tests: Add domain_suffix_match validation
This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen
parent
c7afc0789c
commit
72c052d525
2 changed files with 64 additions and 4 deletions
|
|
@ -16,11 +16,12 @@ import hwsim_utils
|
||||||
import hostapd
|
import hostapd
|
||||||
|
|
||||||
def eap_connect(dev, method, identity, anonymous_identity=None, password=None,
|
def eap_connect(dev, method, identity, anonymous_identity=None, password=None,
|
||||||
phase1=None, phase2=None, ca_cert=None):
|
phase1=None, phase2=None, ca_cert=None,
|
||||||
|
domain_suffix_match=None):
|
||||||
dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=method,
|
dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=method,
|
||||||
identity=identity, anonymous_identity=anonymous_identity,
|
identity=identity, anonymous_identity=anonymous_identity,
|
||||||
password=password, phase1=phase1, phase2=phase2,
|
password=password, phase1=phase1, phase2=phase2,
|
||||||
ca_cert=ca_cert,
|
ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
|
||||||
wait_connect=False)
|
wait_connect=False)
|
||||||
ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
|
|
@ -104,7 +105,8 @@ def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
|
||||||
hostapd.add_ap(apdev[0]['ifname'], params)
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
eap_connect(dev[0], "TTLS", "mschap user",
|
eap_connect(dev[0], "TTLS", "mschap user",
|
||||||
anonymous_identity="ttls", password="password",
|
anonymous_identity="ttls", password="password",
|
||||||
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
|
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
|
||||||
|
domain_suffix_match="server.w1.fi")
|
||||||
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
|
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
|
||||||
|
|
||||||
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
|
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
|
||||||
|
|
@ -113,7 +115,8 @@ def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
|
||||||
hostapd.add_ap(apdev[0]['ifname'], params)
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
eap_connect(dev[0], "TTLS", "DOMAIN\mschapv2 user",
|
eap_connect(dev[0], "TTLS", "DOMAIN\mschapv2 user",
|
||||||
anonymous_identity="ttls", password="password",
|
anonymous_identity="ttls", password="password",
|
||||||
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
|
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
|
||||||
|
domain_suffix_match="w1.fi")
|
||||||
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
|
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
|
||||||
|
|
||||||
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
|
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
|
||||||
|
|
@ -201,3 +204,56 @@ def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
|
||||||
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
|
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
|
||||||
if ev is None:
|
if ev is None:
|
||||||
raise Exception("Network block disabling not reported")
|
raise Exception("Network block disabling not reported")
|
||||||
|
|
||||||
|
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
|
||||||
|
"""WPA2-Enterprise negative test - domain suffix mismatch"""
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
|
||||||
|
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
|
||||||
|
password="password", phase2="auth=MSCHAPV2",
|
||||||
|
ca_cert="auth_serv/ca.pem",
|
||||||
|
domain_suffix_match="incorrect.example.com",
|
||||||
|
wait_connect=False)
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Association and EAP start timed out")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP method selection timed out")
|
||||||
|
if "TTLS" not in ev:
|
||||||
|
raise Exception("Unexpected EAP method")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
|
||||||
|
"CTRL-EVENT-EAP-SUCCESS",
|
||||||
|
"CTRL-EVENT-EAP-FAILURE",
|
||||||
|
"CTRL-EVENT-CONNECTED",
|
||||||
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP result timed out")
|
||||||
|
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
|
||||||
|
raise Exception("TLS certificate error not reported")
|
||||||
|
if "Domain suffix mismatch" not in ev:
|
||||||
|
raise Exception("Domain suffix mismatch not reported")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
|
||||||
|
"CTRL-EVENT-EAP-FAILURE",
|
||||||
|
"CTRL-EVENT-CONNECTED",
|
||||||
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP result(2) timed out")
|
||||||
|
if "CTRL-EVENT-EAP-FAILURE" not in ev:
|
||||||
|
raise Exception("EAP failure not reported")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
|
||||||
|
"CTRL-EVENT-DISCONNECTED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP result(3) timed out")
|
||||||
|
if "CTRL-EVENT-DISCONNECTED" not in ev:
|
||||||
|
raise Exception("Disconnection not reported")
|
||||||
|
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Network block disabling not reported")
|
||||||
|
|
|
||||||
|
|
@ -457,6 +457,7 @@ class WpaSupplicant:
|
||||||
ieee80211w=None, pairwise=None, group=None, scan_freq=None,
|
ieee80211w=None, pairwise=None, group=None, scan_freq=None,
|
||||||
eap=None, identity=None, anonymous_identity=None,
|
eap=None, identity=None, anonymous_identity=None,
|
||||||
password=None, phase1=None, phase2=None, ca_cert=None,
|
password=None, phase1=None, phase2=None, ca_cert=None,
|
||||||
|
domain_suffix_match=None,
|
||||||
wait_connect=True):
|
wait_connect=True):
|
||||||
logger.info("Connect STA " + self.ifname + " to AP")
|
logger.info("Connect STA " + self.ifname + " to AP")
|
||||||
id = self.add_network()
|
id = self.add_network()
|
||||||
|
|
@ -492,6 +493,9 @@ class WpaSupplicant:
|
||||||
self.set_network_quoted(id, "phase1", phase1)
|
self.set_network_quoted(id, "phase1", phase1)
|
||||||
if phase2:
|
if phase2:
|
||||||
self.set_network_quoted(id, "phase2", phase2)
|
self.set_network_quoted(id, "phase2", phase2)
|
||||||
|
if domain_suffix_match:
|
||||||
|
self.set_network_quoted(id, "domain_suffix_match",
|
||||||
|
domain_suffix_match)
|
||||||
if wait_connect:
|
if wait_connect:
|
||||||
self.connect_network(id)
|
self.connect_network(id)
|
||||||
else:
|
else:
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue