1 # hostapd authentication server tests
2 # Copyright (c) 2017, Jouni Malinen
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6 
7 import hostapd
8 from utils import alloc_fail, fail_test, wait_fail_trigger
9 
def authsrv_params():
    """Return the hostapd configuration for the standalone authentication server.

    The server listens for RADIUS authentication on port 18128, takes its
    permitted RADIUS clients from auth_serv/radius_clients.conf and its EAP
    users from auth_serv/eap_user.conf; eap_sim_db points at the hlr_auc_gw
    UNIX socket. The TLS identity (ca_cert, server_cert, private_key) is the
    test PKI shipped under auth_serv/. A fresh dict is built on every call,
    so callers may modify the result without affecting other tests.
    """
    return dict(
        ssid="as",
        beacon_int="2000",
        radius_server_clients="auth_serv/radius_clients.conf",
        radius_server_auth_port='18128',
        eap_server="1",
        eap_user_file="auth_serv/eap_user.conf",
        eap_sim_db="unix:/tmp/hlr_auc_gw.sock",
        ca_cert="auth_serv/ca.pem",
        server_cert="auth_serv/server.pem",
        private_key="auth_serv/server.key",
        eap_message="hello",
    )
22 
def test_authsrv_oom(dev, apdev):
    """Authentication server OOM

    Brings up a standalone RADIUS/EAP authentication server on apdev[1] and an
    AP on apdev[0] that authenticates against it, then drives one supplicant
    attempt per failure point injected into the server (utils.alloc_fail /
    utils.fail_test). The expected outcome of each attempt is encoded next to
    it: an EAP failure event, a disconnection, or (srv_log case) a normal
    connection. Finally the server is disabled and ENABLE is expected to fail
    while allocation failures are injected into its start-up path.
    """
    authsrv = hostapd.add_ap(apdev[1], authsrv_params())

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].scan_for_bss(hapd.own_addr(), 2412)

    def connect(**extra):
        # Same TTLS/GTC profile for every attempt; callers only vary whether
        # the call blocks until association (wait_connect).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       scan_freq="2412", **extra)

    def remove_network(wait_disconnect=True):
        # Drop the profile, optionally wait for the link to go down, and flush
        # queued events so the next attempt starts from a clean monitor.
        dev[0].request("REMOVE_NETWORK all")
        if wait_disconnect:
            dev[0].wait_disconnected()
        dev[0].dump_monitor()

    def expect_enable_failure():
        if "FAIL" not in authsrv.request("ENABLE"):
            raise Exception("ENABLE succeeded during OOM")

    # EAP user lookup fails: the supplicant must see an explicit EAP failure.
    with alloc_fail(authsrv, 1, "hostapd_radius_get_eap_user"):
        connect(wait_connect=False)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
        if ev is None:
            raise Exception("EAP failure not reported")
    remove_network()

    # Allocation failure in server logging: connect() is left to wait for the
    # association, i.e. the connection is still expected to complete.
    with alloc_fail(authsrv, 1, "srv_log"):
        connect()
    remove_network()

    # Session setup failures: each attempt must end in a disconnection.
    session_cases = [(1, "radius_server_new_session"),
                     (2, "=radius_server_get_new_session"),
                     (1, "eap_server_sm_init")]
    for max_count, func in session_cases:
        for count in range(1, max_count + 1):
            with alloc_fail(authsrv, count, func):
                connect(wait_connect=False)
                dev[0].wait_disconnected()
            remove_network(wait_disconnect=False)

    # Failures while building or receiving RADIUS messages: only confirm that
    # the injected failure point was actually reached.
    for func in ["radius_server_encapsulate_eap",
                 "radius_server_receive_auth"]:
        with alloc_fail(authsrv, 1, func):
            connect(wait_connect=False)
            wait_fail_trigger(authsrv, "GET_ALLOC_FAIL")
        remove_network()

    for func in ["radius_msg_add_attr;radius_server_encapsulate_eap",
                 "radius_msg_add_eap;radius_server_encapsulate_eap",
                 "radius_msg_finish_srv;radius_server_encapsulate_eap"]:
        with fail_test(authsrv, 1, func):
            connect(wait_connect=False)
            wait_fail_trigger(authsrv, "GET_FAIL")
        remove_network()

    # Failure while building the reject message that follows a session
    # allocation failure. The network is removed while alloc_fail is still
    # armed, so keep the cleanup inside the outer context.
    for func in ["radius_msg_add_eap;radius_server_reject",
                 "radius_msg_finish_srv;radius_server_reject"]:
        with alloc_fail(authsrv, 1, "radius_server_get_new_session"):
            with fail_test(authsrv, 1, func):
                connect(wait_connect=False)
                wait_fail_trigger(authsrv, "GET_FAIL")
            remove_network()

    # Start-up path: ENABLE must fail cleanly under every injected allocation
    # failure. Each entry is (number of allocation sites to fail in turn,
    # failure point).
    authsrv.disable()
    startup_cases = [
        (2, "radius_server_init;hostapd_setup_radius_srv"),
        (3, "radius_server_read_clients;radius_server_init;hostapd_setup_radius_srv"),
        (1, "eloop_sock_table_add_sock;radius_server_init;hostapd_setup_radius_srv"),
        (1, "tls_init;authsrv_init"),
        (2, "eap_sim_db_init;authsrv_init"),
    ]
    for max_count, func in startup_cases:
        for count in range(1, max_count + 1):
            with alloc_fail(authsrv, count, func):
                expect_enable_failure()
167 
def test_authsrv_errors_1(dev, apdev):
    """Authentication server errors (1)

    An eap_user_file that names a non-existent SQLite database must make
    ENABLE fail instead of starting the server without a usable user store.
    """
    params = dict(authsrv_params(),
                  eap_user_file="sqlite:auth_serv/does-not-exist/does-not-exist")
    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
    reply = authsrv.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("ENABLE succeeded with invalid SQLite EAP user file")
175 
def test_authsrv_errors_2(dev, apdev):
    """Authentication server errors (2)

    A radius_server_clients path that does not exist must make ENABLE fail
    instead of starting the server without a usable RADIUS client list.
    """
    params = dict(authsrv_params(),
                  radius_server_clients="auth_serv/does-not-exist")
    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
    reply = authsrv.request("ENABLE")
    if "FAIL" not in reply:
        raise Exception("ENABLE succeeded with invalid RADIUS client file")
183 
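def test_authsrv_errors_3(dev, apdev):
    """Authentication server errors (3)

    An eap_sim_db value whose db= path does not exist must make ENABLE fail.
    """
    params = authsrv_params()
    params["eap_sim_db"] = "unix:/tmp/hlr_auc_gw.sock db=auth_serv/does-not-exist/does-not-exist"
    authsrv = hostapd.add_ap(apdev[1], params, no_enable=True)
    if "FAIL" not in authsrv.request("ENABLE"):
        # The option under test is eap_sim_db; the message must not claim
        # the RADIUS client file was at fault.
        raise Exception("ENABLE succeeded with invalid EAP-SIM DB file")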
191 
def test_authsrv_testing_options(dev, apdev):
    """Authentication server and testing options

    Connects once per anonymous identity from the list below; the identity is
    presumably what selects a server-side test mode. Every attempt is expected
    to complete (connect() waits for association).
    """
    authsrv = hostapd.add_ap(apdev[1], authsrv_params())

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].scan_for_bss(hapd.own_addr(), 2412)
    # The first two would be fine to run with any server build; the remaining
    # ones are actually supposed to fail, but they do not fail when using a
    # server build that does not support the TLS protocol tests.
    identities = ["foo@test-unknown", "foo@test-tls-unknown"]
    identities += ["foo@test-tls-%d" % i for i in range(1, 9)]
    for anon_id in identities:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                       eap="TTLS", identity="user",
                       anonymous_identity=anon_id,
                       password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()
224 
def test_authsrv_unknown_user(dev, apdev):
    """Authentication server and unknown user

    Uses auth_serv/eap_user_vlan.conf as the user store, under which the
    supplicant's identity is not expected to authenticate: the attempt must
    end in a disconnection rather than an association.
    """
    params = dict(authsrv_params(),
                  eap_user_file="auth_serv/eap_user_vlan.conf")
    authsrv = hostapd.add_ap(apdev[1], params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TTLS", identity="user",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                   scan_freq="2412", wait_connect=False)
    dev[0].wait_disconnected()
    dev[0].request("REMOVE_NETWORK all")
242 
def test_authsrv_unknown_client(dev, apdev):
    """Authentication server and unknown client

    The server is started with an empty RADIUS client list
    (auth_serv/radius_clients_none.conf), so the AP's requests come from a
    client the server does not know. The test only checks that EAP starts on
    the supplicant side; it does not wait for the final outcome.
    """
    params = dict(authsrv_params(),
                  radius_server_clients="auth_serv/radius_clients_none.conf")
    authsrv = hostapd.add_ap(apdev[1], params)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "18128"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Expected server-side log: RADIUS SRV: Unknown client 127.0.0.1 - packet ignored
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                   eap="TTLS", identity="user",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=GTC",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10) is None:
        raise Exception("EAP not started")
    dev[0].request("REMOVE_NETWORK all")
263