From b2a1e7fe7ab9ddcd916e57379bee26496606d45a Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 17 Jul 2023 21:11:09 +0300 Subject: [PATCH] tests: PEAP and TTLS phase2_auth behavior Signed-off-by: Jouni Malinen --- tests/hwsim/test_ap_eap.py | 31 ++++++++++++++++++++++++---- tests/hwsim/test_ieee8021x.py | 39 +++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 4 deletions(-) diff --git a/tests/hwsim/test_ap_eap.py b/tests/hwsim/test_ap_eap.py index c3b854d1b..f5c9ad490 100644 --- a/tests/hwsim/test_ap_eap.py +++ b/tests/hwsim/test_ap_eap.py @@ -6353,14 +6353,22 @@ def check_tls_session_resumption_capa(dev, hapd): def test_eap_ttls_pap_session_resumption(dev, apdev): """EAP-TTLS/PAP session resumption""" + run_eap_ttls_pap_session_resumption(dev, apdev, False) + +def test_eap_ttls_pap_session_resumption_force_phase2(dev, apdev): + """EAP-TTLS/PAP session resumption while forcing Phase 2 authentication""" + run_eap_ttls_pap_session_resumption(dev, apdev, True) + +def run_eap_ttls_pap_session_resumption(dev, apdev, phase2_auth): params = int_eap_server_params() params['tls_session_lifetime'] = '60' hapd = hostapd.add_ap(apdev[0], params) check_tls_session_resumption_capa(dev[0], hapd) + phase1 = "phase2_auth=2" if phase2_auth else "" eap_connect(dev[0], hapd, "TTLS", "pap user", anonymous_identity="ttls", password="password", ca_cert="auth_serv/ca.pem", eap_workaround='0', - phase2="auth=PAP") + phase1=phase1, phase2="auth=PAP") if dev[0].get_status_field("tls_session_reused") != '0': raise Exception("Unexpected session resumption on the first connection") 
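Review bot: `run_eap_ttls_pap_session_resumption` takes a bare bool `phase2_auth` but has no docstring, so a reader has to find the `phase1 = "phase2_auth=2" if phase2_auth else ""` line to learn what the flag controls; the same applies to `run_eap_peap_session_resumption` in the @@ -6492 hunk. I would add a docstring such as `"""Connect twice with EAP-TTLS/PAP; with phase2_auth set, Phase 2 authentication is forced via phase1="phase2_auth=2" and the second connection must not resume the TLS session."""`, the expectation being the one checked in the @@ -6371 hunk. Passing `phase1=""` in the unforced case presumably relies on `eap_connect` dropping empty values; if it instead writes an empty phase1 into the network block, the unforced run no longer matches the original test exactly, so worth confirming. The helper's body continues in the next hunk.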
@@ -6371,7 +6379,10 @@ def test_eap_ttls_pap_session_resumption(dev, apdev): ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) if ev is None: raise Exception("Key handshake with the AP timed out") - if dev[0].get_status_field("tls_session_reused") != '1': + reused = dev[0].get_status_field("tls_session_reused") == '1' + if phase2_auth and reused: + raise Exception("Session resumption used on the second connection") + if not phase2_auth and not reused: raise Exception("Session resumption not used on the second connection") hwsim_utils.test_connectivity(dev[0], hapd) @@ -6492,14 +6503,23 @@ def test_eap_ttls_no_session_resumption(dev, apdev): def test_eap_peap_session_resumption(dev, apdev): """EAP-PEAP session resumption""" + run_eap_peap_session_resumption(dev, apdev, False) + +def test_eap_peap_session_resumption_force_phase2(dev, apdev): + """EAP-PEAP session resumption while forcing Phase 2 authentication""" + run_eap_peap_session_resumption(dev, apdev, True) + +def run_eap_peap_session_resumption(dev, apdev, phase2_auth): check_eap_capa(dev[0], "MSCHAPV2") params = int_eap_server_params() params['tls_session_lifetime'] = '60' hapd = hostapd.add_ap(apdev[0], params) check_tls_session_resumption_capa(dev[0], hapd) + phase1 = "phase2_auth=2" if phase2_auth else "" eap_connect(dev[0], hapd, "PEAP", "user", anonymous_identity="peap", password="password", - ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2") + ca_cert="auth_serv/ca.pem", phase1=phase1, + phase2="auth=MSCHAPV2") if dev[0].get_status_field("tls_session_reused") != '0': raise Exception("Unexpected session resumption on the first connection") 
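Review bot: The `reused` check block added here is duplicated verbatim in the @@ -6510 hunk and again in `run_ieee8021x_reauth_peap` in tests/hwsim/test_ieee8021x.py, so the property under test lives in three copies. I would factor it into one helper beside `check_tls_session_resumption_capa` and call `check_tls_session_reused(dev[0], phase2_auth)` at each site. In the forced case the check only establishes that the second connection did not reuse the TLS session; presumably the point of `phase2_auth=2` is that Phase 2 must run again, and a one-line comment saying so would make the assertion's intent clear to the next reader. `run_eap_ttls_pap_session_resumption` starts in the previous hunk.
```python
def check_tls_session_reused(dev, phase2_auth):
    """Verify TLS session resumption state on the second connection.

    With Phase 2 authentication forced (phase1="phase2_auth=2") the session
    must not be resumed; otherwise resumption is expected."""
    reused = dev.get_status_field("tls_session_reused") == '1'
    if phase2_auth and reused:
        raise Exception("Session resumption used on the second connection")
    if not phase2_auth and not reused:
        raise Exception("Session resumption not used on the second connection")
```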
@@ -6510,7 +6530,10 @@ def test_eap_peap_session_resumption(dev, apdev): ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10) if ev is None: raise Exception("Key handshake with the AP timed out") - if dev[0].get_status_field("tls_session_reused") != '1': + reused = dev[0].get_status_field("tls_session_reused") == '1' + if phase2_auth and reused: + raise Exception("Session resumption used on the second connection") + if not phase2_auth and not reused: raise Exception("Session resumption not used on the second connection") def test_eap_peap_session_resumption_crypto_binding(dev, apdev): diff --git a/tests/hwsim/test_ieee8021x.py b/tests/hwsim/test_ieee8021x.py index 630d6d0db..db0b69576 100644 --- a/tests/hwsim/test_ieee8021x.py +++ b/tests/hwsim/test_ieee8021x.py 
@@ -337,6 +337,45 @@ def test_ieee8021x_reauth(dev, apdev):
 time.sleep(0.1)
 hwsim_utils.test_connectivity(dev[0], hapd)
+def test_ieee8021x_reauth_peap(dev, apdev):
+ """IEEE 802.1X and EAPOL_REAUTH request (PEAP and session resumption)"""
+ run_ieee8021x_reauth_peap(dev, apdev, False)
+
+def test_ieee8021x_reauth_peap2(dev, apdev):
+ """IEEE 802.1X and EAPOL_REAUTH request (PEAP and session resumption; Phase 2 auth forced)"""
+ run_ieee8021x_reauth_peap(dev, apdev, True)
+
+def run_ieee8021x_reauth_peap(dev, apdev, phase2_auth):
+ params = {"eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
+ "ca_cert": "auth_serv/ca.pem",
+ "server_cert": "auth_serv/server.pem",
+ "private_key": "auth_serv/server.key",
+ "dh_file": "auth_serv/dh.conf",
+ "tls_session_lifetime": "60"}
+ params["ssid"] = "ieee8021x-open"
+ params["ieee8021x"] = "1"
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ phase1 = "phase2_auth=2" if phase2_auth else ""
+ dev[0].connect("ieee8021x-open", key_mgmt="IEEE8021X", eapol_flags="0",
+ eap="PEAP", identity="user", anonymous_identity="peap",
+ password="password", ca_cert="auth_serv/ca.pem",
+ phase1=phase1, phase2="auth=MSCHAPV2",
+ scan_freq="2412")
+
+ hapd.request("EAPOL_REAUTH " + dev[0].own_addr())
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=5)
+ if ev is None:
+ raise Exception("EAP authentication did not start")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=5)
+ if ev is None:
+ raise Exception("EAP authentication did not succeed")
+ reused = dev[0].get_status_field("tls_session_reused") == '1'
+ if phase2_auth and reused:
+ raise Exception("Session resumption used on the second connection")
+ if not phase2_auth and not reused:
+ raise Exception("Session resumption not used on the second connection")
+
 def test_ieee8021x_reauth_wep(dev, apdev, params):
 """IEEE 802.1X and EAPOL_REAUTH request with WEP"""
 check_wep_capa(dev[0])
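Review bot: `run_ieee8021x_reauth_peap` skips the preconditions that the equivalent test_ap_eap.py helper in this same patch applies: there is no `check_eap_capa(dev[0], "MSCHAPV2")` before the PEAP/MSCHAPv2 connect and no TLS session resumption capability check, so a build without MSCHAPv2 or without resumption support fails instead of being skipped. It also returns right after `CTRL-EVENT-EAP-SUCCESS`, whereas the sibling `test_ieee8021x_reauth` in the context lines above ends with `hwsim_utils.test_connectivity(dev[0], hapd)`; without that, a reauthentication that succeeds at the EAP layer but does not re-authorize the port could still pass. I would add `check_eap_capa(dev[0], "MSCHAPV2")` at the top of the helper (confirm it is importable in this file) and `hwsim_utils.test_connectivity(dev[0], hapd)` after the final `reused` check, and reuse `check_tls_session_resumption_capa` if it can be imported from test_ap_eap.py. The `reused` block is a copy of the one in test_ap_eap.py and would be better shared than repeated.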