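# Copyright (c) 2013 The Chromium OS Authors. All rights reserved.
# Use of this source code is governed by a BSD-style license that can be
# found in the LICENSE file.

import json

from autotest_lib.client.common_lib.cros import site_eap_certs
from autotest_lib.client.common_lib.cros.network import xmlrpc_datatypes
from autotest_lib.client.common_lib.cros.network import xmlrpc_security_types
from autotest_lib.server.cros.network import hostap_config


def _make_test_case(eap_config, expect_failure=False):
    """Pair an EAP security config with the AP and association settings.

    Every case in this file uses the same AP (2412 MHz, 802.11g); only the
    security config and the expected outcome differ.

    @param eap_config xmlrpc_security_types.Tunneled1xConfig shared by the AP
            and the client association parameters.
    @param expect_failure True if the association is expected to be refused.
    @return tuple of (ap_config, association_params).

    """
    ap_config = hostap_config.HostapConfig(
            frequency=2412,
            mode=hostap_config.HostapConfig.MODE_11G,
            security_config=eap_config)
    # expect_failure is passed only when set, so positive cases build
    # AssociationParameters with exactly the arguments they always have.
    if expect_failure:
        assoc_params = xmlrpc_datatypes.AssociationParameters(
                security_config=eap_config,
                expect_failure=True)
    else:
        assoc_params = xmlrpc_datatypes.AssociationParameters(
                security_config=eap_config)
    return ap_config, assoc_params


def __get_altsubject_match_positive_test_cases(outer_auth_type,
                                               inner_auth_type):
    """Return cases where altsubject_match accepts the server certificate.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of ap_config, association_params tuples.

    """
    configurations = []
    # Pass every subject alternative name included in the alternative subject
    # match of the server certificate, one per test case.
    for subject_alternative_name in (
            site_eap_certs.server_cert_3_altsubject_match):
        eap_config = xmlrpc_security_types.Tunneled1xConfig(
                site_eap_certs.ca_cert_3,
                site_eap_certs.server_cert_3,
                site_eap_certs.server_private_key_3,
                site_eap_certs.ca_cert_3,
                'testuser',
                'password',
                inner_protocol=inner_auth_type,
                outer_protocol=outer_auth_type,
                altsubject_match=[json.dumps(subject_alternative_name)])
        configurations.append(_make_test_case(eap_config))
    # Pass multiple DNS subject alternative names (SANs) as altsubject_match.
    #  - One DNS SAN which does not match any of the DNS SANs of the server
    #    certificate.
    #  - Another one which matches one of the DNS SANs of the server
    #    certificate.
    # The connection should be established, i.e. having multiple entries in
    # 'altsubject_match' is treated as OR, not AND.
    # For more information about how wpa_supplicant uses altsubject_match field
    # please refer to:
    # https://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf
    # NOTE(review): 'www.example.com' is a literal here rather than a value
    # read from site_eap_certs, so it has to stay in step with the SANs that
    # are actually present in server_cert_3.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_3,
            site_eap_certs.server_cert_3,
            site_eap_certs.server_private_key_3,
            site_eap_certs.ca_cert_3,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            altsubject_match=[
                '{"Type":"DNS","Value":"wrong_dns.com"}',
                '{"Type":"DNS","Value":"www.example.com"}'
            ])
    configurations.append(_make_test_case(eap_config))
    return configurations


def get_positive_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Return test cases asserting that outer/inner auth works.

    The first case uses matching CA and server credentials with no
    altsubject_match; the altsubject_match cases are appended after it.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of ap_config, association_params tuples for
            network_WiFi_SimpleConnect.

    """
    configurations = []
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    configurations.append(_make_test_case(eap_config))
    configurations += __get_altsubject_match_positive_test_cases(
            outer_auth_type, inner_auth_type)
    return configurations


def get_negative_8021x_test_cases(outer_auth_type, inner_auth_type):
    """Build test cases for TTLS/PEAP authentication that must fail.

    Each case sets expect_failure=True.  Together they cover a wrong client
    password, a client trusting the wrong CA, an expired server certificate
    and an altsubject_match that the server certificate does not satisfy.
    The last three are the ones that check the client rejects a server
    certificate; the positive cases alone cannot show that.

    @param outer_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER1_TYPE*
    @param inner_auth_type one of
            xmlrpc_security_types.Tunneled1xConfig.LAYER2_TYPE*
    @return list of ap_config, association_params tuples for
            network_WiFi_SimpleConnect.

    """
    configurations = []
    # Bad passwords won't work: the client is given a password that differs
    # from the one passed positionally.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            client_password='wrongpassword')
    configurations.append(_make_test_case(eap_config, expect_failure=True))
    # If the client uses the wrong CA, it won't trust the server credentials.
    # Only the fourth argument differs from the positive case (ca_cert_2
    # instead of ca_cert_1).
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_cert_1,
            site_eap_certs.server_private_key_1,
            site_eap_certs.ca_cert_2,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    configurations.append(_make_test_case(eap_config, expect_failure=True))
    # And if the server's credentials are good but expired, we also reject it.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_1,
            site_eap_certs.server_expired_cert,
            site_eap_certs.server_expired_key,
            site_eap_certs.ca_cert_1,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type)
    configurations.append(_make_test_case(eap_config, expect_failure=True))
    # A subject alternative name (SAN) which does not match any of the server
    # certificate SANs is used.
    # The connection should not be established, i.e. if the subject alternative
    # name match field is set, the server certificate is only accepted if it
    # contains one of its entries.
    eap_config = xmlrpc_security_types.Tunneled1xConfig(
            site_eap_certs.ca_cert_3,
            site_eap_certs.server_cert_3,
            site_eap_certs.server_private_key_3,
            site_eap_certs.ca_cert_3,
            'testuser',
            'password',
            inner_protocol=inner_auth_type,
            outer_protocol=outer_auth_type,
            altsubject_match=['{"Type":"DNS","Value":"wrong_dns.com"}'])
    configurations.append(_make_test_case(eap_config, expect_failure=True))
    return configurations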