tests: EAP Re-authentication Protocol (ERP)
This tests RP EAP-Initiate/Re-auth-Start transmission, ERP key derivation, and EAP-Initiate/Re-auth + EAP-Finish/Re-auth exchange and rMSK derivation. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
65d9a5e254
commit
acc9a635c8
5 changed files with 209 additions and 1 deletions
|
@ -10,6 +10,20 @@
|
||||||
"osen@example.com" WFA-UNAUTH-TLS
|
"osen@example.com" WFA-UNAUTH-TLS
|
||||||
"unauth-tls" UNAUTH-TLS
|
"unauth-tls" UNAUTH-TLS
|
||||||
|
|
||||||
|
"erp-fast@example.com" FAST
|
||||||
|
"erp-fast@example.com" GTC "password" [2]
|
||||||
|
"erp-gpsk@example.com" GPSK "abcdefghijklmnop0123456789abcdef"
|
||||||
|
"erp-eke@example.com" EKE "hello"
|
||||||
|
"erp-pax@example.com" PAX 0123456789abcdef0123456789abcdef
|
||||||
|
"erp-peap@example.com" PEAP
|
||||||
|
"erp-peap@example.com" MSCHAPV2 "password" [2]
|
||||||
|
"erp-psk@example.com" PSK 0123456789abcdef0123456789abcdef
|
||||||
|
"erp-pwd@example.com" PWD "secret password"
|
||||||
|
"erp-sake@example.com" SAKE 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
|
||||||
|
"erp-tls@example.com" TLS
|
||||||
|
"erp-ttls@example.com" TTLS
|
||||||
|
"erp-ttls@example.com" TTLS-PAP "password" [2]
|
||||||
|
|
||||||
"vlan1" PAX 0123456789abcdef0123456789abcdef
|
"vlan1" PAX 0123456789abcdef0123456789abcdef
|
||||||
radius_accept_attr=64:d:13
|
radius_accept_attr=64:d:13
|
||||||
radius_accept_attr=65:d:6
|
radius_accept_attr=65:d:6
|
||||||
|
|
|
@ -10,6 +10,7 @@ CONFIG_RSN_PREAUTH=y
|
||||||
CONFIG_TLS=openssl
|
CONFIG_TLS=openssl
|
||||||
|
|
||||||
CONFIG_EAP=y
|
CONFIG_EAP=y
|
||||||
|
CONFIG_ERP=y
|
||||||
CONFIG_EAP_MD5=y
|
CONFIG_EAP_MD5=y
|
||||||
CONFIG_EAP_TLS=y
|
CONFIG_EAP_TLS=y
|
||||||
CONFIG_EAP_MSCHAPV2=y
|
CONFIG_EAP_MSCHAPV2=y
|
||||||
|
|
|
@ -7,6 +7,7 @@ CONFIG_TLS=openssl
|
||||||
|
|
||||||
CONFIG_IEEE8021X_EAPOL=y
|
CONFIG_IEEE8021X_EAPOL=y
|
||||||
|
|
||||||
|
CONFIG_ERP=y
|
||||||
CONFIG_EAP_MD5=y
|
CONFIG_EAP_MD5=y
|
||||||
CONFIG_MSCHAPV2=y
|
CONFIG_MSCHAPV2=y
|
||||||
CONFIG_EAP_TLS=y
|
CONFIG_EAP_TLS=y
|
||||||
|
|
191
tests/hwsim/test_erp.py
Normal file
191
tests/hwsim/test_erp.py
Normal file
|
@ -0,0 +1,191 @@
|
||||||
|
# EAP Re-authentication Protocol (ERP) tests
|
||||||
|
# Copyright (c) 2014, Jouni Malinen <j@w1.fi>
|
||||||
|
#
|
||||||
|
# This software may be distributed under the terms of the BSD license.
|
||||||
|
# See README for more details.
|
||||||
|
|
||||||
|
import logging
|
||||||
|
logger = logging.getLogger()
|
||||||
|
|
||||||
|
import hostapd
|
||||||
|
from test_ap_eap import int_eap_server_params
|
||||||
|
|
||||||
|
def test_erp_initiate_reauth_start(dev, apdev):
|
||||||
|
"""Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
params['erp_send_reauth_start'] = '1'
|
||||||
|
params['erp_domain'] = 'example.com'
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
|
||||||
|
dev[0].request("ERP_FLUSH")
|
||||||
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
||||||
|
eap="PAX", identity="pax.user@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef",
|
||||||
|
scan_freq="2412")
|
||||||
|
|
||||||
|
def test_erp_enabled_on_server(dev, apdev):
|
||||||
|
"""ERP enabled on internal EAP server, but disabled on peer"""
|
||||||
|
params = int_eap_server_params()
|
||||||
|
params['erp_send_reauth_start'] = '1'
|
||||||
|
params['erp_domain'] = 'example.com'
|
||||||
|
params['eap_server_erp'] = '1'
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
|
||||||
|
dev[0].request("ERP_FLUSH")
|
||||||
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
||||||
|
eap="PAX", identity="pax.user@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef",
|
||||||
|
scan_freq="2412")
|
||||||
|
|
||||||
|
def test_erp(dev, apdev):
|
||||||
|
"""ERP enabled on server and peer"""
|
||||||
|
capab = dev[0].get_capability("erp")
|
||||||
|
if not capab or 'ERP' not in capab:
|
||||||
|
return "skip"
|
||||||
|
params = int_eap_server_params()
|
||||||
|
params['erp_send_reauth_start'] = '1'
|
||||||
|
params['erp_domain'] = 'example.com'
|
||||||
|
params['eap_server_erp'] = '1'
|
||||||
|
params['disable_pmksa_caching'] = '1'
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
|
||||||
|
dev[0].request("ERP_FLUSH")
|
||||||
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
||||||
|
eap="PSK", identity="psk.user@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef",
|
||||||
|
erp="1", scan_freq="2412")
|
||||||
|
for i in range(3):
|
||||||
|
dev[0].request("DISCONNECT")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Disconnection timed out")
|
||||||
|
dev[0].request("RECONNECT")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP success timed out")
|
||||||
|
if "EAP re-authentication completed successfully" not in ev:
|
||||||
|
raise Exception("Did not use ERP")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Reconnection timed out")
|
||||||
|
|
||||||
|
def start_erp_as(apdev):
|
||||||
|
params = { "ssid": "as", "beacon_int": "2000",
|
||||||
|
"radius_server_clients": "auth_serv/radius_clients.conf",
|
||||||
|
"radius_server_auth_port": '18128',
|
||||||
|
"eap_server": "1",
|
||||||
|
"eap_user_file": "auth_serv/eap_user.conf",
|
||||||
|
"ca_cert": "auth_serv/ca.pem",
|
||||||
|
"server_cert": "auth_serv/server.pem",
|
||||||
|
"private_key": "auth_serv/server.key",
|
||||||
|
"eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
|
||||||
|
"dh_file": "auth_serv/dh.conf",
|
||||||
|
"pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
|
||||||
|
"eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
|
||||||
|
"eap_fast_a_id_info": "test server",
|
||||||
|
"eap_server_erp": "1",
|
||||||
|
"erp_domain": "example.com" }
|
||||||
|
hostapd.add_ap(apdev['ifname'], params)
|
||||||
|
|
||||||
|
def test_erp_radius(dev, apdev):
|
||||||
|
"""ERP enabled on RADIUS server and peer"""
|
||||||
|
capab = dev[0].get_capability("erp")
|
||||||
|
if not capab or 'ERP' not in capab:
|
||||||
|
return "skip"
|
||||||
|
start_erp_as(apdev[1])
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
params['auth_server_port'] = "18128"
|
||||||
|
params['erp_send_reauth_start'] = '1'
|
||||||
|
