]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_eap.py
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2019, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
20 import socketserver
as SocketServer
25 from hwsim
import HWSimRadio
27 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
, require_under_vm
28 from wpasupplicant
import WpaSupplicant
29 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
33 openssl_imported
= True
35 openssl_imported
= False
37 def check_hlr_auc_gw_support():
38 if not os
.path
.exists("/tmp/hlr_auc_gw.sock"):
39 raise HwsimSkip("No hlr_auc_gw available")
41 def check_eap_capa(dev
, method
):
42 res
= dev
.get_capability("eap")
44 raise HwsimSkip("EAP method %s not supported in the build" % method
)
46 def check_subject_match_support(dev
):
47 tls
= dev
.request("GET tls_library")
48 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
49 raise HwsimSkip("subject_match not supported with this TLS library: " + tls
)
51 def check_check_cert_subject_support(dev
):
52 tls
= dev
.request("GET tls_library")
53 if not tls
.startswith("OpenSSL"):
54 raise HwsimSkip("check_cert_subject not supported with this TLS library: " + tls
)
56 def check_altsubject_match_support(dev
):
57 tls
= dev
.request("GET tls_library")
58 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
59 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls
)
61 def check_domain_match(dev
):
62 tls
= dev
.request("GET tls_library")
63 if tls
.startswith("internal"):
64 raise HwsimSkip("domain_match not supported with this TLS library: " + tls
)
66 def check_domain_suffix_match(dev
):
67 tls
= dev
.request("GET tls_library")
68 if tls
.startswith("internal"):
69 raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls
)
71 def check_domain_match_full(dev
):
72 tls
= dev
.request("GET tls_library")
73 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
74 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls
)
76 def check_cert_probe_support(dev
):
77 tls
= dev
.request("GET tls_library")
78 if not tls
.startswith("OpenSSL") and not tls
.startswith("internal"):
79 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls
)
81 def check_ext_cert_check_support(dev
):
82 tls
= dev
.request("GET tls_library")
83 if not tls
.startswith("OpenSSL"):
84 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls
)
86 def check_ocsp_support(dev
):
87 tls
= dev
.request("GET tls_library")
88 #if tls.startswith("internal"):
89 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
90 #if "BoringSSL" in tls:
91 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
92 if tls
.startswith("wolfSSL"):
93 raise HwsimSkip("OCSP not supported with this TLS library: " + tls
)
95 def check_pkcs5_v15_support(dev
):
96 tls
= dev
.request("GET tls_library")
97 if "BoringSSL" in tls
or "GnuTLS" in tls
:
98 raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls
)
100 def check_ocsp_multi_support(dev
):
101 tls
= dev
.request("GET tls_library")
102 if not tls
.startswith("internal"):
103 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
104 as_hapd
= hostapd
.Hostapd("as")
105 res
= as_hapd
.request("GET tls_library")
107 if not res
.startswith("internal"):
108 raise HwsimSkip("Authentication server does not support ocsp_multi")
110 def check_pkcs12_support(dev
):
111 tls
= dev
.request("GET tls_library")
112 #if tls.startswith("internal"):
113 # raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
114 if tls
.startswith("wolfSSL"):
115 raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls
)
117 def check_dh_dsa_support(dev
):
118 tls
= dev
.request("GET tls_library")
119 if tls
.startswith("internal"):
120 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls
)
122 def check_ec_support(dev
):
123 tls
= dev
.request("GET tls_library")
124 if tls
.startswith("internal"):
125 raise HwsimSkip("EC not supported with this TLS library: " + tls
)
128 with
open(fname
, "r") as f
:
129 lines
= f
.readlines()
137 if "-----BEGIN" in l
:
139 return base64
.b64decode(cert
)
141 def eap_connect(dev
, hapd
, method
, identity
,
142 sha256
=False, expect_failure
=False, local_error_report
=False,
143 maybe_local_error
=False, report_failure
=False,
144 expect_cert_error
=None, **kwargs
):
145 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
146 eap
=method
, identity
=identity
,
147 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
149 eap_check_auth(dev
, method
, True, sha256
=sha256
,
150 expect_failure
=expect_failure
,
151 local_error_report
=local_error_report
,
152 maybe_local_error
=maybe_local_error
,
153 report_failure
=report_failure
,
154 expect_cert_error
=expect_cert_error
)
158 ev
= hapd
.wait_event(["AP-STA-CONNECTED"], timeout
=5)
160 raise Exception("No connection event received from hostapd")
163 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
164 expect_failure
=False, local_error_report
=False,
165 maybe_local_error
=False, report_failure
=False,
166 expect_cert_error
=None):
167 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
169 raise Exception("Association and EAP start timed out")
170 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
171 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
173 raise Exception("EAP method selection timed out")
174 if "CTRL-EVENT-EAP-FAILURE" in ev
:
175 if maybe_local_error
:
177 raise Exception("Could not select EAP method")
179 raise Exception("Unexpected EAP method")
180 if expect_cert_error
is not None:
181 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
182 "CTRL-EVENT-EAP-FAILURE",
183 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
184 if ev
is None or "reason=%d " % expect_cert_error
not in ev
:
185 raise Exception("Expected certificate error not reported")
187 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE",
188 "CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
190 raise Exception("EAP failure timed out")
191 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
192 raise Exception("Unexpected EAP success")
193 ev
= dev
.wait_disconnected(timeout
=10)
194 if maybe_local_error
and "locally_generated=1" in ev
:
196 if not local_error_report
:
197 if "reason=23" not in ev
:
198 raise Exception("Proper reason code for disconnection not reported")
201 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
202 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
204 raise Exception("EAP success timed out")
205 if "CTRL-EVENT-EAP-SUCCESS" not in ev
:
206 raise Exception("EAP failed")
208 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
210 raise Exception("EAP success timed out")
213 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
215 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
217 raise Exception("Association with the AP timed out")
218 status
= dev
.get_status()
219 if status
["wpa_state"] != "COMPLETED":
220 raise Exception("Connection not completed")
222 if status
["suppPortStatus"] != "Authorized":
223 raise Exception("Port not authorized")
224 if "selectedMethod" not in status
:
225 logger
.info("Status: " + str(status
))
226 raise Exception("No selectedMethod in status")
227 if method
not in status
["selectedMethod"]:
228 raise Exception("Incorrect EAP method status")
230 e
= "WPA2-EAP-SHA256"
232 e
= "WPA2/IEEE 802.1X/EAP"
234 e
= "WPA/IEEE 802.1X/EAP"
235 if status
["key_mgmt"] != e
:
236 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
239 def eap_reauth(dev
, method
, rsn
=True, sha256
=False, expect_failure
=False):
240 dev
.request("REAUTHENTICATE")
241 return eap_check_auth(dev
, method
, False, rsn
=rsn
, sha256
=sha256
,
242 expect_failure
=expect_failure
)
244 def test_ap_wpa2_eap_sim(dev
, apdev
):
245 """WPA2-Enterprise connection using EAP-SIM"""
246 check_hlr_auc_gw_support()
247 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
248 hapd
= hostapd
.add_ap(apdev
[0], params
)
249 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
250 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
251 hwsim_utils
.test_connectivity(dev
[0], hapd
)
252 eap_reauth(dev
[0], "SIM")
254 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
255 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
256 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
257 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 logger
.info("Negative test with incorrect key")
261 dev
[0].request("REMOVE_NETWORK all")
262 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
263 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
266 logger
.info("Invalid GSM-Milenage key")
267 dev
[0].request("REMOVE_NETWORK all")
268 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
269 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
272 logger
.info("Invalid GSM-Milenage key(2)")
273 dev
[0].request("REMOVE_NETWORK all")
274 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
275 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
278 logger
.info("Invalid GSM-Milenage key(3)")
279 dev
[0].request("REMOVE_NETWORK all")
280 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
281 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
284 logger
.info("Invalid GSM-Milenage key(4)")
285 dev
[0].request("REMOVE_NETWORK all")
286 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
287 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
290 logger
.info("Missing key configuration")
291 dev
[0].request("REMOVE_NETWORK all")
292 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
295 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
296 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
297 check_hlr_auc_gw_support()
301 raise HwsimSkip("No sqlite3 module available")
302 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
303 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
304 params
['auth_server_port'] = "1814"
305 hapd
= hostapd
.add_ap(apdev
[0], params
)
306 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
307 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
309 logger
.info("SIM fast re-authentication")
310 eap_reauth(dev
[0], "SIM")
312 logger
.info("SIM full auth with pseudonym")
315 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
316 eap_reauth(dev
[0], "SIM")
318 logger
.info("SIM full auth with permanent identity")
321 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
322 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
323 eap_reauth(dev
[0], "SIM")
325 logger
.info("SIM reauth with mismatching MK")
328 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
329 eap_reauth(dev
[0], "SIM", expect_failure
=True)
330 dev
[0].request("REMOVE_NETWORK all")
332 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
333 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
336 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
337 eap_reauth(dev
[0], "SIM")
340 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
341 logger
.info("SIM reauth with mismatching counter")
342 eap_reauth(dev
[0], "SIM")
343 dev
[0].request("REMOVE_NETWORK all")
345 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
346 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
349 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
350 logger
.info("SIM reauth with max reauth count reached")
351 eap_reauth(dev
[0], "SIM")
353 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
354 """EAP-SIM configuration options"""
355 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
356 hapd
= hostapd
.add_ap(apdev
[0], params
)
357 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
358 identity
="1232010000000000",
359 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
360 phase1
="sim_min_num_chal=1",
361 wait_connect
=False, scan_freq
="2412")
362 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
364 raise Exception("No EAP error message seen")
365 dev
[0].request("REMOVE_NETWORK all")
367 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
368 identity
="1232010000000000",
369 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
370 phase1
="sim_min_num_chal=4",
371 wait_connect
=False, scan_freq
="2412")
372 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
374 raise Exception("No EAP error message seen (2)")
375 dev
[0].request("REMOVE_NETWORK all")
377 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
378 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
379 phase1
="sim_min_num_chal=2")
380 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
381 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
382 anonymous_identity
="345678")
384 def test_ap_wpa2_eap_sim_id_0(dev
, apdev
):
385 """WPA2-Enterprise connection using EAP-SIM (no pseudonym or reauth)"""
386 run_ap_wpa2_eap_sim_id(dev
, apdev
, 0)
388 def test_ap_wpa2_eap_sim_id_1(dev
, apdev
):
389 """WPA2-Enterprise connection using EAP-SIM (pseudonym, no reauth)"""
390 run_ap_wpa2_eap_sim_id(dev
, apdev
, 1)
392 def test_ap_wpa2_eap_sim_id_2(dev
, apdev
):
393 """WPA2-Enterprise connection using EAP-SIM (no pseudonym, reauth)"""
394 run_ap_wpa2_eap_sim_id(dev
, apdev
, 2)
396 def test_ap_wpa2_eap_sim_id_3(dev
, apdev
):
397 """WPA2-Enterprise connection using EAP-SIM (pseudonym and reauth)"""
398 run_ap_wpa2_eap_sim_id(dev
, apdev
, 3)
400 def run_ap_wpa2_eap_sim_id(dev
, apdev
, eap_sim_id
):
401 check_hlr_auc_gw_support()
402 params
= int_eap_server_params()
403 params
['eap_sim_id'] = str(eap_sim_id
)
404 params
['eap_sim_db'] = 'unix:/tmp/hlr_auc_gw.sock'
405 hapd
= hostapd
.add_ap(apdev
[0], params
)
406 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
407 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
408 eap_reauth(dev
[0], "SIM")
410 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
411 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
413 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
415 dev
[0].request("SET external_sim 0")
417 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
418 check_hlr_auc_gw_support()
419 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
420 hostapd
.add_ap(apdev
[0], params
)
421 dev
[0].request("SET external_sim 1")
422 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
423 identity
="1232010000000000",
424 wait_connect
=False, scan_freq
="2412")
425 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
427 raise Exception("Network connected timed out")
429 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
431 raise Exception("Wait for external SIM processing request timed out")
433 if p
[1] != "GSM-AUTH":
434 raise Exception("Unexpected CTRL-REQ-SIM type")
435 rid
= p
[0].split('-')[3]
438 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
439 # This will fail during processing, but the ctrl_iface command succeeds
440 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
441 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
443 raise Exception("EAP failure not reported")
444 dev
[0].request("DISCONNECT")
445 dev
[0].wait_disconnected()
448 dev
[0].select_network(id, freq
="2412")
449 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
451 raise Exception("Wait for external SIM processing request timed out")
453 if p
[1] != "GSM-AUTH":
454 raise Exception("Unexpected CTRL-REQ-SIM type")
455 rid
= p
[0].split('-')[3]
456 # This will fail during GSM auth validation
457 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
458 raise Exception("CTRL-RSP-SIM failed")
459 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
461 raise Exception("EAP failure not reported")
462 dev
[0].request("DISCONNECT")
463 dev
[0].wait_disconnected()
466 dev
[0].select_network(id, freq
="2412")
467 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
469 raise Exception("Wait for external SIM processing request timed out")
471 if p
[1] != "GSM-AUTH":
472 raise Exception("Unexpected CTRL-REQ-SIM type")
473 rid
= p
[0].split('-')[3]
474 # This will fail during GSM auth validation
475 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
476 raise Exception("CTRL-RSP-SIM failed")
477 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
479 raise Exception("EAP failure not reported")
480 dev
[0].request("DISCONNECT")
481 dev
[0].wait_disconnected()
484 dev
[0].select_network(id, freq
="2412")
485 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
487 raise Exception("Wait for external SIM processing request timed out")
489 if p
[1] != "GSM-AUTH":
490 raise Exception("Unexpected CTRL-REQ-SIM type")
491 rid
= p
[0].split('-')[3]
492 # This will fail during GSM auth validation
493 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
494 raise Exception("CTRL-RSP-SIM failed")
495 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
497 raise Exception("EAP failure not reported")
498 dev
[0].request("DISCONNECT")
499 dev
[0].wait_disconnected()
502 dev
[0].select_network(id, freq
="2412")
503 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
505 raise Exception("Wait for external SIM processing request timed out")
507 if p
[1] != "GSM-AUTH":
508 raise Exception("Unexpected CTRL-REQ-SIM type")
509 rid
= p
[0].split('-')[3]
510 # This will fail during GSM auth validation
511 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
512 raise Exception("CTRL-RSP-SIM failed")
513 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
515 raise Exception("EAP failure not reported")
516 dev
[0].request("DISCONNECT")
517 dev
[0].wait_disconnected()
520 dev
[0].select_network(id, freq
="2412")
521 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
523 raise Exception("Wait for external SIM processing request timed out")
525 if p
[1] != "GSM-AUTH":
526 raise Exception("Unexpected CTRL-REQ-SIM type")
527 rid
= p
[0].split('-')[3]
528 # This will fail during GSM auth validation
529 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
530 raise Exception("CTRL-RSP-SIM failed")
531 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
533 raise Exception("EAP failure not reported")
534 dev
[0].request("DISCONNECT")
535 dev
[0].wait_disconnected()
538 dev
[0].select_network(id, freq
="2412")
539 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
541 raise Exception("Wait for external SIM processing request timed out")
543 if p
[1] != "GSM-AUTH":
544 raise Exception("Unexpected CTRL-REQ-SIM type")
545 rid
= p
[0].split('-')[3]
546 # This will fail during GSM auth validation
547 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
548 raise Exception("CTRL-RSP-SIM failed")
549 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
551 raise Exception("EAP failure not reported")
553 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
554 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
556 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
558 dev
[0].request("SET external_sim 0")
560 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
561 check_hlr_auc_gw_support()
562 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
563 hostapd
.add_ap(apdev
[0], params
)
564 dev
[0].request("SET external_sim 1")
565 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
566 identity
="1232010000000000",
567 wait_connect
=False, scan_freq
="2412")
569 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
571 raise Exception("Wait for external SIM processing request timed out")
573 if p
[1] != "GSM-AUTH":
574 raise Exception("Unexpected CTRL-REQ-SIM type")
575 rid
= p
[0].split('-')[3]
576 rand
= p
[2].split(' ')[0]
578 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
580 "auth_serv/hlr_auc_gw.milenage_db",
581 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
582 if "GSM-AUTH-RESP" not in res
:
583 raise Exception("Unexpected hlr_auc_gw response")
584 resp
= res
.split(' ')[2].rstrip()
586 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
587 dev
[0].wait_connected(timeout
=15)
588 dev
[0].request("DISCONNECT")
589 dev
[0].wait_disconnected()
591 # Replace SIM, but forget to drop the previous pseudonym identity
592 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
593 dev
[0].select_network(id, freq
="2412")
595 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p
[1] != "GSM-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid
= p
[0].split('-')[3]
602 rand
= p
[2].split(' ')[0]
604 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
606 "auth_serv/hlr_auc_gw.milenage_db",
607 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
608 if "GSM-AUTH-RESP" not in res
:
609 raise Exception("Unexpected hlr_auc_gw response")
610 resp
= res
.split(' ')[2].rstrip()
612 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
613 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
615 raise Exception("EAP-Failure not reported")
616 dev
[0].request("DISCONNECT")
617 dev
[0].wait_disconnected()
619 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
620 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
622 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
624 dev
[0].request("SET external_sim 0")
626 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
627 check_hlr_auc_gw_support()
628 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
629 hostapd
.add_ap(apdev
[0], params
)
630 dev
[0].request("SET external_sim 1")
631 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
632 identity
="1232010000000000",
633 wait_connect
=False, scan_freq
="2412")
635 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p
[1] != "GSM-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid
= p
[0].split('-')[3]
642 rand
= p
[2].split(' ')[0]
644 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
646 "auth_serv/hlr_auc_gw.milenage_db",
647 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
648 if "GSM-AUTH-RESP" not in res
:
649 raise Exception("Unexpected hlr_auc_gw response")
650 resp
= res
.split(' ')[2].rstrip()
652 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
653 dev
[0].wait_connected(timeout
=15)
654 dev
[0].request("DISCONNECT")
655 dev
[0].wait_disconnected()
657 # Replace SIM and drop the previous pseudonym identity
658 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
659 dev
[0].set_network(id, "anonymous_identity", "NULL")
660 dev
[0].select_network(id, freq
="2412")
662 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
664 raise Exception("Wait for external SIM processing request timed out")
666 if p
[1] != "GSM-AUTH":
667 raise Exception("Unexpected CTRL-REQ-SIM type")
668 rid
= p
[0].split('-')[3]
669 rand
= p
[2].split(' ')[0]
671 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
673 "auth_serv/hlr_auc_gw.milenage_db",
674 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
675 if "GSM-AUTH-RESP" not in res
:
676 raise Exception("Unexpected hlr_auc_gw response")
677 resp
= res
.split(' ')[2].rstrip()
679 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
680 dev
[0].wait_connected()
681 dev
[0].request("DISCONNECT")
682 dev
[0].wait_disconnected()
684 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
685 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
687 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
689 dev
[0].request("SET external_sim 0")
691 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
692 check_hlr_auc_gw_support()
693 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
694 hostapd
.add_ap(apdev
[0], params
)
695 dev
[0].request("SET external_sim 1")
696 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
697 wait_connect
=False, scan_freq
="2412")
699 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
701 raise Exception("Request for identity timed out")
702 rid
= ev
.split(':')[0].split('-')[-1]
703 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
705 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
707 raise Exception("Wait for external SIM processing request timed out")
709 if p
[1] != "GSM-AUTH":
710 raise Exception("Unexpected CTRL-REQ-SIM type")
711 rid
= p
[0].split('-')[3]
712 rand
= p
[2].split(' ')[0]
714 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
716 "auth_serv/hlr_auc_gw.milenage_db",
717 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
718 if "GSM-AUTH-RESP" not in res
:
719 raise Exception("Unexpected hlr_auc_gw response")
720 resp
= res
.split(' ')[2].rstrip()
722 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
723 dev
[0].wait_connected(timeout
=15)
724 dev
[0].request("DISCONNECT")
725 dev
[0].wait_disconnected()
727 # Replace SIM and drop the previous permanent and pseudonym identities
728 dev
[0].set_network(id, "identity", "NULL")
729 dev
[0].set_network(id, "anonymous_identity", "NULL")
730 dev
[0].select_network(id, freq
="2412")
732 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
734 raise Exception("Request for identity timed out")
735 rid
= ev
.split(':')[0].split('-')[-1]
736 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
738 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
740 raise Exception("Wait for external SIM processing request timed out")
742 if p
[1] != "GSM-AUTH":
743 raise Exception("Unexpected CTRL-REQ-SIM type")
744 rid
= p
[0].split('-')[3]
745 rand
= p
[2].split(' ')[0]
747 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
749 "auth_serv/hlr_auc_gw.milenage_db",
750 "GSM-AUTH-REQ 232010000000009 " + rand
]).decode()
751 if "GSM-AUTH-RESP" not in res
:
752 raise Exception("Unexpected hlr_auc_gw response")
753 resp
= res
.split(' ')[2].rstrip()
755 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
756 dev
[0].wait_connected()
757 dev
[0].request("DISCONNECT")
758 dev
[0].wait_disconnected()
760 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
761 """EAP-SIM with external GSM auth and auth failing"""
763 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
765 dev
[0].request("SET external_sim 0")
767 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
768 check_hlr_auc_gw_support()
769 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
770 hostapd
.add_ap(apdev
[0], params
)
771 dev
[0].request("SET external_sim 1")
772 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
773 identity
="1232010000000000",
774 wait_connect
=False, scan_freq
="2412")
776 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
778 raise Exception("Wait for external SIM processing request timed out")
780 rid
= p
[0].split('-')[3]
781 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
782 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
784 raise Exception("EAP failure not reported")
785 dev
[0].request("REMOVE_NETWORK all")
786 dev
[0].wait_disconnected()
788 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
789 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
791 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
793 dev
[0].request("SET external_sim 0")
795 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
796 check_hlr_auc_gw_support()
797 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
798 hapd
= hostapd
.add_ap(apdev
[0], params
)
799 dev
[0].request("SET external_sim 1")
800 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
801 identity
="1232010000000000",
802 wait_connect
=False, scan_freq
="2412")
804 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
806 raise Exception("Wait for external SIM processing request timed out")
808 if p
[1] != "GSM-AUTH":
809 raise Exception("Unexpected CTRL-REQ-SIM type")
810 rid
= p
[0].split('-')[3]
811 rand
= p
[2].split(' ')[0]
813 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
815 "auth_serv/hlr_auc_gw.milenage_db",
816 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
817 if "GSM-AUTH-RESP" not in res
:
818 raise Exception("Unexpected hlr_auc_gw response")
819 resp
= res
.split(' ')[2].rstrip()
821 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
822 dev
[0].wait_connected(timeout
=15)
825 # Verify that EAP-SIM Reauthentication can be used after a profile change
826 # that does not affect EAP parameters.
827 dev
[0].set_network(id, "bssid", "any")
828 eap_reauth(dev
[0], "SIM")
830 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
831 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
833 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
835 dev
[0].request("SET external_sim 0")
837 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
838 check_hlr_auc_gw_support()
839 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
840 hapd
= hostapd
.add_ap(apdev
[0], params
)
841 dev
[0].request("SET external_sim 1")
842 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
843 identity
="1232010000000000",
844 wait_connect
=False, scan_freq
="2412")
846 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
848 raise Exception("Wait for external SIM processing request timed out")
850 if p
[1] != "GSM-AUTH":
851 raise Exception("Unexpected CTRL-REQ-SIM type")
852 rid
= p
[0].split('-')[3]
853 rand
= p
[2].split(' ')[0]
855 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
857 "auth_serv/hlr_auc_gw.milenage_db",
858 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
859 if "GSM-AUTH-RESP" not in res
:
860 raise Exception("Unexpected hlr_auc_gw response")
861 resp
= res
.split(' ')[2].rstrip()
863 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
864 dev
[0].wait_connected(timeout
=15)
867 # Verify that EAP-SIM Reauthentication can be used after network profile
868 # SET_NETWORK commands that do not actually change previously set
870 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
871 dev
[0].set_network(id, "eap", "SIM")
872 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
873 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
874 eap_reauth(dev
[0], "SIM")
876 def test_ap_wpa2_eap_sim_ext_anonymous(dev
, apdev
):
877 """EAP-SIM with external GSM auth and anonymous identity"""
878 check_hlr_auc_gw_support()
879 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
880 hostapd
.add_ap(apdev
[0], params
)
882 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "anonymous@example.org")
883 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "@example.org")
885 dev
[0].request("SET external_sim 0")
887 def test_ap_wpa2_eap_sim_ext_anonymous_no_pseudonym(dev
, apdev
):
888 """EAP-SIM with external GSM auth and anonymous identity without pseudonym update"""
889 check_hlr_auc_gw_support()
890 params
= int_eap_server_params()
891 params
['eap_sim_id'] = '0'
892 params
['eap_sim_db'] = 'unix:/tmp/hlr_auc_gw.sock'
893 hostapd
.add_ap(apdev
[0], params
)
895 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "anonymous@example.org",
896 anon_id_change
=False)
897 run_ap_wpa2_eap_sim_ext_anonymous(dev
, "@example.org",
898 anon_id_change
=False)
900 dev
[0].request("SET external_sim 0")
902 def run_ap_wpa2_eap_sim_ext_anonymous(dev
, anon
, anon_id_change
=True):
903 dev
[0].request("SET external_sim 1")
904 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
905 identity
="1232010000000000",
906 anonymous_identity
=anon
,
907 wait_connect
=False, scan_freq
="2412")
909 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
911 raise Exception("Wait for external SIM processing request timed out")
913 if p
[1] != "GSM-AUTH":
914 raise Exception("Unexpected CTRL-REQ-SIM type")
915 rid
= p
[0].split('-')[3]
916 rand
= p
[2].split(' ')[0]
918 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
920 "auth_serv/hlr_auc_gw.milenage_db",
921 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
922 if "GSM-AUTH-RESP" not in res
:
923 raise Exception("Unexpected hlr_auc_gw response")
924 resp
= res
.split(' ')[2].rstrip()
926 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
927 dev
[0].wait_connected(timeout
=5)
928 anon_id
= dev
[0].get_network(id, "anonymous_identity").strip('"')
929 if anon_id_change
and anon
== anon_id
:
930 raise Exception("anonymous_identity did not change")
931 if not anon_id_change
and anon
!= anon_id
:
932 raise Exception("anonymous_identity changed")
933 dev
[0].request("REMOVE_NETWORK all")
934 dev
[0].wait_disconnected()
935 dev
[0].dump_monitor()
937 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
938 """EAP-SIM and OOM"""
939 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
940 hostapd
.add_ap(apdev
[0], params
)
941 tests
= [(1, "milenage_f2345"),
942 (2, "milenage_f2345"),
943 (3, "milenage_f2345"),
944 (4, "milenage_f2345"),
945 (5, "milenage_f2345"),
946 (6, "milenage_f2345"),
947 (7, "milenage_f2345"),
948 (8, "milenage_f2345"),
949 (9, "milenage_f2345"),
950 (10, "milenage_f2345"),
951 (11, "milenage_f2345"),
952 (12, "milenage_f2345")]
953 for count
, func
in tests
:
954 with
fail_test(dev
[0], count
, func
):
955 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
956 identity
="1232010000000000",
957 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
958 wait_connect
=False, scan_freq
="2412")
959 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
961 raise Exception("EAP method not selected")
962 dev
[0].wait_disconnected()
963 dev
[0].request("REMOVE_NETWORK all")
965 def test_ap_wpa2_eap_aka(dev
, apdev
):
966 """WPA2-Enterprise connection using EAP-AKA"""
967 check_hlr_auc_gw_support()
968 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
969 hapd
= hostapd
.add_ap(apdev
[0], params
)
970 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
971 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
972 hwsim_utils
.test_connectivity(dev
[0], hapd
)
973 eap_reauth(dev
[0], "AKA")
975 logger
.info("Negative test with incorrect key")
976 dev
[0].request("REMOVE_NETWORK all")
977 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
978 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
981 logger
.info("Invalid Milenage key")
982 dev
[0].request("REMOVE_NETWORK all")
983 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
984 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
987 logger
.info("Invalid Milenage key(2)")
988 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
989 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
992 logger
.info("Invalid Milenage key(3)")
993 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
994 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
997 logger
.info("Invalid Milenage key(4)")
998 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
999 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
1000 expect_failure
=True)
1002 logger
.info("Invalid Milenage key(5)")
1003 dev
[0].request("REMOVE_NETWORK all")
1004 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1005 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
1006 expect_failure
=True)
1008 logger
.info("Invalid Milenage key(6)")
1009 dev
[0].request("REMOVE_NETWORK all")
1010 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1011 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
1012 expect_failure
=True)
1014 logger
.info("Missing key configuration")
1015 dev
[0].request("REMOVE_NETWORK all")
1016 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1017 expect_failure
=True)
1019 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
1020 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
1021 check_hlr_auc_gw_support()
1025 raise HwsimSkip("No sqlite3 module available")
1026 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1027 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1028 params
['auth_server_port'] = "1814"
1029 hapd
= hostapd
.add_ap(apdev
[0], params
)
1030 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1031 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1033 logger
.info("AKA fast re-authentication")
1034 eap_reauth(dev
[0], "AKA")
1036 logger
.info("AKA full auth with pseudonym")
1039 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
1040 eap_reauth(dev
[0], "AKA")
1042 logger
.info("AKA full auth with permanent identity")
1045 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
1046 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
1047 eap_reauth(dev
[0], "AKA")
1049 logger
.info("AKA reauth with mismatching MK")
1052 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
1053 eap_reauth(dev
[0], "AKA", expect_failure
=True)
1054 dev
[0].request("REMOVE_NETWORK all")
1056 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1057 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1060 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
1061 eap_reauth(dev
[0], "AKA")
1064 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
1065 logger
.info("AKA reauth with mismatching counter")
1066 eap_reauth(dev
[0], "AKA")
1067 dev
[0].request("REMOVE_NETWORK all")
1069 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1070 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
1073 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
1074 logger
.info("AKA reauth with max reauth count reached")
1075 eap_reauth(dev
[0], "AKA")
1077 def test_ap_wpa2_eap_aka_config(dev
, apdev
):
1078 """EAP-AKA configuration options"""
1079 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1080 hapd
= hostapd
.add_ap(apdev
[0], params
)
1081 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
1082 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1083 anonymous_identity
="2345678")
1085 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
1086 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
1088 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
1090 dev
[0].request("SET external_sim 0")
1092 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
1093 check_hlr_auc_gw_support()
1094 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1095 hostapd
.add_ap(apdev
[0], params
)
1096 dev
[0].request("SET external_sim 1")
1097 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1098 identity
="0232010000000000",
1099 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1100 wait_connect
=False, scan_freq
="2412")
1101 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1103 raise Exception("Network connected timed out")
1105 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1107 raise Exception("Wait for external SIM processing request timed out")
1108 p
= ev
.split(':', 2)
1109 if p
[1] != "UMTS-AUTH":
1110 raise Exception("Unexpected CTRL-REQ-SIM type")
1111 rid
= p
[0].split('-')[3]
1114 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
1115 # This will fail during processing, but the ctrl_iface command succeeds
1116 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1117 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1119 raise Exception("EAP failure not reported")
1120 dev
[0].request("DISCONNECT")
1121 dev
[0].wait_disconnected()
1123 dev
[0].dump_monitor()
1125 dev
[0].select_network(id, freq
="2412")
1126 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1128 raise Exception("Wait for external SIM processing request timed out")
1129 p
= ev
.split(':', 2)
1130 if p
[1] != "UMTS-AUTH":
1131 raise Exception("Unexpected CTRL-REQ-SIM type")
1132 rid
= p
[0].split('-')[3]
1133 # This will fail during UMTS auth validation
1134 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1135 raise Exception("CTRL-RSP-SIM failed")
1136 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1138 raise Exception("Wait for external SIM processing request timed out")
1139 p
= ev
.split(':', 2)
1140 if p
[1] != "UMTS-AUTH":
1141 raise Exception("Unexpected CTRL-REQ-SIM type")
1142 rid
= p
[0].split('-')[3]
1143 # This will fail during UMTS auth validation
1144 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1145 raise Exception("CTRL-RSP-SIM failed")
1146 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1148 raise Exception("EAP failure not reported")
1149 dev
[0].request("DISCONNECT")
1150 dev
[0].wait_disconnected()
1152 dev
[0].dump_monitor()
1154 tests
= [":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1156 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1157 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1158 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1159 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1160 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"]
1162 dev
[0].select_network(id, freq
="2412")
1163 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1165 raise Exception("Wait for external SIM processing request timed out")
1166 p
= ev
.split(':', 2)
1167 if p
[1] != "UMTS-AUTH":
1168 raise Exception("Unexpected CTRL-REQ-SIM type")
1169 rid
= p
[0].split('-')[3]
1170 # This will fail during UMTS auth validation
1171 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1172 raise Exception("CTRL-RSP-SIM failed")
1173 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1175 raise Exception("EAP failure not reported")
1176 dev
[0].request("DISCONNECT")
1177 dev
[0].wait_disconnected()
1179 dev
[0].dump_monitor()
1181 def test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1182 """EAP-AKA with external UMTS auth and auth failing"""
1184 _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
)
1186 dev
[0].request("SET external_sim 0")
1188 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1189 check_hlr_auc_gw_support()
1190 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1191 hostapd
.add_ap(apdev
[0], params
)
1192 dev
[0].request("SET external_sim 1")
1193 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1194 identity
="0232010000000000",
1195 wait_connect
=False, scan_freq
="2412")
1197 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1199 raise Exception("Wait for external SIM processing request timed out")
1200 p
= ev
.split(':', 2)
1201 rid
= p
[0].split('-')[3]
1202 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1203 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1205 raise Exception("EAP failure not reported")
1206 dev
[0].request("REMOVE_NETWORK all")
1207 dev
[0].wait_disconnected()
1209 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
1210 """WPA2-Enterprise connection using EAP-AKA'"""
1211 check_hlr_auc_gw_support()
1212 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1213 hapd
= hostapd
.add_ap(apdev
[0], params
)
1214 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1215 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1216 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1217 eap_reauth(dev
[0], "AKA'")
1219 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
1220 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
1221 identity
="6555444333222111@both",
1222 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1223 wait_connect
=False, scan_freq
="2412")
1224 dev
[1].wait_connected(timeout
=15)
1226 logger
.info("Negative test with incorrect key")
1227 dev
[0].request("REMOVE_NETWORK all")
1228 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1229 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
1230 expect_failure
=True)
1232 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
1233 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1234 check_hlr_auc_gw_support()
1238 raise HwsimSkip("No sqlite3 module available")
1239 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1240 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1241 params
['auth_server_port'] = "1814"
1242 hapd
= hostapd
.add_ap(apdev
[0], params
)
1243 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1244 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1246 logger
.info("AKA' fast re-authentication")
1247 eap_reauth(dev
[0], "AKA'")
1249 logger
.info("AKA' full auth with pseudonym")
1252 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1253 eap_reauth(dev
[0], "AKA'")
1255 logger
.info("AKA' full auth with permanent identity")
1258 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1259 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1260 eap_reauth(dev
[0], "AKA'")
1262 logger
.info("AKA' reauth with mismatching k_aut")
1265 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1266 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
1267 dev
[0].request("REMOVE_NETWORK all")
1269 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1270 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1273 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1274 eap_reauth(dev
[0], "AKA'")
1277 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1278 logger
.info("AKA' reauth with mismatching counter")
1279 eap_reauth(dev
[0], "AKA'")
1280 dev
[0].request("REMOVE_NETWORK all")
1282 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1283 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1286 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1287 logger
.info("AKA' reauth with max reauth count reached")
1288 eap_reauth(dev
[0], "AKA'")
1290 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1291 """EAP-AKA' with external UMTS auth and auth failing"""
1293 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
)
1295 dev
[0].request("SET external_sim 0")
1297 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1298 check_hlr_auc_gw_support()
1299 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1300 hostapd
.add_ap(apdev
[0], params
)
1301 dev
[0].request("SET external_sim 1")
1302 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1303 identity
="6555444333222111",
1304 wait_connect
=False, scan_freq
="2412")
1306 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1308 raise Exception("Wait for external SIM processing request timed out")
1309 p
= ev
.split(':', 2)
1310 rid
= p
[0].split('-')[3]
1311 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1312 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1314 raise Exception("EAP failure not reported")
1315 dev
[0].request("REMOVE_NETWORK all")
1316 dev
[0].wait_disconnected()
1318 def test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1319 """EAP-AKA' with external UMTS auth to hit Synchronization-Failure"""
1321 _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
)
1323 dev
[0].request("SET external_sim 0")
1325 def _test_ap_wpa2_eap_aka_prime_ext(dev
, apdev
):
1326 check_hlr_auc_gw_support()
1327 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1328 hostapd
.add_ap(apdev
[0], params
)
1329 dev
[0].request("SET external_sim 1")
1330 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1331 identity
="6555444333222111",
1332 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1333 wait_connect
=False, scan_freq
="2412")
1334 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
1336 raise Exception("Network connected timed out")
1338 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1340 raise Exception("Wait for external SIM processing request timed out")
1341 p
= ev
.split(':', 2)
1342 if p
[1] != "UMTS-AUTH":
1343 raise Exception("Unexpected CTRL-REQ-SIM type")
1344 rid
= p
[0].split('-')[3]
1345 # This will fail during UMTS auth validation
1346 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1347 raise Exception("CTRL-RSP-SIM failed")
1348 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1350 raise Exception("Wait for external SIM processing request timed out")
1352 def test_ap_wpa2_eap_ttls_pap(dev
, apdev
):
1353 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
1354 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1355 hapd
= hostapd
.add_ap(apdev
[0], params
)
1356 key_mgmt
= hapd
.get_config()['key_mgmt']
1357 if key_mgmt
.split(' ')[0] != "WPA-EAP":
1358 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
1359 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1360 anonymous_identity
="ttls", password
="password",
1361 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
1362 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1363 eap_reauth(dev
[0], "TTLS")
1364 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
1365 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
1367 def test_ap_wpa2_eap_ttls_pap_subject_match(dev
, apdev
):
1368 """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
1369 check_subject_match_support(dev
[0])
1370 check_altsubject_match_support(dev
[0])
1371 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1372 hapd
= hostapd
.add_ap(apdev
[0], params
)
1373 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1374 anonymous_identity
="ttls", password
="password",
1375 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1376 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
1377 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
1378 eap_reauth(dev
[0], "TTLS")
1380 def test_ap_wpa2_eap_ttls_pap_check_cert_subject(dev
, apdev
):
1381 """EAP-TTLS/PAP and check_cert_subject"""
1382 check_check_cert_subject_support(dev
[0])
1383 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1384 hapd
= hostapd
.add_ap(apdev
[0], params
)
1385 tests
= ["C=FI/O=w1.fi/CN=server.w1.fi",
1387 "C=FI/CN=server.w1.fi",
1388 "O=w1.fi/CN=server.w1.fi",
1395 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1396 anonymous_identity
="ttls", password
="password",
1397 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1398 check_cert_subject
=test
)
1399 dev
[0].request("REMOVE_NETWORK all")
1400 dev
[0].wait_disconnected()
1401 dev
[0].dump_monitor()
1403 def test_ap_wpa2_eap_ttls_pap_check_cert_subject_neg(dev
, apdev
):
1404 """EAP-TTLS/PAP and check_cert_subject (negative)"""
1405 check_check_cert_subject_support(dev
[0])
1406 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1407 hapd
= hostapd
.add_ap(apdev
[0], params
)
1417 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1418 anonymous_identity
="ttls", password
="password",
1419 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1420 expect_failure
=True, expect_cert_error
=12,
1421 check_cert_subject
=test
)
1422 dev
[0].request("REMOVE_NETWORK all")
1423 dev
[0].dump_monitor()
1425 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
1426 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
1427 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1428 hapd
= hostapd
.add_ap(apdev
[0], params
)
1429 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
1430 anonymous_identity
="ttls", password
="wrong",
1431 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1432 expect_failure
=True)
1433 eap_connect(dev
[1], hapd
, "TTLS", "user",
1434 anonymous_identity
="ttls", password
="password",
1435 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
1436 expect_failure
=True)
1438 def test_ap_wpa2_eap_ttls_chap(dev
, apdev
):
1439 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
1440 skip_with_fips(dev
[0])
1441 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1442 hapd
= hostapd
.add_ap(apdev
[0], params
)
1443 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
1444 anonymous_identity
="ttls", password
="password",
1445 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
1446 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1447 eap_reauth(dev
[0], "TTLS")
1449 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev
, apdev
):
1450 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
1451 skip_with_fips(dev
[0])
1452 check_altsubject_match_support(dev
[0])
1453 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1454 hapd
= hostapd
.add_ap(apdev
[0], params
)
1455 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
1456 anonymous_identity
="ttls", password
="password",
1457 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP",
1458 altsubject_match
="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
1459 eap_reauth(dev
[0], "TTLS")
1461 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev
, apdev
):
1462 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
1463 skip_with_fips(dev
[0])
1464 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1465 hapd
= hostapd
.add_ap(apdev
[0], params
)
1466 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
1467 anonymous_identity
="ttls", password
="wrong",
1468 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
1469 expect_failure
=True)
1470 eap_connect(dev
[1], hapd
, "TTLS", "user",
1471 anonymous_identity
="ttls", password
="password",
1472 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
1473 expect_failure
=True)
1475 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
1476 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
1477 skip_with_fips(dev
[0])
1478 check_domain_suffix_match(dev
[0])
1479 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1480 hapd
= hostapd
.add_ap(apdev
[0], params
)
1481 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1482 anonymous_identity
="ttls", password
="password",
1483 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1484 domain_suffix_match
="server.w1.fi")
1485 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1486 eap_reauth(dev
[0], "TTLS")
1487 dev
[0].request("REMOVE_NETWORK all")
1488 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1489 anonymous_identity
="ttls", password
="password",
1490 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1491 fragment_size
="200")
1492 dev
[0].request("REMOVE_NETWORK all")
1493 dev
[0].wait_disconnected()
1494 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1495 anonymous_identity
="ttls",
1496 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
1497 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
1499 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev
, apdev
):
1500 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
1501 skip_with_fips(dev
[0])
1502 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1503 hapd
= hostapd
.add_ap(apdev
[0], params
)
1504 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
1505 anonymous_identity
="ttls", password
="wrong",
1506 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1507 expect_failure
=True)
1508 eap_connect(dev
[1], hapd
, "TTLS", "user",
1509 anonymous_identity
="ttls", password
="password",
1510 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1511 expect_failure
=True)
1512 eap_connect(dev
[2], hapd
, "TTLS", "no such user",
1513 anonymous_identity
="ttls", password
="password",
1514 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
1515 expect_failure
=True)
1517 def test_ap_wpa2_eap_ttls_mschapv2(dev
, apdev
):
1518 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1519 check_domain_suffix_match(dev
[0])
1520 check_eap_capa(dev
[0], "MSCHAPV2")
1521 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1522 hapd
= hostapd
.add_ap(apdev
[0], params
)
1523 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1524 anonymous_identity
="ttls", password
="password",
1525 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1526 domain_suffix_match
="server.w1.fi")
1527 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1528 sta1
= hapd
.get_sta(dev
[0].p2p_interface_addr())
1529 eapol1
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
1530 eap_reauth(dev
[0], "TTLS")
1531 sta2
= hapd
.get_sta(dev
[0].p2p_interface_addr())
1532 eapol2
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
1533 if int(sta2
['dot1xAuthEapolFramesRx']) <= int(sta1
['dot1xAuthEapolFramesRx']):
1534 raise Exception("dot1xAuthEapolFramesRx did not increase")
1535 if int(eapol2
['authAuthEapStartsWhileAuthenticated']) < 1:
1536 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
1537 if int(eapol2
['backendAuthSuccesses']) <= int(eapol1
['backendAuthSuccesses']):
1538 raise Exception("backendAuthSuccesses did not increase")
1540 logger
.info("Password as hash value")
1541 dev
[0].request("REMOVE_NETWORK all")
1542 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1543 anonymous_identity
="ttls",
1544 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
1545 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1547 def test_ap_wpa2_eap_ttls_invalid_phase2(dev
, apdev
):
1548 """EAP-TTLS with invalid phase2 parameter values"""
1549 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1550 hostapd
.add_ap(apdev
[0], params
)
1551 tests
= ["auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1552 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1553 "autheap=MD5 autheap=FOO autheap=MSCHAPV2"]
1555 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1556 identity
="DOMAIN\mschapv2 user",
1557 anonymous_identity
="ttls", password
="password",
1558 ca_cert
="auth_serv/ca.pem", phase2
=t
,
1559 wait_connect
=False, scan_freq
="2412")
1560 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout
=10)
1561 if ev
is None or "method=21" not in ev
:
1562 raise Exception("EAP-TTLS not started")
1563 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method",
1564 "CTRL-EVENT-CONNECTED"], timeout
=5)
1565 if ev
is None or "CTRL-EVENT-CONNECTED" in ev
:
1566 raise Exception("No EAP-TTLS failure reported for phase2=" + t
)
1567 dev
[0].request("REMOVE_NETWORK all")
1568 dev
[0].wait_disconnected()
1569 dev
[0].dump_monitor()
1571 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev
, apdev
):
1572 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
1573 check_domain_match_full(dev
[0])
1574 skip_with_fips(dev
[0])
1575 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1576 hapd
= hostapd
.add_ap(apdev
[0], params
)
1577 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1578 anonymous_identity
="ttls", password
="password",
1579 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1580 domain_suffix_match
="w1.fi")
1581 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1582 eap_reauth(dev
[0], "TTLS")
1584 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev
, apdev
):
1585 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
1586 check_domain_match(dev
[0])
1587 skip_with_fips(dev
[0])
1588 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1589 hapd
= hostapd
.add_ap(apdev
[0], params
)
1590 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1591 anonymous_identity
="ttls", password
="password",
1592 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1593 domain_match
="Server.w1.fi")
1594 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1595 eap_reauth(dev
[0], "TTLS")
1597 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev
, apdev
):
1598 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
1599 skip_with_fips(dev
[0])
1600 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1601 hapd
= hostapd
.add_ap(apdev
[0], params
)
1602 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
1603 anonymous_identity
="ttls", password
="password1",
1604 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1605 expect_failure
=True)
1606 eap_connect(dev
[1], hapd
, "TTLS", "user",
1607 anonymous_identity
="ttls", password
="password",
1608 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1609 expect_failure
=True)
1611 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
1612 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1613 skip_with_fips(dev
[0])
1614 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1615 hapd
= hostapd
.add_ap(apdev
[0], params
)
1616 eap_connect(dev
[0], hapd
, "TTLS", "utf8-user-hash",
1617 anonymous_identity
="ttls", password
="secret-åäö-€-password",
1618 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1619 eap_connect(dev
[1], hapd
, "TTLS", "utf8-user",
1620 anonymous_identity
="ttls",
1621 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
1622 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1623 for p
in ["80", "41c041e04141e041", 257*"41"]:
1624 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1625 eap
="TTLS", identity
="utf8-user-hash",
1626 anonymous_identity
="ttls", password_hex
=p
,
1627 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1628 wait_connect
=False, scan_freq
="2412")
1629 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1631 raise Exception("No failure reported")
1632 dev
[2].request("REMOVE_NETWORK all")
1633 dev
[2].wait_disconnected()
1635 def test_ap_wpa2_eap_ttls_eap_gtc(dev
, apdev
):
1636 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
1637 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1638 hapd
= hostapd
.add_ap(apdev
[0], params
)
1639 eap_connect(dev
[0], hapd
, "TTLS", "user",
1640 anonymous_identity
="ttls", password
="password",
1641 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
1642 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1643 eap_reauth(dev
[0], "TTLS")
1645 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev
, apdev
):
1646 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
1647 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1648 hapd
= hostapd
.add_ap(apdev
[0], params
)
1649 eap_connect(dev
[0], hapd
, "TTLS", "user",
1650 anonymous_identity
="ttls", password
="wrong",
1651 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1652 expect_failure
=True)
1654 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev
, apdev
):
1655 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
1656 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1657 hapd
= hostapd
.add_ap(apdev
[0], params
)
1658 eap_connect(dev
[0], hapd
, "TTLS", "user-no-passwd",
1659 anonymous_identity
="ttls", password
="password",
1660 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1661 expect_failure
=True)
1663 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1664 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1665 params
= int_eap_server_params()
1666 hapd
= hostapd
.add_ap(apdev
[0], params
)
1667 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1668 eap_connect(dev
[0], hapd
, "TTLS", "user",
1669 anonymous_identity
="ttls", password
="password",
1670 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1671 expect_failure
=True)
1672 dev
[0].request("REMOVE_NETWORK all")
1674 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1675 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1676 eap
="TTLS", identity
="user",
1677 anonymous_identity
="ttls", password
="password",
1678 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1679 wait_connect
=False, scan_freq
="2412")
1680 # This would eventually time out, but we can stop after having reached
1681 # the allocation failure.
1684 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1687 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1688 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1689 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1690 hapd
= hostapd
.add_ap(apdev
[0], params
)
1692 tests
= ["eap_gtc_init",
1693 "eap_msg_alloc;eap_gtc_process"]
1695 with
alloc_fail(dev
[0], 1, func
):
1696 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1698 eap
="TTLS", identity
="user",
1699 anonymous_identity
="ttls", password
="password",
1700 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1702 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1703 dev
[0].request("REMOVE_NETWORK all")
1704 dev
[0].wait_disconnected()
1706 def test_ap_wpa2_eap_ttls_eap_md5(dev
, apdev
):
1707 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
1708 check_eap_capa(dev
[0], "MD5")
1709 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1710 hapd
= hostapd
.add_ap(apdev
[0], params
)
1711 eap_connect(dev
[0], hapd
, "TTLS", "user",
1712 anonymous_identity
="ttls", password
="password",
1713 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5")
1714 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1715 eap_reauth(dev
[0], "TTLS")
1717 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev
, apdev
):
1718 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
1719 check_eap_capa(dev
[0], "MD5")
1720 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1721 hapd
= hostapd
.add_ap(apdev
[0], params
)
1722 eap_connect(dev
[0], hapd
, "TTLS", "user",
1723 anonymous_identity
="ttls", password
="wrong",
1724 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1725 expect_failure
=True)
1727 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev
, apdev
):
1728 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1729 check_eap_capa(dev
[0], "MD5")
1730 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1731 hapd
= hostapd
.add_ap(apdev
[0], params
)
1732 eap_connect(dev
[0], hapd
, "TTLS", "user-no-passwd",
1733 anonymous_identity
="ttls", password
="password",
1734 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1735 expect_failure
=True)
1737 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1738 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1739 check_eap_capa(dev
[0], "MD5")
1740 params
= int_eap_server_params()
1741 hapd
= hostapd
.add_ap(apdev
[0], params
)
1742 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1743 eap_connect(dev
[0], hapd
, "TTLS", "user",
1744 anonymous_identity
="ttls", password
="password",
1745 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1746 expect_failure
=True)
1747 dev
[0].request("REMOVE_NETWORK all")
1749 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1750 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1751 eap
="TTLS", identity
="user",
1752 anonymous_identity
="ttls", password
="password",
1753 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1754 wait_connect
=False, scan_freq
="2412")
1755 # This would eventually time out, but we can stop after having reached
1756 # the allocation failure.
1759 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1762 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev
, apdev
):
1763 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1764 check_eap_capa(dev
[0], "MSCHAPV2")
1765 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1766 hapd
= hostapd
.add_ap(apdev
[0], params
)
1767 eap_connect(dev
[0], hapd
, "TTLS", "user",
1768 anonymous_identity
="ttls", password
="password",
1769 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2")
1770 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1771 eap_reauth(dev
[0], "TTLS")
1773 logger
.info("Negative test with incorrect password")
1774 dev
[0].request("REMOVE_NETWORK all")
1775 eap_connect(dev
[0], hapd
, "TTLS", "user",
1776 anonymous_identity
="ttls", password
="password1",
1777 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1778 expect_failure
=True)
1780 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev
, apdev
):
1781 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1782 check_eap_capa(dev
[0], "MSCHAPV2")
1783 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1784 hapd
= hostapd
.add_ap(apdev
[0], params
)
1785 eap_connect(dev
[0], hapd
, "TTLS", "user-no-passwd",
1786 anonymous_identity
="ttls", password
="password",
1787 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1788 expect_failure
=True)
1790 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1791 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1792 check_eap_capa(dev
[0], "MSCHAPV2")
1793 params
= int_eap_server_params()
1794 hapd
= hostapd
.add_ap(apdev
[0], params
)
1795 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1796 eap_connect(dev
[0], hapd
, "TTLS", "user",
1797 anonymous_identity
="ttls", password
="password",
1798 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1799 expect_failure
=True)
1800 dev
[0].request("REMOVE_NETWORK all")
1802 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1803 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1804 eap
="TTLS", identity
="user",
1805 anonymous_identity
="ttls", password
="password",
1806 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1807 wait_connect
=False, scan_freq
="2412")
1808 # This would eventually time out, but we can stop after having reached
1809 # the allocation failure.
1812 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1814 dev
[0].request("REMOVE_NETWORK all")
1816 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1817 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1818 eap
="TTLS", identity
="user",
1819 anonymous_identity
="ttls", password
="password",
1820 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1821 wait_connect
=False, scan_freq
="2412")
1822 # This would eventually time out, but we can stop after having reached
1823 # the allocation failure.
1826 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1828 dev
[0].request("REMOVE_NETWORK all")
1830 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1831 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1832 eap
="TTLS", identity
="user",
1833 anonymous_identity
="ttls", password
="wrong",
1834 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1835 wait_connect
=False, scan_freq
="2412")
1836 # This would eventually time out, but we can stop after having reached
1837 # the allocation failure.
1840 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1842 dev
[0].request("REMOVE_NETWORK all")
1844 def test_ap_wpa2_eap_ttls_eap_sim(dev
, apdev
):
1845 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
1846 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1847 hapd
= hostapd
.add_ap(apdev
[0], params
)
1848 eap_connect(dev
[0], hapd
, "TTLS", "1232010000000000",
1849 anonymous_identity
="1232010000000000@ttls",
1850 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1851 ca_cert
="auth_serv/ca.pem", phase2
="autheap=SIM")
1852 eap_reauth(dev
[0], "TTLS")
1854 def run_ext_sim_auth(hapd
, dev
):
1855 ev
= dev
.wait_event(["CTRL-REQ-SIM"], timeout
=15)
1857 raise Exception("Wait for external SIM processing request timed out")
1858 p
= ev
.split(':', 2)
1859 if p
[1] != "GSM-AUTH":
1860 raise Exception("Unexpected CTRL-REQ-SIM type")
1861 rid
= p
[0].split('-')[3]
1862 rand
= p
[2].split(' ')[0]
1864 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
1866 "auth_serv/hlr_auc_gw.milenage_db",
1867 "GSM-AUTH-REQ 232010000000000 " + rand
]).decode()
1868 if "GSM-AUTH-RESP" not in res
:
1869 raise Exception("Unexpected hlr_auc_gw response")
1870 resp
= res
.split(' ')[2].rstrip()
1872 dev
.request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
1873 dev
.wait_connected(timeout
=15)
1877 dev
.request("REAUTHENTICATE")
1878 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=5)
1880 raise Exception("EAP reauthentication did not succeed")
1881 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=5)
1883 raise Exception("Key negotiation did not complete")
1886 def test_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1887 """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
1888 check_hlr_auc_gw_support()
1890 run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
)
1892 dev
[0].request("SET external_sim 0")
1894 def run_ap_wpa2_eap_ttls_eap_sim_ext(dev
, apdev
):
1895 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1896 hapd
= hostapd
.add_ap(apdev
[0], params
)
1897 dev
[0].request("SET external_sim 1")
1898 dev
[0].connect("test-wpa2-eap", eap
="TTLS", key_mgmt
="WPA-EAP",
1899 identity
="1232010000000000",
1900 anonymous_identity
="1232010000000000@ttls",
1901 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1902 ca_cert
="auth_serv/ca.pem", phase2
="autheap=SIM",
1903 wait_connect
=False, scan_freq
="2412")
1904 run_ext_sim_auth(hapd
, dev
[0])
1906 def test_ap_wpa2_eap_ttls_eap_vendor(dev
, apdev
):
1907 """WPA2-Enterprise connection using EAP-TTLS/EAP-vendor"""
1908 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1909 hapd
= hostapd
.add_ap(apdev
[0], params
)
1910 eap_connect(dev
[0], hapd
, "TTLS", "vendor-test-2",
1911 anonymous_identity
="ttls",
1912 ca_cert
="auth_serv/ca.pem", phase2
="autheap=VENDOR-TEST")
1914 def test_ap_wpa2_eap_peap_eap_sim(dev
, apdev
):
1915 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
1916 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1917 hapd
= hostapd
.add_ap(apdev
[0], params
)
1918 eap_connect(dev
[0], hapd
, "PEAP", "1232010000000000",
1919 anonymous_identity
="1232010000000000@peap",
1920 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1921 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM")
1922 eap_reauth(dev
[0], "PEAP")
1924 def test_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1925 """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
1926 check_hlr_auc_gw_support()
1928 run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
)
1930 dev
[0].request("SET external_sim 0")
1932 def run_ap_wpa2_eap_peap_eap_sim_ext(dev
, apdev
):
1933 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1934 hapd
= hostapd
.add_ap(apdev
[0], params
)
1935 dev
[0].request("SET external_sim 1")
1936 dev
[0].connect("test-wpa2-eap", eap
="PEAP", key_mgmt
="WPA-EAP",
1937 identity
="1232010000000000",
1938 anonymous_identity
="1232010000000000@peap",
1939 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1940 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM",
1941 wait_connect
=False, scan_freq
="2412")
1942 run_ext_sim_auth(hapd
, dev
[0])
1944 def test_ap_wpa2_eap_fast_eap_sim(dev
, apdev
):
1945 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM"""
1946 check_eap_capa(dev
[0], "FAST")
1947 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1948 hapd
= hostapd
.add_ap(apdev
[0], params
)
1949 eap_connect(dev
[0], hapd
, "FAST", "1232010000000000",
1950 anonymous_identity
="1232010000000000@fast",
1951 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1952 phase1
="fast_provisioning=2",
1953 pac_file
="blob://fast_pac_auth_sim",
1954 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM")
1955 eap_reauth(dev
[0], "FAST")
1957 def test_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1958 """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
1959 check_hlr_auc_gw_support()
1961 run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
)
1963 dev
[0].request("SET external_sim 0")
1965 def run_ap_wpa2_eap_fast_eap_sim_ext(dev
, apdev
):
1966 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1967 hapd
= hostapd
.add_ap(apdev
[0], params
)
1968 dev
[0].request("SET external_sim 1")
1969 dev
[0].connect("test-wpa2-eap", eap
="PEAP", key_mgmt
="WPA-EAP",
1970 identity
="1232010000000000",
1971 anonymous_identity
="1232010000000000@peap",
1972 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1973 phase1
="fast_provisioning=2",
1974 pac_file
="blob://fast_pac_auth_sim",
1975 ca_cert
="auth_serv/ca.pem", phase2
="auth=SIM",
1976 wait_connect
=False, scan_freq
="2412")
1977 run_ext_sim_auth(hapd
, dev
[0])
1979 def test_ap_wpa2_eap_ttls_eap_aka(dev
, apdev
):
1980 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1981 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1982 hapd
= hostapd
.add_ap(apdev
[0], params
)
1983 eap_connect(dev
[0], hapd
, "TTLS", "0232010000000000",
1984 anonymous_identity
="0232010000000000@ttls",
1985 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1986 ca_cert
="auth_serv/ca.pem", phase2
="autheap=AKA")
1987 eap_reauth(dev
[0], "TTLS")
1989 def test_ap_wpa2_eap_peap_eap_aka(dev
, apdev
):
1990 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1991 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1992 hapd
= hostapd
.add_ap(apdev
[0], params
)
1993 eap_connect(dev
[0], hapd
, "PEAP", "0232010000000000",
1994 anonymous_identity
="0232010000000000@peap",
1995 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1996 ca_cert
="auth_serv/ca.pem", phase2
="auth=AKA")
1997 eap_reauth(dev
[0], "PEAP")
1999 def test_ap_wpa2_eap_fast_eap_aka(dev
, apdev
):
2000 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
2001 check_eap_capa(dev
[0], "FAST")
2002 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2003 hapd
= hostapd
.add_ap(apdev
[0], params
)
2004 eap_connect(dev
[0], hapd
, "FAST", "0232010000000000",
2005 anonymous_identity
="0232010000000000@fast",
2006 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2007 phase1
="fast_provisioning=2",
2008 pac_file
="blob://fast_pac_auth_aka",
2009 ca_cert
="auth_serv/ca.pem", phase2
="auth=AKA")
2010 eap_reauth(dev
[0], "FAST")
2012 def test_ap_wpa2_eap_peap_eap_mschapv2(dev
, apdev
):
2013 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2014 check_eap_capa(dev
[0], "MSCHAPV2")
2015 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2016 hapd
= hostapd
.add_ap(apdev
[0], params
)
2017 eap_connect(dev
[0], hapd
, "PEAP", "user",
2018 anonymous_identity
="peap", password
="password",
2019 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
2020 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2021 eap_reauth(dev
[0], "PEAP")
2022 dev
[0].request("REMOVE_NETWORK all")
2023 eap_connect(dev
[0], hapd
, "PEAP", "user",
2024 anonymous_identity
="peap", password
="password",
2025 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2026 fragment_size
="200")
2028 logger
.info("Password as hash value")
2029 dev
[0].request("REMOVE_NETWORK all")
2030 eap_connect(dev
[0], hapd
, "PEAP", "user",
2031 anonymous_identity
="peap",
2032 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
2033 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
2035 logger
.info("Negative test with incorrect password")
2036 dev
[0].request("REMOVE_NETWORK all")
2037 eap_connect(dev
[0], hapd
, "PEAP", "user",
2038 anonymous_identity
="peap", password
="password1",
2039 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2040 expect_failure
=True)
2042 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev
, apdev
):
2043 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
2044 check_eap_capa(dev
[0], "MSCHAPV2")
2045 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2046 hapd
= hostapd
.add_ap(apdev
[0], params
)
2047 eap_connect(dev
[0], hapd
, "PEAP", r
"DOMAIN\user3",
2048 anonymous_identity
="peap", password
="password",
2049 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
2050 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2051 eap_reauth(dev
[0], "PEAP")
2053 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev
, apdev
):
2054 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
2055 check_eap_capa(dev
[0], "MSCHAPV2")
2056 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2057 hapd
= hostapd
.add_ap(apdev
[0], params
)
2058 eap_connect(dev
[0], hapd
, "PEAP", "user",
2059 anonymous_identity
="peap", password
="wrong",
2060 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2061 expect_failure
=True)
2063 def test_ap_wpa2_eap_peap_crypto_binding(dev
, apdev
):
2064 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
2065 check_eap_capa(dev
[0], "MSCHAPV2")
2066 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2067 hapd
= hostapd
.add_ap(apdev
[0], params
)
2068 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
2069 ca_cert
="auth_serv/ca.pem",
2070 phase1
="peapver=0 crypto_binding=2",
2071 phase2
="auth=MSCHAPV2")
2072 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2073 eap_reauth(dev
[0], "PEAP")
2075 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
2076 ca_cert
="auth_serv/ca.pem",
2077 phase1
="peapver=0 crypto_binding=1",
2078 phase2
="auth=MSCHAPV2")
2079 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
2080 ca_cert
="auth_serv/ca.pem",
2081 phase1
="peapver=0 crypto_binding=0",
2082 phase2
="auth=MSCHAPV2")
2084 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev
, apdev
):
2085 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
2086 check_eap_capa(dev
[0], "MSCHAPV2")
2087 params
= int_eap_server_params()
2088 hapd
= hostapd
.add_ap(apdev
[0], params
)
2089 with
alloc_fail(hapd
, 1, "eap_mschapv2_getKey"):
2090 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
2091 ca_cert
="auth_serv/ca.pem",
2092 phase1
="peapver=0 crypto_binding=2",
2093 phase2
="auth=MSCHAPV2",
2094 expect_failure
=True, local_error_report
=True)
2096 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
2097 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
2098 check_eap_capa(dev
[0], "MSCHAPV2")
2099 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2100 hapd
= hostapd
.add_ap(apdev
[0], params
)
2101 eap_connect(dev
[0], hapd
, "PEAP", "user",
2102 anonymous_identity
="peap", password
="password",
2103 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2104 phase1
="peapver=0 peaplabel=1",
2105 expect_failure
=True)
2106 dev
[0].request("REMOVE_NETWORK all")
2107 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2109 anonymous_identity
="peap", password
="password",
2110 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2111 phase1
="peap_outer_success=0",
2112 wait_connect
=False, scan_freq
="2412")
2113 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2115 raise Exception("No EAP success seen")
2116 # This won't succeed to connect with peap_outer_success=0, so stop here.
2117 dev
[0].request("REMOVE_NETWORK all")
2118 dev
[0].wait_disconnected()
2119 eap_connect(dev
[1], hapd
, "PEAP", "user", password
="password",
2120 ca_cert
="auth_serv/ca.pem",
2121 phase1
="peap_outer_success=1",
2122 phase2
="auth=MSCHAPV2")
2123 eap_connect(dev
[2], hapd
, "PEAP", "user", password
="password",
2124 ca_cert
="auth_serv/ca.pem",
2125 phase1
="peap_outer_success=2",
2126 phase2
="auth=MSCHAPV2")
2127 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2129 anonymous_identity
="peap", password
="password",
2130 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2131 phase1
="peapver=1 peaplabel=1",
2132 wait_connect
=False, scan_freq
="2412")
2133 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
2135 raise Exception("No EAP success seen")
2136 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2137 "CTRL-EVENT-DISCONNECTED"], timeout
=1)
2138 if ev
and "CTRL-EVENT-CONNECTED" in ev
:
2139 raise Exception("Unexpected connection")
2140 dev
[0].request("REMOVE_NETWORK all")
2141 dev
[0].disconnect_and_stop_scan()
2143 tests
= [("peap-ver0", ""),
2145 ("peap-ver0", "peapver=0"),
2146 ("peap-ver1", "peapver=1")]
2147 for anon
, phase1
in tests
:
2148 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2149 identity
="user", anonymous_identity
=anon
,
2150 password
="password", phase1
=phase1
,
2151 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2153 dev
[0].request("REMOVE_NETWORK all")
2154 dev
[0].wait_disconnected()
2156 tests
= [("peap-ver0", "peapver=1"),
2157 ("peap-ver1", "peapver=0")]
2158 for anon
, phase1
in tests
:
2159 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2160 identity
="user", anonymous_identity
=anon
,
2161 password
="password", phase1
=phase1
,
2162 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2163 wait_connect
=False, scan_freq
="2412")
2164 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2166 raise Exception("No EAP-Failure seen")
2167 dev
[0].request("REMOVE_NETWORK all")
2168 dev
[0].wait_disconnected()
2170 eap_connect(dev
[0], hapd
, "PEAP", "user", password
="password",
2171 ca_cert
="auth_serv/ca.pem",
2172 phase1
="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
2173 phase2
="auth=MSCHAPV2")
2175 def test_ap_wpa2_eap_peap_eap_gtc(dev
, apdev
, params
):
2176 """WPA2-Enterprise connection using EAP-PEAP/EAP-GTC"""
2177 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2178 hapd
= hostapd
.add_ap(apdev
[0], p
)
2179 eap_connect(dev
[0], hapd
, "PEAP", "user", phase1
="peapver=1",
2180 anonymous_identity
="peap", password
="password",
2181 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC")
2183 def test_ap_wpa2_eap_peap_eap_tls(dev
, apdev
):
2184 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
2185 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2186 hapd
= hostapd
.add_ap(apdev
[0], params
)
2187 eap_connect(dev
[0], hapd
, "PEAP", "cert user",
2188 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
2189 ca_cert2
="auth_serv/ca.pem",
2190 client_cert2
="auth_serv/user.pem",
2191 private_key2
="auth_serv/user.key")
2192 eap_reauth(dev
[0], "PEAP")
2194 def test_ap_wpa2_eap_peap_eap_vendor(dev
, apdev
):
2195 """WPA2-Enterprise connection using EAP-PEAP/EAP-vendor"""
2196 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2197 hapd
= hostapd
.add_ap(apdev
[0], params
)
2198 eap_connect(dev
[0], hapd
, "PEAP", "vendor-test-2",
2199 ca_cert
="auth_serv/ca.pem", phase2
="auth=VENDOR-TEST")
2201 def test_ap_wpa2_eap_tls(dev
, apdev
):
2202 """WPA2-Enterprise connection using EAP-TLS"""
2203 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2204 hapd
= hostapd
.add_ap(apdev
[0], params
)
2205 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2206 client_cert
="auth_serv/user.pem",
2207 private_key
="auth_serv/user.key")
2208 eap_reauth(dev
[0], "TLS")
2210 def test_eap_tls_pkcs8_pkcs5_v2_des3(dev
, apdev
):
2211 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
2212 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2213 hapd
= hostapd
.add_ap(apdev
[0], params
)
2214 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2215 client_cert
="auth_serv/user.pem",
2216 private_key
="auth_serv/user.key.pkcs8",
2217 private_key_passwd
="whatever")
2219 def test_eap_tls_pkcs8_pkcs5_v15(dev
, apdev
):
2220 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
2221 check_pkcs5_v15_support(dev
[0])
2222 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2223 hapd
= hostapd
.add_ap(apdev
[0], params
)
2224 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2225 client_cert
="auth_serv/user.pem",
2226 private_key
="auth_serv/user.key.pkcs8.pkcs5v15",
2227 private_key_passwd
="whatever")
2229 def test_ap_wpa2_eap_tls_blob(dev
, apdev
):
2230 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
2231 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2232 hapd
= hostapd
.add_ap(apdev
[0], params
)
2233 cert
= read_pem("auth_serv/ca.pem")
2234 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2235 raise Exception("Could not set cacert blob")
2236 cert
= read_pem("auth_serv/user.pem")
2237 if "OK" not in dev
[0].request("SET blob usercert " + binascii
.hexlify(cert
).decode()):
2238 raise Exception("Could not set usercert blob")
2239 key
= read_pem("auth_serv/user.rsa-key")
2240 if "OK" not in dev
[0].request("SET blob userkey " + binascii
.hexlify(key
).decode()):
2241 raise Exception("Could not set cacert blob")
2242 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="blob://cacert",
2243 client_cert
="blob://usercert",
2244 private_key
="blob://userkey")
2246 def test_ap_wpa2_eap_tls_blob_missing(dev
, apdev
):
2247 """EAP-TLS and config blob missing"""
2248 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2249 hostapd
.add_ap(apdev
[0], params
)
2250 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2251 identity
="tls user",
2252 ca_cert
="blob://testing-blob-does-not-exist",
2253 client_cert
="blob://testing-blob-does-not-exist",
2254 private_key
="blob://testing-blob-does-not-exist",
2255 wait_connect
=False, scan_freq
="2412")
2256 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=10)
2258 raise Exception("EAP failure not reported")
2259 dev
[0].request("REMOVE_NETWORK all")
2260 dev
[0].wait_disconnected()
2262 def test_ap_wpa2_eap_tls_with_tls_len(dev
, apdev
):
2263 """EAP-TLS and TLS Message Length in unfragmented packets"""
2264 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2265 hapd
= hostapd
.add_ap(apdev
[0], params
)
2266 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2267 phase1
="include_tls_length=1",
2268 client_cert
="auth_serv/user.pem",
2269 private_key
="auth_serv/user.key")
2271 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
2272 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
2273 check_pkcs12_support(dev
[0])
2274 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2275 hapd
= hostapd
.add_ap(apdev
[0], params
)
2276 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2277 private_key
="auth_serv/user.pkcs12",
2278 private_key_passwd
="whatever")
2279 dev
[0].request("REMOVE_NETWORK all")
2280 dev
[0].wait_disconnected()
2282 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2283 identity
="tls user",
2284 ca_cert
="auth_serv/ca.pem",
2285 private_key
="auth_serv/user.pkcs12",
2286 wait_connect
=False, scan_freq
="2412")
2287 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
2289 raise Exception("Request for private key passphrase timed out")
2290 id = ev
.split(':')[0].split('-')[-1]
2291 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
2292 dev
[0].wait_connected(timeout
=10)
2293 dev
[0].request("REMOVE_NETWORK all")
2294 dev
[0].wait_disconnected()
2296 # Run this twice to verify certificate chain handling with OpenSSL. Use two
2297 # different files to cover both cases of the extra certificate being the
2298 # one that signed the client certificate and it being unrelated to the
2299 # client certificate.
2300 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
2302 eap_connect(dev
[0], hapd
, "TLS", "tls user",
2303 ca_cert
="auth_serv/ca.pem",
2305 private_key_passwd
="whatever")
2306 dev
[0].request("REMOVE_NETWORK all")
2307 dev
[0].wait_disconnected()
2309 def test_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
):
2310 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
2311 cert
= read_pem("auth_serv/ca.pem")
2312 cacert
= binascii
.hexlify(cert
).decode()
2313 run_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
, cacert
)
2315 def test_ap_wpa2_eap_tls_pkcs12_blob_pem(dev
, apdev
):
2316 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob and PEM ca_cert blob"""
2317 with
open("auth_serv/ca.pem", "r") as f
:
2318 lines
= f
.readlines()
2322 if "-----BEGIN" in l
:
2329 cacert
= binascii
.hexlify(cert
.encode()).decode()
2330 run_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
, cacert
)
2332 def run_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
, cacert
):
2333 check_pkcs12_support(dev
[0])
2334 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2335 hapd
= hostapd
.add_ap(apdev
[0], params
)
2336 if "OK" not in dev
[0].request("SET blob cacert " + cacert
):
2337 raise Exception("Could not set cacert blob")
2338 with
open("auth_serv/user.pkcs12", "rb") as f
:
2339 if "OK" not in dev
[0].request("SET blob pkcs12 " + binascii
.hexlify(f
.read()).decode()):
2340 raise Exception("Could not set pkcs12 blob")
2341 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="blob://cacert",
2342 private_key
="blob://pkcs12",
2343 private_key_passwd
="whatever")
2345 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
2346 """WPA2-Enterprise negative test - incorrect trust root"""
2347 check_eap_capa(dev
[0], "MSCHAPV2")
2348 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2349 hostapd
.add_ap(apdev
[0], params
)
2350 cert
= read_pem("auth_serv/ca-incorrect.pem")
2351 if "OK" not in dev
[0].request("SET blob cacert " + binascii
.hexlify(cert
).decode()):
2352 raise Exception("Could not set cacert blob")
2353 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2354 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2355 password
="password", phase2
="auth=MSCHAPV2",
2356 ca_cert
="blob://cacert",
2357 wait_connect
=False, scan_freq
="2412")
2358 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2359 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2360 password
="password", phase2
="auth=MSCHAPV2",
2361 ca_cert
="auth_serv/ca-incorrect.pem",
2362 wait_connect
=False, scan_freq
="2412")
2364 for dev
in (dev
[0], dev
[1]):
2365 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2367 raise Exception("Association and EAP start timed out")
2369 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2371 raise Exception("EAP method selection timed out")
2372 if "TTLS" not in ev
:
2373 raise Exception("Unexpected EAP method")
2375 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2376 "CTRL-EVENT-EAP-SUCCESS",
2377 "CTRL-EVENT-EAP-FAILURE",
2378 "CTRL-EVENT-CONNECTED",
2379 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2381 raise Exception("EAP result timed out")
2382 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2383 raise Exception("TLS certificate error not reported")
2385 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
2386 "CTRL-EVENT-EAP-FAILURE",
2387 "CTRL-EVENT-CONNECTED",
2388 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2390 raise Exception("EAP result(2) timed out")
2391 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2392 raise Exception("EAP failure not reported")
2394 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
2395 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2397 raise Exception("EAP result(3) timed out")
2398 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2399 raise Exception("Disconnection not reported")
2401 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2403 raise Exception("Network block disabling not reported")
2405 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
2406 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2407 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2408 hapd
= hostapd
.add_ap(apdev
[0], params
)
2409 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2410 identity
="pap user", anonymous_identity
="ttls",
2411 password
="password", phase2
="auth=PAP",
2412 ca_cert
="auth_serv/ca.pem",
2413 wait_connect
=True, scan_freq
="2412")
2414 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2415 identity
="pap user", anonymous_identity
="ttls",
2416 password
="password", phase2
="auth=PAP",
2417 ca_cert
="auth_serv/ca-incorrect.pem",
2418 only_add_network
=True, scan_freq
="2412")
2420 dev
[0].request("DISCONNECT")
2421 dev
[0].wait_disconnected()
2422 dev
[0].dump_monitor()
2423 dev
[0].select_network(id, freq
="2412")
2425 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2427 raise Exception("EAP-TTLS not re-started")
2429 ev
= dev
[0].wait_disconnected(timeout
=15)
2430 if "reason=23" not in ev
:
2431 raise Exception("Proper reason code for disconnection not reported")
2433 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
2434 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2435 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2436 hapd
= hostapd
.add_ap(apdev
[0], params
)
2437 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2438 identity
="pap user", anonymous_identity
="ttls",
2439 password
="password", phase2
="auth=PAP",
2440 wait_connect
=True, scan_freq
="2412")
2441 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2442 identity
="pap user", anonymous_identity
="ttls",
2443 password
="password", phase2
="auth=PAP",
2444 ca_cert
="auth_serv/ca-incorrect.pem",
2445 only_add_network
=True, scan_freq
="2412")
2447 dev
[0].request("DISCONNECT")
2448 dev
[0].wait_disconnected()
2449 dev
[0].dump_monitor()
2450 dev
[0].select_network(id, freq
="2412")
2452 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2454 raise Exception("EAP-TTLS not re-started")
2456 ev
= dev
[0].wait_disconnected(timeout
=15)
2457 if "reason=23" not in ev
:
2458 raise Exception("Proper reason code for disconnection not reported")
2460 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
2461 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
2462 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2463 hapd
= hostapd
.add_ap(apdev
[0], params
)
2464 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2465 identity
="pap user", anonymous_identity
="ttls",
2466 password
="password", phase2
="auth=PAP",
2467 ca_cert
="auth_serv/ca.pem",
2468 wait_connect
=True, scan_freq
="2412")
2469 dev
[0].request("DISCONNECT")
2470 dev
[0].wait_disconnected()
2471 dev
[0].dump_monitor()
2472 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
2473 dev
[0].select_network(id, freq
="2412")
2475 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
2477 raise Exception("EAP-TTLS not re-started")
2479 ev
= dev
[0].wait_disconnected(timeout
=15)
2480 if "reason=23" not in ev
:
2481 raise Exception("Proper reason code for disconnection not reported")
2483 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
2484 """WPA2-Enterprise negative test - domain suffix mismatch"""
2485 check_domain_suffix_match(dev
[0])
2486 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2487 hostapd
.add_ap(apdev
[0], params
)
2488 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2489 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2490 password
="password", phase2
="auth=MSCHAPV2",
2491 ca_cert
="auth_serv/ca.pem",
2492 domain_suffix_match
="incorrect.example.com",
2493 wait_connect
=False, scan_freq
="2412")
2495 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2497 raise Exception("Association and EAP start timed out")
2499 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2501 raise Exception("EAP method selection timed out")
2502 if "TTLS" not in ev
:
2503 raise Exception("Unexpected EAP method")
2505 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2506 "CTRL-EVENT-EAP-SUCCESS",
2507 "CTRL-EVENT-EAP-FAILURE",
2508 "CTRL-EVENT-CONNECTED",
2509 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2511 raise Exception("EAP result timed out")
2512 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2513 raise Exception("TLS certificate error not reported")
2514 if "Domain suffix mismatch" not in ev
:
2515 raise Exception("Domain suffix mismatch not reported")
2517 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2518 "CTRL-EVENT-EAP-FAILURE",
2519 "CTRL-EVENT-CONNECTED",
2520 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2522 raise Exception("EAP result(2) timed out")
2523 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2524 raise Exception("EAP failure not reported")
2526 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2527 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2529 raise Exception("EAP result(3) timed out")
2530 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2531 raise Exception("Disconnection not reported")
2533 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2535 raise Exception("Network block disabling not reported")
2537 def test_ap_wpa2_eap_tls_neg_domain_match(dev
, apdev
):
2538 """WPA2-Enterprise negative test - domain mismatch"""
2539 check_domain_match(dev
[0])
2540 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2541 hostapd
.add_ap(apdev
[0], params
)
2542 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2543 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2544 password
="password", phase2
="auth=MSCHAPV2",
2545 ca_cert
="auth_serv/ca.pem",
2546 domain_match
="w1.fi",
2547 wait_connect
=False, scan_freq
="2412")
2549 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2551 raise Exception("Association and EAP start timed out")
2553 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2555 raise Exception("EAP method selection timed out")
2556 if "TTLS" not in ev
:
2557 raise Exception("Unexpected EAP method")
2559 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2560 "CTRL-EVENT-EAP-SUCCESS",
2561 "CTRL-EVENT-EAP-FAILURE",
2562 "CTRL-EVENT-CONNECTED",
2563 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2565 raise Exception("EAP result timed out")
2566 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2567 raise Exception("TLS certificate error not reported")
2568 if "Domain mismatch" not in ev
:
2569 raise Exception("Domain mismatch not reported")
2571 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2572 "CTRL-EVENT-EAP-FAILURE",
2573 "CTRL-EVENT-CONNECTED",
2574 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2576 raise Exception("EAP result(2) timed out")
2577 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2578 raise Exception("EAP failure not reported")
2580 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2581 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2583 raise Exception("EAP result(3) timed out")
2584 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2585 raise Exception("Disconnection not reported")
2587 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2589 raise Exception("Network block disabling not reported")
2591 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
2592 """WPA2-Enterprise negative test - subject mismatch"""
2593 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2594 hostapd
.add_ap(apdev
[0], params
)
2595 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2596 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2597 password
="password", phase2
="auth=MSCHAPV2",
2598 ca_cert
="auth_serv/ca.pem",
2599 subject_match
="/C=FI/O=w1.fi/CN=example.com",
2600 wait_connect
=False, scan_freq
="2412")
2602 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2604 raise Exception("Association and EAP start timed out")
2606 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2607 "EAP: Failed to initialize EAP method"], timeout
=10)
2609 raise Exception("EAP method selection timed out")
2610 if "EAP: Failed to initialize EAP method" in ev
:
2611 tls
= dev
[0].request("GET tls_library")
2612 if tls
.startswith("OpenSSL"):
2613 raise Exception("Failed to select EAP method")
2614 logger
.info("subject_match not supported - connection failed, so test succeeded")
2616 if "TTLS" not in ev
:
2617 raise Exception("Unexpected EAP method")
2619 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2620 "CTRL-EVENT-EAP-SUCCESS",
2621 "CTRL-EVENT-EAP-FAILURE",
2622 "CTRL-EVENT-CONNECTED",
2623 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2625 raise Exception("EAP result timed out")
2626 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2627 raise Exception("TLS certificate error not reported")
2628 if "Subject mismatch" not in ev
:
2629 raise Exception("Subject mismatch not reported")
2631 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2632 "CTRL-EVENT-EAP-FAILURE",
2633 "CTRL-EVENT-CONNECTED",
2634 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2636 raise Exception("EAP result(2) timed out")
2637 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2638 raise Exception("EAP failure not reported")
2640 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2641 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2643 raise Exception("EAP result(3) timed out")
2644 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2645 raise Exception("Disconnection not reported")
2647 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2649 raise Exception("Network block disabling not reported")
2651 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
2652 """WPA2-Enterprise negative test - altsubject mismatch"""
2653 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2654 hostapd
.add_ap(apdev
[0], params
)
2656 tests
= ["incorrect.example.com",
2657 "DNS:incorrect.example.com",
2661 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
2663 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
2664 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2665 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2666 password
="password", phase2
="auth=MSCHAPV2",
2667 ca_cert
="auth_serv/ca.pem",
2668 altsubject_match
=match
,
2669 wait_connect
=False, scan_freq
="2412")
2671 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2673 raise Exception("Association and EAP start timed out")
2675 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
2676 "EAP: Failed to initialize EAP method"], timeout
=10)
2678 raise Exception("EAP method selection timed out")
2679 if "EAP: Failed to initialize EAP method" in ev
:
2680 tls
= dev
[0].request("GET tls_library")
2681 if tls
.startswith("OpenSSL"):
2682 raise Exception("Failed to select EAP method")
2683 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
2685 if "TTLS" not in ev
:
2686 raise Exception("Unexpected EAP method")
2688 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
2689 "CTRL-EVENT-EAP-SUCCESS",
2690 "CTRL-EVENT-EAP-FAILURE",
2691 "CTRL-EVENT-CONNECTED",
2692 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2694 raise Exception("EAP result timed out")
2695 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
2696 raise Exception("TLS certificate error not reported")
2697 if "AltSubject mismatch" not in ev
:
2698 raise Exception("altsubject mismatch not reported")
2700 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
2701 "CTRL-EVENT-EAP-FAILURE",
2702 "CTRL-EVENT-CONNECTED",
2703 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2705 raise Exception("EAP result(2) timed out")
2706 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
2707 raise Exception("EAP failure not reported")
2709 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
2710 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
2712 raise Exception("EAP result(3) timed out")
2713 if "CTRL-EVENT-DISCONNECTED" not in ev
:
2714 raise Exception("Disconnection not reported")
2716 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
2718 raise Exception("Network block disabling not reported")
2720 dev
[0].request("REMOVE_NETWORK all")
2722 def test_ap_wpa2_eap_unauth_tls(dev
, apdev
):
2723 """WPA2-Enterprise connection using UNAUTH-TLS"""
2724 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2725 hapd
= hostapd
.add_ap(apdev
[0], params
)
2726 eap_connect(dev
[0], hapd
, "UNAUTH-TLS", "unauth-tls",
2727 ca_cert
="auth_serv/ca.pem")
2728 eap_reauth(dev
[0], "UNAUTH-TLS")
2730 def test_ap_wpa2_eap_ttls_server_cert_hash(dev
, apdev
):
2731 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
2732 check_cert_probe_support(dev
[0])
2733 skip_with_fips(dev
[0])
2734 srv_cert_hash
= "f6b9d0b2bc3f106ff01542161647036992de889267005d93fac1c7274bfca5bb"
2735 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2736 hapd
= hostapd
.add_ap(apdev
[0], params
)
2737 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2738 identity
="probe", ca_cert
="probe://",
2739 wait_connect
=False, scan_freq
="2412")
2740 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2742 raise Exception("Association and EAP start timed out")
2743 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout
=10)
2745 raise Exception("No peer server certificate event seen")
2746 if "hash=" + srv_cert_hash
not in ev
:
2747 raise Exception("Expected server certificate hash not reported")
2748 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2750 raise Exception("EAP result timed out")
2751 if "Server certificate chain probe" not in ev
:
2752 raise Exception("Server certificate probe not reported")
2753 dev
[0].wait_disconnected(timeout
=10)
2754 dev
[0].request("REMOVE_NETWORK all")
2756 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2757 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2758 password
="password", phase2
="auth=MSCHAPV2",
2759 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2760 wait_connect
=False, scan_freq
="2412")
2761 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2763 raise Exception("Association and EAP start timed out")
2764 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
2766 raise Exception("EAP result timed out")
2767 if "Server certificate mismatch" not in ev
:
2768 raise Exception("Server certificate mismatch not reported")
2769 dev
[0].wait_disconnected(timeout
=10)
2770 dev
[0].request("REMOVE_NETWORK all")
2772 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
2773 anonymous_identity
="ttls", password
="password",
2774 ca_cert
="hash://server/sha256/" + srv_cert_hash
,
2775 phase2
="auth=MSCHAPV2")
2777 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
2778 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
2779 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2780 hostapd
.add_ap(apdev
[0], params
)
2781 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2782 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2783 password
="password", phase2
="auth=MSCHAPV2",
2784 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
2785 wait_connect
=False, scan_freq
="2412")
2786 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2787 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2788 password
="password", phase2
="auth=MSCHAPV2",
2789 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
2790 wait_connect
=False, scan_freq
="2412")
2791 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2792 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
2793 password
="password", phase2
="auth=MSCHAPV2",
2794 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
2795 wait_connect
=False, scan_freq
="2412")
2796 for i
in range(0, 3):
2797 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
2799 raise Exception("Association and EAP start timed out")
2800 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
2802 raise Exception("Did not report EAP method initialization failure")
2804 def test_ap_wpa2_eap_pwd(dev
, apdev
):
2805 """WPA2-Enterprise connection using EAP-pwd"""
2806 check_eap_capa(dev
[0], "PWD")
2807 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2808 hapd
= hostapd
.add_ap(apdev
[0], params
)
2809 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2810 eap_reauth(dev
[0], "PWD")
2811 dev
[0].request("REMOVE_NETWORK all")
2813 eap_connect(dev
[1], hapd
, "PWD",
2814 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2815 password
="secret password",
2818 logger
.info("Negative test with incorrect password")
2819 eap_connect(dev
[2], hapd
, "PWD", "pwd user", password
="secret-password",
2820 expect_failure
=True, local_error_report
=True)
2822 eap_connect(dev
[0], hapd
, "PWD",
2823 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
2824 password
="secret password",
2827 def test_ap_wpa2_eap_pwd_nthash(dev
, apdev
):
2828 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
2829 check_eap_capa(dev
[0], "PWD")
2830 skip_with_fips(dev
[0])
2831 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2832 hapd
= hostapd
.add_ap(apdev
[0], params
)
2833 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash", password
="secret password")
2834 eap_connect(dev
[1], hapd
, "PWD", "pwd-hash",
2835 password_hex
="hash:e3718ece8ab74792cbbfffd316d2d19a")
2836 eap_connect(dev
[2], hapd
, "PWD", "pwd user",
2837 password_hex
="hash:e3718ece8ab74792cbbfffd316d2d19a",
2838 expect_failure
=True, local_error_report
=True)
2840 def test_ap_wpa2_eap_pwd_salt_sha1(dev
, apdev
):
2841 """WPA2-Enterprise connection using EAP-pwd and salted password SHA-1"""
2842 check_eap_capa(dev
[0], "PWD")
2843 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2844 hapd
= hostapd
.add_ap(apdev
[0], params
)
2845 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash-sha1",
2846 password
="secret password")
2848 def test_ap_wpa2_eap_pwd_salt_sha256(dev
, apdev
):
2849 """WPA2-Enterprise connection using EAP-pwd and salted password SHA256"""
2850 check_eap_capa(dev
[0], "PWD")
2851 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2852 hapd
= hostapd
.add_ap(apdev
[0], params
)
2853 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash-sha256",
2854 password
="secret password")
2856 def test_ap_wpa2_eap_pwd_salt_sha512(dev
, apdev
):
2857 """WPA2-Enterprise connection using EAP-pwd and salted password SHA512"""
2858 check_eap_capa(dev
[0], "PWD")
2859 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2860 hapd
= hostapd
.add_ap(apdev
[0], params
)
2861 eap_connect(dev
[0], hapd
, "PWD", "pwd-hash-sha512",
2862 password
="secret password")
2864 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
2865 """WPA2-Enterprise connection using various EAP-pwd groups"""
2866 check_eap_capa(dev
[0], "PWD")
2867 tls
= dev
[0].request("GET tls_library")
2868 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2869 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2870 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
2871 groups
= [19, 20, 21]
2873 logger
.info("Group %d" % i
)
2874 params
['pwd_group'] = str(i
)
2875 hapd
= hostapd
.add_ap(apdev
[0], params
)
2876 eap_connect(dev
[0], hapd
, "PWD", "pwd user",
2877 password
="secret password",
2878 phase1
="eap_pwd_groups=0-65535")
2879 dev
[0].request("REMOVE_NETWORK all")
2880 dev
[0].wait_disconnected()
2881 dev
[0].dump_monitor()
2884 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
2885 """WPA2-Enterprise connection using invalid EAP-pwd group"""
2886 check_eap_capa(dev
[0], "PWD")
2887 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2888 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2889 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
2890 for i
in [0, 25, 26, 27]:
2891 logger
.info("Group %d" % i
)
2892 params
['pwd_group'] = str(i
)
2893 hapd
= hostapd
.add_ap(apdev
[0], params
)
2894 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2895 identity
="pwd user", password
="secret password",
2896 phase1
="eap_pwd_groups=0-65535",
2897 scan_freq
="2412", wait_connect
=False)
2898 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2900 raise Exception("Timeout on EAP failure report (group %d)" % i
)
2901 dev
[0].request("REMOVE_NETWORK all")
2902 dev
[0].wait_disconnected()
2903 dev
[0].dump_monitor()
2906 def test_ap_wpa2_eap_pwd_disabled_group(dev
, apdev
):
2907 """WPA2-Enterprise connection using disabled EAP-pwd group"""
2908 check_eap_capa(dev
[0], "PWD")
2909 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2910 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2911 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
2913 logger
.info("Group %d" % i
)
2914 params
['pwd_group'] = str(i
)
2915 hapd
= hostapd
.add_ap(apdev
[0], params
)
2916 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2917 identity
="pwd user", password
="secret password",
2918 phase1
="eap_pwd_groups=20",
2919 scan_freq
="2412", wait_connect
=False)
2920 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2922 raise Exception("Timeout on EAP failure report (group %d)" % i
)
2923 dev
[0].request("REMOVE_NETWORK all")
2924 dev
[0].wait_disconnected()
2925 dev
[0].dump_monitor()
2928 params
['pwd_group'] = "20"
2929 hapd
= hostapd
.add_ap(apdev
[0], params
)
2930 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
2931 identity
="pwd user", password
="secret password",
2932 phase1
="eap_pwd_groups=20",
2935 def test_ap_wpa2_eap_pwd_as_frag(dev
, apdev
):
2936 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
2937 check_eap_capa(dev
[0], "PWD")
2938 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2939 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2940 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2941 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2942 "pwd_group": "19", "fragment_size": "40"}
2943 hapd
= hostapd
.add_ap(apdev
[0], params
)
2944 eap_connect(dev
[0], hapd
, "PWD", "pwd user", password
="secret password")
2946 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2947 """WPA2-Enterprise connection using EAP-GPSK"""
2948 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2949 hapd
= hostapd
.add_ap(apdev
[0], params
)
2950 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2951 password
="abcdefghijklmnop0123456789abcdef")
2952 eap_reauth(dev
[0], "GPSK")
2954 logger
.info("Test forced algorithm selection")
2955 for phase1
in ["cipher=1", "cipher=2"]:
2956 dev
[0].set_network_quoted(id, "phase1", phase1
)
2957 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2959 raise Exception("EAP success timed out")
2960 dev
[0].wait_connected(timeout
=10)
2962 logger
.info("Test failed algorithm negotiation")
2963 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2964 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2966 raise Exception("EAP failure timed out")
2968 logger
.info("Negative test with incorrect password")
2969 dev
[0].request("REMOVE_NETWORK all")
2970 eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
2971 password
="ffcdefghijklmnop0123456789abcdef",
2972 expect_failure
=True)
2974 def test_ap_wpa2_eap_sake(dev
, apdev
):
2975 """WPA2-Enterprise connection using EAP-SAKE"""
2976 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2977 hapd
= hostapd
.add_ap(apdev
[0], params
)
2978 eap_connect(dev
[0], hapd
, "SAKE", "sake user",
2979 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
2980 eap_reauth(dev
[0], "SAKE")
2982 logger
.info("Negative test with incorrect password")
2983 dev
[0].request("REMOVE_NETWORK all")
2984 eap_connect(dev
[0], hapd
, "SAKE", "sake user",
2985 password_hex
="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
2986 expect_failure
=True)
2988 def test_ap_wpa2_eap_eke(dev
, apdev
):
2989 """WPA2-Enterprise connection using EAP-EKE"""
2990 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2991 hapd
= hostapd
.add_ap(apdev
[0], params
)
2992 id = eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
2993 eap_reauth(dev
[0], "EKE")
2995 logger
.info("Test forced algorithm selection")
2996 for phase1
in ["dhgroup=5 encr=1 prf=2 mac=2",
2997 "dhgroup=4 encr=1 prf=2 mac=2",
2998 "dhgroup=3 encr=1 prf=2 mac=2",
2999 "dhgroup=3 encr=1 prf=1 mac=1"]:
3000 dev
[0].set_network_quoted(id, "phase1", phase1
)
3001 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3003 raise Exception("EAP success timed out")
3004 dev
[0].wait_connected(timeout
=10)
3005 dev
[0].dump_monitor()
3007 logger
.info("Test failed algorithm negotiation")
3008 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
3009 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3011 raise Exception("EAP failure timed out")
3012 dev
[0].dump_monitor()
3014 logger
.info("Test unsupported algorithm proposals")
3015 dev
[0].request("REMOVE_NETWORK all")
3016 dev
[0].dump_monitor()
3017 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
3018 phase1
="dhgroup=2 encr=1 prf=1 mac=1", expect_failure
=True)
3019 dev
[0].request("REMOVE_NETWORK all")
3020 dev
[0].dump_monitor()
3021 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
3022 phase1
="dhgroup=1 encr=1 prf=1 mac=1", expect_failure
=True)
3024 logger
.info("Negative test with incorrect password")
3025 dev
[0].request("REMOVE_NETWORK all")
3026 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello1",
3027 expect_failure
=True)
3029 def test_ap_wpa2_eap_eke_many(dev
, apdev
, params
):
3030 """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
3031 if not params
['long']:
3032 raise HwsimSkip("Skip test case with long duration due to --long not specified")
3033 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3034 hostapd
.add_ap(apdev
[0], params
)
3037 for i
in range(100):
3039 dev
[j
].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="EKE",
3040 identity
="eke user", password
="hello",
3041 phase1
="dhgroup=3 encr=1 prf=1 mac=1",
3042 scan_freq
="2412", wait_connect
=False)
3044 ev
= dev
[j
].wait_event(["CTRL-EVENT-CONNECTED",
3045 "CTRL-EVENT-DISCONNECTED"], timeout
=15)
3047 raise Exception("No connected/disconnected event")
3048 if "CTRL-EVENT-DISCONNECTED" in ev
:
3050 # The RADIUS server limits on active sessions can be hit when
3051 # going through this test case, so try to give some more time
3052 # for the server to remove sessions.
3053 logger
.info("Failed to connect i=%d j=%d" % (i
, j
))
3054 dev
[j
].request("REMOVE_NETWORK all")
3058 dev
[j
].request("REMOVE_NETWORK all")
3059 dev
[j
].wait_disconnected()
3060 dev
[j
].dump_monitor()
3061 logger
.info("Total success=%d failure=%d" % (success
, fail
))
3063 def test_ap_wpa2_eap_eke_serverid_nai(dev
, apdev
):
3064 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
3065 params
= int_eap_server_params()
3066 params
['server_id'] = 'example.server@w1.fi'
3067 hapd
= hostapd
.add_ap(apdev
[0], params
)
3068 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello")
3070 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
3071 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
3072 params
= int_eap_server_params()
3073 hapd
= hostapd
.add_ap(apdev
[0], params
)
3074 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
3076 for count
, func
in [(1, "eap_eke_build_commit"),
3077 (2, "eap_eke_build_commit"),
3078 (3, "eap_eke_build_commit"),
3079 (1, "eap_eke_build_confirm"),
3080 (2, "eap_eke_build_confirm"),
3081 (1, "eap_eke_process_commit"),
3082 (2, "eap_eke_process_commit"),
3083 (1, "eap_eke_process_confirm"),
3084 (1, "eap_eke_process_identity"),
3085 (2, "eap_eke_process_identity"),
3086 (3, "eap_eke_process_identity"),
3087 (4, "eap_eke_process_identity")]:
3088 with
alloc_fail(hapd
, count
, func
):
3089 eap_connect(dev
[0], hapd
, "EKE", "eke user", password
="hello",
3090 expect_failure
=True)
3091 dev
[0].request("REMOVE_NETWORK all")
3093 for count
, func
, pw
in [(1, "eap_eke_init", "hello"),
3094 (1, "eap_eke_get_session_id", "hello"),
3095 (1, "eap_eke_getKey", "hello"),
3096 (1, "eap_eke_build_msg", "hello"),
3097 (1, "eap_eke_build_failure", "wrong"),
3098 (1, "eap_eke_build_identity", "hello"),
3099 (2, "eap_eke_build_identity", "hello")]:
3100 with
alloc_fail(hapd
, count
, func
):
3101 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
3102 eap
="EKE", identity
="eke user", password
=pw
,
3103 wait_connect
=False, scan_freq
="2412")
3104 # This would eventually time out, but we can stop after having
3105 # reached the allocation failure.
3108 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
3110 dev
[0].request("REMOVE_NETWORK all")
3112 for count
in range(1, 1000):
3114 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
3115 dev
[0].connect("test-wpa2-eap",
3116 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
3117 eap
="EKE", identity
="eke user", password
=pw
,
3118 wait_connect
=False, scan_freq
="2412")
3119 # This would eventually time out, but we can stop after having
3120 # reached the allocation failure.
3123 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
3125 dev
[0].request("REMOVE_NETWORK all")
3126 except Exception as e
:
3127 if str(e
) == "Allocation failure did not trigger":
3129 raise Exception("Too few allocation failures")
3130 logger
.info("%d allocation failures tested" % (count
- 1))
3134 def test_ap_wpa2_eap_ikev2(dev
, apdev
):
3135 """WPA2-Enterprise connection using EAP-IKEv2"""
3136 check_eap_capa(dev
[0], "IKEV2")
3137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3138 hapd
= hostapd
.add_ap(apdev
[0], params
)
3139 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3140 password
="ike password")
3141 eap_reauth(dev
[0], "IKEV2")
3142 dev
[0].request("REMOVE_NETWORK all")
3143 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3144 password
="ike password", fragment_size
="50")
3146 logger
.info("Negative test with incorrect password")
3147 dev
[0].request("REMOVE_NETWORK all")
3148 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3149 password
="ike-password", expect_failure
=True)
3150 dev
[0].request("REMOVE_NETWORK all")
3152 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3153 password
="ike password", fragment_size
="0")
3154 dev
[0].request("REMOVE_NETWORK all")
3155 dev
[0].wait_disconnected()
3157 def test_ap_wpa2_eap_ikev2_as_frag(dev
, apdev
):
3158 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
3159 check_eap_capa(dev
[0], "IKEV2")
3160 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3161 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
3162 "rsn_pairwise": "CCMP", "ieee8021x": "1",
3163 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
3164 "fragment_size": "50"}
3165 hapd
= hostapd
.add_ap(apdev
[0], params
)
3166 eap_connect(dev
[0], hapd
, "IKEV2", "ikev2 user",
3167 password
="ike password")
3168 eap_reauth(dev
[0], "IKEV2")
3170 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
3171 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
3172 check_eap_capa(dev
[0], "IKEV2")
3173 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3174 hostapd
.add_ap(apdev
[0], params
)
3176 tests
= [(1, "dh_init"),
3178 (1, "dh_derive_shared")]
3179 for count
, func
in tests
:
3180 with
alloc_fail(dev
[0], count
, func
):
3181 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3182 identity
="ikev2 user", password
="ike password",
3183 wait_connect
=False, scan_freq
="2412")
3184 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3186 raise Exception("EAP method not selected")
3188 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
3191 dev
[0].request("REMOVE_NETWORK all")
3193 tls
= dev
[0].request("GET tls_library")
3194 if not tls
.startswith("wolfSSL"):
3195 tests
= [(1, "os_get_random;dh_init")]
3197 tests
= [(1, "crypto_dh_init;dh_init")]
3198 for count
, func
in tests
:
3199 with
fail_test(dev
[0], count
, func
):
3200 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
3201 identity
="ikev2 user", password
="ike password",
3202 wait_connect
=False, scan_freq
="2412")
3203 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3205 raise Exception("EAP method not selected")
3207 if "0:" in dev
[0].request("GET_FAIL"):
3210 dev
[0].request("REMOVE_NETWORK all")
3212 def test_ap_wpa2_eap_pax(dev
, apdev
):
3213 """WPA2-Enterprise connection using EAP-PAX"""
3214 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3215 hapd
= hostapd
.add_ap(apdev
[0], params
)
3216 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
3217 password_hex
="0123456789abcdef0123456789abcdef")
3218 eap_reauth(dev
[0], "PAX")
3220 logger
.info("Negative test with incorrect password")
3221 dev
[0].request("REMOVE_NETWORK all")
3222 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
3223 password_hex
="ff23456789abcdef0123456789abcdef",
3224 expect_failure
=True)
3226 def test_ap_wpa2_eap_psk(dev
, apdev
):
3227 """WPA2-Enterprise connection using EAP-PSK"""
3228 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3229 params
["wpa_key_mgmt"] = "WPA-EAP-SHA256"
3230 params
["ieee80211w"] = "2"
3231 hapd
= hostapd
.add_ap(apdev
[0], params
)
3232 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
3233 password_hex
="0123456789abcdef0123456789abcdef", sha256
=True)
3234 eap_reauth(dev
[0], "PSK", sha256
=True)
3235 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
3236 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])
3238 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
3239 if 'flags' not in bss
:
3240 raise Exception("Could not get BSS flags from BSS table")
3241 if "[WPA2-EAP-SHA256-CCMP]" not in bss
['flags']:
3242 raise Exception("Unexpected BSS flags: " + bss
['flags'])
3244 logger
.info("Negative test with incorrect password")
3245 dev
[0].request("REMOVE_NETWORK all")
3246 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
3247 password_hex
="ff23456789abcdef0123456789abcdef", sha256
=True,
3248 expect_failure
=True)
3250 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
3251 """WPA2-Enterprise connection using EAP-PSK and OOM"""
3252 skip_with_fips(dev
[0])
3253 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3254 hostapd
.add_ap(apdev
[0], params
)
3255 tests
= [(1, "=aes_128_eax_encrypt"),
3256 (1, "=aes_128_eax_decrypt")]
3257 for count
, func
in tests
:
3258 with
alloc_fail(dev
[0], count
, func
):
3259 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3260 identity
="psk.user@example.com",
3261 password_hex
="0123456789abcdef0123456789abcdef",
3262 wait_connect
=False, scan_freq
="2412")
3263 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3265 raise Exception("EAP method not selected")
3266 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL",
3267 note
="Failure not triggered: %d:%s" % (count
, func
))
3268 dev
[0].request("REMOVE_NETWORK all")
3269 dev
[0].wait_disconnected()
3271 tests
= [(1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
3272 (1, "omac1_aes_128;aes_128_eax_encrypt"),
3273 (2, "omac1_aes_128;aes_128_eax_encrypt"),
3274 (3, "omac1_aes_128;aes_128_eax_encrypt"),
3275 (1, "omac1_aes_vector"),
3276 (1, "omac1_aes_128;aes_128_eax_decrypt"),
3277 (2, "omac1_aes_128;aes_128_eax_decrypt"),
3278 (3, "omac1_aes_128;aes_128_eax_decrypt"),
3279 (1, "aes_ctr_encrypt;aes_128_eax_decrypt")]
3280 for count
, func
in tests
:
3281 with
fail_test(dev
[0], count
, func
):
3282 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3283 identity
="psk.user@example.com",
3284 password_hex
="0123456789abcdef0123456789abcdef",
3285 wait_connect
=False, scan_freq
="2412")
3286 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
3288 raise Exception("EAP method not selected")
3289 wait_fail_trigger(dev
[0], "GET_FAIL",
3290 note
="Failure not triggered: %d:%s" % (count
, func
))
3291 dev
[0].request("REMOVE_NETWORK all")
3292 dev
[0].wait_disconnected()
3294 with
fail_test(dev
[0], 1, "aes_128_encrypt_block"):
3295 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
3296 identity
="psk.user@example.com",
3297 password_hex
="0123456789abcdef0123456789abcdef",
3298 wait_connect
=False, scan_freq
="2412")
3299 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3301 raise Exception("EAP method failure not reported")
3302 dev
[0].request("REMOVE_NETWORK all")
3303 dev
[0].wait_disconnected()
3305 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
3306 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
3307 check_eap_capa(dev
[0], "MSCHAPV2")
3308 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
3309 hapd
= hostapd
.add_ap(apdev
[0], params
)
3310 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
3311 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
3312 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
3314 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
3316 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3317 eap_reauth(dev
[0], "PEAP", rsn
=False)
3318 check_mib(dev
[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
3319 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
3320 status
= dev
[0].get_status(extra
="VERBOSE")
3321 if 'portControl' not in status
:
3322 raise Exception("portControl missing from STATUS-VERBOSE")
3323 if status
['portControl'] != 'Auto':
3324 raise Exception("Unexpected portControl value: " + status
['portControl'])
3325 if 'eap_session_id' not in status
:
3326 raise Exception("eap_session_id missing from STATUS-VERBOSE")
3327 if not status
['eap_session_id'].startswith("19"):
3328 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
3330 def test_ap_wpa2_eap_interactive(dev
, apdev
):
3331 """WPA2-Enterprise connection using interactive identity/password entry"""
3332 check_eap_capa(dev
[0], "MSCHAPV2")
3333 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3334 hapd
= hostapd
.add_ap(apdev
[0], params
)
3336 tests
= [("Connection with dynamic TTLS/MSCHAPv2 password entry",
3337 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
3339 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
3340 "TTLS", "ttls", None, "auth=MSCHAPV2",
3341 "DOMAIN\mschapv2 user", "password"),
3342 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
3343 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
3344 ("Connection with dynamic TTLS/EAP-MD5 password entry",
3345 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
3346 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
3347 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
3348 ("Connection with dynamic PEAP/EAP-GTC password entry",
3349 "PEAP", None, "user", "auth=GTC", None, "password")]
3350 for [desc
, eap
, anon
, identity
, phase2
, req_id
, req_pw
] in tests
:
3352 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
3353 anonymous_identity
=anon
, identity
=identity
,
3354 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
3355 wait_connect
=False, scan_freq
="2412")
3357 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3359 raise Exception("Request for identity timed out")
3360 id = ev
.split(':')[0].split('-')[-1]
3361 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3362 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
3364 raise Exception("Request for password timed out")
3365 id = ev
.split(':')[0].split('-')[-1]
3366 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
3367 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
3368 dev
[0].wait_connected(timeout
=10)
3369 dev
[0].request("REMOVE_NETWORK all")
3371 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
3372 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
3373 check_eap_capa(dev
[0], "MSCHAPV2")
3374 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3375 hapd
= hostapd
.add_ap(apdev
[0], params
)
3377 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
3378 only_add_network
=True)
3380 req_id
= "DOMAIN\mschapv2 user"
3381 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3382 anonymous_identity
="ttls", identity
=None,
3383 password
="password",
3384 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3385 wait_connect
=False, scan_freq
="2412")
3386 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
3388 raise Exception("Request for identity timed out")
3389 id = ev
.split(':')[0].split('-')[-1]
3390 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
3391 dev
[0].wait_connected(timeout
=10)
3393 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
3394 raise Exception("Failed to enable network")
3395 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
3397 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
3398 dev
[0].request("REMOVE_NETWORK all")
3400 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
3401 """WPA2-Enterprise connection using EAP vendor test"""
3402 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3403 hapd
= hostapd
.add_ap(apdev
[0], params
)
3404 eap_connect(dev
[0], hapd
, "VENDOR-TEST", "vendor-test")
3405 eap_reauth(dev
[0], "VENDOR-TEST")
3406 eap_connect(dev
[1], hapd
, "VENDOR-TEST", "vendor-test",
3409 def test_ap_wpa2_eap_vendor_test_oom(dev
, apdev
):
3410 """WPA2-Enterprise connection using EAP vendor test (OOM)"""
3411 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3412 hostapd
.add_ap(apdev
[0], params
)
3414 tests
= ["eap_vendor_test_init",
3415 "eap_msg_alloc;eap_vendor_test_process",
3416 "eap_vendor_test_getKey"]
3418 with
alloc_fail(dev
[0], 1, func
):
3419 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
3421 eap
="VENDOR-TEST", identity
="vendor-test",
3423 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3424 dev
[0].request("REMOVE_NETWORK all")
3425 dev
[0].wait_disconnected()
3427 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev
, apdev
):
3428 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
3429 check_eap_capa(dev
[0], "FAST")
3430 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3431 hapd
= hostapd
.add_ap(apdev
[0], params
)
3432 eap_connect(dev
[0], hapd
, "FAST", "user",
3433 anonymous_identity
="FAST", password
="password",
3434 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3435 phase1
="fast_provisioning=1", pac_file
="blob://fast_pac")
3436 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3437 res
= eap_reauth(dev
[0], "FAST")
3438 if res
['tls_session_reused'] != '1':
3439 raise Exception("EAP-FAST could not use PAC session ticket")
3441 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
3442 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
3443 check_eap_capa(dev
[0], "FAST")
3444 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
3445 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
3446 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3447 hapd
= hostapd
.add_ap(apdev
[0], params
)
3450 eap_connect(dev
[0], hapd
, "FAST", "user",
3451 anonymous_identity
="FAST", password
="password",
3452 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3453 phase1
="fast_provisioning=1", pac_file
=pac_file
)
3454 with
open(pac_file
, "r") as f
:
3456 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
3457 raise Exception("PAC file header missing")
3458 if "PAC-Key=" not in data
:
3459 raise Exception("PAC-Key missing from PAC file")
3460 dev
[0].request("REMOVE_NETWORK all")
3461 eap_connect(dev
[0], hapd
, "FAST", "user",
3462 anonymous_identity
="FAST", password
="password",
3463 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3466 eap_connect(dev
[1], hapd
, "FAST", "user",
3467 anonymous_identity
="FAST", password
="password",
3468 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3469 phase1
="fast_provisioning=1 fast_pac_format=binary",
3471 dev
[1].request("REMOVE_NETWORK all")
3472 eap_connect(dev
[1], hapd
, "FAST", "user",
3473 anonymous_identity
="FAST", password
="password",
3474 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3475 phase1
="fast_pac_format=binary",
3483 os
.remove(pac_file2
)
3487 def test_ap_wpa2_eap_fast_binary_pac(dev
, apdev
):
3488 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
3489 check_eap_capa(dev
[0], "FAST")
3490 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3491 hapd
= hostapd
.add_ap(apdev
[0], params
)
3492 eap_connect(dev
[0], hapd
, "FAST", "user",
3493 anonymous_identity
="FAST", password
="password",
3494 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3495 phase1
="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
3496 pac_file
="blob://fast_pac_bin")
3497 res
= eap_reauth(dev
[0], "FAST")
3498 if res
['tls_session_reused'] != '1':
3499 raise Exception("EAP-FAST could not use PAC session ticket")
3501 # Verify fast_max_pac_list_len=0 special case
3502 dev
[0].request("REMOVE_NETWORK all")
3503 dev
[0].wait_disconnected()
3504 eap_connect(dev
[0], hapd
, "FAST", "user",
3505 anonymous_identity
="FAST", password
="password",
3506 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3507 phase1
="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
3508 pac_file
="blob://fast_pac_bin")
3510 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
3511 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
3512 check_eap_capa(dev
[0], "FAST")
3513 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3514 hostapd
.add_ap(apdev
[0], params
)
3516 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3517 identity
="user", anonymous_identity
="FAST",
3518 password
="password",
3519 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3520 pac_file
="blob://fast_pac_not_in_use",
3521 wait_connect
=False, scan_freq
="2412")
3522 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3524 raise Exception("Timeout on EAP failure report")
3525 dev
[0].request("REMOVE_NETWORK all")
3527 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3528 identity
="user", anonymous_identity
="FAST",
3529 password
="password",
3530 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3531 wait_connect
=False, scan_freq
="2412")
3532 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3534 raise Exception("Timeout on EAP failure report")
3536 def test_ap_wpa2_eap_fast_binary_pac_errors(dev
, apdev
):
3537 """EAP-FAST and binary PAC errors"""
3538 check_eap_capa(dev
[0], "FAST")
3539 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3540 hapd
= hostapd
.add_ap(apdev
[0], params
)
3542 tests
= [(1, "=eap_fast_save_pac_bin"),
3543 (1, "eap_fast_write_pac"),
3544 (2, "eap_fast_write_pac"),]
3545 for count
, func
in tests
:
3546 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors "):
3547 raise Exception("Could not set blob")
3549 with
alloc_fail(dev
[0], count
, func
):
3550 eap_connect(dev
[0], hapd
, "FAST", "user",
3551 anonymous_identity
="FAST", password
="password",
3552 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3553 phase1
="fast_provisioning=1 fast_pac_format=binary",
3554 pac_file
="blob://fast_pac_bin_errors")
3555 dev
[0].request("REMOVE_NETWORK all")
3556 dev
[0].wait_disconnected()
3558 tests
= ["00", "000000000000", "6ae4920c0001",
3560 "6ae4920c0000" + "0000" + 32*"00" + "ffff" + "0000",
3561 "6ae4920c0000" + "0000" + 32*"00" + "0001" + "0000",
3562 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0001",
3563 "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0008" + "00040000" + "0007000100"]
3565 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + t
):
3566 raise Exception("Could not set blob")
3568 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3569 identity
="user", anonymous_identity
="FAST",
3570 password
="password",
3571 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3572 phase1
="fast_provisioning=1 fast_pac_format=binary",
3573 pac_file
="blob://fast_pac_bin_errors",
3574 scan_freq
="2412", wait_connect
=False)
3575 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3578 raise Exception("Failure not reported")
3579 dev
[0].request("REMOVE_NETWORK all")
3580 dev
[0].wait_disconnected()
3582 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0000"
3583 tests
= [(1, "eap_fast_load_pac_bin"),
3584 (2, "eap_fast_load_pac_bin"),
3585 (3, "eap_fast_load_pac_bin")]
3586 for count
, func
in tests
:
3587 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3588 raise Exception("Could not set blob")
3590 with
alloc_fail(dev
[0], count
, func
):
3591 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3592 identity
="user", anonymous_identity
="FAST",
3593 password
="password",
3594 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3595 phase1
="fast_provisioning=1 fast_pac_format=binary",
3596 pac_file
="blob://fast_pac_bin_errors",
3597 scan_freq
="2412", wait_connect
=False)
3598 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"],
3601 raise Exception("Failure not reported")
3602 dev
[0].request("REMOVE_NETWORK all")
3603 dev
[0].wait_disconnected()
3605 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0005" + "0011223344"
3606 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3607 raise Exception("Could not set blob")
3609 eap_connect(dev
[0], hapd
, "FAST", "user",
3610 anonymous_identity
="FAST", password
="password",
3611 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3612 phase1
="fast_provisioning=1 fast_pac_format=binary",
3613 pac_file
="blob://fast_pac_bin_errors")
3614 dev
[0].request("REMOVE_NETWORK all")
3615 dev
[0].wait_disconnected()
3617 pac
= "6ae4920c0000" + "0000" + 32*"00" + "0000" + "0009" + "00040000" + "0007000100"
3618 tests
= [(1, "eap_fast_pac_get_a_id"),
3619 (2, "eap_fast_pac_get_a_id")]
3620 for count
, func
in tests
:
3621 if "OK" not in dev
[0].request("SET blob fast_pac_bin_errors " + pac
):
3622 raise Exception("Could not set blob")
3623 with
alloc_fail(dev
[0], count
, func
):
3624 eap_connect(dev
[0], hapd
, "FAST", "user",
3625 anonymous_identity
="FAST", password
="password",
3626 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3627 phase1
="fast_provisioning=1 fast_pac_format=binary",
3628 pac_file
="blob://fast_pac_bin_errors")
3629 dev
[0].request("REMOVE_NETWORK all")
3630 dev
[0].wait_disconnected()
3632 def test_ap_wpa2_eap_fast_text_pac_errors(dev
, apdev
):
3633 """EAP-FAST and text PAC errors"""
3634 check_eap_capa(dev
[0], "FAST")
3635 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3636 hostapd
.add_ap(apdev
[0], params
)
3638 tests
= [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
3639 (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
3640 (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
3641 (1, "eap_fast_parse_start"),
3642 (1, "eap_fast_save_pac")]
3643 for count
, func
in tests
:
3644 dev
[0].request("FLUSH")
3645 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3646 raise Exception("Could not set blob")
3648 with
alloc_fail(dev
[0], count
, func
):
3649 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3650 identity
="user", anonymous_identity
="FAST",
3651 password
="password",
3652 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3653 phase1
="fast_provisioning=1",
3654 pac_file
="blob://fast_pac_text_errors",
3655 scan_freq
="2412", wait_connect
=False)
3656 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
3657 dev
[0].request("REMOVE_NETWORK all")
3658 dev
[0].wait_disconnected()
3660 pac
= "wpa_supplicant EAP-FAST PAC file - version 1\n"
3664 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors " + binascii
.hexlify(pac
.encode()).decode()):
3665 raise Exception("Could not set blob")
3667 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3668 identity
="user", anonymous_identity
="FAST",
3669 password
="password",
3670 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3671 phase1
="fast_provisioning=1",
3672 pac_file
="blob://fast_pac_text_errors",
3673 scan_freq
="2412", wait_connect
=False)
3674 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method"], timeout
=5)
3676 raise Exception("Failure not reported")
3677 dev
[0].request("REMOVE_NETWORK all")
3678 dev
[0].wait_disconnected()
3680 dev
[0].request("FLUSH")
3681 if "OK" not in dev
[0].request("SET blob fast_pac_text_errors "):
3682 raise Exception("Could not set blob")
3684 with
alloc_fail(dev
[0], 1, "eap_fast_add_pac_data"):
3686 params
= int_eap_server_params()
3687 params
['ssid'] = "test-wpa2-eap-2"
3688 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3689 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3690 params
['eap_fast_a_id_info'] = "test server %d" % i
3692 hapd2
= hostapd
.add_ap(apdev
[1], params
)
3694 dev
[0].connect("test-wpa2-eap-2", key_mgmt
="WPA-EAP", eap
="FAST",
3695 identity
="user", anonymous_identity
="FAST",
3696 password
="password",
3697 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3698 phase1
="fast_provisioning=1",
3699 pac_file
="blob://fast_pac_text_errors",
3700 scan_freq
="2412", wait_connect
=False)
3701 dev
[0].wait_connected()
3702 dev
[0].request("REMOVE_NETWORK all")
3703 dev
[0].wait_disconnected()
3707 def test_ap_wpa2_eap_fast_pac_truncate(dev
, apdev
):
3708 """EAP-FAST and PAC list truncation"""
3709 check_eap_capa(dev
[0], "FAST")
3710 if "OK" not in dev
[0].request("SET blob fast_pac_truncate "):
3711 raise Exception("Could not set blob")
3713 params
= int_eap_server_params()
3714 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3715 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3716 params
['eap_fast_a_id_info'] = "test server %d" % i
3717 hapd
= hostapd
.add_ap(apdev
[0], params
)
3719 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3720 identity
="user", anonymous_identity
="FAST",
3721 password
="password",
3722 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3723 phase1
="fast_provisioning=1 fast_max_pac_list_len=2",
3724 pac_file
="blob://fast_pac_truncate",
3725 scan_freq
="2412", wait_connect
=False)
3726 dev
[0].wait_connected()
3727 dev
[0].request("REMOVE_NETWORK all")
3728 dev
[0].wait_disconnected()
3732 def test_ap_wpa2_eap_fast_pac_refresh(dev
, apdev
):
3733 """EAP-FAST and PAC refresh"""
3734 check_eap_capa(dev
[0], "FAST")
3735 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3736 raise Exception("Could not set blob")
3738 params
= int_eap_server_params()
3739 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3740 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3741 params
['eap_fast_a_id_info'] = "test server %d" % i
3742 params
['pac_key_refresh_time'] = "1"
3743 params
['pac_key_lifetime'] = "10"
3744 hapd
= hostapd
.add_ap(apdev
[0], params
)
3746 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3747 identity
="user", anonymous_identity
="FAST",
3748 password
="password",
3749 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3750 phase1
="fast_provisioning=1",
3751 pac_file
="blob://fast_pac_refresh",
3752 scan_freq
="2412", wait_connect
=False)
3753 dev
[0].wait_connected()
3754 dev
[0].request("REMOVE_NETWORK all")
3755 dev
[0].wait_disconnected()
3760 params
= int_eap_server_params()
3761 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3762 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3763 params
['eap_fast_a_id_info'] = "test server %d" % i
3764 params
['pac_key_refresh_time'] = "10"
3765 params
['pac_key_lifetime'] = "10"
3766 hapd
= hostapd
.add_ap(apdev
[0], params
)
3768 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3769 identity
="user", anonymous_identity
="FAST",
3770 password
="password",
3771 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3772 phase1
="fast_provisioning=1",
3773 pac_file
="blob://fast_pac_refresh",
3774 scan_freq
="2412", wait_connect
=False)
3775 dev
[0].wait_connected()
3776 dev
[0].request("REMOVE_NETWORK all")
3777 dev
[0].wait_disconnected()
3781 def test_ap_wpa2_eap_fast_pac_lifetime(dev
, apdev
):
3782 """EAP-FAST and PAC lifetime"""
3783 check_eap_capa(dev
[0], "FAST")
3784 if "OK" not in dev
[0].request("SET blob fast_pac_refresh "):
3785 raise Exception("Could not set blob")
3788 params
= int_eap_server_params()
3789 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3790 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3791 params
['eap_fast_a_id_info'] = "test server %d" % i
3792 params
['pac_key_refresh_time'] = "0"
3793 params
['pac_key_lifetime'] = "2"
3794 hapd
= hostapd
.add_ap(apdev
[0], params
)
3796 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3797 identity
="user", anonymous_identity
="FAST",
3798 password
="password",
3799 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3800 phase1
="fast_provisioning=2",
3801 pac_file
="blob://fast_pac_refresh",
3802 scan_freq
="2412", wait_connect
=False)
3803 dev
[0].wait_connected()
3804 dev
[0].request("DISCONNECT")
3805 dev
[0].wait_disconnected()
3808 dev
[0].request("PMKSA_FLUSH")
3809 dev
[0].request("RECONNECT")
3810 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3812 raise Exception("No EAP-Failure seen after expired PAC")
3813 dev
[0].request("DISCONNECT")
3814 dev
[0].wait_disconnected()
3816 dev
[0].select_network(id)
3817 dev
[0].wait_connected()
3818 dev
[0].request("REMOVE_NETWORK all")
3819 dev
[0].wait_disconnected()
3821 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev
, apdev
):
3822 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
3823 check_eap_capa(dev
[0], "FAST")
3824 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3825 hapd
= hostapd
.add_ap(apdev
[0], params
)
3826 eap_connect(dev
[0], hapd
, "FAST", "user",
3827 anonymous_identity
="FAST", password
="password",
3828 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3829 phase1
="fast_provisioning=2", pac_file
="blob://fast_pac_auth")
3830 hwsim_utils
.test_connectivity(dev
[0], hapd
)
3831 res
= eap_reauth(dev
[0], "FAST")
3832 if res
['tls_session_reused'] != '1':
3833 raise Exception("EAP-FAST could not use PAC session ticket")
3835 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
3836 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
3837 check_eap_capa(dev
[0], "FAST")
3838 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3839 hapd
= hostapd
.add_ap(apdev
[0], params
)
3840 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3841 anonymous_identity
="FAST", password
="password",
3842 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3843 phase1
="fast_provisioning=2",
3844 pac_file
="blob://fast_pac_auth")
3845 dev
[0].set_network_quoted(id, "identity", "user2")
3846 dev
[0].wait_disconnected()
3847 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
3849 raise Exception("EAP-FAST not started")
3850 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
3852 raise Exception("EAP failure not reported")
3853 dev
[0].wait_disconnected()
3855 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
3856 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
3857 check_eap_capa(dev
[0], "FAST")
3858 tls
= dev
[0].request("GET tls_library")
3859 if tls
.startswith("OpenSSL"):
3860 func
= "tls_connection_get_eap_fast_key"
3862 elif tls
.startswith("internal"):
3863 func
= "tls_connection_prf"
3866 raise HwsimSkip("Unsupported TLS library")
3867 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3868 hapd
= hostapd
.add_ap(apdev
[0], params
)
3869 with
alloc_fail(dev
[0], count
, func
):
3870 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3871 identity
="user", anonymous_identity
="FAST",
3872 password
="password", ca_cert
="auth_serv/ca.pem",
3874 phase1
="fast_provisioning=2",
3875 pac_file
="blob://fast_pac_auth",
3876 wait_connect
=False, scan_freq
="2412")
3877 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
3879 raise Exception("EAP failure not reported")
3880 dev
[0].request("DISCONNECT")
3882 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
3883 """EAP-FAST/MSCHAPv2 and server OOM"""
3884 check_eap_capa(dev
[0], "FAST")
3886 params
= int_eap_server_params()
3887 params
['dh_file'] = 'auth_serv/dh.conf'
3888 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
3889 params
['eap_fast_a_id'] = '1011'
3890 params
['eap_fast_a_id_info'] = 'another test server'
3891 hapd
= hostapd
.add_ap(apdev
[0], params
)
3893 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
3894 id = eap_connect(dev
[0], hapd
, "FAST", "user",
3895 anonymous_identity
="FAST", password
="password",
3896 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3897 phase1
="fast_provisioning=1",
3898 pac_file
="blob://fast_pac",
3899 expect_failure
=True)
3900 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3902 raise Exception("No EAP failure reported")
3903 dev
[0].wait_disconnected()
3904 dev
[0].request("DISCONNECT")
3906 dev
[0].select_network(id, freq
="2412")
3908 def test_ap_wpa2_eap_fast_cipher_suites(dev
, apdev
):
3909 """EAP-FAST and different TLS cipher suites"""
3910 check_eap_capa(dev
[0], "FAST")
3911 tls
= dev
[0].request("GET tls_library")
3912 if not tls
.startswith("OpenSSL") and not tls
.startswith("wolfSSL"):
3913 raise HwsimSkip("TLS library is not OpenSSL or wolfSSL: " + tls
)
3915 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3916 hapd
= hostapd
.add_ap(apdev
[0], params
)
3918 dev
[0].request("SET blob fast_pac_ciphers ")
3919 eap_connect(dev
[0], hapd
, "FAST", "user",
3920 anonymous_identity
="FAST", password
="password",
3921 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3922 phase1
="fast_provisioning=2",
3923 pac_file
="blob://fast_pac_ciphers")
3924 res
= dev
[0].get_status_field('EAP TLS cipher')
3925 dev
[0].request("REMOVE_NETWORK all")
3926 dev
[0].wait_disconnected()
3927 if res
!= "DHE-RSA-AES256-SHA":
3928 raise Exception("Unexpected cipher suite for provisioning: " + res
)
3930 tests
= ["DHE-RSA-AES128-SHA",
3934 "DHE-RSA-AES256-SHA"]
3935 for cipher
in tests
:
3936 dev
[0].dump_monitor()
3937 logger
.info("Testing " + cipher
)
3939 eap_connect(dev
[0], hapd
, "FAST", "user",
3940 openssl_ciphers
=cipher
,
3941 anonymous_identity
="FAST", password
="password",
3942 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
3943 pac_file
="blob://fast_pac_ciphers",
3944 report_failure
=True)
3945 except Exception as e
:
3946 if cipher
== "RC4-SHA" and \
3947 ("Could not select EAP method" in str(e
) or \
3948 "EAP failed" in str(e
)):
3949 if "run=OpenSSL 1.1" in tls
:
3950 logger
.info("Allow failure due to missing TLS library support")
3951 dev
[0].request("REMOVE_NETWORK all")
3952 dev
[0].wait_disconnected()
3955 res
= dev
[0].get_status_field('EAP TLS cipher')
3956 dev
[0].request("REMOVE_NETWORK all")
3957 dev
[0].wait_disconnected()
3959 raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher
, res
))
3961 def test_ap_wpa2_eap_fast_prov(dev
, apdev
):
3962 """EAP-FAST and provisioning options"""
3963 check_eap_capa(dev
[0], "FAST")
3964 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
3965 raise Exception("Could not set blob")
3968 params
= int_eap_server_params()
3969 params
['disable_pmksa_caching'] = '1'
3970 params
['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
3971 params
['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
3972 params
['eap_fast_a_id_info'] = "test server %d" % i
3973 params
['eap_fast_prov'] = "0"
3974 hapd
= hostapd
.add_ap(apdev
[0], params
)
3976 logger
.info("Provisioning attempt while server has provisioning disabled")
3977 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
3978 identity
="user", anonymous_identity
="FAST",
3979 password
="password",
3980 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3981 phase1
="fast_provisioning=2",
3982 pac_file
="blob://fast_pac_prov",
3983 scan_freq
="2412", wait_connect
=False)
3984 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
3987 raise Exception("EAP result not reported")
3988 if "parameter='failure'" not in ev
:
3989 raise Exception("Unexpected EAP result: " + ev
)
3990 dev
[0].wait_disconnected()
3991 dev
[0].request("DISCONNECT")
3992 dev
[0].dump_monitor()
3995 logger
.info("Authenticated provisioning")
3996 hapd
.set("eap_fast_prov", "2")
3999 dev
[0].select_network(id, freq
="2412")
4000 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4003 raise Exception("EAP result not reported")
4004 if "parameter='success'" not in ev
:
4005 raise Exception("Unexpected EAP result: " + ev
)
4006 dev
[0].wait_connected()
4007 dev
[0].request("DISCONNECT")
4008 dev
[0].wait_disconnected()
4009 dev
[0].dump_monitor()
4012 logger
.info("Provisioning disabled - using previously provisioned PAC")
4013 hapd
.set("eap_fast_prov", "0")
4016 dev
[0].select_network(id, freq
="2412")
4017 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4020 raise Exception("EAP result not reported")
4021 if "parameter='success'" not in ev
:
4022 raise Exception("Unexpected EAP result: " + ev
)
4023 dev
[0].wait_connected()
4024 dev
[0].request("DISCONNECT")
4025 dev
[0].wait_disconnected()
4026 dev
[0].dump_monitor()
4028 logger
.info("Drop PAC and verify connection failure")
4029 if "OK" not in dev
[0].request("SET blob fast_pac_prov "):
4030 raise Exception("Could not set blob")
4032 dev
[0].select_network(id, freq
="2412")
4033 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4036 raise Exception("EAP result not reported")
4037 if "parameter='failure'" not in ev
:
4038 raise Exception("Unexpected EAP result: " + ev
)
4039 dev
[0].wait_disconnected()
4040 dev
[0].request("DISCONNECT")
4041 dev
[0].dump_monitor()
4044 logger
.info("Anonymous provisioning")
4045 hapd
.set("eap_fast_prov", "1")
4047 dev
[0].set_network_quoted(id, "phase1", "fast_provisioning=1")
4048 dev
[0].select_network(id, freq
="2412")
4049 # Anonymous provisioning results in EAP-Failure first
4050 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4053 raise Exception("EAP result not reported")
4054 if "parameter='failure'" not in ev
:
4055 raise Exception("Unexpected EAP result: " + ev
)
4056 dev
[0].wait_disconnected()
4057 # And then the actual data connection
4058 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4061 raise Exception("EAP result not reported")
4062 if "parameter='success'" not in ev
:
4063 raise Exception("Unexpected EAP result: " + ev
)
4064 dev
[0].wait_connected()
4065 dev
[0].request("DISCONNECT")
4066 dev
[0].wait_disconnected()
4067 dev
[0].dump_monitor()
4070 logger
.info("Provisioning disabled - using previously provisioned PAC")
4071 hapd
.set("eap_fast_prov", "0")
4074 dev
[0].select_network(id, freq
="2412")
4075 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
4078 raise Exception("EAP result not reported")
4079 if "parameter='success'" not in ev
:
4080 raise Exception("Unexpected EAP result: " + ev
)
4081 dev
[0].wait_connected()
4082 dev
[0].request("DISCONNECT")
4083 dev
[0].wait_disconnected()
4084 dev
[0].dump_monitor()
4086 def test_ap_wpa2_eap_fast_eap_vendor(dev
, apdev
):
4087 """WPA2-Enterprise connection using EAP-FAST/EAP-vendor"""
4088 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4089 hapd
= hostapd
.add_ap(apdev
[0], params
)
4090 eap_connect(dev
[0], hapd
, "FAST", "vendor-test-2",
4091 anonymous_identity
="FAST",
4092 phase1
="fast_provisioning=2", pac_file
="blob://fast_pac",
4093 ca_cert
="auth_serv/ca.pem", phase2
="auth=VENDOR-TEST")
4095 def test_ap_wpa2_eap_tls_ocsp(dev
, apdev
):
4096 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
4097 check_ocsp_support(dev
[0])
4098 check_pkcs12_support(dev
[0])
4099 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4100 hapd
= hostapd
.add_ap(apdev
[0], params
)
4101 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
4102 private_key
="auth_serv/user.pkcs12",
4103 private_key_passwd
="whatever", ocsp
=2)
4105 def test_ap_wpa2_eap_tls_ocsp_multi(dev
, apdev
):
4106 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
4107 check_ocsp_multi_support(dev
[0])
4108 check_pkcs12_support(dev
[0])
4110 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4111 hapd
= hostapd
.add_ap(apdev
[0], params
)
4112 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
4113 private_key
="auth_serv/user.pkcs12",
4114 private_key_passwd
="whatever", ocsp
=2)
4116 def int_eap_server_params():
4117 params
= {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
4118 "rsn_pairwise": "CCMP", "ieee8021x": "1",
4119 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
4120 "ca_cert": "auth_serv/ca.pem",
4121 "server_cert": "auth_serv/server.pem",
4122 "private_key": "auth_serv/server.key",
4123 "dh_file": "auth_serv/dh.conf"}
4126 def run_openssl(arg
):
4127 logger
.info(' '.join(arg
))
4128 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4129 stderr
=subprocess
.PIPE
)
4130 res
= cmd
.stdout
.read().decode() + "\n" + cmd
.stderr
.read().decode()
4134 if cmd
.returncode
!= 0:
4135 raise Exception("bad return code from openssl\n\n" + res
)
4136 logger
.info("openssl result:\n" + res
)
4138 def ocsp_cache_key_id(outfile
):
4139 if os
.path
.exists(outfile
):
4141 arg
= ["openssl", "ocsp", "-index", "auth_serv/index.txt",
4142 '-rsigner', 'auth_serv/ocsp-responder.pem',
4143 '-rkey', 'auth_serv/ocsp-responder.key',
4145 '-CA', 'auth_serv/ca.pem',
4146 '-issuer', 'auth_serv/ca.pem',
4147 '-verify_other', 'auth_serv/ca.pem',
4150 '-reqin', 'auth_serv/ocsp-req.der',
4151 '-respout', outfile
]
4154 def test_ap_wpa2_eap_tls_ocsp_key_id(dev
, apdev
, params
):
4155 """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
4156 check_ocsp_support(dev
[0])
4157 check_pkcs12_support(dev
[0])
4158 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-key-id.der")
4159 ocsp_cache_key_id(ocsp
)
4160 if not os
.path
.exists(ocsp
):
4161 raise HwsimSkip("No OCSP response available")
4162 params
= int_eap_server_params()
4163 params
["ocsp_stapling_response"] = ocsp
4164 hostapd
.add_ap(apdev
[0], params
)
4165 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4166 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4167 private_key
="auth_serv/user.pkcs12",
4168 private_key_passwd
="whatever", ocsp
=2,
4171 def ocsp_req(outfile
):
4172 if os
.path
.exists(outfile
):
4174 arg
= ["openssl", "ocsp",
4176 '-issuer', 'auth_serv/ca.pem',
4178 '-serial', '0xD8D3E3A6CBE3CD1F',
4181 if not os
.path
.exists(outfile
):
4182 raise HwsimSkip("Failed to generate OCSP request")
4184 def ocsp_resp_ca_signed(reqfile
, outfile
, status
):
4186 if os
.path
.exists(outfile
):
4188 arg
= ["openssl", "ocsp",
4189 "-index", "auth_serv/index%s.txt" % status
,
4190 "-rsigner", "auth_serv/ca.pem",
4191 "-rkey", "auth_serv/ca-key.pem",
4192 "-CA", "auth_serv/ca.pem",
4196 "-respout", outfile
]
4198 if not os
.path
.exists(outfile
):
4199 raise HwsimSkip("No OCSP response available")
4201 def ocsp_resp_server_signed(reqfile
, outfile
):
4203 if os
.path
.exists(outfile
):
4205 arg
= ["openssl", "ocsp",
4206 "-index", "auth_serv/index.txt",
4207 "-rsigner", "auth_serv/server.pem",
4208 "-rkey", "auth_serv/server.key",
4209 "-CA", "auth_serv/ca.pem",
4212 "-respout", outfile
]
4214 if not os
.path
.exists(outfile
):
4215 raise HwsimSkip("No OCSP response available")
4217 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
4218 """EAP-TLS and CA signed OCSP response (good)"""
4219 check_ocsp_support(dev
[0])
4220 check_pkcs12_support(dev
[0])
4221 req
= os
.path
.join(params
['logdir'], "ocsp-req.der")
4222 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
4223 ocsp_resp_ca_signed(req
, ocsp
, "")
4224 params
= int_eap_server_params()
4225 params
["ocsp_stapling_response"] = ocsp
4226 hostapd
.add_ap(apdev
[0], params
)
4227 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4228 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4229 private_key
="auth_serv/user.pkcs12",
4230 private_key_passwd
="whatever", ocsp
=2,
4233 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
4234 """EAP-TLS and CA signed OCSP response (revoked)"""
4235 check_ocsp_support(dev
[0])
4236 check_pkcs12_support(dev
[0])
4237 req
= os
.path
.join(params
['logdir'], "ocsp-req.der")
4238 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
4239 ocsp_resp_ca_signed(req
, ocsp
, "-revoked")
4240 params
= int_eap_server_params()
4241 params
["ocsp_stapling_response"] = ocsp
4242 hostapd
.add_ap(apdev
[0], params
)
4243 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4244 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4245 private_key
="auth_serv/user.pkcs12",
4246 private_key_passwd
="whatever", ocsp
=2,
4247 wait_connect
=False, scan_freq
="2412")
4250 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4252 raise Exception("Timeout on EAP status")
4253 if 'bad certificate status response' in ev
:
4255 if 'certificate revoked' in ev
:
4259 raise Exception("Unexpected number of EAP status messages")
4261 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4263 raise Exception("Timeout on EAP failure report")
4265 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
4266 """EAP-TLS and CA signed OCSP response (unknown)"""
4267 check_ocsp_support(dev
[0])
4268 check_pkcs12_support(dev
[0])
4269 req
= os
.path
.join(params
['logdir'], "ocsp-req.der")
4270 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
4271 ocsp_resp_ca_signed(req
, ocsp
, "-unknown")
4272 params
= int_eap_server_params()
4273 params
["ocsp_stapling_response"] = ocsp
4274 hostapd
.add_ap(apdev
[0], params
)
4275 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4276 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4277 private_key
="auth_serv/user.pkcs12",
4278 private_key_passwd
="whatever", ocsp
=2,
4279 wait_connect
=False, scan_freq
="2412")
4282 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4284 raise Exception("Timeout on EAP status")
4285 if 'bad certificate status response' in ev
:
4289 raise Exception("Unexpected number of EAP status messages")
4291 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4293 raise Exception("Timeout on EAP failure report")
4295 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
4296 """EAP-TLS and server signed OCSP response"""
4297 check_ocsp_support(dev
[0])
4298 check_pkcs12_support(dev
[0])
4299 req
= os
.path
.join(params
['logdir'], "ocsp-req.der")
4300 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
4301 ocsp_resp_server_signed(req
, ocsp
)
4302 params
= int_eap_server_params()
4303 params
["ocsp_stapling_response"] = ocsp
4304 hostapd
.add_ap(apdev
[0], params
)
4305 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4306 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4307 private_key
="auth_serv/user.pkcs12",
4308 private_key_passwd
="whatever", ocsp
=2,
4309 wait_connect
=False, scan_freq
="2412")
4312 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4314 raise Exception("Timeout on EAP status")
4315 if 'bad certificate status response' in ev
:
4319 raise Exception("Unexpected number of EAP status messages")
4321 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4323 raise Exception("Timeout on EAP failure report")
4325 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
4326 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
4327 check_ocsp_support(dev
[0])
4328 check_pkcs12_support(dev
[0])
4329 params
= int_eap_server_params()
4330 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
4331 hostapd
.add_ap(apdev
[0], params
)
4332 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4333 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4334 private_key
="auth_serv/user.pkcs12",
4335 private_key_passwd
="whatever", ocsp
=2,
4336 wait_connect
=False, scan_freq
="2412")
4339 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4341 raise Exception("Timeout on EAP status")
4342 if 'bad certificate status response' in ev
:
4346 raise Exception("Unexpected number of EAP status messages")
4348 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4350 raise Exception("Timeout on EAP failure report")
4352 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
4353 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
4354 check_ocsp_support(dev
[0])
4355 check_pkcs12_support(dev
[0])
4356 params
= int_eap_server_params()
4357 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
4358 hostapd
.add_ap(apdev
[0], params
)
4359 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4360 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4361 private_key
="auth_serv/user.pkcs12",
4362 private_key_passwd
="whatever", ocsp
=2,
4363 wait_connect
=False, scan_freq
="2412")
4366 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4368 raise Exception("Timeout on EAP status")
4369 if 'bad certificate status response' in ev
:
4373 raise Exception("Unexpected number of EAP status messages")
4375 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4377 raise Exception("Timeout on EAP failure report")
4379 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
4380 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
4381 check_ocsp_support(dev
[0])
4382 check_pkcs12_support(dev
[0])
4383 params
= int_eap_server_params()
4384 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
4385 hostapd
.add_ap(apdev
[0], params
)
4386 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4387 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4388 private_key
="auth_serv/user.pkcs12",
4389 private_key_passwd
="whatever", ocsp
=2,
4390 wait_connect
=False, scan_freq
="2412")
4393 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4395 raise Exception("Timeout on EAP status")
4396 if 'bad certificate status response' in ev
:
4400 raise Exception("Unexpected number of EAP status messages")
4402 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4404 raise Exception("Timeout on EAP failure report")
4406 def ocsp_resp_status(outfile
, status
):
4407 if os
.path
.exists(outfile
):
4409 arg
= ["openssl", "ocsp", "-index", "auth_serv/index-%s.txt" % status
,
4410 '-rsigner', 'auth_serv/ocsp-responder.pem',
4411 '-rkey', 'auth_serv/ocsp-responder.key',
4412 '-CA', 'auth_serv/ca.pem',
4413 '-issuer', 'auth_serv/ca.pem',
4414 '-verify_other', 'auth_serv/ca.pem',
4417 '-reqin', 'auth_serv/ocsp-req.der',
4418 '-respout', outfile
]
4421 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
4422 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4423 check_ocsp_support(dev
[0])
4424 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
4425 ocsp_resp_status(ocsp
, "revoked")
4426 if not os
.path
.exists(ocsp
):
4427 raise HwsimSkip("No OCSP response available")
4428 params
= int_eap_server_params()
4429 params
["ocsp_stapling_response"] = ocsp
4430 hostapd
.add_ap(apdev
[0], params
)
4431 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4432 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4433 anonymous_identity
="ttls", password
="password",
4434 phase2
="auth=PAP", ocsp
=2,
4435 wait_connect
=False, scan_freq
="2412")
4438 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4440 raise Exception("Timeout on EAP status")
4441 if 'bad certificate status response' in ev
:
4443 if 'certificate revoked' in ev
:
4447 raise Exception("Unexpected number of EAP status messages")
4449 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4451 raise Exception("Timeout on EAP failure report")
4453 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4454 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
4455 check_ocsp_support(dev
[0])
4456 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4457 ocsp_resp_status(ocsp
, "unknown")
4458 if not os
.path
.exists(ocsp
):
4459 raise HwsimSkip("No OCSP response available")
4460 params
= int_eap_server_params()
4461 params
["ocsp_stapling_response"] = ocsp
4462 hostapd
.add_ap(apdev
[0], params
)
4463 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4464 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4465 anonymous_identity
="ttls", password
="password",
4466 phase2
="auth=PAP", ocsp
=2,
4467 wait_connect
=False, scan_freq
="2412")
4470 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4472 raise Exception("Timeout on EAP status")
4473 if 'bad certificate status response' in ev
:
4477 raise Exception("Unexpected number of EAP status messages")
4479 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4481 raise Exception("Timeout on EAP failure report")
4483 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev
, apdev
, params
):
4484 """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown"""
4485 check_ocsp_support(dev
[0])
4486 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4487 ocsp_resp_status(ocsp
, "unknown")
4488 if not os
.path
.exists(ocsp
):
4489 raise HwsimSkip("No OCSP response available")
4490 params
= int_eap_server_params()
4491 params
["ocsp_stapling_response"] = ocsp
4492 hostapd
.add_ap(apdev
[0], params
)
4493 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4494 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4495 anonymous_identity
="ttls", password
="password",
4496 phase2
="auth=PAP", ocsp
=1, scan_freq
="2412")
4498 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4499 """EAP-TLS with intermediate server/user CA"""
4500 params
= int_eap_server_params()
4501 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4502 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4503 params
["private_key"] = "auth_serv/iCA-server/server.key"
4504 hostapd
.add_ap(apdev
[0], params
)
4505 tls
= dev
[0].request("GET tls_library")
4506 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4507 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4508 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4510 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4511 client_cert
= "auth_serv/iCA-user/user.pem"
4512 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4513 identity
="tls user",
4515 client_cert
=client_cert
,
4516 private_key
="auth_serv/iCA-user/user.key",
4519 def root_ocsp(cert
):
4520 ca
= "auth_serv/ca.pem"
4522 fd2
, fn2
= tempfile
.mkstemp()
4525 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-sha256",
4526 "-cert", cert
, "-no_nonce", "-text"]
4529 fd
, fn
= tempfile
.mkstemp()
4531 arg
= ["openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4532 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4533 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4534 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4540 def ica_ocsp(cert
, md
="-sha256"):
4541 prefix
= "auth_serv/iCA-server/"
4542 ca
= prefix
+ "cacert.pem"
4543 cert
= prefix
+ cert
4545 fd2
, fn2
= tempfile
.mkstemp()
4548 arg
= ["openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, md
,
4549 "-cert", cert
, "-no_nonce", "-text"]
4552 fd
, fn
= tempfile
.mkstemp()
4554 arg
= ["openssl", "ocsp", "-index", prefix
+ "index.txt",
4555 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4556 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4557 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4563 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
):
4564 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
4565 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, "-sha256")
4567 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_sha1(dev
, apdev
, params
):
4568 """EAP-TLS with intermediate server/user CA and OCSP on server certificate )SHA1)"""
4569 run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, "-sha1")
4571 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
, md
):
4572 params
= int_eap_server_params()
4573 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4574 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4575 params
["private_key"] = "auth_serv/iCA-server/server.key"
4576 fn
= ica_ocsp("server.pem", md
)
4577 params
["ocsp_stapling_response"] = fn
4579 hostapd
.add_ap(apdev
[0], params
)
4580 tls
= dev
[0].request("GET tls_library")
4581 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4582 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4583 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4585 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4586 client_cert
= "auth_serv/iCA-user/user.pem"
4587 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4588 identity
="tls user",
4590 client_cert
=client_cert
,
4591 private_key
="auth_serv/iCA-user/user.key",
4592 scan_freq
="2412", ocsp
=2)
4596 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4597 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4598 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4601 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked_sha1(dev
, apdev
, params
):
4602 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate (SHA1)"""
4603 run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
,
4606 def run_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
, md
):
4607 check_ocsp_support(dev
[0])
4608 params
= int_eap_server_params()
4609 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4610 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4611 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4612 fn
= ica_ocsp("server-revoked.pem", md
)
4613 params
["ocsp_stapling_response"] = fn
4615 hostapd
.add_ap(apdev
[0], params
)
4616 tls
= dev
[0].request("GET tls_library")
4617 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4618 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4619 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4621 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4622 client_cert
= "auth_serv/iCA-user/user.pem"
4623 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4624 identity
="tls user",
4626 client_cert
=client_cert
,
4627 private_key
="auth_serv/iCA-user/user.key",
4628 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4631 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4632 "CTRL-EVENT-EAP-SUCCESS"])
4634 raise Exception("Timeout on EAP status")
4635 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4636 raise Exception("Unexpected EAP-Success")
4637 if 'bad certificate status response' in ev
:
4639 if 'certificate revoked' in ev
:
4643 raise Exception("Unexpected number of EAP status messages")
4645 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4647 raise Exception("Timeout on EAP failure report")
4648 dev
[0].request("REMOVE_NETWORK all")
4649 dev
[0].wait_disconnected()
4653 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4654 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4655 check_ocsp_support(dev
[0])
4656 check_ocsp_multi_support(dev
[0])
4658 params
= int_eap_server_params()
4659 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4660 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4661 params
["private_key"] = "auth_serv/iCA-server/server.key"
4662 fn
= ica_ocsp("server.pem")
4663 params
["ocsp_stapling_response"] = fn
4665 hostapd
.add_ap(apdev
[0], params
)
4666 tls
= dev
[0].request("GET tls_library")
4667 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4668 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4669 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4671 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4672 client_cert
= "auth_serv/iCA-user/user.pem"
4673 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4674 identity
="tls user",
4676 client_cert
=client_cert
,
4677 private_key
="auth_serv/iCA-user/user.key",
4678 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4681 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4682 "CTRL-EVENT-EAP-SUCCESS"])
4684 raise Exception("Timeout on EAP status")
4685 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4686 raise Exception("Unexpected EAP-Success")
4687 if 'bad certificate status response' in ev
:
4689 if 'certificate revoked' in ev
:
4693 raise Exception("Unexpected number of EAP status messages")
4695 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4697 raise Exception("Timeout on EAP failure report")
4698 dev
[0].request("REMOVE_NETWORK all")
4699 dev
[0].wait_disconnected()
4703 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4704 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4705 check_ocsp_support(dev
[0])
4706 check_ocsp_multi_support(dev
[0])
4708 params
= int_eap_server_params()
4709 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4710 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4711 params
["private_key"] = "auth_serv/iCA-server/server.key"
4712 fn
= ica_ocsp("server.pem")
4713 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4714 params
["ocsp_stapling_response"] = fn
4716 with
open(fn
, "rb") as f
:
4717 resp_server
= f
.read()
4718 with
open(fn2
, "rb") as f
:
4721 fd3
, fn3
= tempfile
.mkstemp()
4723 f
= os
.fdopen(fd3
, 'wb')
4724 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4725 f
.write(resp_server
)
4726 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4730 params
["ocsp_stapling_response_multi"] = fn3
4732 hostapd
.add_ap(apdev
[0], params
)
4733 tls
= dev
[0].request("GET tls_library")
4734 if "GnuTLS" in tls
or "wolfSSL" in tls
:
4735 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4736 client_cert
= "auth_serv/iCA-user/user_and_ica.pem"
4738 ca_cert
= "auth_serv/iCA-user/ca-and-root.pem"
4739 client_cert
= "auth_serv/iCA-user/user.pem"
4740 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4741 identity
="tls user",
4743 client_cert
=client_cert
,
4744 private_key
="auth_serv/iCA-user/user.key",
4745 scan_freq
="2412", ocsp
=3)
4746 dev
[0].request("REMOVE_NETWORK all")
4747 dev
[0].wait_disconnected()
4753 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4754 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4755 check_ocsp_support(dev
[0])
4756 check_ocsp_multi_support(dev
[0])
4757 check_pkcs12_support(dev
[0])
4759 req
= os
.path
.join(params
['logdir'], "ocsp-req.der")
4760 ocsp_revoked
= os
.path
.join(params
['logdir'],
4761 "ocsp-resp-ca-signed-revoked.der")
4762 ocsp_unknown
= os
.path
.join(params
['logdir'],
4763 "ocsp-resp-ca-signed-unknown.der")
4764 ocsp_resp_ca_signed(req
, ocsp_revoked
, "-revoked")
4765 ocsp_resp_ca_signed(req
, ocsp_unknown
, "-unknown")
4767 with
open(ocsp_revoked
, "rb") as f
:
4768 resp_revoked
= f
.read()
4769 with
open(ocsp_unknown
, "rb") as f
:
4770 resp_unknown
= f
.read()
4772 fd
, fn
= tempfile
.mkstemp()
4774 # This is not really a valid order of the OCSPResponse items in the
4775 # list, but this works for now to verify parsing and processing of
4776 # multiple responses.
4777 f
= os
.fdopen(fd
, 'wb')
4778 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4779 f
.write(resp_unknown
)
4780 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4781 f
.write(resp_revoked
)
4782 f
.write(struct
.pack(">L", 0)[1:4])
4783 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4784 f
.write(resp_unknown
)
4787 params
= int_eap_server_params()
4788 params
["ocsp_stapling_response_multi"] = fn
4789 hostapd
.add_ap(apdev
[0], params
)
4790 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4791 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4792 private_key
="auth_serv/user.pkcs12",
4793 private_key_passwd
="whatever", ocsp
=1,
4794 wait_connect
=False, scan_freq
="2412")
4797 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4798 "CTRL-EVENT-EAP-SUCCESS"])
4800 raise Exception("Timeout on EAP status")
4801 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4802 raise Exception("Unexpected EAP-Success")
4803 if 'bad certificate status response' in ev
:
4805 if 'certificate revoked' in ev
:
4809 raise Exception("Unexpected number of EAP status messages")
4813 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4814 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4815 check_domain_match_full(dev
[0])
4816 check_pkcs12_support(dev
[0])
4817 params
= int_eap_server_params()
4818 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4819 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4820 hostapd
.add_ap(apdev
[0], params
)
4821 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4822 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4823 private_key
="auth_serv/user.pkcs12",
4824 private_key_passwd
="whatever",
4825 domain_suffix_match
="server3.w1.fi",
4828 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4829 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4830 check_domain_match(dev
[0])
4831 check_pkcs12_support(dev
[0])
4832 params
= int_eap_server_params()
4833 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4834 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4835 hostapd
.add_ap(apdev
[0], params
)
4836 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4837 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4838 private_key
="auth_serv/user.pkcs12",
4839 private_key_passwd
="whatever",
4840 domain_match
="server3.w1.fi",
4843 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4844 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4845 check_domain_match_full(dev
[0])
4846 check_pkcs12_support(dev
[0])
4847 params
= int_eap_server_params()
4848 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4849 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4850 hostapd
.add_ap(apdev
[0], params
)
4851 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4852 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4853 private_key
="auth_serv/user.pkcs12",
4854 private_key_passwd
="whatever",
4855 domain_suffix_match
="w1.fi",
4858 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4859 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4860 check_domain_suffix_match(dev
[0])
4861 check_pkcs12_support(dev
[0])
4862 params
= int_eap_server_params()
4863 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4864 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4865 hostapd
.add_ap(apdev
[0], params
)
4866 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4867 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4868 private_key
="auth_serv/user.pkcs12",
4869 private_key_passwd
="whatever",
4870 domain_suffix_match
="example.com",
4873 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4874 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4875 private_key
="auth_serv/user.pkcs12",
4876 private_key_passwd
="whatever",
4877 domain_suffix_match
="erver3.w1.fi",
4880 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4882 raise Exception("Timeout on EAP failure report")
4883 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4885 raise Exception("Timeout on EAP failure report (2)")
4887 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4888 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4889 check_domain_match(dev
[0])
4890 check_pkcs12_support(dev
[0])
4891 params
= int_eap_server_params()
4892 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4893 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4894 hostapd
.add_ap(apdev
[0], params
)
4895 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4896 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4897 private_key
="auth_serv/user.pkcs12",
4898 private_key_passwd
="whatever",
4899 domain_match
="example.com",
4902 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4903 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4904 private_key
="auth_serv/user.pkcs12",
4905 private_key_passwd
="whatever",
4906 domain_match
="w1.fi",
4909 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4911 raise Exception("Timeout on EAP failure report")
4912 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4914 raise Exception("Timeout on EAP failure report (2)")
4916 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4917 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4918 skip_with_fips(dev
[0])
4919 params
= int_eap_server_params()
4920 params
["server_cert"] = "auth_serv/server-expired.pem"
4921 params
["private_key"] = "auth_serv/server-expired.key"
4922 hostapd
.add_ap(apdev
[0], params
)
4923 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4924 identity
="mschap user", password
="password",
4925 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4928 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4930 raise Exception("Timeout on EAP certificate error report")
4931 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4932 raise Exception("Unexpected failure reason: " + ev
)
4933 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4935 raise Exception("Timeout on EAP failure report")
4937 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4938 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4939 skip_with_fips(dev
[0])
4940 params
= int_eap_server_params()
4941 params
["server_cert"] = "auth_serv/server-expired.pem"
4942 params
["private_key"] = "auth_serv/server-expired.key"
4943 hostapd
.add_ap(apdev
[0], params
)
4944 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4945 identity
="mschap user", password
="password",
4946 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4947 phase1
="tls_disable_time_checks=1",
4950 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4951 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4952 skip_with_fips(dev
[0])
4953 params
= int_eap_server_params()
4954 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4955 params
["private_key"] = "auth_serv/server-long-duration.key"
4956 hostapd
.add_ap(apdev
[0], params
)
4957 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4958 identity
="mschap user", password
="password",
4959 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4962 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4963 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4964 skip_with_fips(dev
[0])
4965 params
= int_eap_server_params()
4966 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4967 params
["private_key"] = "auth_serv/server-eku-client.key"
4968 hostapd
.add_ap(apdev
[0], params
)
4969 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4970 identity
="mschap user", password
="password",
4971 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4974 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4976 raise Exception("Timeout on EAP failure report")
4978 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4979 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4980 skip_with_fips(dev
[0])
4981 params
= int_eap_server_params()
4982 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4983 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4984 hostapd
.add_ap(apdev
[0], params
)
4985 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4986 identity
="mschap user", password
="password",
4987 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4990 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4991 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4992 skip_with_fips(dev
[0])
4993 params
= int_eap_server_params()
4994 del params
["server_cert"]
4995 params
["private_key"] = "auth_serv/server.pkcs12"
4996 hostapd
.add_ap(apdev
[0], params
)
4997 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4998 identity
="mschap user", password
="password",
4999 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5002 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
5003 """EAP-TTLS and server PKCS#12 file with extra certs"""
5004 skip_with_fips(dev
[0])
5005 params
= int_eap_server_params()
5006 del params
["server_cert"]
5007 params
["private_key"] = "auth_serv/server-extra.pkcs12"
5008 params
["private_key_passwd"] = "whatever"
5009 hostapd
.add_ap(apdev
[0], params
)
5010 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5011 identity
="mschap user", password
="password",
5012 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5015 def test_ap_wpa2_eap_ttls_dh_params(dev
, apdev
):
5016 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
5017 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5018 hapd
= hostapd
.add_ap(apdev
[0], params
)
5019 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5020 anonymous_identity
="ttls", password
="password",
5021 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
5022 dh_file
="auth_serv/dh.conf")
5024 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev
, apdev
):
5025 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
5026 check_dh_dsa_support(dev
[0])
5027 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5028 hapd
= hostapd
.add_ap(apdev
[0], params
)
5029 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5030 anonymous_identity
="ttls", password
="password",
5031 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
5032 dh_file
="auth_serv/dsaparam.pem")
5034 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
5035 """EAP-TTLS and DH params file not found"""
5036 skip_with_fips(dev
[0])
5037 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5038 hostapd
.add_ap(apdev
[0], params
)
5039 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5040 identity
="mschap user", password
="password",
5041 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5042 dh_file
="auth_serv/dh-no-such-file.conf",
5043 scan_freq
="2412", wait_connect
=False)
5044 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
5046 raise Exception("EAP failure timed out")
5047 dev
[0].request("REMOVE_NETWORK all")
5048 dev
[0].wait_disconnected()
5050 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
5051 """EAP-TTLS and invalid DH params file"""
5052 skip_with_fips(dev
[0])
5053 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5054 hostapd
.add_ap(apdev
[0], params
)
5055 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5056 identity
="mschap user", password
="password",
5057 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5058 dh_file
="auth_serv/ca.pem",
5059 scan_freq
="2412", wait_connect
=False)
5060 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
5062 raise Exception("EAP failure timed out")
5063 dev
[0].request("REMOVE_NETWORK all")
5064 dev
[0].wait_disconnected()
5066 def test_ap_wpa2_eap_ttls_dh_params_blob(dev
, apdev
):
5067 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
5068 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5069 hapd
= hostapd
.add_ap(apdev
[0], params
)
5070 dh
= read_pem("auth_serv/dh2.conf")
5071 if "OK" not in dev
[0].request("SET blob dhparams " + binascii
.hexlify(dh
).decode()):
5072 raise Exception("Could not set dhparams blob")
5073 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5074 anonymous_identity
="ttls", password
="password",
5075 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
5076 dh_file
="blob://dhparams")
5078 def test_ap_wpa2_eap_ttls_dh_params_server(dev
, apdev
):
5079 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
5080 params
= int_eap_server_params()
5081 params
["dh_file"] = "auth_serv/dh2.conf"
5082 hapd
= hostapd
.add_ap(apdev
[0], params
)
5083 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5084 anonymous_identity
="ttls", password
="password",
5085 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
5087 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev
, apdev
):
5088 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
5089 params
= int_eap_server_params()
5090 params
["dh_file"] = "auth_serv/dsaparam.pem"
5091 hapd
= hostapd
.add_ap(apdev
[0], params
)
5092 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5093 anonymous_identity
="ttls", password
="password",
5094 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
5096 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
5097 """EAP-TLS server and dhparams file not found"""
5098 params
= int_eap_server_params()
5099 params
["dh_file"] = "auth_serv/dh-no-such-file.conf"
5100 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
5101 if "FAIL" not in hapd
.request("ENABLE"):
5102 raise Exception("Invalid configuration accepted")
5104 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
5105 """EAP-TLS server and invalid dhparams file"""
5106 params
= int_eap_server_params()
5107 params
["dh_file"] = "auth_serv/ca.pem"
5108 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
5109 if "FAIL" not in hapd
.request("ENABLE"):
5110 raise Exception("Invalid configuration accepted")
5112 def test_ap_wpa2_eap_reauth(dev
, apdev
):
5113 """WPA2-Enterprise and Authenticator forcing reauthentication"""
5114 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5115 params
['eap_reauth_period'] = '2'
5116 hapd
= hostapd
.add_ap(apdev
[0], params
)
5117 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
5118 password_hex
="0123456789abcdef0123456789abcdef")
5119 logger
.info("Wait for reauthentication")
5120 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
5122 raise Exception("Timeout on reauthentication")
5123 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5125 raise Exception("Timeout on reauthentication")
5126 for i
in range(0, 20):
5127 state
= dev
[0].get_status_field("wpa_state")
5128 if state
== "COMPLETED":
5131 if state
!= "COMPLETED":
5132 raise Exception("Reauthentication did not complete")
5134 def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_ap(dev
, apdev
):
5135 """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on AP"""
5136 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5137 params
['eap_reauth_period'] = '2'
5138 params
['wpa_deny_ptk0_rekey'] = '2'
5139 hapd
= hostapd
.add_ap(apdev
[0], params
)
5140 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
5141 password_hex
="0123456789abcdef0123456789abcdef")
5142 logger
.info("Wait for disconnect due to reauth")
5143 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
5144 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
5146 raise Exception("Timeout on reauthentication")
5147 if "CTRL-EVENT-EAP-STARTED" in ev
:
5148 raise Exception("Reauthentication without disconnect")
5150 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=1)
5152 raise Exception("Timeout on reconnect")
5154 def test_ap_wpa2_eap_reauth_ptk_rekey_blocked_sta(dev
, apdev
):
5155 """WPA2-Enterprise and Authenticator forcing reauthentication with PTK rekey blocked on station"""
5156 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5157 params
['eap_reauth_period'] = '2'
5158 hapd
= hostapd
.add_ap(apdev
[0], params
)
5159 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
5160 password_hex
="0123456789abcdef0123456789abcdef",
5161 wpa_deny_ptk0_rekey
="2")
5162 logger
.info("Wait for disconnect due to reauth")
5163 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED",
5164 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
5166 raise Exception("Timeout on reauthentication")
5167 if "CTRL-EVENT-EAP-STARTED" in ev
:
5168 raise Exception("Reauthentication without disconnect")
5170 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=1)
5172 raise Exception("Timeout on reconnect")
5174 def test_ap_wpa2_eap_request_identity_message(dev
, apdev
):
5175 """Optional displayable message in EAP Request-Identity"""
5176 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5177 params
['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
5178 hapd
= hostapd
.add_ap(apdev
[0], params
)
5179 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
5180 password_hex
="0123456789abcdef0123456789abcdef")
5182 def test_ap_wpa2_eap_sim_aka_result_ind(dev
, apdev
):
5183 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
5184 check_hlr_auc_gw_support()
5185 params
= int_eap_server_params()
5186 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
5187 params
['eap_sim_aka_result_ind'] = "1"
5188 hapd
= hostapd
.add_ap(apdev
[0], params
)
5190 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
5191 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5192 phase1
="result_ind=1")
5193 eap_reauth(dev
[0], "SIM")
5194 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
5195 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
5197 dev
[0].request("REMOVE_NETWORK all")
5198 dev
[1].request("REMOVE_NETWORK all")
5200 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
5201 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
5202 phase1
="result_ind=1")
5203 eap_reauth(dev
[0], "AKA")
5204 eap_connect(dev
[1], hapd
, "AKA", "0232010000000000",
5205 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
5207 dev
[0].request("REMOVE_NETWORK all")
5208 dev
[1].request("REMOVE_NETWORK all")
5210 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
5211 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
5212 phase1
="result_ind=1")
5213 eap_reauth(dev
[0], "AKA'")
5214 eap_connect(dev
[1], hapd
, "AKA'", "6555444333222111",
5215 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
5217 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
5218 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
5219 check_hlr_auc_gw_support()
5220 params
= int_eap_server_params()
5221 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
5222 params
['eap_sim_db_timeout'] = "0"
5223 params
['disable_pmksa_caching'] = '1'
5224 hapd
= hostapd
.add_ap(apdev
[0], params
)
5226 # Run multiple iterations to make it more likely to hit the case where the
5227 # DB request times out and response is lost.
5229 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
5230 identity
="1232010000000000",
5231 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5232 wait_connect
=False, scan_freq
="2412")
5233 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
5234 "CTRL-EVENT-DISCONNECTED"],
5237 raise Exception("No connection result")
5238 dev
[0].request("REMOVE_NETWORK all")
5239 if "CTRL-EVENT-DISCONNECTED" in ev
:
5241 dev
[0].wait_disconnected()
5244 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
5245 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
5246 skip_with_fips(dev
[0])
5247 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5248 hostapd
.add_ap(apdev
[0], params
)
5249 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5250 eap
="TTLS", identity
="mschap user",
5251 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
5252 anonymous_identity
="ttls", password
="password",
5253 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5255 ev
= dev
[0].wait_event(["EAP: more than",
5256 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
5257 if ev
is None or "EAP: more than" not in ev
:
5258 raise Exception("EAP roundtrip limit not reached")
5260 def test_ap_wpa2_eap_too_many_roundtrips_server(dev
, apdev
):
5261 """WPA2-Enterprise connection resulting in too many EAP roundtrips (server)"""
5262 run_ap_wpa2_eap_too_many_roundtrips_server(dev
, apdev
, 10, 10)
5264 def test_ap_wpa2_eap_too_many_roundtrips_server2(dev
, apdev
):
5265 """WPA2-Enterprise connection resulting in too many EAP roundtrips (server)"""
5266 run_ap_wpa2_eap_too_many_roundtrips_server(dev
, apdev
, 10, 1)
5268 def run_ap_wpa2_eap_too_many_roundtrips_server(dev
, apdev
, max_rounds
,
5270 skip_with_fips(dev
[0])
5271 params
= int_eap_server_params()
5272 params
["max_auth_rounds"] = str(max_rounds
)
5273 params
["max_auth_rounds_short"] = str(max_rounds_short
)
5274 hostapd
.add_ap(apdev
[0], params
)
5275 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5276 eap
="TTLS", identity
="mschap user",
5277 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
5278 anonymous_identity
="ttls", password
="password",
5279 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5281 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE",
5282 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5283 dev
[0].request("DISCONNECT")
5284 if ev
is None or "SUCCESS" in ev
:
5285 raise Exception("EAP roundtrip limit not reported")
5287 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
5288 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
5289 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5290 hostapd
.add_ap(apdev
[0], params
)
5291 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5292 eap
="PSK", identity
="vendor-test",
5293 password_hex
="ff23456789abcdef0123456789abcdef",
5297 for i
in range(0, 5):
5298 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
5300 raise Exception("Association and EAP start timed out")
5301 if "refuse proposed method" in ev
:
5305 raise Exception("Unexpected EAP status: " + ev
)
5307 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
5309 raise Exception("EAP failure timed out")
5311 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
5312 """WPA2-Enterprise connection using SQLite for user DB"""
5313 skip_with_fips(dev
[0])
5317 raise HwsimSkip("No sqlite3 module available")
5318 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
5323 con
= sqlite3
.connect(dbfile
)
5326 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
5327 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
5328 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
5329 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
5330 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
5331 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
5332 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
5333 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
5336 params
= int_eap_server_params()
5337 params
["eap_user_file"] = "sqlite:" + dbfile
5338 hapd
= hostapd
.add_ap(apdev
[0], params
)
5339 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
5340 anonymous_identity
="ttls", password
="password",
5341 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5342 dev
[0].request("REMOVE_NETWORK all")
5343 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
5344 anonymous_identity
="ttls", password
="password",
5345 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
5346 dev
[1].request("REMOVE_NETWORK all")
5347 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
5348 anonymous_identity
="ttls", password
="password",
5349 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
5350 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
5351 anonymous_identity
="ttls", password
="password",
5352 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5356 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
5357 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5358 params
= int_eap_server_params()
5359 hostapd
.add_ap(apdev
[0], params
)
5360 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5361 identity
="\x80", password
="password", wait_connect
=False)
5362 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5363 identity
="a\x80", password
="password", wait_connect
=False)
5364 for i
in range(0, 2):
5365 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5367 raise Exception("Association and EAP start timed out")
5368 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5370 raise Exception("EAP method selection timed out")
5372 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
5373 """WPA2-Enterprise connection attempt using non-ASCII identity"""
5374 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5375 hostapd
.add_ap(apdev
[0], params
)
5376 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5377 identity
="\x80", password
="password", wait_connect
=False)
5378 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5379 identity
="a\x80", password
="password", wait_connect
=False)
5380 for i
in range(0, 2):
5381 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
5383 raise Exception("Association and EAP start timed out")
5384 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
5386 raise Exception("EAP method selection timed out")
5388 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
5389 """OpenSSL cipher suite configuration on wpa_supplicant"""
5390 tls
= dev
[0].request("GET tls_library")
5391 if not tls
.startswith("OpenSSL"):
5392 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
5393 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5394 hapd
= hostapd
.add_ap(apdev
[0], params
)
5395 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5396 anonymous_identity
="ttls", password
="password",
5397 openssl_ciphers
="AES128",
5398 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5399 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5400 anonymous_identity
="ttls", password
="password",
5401 openssl_ciphers
="EXPORT",
5402 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5403 expect_failure
=True, maybe_local_error
=True)
5404 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
5405 identity
="pap user", anonymous_identity
="ttls",
5406 password
="password",
5407 openssl_ciphers
="FOO",
5408 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5410 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5412 raise Exception("EAP failure after invalid openssl_ciphers not reported")
5413 dev
[2].request("DISCONNECT")
5415 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
5416 """OpenSSL cipher suite configuration on hostapd"""
5417 tls
= dev
[0].request("GET tls_library")
5418 if not tls
.startswith("OpenSSL"):
5419 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
5420 params
= int_eap_server_params()
5421 params
['openssl_ciphers'] = "AES256"
5422 hapd
= hostapd
.add_ap(apdev
[0], params
)
5423 tls
= hapd
.request("GET tls_library")
5424 if not tls
.startswith("OpenSSL"):
5425 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
5426 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5427 anonymous_identity
="ttls", password
="password",
5428 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5429 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
5430 anonymous_identity
="ttls", password
="password",
5431 openssl_ciphers
="AES128",
5432 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
5433 expect_failure
=True)
5434 eap_connect(dev
[2], hapd
, "TTLS", "pap user",
5435 anonymous_identity
="ttls", password
="password",
5436 openssl_ciphers
="HIGH:!ADH",
5437 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5439 params
['openssl_ciphers'] = "FOO"
5440 hapd2
= hostapd
.add_ap(apdev
[1], params
, no_enable
=True)
5441 if "FAIL" not in hapd2
.request("ENABLE"):
5442 if "run=OpenSSL 1.1.1" in tls
:
5443 logger
.info("Ignore acceptance of an invalid openssl_ciphers value with OpenSSL 1.1.1")
5445 raise Exception("Invalid openssl_ciphers value accepted")
5447 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
5448 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
5449 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5450 hapd
= hostapd
.add_ap(apdev
[0], p
)
5451 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5452 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
5453 anonymous_identity
="ttls", password
=password
,
5454 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5455 run_eap_key_lifetime_in_memory(dev
, params
, id, password
)
5457 def test_wpa2_eap_peap_gtc_key_lifetime_in_memory(dev
, apdev
, params
):
5458 """Key lifetime in memory with WPA2-Enterprise using PEAP/GTC"""
5459 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5460 hapd
= hostapd
.add_ap(apdev
[0], p
)
5461 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
5462 id = eap_connect(dev
[0], hapd
, "PEAP", "user-secret",
5463 anonymous_identity
="peap", password
=password
,
5464 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC")
5465 run_eap_key_lifetime_in_memory(dev
, params
, id, password
)
5467 def run_eap_key_lifetime_in_memory(dev
, params
, id, password
):
5468 pid
= find_wpas_process(dev
[0])
5470 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
5471 # event has been delivered, so verify that wpa_supplicant has returned to
5472 # eloop before reading process memory.
5475 password
= password
.encode()
5476 buf
= read_process_memory(pid
, password
)
5478 dev
[0].request("DISCONNECT")
5479 dev
[0].wait_disconnected()
5487 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
5488 for l
in f
.readlines():
5489 if "EAP-TTLS: Derived key - hexdump" in l
or \
5490 "EAP-PEAP: Derived key - hexdump" in l
:
5491 val
= l
.strip().split(':')[3].replace(' ', '')
5492 msk
= binascii
.unhexlify(val
)
5493 if "EAP-TTLS: Derived EMSK - hexdump" in l
or \
5494 "EAP-PEAP: Derived EMSK - hexdump" in l
:
5495 val
= l
.strip().split(':')[3].replace(' ', '')
5496 emsk
= binascii
.unhexlify(val
)
5497 if "WPA: PMK - hexdump" in l
:
5498 val
= l
.strip().split(':')[3].replace(' ', '')
5499 pmk
= binascii
.unhexlify(val
)
5500 if "WPA: PTK - hexdump" in l
:
5501 val
= l
.strip().split(':')[3].replace(' ', '')
5502 ptk
= binascii
.unhexlify(val
)
5503 if "WPA: Group Key - hexdump" in l
:
5504 val
= l
.strip().split(':')[3].replace(' ', '')
5505 gtk
= binascii
.unhexlify(val
)
5506 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
5507 raise Exception("Could not find keys from debug log")
5509 raise Exception("Unexpected GTK length")
5515 fname
= os
.path
.join(params
['logdir'],
5516 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
5518 logger
.info("Checking keys in memory while associated")
5519 get_key_locations(buf
, password
, "Password")
5520 get_key_locations(buf
, pmk
, "PMK")
5521 get_key_locations(buf
, msk
, "MSK")
5522 get_key_locations(buf
, emsk
, "EMSK")
5523 if password
not in buf
:
5524 raise HwsimSkip("Password not found while associated")
5526 raise HwsimSkip("PMK not found while associated")
5528 raise Exception("KCK not found while associated")
5530 raise Exception("KEK not found while associated")
5532 # raise Exception("TK found from memory")
5534 logger
.info("Checking keys in memory after disassociation")
5535 buf
= read_process_memory(pid
, password
)
5537 # Note: Password is still present in network configuration
5538 # Note: PMK is in PMKSA cache and EAP fast re-auth data
5540 get_key_locations(buf
, password
, "Password")
5541 get_key_locations(buf
, pmk
, "PMK")
5542 get_key_locations(buf
, msk
, "MSK")
5543 get_key_locations(buf
, emsk
, "EMSK")
5544 verify_not_present(buf
, kck
, fname
, "KCK")
5545 verify_not_present(buf
, kek
, fname
, "KEK")
5546 verify_not_present(buf
, tk
, fname
, "TK")
5548 get_key_locations(buf
, gtk
, "GTK")
5549 verify_not_present(buf
, gtk
, fname
, "GTK")
5551 dev
[0].request("PMKSA_FLUSH")
5552 dev
[0].set_network_quoted(id, "identity", "foo")
5553 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
5554 buf
= read_process_memory(pid
, password
)
5555 get_key_locations(buf
, password
, "Password")
5556 get_key_locations(buf
, pmk
, "PMK")
5557 get_key_locations(buf
, msk
, "MSK")
5558 get_key_locations(buf
, emsk
, "EMSK")
5559 verify_not_present(buf
, pmk
, fname
, "PMK")
5561 dev
[0].request("REMOVE_NETWORK all")
5563 logger
.info("Checking keys in memory after network profile removal")
5564 buf
= read_process_memory(pid
, password
)
5566 get_key_locations(buf
, password
, "Password")
5567 get_key_locations(buf
, pmk
, "PMK")
5568 get_key_locations(buf
, msk
, "MSK")
5569 get_key_locations(buf
, emsk
, "EMSK")
5570 verify_not_present(buf
, password
, fname
, "password")
5571 verify_not_present(buf
, pmk
, fname
, "PMK")
5572 verify_not_present(buf
, kck
, fname
, "KCK")
5573 verify_not_present(buf
, kek
, fname
, "KEK")
5574 verify_not_present(buf
, tk
, fname
, "TK")
5575 verify_not_present(buf
, gtk
, fname
, "GTK")
5576 verify_not_present(buf
, msk
, fname
, "MSK")
5577 verify_not_present(buf
, emsk
, fname
, "EMSK")
5579 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5580 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5581 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5582 hapd
= hostapd
.add_ap(apdev
[0], params
)
5583 bssid
= apdev
[0]['bssid']
5584 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5585 anonymous_identity
="ttls", password
="password",
5586 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5588 # Send unexpected WEP EAPOL-Key; this gets dropped
5589 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5591 raise Exception("EAPOL_RX to wpa_supplicant failed")
5593 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5594 """WPA2-EAP and wpas interface in a bridge"""
5595 br_ifname
= 'sta-br0'
5598 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5600 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5601 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5602 subprocess
.call(['brctl', 'delbr', br_ifname
])
5603 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5605 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5606 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5607 hapd
= hostapd
.add_ap(apdev
[0], params
)
5609 br_ifname
= 'sta-br0'
5611 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5612 subprocess
.call(['brctl', 'addbr', br_ifname
])
5613 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5614 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5615 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5616 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5617 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5620 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5621 password_hex
="0123456789abcdef0123456789abcdef")
5623 eap_reauth(wpas
, "PAX")
5625 # Try again as a regression test for packet socket workaround
5626 eap_reauth(wpas
, "PAX")
5628 wpas
.request("DISCONNECT")
5629 wpas
.wait_disconnected()
5631 wpas
.request("RECONNECT")
5632 wpas
.wait_connected()
5635 def test_ap_wpa2_eap_session_ticket(dev
, apdev
):
5636 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
5637 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5638 hapd
= hostapd
.add_ap(apdev
[0], params
)
5639 key_mgmt
= hapd
.get_config()['key_mgmt']
5640 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5641 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5642 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5643 anonymous_identity
="ttls", password
="password",
5644 ca_cert
="auth_serv/ca.pem",
5645 phase1
="tls_disable_session_ticket=0", phase2
="auth=PAP")
5646 eap_reauth(dev
[0], "TTLS")
5648 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5649 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5650 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5651 hapd
= hostapd
.add_ap(apdev
[0], params
)
5652 key_mgmt
= hapd
.get_config()['key_mgmt']
5653 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5654 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5655 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5656 anonymous_identity
="ttls", password
="password",
5657 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5659 eap_reauth(dev
[0], "TTLS")
5661 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5662 """EAP-TLS and server checking CRL"""
5663 params
= int_eap_server_params()
5664 params
['check_crl'] = '1'
5665 hapd
= hostapd
.add_ap(apdev
[0], params
)
5667 # check_crl=1 and no CRL available --> reject connection
5668 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5669 client_cert
="auth_serv/user.pem",
5670 private_key
="auth_serv/user.key", expect_failure
=True)
5671 dev
[0].request("REMOVE_NETWORK all")
5674 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5677 # check_crl=1 and valid CRL --> accept
5678 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5679 client_cert
="auth_serv/user.pem",
5680 private_key
="auth_serv/user.key")
5681 dev
[0].request("REMOVE_NETWORK all")
5684 hapd
.set("check_crl", "2")
5687 # check_crl=2 and valid CRL --> accept
5688 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5689 client_cert
="auth_serv/user.pem",
5690 private_key
="auth_serv/user.key")
5691 dev
[0].request("REMOVE_NETWORK all")
5693 def test_ap_wpa2_eap_tls_check_crl_not_strict(dev
, apdev
):
5694 """EAP-TLS and server checking CRL with check_crl_strict=0"""
5695 params
= int_eap_server_params()
5696 params
['check_crl'] = '1'
5697 params
['ca_cert'] = "auth_serv/ca-and-crl-expired.pem"
5698 hapd
= hostapd
.add_ap(apdev
[0], params
)
5700 # check_crl_strict=1 and expired CRL --> reject connection
5701 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5702 client_cert
="auth_serv/user.pem",
5703 private_key
="auth_serv/user.key", expect_failure
=True)
5704 dev
[0].request("REMOVE_NETWORK all")
5707 hapd
.set("check_crl_strict", "0")
5710 # check_crl_strict=0 --> accept
5711 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5712 client_cert
="auth_serv/user.pem",
5713 private_key
="auth_serv/user.key")
5714 dev
[0].request("REMOVE_NETWORK all")
5716 def test_ap_wpa2_eap_tls_crl_reload(dev
, apdev
, params
):
5717 """EAP-TLS and server reloading CRL from ca_cert"""
5718 ca_cert
= os
.path
.join(params
['logdir'],
5719 "ap_wpa2_eap_tls_crl_reload.ca_cert")
5720 with
open('auth_serv/ca.pem', 'r') as f
:
5721 only_cert
= f
.read()
5722 with
open('auth_serv/ca-and-crl.pem', 'r') as f
:
5723 cert_and_crl
= f
.read()
5724 with
open(ca_cert
, 'w') as f
:
5726 params
= int_eap_server_params()
5727 params
['ca_cert'] = ca_cert
5728 params
['check_crl'] = '1'
5729 params
['crl_reload_interval'] = '1'
5730 hapd
= hostapd
.add_ap(apdev
[0], params
)
5732 # check_crl=1 and no CRL available --> reject connection
5733 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5734 client_cert
="auth_serv/user.pem",
5735 private_key
="auth_serv/user.key", expect_failure
=True)
5736 dev
[0].request("REMOVE_NETWORK all")
5737 dev
[0].dump_monitor()
5739 with
open(ca_cert
, 'w') as f
:
5740 f
.write(cert_and_crl
)
5743 # check_crl=1 and valid CRL --> accept
5744 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5745 client_cert
="auth_serv/user.pem",
5746 private_key
="auth_serv/user.key")
5747 dev
[0].request("REMOVE_NETWORK all")
5748 dev
[0].wait_disconnected()
5750 def test_ap_wpa2_eap_tls_check_cert_subject(dev
, apdev
):
5751 """EAP-TLS and server checking client subject name"""
5752 params
= int_eap_server_params()
5753 params
['check_cert_subject'] = 'C=FI/O=w1.fi/CN=Test User'
5754 hapd
= hostapd
.add_ap(apdev
[0], params
)
5755 check_check_cert_subject_support(hapd
)
5757 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5758 client_cert
="auth_serv/user.pem",
5759 private_key
="auth_serv/user.key")
5761 def test_ap_wpa2_eap_tls_check_cert_subject_neg(dev
, apdev
):
5762 """EAP-TLS and server checking client subject name (negative)"""
5763 params
= int_eap_server_params()
5764 params
['check_cert_subject'] = 'C=FI/O=example'
5765 hapd
= hostapd
.add_ap(apdev
[0], params
)
5766 check_check_cert_subject_support(hapd
)
5768 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5769 client_cert
="auth_serv/user.pem",
5770 private_key
="auth_serv/user.key", expect_failure
=True)
5772 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5773 """EAP-TLS and OOM"""
5774 check_subject_match_support(dev
[0])
5775 check_altsubject_match_support(dev
[0])
5776 check_domain_match(dev
[0])
5777 check_domain_match_full(dev
[0])
5779 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5780 hostapd
.add_ap(apdev
[0], params
)
5782 tests
= [(1, "tls_connection_set_subject_match"),
5783 (2, "tls_connection_set_subject_match"),
5784 (3, "tls_connection_set_subject_match"),
5785 (4, "tls_connection_set_subject_match")]
5786 for count
, func
in tests
:
5787 with
alloc_fail(dev
[0], count
, func
):
5788 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5789 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5790 client_cert
="auth_serv/user.pem",
5791 private_key
="auth_serv/user.key",
5792 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5793 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5794 domain_suffix_match
="server.w1.fi",
5795 domain_match
="server.w1.fi",
5796 wait_connect
=False, scan_freq
="2412")
5797 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5798 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5800 raise Exception("No passphrase request")
5801 dev
[0].request("REMOVE_NETWORK all")
5802 dev
[0].wait_disconnected()
5804 def test_ap_wpa2_eap_tls_macacl(dev
, apdev
):
5805 """WPA2-Enterprise connection using MAC ACL"""
5806 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5807 params
["macaddr_acl"] = "2"
5808 hapd
= hostapd
.add_ap(apdev
[0], params
)
5809 eap_connect(dev
[1], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5810 client_cert
="auth_serv/user.pem",
5811 private_key
="auth_serv/user.key")
5813 def test_ap_wpa2_eap_oom(dev
, apdev
):
5814 """EAP server and OOM"""
5815 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5816 hapd
= hostapd
.add_ap(apdev
[0], params
)
5817 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5819 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5820 # The first attempt fails, but STA will send EAPOL-Start to retry and
5822 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5823 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5824 client_cert
="auth_serv/user.pem",
5825 private_key
="auth_serv/user.key",
5828 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5829 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5830 client_cert
="auth_serv/user.pem",
5831 private_key
="auth_serv/user.key",
5833 ver
= dev
.get_status_field("eap_tls_version")
5835 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5836 dev
.request("REMOVE_NETWORK all")
5837 dev
.wait_disconnected()
5840 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5841 """EAP-TLS and TLS version configuration"""
5842 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5843 hapd
= hostapd
.add_ap(apdev
[0], params
)
5845 tls
= dev
[0].request("GET tls_library")
5846 if tls
.startswith("OpenSSL"):
5847 if "build=OpenSSL 1.0.1" not in tls
and "run=OpenSSL 1.0.1" not in tls
:
5848 check_tls_ver(dev
[0], hapd
,
5849 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5851 if tls
.startswith("wolfSSL"):
5852 if ("build=3.10.0" in tls
and "run=3.10.0" in tls
) or \
5853 ("build=3.13.0" in tls
and "run=3.13.0" in tls
):
5854 check_tls_ver(dev
[0], hapd
,
5855 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5857 elif tls
.startswith("internal"):
5858 check_tls_ver(dev
[0], hapd
,
5859 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5860 check_tls_ver(dev
[1], hapd
,
5861 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5862 check_tls_ver(dev
[2], hapd
,
5863 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5864 if "run=OpenSSL 1.1.1" in tls
:
5865 check_tls_ver(dev
[0], hapd
,
5866 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0", "TLSv1.3")
5868 def test_ap_wpa2_eap_tls_versions_server(dev
, apdev
):
5869 """EAP-TLS and TLS version configuration on server side"""
5870 params
= {"ssid": "test-wpa2-eap",
5872 "wpa_key_mgmt": "WPA-EAP",
5873 "rsn_pairwise": "CCMP",
5876 "eap_user_file": "auth_serv/eap_user.conf",
5877 "ca_cert": "auth_serv/ca.pem",
5878 "server_cert": "auth_serv/server.pem",
5879 "private_key": "auth_serv/server.key"}
5880 hapd
= hostapd
.add_ap(apdev
[0], params
)
5882 tests
= [("TLSv1", "[ENABLE-TLSv1.0][DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
5883 ("TLSv1.1", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"),
5884 ("TLSv1.2", "[ENABLE-TLSv1.0][ENABLE-TLSv1.1][ENABLE-TLSv1.2][DISABLE-TLSv1.3]")]
5885 for exp
, flags
in tests
:
5887 hapd
.set("tls_flags", flags
)
5889 check_tls_ver(dev
[0], hapd
, "", exp
)
5891 def test_ap_wpa2_eap_tls_13(dev
, apdev
):
5892 """EAP-TLS and TLS 1.3"""
5893 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5894 hapd
= hostapd
.add_ap(apdev
[0], params
)
5896 tls
= dev
[0].request("GET tls_library")
5897 if "run=OpenSSL 1.1.1" not in tls
:
5898 raise HwsimSkip("TLS v1.3 not supported")
5899 id = eap_connect(dev
[0], hapd
, "TLS", "tls user",
5900 ca_cert
="auth_serv/ca.pem",
5901 client_cert
="auth_serv/user.pem",
5902 private_key
="auth_serv/user.key",
5903 phase1
="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
5904 ver
= dev
[0].get_status_field("eap_tls_version")
5905 if ver
!= "TLSv1.3":
5906 raise Exception("Unexpected TLS version")
5908 eap_reauth(dev
[0], "TLS")
5909 dev
[0].request("DISCONNECT")
5910 dev
[0].wait_disconnected()
5911 dev
[0].request("PMKSA_FLUSH")
5912 dev
[0].request("RECONNECT")
5913 dev
[0].wait_connected()
5915 def test_ap_wpa2_eap_tls_13_ec(dev
, apdev
):
5916 """EAP-TLS and TLS 1.3 (EC certificates)"""
5917 params
= {"ssid": "test-wpa2-eap",
5919 "wpa_key_mgmt": "WPA-EAP",
5920 "rsn_pairwise": "CCMP",
5923 "eap_user_file": "auth_serv/eap_user.conf",
5924 "ca_cert": "auth_serv/ec-ca.pem",
5925 "server_cert": "auth_serv/ec-server.pem",
5926 "private_key": "auth_serv/ec-server.key",
5927 "tls_flags": "[ENABLE-TLSv1.3]"}
5928 hapd
= hostapd
.add_ap(apdev
[0], params
)
5929 tls
= hapd
.request("GET tls_library")
5930 if "run=OpenSSL 1.1.1" not in tls
:
5931 raise HwsimSkip("TLS v1.3 not supported")
5933 tls
= dev
[0].request("GET tls_library")
5934 if "run=OpenSSL 1.1.1" not in tls
:
5935 raise HwsimSkip("TLS v1.3 not supported")
5936 id = eap_connect(dev
[0], hapd
, "TLS", "tls user",
5937 ca_cert
="auth_serv/ec-ca.pem",
5938 client_cert
="auth_serv/ec-user.pem",
5939 private_key
="auth_serv/ec-user.key",
5940 phase1
="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
5941 ver
= dev
[0].get_status_field("eap_tls_version")
5942 if ver
!= "TLSv1.3":
5943 raise Exception("Unexpected TLS version")
5945 def test_ap_wpa2_eap_tls_rsa_and_ec(dev
, apdev
, params
):
5946 """EAP-TLS and both RSA and EC sertificates certificates"""
5947 check_ec_support(dev
[0])
5948 ca
= os
.path
.join(params
['logdir'], "ap_wpa2_eap_tls_rsa_and_ec.ca.pem")
5949 with
open(ca
, "w") as f
:
5950 with
open("auth_serv/ca.pem", "r") as f2
:
5952 with
open("auth_serv/ec-ca.pem", "r") as f2
:
5954 params
= {"ssid": "test-wpa2-eap",
5956 "wpa_key_mgmt": "WPA-EAP",
5957 "rsn_pairwise": "CCMP",
5960 "eap_user_file": "auth_serv/eap_user.conf",
5962 "server_cert": "auth_serv/server.pem",
5963 "private_key": "auth_serv/server.key",
5964 "server_cert2": "auth_serv/ec-server.pem",
5965 "private_key2": "auth_serv/ec-server.key"}
5966 hapd
= hostapd
.add_ap(apdev
[0], params
)
5968 eap_connect(dev
[0], hapd
, "TLS", "tls user",
5969 ca_cert
="auth_serv/ec-ca.pem",
5970 client_cert
="auth_serv/ec-user.pem",
5971 private_key
="auth_serv/ec-user.key")
5972 dev
[0].request("REMOVE_NETWORK all")
5973 dev
[0].wait_disconnected()
5975 # TODO: Make wpa_supplicant automatically filter out cipher suites that
5976 # would require ECDH/ECDSA keys when those are not configured in the
5977 # selected client certificate. And for no-client-cert case, deprioritize
5978 # those cipher suites based on configured ca_cert value so that the most
5979 # likely to work cipher suites are selected by the server. Only do these
5980 # when an explicit openssl_ciphers parameter is not set.
5981 eap_connect(dev
[1], hapd
, "TLS", "tls user",
5982 openssl_ciphers
="DEFAULT:-aECDH:-aECDSA",
5983 ca_cert
="auth_serv/ca.pem",
5984 client_cert
="auth_serv/user.pem",
5985 private_key
="auth_serv/user.key")
5986 dev
[1].request("REMOVE_NETWORK all")
5987 dev
[1].wait_disconnected()
5989 def test_ap_wpa2_eap_tls_ec_and_rsa(dev
, apdev
, params
):
5990 """EAP-TLS and both EC and RSA sertificates certificates"""
5991 check_ec_support(dev
[0])
5992 ca
= os
.path
.join(params
['logdir'], "ap_wpa2_eap_tls_ec_and_rsa.ca.pem")
5993 with
open(ca
, "w") as f
:
5994 with
open("auth_serv/ca.pem", "r") as f2
:
5996 with
open("auth_serv/ec-ca.pem", "r") as f2
:
5998 params
= {"ssid": "test-wpa2-eap",
6000 "wpa_key_mgmt": "WPA-EAP",
6001 "rsn_pairwise": "CCMP",
6004 "eap_user_file": "auth_serv/eap_user.conf",
6006 "private_key2": "auth_serv/server-extra.pkcs12",
6007 "private_key_passwd2": "whatever",
6008 "server_cert": "auth_serv/ec-server.pem",
6009 "private_key": "auth_serv/ec-server.key"}
6010 hapd
= hostapd
.add_ap(apdev
[0], params
)
6012 eap_connect(dev
[0], hapd
, "TLS", "tls user",
6013 ca_cert
="auth_serv/ec-ca.pem",
6014 client_cert
="auth_serv/ec-user.pem",
6015 private_key
="auth_serv/ec-user.key")
6016 dev
[0].request("REMOVE_NETWORK all")
6017 dev
[0].wait_disconnected()
6019 # TODO: Make wpa_supplicant automatically filter out cipher suites that
6020 # would require ECDH/ECDSA keys when those are not configured in the
6021 # selected client certificate. And for no-client-cert case, deprioritize
6022 # those cipher suites based on configured ca_cert value so that the most
6023 # likely to work cipher suites are selected by the server. Only do these
6024 # when an explicit openssl_ciphers parameter is not set.
6025 eap_connect(dev
[1], hapd
, "TLS", "tls user",
6026 openssl_ciphers
="DEFAULT:-aECDH:-aECDSA",
6027 ca_cert
="auth_serv/ca.pem",
6028 client_cert
="auth_serv/user.pem",
6029 private_key
="auth_serv/user.key")
6030 dev
[1].request("REMOVE_NETWORK all")
6031 dev
[1].wait_disconnected()
6033 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
6034 """RSN element protocol testing for EAP cases on STA side"""
6035 bssid
= apdev
[0]['bssid']
6036 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6037 # This is the RSN element used normally by hostapd
6038 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
6039 hapd
= hostapd
.add_ap(apdev
[0], params
)
6040 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6041 identity
="gpsk user",
6042 password
="abcdefghijklmnop0123456789abcdef",
6045 tests
= [('No RSN Capabilities field',
6046 '30120100000fac040100000fac040100000fac01'),
6047 ('No AKM Suite fields',
6048 '300c0100000fac040100000fac04'),
6049 ('No Pairwise Cipher Suite fields',
6050 '30060100000fac04'),
6051 ('No Group Data Cipher Suite field',
6053 for txt
, ie
in tests
:
6054 dev
[0].request("DISCONNECT")
6055 dev
[0].wait_disconnected()
6058 hapd
.set('own_ie_override', ie
)
6060 dev
[0].request("BSS_FLUSH 0")
6061 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
6062 dev
[0].select_network(id, freq
=2412)
6063 dev
[0].wait_connected()
6065 dev
[0].request("DISCONNECT")
6066 dev
[0].wait_disconnected()
6067 dev
[0].flush_scan_cache()
6069 def check_tls_session_resumption_capa(dev
, hapd
):
6070 tls
= hapd
.request("GET tls_library")
6071 if not tls
.startswith("OpenSSL"):
6072 raise HwsimSkip("hostapd TLS library is not OpenSSL or wolfSSL: " + tls
)
6074 tls
= dev
.request("GET tls_library")
6075 if not tls
.startswith("OpenSSL"):
6076 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls
)
6078 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
6079 """EAP-TTLS/PAP session resumption"""
6080 params
= int_eap_server_params()
6081 params
['tls_session_lifetime'] = '60'
6082 hapd
= hostapd
.add_ap(apdev
[0], params
)
6083 check_tls_session_resumption_capa(dev
[0], hapd
)
6084 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
6085 anonymous_identity
="ttls", password
="password",
6086 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
6088 if dev
[0].get_status_field("tls_session_reused") != '0':
6089 raise Exception("Unexpected session resumption on the first connection")
6091 dev
[0].request("REAUTHENTICATE")
6092 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6094 raise Exception("EAP success timed out")
6095 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6097 raise Exception("Key handshake with the AP timed out")
6098 if dev
[0].get_status_field("tls_session_reused") != '1':
6099 raise Exception("Session resumption not used on the second connection")
6100 hwsim_utils
.test_connectivity(dev
[0], hapd
)
6102 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
6103 """EAP-TTLS/CHAP session resumption"""
6104 params
= int_eap_server_params()
6105 params
['tls_session_lifetime'] = '60'
6106 hapd
= hostapd
.add_ap(apdev
[0], params
)
6107 check_tls_session_resumption_capa(dev
[0], hapd
)
6108 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
6109 anonymous_identity
="ttls", password
="password",
6110 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
6111 if dev
[0].get_status_field("tls_session_reused") != '0':
6112 raise Exception("Unexpected session resumption on the first connection")
6114 dev
[0].request("REAUTHENTICATE")
6115 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6117 raise Exception("EAP success timed out")
6118 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6120 raise Exception("Key handshake with the AP timed out")
6121 if dev
[0].get_status_field("tls_session_reused") != '1':
6122 raise Exception("Session resumption not used on the second connection")
6124 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
6125 """EAP-TTLS/MSCHAP session resumption"""
6126 check_domain_suffix_match(dev
[0])
6127 params
= int_eap_server_params()
6128 params
['tls_session_lifetime'] = '60'
6129 hapd
= hostapd
.add_ap(apdev
[0], params
)
6130 check_tls_session_resumption_capa(dev
[0], hapd
)
6131 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
6132 anonymous_identity
="ttls", password
="password",
6133 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
6134 domain_suffix_match
="server.w1.fi")
6135 if dev
[0].get_status_field("tls_session_reused") != '0':
6136 raise Exception("Unexpected session resumption on the first connection")
6138 dev
[0].request("REAUTHENTICATE")
6139 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6141 raise Exception("EAP success timed out")
6142 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6144 raise Exception("Key handshake with the AP timed out")
6145 if dev
[0].get_status_field("tls_session_reused") != '1':
6146 raise Exception("Session resumption not used on the second connection")
6148 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
6149 """EAP-TTLS/MSCHAPv2 session resumption"""
6150 check_domain_suffix_match(dev
[0])
6151 check_eap_capa(dev
[0], "MSCHAPV2")
6152 params
= int_eap_server_params()
6153 params
['tls_session_lifetime'] = '60'
6154 hapd
= hostapd
.add_ap(apdev
[0], params
)
6155 check_tls_session_resumption_capa(dev
[0], hapd
)
6156 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
6157 anonymous_identity
="ttls", password
="password",
6158 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
6159 domain_suffix_match
="server.w1.fi")
6160 if dev
[0].get_status_field("tls_session_reused") != '0':
6161 raise Exception("Unexpected session resumption on the first connection")
6163 dev
[0].request("REAUTHENTICATE")
6164 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6166 raise Exception("EAP success timed out")
6167 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6169 raise Exception("Key handshake with the AP timed out")
6170 if dev
[0].get_status_field("tls_session_reused") != '1':
6171 raise Exception("Session resumption not used on the second connection")
6173 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
6174 """EAP-TTLS/EAP-GTC session resumption"""
6175 params
= int_eap_server_params()
6176 params
['tls_session_lifetime'] = '60'
6177 hapd
= hostapd
.add_ap(apdev
[0], params
)
6178 check_tls_session_resumption_capa(dev
[0], hapd
)
6179 eap_connect(dev
[0], hapd
, "TTLS", "user",
6180 anonymous_identity
="ttls", password
="password",
6181 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
6182 if dev
[0].get_status_field("tls_session_reused") != '0':
6183 raise Exception("Unexpected session resumption on the first connection")
6185 dev
[0].request("REAUTHENTICATE")
6186 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6188 raise Exception("EAP success timed out")
6189 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6191 raise Exception("Key handshake with the AP timed out")
6192 if dev
[0].get_status_field("tls_session_reused") != '1':
6193 raise Exception("Session resumption not used on the second connection")
6195 def test_eap_ttls_no_session_resumption(dev
, apdev
):
6196 """EAP-TTLS session resumption disabled on server"""
6197 params
= int_eap_server_params()
6198 params
['tls_session_lifetime'] = '0'
6199 hapd
= hostapd
.add_ap(apdev
[0], params
)
6200 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
6201 anonymous_identity
="ttls", password
="password",
6202 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
6204 if dev
[0].get_status_field("tls_session_reused") != '0':
6205 raise Exception("Unexpected session resumption on the first connection")
6207 dev
[0].request("REAUTHENTICATE")
6208 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6210 raise Exception("EAP success timed out")
6211 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6213 raise Exception("Key handshake with the AP timed out")
6214 if dev
[0].get_status_field("tls_session_reused") != '0':
6215 raise Exception("Unexpected session resumption on the second connection")
6217 def test_eap_peap_session_resumption(dev
, apdev
):
6218 """EAP-PEAP session resumption"""
6219 check_eap_capa(dev
[0], "MSCHAPV2")
6220 params
= int_eap_server_params()
6221 params
['tls_session_lifetime'] = '60'
6222 hapd
= hostapd
.add_ap(apdev
[0], params
)
6223 check_tls_session_resumption_capa(dev
[0], hapd
)
6224 eap_connect(dev
[0], hapd
, "PEAP", "user",
6225 anonymous_identity
="peap", password
="password",
6226 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
6227 if dev
[0].get_status_field("tls_session_reused") != '0':
6228 raise Exception("Unexpected session resumption on the first connection")
6230 dev
[0].request("REAUTHENTICATE")
6231 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6233 raise Exception("EAP success timed out")
6234 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6236 raise Exception("Key handshake with the AP timed out")
6237 if dev
[0].get_status_field("tls_session_reused") != '1':
6238 raise Exception("Session resumption not used on the second connection")
6240 def test_eap_peap_session_resumption_crypto_binding(dev
, apdev
):
6241 """EAP-PEAP session resumption with crypto binding"""
6242 params
= int_eap_server_params()
6243 params
['tls_session_lifetime'] = '60'
6244 hapd
= hostapd
.add_ap(apdev
[0], params
)
6245 check_tls_session_resumption_capa(dev
[0], hapd
)
6246 eap_connect(dev
[0], hapd
, "PEAP", "user",
6247 anonymous_identity
="peap", password
="password",
6248 phase1
="peapver=0 crypto_binding=2",
6249 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
6250 if dev
[0].get_status_field("tls_session_reused") != '0':
6251 raise Exception("Unexpected session resumption on the first connection")
6253 dev
[0].request("REAUTHENTICATE")
6254 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6256 raise Exception("EAP success timed out")
6257 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6259 raise Exception("Key handshake with the AP timed out")
6260 if dev
[0].get_status_field("tls_session_reused") != '1':
6261 raise Exception("Session resumption not used on the second connection")
6263 def test_eap_peap_no_session_resumption(dev
, apdev
):
6264 """EAP-PEAP session resumption disabled on server"""
6265 params
= int_eap_server_params()
6266 hapd
= hostapd
.add_ap(apdev
[0], params
)
6267 eap_connect(dev
[0], hapd
, "PEAP", "user",
6268 anonymous_identity
="peap", password
="password",
6269 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
6270 if dev
[0].get_status_field("tls_session_reused") != '0':
6271 raise Exception("Unexpected session resumption on the first connection")
6273 dev
[0].request("REAUTHENTICATE")
6274 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6276 raise Exception("EAP success timed out")
6277 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6279 raise Exception("Key handshake with the AP timed out")
6280 if dev
[0].get_status_field("tls_session_reused") != '0':
6281 raise Exception("Unexpected session resumption on the second connection")
6283 def test_eap_tls_session_resumption(dev
, apdev
):
6284 """EAP-TLS session resumption"""
6285 params
= int_eap_server_params()
6286 params
['tls_session_lifetime'] = '60'
6287 hapd
= hostapd
.add_ap(apdev
[0], params
)
6288 check_tls_session_resumption_capa(dev
[0], hapd
)
6289 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6290 client_cert
="auth_serv/user.pem",
6291 private_key
="auth_serv/user.key")
6292 if dev
[0].get_status_field("tls_session_reused") != '0':
6293 raise Exception("Unexpected session resumption on the first connection")
6295 dev
[0].request("REAUTHENTICATE")
6296 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6298 raise Exception("EAP success timed out")
6299 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6301 raise Exception("Key handshake with the AP timed out")
6302 if dev
[0].get_status_field("tls_session_reused") != '1':
6303 raise Exception("Session resumption not used on the second connection")
6305 dev
[0].request("REAUTHENTICATE")
6306 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6308 raise Exception("EAP success timed out")
6309 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6311 raise Exception("Key handshake with the AP timed out")
6312 if dev
[0].get_status_field("tls_session_reused") != '1':
6313 raise Exception("Session resumption not used on the third connection")
6315 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
6316 """EAP-TLS session resumption"""
6317 params
= int_eap_server_params()
6318 params
['tls_session_lifetime'] = '1'
6319 hapd
= hostapd
.add_ap(apdev
[0], params
)
6320 check_tls_session_resumption_capa(dev
[0], hapd
)
6321 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6322 client_cert
="auth_serv/user.pem",
6323 private_key
="auth_serv/user.key")
6324 if dev
[0].get_status_field("tls_session_reused") != '0':
6325 raise Exception("Unexpected session resumption on the first connection")
6327 # Allow multiple attempts since OpenSSL may not expire the cached entry
6332 dev
[0].request("REAUTHENTICATE")
6333 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6335 raise Exception("EAP success timed out")
6336 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6338 raise Exception("Key handshake with the AP timed out")
6339 if dev
[0].get_status_field("tls_session_reused") == '0':
6341 if dev
[0].get_status_field("tls_session_reused") != '0':
6342 raise Exception("Session resumption used after lifetime expiration")
6344 def test_eap_tls_no_session_resumption(dev
, apdev
):
6345 """EAP-TLS session resumption disabled on server"""
6346 params
= int_eap_server_params()
6347 hapd
= hostapd
.add_ap(apdev
[0], params
)
6348 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6349 client_cert
="auth_serv/user.pem",
6350 private_key
="auth_serv/user.key")
6351 if dev
[0].get_status_field("tls_session_reused") != '0':
6352 raise Exception("Unexpected session resumption on the first connection")
6354 dev
[0].request("REAUTHENTICATE")
6355 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6357 raise Exception("EAP success timed out")
6358 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6360 raise Exception("Key handshake with the AP timed out")
6361 if dev
[0].get_status_field("tls_session_reused") != '0':
6362 raise Exception("Unexpected session resumption on the second connection")
6364 def test_eap_tls_session_resumption_radius(dev
, apdev
):
6365 """EAP-TLS session resumption (RADIUS)"""
6366 params
= {"ssid": "as", "beacon_int": "2000",
6367 "radius_server_clients": "auth_serv/radius_clients.conf",
6368 "radius_server_auth_port": '18128',
6370 "eap_user_file": "auth_serv/eap_user.conf",
6371 "ca_cert": "auth_serv/ca.pem",
6372 "server_cert": "auth_serv/server.pem",
6373 "private_key": "auth_serv/server.key",
6374 "tls_session_lifetime": "60"}
6375 authsrv
= hostapd
.add_ap(apdev
[1], params
)
6376 check_tls_session_resumption_capa(dev
[0], authsrv
)
6378 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6379 params
['auth_server_port'] = "18128"
6380 hapd
= hostapd
.add_ap(apdev
[0], params
)
6381 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6382 client_cert
="auth_serv/user.pem",
6383 private_key
="auth_serv/user.key")
6384 if dev
[0].get_status_field("tls_session_reused") != '0':
6385 raise Exception("Unexpected session resumption on the first connection")
6387 dev
[0].request("REAUTHENTICATE")
6388 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6390 raise Exception("EAP success timed out")
6391 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6393 raise Exception("Key handshake with the AP timed out")
6394 if dev
[0].get_status_field("tls_session_reused") != '1':
6395 raise Exception("Session resumption not used on the second connection")
6397 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
6398 """EAP-TLS session resumption disabled (RADIUS)"""
6399 params
= {"ssid": "as", "beacon_int": "2000",
6400 "radius_server_clients": "auth_serv/radius_clients.conf",
6401 "radius_server_auth_port": '18128',
6403 "eap_user_file": "auth_serv/eap_user.conf",
6404 "ca_cert": "auth_serv/ca.pem",
6405 "server_cert": "auth_serv/server.pem",
6406 "private_key": "auth_serv/server.key",
6407 "tls_session_lifetime": "0"}
6408 hostapd
.add_ap(apdev
[1], params
)
6410 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6411 params
['auth_server_port'] = "18128"
6412 hapd
= hostapd
.add_ap(apdev
[0], params
)
6413 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
6414 client_cert
="auth_serv/user.pem",
6415 private_key
="auth_serv/user.key")
6416 if dev
[0].get_status_field("tls_session_reused") != '0':
6417 raise Exception("Unexpected session resumption on the first connection")
6419 dev
[0].request("REAUTHENTICATE")
6420 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6422 raise Exception("EAP success timed out")
6423 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
6425 raise Exception("Key handshake with the AP timed out")
6426 if dev
[0].get_status_field("tls_session_reused") != '0':
6427 raise Exception("Unexpected session resumption on the second connection")
6429 def test_eap_mschapv2_errors(dev
, apdev
):
6430 """EAP-MSCHAPv2 error cases"""
6431 check_eap_capa(dev
[0], "MSCHAPV2")
6432 check_eap_capa(dev
[0], "FAST")
6434 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6435 hapd
= hostapd
.add_ap(apdev
[0], params
)
6436 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6437 identity
="phase1-user", password
="password",
6439 dev
[0].request("REMOVE_NETWORK all")
6440 dev
[0].wait_disconnected()
6442 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6443 (1, "nt_password_hash;mschapv2_derive_response"),
6444 (1, "nt_password_hash;=mschapv2_derive_response"),
6445 (1, "generate_nt_response;mschapv2_derive_response"),
6446 (1, "generate_authenticator_response;mschapv2_derive_response"),
6447 (1, "nt_password_hash;=mschapv2_derive_response"),
6448 (1, "get_master_key;mschapv2_derive_response"),
6449 (1, "os_get_random;eap_mschapv2_challenge_reply")]
6450 for count
, func
in tests
:
6451 with
fail_test(dev
[0], count
, func
):
6452 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6453 identity
="phase1-user", password
="password",
6454 wait_connect
=False, scan_freq
="2412")
6455 wait_fail_trigger(dev
[0], "GET_FAIL")
6456 dev
[0].request("REMOVE_NETWORK all")
6457 dev
[0].wait_disconnected()
6459 tests
= [(1, "hash_nt_password_hash;mschapv2_derive_response"),
6460 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
