[PATCH 2/2] test: SAE password with Tunnel-Password

michael-dev at fami-braun.de michael-dev at fami-braun.de
Fri Apr 16 07:13:32 BST 2021


From: Michael Braun <michael-dev at fami-braun.de>

Signed-off-by: Michael Braun <michael-dev at fami-braun.de>
---
 tests/hwsim/dictionary.radius |   1 +
 tests/hwsim/test_radius.py    | 119 +++++++++++++++++++++++++++++++++-
 2 files changed, 119 insertions(+), 1 deletion(-)

diff --git a/tests/hwsim/dictionary.radius b/tests/hwsim/dictionary.radius
index d2112dad3..923c1220e 100644
--- a/tests/hwsim/dictionary.radius
+++ b/tests/hwsim/dictionary.radius
@@ -17,4 +17,5 @@ ATTRIBUTE	Message-Authenticator	80	octets
 ATTRIBUTE	Tunnel-Private-Group-ID	81	string
 ATTRIBUTE	Acct-Interim-Interval	85	integer
 ATTRIBUTE	Chargeable-User-Identity 89	string
+ATTRIBUTE	Tunnel-Client-Auth-ID	90	octets
 ATTRIBUTE	Error-Cause		101	integer
diff --git a/tests/hwsim/test_radius.py b/tests/hwsim/test_radius.py
index ca96c979e..ec359bd0e 100644
--- a/tests/hwsim/test_radius.py
+++ b/tests/hwsim/test_radius.py
@@ -1167,8 +1167,12 @@ def build_tunnel_password(secret, authenticator, psk):
     data = b'\x00' + a + bytes(cc_all)
     return data
 
+def build_tunnel_identity(id):
+   return b'\x00' + id.encode()
+
 def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0,
-                            session_timeout=0, reject=False):
+                            session_timeout=0, reject=False, sae_identity=None,
+                            sae_identity2=None):
     try:
         import pyrad.server
         import pyrad.packet
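Review bot: `build_tunnel_identity` is indented with three spaces while the surrounding file uses four, and its parameter `id` shadows the builtin. I would write it as `def build_tunnel_identity(identity):` with a four-space body `return b'\x00' + identity.encode()`. A one-line docstring would also help, such as `"""Return a Tunnel-Client-Auth-ID value: tag octet 0x00 followed by the identifier."""`; the leading byte is presumably the RFC 2868 tag field, which the code does not say. The body of `start_radius_psk_server` continues outside this hunk.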
@@ -1195,6 +1199,13 @@ def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0,
             if self.t_events['session_timeout']:
                 reply.AddAttribute("Session-Timeout",
                                    self.t_events['session_timeout'])
+            if self.t_events['sae_identity']:
+                data = build_tunnel_identity(self.t_events['sae_identity'])
+                reply.AddAttribute("Tunnel-Client-Auth-ID", data)
+            if self.t_events['sae_identity2']:
+                data = build_tunnel_identity(self.t_events['sae_identity2'])
+                reply.AddAttribute("Tunnel-Client-Auth-ID", data)
+
             self.SendReplyPacket(pkt.fd, reply)
 
         def RunWithStop(self, t_events):
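Review bot: The two added `if` blocks are identical except for the key, and the server is limited to exactly two identities. A loop keeps it to one place: `for key in ('sae_identity', 'sae_identity2'):` followed by `if self.t_events[key]: reply.AddAttribute("Tunnel-Client-Auth-ID", build_tunnel_identity(self.t_events[key]))`. Both values are sent with the same tag byte as built by `build_tunnel_identity`, so the tests only cover the untagged case. The enclosing handler method starts above this hunk.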
@@ -1231,6 +1242,8 @@ def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0,
     t_events['invalid_code'] = invalid_code
     t_events['acct_interim_interval'] = acct_interim_interval
     t_events['session_timeout'] = session_timeout
+    t_events['sae_identity'] = sae_identity
+    t_events['sae_identity2'] = sae_identity2
     t_events['reject'] = reject
     t = threading.Thread(target=run_pyrad_server, args=(srv, t_events))
     t.start()
@@ -1247,6 +1260,28 @@ def hostapd_radius_psk_test_params():
     params['auth_server_port'] = "18138"
     return params
 
+def hostapd_radius_sae_test_params():
+    params = hostapd.radius_params()
+    params['ssid'] = "test-wpa3-sae"
+    params["wpa"] = "2"
+    params["wpa_key_mgmt"] = "SAE"
+    params["rsn_pairwise"] = "CCMP"
+    params['macaddr_acl'] = '2'
+    params['wpa_psk_radius'] = '2'
+    params['auth_server_port'] = "18138"
+    return params
+
+def hostapd_radius_sae_ft_test_params():
+    params = hostapd.radius_params()
+    params['ssid'] = "test-wpa3-sae-ft"
+    params["wpa"] = "2"
+    params["wpa_key_mgmt"] = "FT-SAE"
+    params["rsn_pairwise"] = "CCMP"
+    params['macaddr_acl'] = '2'
+    params['wpa_psk_radius'] = '2'
+    params['auth_server_port'] = "18138"
+    return params
+
 def test_radius_psk(dev, apdev):
     """WPA2 with PSK from RADIUS"""
     t, t_events = start_radius_psk_server("12345678")
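Review bot: Neither `hostapd_radius_sae_test_params` nor `hostapd_radius_sae_ft_test_params` sets `ieee80211w`, so the tests described as WPA3 run with whatever management frame protection default applies rather than with PMF required. If the intent is to cover a WPA3 deployment, add `params["ieee80211w"] = "2"` here and pass `ieee80211w="2"` in the matching `connect()` calls. The two helpers also differ only in `ssid` and `wpa_key_mgmt`; the FT variant could call the SAE helper and override those two keys. `test_radius_psk` continues outside this hunk.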
@@ -1708,3 +1743,85 @@ def test_radius_acct_failure_sta_data(dev, apdev):
         dev[0].request("DISCONNECT")
         dev[0].wait_disconnected()
         hapd.wait_event(["AP-STA-DISCONNECTED"], timeout=1)
+
+def test_radius_sae(dev, apdev):
+    """WPA3 with SAE from RADIUS"""
+    t, t_events = start_radius_psk_server("12345678")
+
+    try:
+        params = hostapd_radius_sae_test_params()
+        hapd = hostapd.add_ap(apdev[0], params)
+        dev[0].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE",
+                       scan_freq="2412")
+        t_events['psk'] = "0123456789abcdef"
+        dev[1].connect("test-wpa3-sae", sae_password="0123456789abcdef", key_mgmt="SAE",
+                       scan_freq="2412")
+    finally:
+        t_events['stop'].set()
+        t.join()
+
+def test_radius_sae_ft(dev, apdev):
+    """WPA3 with FT-SAE from RADIUS"""
+    t, t_events = start_radius_psk_server("12345678")
+
+    try:
+        params = hostapd_radius_sae_ft_test_params()
+        hapd = hostapd.add_ap(apdev[0], params)
+        dev[0].connect("test-wpa3-sae-ft", sae_password="12345678", key_mgmt="FT-SAE",
+                       scan_freq="2412")
+        t_events['psk'] = "0123456789abcdef"
+        dev[1].connect("test-wpa3-sae-ft", sae_password="0123456789abcdef", key_mgmt="FT-SAE",
+                       scan_freq="2412")
+    finally:
+        t_events['stop'].set()
+        t.join()
+
+def test_radius_sae_id(dev, apdev):
+    """WPA3 with SAE from RADIUS with SAE password identity"""
+    t, t_events = start_radius_psk_server("12345678", sae_identity="user0")
+
+    try:
+        params = hostapd_radius_sae_test_params()
+        hapd = hostapd.add_ap(apdev[0], params)
+        dev[0].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE",
+                       scan_freq="2412", sae_password_id="user0")
+        t_events['psk'] = "0123456789abcdef"
+        t_events['sae_identity'] = "user1"
+        dev[1].connect("test-wpa3-sae", sae_password="0123456789abcdef", key_mgmt="SAE",
+                       scan_freq="2412", sae_password_id="user1")
+    finally:
+        t_events['stop'].set()
+        t.join()
+
+def test_radius_sae_id_ft(dev, apdev):
+    """WPA3 with FT-SAE from RADIUS with SAE password identity"""
+    t, t_events = start_radius_psk_server("12345678", sae_identity="user0")
+
+    try:
+        params = hostapd_radius_sae_ft_test_params()
+        hapd = hostapd.add_ap(apdev[0], params)
+        dev[0].connect("test-wpa3-sae-ft", sae_password="12345678", key_mgmt="FT-SAE",
+                       scan_freq="2412", sae_password_id="user0")
+        t_events['psk'] = "0123456789abcdef"
+        t_events['sae_identity'] = "user1"
+        dev[1].connect("test-wpa3-sae-ft", sae_password="0123456789abcdef", key_mgmt="FT-SAE",
+                       scan_freq="2412", sae_password_id="user1")
+    finally:
+        t_events['stop'].set()
+        t.join()
+
+def test_radius_sae_multi_id(dev, apdev):
+    """WPA3 with SAE from RADIUS with multiple SAE password identity"""
+    t, t_events = start_radius_psk_server("12345678", sae_identity="user0", sae_identity2="user1")
+
+    try:
+        params = hostapd_radius_sae_test_params()
+        hapd = hostapd.add_ap(apdev[0], params)
+        dev[0].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE",
+                       scan_freq="2412", sae_password_id="user0")
+        dev[1].connect("test-wpa3-sae", sae_password="12345678", key_mgmt="SAE",
+                       scan_freq="2412", sae_password_id="user1")
+    finally:
+        t_events['stop'].set()
+        t.join()
+
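Review bot: All five new tests are positive-only: each station connects with a password and identifier that the RADIUS server returns, so nothing checks that a mismatched password or an identifier absent from the Access-Accept is refused. For an authentication path this is the case most worth pinning, for example in `test_radius_sae_id` and `test_radius_sae_multi_id`. The sketch below only asserts that no connection is established, since the exact rejection event depends on the hostapd side in patch 1/2, which is not visible here. Separately, the FT variants associate to a single AP and never roam, and `hapd` is assigned but unused in every test.

```python
def test_radius_sae_multi_id(dev, apdev):
    # … unchanged: server start, AP setup and the two positive connects …
        # Negative case: identifier that the RADIUS server never returns.
        dev[2].connect("test-wpa3-sae", sae_password="12345678",
                       key_mgmt="SAE", scan_freq="2412",
                       sae_password_id="unknown", wait_connect=False)
        ev = dev[2].wait_event(["CTRL-EVENT-CONNECTED"], timeout=5)
        if ev is not None:
            raise Exception("Unknown SAE password identifier was accepted")
    # … unchanged: finally block stopping the server thread …
```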
-- 
2.20.1



