diff --git a/tests/hwsim/auth_serv/eap_user.conf b/tests/hwsim/auth_serv/eap_user.conf index 142dd4e12..963fff3d0 100644 --- a/tests/hwsim/auth_serv/eap_user.conf +++ b/tests/hwsim/auth_serv/eap_user.conf @@ -108,7 +108,8 @@ radius_accept_attr=56:x:32000011 "6"* AKA' "7"* AKA' "8"* AKA' -* TTLS,TLS,PEAP,FAST,SIM,AKA',AKA +"TEAP" TEAP +* TTLS,TLS,PEAP,FAST,TEAP,SIM,AKA',AKA "0"* AKA [2] "1"* SIM [2] @@ -139,6 +140,8 @@ radius_accept_attr=56:x:32000011 "user-no-passwd" MSCHAPV2,MD5,GTC [2] "cert user" TLS [2] "user-secret" GTC "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25" [2] +"user-pwd-2" PWD "password" [2] +"user-eke-2" EKE "password" [2] "hs20-deauth-test" TTLS-MSCHAPV2 "password" [2] radius_accept_attr=26:x:00009f680405016400 diff --git a/tests/hwsim/example-hostapd.config b/tests/hwsim/example-hostapd.config index ace1dbc14..09d3627dd 100644 --- a/tests/hwsim/example-hostapd.config +++ b/tests/hwsim/example-hostapd.config @@ -27,6 +27,7 @@ CONFIG_EAP_PAX=y CONFIG_EAP_PSK=y CONFIG_EAP_VENDOR_TEST=y CONFIG_EAP_FAST=y +CONFIG_EAP_TEAP=y CONFIG_EAP_IKEV2=y CONFIG_EAP_TNC=y CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\" diff --git a/tests/hwsim/example-wpa_supplicant.config b/tests/hwsim/example-wpa_supplicant.config index a7db457fc..846a02e76 100644 --- a/tests/hwsim/example-wpa_supplicant.config +++ b/tests/hwsim/example-wpa_supplicant.config @@ -32,6 +32,7 @@ CONFIG_EAP_TNC=y CFLAGS += -DTNC_CONFIG_FILE=\"tnc/tnc_config\" LIBS += -rdynamic CONFIG_EAP_FAST=y +CONFIG_EAP_TEAP=y CONFIG_EAP_IKEV2=y ifeq ($(CONFIG_TLS), openssl) diff --git a/tests/hwsim/test_eap.py b/tests/hwsim/test_eap.py new file mode 100644 index 000000000..cb1d08d95 --- /dev/null +++ b/tests/hwsim/test_eap.py 
@@ -0,0 +1,184 @@ +# EAP authentication tests +# Copyright (c) 2019, Jouni Malinen +# +# This software may be distributed under the terms of the BSD license. +# See README for more details. + +import hostapd + +from test_ap_eap import check_eap_capa, int_eap_server_params, eap_connect, \ + eap_reauth + +def int_teap_server_params(eap_teap_auth=None, eap_teap_pac_no_inner=None): + params = int_eap_server_params() + params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff00" + params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff00" + params['eap_fast_a_id_info'] = "test server 0" + if eap_teap_auth: + params['eap_teap_auth'] = eap_teap_auth + if eap_teap_pac_no_inner: + params['eap_teap_pac_no_inner'] = eap_teap_pac_no_inner + return params + +def test_eap_teap_eap_mschapv2(dev, apdev): + """EAP-TEAP with inner EAP-MSCHAPv2""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "MSCHAPV2") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac") + eap_reauth(dev[0], "TEAP") + +def test_eap_teap_eap_pwd(dev, apdev): + """EAP-TEAP with inner EAP-PWD""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "PWD") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user-pwd-2", + anonymous_identity="TEAP", password="password", + ca_cert="auth_serv/ca.pem", phase2="auth=PWD", + pac_file="blob://teap_pac") + +def test_eap_teap_eap_eke(dev, apdev): + """EAP-TEAP with inner EAP-EKE""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "EKE") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user-eke-2", + anonymous_identity="TEAP", password="password", + 
ca_cert="auth_serv/ca.pem", phase2="auth=EKE", + pac_file="blob://teap_pac") + +def test_eap_teap_basic_password_auth(dev, apdev): + """EAP-TEAP with Basic-Password-Auth""" + check_eap_capa(dev[0], "TEAP") + params = int_teap_server_params(eap_teap_auth="1") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + ca_cert="auth_serv/ca.pem", + pac_file="blob://teap_pac") + +def test_eap_teap_basic_password_auth_failure(dev, apdev): + """EAP-TEAP with Basic-Password-Auth failure""" + check_eap_capa(dev[0], "TEAP") + params = int_teap_server_params(eap_teap_auth="1") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="incorrect", + ca_cert="auth_serv/ca.pem", + pac_file="blob://teap_pac", expect_failure=True) + +def test_eap_teap_basic_password_auth_no_password(dev, apdev): + """EAP-TEAP with Basic-Password-Auth and no password configured""" + check_eap_capa(dev[0], "TEAP") + params = int_teap_server_params(eap_teap_auth="1") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", + ca_cert="auth_serv/ca.pem", + pac_file="blob://teap_pac", expect_failure=True) + +def test_eap_teap_peer_outer_tlvs(dev, apdev): + """EAP-TEAP with peer Outer TLVs""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "MSCHAPV2") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac", phase1="teap_test_outer_tlvs=1") + +def test_eap_teap_eap_mschapv2_pac(dev, apdev): + """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "MSCHAPV2") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + 
hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + phase1="teap_provisioning=2", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac") + res = eap_reauth(dev[0], "TEAP") + if res['tls_session_reused'] != '1': + raise Exception("EAP-TEAP could not use PAC session ticket") + +def test_eap_teap_eap_mschapv2_pac_no_inner_eap(dev, apdev): + """EAP-TEAP with inner EAP-MSCHAPv2 and PAC without inner EAP""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "MSCHAPV2") + params = int_teap_server_params(eap_teap_pac_no_inner="1") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + phase1="teap_provisioning=2", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac") + res = eap_reauth(dev[0], "TEAP") + if res['tls_session_reused'] != '1': + raise Exception("EAP-TEAP could not use PAC session ticket") + +def test_eap_teap_eap_mschapv2_pac_no_ca_cert(dev, apdev): + """EAP-TEAP with inner EAP-MSCHAPv2 and PAC provisioning attempt without ca_cert""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "MSCHAPV2") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + phase1="teap_provisioning=2", + phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac") + res = eap_reauth(dev[0], "TEAP") + if res['tls_session_reused'] == '1': + raise Exception("Unexpected use of PAC session ticket") + +def test_eap_teap_basic_password_auth_pac(dev, apdev): + """EAP-TEAP with Basic-Password-Auth and PAC""" + check_eap_capa(dev[0], "TEAP") + params = int_teap_server_params(eap_teap_auth="1") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", 
+ phase1="teap_provisioning=2", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac") + res = eap_reauth(dev[0], "TEAP") + if res['tls_session_reused'] != '1': + raise Exception("EAP-TEAP could not use PAC session ticket") + +def test_eap_teap_basic_password_auth_pac_no_inner_eap(dev, apdev): + """EAP-TEAP with Basic-Password-Auth and PAC without inner auth""" + check_eap_capa(dev[0], "TEAP") + params = int_teap_server_params(eap_teap_auth="1", + eap_teap_pac_no_inner="1") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user", + anonymous_identity="TEAP", password="password", + phase1="teap_provisioning=2", + ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2", + pac_file="blob://teap_pac") + res = eap_reauth(dev[0], "TEAP") + if res['tls_session_reused'] != '1': + raise Exception("EAP-TEAP could not use PAC session ticket") + +def test_eap_teap_eap_eke_unauth_server_prov(dev, apdev): + """EAP-TEAP with inner EAP-EKE and unauthenticated server provisioning""" + check_eap_capa(dev[0], "TEAP") + check_eap_capa(dev[0], "EKE") + params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap") + hapd = hostapd.add_ap(apdev[0], params) + eap_connect(dev[0], hapd, "TEAP", "user-eke-2", + anonymous_identity="TEAP", password="password", + phase1="teap_provisioning=1", + phase2="auth=EKE", pac_file="blob://teap_pac") + res = eap_reauth(dev[0], "TEAP") + if res['tls_session_reused'] != '1': + raise Exception("EAP-TEAP could not use PAC session ticket")
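Review bot: `test_eap_teap_basic_password_auth_pac` and `test_eap_teap_basic_password_auth_pac_no_inner_eap` pass `phase2="auth=MSCHAPV2"` to `eap_connect` although the server is configured with `int_teap_server_params(eap_teap_auth="1")`, and the three Basic-Password-Auth tests without PAC omit `phase2` entirely. Neither test calls `check_eap_capa(dev[0], "MSCHAPV2")`, so it is unclear from the hunk whether the argument is a copy-paste leftover or a real dependency. If the inner EAP method is presumably never negotiated in this mode, drop `phase2="auth=MSCHAPV2"` from both calls so the tests exercise only what their docstrings name; otherwise add `check_eap_capa(dev[0], "MSCHAPV2")` as the MSCHAPv2 tests do. Separately, `test_eap_teap_eap_mschapv2_pac_no_ca_cert` appears to pin a security property and would benefit from a comment such as `# No ca_cert: server is not validated, so the PAC must not be reused on reauth` above the `tls_session_reused` check.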