From 95a15d793ee6c310be8be037b383878e10578a35 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 28 Jan 2015 15:59:02 +0200
Subject: [PATCH] tests: EAP-GTC server error cases

In addition, no-password-configured coverage extended to EAP-MD5 and EAP-MSCHAPv2 as well.

Signed-off-by: Jouni Malinen
---
 tests/hwsim/auth_serv/eap_user.conf | 2 +
 tests/hwsim/test_ap_eap.py | 80 +++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+)

diff --git a/tests/hwsim/auth_serv/eap_user.conf b/tests/hwsim/auth_serv/eap_user.conf
index 873cf4862..7d52b6e3a 100644
--- a/tests/hwsim/auth_serv/eap_user.conf
+++ b/tests/hwsim/auth_serv/eap_user.conf
@@ -84,6 +84,8 @@ radius_accept_attr=27:d:3
 "utf8-user-hash" TTLS-MSCHAPV2 hash:bd5844fad2489992da7fe8c5a01559cf [2]
 "user" MSCHAPV2,MD5,GTC "password" [2]
+"user2" MSCHAPV2,MD5,GTC "password" [2]
+"user-no-passwd" MSCHAPV2,MD5,GTC [2]
 "cert user" TLS [2]
 "hs20-deauth-test" TTLS-MSCHAPV2 "password" [2]
diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py
index 600fcfae2..6baef7a4e 100644
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@@ -906,6 +906,48 @@ def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
 hwsim_utils.test_connectivity(dev[0], hapd)
 eap_reauth(dev[0], "TTLS")

+def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ eap_connect(dev[0], apdev[0], "TTLS", "user",
+ anonymous_identity="ttls", password="wrong",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+ expect_failure=True)
+
+def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+ expect_failure=True)
+
+def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
+ params = int_eap_server_params()
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ with alloc_fail(hapd, 1, "eap_gtc_init"):
+ eap_connect(dev[0], apdev[0], "TTLS", "user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+ expect_failure=True)
+ dev[0].request("REMOVE_NETWORK all")
+
+ with alloc_fail(hapd, 1, "eap_gtc_buildReq"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
+ eap="TTLS", identity="user",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
+ wait_connect=False, scan_freq="2412")
+ # This would eventually time out, but we can stop after having reached
+ # the allocation failure.
+ for i in range(20):
+ time.sleep(0.1)
+ if hapd.request("GET_ALLOC_FAIL").startswith('0'):
+ break
+
 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
@@ -925,6 +967,15 @@ def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
 expect_failure=True)

+def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
+ expect_failure=True)
+
 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
 params = int_eap_server_params()
@@ -966,6 +1017,15 @@ def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
 expect_failure=True)

+def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
+ """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ eap_connect(dev[0], apdev[0], "TTLS", "user-no-passwd",
+ anonymous_identity="ttls", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
+ expect_failure=True)
+
 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
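Review bot: In test_ap_wpa2_eap_ttls_eap_gtc_server_oom, the polling loop after the eap_gtc_buildReq connect exits silently when all 20 iterations elapse without GET_ALLOC_FAIL reporting a zero count, so the test can pass without the allocation-failure path ever having been reached. Unless alloc_fail itself checks this on exit (its definition is outside the hunk), the loop should fail explicitly, e.g. a `for`/`else` ending in `raise Exception("Allocation failure not triggered")`. The loop index `i` is unused and could be `_`. Indentation is lost on this page, so whether the loop sits inside the second `with` block cannot be confirmed from here.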
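Review bot: test_ap_wpa2_eap_ttls_eap_md5_no_password asserts only `expect_failure=True`, which does not show that the rejection came from the missing server-side password rather than from an unrelated failure such as an unknown identity or a certificate problem; the same holds for the GTC variant in the previous hunk and the MSCHAPv2 variant in the next one. A comment would make the intent reviewable, for example `# user-no-passwd has no password in eap_user.conf; the server must reject it whatever the client sends`. If eap_connect (defined outside this hunk) exposes the stage at which authentication failed, checking it would tie the test to the Phase 2 method. `hapd` is assigned but not used in these three tests.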
@@ -1981,6 +2041,26 @@ def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
 if res['tls_session_reused'] != '1':
 raise Exception("EAP-FAST could not use PAC session ticket")

+def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
+ """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
+ check_eap_capa(dev[0], "FAST")
+ params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+ hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ id = eap_connect(dev[0], apdev[0], "FAST", "user",
+ anonymous_identity="FAST", password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
+ phase1="fast_provisioning=2",
+ pac_file="blob://fast_pac_auth")
+ dev[0].set_network_quoted(id, "identity", "user2")
+ dev[0].wait_disconnected()
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
+ if ev is None:
+ raise Exception("EAP-FAST not started")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5)
+ if ev is None:
+ raise Exception("EAP failure not reported")
+ dev[0].wait_disconnected()
+
 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
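Review bot: The docstring of test_ap_wpa2_eap_fast_gtc_identity_change does not say what outcome is expected, and the reason is not obvious from the test alone: user2 is given the same password as user in eap_user.conf, so the EAP failure the test waits for presumably comes from the identity change itself rather than from bad credentials. I would state that in the docstring, e.g. `"""EAP-FAST/GTC: changing the identity after a successful connection must be rejected"""`, adjusted to whatever the server actually enforces. The first wait accepts any CTRL-EVENT-EAP-METHOD event although the error text says "EAP-FAST not started", so it does not confirm which method was selected. `id` shadows the Python builtin; a name such as `netid` would be clearer.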