params['erp_domain'] = 'example.com'
|
||||||
|
params['disable_pmksa_caching'] = '1'
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
|
||||||
|
dev[0].request("ERP_FLUSH")
|
||||||
|
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
|
||||||
|
eap="PSK", identity="psk.user@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef",
|
||||||
|
erp="1", scan_freq="2412")
|
||||||
|
for i in range(3):
|
||||||
|
dev[0].request("DISCONNECT")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Disconnection timed out")
|
||||||
|
dev[0].request("RECONNECT")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP success timed out")
|
||||||
|
if "EAP re-authentication completed successfully" not in ev:
|
||||||
|
raise Exception("Did not use ERP")
|
||||||
|
ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Reconnection timed out")
|
||||||
|
|
||||||
|
def erp_test(dev, hapd, **kwargs):
|
||||||
|
hapd.dump_monitor()
|
||||||
|
dev.dump_monitor()
|
||||||
|
dev.request("ERP_FLUSH")
|
||||||
|
id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
|
||||||
|
scan_freq="2412", **kwargs)
|
||||||
|
dev.request("DISCONNECT")
|
||||||
|
ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Disconnection timed out")
|
||||||
|
hapd.dump_monitor()
|
||||||
|
dev.request("RECONNECT")
|
||||||
|
ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("EAP success timed out")
|
||||||
|
if "EAP re-authentication completed successfully" not in ev:
|
||||||
|
raise Exception("Did not use ERP")
|
||||||
|
ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("Reconnection timed out")
|
||||||
|
ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
|
||||||
|
if ev is None:
|
||||||
|
raise Exception("No connection event received from hostapd")
|
||||||
|
dev.request("DISCONNECT")
|
||||||
|
|
||||||
|
def test_erp_radius_eap_methods(dev, apdev):
|
||||||
|
"""ERP enabled on RADIUS server and peer"""
|
||||||
|
capab = dev[0].get_capability("erp")
|
||||||
|
if not capab or 'ERP' not in capab:
|
||||||
|
return "skip"
|
||||||
|
start_erp_as(apdev[1])
|
||||||
|
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
|
||||||
|
params['auth_server_port'] = "18128"
|
||||||
|
params['erp_send_reauth_start'] = '1'
|
||||||
|
params['erp_domain'] = 'example.com'
|
||||||
|
params['disable_pmksa_caching'] = '1'
|
||||||
|
hapd = hostapd.add_ap(apdev[0]['ifname'], params)
|
||||||
|
|
||||||
|
erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
|
||||||
|
erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com",
|
||||||
|
password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
|
||||||
|
# TODO: EKE getSession
|
||||||
|
#erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
|
||||||
|
# password="hello")
|
||||||
|
erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
|
||||||
|
password="password", ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
|
||||||
|
phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth_erp")
|
||||||
|
erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com",
|
||||||
|
password="abcdefghijklmnop0123456789abcdef")
|
||||||
|
erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef")
|
||||||
|
# TODO: PEAP (EMSK)
|
||||||
|
#erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
|
||||||
|
# password="password", ca_cert="auth_serv/ca.pem",
|
||||||
|
# phase2="auth=MSCHAPV2")
|
||||||
|
erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef")
|
||||||
|
erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com",
|
||||||
|
password="secret password")
|
||||||
|
erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com",
|
||||||
|
password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
|
||||||
|
erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com",
|
||||||
|
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
|
||||||
|
erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
|
||||||
|
ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
|
||||||
|
private_key="auth_serv/user.key")
|
||||||
|
erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com",
|
||||||
|
password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
|
|
@ -776,7 +776,8 @@ class WpaSupplicant:
|
||||||
"wpa_ptk_rekey", "disable_ht", "disable_vht", "bssid",
|
"wpa_ptk_rekey", "disable_ht", "disable_vht", "bssid",
|
||||||
"disable_max_amsdu", "ampdu_factor", "ampdu_density",
|
"disable_max_amsdu", "ampdu_factor", "ampdu_density",
|
||||||
"disable_ht40", "disable_sgi", "disable_ldpc",
|
"disable_ht40", "disable_sgi", "disable_ldpc",
|
||||||
"ht40_intolerant", "update_identifier", "mac_addr" ]
|
"ht40_intolerant", "update_identifier", "mac_addr",
|
||||||
|
"erp" ]
|
||||||
for field in not_quoted:
|
for field in not_quoted:
|
||||||
if field in kwargs and kwargs[field]:
|
if field in kwargs and kwargs[field]:
|
||||||
self.set_network(id, field, kwargs[field])
|
self.set_network(id, field, kwargs[field])
|
||||||
|
|
Loading…
Reference in a new issue