6461 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
6462 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response")]
6463 for count
, func
in tests
:
6464 with
fail_test(dev
[0], count
, func
):
6465 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6466 identity
="phase1-user",
6467 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
6468 wait_connect
=False, scan_freq
="2412")
6469 wait_fail_trigger(dev
[0], "GET_FAIL")
6470 dev
[0].request("REMOVE_NETWORK all")
6471 dev
[0].wait_disconnected()
6473 tests
= [(1, "eap_mschapv2_init"),
6474 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
6475 (1, "eap_msg_alloc;eap_mschapv2_success"),
6476 (1, "eap_mschapv2_getKey")]
6477 for count
, func
in tests
:
6478 with
alloc_fail(dev
[0], count
, func
):
6479 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6480 identity
="phase1-user", password
="password",
6481 wait_connect
=False, scan_freq
="2412")
6482 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6483 dev
[0].request("REMOVE_NETWORK all")
6484 dev
[0].wait_disconnected()
6486 tests
= [(1, "eap_msg_alloc;eap_mschapv2_failure")]
6487 for count
, func
in tests
:
6488 with
alloc_fail(dev
[0], count
, func
):
6489 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
6490 identity
="phase1-user", password
="wrong password",
6491 wait_connect
=False, scan_freq
="2412")
6492 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6493 dev
[0].request("REMOVE_NETWORK all")
6494 dev
[0].wait_disconnected()
6496 tests
= [(2, "eap_mschapv2_init"),
6497 (3, "eap_mschapv2_init")]
6498 for count
, func
in tests
:
6499 with
alloc_fail(dev
[0], count
, func
):
6500 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6501 anonymous_identity
="FAST", identity
="user",
6502 password
="password",
6503 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
6504 phase1
="fast_provisioning=1",
6505 pac_file
="blob://fast_pac",
6506 wait_connect
=False, scan_freq
="2412")
6507 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6508 dev
[0].request("REMOVE_NETWORK all")
6509 dev
[0].wait_disconnected()
6511 def test_eap_gpsk_errors(dev
, apdev
):
6512 """EAP-GPSK error cases"""
6513 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
6514 hapd
= hostapd
.add_ap(apdev
[0], params
)
6515 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6516 identity
="gpsk user",
6517 password
="abcdefghijklmnop0123456789abcdef",
6519 dev
[0].request("REMOVE_NETWORK all")
6520 dev
[0].wait_disconnected()
6522 tests
= [(1, "os_get_random;eap_gpsk_send_gpsk_2", None),
6523 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6525 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
6527 (1, "eap_gpsk_derive_keys_helper", None),
6528 (2, "eap_gpsk_derive_keys_helper", None),
6529 (3, "eap_gpsk_derive_keys_helper", None),
6530 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6532 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
6534 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
6535 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
6536 (1, "eap_gpsk_derive_mid_helper", None)]
6537 for count
, func
, phase1
in tests
:
6538 with
fail_test(dev
[0], count
, func
):
6539 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6540 identity
="gpsk user",
6541 password
="abcdefghijklmnop0123456789abcdef",
6543 wait_connect
=False, scan_freq
="2412")
6544 wait_fail_trigger(dev
[0], "GET_FAIL")
6545 dev
[0].request("REMOVE_NETWORK all")
6546 dev
[0].wait_disconnected()
6548 tests
= [(1, "eap_gpsk_init"),
6549 (2, "eap_gpsk_init"),
6550 (3, "eap_gpsk_init"),
6551 (1, "eap_gpsk_process_id_server"),
6552 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
6553 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6554 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
6555 (1, "eap_gpsk_derive_keys"),
6556 (1, "eap_gpsk_derive_keys_helper"),
6557 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
6558 (1, "eap_gpsk_getKey"),
6559 (1, "eap_gpsk_get_emsk"),
6560 (1, "eap_gpsk_get_session_id")]
6561 for count
, func
in tests
:
6562 with
alloc_fail(dev
[0], count
, func
):
6563 dev
[0].request("ERP_FLUSH")
6564 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6565 identity
="gpsk user@domain", erp
="1",
6566 password
="abcdefghijklmnop0123456789abcdef",
6567 wait_connect
=False, scan_freq
="2412")
6568 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6569 dev
[0].request("REMOVE_NETWORK all")
6570 dev
[0].wait_disconnected()
6572 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
6573 """EAP-SIM DB error cases"""
6574 sockpath
= '/tmp/hlr_auc_gw.sock-test'
6579 hparams
= int_eap_server_params()
6580 hparams
['eap_sim_db'] = 'unix:' + sockpath
6581 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
6583 # Initial test with hlr_auc_gw socket not available
6584 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
6585 eap
="SIM", identity
="1232010000000000",
6586 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
6587 scan_freq
="2412", wait_connect
=False)
6588 ev
= dev
[0].wait_event(["EAP-ERROR-CODE"], timeout
=10)
6590 raise Exception("EAP method specific error code not reported")
6591 if int(ev
.split()[1]) != 16384:
6592 raise Exception("Unexpected EAP method specific error code: " + ev
)
6593 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6595 raise Exception("EAP-Failure not reported")
6596 dev
[0].wait_disconnected()
6597 dev
[0].request("DISCONNECT")
6599 # Test with invalid responses and response timeout
6601 class test_handler(SocketServer
.DatagramRequestHandler
):
6603 data
= self
.request
[0].decode().strip()
6604 socket
= self
.request
[1]
6605 logger
.debug("Received hlr_auc_gw request: " + data
)
6606 # EAP-SIM DB: Failed to parse response string
6607 socket
.sendto(b
"FOO", self
.client_address
)
6608 # EAP-SIM DB: Failed to parse response string
6609 socket
.sendto(b
"FOO 1", self
.client_address
)
6610 # EAP-SIM DB: Unknown external response
6611 socket
.sendto(b
"FOO 1 2", self
.client_address
)
6612 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
6614 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
6617 dev
[0].select_network(id)
6618 server
.handle_request()
6619 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
6621 raise Exception("EAP-Failure not reported")
6622 dev
[0].wait_disconnected()
6623 dev
[0].request("DISCONNECT")
6625 # Test with a valid response
6627 class test_handler2(SocketServer
.DatagramRequestHandler
):
6629 data
= self
.request
[0].decode().strip()
6630 socket
= self
.request
[1]
6631 logger
.debug("Received hlr_auc_gw request: " + data
)
6632 fname
= os
.path
.join(params
['logdir'],
6633 'hlr_auc_gw.milenage_db')
6634 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
6636 stdout
=subprocess
.PIPE
)
6637 res
= cmd
.stdout
.read().decode().strip()
6639 logger
.debug("hlr_auc_gw response: " + res
)
6640 socket
.sendto(res
.encode(), self
.client_address
)
6642 server
.RequestHandlerClass
= test_handler2
6644 dev
[0].select_network(id)
6645 server
.handle_request()
6646 dev
[0].wait_connected()
6647 dev
[0].request("DISCONNECT")
6648 dev
[0].wait_disconnected()
6650 def test_eap_tls_sha512(dev
, apdev
, params
):
6651 """EAP-TLS with SHA512 signature"""
6652 params
= int_eap_server_params()
6653 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6654 params
["server_cert"] = "auth_serv/sha512-server.pem"
6655 params
["private_key"] = "auth_serv/sha512-server.key"
6656 hostapd
.add_ap(apdev
[0], params
)
6658 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6659 identity
="tls user sha512",
6660 ca_cert
="auth_serv/sha512-ca.pem",
6661 client_cert
="auth_serv/sha512-user.pem",
6662 private_key
="auth_serv/sha512-user.key",
6664 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6665 identity
="tls user sha512",
6666 ca_cert
="auth_serv/sha512-ca.pem",
6667 client_cert
="auth_serv/sha384-user.pem",
6668 private_key
="auth_serv/sha384-user.key",
6671 def test_eap_tls_sha384(dev
, apdev
, params
):
6672 """EAP-TLS with SHA384 signature"""
6673 params
= int_eap_server_params()
6674 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
6675 params
["server_cert"] = "auth_serv/sha384-server.pem"
6676 params
["private_key"] = "auth_serv/sha384-server.key"
6677 hostapd
.add_ap(apdev
[0], params
)
6679 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6680 identity
="tls user sha512",
6681 ca_cert
="auth_serv/sha512-ca.pem",
6682 client_cert
="auth_serv/sha512-user.pem",
6683 private_key
="auth_serv/sha512-user.key",
6685 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6686 identity
="tls user sha512",
6687 ca_cert
="auth_serv/sha512-ca.pem",
6688 client_cert
="auth_serv/sha384-user.pem",
6689 private_key
="auth_serv/sha384-user.key",
6692 def test_ap_wpa2_eap_assoc_rsn(dev
, apdev
):
6693 """WPA2-Enterprise AP and association request RSN IE differences"""
6694 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6695 hostapd
.add_ap(apdev
[0], params
)
6697 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap-11w")
6698 params
["ieee80211w"] = "2"
6699 hostapd
.add_ap(apdev
[1], params
)
6701 # Success cases with optional RSN IE fields removed one by one
6702 tests
= [("Normal wpa_supplicant assoc req RSN IE",
6703 "30140100000fac040100000fac040100000fac010000"),
6704 ("Extra PMKIDCount field in RSN IE",
6705 "30160100000fac040100000fac040100000fac0100000000"),
6706 ("Extra Group Management Cipher Suite in RSN IE",
6707 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
6708 ("Extra undefined extension field in RSN IE",
6709 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
6710 ("RSN IE without RSN Capabilities",
6711 "30120100000fac040100000fac040100000fac01"),
6712 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
6713 ("RSN IE without pairwise", "30060100000fac04"),
6714 ("RSN IE without group", "30020100")]
6715 for title
, ie
in tests
:
6717 set_test_assoc_ie(dev
[0], ie
)
6718 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6719 identity
="gpsk user",
6720 password
="abcdefghijklmnop0123456789abcdef",
6722 dev
[0].request("REMOVE_NETWORK all")
6723 dev
[0].wait_disconnected()
6725 tests
= [("Normal wpa_supplicant assoc req RSN IE",
6726 "30140100000fac040100000fac040100000fac01cc00"),
6727 ("Group management cipher included in assoc req RSN IE",
6728 "301a0100000fac040100000fac040100000fac01cc000000000fac06")]
6729 for title
, ie
in tests
:
6731 set_test_assoc_ie(dev
[0], ie
)
6732 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
6733 eap
="GPSK", identity
="gpsk user",
6734 password
="abcdefghijklmnop0123456789abcdef",
6736 dev
[0].request("REMOVE_NETWORK all")
6737 dev
[0].wait_disconnected()
6739 tests
= [("Invalid group cipher", "30060100000fac02", 41),
6740 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42)]
6741 for title
, ie
, status
in tests
:
6743 set_test_assoc_ie(dev
[0], ie
)
6744 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
6745 identity
="gpsk user",
6746 password
="abcdefghijklmnop0123456789abcdef",
6747 scan_freq
="2412", wait_connect
=False)
6748 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6750 raise Exception("Association rejection not reported")
6751 if "status_code=" + str(status
) not in ev
:
6752 raise Exception("Unexpected status code: " + ev
)
6753 dev
[0].request("REMOVE_NETWORK all")
6754 dev
[0].dump_monitor()
6756 tests
= [("Management frame protection not enabled",
6757 "30140100000fac040100000fac040100000fac010000", 31),
6758 ("Unsupported management group cipher",
6759 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 46)]
6760 for title
, ie
, status
in tests
:
6762 set_test_assoc_ie(dev
[0], ie
)
6763 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
6764 eap
="GPSK", identity
="gpsk user",
6765 password
="abcdefghijklmnop0123456789abcdef",
6766 scan_freq
="2412", wait_connect
=False)
6767 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
6769 raise Exception("Association rejection not reported")
6770 if "status_code=" + str(status
) not in ev
:
6771 raise Exception("Unexpected status code: " + ev
)
6772 dev
[0].request("REMOVE_NETWORK all")
6773 dev
[0].dump_monitor()
6775 def test_eap_tls_ext_cert_check(dev
, apdev
):
6776 """EAP-TLS and external server certification validation"""
6777 # With internal server certificate chain validation
6778 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6779 identity
="tls user",
6780 ca_cert
="auth_serv/ca.pem",
6781 client_cert
="auth_serv/user.pem",
6782 private_key
="auth_serv/user.key",
6783 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
6784 only_add_network
=True)
6785 run_ext_cert_check(dev
, apdev
, id)
6787 def test_eap_ttls_ext_cert_check(dev
, apdev
):
6788 """EAP-TTLS and external server certification validation"""
6789 # Without internal server certificate chain validation
6790 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
6791 identity
="pap user", anonymous_identity
="ttls",
6792 password
="password", phase2
="auth=PAP",
6793 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
6794 only_add_network
=True)
6795 run_ext_cert_check(dev
, apdev
, id)
6797 def test_eap_peap_ext_cert_check(dev
, apdev
):
6798 """EAP-PEAP and external server certification validation"""
6799 # With internal server certificate chain validation
6800 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6801 identity
="user", anonymous_identity
="peap",
6802 ca_cert
="auth_serv/ca.pem",
6803 password
="password", phase2
="auth=MSCHAPV2",
6804 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
6805 only_add_network
=True)
6806 run_ext_cert_check(dev
, apdev
, id)
6808 def test_eap_fast_ext_cert_check(dev
, apdev
):
6809 """EAP-FAST and external server certification validation"""
6810 check_eap_capa(dev
[0], "FAST")
6811 # With internal server certificate chain validation
6812 dev
[0].request("SET blob fast_pac_auth_ext ")
6813 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
6814 identity
="user", anonymous_identity
="FAST",
6815 ca_cert
="auth_serv/ca.pem",
6816 password
="password", phase2
="auth=GTC",
6817 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
6818 pac_file
="blob://fast_pac_auth_ext",
6820 only_add_network
=True)
6821 run_ext_cert_check(dev
, apdev
, id)
6823 def run_ext_cert_check(dev
, apdev
, net_id
):
6824 check_ext_cert_check_support(dev
[0])
6825 if not openssl_imported
:
6826 raise HwsimSkip("OpenSSL python method not available")
6828 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6829 hapd
= hostapd
.add_ap(apdev
[0], params
)
6831 dev
[0].select_network(net_id
)
6834 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6835 "CTRL-REQ-EXT_CERT_CHECK",
6836 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6838 raise Exception("No peer server certificate event seen")
6839 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
6842 vals
= ev
.split(' ')
6844 if v
.startswith("depth="):
6845 depth
= int(v
.split('=')[1])
6846 elif v
.startswith("cert="):
6847 cert
= v
.split('=')[1]
6848 if depth
is not None and cert
:
6849 certs
[depth
] = binascii
.unhexlify(cert
)
6850 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
6851 raise Exception("Unexpected EAP-Success")
6852 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
6853 id = ev
.split(':')[0].split('-')[-1]
6856 raise Exception("Server certificate not received")
6858 raise Exception("Server certificate issuer not received")
6860 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6862 cn
= cert
.get_subject().commonName
6863 logger
.info("Server certificate CN=" + cn
)
6865 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6867 icn
= issuer
.get_subject().commonName
6868 logger
.info("Issuer certificate CN=" + icn
)
6870 if cn
!= "server.w1.fi":
6871 raise Exception("Unexpected server certificate CN: " + cn
)
6872 if icn
!= "Root CA":
6873 raise Exception("Unexpected server certificate issuer CN: " + icn
)
6875 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
6877 raise Exception("Unexpected EAP-Success before external check result indication")
6879 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6880 dev
[0].wait_connected()
6882 dev
[0].request("DISCONNECT")
6883 dev
[0].wait_disconnected()
6884 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
6885 raise Exception("PMKSA_FLUSH failed")
6886 dev
[0].request("SET blob fast_pac_auth_ext ")
6887 dev
[0].request("RECONNECT")
6889 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
6891 raise Exception("No peer server certificate event seen (2)")
6892 id = ev
.split(':')[0].split('-')[-1]
6893 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6894 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
6896 raise Exception("EAP-Failure not reported")
6897 dev
[0].request("REMOVE_NETWORK all")
6898 dev
[0].wait_disconnected()
6900 def test_eap_tls_errors(dev
, apdev
):
6901 """EAP-TLS error cases"""
6902 params
= int_eap_server_params()
6903 params
['fragment_size'] = '100'
6904 hostapd
.add_ap(apdev
[0], params
)
6905 with
alloc_fail(dev
[0], 1,
6906 "eap_peer_tls_reassemble_fragment"):
6907 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6908 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6909 client_cert
="auth_serv/user.pem",
6910 private_key
="auth_serv/user.key",
6911 wait_connect
=False, scan_freq
="2412")
6912 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6913 dev
[0].request("REMOVE_NETWORK all")
6914 dev
[0].wait_disconnected()
6916 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6917 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6918 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6919 client_cert
="auth_serv/user.pem",
6920 private_key
="auth_serv/user.key",
6921 wait_connect
=False, scan_freq
="2412")
6922 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6923 dev
[0].request("REMOVE_NETWORK all")
6924 dev
[0].wait_disconnected()
6926 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6927 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6928 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6929 client_cert
="auth_serv/user.pem",
6930 private_key
="auth_serv/user.key",
6932 wait_connect
=False, scan_freq
="2412")
6933 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6934 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6936 raise Exception("No CTRL-REQ-PIN seen")
6937 dev
[0].request("REMOVE_NETWORK all")
6938 dev
[0].wait_disconnected()
6940 tests
= ["eap_peer_tls_derive_key;eap_tls_success",
6941 "eap_peer_tls_derive_session_id;eap_tls_success",
6944 "eap_tls_get_session_id"]
6946 with
alloc_fail(dev
[0], 1, func
):
6947 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6948 identity
="tls user@domain",
6949 ca_cert
="auth_serv/ca.pem",
6950 client_cert
="auth_serv/user.pem",
6951 private_key
="auth_serv/user.key",
6953 wait_connect
=False, scan_freq
="2412")
6954 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6955 dev
[0].request("REMOVE_NETWORK all")
6956 dev
[0].wait_disconnected()
6958 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6959 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6960 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6961 wait_connect
=False, scan_freq
="2412")
6962 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6963 dev
[0].request("REMOVE_NETWORK all")
6964 dev
[0].wait_disconnected()
6966 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6967 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6968 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6969 wait_connect
=False, scan_freq
="2412")
6970 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6971 dev
[0].request("REMOVE_NETWORK all")
6972 dev
[0].wait_disconnected()
6974 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6975 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6976 eap
="WFA-UNAUTH-TLS",
6977 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6978 wait_connect
=False, scan_freq
="2412")
6979 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6980 dev
[0].request("REMOVE_NETWORK all")
6981 dev
[0].wait_disconnected()
6983 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6984 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6985 eap
="WFA-UNAUTH-TLS",
6986 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6987 wait_connect
=False, scan_freq
="2412")
6988 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6989 dev
[0].request("REMOVE_NETWORK all")
6990 dev
[0].wait_disconnected()
6992 def test_ap_wpa2_eap_status(dev
, apdev
):
6993 """EAP state machine status information"""
6994 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6995 hostapd
.add_ap(apdev
[0], params
)
6996 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6997 identity
="cert user",
6998 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6999 ca_cert2
="auth_serv/ca.pem",
7000 client_cert2
="auth_serv/user.pem",
7001 private_key2
="auth_serv/user.key",
7002 scan_freq
="2412", wait_connect
=False)
7008 selected_methods
= []
7010 for i
in range(100000):
7011 if not connected
and i
% 10 == 9:
7012 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=0.0001)
7015 s
= dev
[0].get_status(extra
="VERBOSE")
7016 if 'EAP state' in s
:
7017 state
= s
['EAP state']
7019 if state
not in states
:
7020 states
.append(state
)
7021 if state
== "SUCCESS":
7024 if 'methodState' in s
:
7025 val
= s
['methodState']
7026 if val
not in method_states
:
7027 method_states
.append(val
)
7030 if val
not in decisions
:
7031 decisions
.append(val
)
7032 if 'reqMethod' in s
:
7033 val
= s
['reqMethod']
7034 if val
not in req_methods
:
7035 req_methods
.append(val
)
7036 if 'selectedMethod' in s
:
7037 val
= s
['selectedMethod']
7038 if val
not in selected_methods
:
7039 selected_methods
.append(val
)
7040 logger
.info("Iterations: %d" % i
)
7041 logger
.info("EAP states: " + str(states
))
7042 logger
.info("methodStates: " + str(method_states
))
7043 logger
.info("decisions: " + str(decisions
))
7044 logger
.info("reqMethods: " + str(req_methods
))
7045 logger
.info("selectedMethods: " + str(selected_methods
))
7047 raise Exception("EAP did not succeed")
7049 dev
[0].wait_connected()
7050 dev
[0].request("REMOVE_NETWORK all")
7051 dev
[0].wait_disconnected()
7053 def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev
, apdev
):
7054 """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
7055 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
7056 params
['wpa_ptk_rekey'] = '2'
7057 hapd
= hostapd
.add_ap(apdev
[0], params
)
7058 id = eap_connect(dev
[0], hapd
, "GPSK", "gpsk user",
7059 password
="abcdefghijklmnop0123456789abcdef")
7060 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"])
7062 raise Exception("PTK rekey timed out")
7064 hwsim_utils
.test_connectivity(dev
[0], hapd
)
7066 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
7067 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
7068 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
7069 hapd
= hostapd
.add_ap(apdev
[0], params
)
7070 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
7071 identity
="gpsk user",
7072 password
="abcdefghijklmnop0123456789abcdef",
7075 def test_ap_wpa2_eap_psk_mac_addr_change(dev
, apdev
):
7076 """WPA2-Enterprise connection using EAP-PSK after MAC address change"""
7077 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
7078 hapd
= hostapd
.add_ap(apdev
[0], params
)
7080 cmd
= subprocess
.Popen(['ps', '-eo', 'pid,command'], stdout
=subprocess
.PIPE
)
7081 res
= cmd
.stdout
.read().decode()
7084 for p
in res
.splitlines():
7085 if "wpa_supplicant" not in p
:
7087 if dev
[0].ifname
not in p
:
7089 pid
= int(p
.strip().split(' ')[0])
7091 logger
.info("Could not find wpa_supplicant PID")
7093 logger
.info("wpa_supplicant PID %d" % pid
)
7095 addr
= dev
[0].get_status_field("address")
7096 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
7097 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
7098 '02:11:22:33:44:55'])
7099 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
7100 addr1
= dev
[0].get_status_field("address")
7101 if addr1
!= '02:11:22:33:44:55':
7102 raise Exception("Failed to change MAC address")
7104 # Scan using the externally set MAC address, stop the wpa_supplicant
7105 # process to avoid it from processing the ifdown event before the interface
7106 # is already UP, change the MAC address back, allow the wpa_supplicant
7107 # process to continue. This will result in the ifdown + ifup sequence of
7108 # RTM_NEWLINK events to be processed while the interface is already UP.
7110 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
7111 os
.kill(pid
, signal
.SIGSTOP
)
7114 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'down'])
7115 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'address',
7117 subprocess
.call(['ip', 'link', 'set', 'dev', dev
[0].ifname
, 'up'])
7119 os
.kill(pid
, signal
.SIGCONT
)
7121 eap_connect(dev
[0], hapd
, "PSK", "psk.user@example.com",
7122 password_hex
="0123456789abcdef0123456789abcdef")
7124 addr2
= dev
[0].get_status_field("address")
7126 raise Exception("Failed to restore MAC address")
7128 def test_ap_wpa2_eap_server_get_id(dev
, apdev
):
7129 """Internal EAP server and dot1xAuthSessionUserName"""
7130 params
= int_eap_server_params()
7131 hapd
= hostapd
.add_ap(apdev
[0], params
)
7132 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
7133 client_cert
="auth_serv/user.pem",
7134 private_key
="auth_serv/user.key")
7135 sta
= hapd
.get_sta(dev
[0].own_addr())
7136 if 'dot1xAuthSessionUserName' not in sta
:
7137 raise Exception("No dot1xAuthSessionUserName included")
7138 user
= sta
['dot1xAuthSessionUserName']
7139 if user
!= "tls user":
7140 raise Exception("Unexpected dot1xAuthSessionUserName value: " + user
)
7142 def test_ap_wpa2_radius_server_get_id(dev
, apdev
):
7143 """External RADIUS server and dot1xAuthSessionUserName"""
7144 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
7145 hapd
= hostapd
.add_ap(apdev
[0], params
)
7146 eap_connect(dev
[0], hapd
, "TTLS", "test-user",
7147 anonymous_identity
="ttls", password
="password",
7148 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
7149 sta
= hapd
.get_sta(dev
[0].own_addr())
7150 if 'dot1xAuthSessionUserName' not in sta
:
7151 raise Exception("No dot1xAuthSessionUserName included")
7152 user
= sta
['dot1xAuthSessionUserName']
7153 if user
!= "real-user":
7154 raise Exception("Unexpected dot1xAuthSessionUserName value: " + user
)
7156 def test_openssl_systemwide_policy(dev
, apdev
, test_params
):
7157 """OpenSSL systemwide policy and overrides"""
7158 prefix
= "openssl_systemwide_policy"
7159 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
7161 with
HWSimRadio() as (radio
, iface
):
7162 run_openssl_systemwide_policy(iface
, apdev
, test_params
)
7164 if os
.path
.exists(pidfile
):
7165 with
open(pidfile
, 'r') as f
:
7166 pid
= int(f
.read().strip())
7167 os
.kill(pid
, signal
.SIGTERM
)
7169 def write_openssl_cnf(cnf
, MinProtocol
=None, CipherString
=None):
7170 with
open(cnf
, "w") as f
:
7171 f
.write("""openssl_conf = default_conf
7175 system_default = system_default_sect
7176 [system_default_sect]
7179 f
.write("MinProtocol = %s\n" % MinProtocol
)
7181 f
.write("CipherString = %s\n" % CipherString
)
7183 def run_openssl_systemwide_policy(iface
, apdev
, test_params
):
7184 prefix
= "openssl_systemwide_policy"
7185 logfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.log-wpas')
7186 pidfile
= os
.path
.join(test_params
['logdir'], prefix
+ '.pid-wpas')
7187 conffile
= os
.path
.join(test_params
['logdir'], prefix
+ '.conf')
7188 openssl_cnf
= os
.path
.join(test_params
['logdir'], prefix
+ '.openssl.cnf')
7190 write_openssl_cnf(openssl_cnf
, "TLSv1.2", "DEFAULT@SECLEVEL=2")
7192 with
open(conffile
, 'w') as f
:
7193 f
.write("ctrl_interface=DIR=/var/run/wpa_supplicant\n")
7195 params
= int_eap_server_params()
7196 params
['tls_flags'] = "[DISABLE-TLSv1.1][DISABLE-TLSv1.2][DISABLE-TLSv1.3]"
7198 hapd
= hostapd
.add_ap(apdev
[0], params
)
7200 prg
= os
.path
.join(test_params
['logdir'],
7201 'alt-wpa_supplicant/wpa_supplicant/wpa_supplicant')
7202 if not os
.path
.exists(prg
):
7203 prg
= '../../wpa_supplicant/wpa_supplicant'
7204 arg
= [prg
, '-BddtK', '-P', pidfile
, '-f', logfile
,
7205 '-Dnl80211', '-c', conffile
, '-i', iface
]
7206 logger
.info("Start wpa_supplicant: " + str(arg
))
7207 subprocess
.call(arg
, env
={'OPENSSL_CONF': openssl_cnf
})
7208 wpas
= WpaSupplicant(ifname
=iface
)
7209 if "PONG" not in wpas
.request("PING"):
7210 raise Exception("Could not PING wpa_supplicant")
7211 tls
= wpas
.request("GET tls_library")
7212 if not tls
.startswith("OpenSSL"):
7213 raise HwsimSkip("Not using OpenSSL")
7215 # Use default configuration without any TLS version overrides. This should
7216 # end up using OpenSSL systemwide policy and result in failure to find a
7217 # compatible protocol version.
7218 ca_file
= os
.path
.join(os
.getcwd(), "auth_serv/ca.pem")
7219 id = wpas
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
7220 identity
="pap user", anonymous_identity
="ttls",
7221 password
="password", phase2
="auth=PAP",
7223 scan_freq
="2412", wait_connect
=False)
7224 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
7226 raise Exception("EAP not started")
7227 ev
= wpas
.wait_event(["CTRL-EVENT-EAP-STATUS status='local TLS alert'"],
7230 raise HwsimSkip("OpenSSL systemwide policy not supported")
7231 wpas
.request("DISCONNECT")
7232 wpas
.wait_disconnected()
7235 # Explicitly allow TLSv1.0 to be used to override OpenSSL systemwide policy
7236 wpas
.set_network_quoted(id, "openssl_ciphers", "DEFAULT@SECLEVEL=1")
7237 wpas
.set_network_quoted(id, "phase1", "tls_disable_tlsv1_0=0")
7238 wpas
.select_network(id, freq
="2412")
7239 wpas
.wait_connected()
7241 wpas
.request("TERMINATE")
7243 def test_ap_wpa2_eap_tls_tod(dev
, apdev
):
7244 """EAP-TLS server certificate validation and TOD-STRICT"""
7245 params
= int_eap_server_params()
7246 params
["server_cert"] = "auth_serv/server-certpol.pem"
7247 params
["private_key"] = "auth_serv/server-certpol.key"
7248 hapd
= hostapd
.add_ap(apdev
[0], params
)
7250 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
7251 eap
="TLS", identity
="tls user",
7252 wait_connect
=False, scan_freq
="2412",
7253 ca_cert
="auth_serv/ca.pem",
7254 client_cert
="auth_serv/user.pem",
7255 private_key
="auth_serv/user.key")
7258 while tod0
is None or tod1
is None:
7259 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT"], timeout
=10)
7261 raise Exception("Peer certificate not reported")
7262 if "depth=1 " in ev
and "hash=" in ev
:
7263 tod1
= " tod=1" in ev
7264 if "depth=0 " in ev
and "hash=" in ev
:
7265 tod0
= " tod=1" in ev
7266 dev
[0].wait_connected()
7268 raise Exception("TOD-STRICT policy not reported for server certificate")
7270 raise Exception("TOD-STRICT policy unexpectedly reported for CA certificate")
7272 def test_ap_wpa2_eap_tls_tod_tofu(dev
, apdev
):
7273 """EAP-TLS server certificate validation and TOD-TOFU"""
7274 params
= int_eap_server_params()
7275 params
["server_cert"] = "auth_serv/server-certpol2.pem"
7276 params
["private_key"] = "auth_serv/server-certpol2.key"
7277 hapd
= hostapd
.add_ap(apdev
[0], params
)
7279 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
7280 eap
="TLS", identity
="tls user",
7281 wait_connect
=False, scan_freq
="2412",
7282 ca_cert
="auth_serv/ca.pem",
7283 client_cert
="auth_serv/user.pem",
7284 private_key
="auth_serv/user.key")
7287 while tod0
is None or tod1
is None:
7288 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT"], timeout
=10)
7290 raise Exception("Peer certificate not reported")
7291 if "depth=1 " in ev
and "hash=" in ev
:
7292 tod1
= " tod=2" in ev
7293 if "depth=0 " in ev
and "hash=" in ev
:
7294 tod0
= " tod=2" in ev
7295 dev
[0].wait_connected()
7297 raise Exception("TOD-TOFU policy not reported for server certificate")
7299 raise Exception("TOD-TOFU policy unexpectedly reported for CA certificate")
7301 def test_ap_wpa2_eap_sake_no_control_port(dev
, apdev
):
7302 """WPA2-Enterprise connection using EAP-SAKE without nl80211 control port"""
7303 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
7304 params
['driver_params'] = "control_port=0"
7305 hapd
= hostapd
.add_ap(apdev
[0], params
)
7306 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
7307 wpas
.interface_add("wlan5", drv_params
="control_port=0")
7308 eap_connect(wpas
, hapd
, "SAKE", "sake user",
7309 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
7310 eap_reauth(wpas
, "SAKE")
7312 logger
.info("Negative test with incorrect password")
7313 wpas
.request("REMOVE_NETWORK all")
7314 eap_connect(wpas
, hapd
, "SAKE", "sake user",
7315 password_hex
="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
7316 expect_failure
=True)
7318 def test_ap_wpa3_eap_transition_disable(dev
, apdev
):
7319 """WPA3-Enterprise transition disable indication"""
7320 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa3-eap")
7321 params
["ieee80211w"] = "1"
7322 params
['transition_disable'] = '0x04'
7323 hapd
= hostapd
.add_ap(apdev
[0], params
)
7324 id = dev
[0].connect("test-wpa3-eap", key_mgmt
="WPA-EAP", ieee80211w
="1",
7325 proto
="WPA WPA2", pairwise
="CCMP", group
="TKIP CCMP",
7326 eap
="GPSK", identity
="gpsk user",
7327 password
="abcdefghijklmnop0123456789abcdef",
7329 ev
= dev
[0].wait_event(["TRANSITION-DISABLE"], timeout
=1)
7331 raise Exception("Transition disable not indicated")
7332 if ev
.split(' ')[1] != "04":
7333 raise Exception("Unexpected transition disable bitmap: " + ev
)
7335 val
= dev
[0].get_network(id, "ieee80211w")
7337 raise Exception("Unexpected ieee80211w value: " + val
)
7338 val
= dev
[0].get_network(id, "key_mgmt")
7339 if val
!= "WPA-EAP":
7340 raise Exception("Unexpected key_mgmt value: " + val
)
7341 val
= dev
[0].get_network(id, "group")
7343 raise Exception("Unexpected group value: " + val
)
7344 val
= dev
[0].get_network(id, "proto")
7346 raise Exception("Unexpected proto value: " + val
)
7348 dev
[0].request("DISCONNECT")
7349 dev
[0].wait_disconnected()
7350 dev
[0].request("RECONNECT")
7351 dev
[0].wait_connected()