"""
|
||||||
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
hostapd.add_ap(apdev[0]['ifname'], params)
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
cert = read_pem("auth_serv/ca-incorrect.pem")
|
||||||
|
if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
|
||||||
|
raise Exception("Could not set cacert blob")
|
||||||
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
|
||||||
|
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
|
||||||
|
password="password", phase2="auth=MSCHAPV2",
|
||||||
|
ca_cert="blob://cacert",
|
||||||
|
wait_connect=False, scan_freq="2412")
|
||||||
|
dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
|
||||||
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
|
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
|
||||||
password="password", phase2="auth=MSCHAPV2",
|
password="password", phase2="auth=MSCHAPV2",
|
||||||
ca_cert="auth_serv/ca-incorrect.pem",
|
ca_cert="auth_serv/ca-incorrect.pem",
|
||||||
wait_connect=False, scan_freq="2412")
|
wait_connect=False, scan_freq="2412")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
for dev in (dev[0], dev[1]):
|
||||||
|
ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("Association and EAP start timed out")
|
raise Exception("Association and EAP start timed out")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
|
ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("EAP method selection timed out")
|
raise Exception("EAP method selection timed out")
|
||||||
if "TTLS" not in ev:
|
if "TTLS" not in ev:
|
||||||
raise Exception("Unexpected EAP method")
|
raise Exception("Unexpected EAP method")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
|
ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
|
||||||
"CTRL-EVENT-EAP-SUCCESS",
|
"CTRL-EVENT-EAP-SUCCESS",
|
||||||
"CTRL-EVENT-EAP-FAILURE",
|
"CTRL-EVENT-EAP-FAILURE",
|
||||||
"CTRL-EVENT-CONNECTED",
|
"CTRL-EVENT-CONNECTED",
|
||||||
|
@ -374,7 +429,7 @@ def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
|
||||||
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
|
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
|
||||||
raise Exception("TLS certificate error not reported")
|
raise Exception("TLS certificate error not reported")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
|
ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
|
||||||
"CTRL-EVENT-EAP-FAILURE",
|
"CTRL-EVENT-EAP-FAILURE",
|
||||||
"CTRL-EVENT-CONNECTED",
|
"CTRL-EVENT-CONNECTED",
|
||||||
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
@ -383,14 +438,14 @@ def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
|
||||||
if "CTRL-EVENT-EAP-FAILURE" not in ev:
|
if "CTRL-EVENT-EAP-FAILURE" not in ev:
|
||||||
raise Exception("EAP failure not reported")
|
raise Exception("EAP failure not reported")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
|
ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
|
||||||
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("EAP result(3) timed out")
|
raise Exception("EAP result(3) timed out")
|
||||||
if "CTRL-EVENT-DISCONNECTED" not in ev:
|
if "CTRL-EVENT-DISCONNECTED" not in ev:
|
||||||
raise Exception("Disconnection not reported")
|
raise Exception("Disconnection not reported")
|
||||||
|
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
|
ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("Network block disabling not reported")
|
raise Exception("Network block disabling not reported")
|
||||||
|
|
||||||
|
@ -979,6 +1034,18 @@ def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
|
||||||
ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
|
ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
|
||||||
dh_file="auth_serv/dh.conf")
|
dh_file="auth_serv/dh.conf")
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
|
||||||
|
"""WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
dh = read_pem("auth_serv/dh.conf")
|
||||||
|
if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
|
||||||
|
raise Exception("Could not set dhparams blob")
|
||||||
|
eap_connect(dev[0], apdev[0], "TTLS", "chap user",
|
||||||
|
anonymous_identity="ttls", password="password",
|
||||||
|
ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
|
||||||
|
dh_file="blob://dhparams")
|
||||||
|
|
||||||
def test_ap_wpa2_eap_reauth(dev, apdev):
|
def test_ap_wpa2_eap_reauth(dev, apdev):
|
||||||
"""WPA2-Enterprise and Authenticator forcing reauthentication"""
|
"""WPA2-Enterprise and Authenticator forcing reauthentication"""
|
||||||
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
|
Loading…
Reference in a new issue