diff --git a/tests/hwsim/dictionary.radius b/tests/hwsim/dictionary.radius new file mode 100644 index 000000000..dfd3d42a5 --- /dev/null +++ b/tests/hwsim/dictionary.radius @@ -0,0 +1,9 @@ +ATTRIBUTE User-Name 1 string +ATTRIBUTE User-Password 2 string +ATTRIBUTE Calling-Station-Id 31 string +ATTRIBUTE NAS-Identifier 32 string +ATTRIBUTE Acct-Session-Id 44 string +ATTRIBUTE Event-Timestamp 55 date +ATTRIBUTE Message-Authenticator 80 octets +ATTRIBUTE Chargeable-User-Identity 89 string +ATTRIBUTE Error-Cause 101 integer diff --git a/tests/hwsim/radius_das.py b/tests/hwsim/radius_das.py new file mode 100644 index 000000000..b22f02cbf --- /dev/null +++ b/tests/hwsim/radius_das.py @@ -0,0 +1,29 @@ +#!/usr/bin/python +# +# RADIUS DAS extensions to pyrad +# Copyright (c) 2014, Jouni Malinen +# +# This software may be distributed under the terms of the BSD license. +# See README for more details. + +import hashlib +import random +import struct +import pyrad.packet + +class DisconnectPacket(pyrad.packet.Packet): + def __init__(self, code=pyrad.packet.DisconnectRequest, id=None, + secret=None, authenticator=None, **attributes): + pyrad.packet.Packet.__init__(self, code, id, secret, authenticator, + **attributes) + + def RequestPacket(self): + attr = self._PktEncodeAttributes() + + if self.id is None: + self.id = random.randrange(0, 256) + + header = struct.pack('!BBH', self.code, self.id, (20 + len(attr))) + self.authenticator = hashlib.md5(header[0:4] + 16 * b'\x00' + attr + + self.secret).digest() + return header + self.authenticator + attr diff --git a/tests/hwsim/test_radius.py b/tests/hwsim/test_radius.py index 70f85ffd0..e177549e8 100644 --- a/tests/hwsim/test_radius.py +++ b/tests/hwsim/test_radius.py @@ -1,7 +1,7 @@ #!/usr/bin/python # # RADIUS tests -# Copyright (c) 2013, Jouni Malinen +# Copyright (c) 2013-2014, Jouni Malinen # # This software may be distributed under the terms of the BSD license. # See README for more details. @@ -93,3 +93,217 @@ def test_radius_acct(dev, apdev): acc_e = int(as_mib_end['radiusAuthServAccessAccepts']) if acc_e < acc_s + 1: raise Exception("Unexpected RADIUS server auth MIB value") + +def test_radius_das_disconnect(dev, apdev): + """RADIUS Dynamic Authorization Extensions - Disconnect""" + try: + import pyrad.client + import pyrad.packet + import pyrad.dictionary + import radius_das + except ImportError: + return "skip" + + params = hostapd.wpa2_eap_params(ssid="radius-das") + params['radius_das_port'] = "3799" + params['radius_das_client'] = "127.0.0.1 secret" + params['radius_das_require_event_timestamp'] = "1" + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + connect(dev[0], "radius-das") + addr = dev[0].p2p_interface_addr() + sta = hapd.get_sta(addr) + id = sta['dot1xAuthSessionId'] + + dict = pyrad.dictionary.Dictionary("dictionary.radius") + + srv = pyrad.client.Client(server="127.0.0.1", acctport=3799, + secret="secret", dict=dict) + srv.retries = 1 + srv.timeout = 1 + + logger.info("Disconnect-Request with incorrect secret") + req = radius_das.DisconnectPacket(dict=dict, secret="incorrect", + User_Name="foo", + NAS_Identifier="localhost", + Event_Timestamp=int(time.time())) + logger.debug(req) + try: + reply = srv.SendPacket(req) + raise Exception("Unexpected response to Disconnect-Request") + except pyrad.client.Timeout: + logger.info("Disconnect-Request with incorrect secret properly ignored") + + logger.info("Disconnect-Request without Event-Timestamp") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + User_Name="psk.user@example.com") + logger.debug(req) + try: + reply = srv.SendPacket(req) + raise Exception("Unexpected response to Disconnect-Request") + except pyrad.client.Timeout: + logger.info("Disconnect-Request without Event-Timestamp properly ignored") + + logger.info("Disconnect-Request with non-matching Event-Timestamp") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + User_Name="psk.user@example.com", + Event_Timestamp=123456789) + logger.debug(req) + try: + reply = srv.SendPacket(req) + raise Exception("Unexpected response to Disconnect-Request") + except pyrad.client.Timeout: + logger.info("Disconnect-Request with non-matching Event-Timestamp properly ignored") + + logger.info("Disconnect-Request with unsupported attribute") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + User_Name="foo", + User_Password="foo", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectNAK: + raise Exception("Unexpected response code") + if 'Error-Cause' not in reply: + raise Exception("Missing Error-Cause") + if reply['Error-Cause'][0] != 401: + raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause'])) + + logger.info("Disconnect-Request with invalid Calling-Station-Id") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + User_Name="foo", + Calling_Station_Id="foo", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectNAK: + raise Exception("Unexpected response code") + if 'Error-Cause' not in reply: + raise Exception("Missing Error-Cause") + if reply['Error-Cause'][0] != 407: + raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause'])) + + logger.info("Disconnect-Request with mismatching User-Name") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + User_Name="foo", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectNAK: + raise Exception("Unexpected response code") + if 'Error-Cause' not in reply: + raise Exception("Missing Error-Cause") + if reply['Error-Cause'][0] != 503: + raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause'])) + + logger.info("Disconnect-Request with mismatching Calling-Station-Id") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + Calling_Station_Id="12:34:56:78:90:aa", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectNAK: + raise Exception("Unexpected response code") + if 'Error-Cause' not in reply: + raise Exception("Missing Error-Cause") + if reply['Error-Cause'][0] != 503: + raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause'])) + + logger.info("Disconnect-Request with mismatching Acct-Session-Id") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + Acct_Session_Id="12345678-87654321", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectNAK: + raise Exception("Unexpected response code") + if 'Error-Cause' not in reply: + raise Exception("Missing Error-Cause") + if reply['Error-Cause'][0] != 503: + raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause'])) + + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1) + if ev is not None: + raise Exception("Unexpected disconnection") + + logger.info("Disconnect-Request with matching Acct-Session-Id") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + Acct_Session_Id=id, + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectACK: + raise Exception("Unexpected response code") + + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for disconnection") + ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for re-connection") + + logger.info("Disconnect-Request with matching User-Name") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + User_Name="psk.user@example.com", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectACK: + raise Exception("Unexpected response code") + + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for disconnection") + ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for re-connection") + + logger.info("Disconnect-Request with matching Calling-Station-Id") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + Calling_Station_Id=addr, + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectACK: + raise Exception("Unexpected response code") + + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for disconnection") + ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for re-connection") + + logger.info("Disconnect-Request with matching Calling-Station-Id and non-matching CUI") + req = radius_das.DisconnectPacket(dict=dict, secret="secret", + Calling_Station_Id=addr, + Chargeable_User_Identity="foo@example.com", + Event_Timestamp=int(time.time())) + reply = srv.SendPacket(req) + logger.debug("RADIUS response from hostapd") + for i in reply.keys(): + logger.debug("%s: %s" % (i, reply[i])) + if reply.code != pyrad.packet.DisconnectACK: + raise Exception("Unexpected response code") + + ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for disconnection") + ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"]) + if ev is None: + raise Exception("Timeout while waiting for re-connection")