tests: Add domain_suffix_match validation

This verifies that domain_suffix_match works correctly both for the
matching and mismatching cases.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2013-10-20 19:47:39 +03:00
parent c7afc0789c
commit 72c052d525
2 changed files with 64 additions and 4 deletions

View file

@ -16,11 +16,12 @@ import hwsim_utils
import hostapd import hostapd
def eap_connect(dev, method, identity, anonymous_identity=None, password=None, def eap_connect(dev, method, identity, anonymous_identity=None, password=None,
phase1=None, phase2=None, ca_cert=None): phase1=None, phase2=None, ca_cert=None,
domain_suffix_match=None):
dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=method, dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=method,
identity=identity, anonymous_identity=anonymous_identity, identity=identity, anonymous_identity=anonymous_identity,
password=password, phase1=phase1, phase2=phase2, password=password, phase1=phase1, phase2=phase2,
ca_cert=ca_cert, ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
wait_connect=False) wait_connect=False)
ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None: if ev is None:
@ -104,7 +105,8 @@ def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
hostapd.add_ap(apdev[0]['ifname'], params) hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], "TTLS", "mschap user", eap_connect(dev[0], "TTLS", "mschap user",
anonymous_identity="ttls", password="password", anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP") ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
domain_suffix_match="server.w1.fi")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname']) hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev): def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
@ -113,7 +115,8 @@ def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
hostapd.add_ap(apdev[0]['ifname'], params) hostapd.add_ap(apdev[0]['ifname'], params)
eap_connect(dev[0], "TTLS", "DOMAIN\mschapv2 user", eap_connect(dev[0], "TTLS", "DOMAIN\mschapv2 user",
anonymous_identity="ttls", password="password", anonymous_identity="ttls", password="password",
ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2") ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
domain_suffix_match="w1.fi")
hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname']) hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev): def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
@ -201,3 +204,56 @@ def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10) ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
if ev is None: if ev is None:
raise Exception("Network block disabling not reported") raise Exception("Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
"""WPA2-Enterprise negative test - domain suffix mismatch"""
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
hostapd.add_ap(apdev[0]['ifname'], params)
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
password="password", phase2="auth=MSCHAPV2",
ca_cert="auth_serv/ca.pem",
domain_suffix_match="incorrect.example.com",
wait_connect=False)
ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
if ev is None:
raise Exception("Association and EAP start timed out")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
if ev is None:
raise Exception("EAP method selection timed out")
if "TTLS" not in ev:
raise Exception("Unexpected EAP method")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
"CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result timed out")
if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
raise Exception("TLS certificate error not reported")
if "Domain suffix mismatch" not in ev:
raise Exception("Domain suffix mismatch not reported")
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
"CTRL-EVENT-EAP-FAILURE",
"CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(2) timed out")
if "CTRL-EVENT-EAP-FAILURE" not in ev:
raise Exception("EAP failure not reported")
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
"CTRL-EVENT-DISCONNECTED"], timeout=10)
if ev is None:
raise Exception("EAP result(3) timed out")
if "CTRL-EVENT-DISCONNECTED" not in ev:
raise Exception("Disconnection not reported")
ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
if ev is None:
raise Exception("Network block disabling not reported")

View file

@ -457,6 +457,7 @@ class WpaSupplicant:
ieee80211w=None, pairwise=None, group=None, scan_freq=None, ieee80211w=None, pairwise=None, group=None, scan_freq=None,
eap=None, identity=None, anonymous_identity=None, eap=None, identity=None, anonymous_identity=None,
password=None, phase1=None, phase2=None, ca_cert=None, password=None, phase1=None, phase2=None, ca_cert=None,
domain_suffix_match=None,
wait_connect=True): wait_connect=True):
logger.info("Connect STA " + self.ifname + " to AP") logger.info("Connect STA " + self.ifname + " to AP")
id = self.add_network() id = self.add_network()
@ -492,6 +493,9 @@ class WpaSupplicant:
self.set_network_quoted(id, "phase1", phase1) self.set_network_quoted(id, "phase1", phase1)
if phase2: if phase2:
self.set_network_quoted(id, "phase2", phase2) self.set_network_quoted(id, "phase2", phase2)
if domain_suffix_match:
self.set_network_quoted(id, "domain_suffix_match",
domain_suffix_match)
if wait_connect: if wait_connect:
self.connect_network(id) self.connect_network(id)
else: else: