Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

tests: Incorrect/missing password with TTLS non-EAP methods

Incorrect password was already tested with TTLS/MSCHAPv2, but the other
non-EAP inner methods in TTLS use their own implementation of password
validation, so check each and also verify the case of no matching EAP
user entry for the specific method.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 11 years ago
parent
dbd1e184e3
commit
82a8f5b533
1 changed files with 51 additions and 2 deletions
Split View Show Diff Stats
  1. 51 2
      tests/hwsim/test_ap_eap.py

+ 51 - 2
tests/hwsim/test_ap_eap.py
View File 

@@ -445,6 +445,19 @@ def test_ap_wpa2_eap_ttls_pap(dev, apdev):
 
     check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
 
                         ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
 
 
+def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
 
+    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
 
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 
+    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
 
+                anonymous_identity="ttls", password="wrong",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
 
+                expect_failure=True)
 
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
 
+                anonymous_identity="ttls", password="password",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
 
+                expect_failure=True)
 
+
 
 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
 
     """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
 
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
@@ -456,6 +469,19 @@ def test_ap_wpa2_eap_ttls_chap(dev, apdev):
 
     hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
 
     eap_reauth(dev[0], "TTLS")
 
 
+def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
 
+    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
 
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 
+    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
 
+                anonymous_identity="ttls", password="wrong",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
 
+                expect_failure=True)
 
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
 
+                anonymous_identity="ttls", password="password",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
 
+                expect_failure=True)
 
+
 
 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
 
     """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
 
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
@@ -472,6 +498,23 @@ def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
 
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 
                 fragment_size="200")
 
 
+def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
 
+    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
 
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 
+    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
 
+                anonymous_identity="ttls", password="wrong",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 
+                expect_failure=True)
 
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
 
+                anonymous_identity="ttls", password="password",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 
+                expect_failure=True)
 
+    eap_connect(dev[2], apdev[0], "TTLS", "no such user",
 
+                anonymous_identity="ttls", password="password",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
 
+                expect_failure=True)
 
+
 
 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
 
     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
 
     params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
@@ -501,12 +544,18 @@ def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
 
                 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
 
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
 
 
-    logger.info("Negative test with incorrect password")
 
-    dev[0].request("REMOVE_NETWORK all")
 
+def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
 
+    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
 
+    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
 
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
 
     eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
 
                 anonymous_identity="ttls", password="password1",
 
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
 
                 expect_failure=True)
 
+    eap_connect(dev[1], apdev[0], "TTLS", "user",
 
+                anonymous_identity="ttls", password="password",
 
+                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
 
+                expect_failure=True)
 
 
 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
 
     """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""