From 82a8f5b533096c37142b45df991dcbcc415a74b7 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sat, 17 May 2014 22:52:40 +0300
Subject: [PATCH] tests: Incorrect/missing password with TTLS non-EAP methods

Incorrect password was already tested with TTLS/MSCHAPv2, but the other
non-EAP inner methods in TTLS use their own implementation of password
validation, so check each and also verify the case of no matching EAP
user entry for the specific method.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 tests/hwsim/test_ap_eap.py | 53 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 51 insertions(+), 2 deletions(-)

diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 25b6720c4..e9ecefb9a 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -445,6 +445,19 @@ def test_ap_wpa2_eap_ttls_pap(dev, apdev):
     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
 
+def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
+    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
+                anonymous_identity="ttls", password="wrong",
+                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+                expect_failure=True)
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
+                anonymous_identity="ttls", password="password",
+                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+                expect_failure=True)
+
 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
@@ -456,6 +469,19 @@ def test_ap_wpa2_eap_ttls_chap(dev, apdev):
     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
     eap_reauth(dev[0], "TTLS")
 
+def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
+    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
+                anonymous_identity="ttls", password="wrong",
+                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
+                expect_failure=True)
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
+                anonymous_identity="ttls", password="password",
+                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
+                expect_failure=True)
+
 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
@@ -472,6 +498,23 @@ def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                 fragment_size="200")
 
+def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
+    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
+                anonymous_identity="ttls", password="wrong",
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                expect_failure=True)
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
+                anonymous_identity="ttls", password="password",
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                expect_failure=True)
+    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
+                anonymous_identity="ttls", password="password",
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                expect_failure=True)
+
 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
@@ -501,12 +544,18 @@ def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
 
-    logger.info("Negative test with incorrect password")
-    dev[0].request("REMOVE_NETWORK all")
+def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
+    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
                 anonymous_identity="ttls", password="password1",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                 expect_failure=True)
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
+                anonymous_identity="ttls", password="password",
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
+                expect_failure=True)
 
 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""