# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.
import json
from autotest_lib.client.common_lib.cros import site_eap_certs
from autotest_lib.client.common_lib.cros.network import xmlrpc_datatypes
from autotest_lib.client.common_lib.cros.network import xmlrpc_security_types
from autotest_lib.server.cros.network import hostap_config
def __get_altsubject_match_positive_test_cases(outer_auth_type,
                                                inner_auth_type):
    """Build positive cases that exercise wpa_supplicant's altsubject_match.

    Two flavours of case are produced, all of which are expected to
    associate successfully:

    - one case per subject alternative name (SAN) listed in
      site_eap_certs.server_cert_3_altsubject_match, each passing exactly
      that SAN (JSON encoded) as the only altsubject_match entry;
    - one case passing two DNS SANs, one that the server certificate does
      not carry and one that it does.  This documents that multiple
      altsubject_match entries are OR'ed rather than AND'ed: a single
      matching entry is enough for the server certificate to be accepted.
      See https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf

    All cases use the ca_cert_3 / server_cert_3 material and the default
    'testuser' / 'password' inner credentials.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of (ap_config, association_params) tuples for
            network_WiFi_SimpleConnect.

    """
    # Every altsubject_match list to test.  The single-SAN lists come
    # first, the OR'ed pair last, so the returned cases keep the order
    # described in the docstring.
    match_lists = [
            [json.dumps(subject_alternative_name)]
            for subject_alternative_name in (
                    site_eap_certs.server_cert_3_altsubject_match)]
    match_lists.append([
            '{"Type":"DNS","Value":"wrong_dns.com"}',
            '{"Type":"DNS","Value":"www.example.com"}'])

    configurations = []
    for altsubject_match in match_lists:
        eap_config = xmlrpc_security_types.Tunneled1xConfig(
                site_eap_certs.ca_cert_3,
                site_eap_certs.server_cert_3,
                site_eap_certs.server_private_key_3,
                site_eap_certs.ca_cert_3,
                'testuser',
                'password',
                inner_protocol=inner_auth_type,
                outer_protocol=outer_auth_type,
                altsubject_match=altsubject_match)
        ap_config = hostap_config.HostapConfig(
                frequency=2412,
                mode=hostap_config.HostapConfig.MODE_11G,
                security_config=eap_config)
        assoc_params = xmlrpc_datatypes.AssociationParameters(
                security_config=eap_config)
        configurations.append((ap_config, assoc_params))
    return configurations
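def get_positive_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Build test cases asserting that the outer/inner auth pair works.

    The first case is a plain tunneled 802.1X connection that passes
    ca_cert_1 for both CA arguments, so the client trusts the CA that
    issued server_cert_1.  It is followed by the altsubject_match cases
    from __get_altsubject_match_positive_test_cases() for the same
    outer/inner pair.  Every returned case is expected to associate.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of (ap_config, association_params) tuples for
            network_WiFi_SimpleConnect.

    """
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    assoc_params = xmlrpc_datatypes.AssociationParameters(
            security_config=eap_config)
    # The baseline case goes first; the altsubject_match cases follow in
    # the order the helper produces them.
    return [(ap_config, assoc_params)] + (
            __get_altsubject_match_positive_test_cases(
                    outer_auth_type, inner_auth_type))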
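def get_negative_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Build negative test cases for TTLS/PEAP authentication.

    Each returned case is expected to fail (expect_failure=True).  Together
    they check that authentication is refused when either side presents
    something the other side must not accept:

    - the client sends the wrong password;
    - the client trusts a CA (ca_cert_2) other than the one that issued
      the server certificate;
    - the server certificate is expired, even though it chains to a CA
      the client trusts;
    - altsubject_match is set to a DNS SAN the server certificate does
      not carry, so the certificate is rejected even though the CA check
      would pass.

    The last three guard against a client completing the tunnel with a
    server it cannot validate; the first guards against the server
    accepting a bad inner credential.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of (ap_config, association_params) tuples for
            network_WiFi_SimpleConnect.

    """
    def tunneled_config(server_ca, server_cert, server_key, client_ca,
                        **overrides):
        # Shared credential/protocol arguments; *overrides* carries the
        # one knob that is deliberately wrong in a given case.
        return xmlrpc_security_types.Tunneled1xConfig(
                server_ca,
                server_cert,
                server_key,
                client_ca,
                'testuser',
                'password',
                inner_protocol=inner_auth_type,
                outer_protocol=outer_auth_type,
                **overrides)

    failing_eap_configs = [
            # Bad passwords won't work.
            tunneled_config(site_eap_certs.ca_cert_1,
                            site_eap_certs.server_cert_1,
                            site_eap_certs.server_private_key_1,
                            site_eap_certs.ca_cert_1,
                            client_password='wrongpassword'),
            # With the wrong CA on the client, it won't trust the server
            # credentials.
            tunneled_config(site_eap_certs.ca_cert_1,
                            site_eap_certs.server_cert_1,
                            site_eap_certs.server_private_key_1,
                            site_eap_certs.ca_cert_2),
            # Good but expired server credentials are rejected as well.
            tunneled_config(site_eap_certs.ca_cert_1,
                            site_eap_certs.server_expired_cert,
                            site_eap_certs.server_expired_key,
                            site_eap_certs.ca_cert_1),
            # A subject alternative name (SAN) which does not match any of
            # the server certificate SANs.  Once altsubject_match is set,
            # the server certificate is only accepted if it contains one
            # of the listed entries, so this must not associate.
            tunneled_config(site_eap_certs.ca_cert_3,
                            site_eap_certs.server_cert_3,
                            site_eap_certs.server_private_key_3,
                            site_eap_certs.ca_cert_3,
                            altsubject_match=[
                                    '{"Type":"DNS","Value":"wrong_dns.com"}']),
    ]

    configurations = []
    for eap_config in failing_eap_configs:
        ap_config = hostap_config.HostapConfig(
                frequency=2412,
                mode=hostap_config.HostapConfig.MODE_11G,
                security_config=eap_config)
        assoc_params = xmlrpc_datatypes.AssociationParameters(
                security_config=eap_config,
                expect_failure=True)
        configurations.append((ap_config, assoc_params))
    return configurations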