tests: Add domain_suffix_match validation

This verifies that domain_suffix_match works correctly both for the matching and mismatching cases. Signed-hostap: Jouni Malinen <j@w1.fi>
2013-10-20 19:47:39 +03:00 · 2013-10-20 19:47:39 +03:00 · 72c052d525
commit 72c052d525
parent c7afc0789c
2 changed files with 64 additions and 4 deletions
--- a/tests/hwsim/test_ap_eap.py
+++ b/tests/hwsim/test_ap_eap.py
@ -16,11 +16,12 @@ import hwsim_utils
 import hostapd

 def eap_connect(dev, method, identity, anonymous_identity=None, password=None,
-                phase1=None, phase2=None, ca_cert=None):
+                phase1=None, phase2=None, ca_cert=None,
+                domain_suffix_match=None):
    dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=method,
                identity=identity, anonymous_identity=anonymous_identity,
                password=password, phase1=phase1, phase2=phase2,
-                ca_cert=ca_cert,
+                ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
                wait_connect=False)
    ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
@ -104,7 +105,8 @@ def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], "TTLS", "mschap user",
                anonymous_identity="ttls", password="password",
-                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
+                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
@ -113,7 +115,8 @@ def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
-                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
+                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])

 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
@ -201,3 +204,56 @@ def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")
+
+def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
+    """WPA2-Enterprise negative test - domain suffix mismatch"""
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
+    hostapd.add_ap(apdev[0]['ifname'], params)
+    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+                   identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
+                   password="password", phase2="auth=MSCHAPV2",
+                   ca_cert="auth_serv/ca.pem",
+                   domain_suffix_match="incorrect.example.com",
+                   wait_connect=False)
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
+    if ev is None:
+        raise Exception("Association and EAP start timed out")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
+    if ev is None:
+        raise Exception("EAP method selection timed out")
+    if "TTLS" not in ev:
+        raise Exception("Unexpected EAP method")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
+                            "CTRL-EVENT-EAP-SUCCESS",
+                            "CTRL-EVENT-EAP-FAILURE",
+                            "CTRL-EVENT-CONNECTED",
+                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
+    if ev is None:
+        raise Exception("EAP result timed out")
+    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
+        raise Exception("TLS certificate error not reported")
+    if "Domain suffix mismatch" not in ev:
+        raise Exception("Domain suffix mismatch not reported")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
+                            "CTRL-EVENT-EAP-FAILURE",
+                            "CTRL-EVENT-CONNECTED",
+                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
+    if ev is None:
+        raise Exception("EAP result(2) timed out")
+    if "CTRL-EVENT-EAP-FAILURE" not in ev:
+        raise Exception("EAP failure not reported")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
+                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
+    if ev is None:
+        raise Exception("EAP result(3) timed out")
+    if "CTRL-EVENT-DISCONNECTED" not in ev:
+        raise Exception("Disconnection not reported")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
+    if ev is None:
+        raise Exception("Network block disabling not reported")
--- a/tests/hwsim/wpasupplicant.py
+++ b/tests/hwsim/wpasupplicant.py
@ -457,6 +457,7 @@ class WpaSupplicant:
                ieee80211w=None, pairwise=None, group=None, scan_freq=None,
                eap=None, identity=None, anonymous_identity=None,
                password=None, phase1=None, phase2=None, ca_cert=None,
+                domain_suffix_match=None,
                wait_connect=True):
        logger.info("Connect STA " + self.ifname + " to AP")
        id = self.add_network()
@ -492,6 +493,9 @@ class WpaSupplicant:
            self.set_network_quoted(id, "phase1", phase1)
        if phase2:
            self.set_network_quoted(id, "phase2", phase2)
+        if domain_suffix_match:
+            self.set_network_quoted(id, "domain_suffix_match",
+                                    domain_suffix_match)
        if wait_connect:
            self.connect_network(id)
        else: