tests: Verify RADIUS Disconnect-Request behavior

This uses pyrad to build and send various Disconnect-Request packets to
hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>

tests/hwsim/dictionary.radius

@@ -0,0 +1,9 @@
+ATTRIBUTE	User-Name		1	string
+ATTRIBUTE	User-Password		2	string
+ATTRIBUTE	Calling-Station-Id	31	string
+ATTRIBUTE	NAS-Identifier		32	string
+ATTRIBUTE	Acct-Session-Id		44	string
+ATTRIBUTE	Event-Timestamp		55	date
+ATTRIBUTE	Message-Authenticator	80	octets
+ATTRIBUTE	Chargeable-User-Identity 89	string
+ATTRIBUTE	Error-Cause		101	integer

tests/hwsim/radius_das.py

@@ -0,0 +1,29 @@
+#!/usr/bin/python
+#
+# RADIUS DAS extensions to pyrad
+# Copyright (c) 2014, Jouni Malinen <j@w1.fi>
+#
+# This software may be distributed under the terms of the BSD license.
+# See README for more details.
+
+import hashlib
+import random
+import struct
+import pyrad.packet
+
+class DisconnectPacket(pyrad.packet.Packet):
+    def __init__(self, code=pyrad.packet.DisconnectRequest, id=None,
+                 secret=None, authenticator=None, **attributes):
+        pyrad.packet.Packet.__init__(self, code, id, secret, authenticator,
+                                     **attributes)
+
+    def RequestPacket(self):
+        attr = self._PktEncodeAttributes()
+
+        if self.id is None:
+            self.id = random.randrange(0, 256)
+
+        header = struct.pack('!BBH', self.code, self.id, (20 + len(attr)))
+        self.authenticator = hashlib.md5(header[0:4] + 16 * b'\x00' + attr
+            + self.secret).digest()
+        return header + self.authenticator + attr

tests/hwsim/test_radius.py

@@ -1,7 +1,7 @@
 #!/usr/bin/python
 #
 # RADIUS tests
-# Copyright (c) 2013, Jouni Malinen <j@w1.fi>
+# Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
 #
 # This software may be distributed under the terms of the BSD license.
 # See README for more details.
@@ -93,3 +93,217 @@ def test_radius_acct(dev, apdev):
     acc_e = int(as_mib_end['radiusAuthServAccessAccepts'])
     if acc_e < acc_s + 1:
         raise Exception("Unexpected RADIUS server auth MIB value")
+
+def test_radius_das_disconnect(dev, apdev):
+    """RADIUS Dynamic Authorization Extensions - Disconnect"""
+    try:
+        import pyrad.client
+        import pyrad.packet
+        import pyrad.dictionary
+        import radius_das
+    except ImportError:
+        return "skip"
+
+    params = hostapd.wpa2_eap_params(ssid="radius-das")
+    params['radius_das_port'] = "3799"
+    params['radius_das_client'] = "127.0.0.1 secret"
+    params['radius_das_require_event_timestamp'] = "1"
+    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+    connect(dev[0], "radius-das")
+    addr = dev[0].p2p_interface_addr()
+    sta = hapd.get_sta(addr)
+    id = sta['dot1xAuthSessionId']
+
+    dict = pyrad.dictionary.Dictionary("dictionary.radius")
+
+    srv = pyrad.client.Client(server="127.0.0.1", acctport=3799,
+                              secret="secret", dict=dict)
+    srv.retries = 1
+    srv.timeout = 1
+
+    logger.info("Disconnect-Request with incorrect secret")
+    req = radius_das.DisconnectPacket(dict=dict, secret="incorrect",
+                                      User_Name="foo",
+                                      NAS_Identifier="localhost",
+                                      Event_Timestamp=int(time.time()))
+    logger.debug(req)
+    try:
+        reply = srv.SendPacket(req)
+        raise Exception("Unexpected response to Disconnect-Request")
+    except pyrad.client.Timeout:
+        logger.info("Disconnect-Request with incorrect secret properly ignored")
+
+    logger.info("Disconnect-Request without Event-Timestamp")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      User_Name="psk.user@example.com")
+    logger.debug(req)
+    try:
+        reply = srv.SendPacket(req)
+        raise Exception("Unexpected response to Disconnect-Request")
+    except pyrad.client.Timeout:
+        logger.info("Disconnect-Request without Event-Timestamp properly ignored")
+
+    logger.info("Disconnect-Request with non-matching Event-Timestamp")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      User_Name="psk.user@example.com",
+                                      Event_Timestamp=123456789)
+    logger.debug(req)
+    try:
+        reply = srv.SendPacket(req)
+        raise Exception("Unexpected response to Disconnect-Request")
+    except pyrad.client.Timeout:
+        logger.info("Disconnect-Request with non-matching Event-Timestamp properly ignored")
+
+    logger.info("Disconnect-Request with unsupported attribute")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      User_Name="foo",
+                                      User_Password="foo",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectNAK:
+        raise Exception("Unexpected response code")
+    if 'Error-Cause' not in reply:
+        raise Exception("Missing Error-Cause")
+    if reply['Error-Cause'][0] != 401:
+        raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause']))
+
+    logger.info("Disconnect-Request with invalid Calling-Station-Id")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      User_Name="foo",
+                                      Calling_Station_Id="foo",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectNAK:
+        raise Exception("Unexpected response code")
+    if 'Error-Cause' not in reply:
+        raise Exception("Missing Error-Cause")
+    if reply['Error-Cause'][0] != 407:
+        raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause']))
+
+    logger.info("Disconnect-Request with mismatching User-Name")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      User_Name="foo",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectNAK:
+        raise Exception("Unexpected response code")
+    if 'Error-Cause' not in reply:
+        raise Exception("Missing Error-Cause")
+    if reply['Error-Cause'][0] != 503:
+        raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause']))
+
+    logger.info("Disconnect-Request with mismatching Calling-Station-Id")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      Calling_Station_Id="12:34:56:78:90:aa",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectNAK:
+        raise Exception("Unexpected response code")
+    if 'Error-Cause' not in reply:
+        raise Exception("Missing Error-Cause")
+    if reply['Error-Cause'][0] != 503:
+        raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause']))
+
+    logger.info("Disconnect-Request with mismatching Acct-Session-Id")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      Acct_Session_Id="12345678-87654321",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectNAK:
+        raise Exception("Unexpected response code")
+    if 'Error-Cause' not in reply:
+        raise Exception("Missing Error-Cause")
+    if reply['Error-Cause'][0] != 503:
+        raise Exception("Unexpected Error-Cause: {}".format(reply['Error-Cause']))
+
+    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=1)
+    if ev is not None:
+        raise Exception("Unexpected disconnection")
+
+    logger.info("Disconnect-Request with matching Acct-Session-Id")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      Acct_Session_Id=id,
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectACK:
+        raise Exception("Unexpected response code")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for disconnection")
+    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for re-connection")
+
+    logger.info("Disconnect-Request with matching User-Name")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      User_Name="psk.user@example.com",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectACK:
+        raise Exception("Unexpected response code")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for disconnection")
+    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for re-connection")
+
+    logger.info("Disconnect-Request with matching Calling-Station-Id")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      Calling_Station_Id=addr,
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectACK:
+        raise Exception("Unexpected response code")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for disconnection")
+    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for re-connection")
+
+    logger.info("Disconnect-Request with matching Calling-Station-Id and non-matching CUI")
+    req = radius_das.DisconnectPacket(dict=dict, secret="secret",
+                                      Calling_Station_Id=addr,
+                                      Chargeable_User_Identity="foo@example.com",
+                                      Event_Timestamp=int(time.time()))
+    reply = srv.SendPacket(req)
+    logger.debug("RADIUS response from hostapd")
+    for i in reply.keys():
+        logger.debug("%s: %s" % (i, reply[i]))
+    if reply.code != pyrad.packet.DisconnectACK:
+        raise Exception("Unexpected response code")
+
+    ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for disconnection")
+    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"])
+    if ev is None:
+        raise Exception("Timeout while waiting for re-connection")