1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
logger = logging.getLogger()  # root logger; the tests below use it for per-step progress messages
18 from utils
import HwsimSkip
, alloc_fail
19 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the current test when the hlr_auc_gw helper is not running.

    The EAP-SIM/AKA/AKA' tests depend on the external HLR/AuC gateway;
    the presence of its control socket at /tmp/hlr_auc_gw.sock is used
    as the indicator that it is available.

    Raises:
        HwsimSkip: if the socket path does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
25 def check_eap_capa(dev
, method
):
26 res
= dev
.get_capability("eap")
28 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the current test unless *dev* uses the OpenSSL TLS backend.

    subject_match is only exercised against OpenSSL; any other library
    name reported by "GET tls_library" results in HwsimSkip.

    Args:
        dev: wpa_supplicant control object with a request() method.

    Raises:
        HwsimSkip: if the TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: %s"
                    % tls_lib)
def check_altsubject_match_support(dev):
    """Skip the current test unless *dev* uses the OpenSSL TLS backend.

    altsubject_match (subjectAltName matching) is only exercised against
    OpenSSL; other backends reported by "GET tls_library" are skipped.

    Args:
        dev: wpa_supplicant control object with a request() method.

    Raises:
        HwsimSkip: if the TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    is_openssl = tls_lib.startswith("OpenSSL")
    if not is_openssl:
        msg = "altsubject_match not supported with this TLS library: "
        raise HwsimSkip(msg + tls_lib)
def check_domain_match_full(dev):
    """Skip the current test unless the TLS backend supports suffix matching.

    With a non-OpenSSL backend, domain_suffix_match only performs a full
    domain match, so tests that rely on suffix semantics are skipped.

    Args:
        dev: wpa_supplicant control object with a request() method.

    Raises:
        HwsimSkip: if the TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("domain_suffix_match requires full match with this "
                        "TLS library: " + tls_lib)
def check_cert_probe_support(dev):
    """Skip the current test unless server certificate probing is available.

    Certificate probing is only exercised against the OpenSSL backend; any
    other library reported by "GET tls_library" results in HwsimSkip.

    Args:
        dev: wpa_supplicant control object with a request() method.

    Raises:
        HwsimSkip: if the TLS library name does not start with "OpenSSL".
    """
    tls_lib = dev.request("GET tls_library")
    if tls_lib.startswith("OpenSSL"):
        return
    raise HwsimSkip(
        "Certificate probing not supported with this TLS library: {0}".format(
            tls_lib))
51 with
open(fname
, "r") as f
:
62 return base64
.b64decode(cert
)
64 def eap_connect(dev
, ap
, method
, identity
,
65 sha256
=False, expect_failure
=False, local_error_report
=False,
67 hapd
= hostapd
.Hostapd(ap
['ifname'])
68 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
69 eap
=method
, identity
=identity
,
70 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
72 eap_check_auth(dev
, method
, True, sha256
=sha256
,
73 expect_failure
=expect_failure
,
74 local_error_report
=local_error_report
)
77 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
79 raise Exception("No connection event received from hostapd")
82 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
83 expect_failure
=False, local_error_report
=False):
84 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
86 raise Exception("Association and EAP start timed out")
87 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
89 raise Exception("EAP method selection timed out")
91 raise Exception("Unexpected EAP method")
93 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
95 raise Exception("EAP failure timed out")
96 ev
= dev
.wait_disconnected(timeout
=10)
97 if not local_error_report
:
98 if "reason=23" not in ev
:
99 raise Exception("Proper reason code for disconnection not reported")
101 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
103 raise Exception("EAP success timed out")
106 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
108 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
110 raise Exception("Association with the AP timed out")
111 status
= dev
.get_status()
112 if status
["wpa_state"] != "COMPLETED":
113 raise Exception("Connection not completed")
115 if status
["suppPortStatus"] != "Authorized":
116 raise Exception("Port not authorized")
117 if method
not in status
["selectedMethod"]:
118 raise Exception("Incorrect EAP method status")
120 e
= "WPA2-EAP-SHA256"
122 e
= "WPA2/IEEE 802.1X/EAP"
124 e
= "WPA/IEEE 802.1X/EAP"
125 if status
["key_mgmt"] != e
:
126 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP re-authentication on *dev* and validate the result.

    Sends REAUTHENTICATE over the control interface and then runs the
    same event/status checks as an initial connection, with initial=False.

    Args:
        dev: wpa_supplicant control object.
        method: expected EAP method name (e.g. "SIM", "TTLS").
        rsn: forwarded to eap_check_auth (key_mgmt expectation).
        sha256: forwarded to eap_check_auth (SHA256 AKM expectation).
        expect_failure: forwarded to eap_check_auth; True when the
            re-authentication is expected to fail.

    Returns:
        Whatever eap_check_auth returns.
    """
    dev.request("REAUTHENTICATE")
    checks = dict(rsn=rsn, sha256=sha256, expect_failure=expect_failure)
    return eap_check_auth(dev, method, False, **checks)
134 def test_ap_wpa2_eap_sim(dev
, apdev
):
135 """WPA2-Enterprise connection using EAP-SIM"""
136 check_hlr_auc_gw_support()
137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
138 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
139 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
140 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
141 hwsim_utils
.test_connectivity(dev
[0], hapd
)
142 eap_reauth(dev
[0], "SIM")
144 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
145 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
146 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
147 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
150 logger
.info("Negative test with incorrect key")
151 dev
[0].request("REMOVE_NETWORK all")
152 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
153 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
156 logger
.info("Invalid GSM-Milenage key")
157 dev
[0].request("REMOVE_NETWORK all")
158 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
159 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
162 logger
.info("Invalid GSM-Milenage key(2)")
163 dev
[0].request("REMOVE_NETWORK all")
164 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
165 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
168 logger
.info("Invalid GSM-Milenage key(3)")
169 dev
[0].request("REMOVE_NETWORK all")
170 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
171 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
174 logger
.info("Invalid GSM-Milenage key(4)")
175 dev
[0].request("REMOVE_NETWORK all")
176 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
177 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
180 logger
.info("Missing key configuration")
181 dev
[0].request("REMOVE_NETWORK all")
182 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
185 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
186 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
187 check_hlr_auc_gw_support()
191 raise HwsimSkip("No sqlite3 module available")
192 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
193 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
194 params
['auth_server_port'] = "1814"
195 hostapd
.add_ap(apdev
[0]['ifname'], params
)
196 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
197 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
199 logger
.info("SIM fast re-authentication")
200 eap_reauth(dev
[0], "SIM")
202 logger
.info("SIM full auth with pseudonym")
205 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
206 eap_reauth(dev
[0], "SIM")
208 logger
.info("SIM full auth with permanent identity")
211 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
212 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
213 eap_reauth(dev
[0], "SIM")
215 logger
.info("SIM reauth with mismatching MK")
218 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
219 eap_reauth(dev
[0], "SIM", expect_failure
=True)
220 dev
[0].request("REMOVE_NETWORK all")
222 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
223 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
226 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
227 eap_reauth(dev
[0], "SIM")
230 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
231 logger
.info("SIM reauth with mismatching counter")
232 eap_reauth(dev
[0], "SIM")
233 dev
[0].request("REMOVE_NETWORK all")
235 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
236 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
239 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
240 logger
.info("SIM reauth with max reauth count reached")
241 eap_reauth(dev
[0], "SIM")
243 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
244 """EAP-SIM configuration options"""
245 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
246 hostapd
.add_ap(apdev
[0]['ifname'], params
)
247 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
248 identity
="1232010000000000",
249 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
250 phase1
="sim_min_num_chal=1",
251 wait_connect
=False, scan_freq
="2412")
252 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
254 raise Exception("No EAP error message seen")
255 dev
[0].request("REMOVE_NETWORK all")
257 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
258 identity
="1232010000000000",
259 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
260 phase1
="sim_min_num_chal=4",
261 wait_connect
=False, scan_freq
="2412")
262 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
264 raise Exception("No EAP error message seen (2)")
265 dev
[0].request("REMOVE_NETWORK all")
267 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
268 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
269 phase1
="sim_min_num_chal=2")
270 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
271 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
272 anonymous_identity
="345678")
274 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
275 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
277 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
279 dev
[0].request("SET external_sim 0")
281 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
282 check_hlr_auc_gw_support()
283 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
284 hostapd
.add_ap(apdev
[0]['ifname'], params
)
285 dev
[0].request("SET external_sim 1")
286 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
287 identity
="1232010000000000",
288 wait_connect
=False, scan_freq
="2412")
289 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
291 raise Exception("Network connected timed out")
293 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
295 raise Exception("Wait for external SIM processing request timed out")
297 if p
[1] != "GSM-AUTH":
298 raise Exception("Unexpected CTRL-REQ-SIM type")
299 rid
= p
[0].split('-')[3]
302 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
303 # This will fail during processing, but the ctrl_iface command succeeds
304 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
305 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
307 raise Exception("EAP failure not reported")
308 dev
[0].request("DISCONNECT")
310 dev
[0].select_network(id, freq
="2412")
311 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
313 raise Exception("Wait for external SIM processing request timed out")
315 if p
[1] != "GSM-AUTH":
316 raise Exception("Unexpected CTRL-REQ-SIM type")
317 rid
= p
[0].split('-')[3]
318 # This will fail during GSM auth validation
319 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
320 raise Exception("CTRL-RSP-SIM failed")
321 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
323 raise Exception("EAP failure not reported")
324 dev
[0].request("DISCONNECT")
326 dev
[0].select_network(id, freq
="2412")
327 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
329 raise Exception("Wait for external SIM processing request timed out")
331 if p
[1] != "GSM-AUTH":
332 raise Exception("Unexpected CTRL-REQ-SIM type")
333 rid
= p
[0].split('-')[3]
334 # This will fail during GSM auth validation
335 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
336 raise Exception("CTRL-RSP-SIM failed")
337 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
339 raise Exception("EAP failure not reported")
340 dev
[0].request("DISCONNECT")
342 dev
[0].select_network(id, freq
="2412")
343 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p
[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid
= p
[0].split('-')[3]
350 # This will fail during GSM auth validation
351 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
352 raise Exception("CTRL-RSP-SIM failed")
353 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
355 raise Exception("EAP failure not reported")
356 dev
[0].request("DISCONNECT")
358 dev
[0].select_network(id, freq
="2412")
359 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
361 raise Exception("Wait for external SIM processing request timed out")
363 if p
[1] != "GSM-AUTH":
364 raise Exception("Unexpected CTRL-REQ-SIM type")
365 rid
= p
[0].split('-')[3]
366 # This will fail during GSM auth validation
367 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
368 raise Exception("CTRL-RSP-SIM failed")
369 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
371 raise Exception("EAP failure not reported")
372 dev
[0].request("DISCONNECT")
374 dev
[0].select_network(id, freq
="2412")
375 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
377 raise Exception("Wait for external SIM processing request timed out")
379 if p
[1] != "GSM-AUTH":
380 raise Exception("Unexpected CTRL-REQ-SIM type")
381 rid
= p
[0].split('-')[3]
382 # This will fail during GSM auth validation
383 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
384 raise Exception("CTRL-RSP-SIM failed")
385 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
387 raise Exception("EAP failure not reported")
388 dev
[0].request("DISCONNECT")
390 dev
[0].select_network(id, freq
="2412")
391 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
393 raise Exception("Wait for external SIM processing request timed out")
395 if p
[1] != "GSM-AUTH":
396 raise Exception("Unexpected CTRL-REQ-SIM type")
397 rid
= p
[0].split('-')[3]
398 # This will fail during GSM auth validation
399 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
400 raise Exception("CTRL-RSP-SIM failed")
401 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
403 raise Exception("EAP failure not reported")
405 def test_ap_wpa2_eap_aka(dev
, apdev
):
406 """WPA2-Enterprise connection using EAP-AKA"""
407 check_hlr_auc_gw_support()
408 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
409 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
410 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
411 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
412 hwsim_utils
.test_connectivity(dev
[0], hapd
)
413 eap_reauth(dev
[0], "AKA")
415 logger
.info("Negative test with incorrect key")
416 dev
[0].request("REMOVE_NETWORK all")
417 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
418 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
421 logger
.info("Invalid Milenage key")
422 dev
[0].request("REMOVE_NETWORK all")
423 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
424 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
427 logger
.info("Invalid Milenage key(2)")
428 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
429 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
432 logger
.info("Invalid Milenage key(3)")
433 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
434 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
437 logger
.info("Invalid Milenage key(4)")
438 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
439 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
442 logger
.info("Invalid Milenage key(5)")
443 dev
[0].request("REMOVE_NETWORK all")
444 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
445 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
448 logger
.info("Invalid Milenage key(6)")
449 dev
[0].request("REMOVE_NETWORK all")
450 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
451 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
454 logger
.info("Missing key configuration")
455 dev
[0].request("REMOVE_NETWORK all")
456 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
459 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
460 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
461 check_hlr_auc_gw_support()
465 raise HwsimSkip("No sqlite3 module available")
466 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
467 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
468 params
['auth_server_port'] = "1814"
469 hostapd
.add_ap(apdev
[0]['ifname'], params
)
470 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
471 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
473 logger
.info("AKA fast re-authentication")
474 eap_reauth(dev
[0], "AKA")
476 logger
.info("AKA full auth with pseudonym")
479 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
480 eap_reauth(dev
[0], "AKA")
482 logger
.info("AKA full auth with permanent identity")
485 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
486 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
487 eap_reauth(dev
[0], "AKA")
489 logger
.info("AKA reauth with mismatching MK")
492 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
493 eap_reauth(dev
[0], "AKA", expect_failure
=True)
494 dev
[0].request("REMOVE_NETWORK all")
496 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
497 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
500 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
501 eap_reauth(dev
[0], "AKA")
504 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
505 logger
.info("AKA reauth with mismatching counter")
506 eap_reauth(dev
[0], "AKA")
507 dev
[0].request("REMOVE_NETWORK all")
509 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
510 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
513 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
514 logger
.info("AKA reauth with max reauth count reached")
515 eap_reauth(dev
[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same Milenage test credentials as test_ap_wpa2_eap_aka, but with an
    # anonymous_identity configured so that option path is covered too.
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:"
                         "cb9cccc4b9258e6dca4760379fb82581:000000000123",
                anonymous_identity="2345678")
525 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
526 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
528 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
530 dev
[0].request("SET external_sim 0")
532 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
533 check_hlr_auc_gw_support()
534 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
535 hostapd
.add_ap(apdev
[0]['ifname'], params
)
536 dev
[0].request("SET external_sim 1")
537 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
538 identity
="0232010000000000",
539 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
540 wait_connect
=False, scan_freq
="2412")
541 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
543 raise Exception("Network connected timed out")
545 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
547 raise Exception("Wait for external SIM processing request timed out")
549 if p
[1] != "UMTS-AUTH":
550 raise Exception("Unexpected CTRL-REQ-SIM type")
551 rid
= p
[0].split('-')[3]
554 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
555 # This will fail during processing, but the ctrl_iface command succeeds
556 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
557 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
559 raise Exception("EAP failure not reported")
560 dev
[0].request("DISCONNECT")
561 dev
[0].wait_disconnected()
563 dev
[0].select_network(id, freq
="2412")
564 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
566 raise Exception("Wait for external SIM processing request timed out")
568 if p
[1] != "UMTS-AUTH":
569 raise Exception("Unexpected CTRL-REQ-SIM type")
570 rid
= p
[0].split('-')[3]
571 # This will fail during UMTS auth validation
572 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
573 raise Exception("CTRL-RSP-SIM failed")
574 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
576 raise Exception("Wait for external SIM processing request timed out")
578 if p
[1] != "UMTS-AUTH":
579 raise Exception("Unexpected CTRL-REQ-SIM type")
580 rid
= p
[0].split('-')[3]
581 # This will fail during UMTS auth validation
582 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
583 raise Exception("CTRL-RSP-SIM failed")
584 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
586 raise Exception("EAP failure not reported")
587 dev
[0].request("DISCONNECT")
588 dev
[0].wait_disconnected()
590 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
592 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
593 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
594 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
595 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
596 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
598 dev
[0].select_network(id, freq
="2412")
599 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
601 raise Exception("Wait for external SIM processing request timed out")
603 if p
[1] != "UMTS-AUTH":
604 raise Exception("Unexpected CTRL-REQ-SIM type")
605 rid
= p
[0].split('-')[3]
606 # This will fail during UMTS auth validation
607 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
608 raise Exception("CTRL-RSP-SIM failed")
609 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
611 raise Exception("EAP failure not reported")
612 dev
[0].request("DISCONNECT")
613 dev
[0].wait_disconnected()
615 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
616 """WPA2-Enterprise connection using EAP-AKA'"""
617 check_hlr_auc_gw_support()
618 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
619 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
620 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
621 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
622 hwsim_utils
.test_connectivity(dev
[0], hapd
)
623 eap_reauth(dev
[0], "AKA'")
625 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
626 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
627 identity
="6555444333222111@both",
628 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
629 wait_connect
=False, scan_freq
="2412")
630 dev
[1].wait_connected(timeout
=15)
632 logger
.info("Negative test with incorrect key")
633 dev
[0].request("REMOVE_NETWORK all")
634 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
635 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
638 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
639 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
640 check_hlr_auc_gw_support()
644 raise HwsimSkip("No sqlite3 module available")
645 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
646 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
647 params
['auth_server_port'] = "1814"
648 hostapd
.add_ap(apdev
[0]['ifname'], params
)
649 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
650 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
652 logger
.info("AKA' fast re-authentication")
653 eap_reauth(dev
[0], "AKA'")
655 logger
.info("AKA' full auth with pseudonym")
658 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
659 eap_reauth(dev
[0], "AKA'")
661 logger
.info("AKA' full auth with permanent identity")
664 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
665 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
666 eap_reauth(dev
[0], "AKA'")
668 logger
.info("AKA' reauth with mismatching k_aut")
671 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
672 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
673 dev
[0].request("REMOVE_NETWORK all")
675 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
676 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
679 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
680 eap_reauth(dev
[0], "AKA'")
683 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
684 logger
.info("AKA' reauth with mismatching counter")
685 eap_reauth(dev
[0], "AKA'")
686 dev
[0].request("REMOVE_NETWORK all")
688 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
689 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
692 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
693 logger
.info("AKA' reauth with max reauth count reached")
694 eap_reauth(dev
[0], "AKA'")
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Sanity check that the AP advertises WPA-EAP as the first key_mgmt entry.
    configured_akm = hapd.get_config()['key_mgmt']
    first_akm = configured_akm.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): %s" % configured_akm)
    # PAP carries the password inside the TLS tunnel without further
    # protection, so the server certificate is validated against ca_cert.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the 802.1X (EAP) AKM suite selector; both the requested
    # and the selected suite must report it.
    akm_8021x = "00-0f-ac-1"
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", akm_8021x),
                       ("dot11RSNAAuthenticationSuiteSelected", akm_8021x)])
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    station = dev[0]
    check_subject_match_support(station)
    check_altsubject_match_support(station)
    ifname = apdev[0]['ifname']
    hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # On top of the CA check, pin the server certificate's subject DN and a
    # semicolon-separated list of acceptable subjectAltName entries.
    cert_constraints = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(station, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_constraints)
    eap_reauth(station, "TTLS")
724 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
725 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
726 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
727 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
728 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
729 anonymous_identity
="ttls", password
="wrong",
730 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
732 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
733 anonymous_identity
="ttls", password
="password",
734 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # DER-encoded CA certificate here (the PAP variant uses the PEM file),
    # so both trust-anchor encodings are covered.
    tunnel_cfg = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **tunnel_cfg)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    station = dev[0]
    check_altsubject_match_support(station)
    ifname = apdev[0]['ifname']
    hapd = hostapd.add_ap(ifname, hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SAN entries as the PAP variant, listed in a different order, to
    # confirm that altsubject_match does not depend on entry ordering.
    san_list = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(station, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_list)
    eap_reauth(station, "TTLS")
758 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev
, apdev
):
759 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
760 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
761 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
762 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
763 anonymous_identity
="ttls", password
="wrong",
764 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
766 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
767 anonymous_identity
="ttls", password
="password",
768 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
771 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
772 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
773 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
774 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
775 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
776 anonymous_identity
="ttls", password
="password",
777 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
778 domain_suffix_match
="server.w1.fi")
779 hwsim_utils
.test_connectivity(dev
[0], hapd
)
780 eap_reauth(dev
[0], "TTLS")
781 dev
[0].request("REMOVE_NETWORK all")
782 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
783 anonymous_identity
="ttls", password
="password",
784 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
787 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev
, apdev
):
788 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
789 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
790 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
791 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
792 anonymous_identity
="ttls", password
="wrong",
793 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
795 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
796 anonymous_identity
="ttls", password
="password",
797 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
799 eap_connect(dev
[2], apdev
[0], "TTLS", "no such user",
800 anonymous_identity
="ttls", password
="password",
801 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
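def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # The identity is literally DOMAIN\mschapv2 user; the backslash is
    # escaped so the literal does not rely on the invalid "\m" escape
    # sequence (a SyntaxWarning on newer Python versions).
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side 802.1X counters before and after REAUTHENTICATE
    # so that a real re-authentication can be verified from hostapd's view.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # The credential can also be supplied as a precomputed hash via
    # password_hex="hash:<hex>". Such a stored hash is password-equivalent
    # for MSCHAPv2 and has to be protected like the clear-text password.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")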
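def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and domain_suffix_match"""
    # Docstring fix: the original was a copy of the plain MSCHAPv2 test's.
    # Skipped unless the TLS library implements real suffix matching (others
    # require a full-name match, see check_domain_match_full()).
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "w1.fi" is a proper suffix of the server name used elsewhere in this
    # file (server.w1.fi); the server must still be accepted.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")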
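def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Mixed-case value: presumably exercises case-insensitive comparison of
    # the full server name -- confirm against the domain_match implementation.
    # "\\m" spells the backslash explicitly; the identity value is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")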
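def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing "expect_failure=True)" line of both calls
    # was missing from the rendered listing; restored from the test's intent.
    # Wrong password for a valid MSCHAPv2 user.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
    # Correct password, but "user" is presumably not enabled for the
    # non-EAP TTLS/MSCHAPv2 inner method -- confirm against auth_serv config.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)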
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # Both profiles use the same tunnel settings and differ only in how the
    # credential is supplied: as UTF-8 plaintext or as an NT hash. The hash
    # is password-equivalent and must be protected like the plaintext.
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **tunnel)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-GTC sends the password in the clear inside the tunnel, so the
    # outer TLS server validation (ca_cert) is the only thing protecting it.
    station = dev[0]
    eap_connect(station, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(station, hapd)
    eap_reauth(station, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-MD5 is a legacy inner method with no mutual authentication; it is
    # only acceptable here because it runs inside the server-authenticated
    # TTLS tunnel. Interoperability coverage, not a recommended deployment.
    station = dev[0]
    eap_connect(station, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(station, hapd)
    eap_reauth(station, "TTLS")
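def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the closing "expect_failure=True)" line was missing from
    # the rendered listing; restored from the test's intent.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)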
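def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    import time
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # An allocation failure while initialising the inner method must turn
    # into a clean EAP failure for the peer -- not a crash or a hang.
    # NOTE(review): the closing "expect_failure=True)" line was missing from
    # the rendered listing; restored from the test's intent.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure (GET_ALLOC_FAIL count dropping to 0).
        # NOTE(review): the polling loop around this check was missing from
        # the rendered listing; reconstructed as a bounded poll -- verify
        # against upstream.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break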
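def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the closing "expect_failure=True)" line was missing from
    # the rendered listing; restored from the log message above.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                expect_failure=True)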
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The "password" is the simulated USIM secret for the internal AKA
    # simulator (assumed to be Ki:OPc:SQN -- confirm against
    # wpa_supplicant.conf); in a real deployment this lives on the SIM and
    # is never placed in a config file.
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Simulated USIM secret for the internal AKA simulator (assumed
    # Ki:OPc:SQN -- confirm against wpa_supplicant.conf). Test-only value.
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password=aka_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Simulated USIM secret (assumed Ki:OPc:SQN -- confirm against
    # wpa_supplicant.conf). The PAC is kept in a config blob rather than a
    # file; the PAC is itself a credential and needs the same protection.
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password=aka_secret,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
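def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the rendered listing dropped the last argument line of
    # this call (the source shows a trailing comma); closed here without it
    # -- verify against upstream before relying on this variant.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # NT hash is password-equivalent; protect it like the plaintext.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password1",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)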
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    def connect(station, binding):
        # crypto_binding per wpa_supplicant.conf: 0 = do not use,
        # 1 = use if the server supports it, 2 = require. Only "require"
        # guarantees that the inner and outer authentications are tied
        # together, so that is the setting that also gets the data-path and
        # reauthentication checks below.
        eap_connect(station, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=%d" % binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], 2)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], 1)
    connect(dev[2], 0)
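def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # peaplabel=1 with PEAPv0 is expected to fail against this server.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")
    # Both peap_outer_success modes must still complete the connection.
    eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=1",
                phase2="auth=MSCHAPV2")
    eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="peap_outer_success=2",
                phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP reports success but the station must not
    # end up connected (presumably the derived keys do not match the
    # server's). NOTE(review): the identity= line and both result checks
    # were missing from the rendered listing; restored from context.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")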
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The *2 parameters are the inner (phase 2) EAP-TLS credentials; the
    # outer tunnel only validates the server against ca_cert.
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Mutual certificate authentication: client cert + key from files, the
    # server checked against ca.pem.
    station = dev[0]
    eap_connect(station, apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(station, "TLS")
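def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each PEM file is decoded to DER by read_pem() and handed to
    # wpa_supplicant as a hex-encoded named blob over the control interface.
    # The unencrypted private key crosses that interface in the clear --
    # fine for this test harness, not a pattern for real provisioning.
    # str.encode("hex") is Python 2 only (Python 3: binascii.hexlify()).
    blobs = (("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key"))
    for name, path in blobs:
        data = read_pem(path)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Fix: the original reported "cacert" when the userkey blob
            # failed; the message now names the blob that actually failed.
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")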
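def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Passphrase stored in the network profile.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    # Passphrase left out of the profile: wpa_supplicant has to request it
    # and the test answers over CTRL-RSP-PASSPHRASE-<id>. The passphrase
    # travels over the control interface in the clear, so this path is for
    # interactive use, not automation.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    # NOTE(review): this None guard was missing from the rendered listing;
    # restored (the raise below only makes sense for a timed-out wait).
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # Event is "CTRL-REQ-PASSPHRASE-<id>:..."; extract <id>. Renamed from
    # "id" to avoid shadowing the builtin.
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)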
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    station = dev[0]

    def set_blob(name, raw):
        # str.encode("hex") is Python 2 only (Python 3: binascii.hexlify()).
        return "OK" in station.request("SET blob " + name + " " + raw.encode("hex"))

    # CA certificate as DER; the PKCS#12 bundle is passed through as-is and
    # stays protected by its own passphrase until wpa_supplicant opens it.
    if not set_blob("cacert", read_pem("auth_serv/ca.pem")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        if not set_blob("pkcs12", f.read()):
            raise Exception("Could not set pkcs12 blob")
    eap_connect(station, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
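def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same wrong CA supplied two ways: as a config blob (dev[0]) and as a
    # file (dev[1]). Both stations must reject the server certificate
    # before any inner-method credential is sent.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Loop variable renamed: the original rebound the "dev" parameter.
    # NOTE(review): the "if ev is None:" guards were missing from the
    # rendered listing; restored.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # A failed certificate check must also temporarily disable the
        # profile so the station does not keep retrying against a
        # possibly rogue server.
        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")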
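def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Profile 1 trusts the real CA and connects.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Profile 2 is identical except for trusting the wrong CA. Switching to
    # it must presumably not reuse the previous TLS session: a fresh
    # EAP-TTLS run has to start and fail on the certificate check.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS. NOTE(review): the None guard was missing from
    # the rendered listing; restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.11 "IEEE 802.1X authentication failed".
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")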
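def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Profile 1 has NO ca_cert at all, i.e. the server certificate is not
    # validated and the PAP password would go to any server presenting a
    # certificate. This is deliberate test input only; never ship a profile
    # like this.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Profile 2 trusts the wrong CA; selecting it must start a new EAP-TTLS
    # run that fails on the certificate check.
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS. NOTE(review): the None guard was missing from
    # the rendered listing; restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.11 "IEEE 802.1X authentication failed".
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")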
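def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    # Same profile, trust root swapped in place: the change must take
    # effect on the next attempt rather than being masked by a cached
    # TLS session from the successful run above.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS. NOTE(review): the None guard was missing from
    # the rendered listing; restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.11 "IEEE 802.1X authentication failed".
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")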
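def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The server certificate chains to the trusted CA, so only the
    # domain_suffix_match check can reject it; it must, and it must do so
    # before the MSCHAPv2 credential is used.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None:" guards were missing from the
    # rendered listing; restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")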
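def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match="w1.fi" is only a suffix of the server's name; unlike
    # domain_suffix_match it must be rejected, proving that domain_match is
    # a full-name comparison.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None:" guards were missing from the
    # rendered listing; restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")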
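def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # subject_match compares against the server certificate's subject DN;
    # CN=example.com does not match the test server and must be rejected.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None:" guards and the early "return" in
    # the non-OpenSSL branch were missing from the rendered listing;
    # restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds implement subject_match (see
        # check_subject_match_support()); other TLS libraries are expected
        # to refuse the profile outright, which is also a safe outcome.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")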
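def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Each pattern is run as a separate negative case; the helper removes
    # its network profile when done.
    # NOTE(review): the rendered listing dropped part of this list and the
    # loop header; only the two visible patterns are kept -- the upstream
    # list may contain more entries.
    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com"]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)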
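def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case with the given pattern and clean up."""
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None:" guards and the early "return" in
    # the non-OpenSSL branch were missing from the rendered listing;
    # restored.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds implement altsubject_match (see
        # check_altsubject_match_support()); a refused profile on other
        # TLS libraries is also a safe outcome.
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    dev[0].request("REMOVE_NETWORK all")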
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # UNAUTH-TLS carries no client credential at all (no client certificate,
    # no password): only the server is authenticated, against ca.pem. Any
    # station that trusts that CA can presumably get on the network, so
    # this mode only fits deployments that intend exactly that.
    station = dev[0]
    method = "UNAUTH-TLS"
    eap_connect(station, apdev[0], method, "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(station, method)
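def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # NOTE(review): the "if ev is None:" guards were missing from the
    # rendered listing; restored.

    # Step 1: probe the server certificate chain without trusting it. The
    # probe must report the certificate (with its hash) and then fail the
    # authentication -- it must never result in a connection. A hash learned
    # this way is trust-on-first-use; verify it out of band before pinning
    # it in a real profile.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin a hash that does not match the server certificate; the
    # handshake must be rejected before the MSCHAPv2 credential is used.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash reported by the probe; the connection succeeds.
    # Pinning ties the profile to this exact certificate, so a server
    # certificate rotation breaks the profile until the hash is updated.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")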
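def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed ca_cert pins are configured on three stations at once:
    an md5 hash (unsupported digest), a sha256 value that is two hex digits
    short, and a sha256 value containing a non-hex character. Each station
    must report "Failed to initialize EAP method" for TTLS rather than start
    a handshake with a weaker or truncated check.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # "DOMAIN\\mschapv2 user" keeps the single literal backslash the original
    # spelled as the invalid "\m" escape (a SyntaxWarning on Python 3.12+).
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for sta, pin in zip(dev[:3], bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    # NOTE(review): the "if ev is None:" guards were not visible in the page
    # rendering and are restored from the raise lines - confirm upstream.
    for sta in dev[:3]:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")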
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Covers a normal connection plus reauthentication, a very long identity
    with peer-side fragmentation, and a wrong-password case that must fail
    with a locally reported error.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"

    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): the closing fragment_size arguments of the two
    # long-identity connects were not visible in the page rendering; "90" and
    # "31" are restored from memory of the upstream test - confirm.
    eap_connect(dev[1], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="31")
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    The AP is re-created once per pwd_group (NIST P-256/P-384/P-521 and the
    Brainpool groups 25/26 as numbered by the server) and the same credentials
    must work with each.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    for group in [19, 20, 21, 25, 26]:
        ap_params['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        # Drop the previous round's network block so a fresh EAP-pwd exchange
        # is forced for the new group.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    With pwd_group set to 0 on the server the exchange must end in
    CTRL-EVENT-EAP-FAILURE on the station instead of completing.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    ap_params['pwd_group'] = "0"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    # NOTE(review): the "if ev is None:" guard was not visible in the page
    # rendering and is restored from the raise line - confirm upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    fragment_size=40 on the server forces the EAP-pwd messages to be split
    into many small fragments; the station must still complete the exchange.
    """
    check_eap_capa(dev[0], "PWD")
    # The generic parameter set is requested and then replaced by an explicit
    # one; kept as in the original so behaviour is unchanged.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    After a normal connection and reauthentication, phase1 "cipher=1" and
    "cipher=2" are forced in turn and must each succeed; "cipher=9" must be
    refused; finally a wrong 16-byte password must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netw_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                          password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    # NOTE(review): the "if ev is None:" guards were not visible in the page
    # rendering and are restored from the raise lines - confirm upstream.
    logger.info("Test forced algorithm selection")
    for cipher_sel in ["cipher=1", "cipher=2"]:
        # Changing phase1 triggers a new EAP exchange with the forced cipher.
        dev[0].set_network_quoted(netw_id, "phase1", cipher_sel)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netw_id, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    A 32-byte hex password must connect and reauthenticate; a password whose
    first byte differs must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    After a normal connection and reauthentication, several phase1
    dhgroup/encr/prf/mac combinations are forced and must succeed; an
    all-unknown proposal ("dhgroup=9 encr=9 prf=9 mac=9") must be refused;
    finally a wrong password must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    netw_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    # NOTE(review): the "if ev is None:" guards were not visible in the page
    # rendering and are restored from the raise lines - confirm upstream.
    logger.info("Test forced algorithm selection")
    proposals = ["dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1"]
    for proposal in proposals:
        dev[0].set_network_quoted(netw_id, "phase1", proposal)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netw_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Normal connection plus reauthentication, the same with a small peer-side
    fragment_size, and a wrong-password case that must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    fragment_size=50 on the server forces the IKEv2 messages to be split;
    the station must still connect and reauthenticate.
    """
    # The generic parameter set is requested and then replaced by an explicit
    # one; kept as in the original so behaviour is unchanged.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    A 16-byte hex password must connect and reauthenticate; a password whose
    first byte differs must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP requires WPA-EAP-SHA256 with PMF (ieee80211w=2). Checks that the
    SHA256 AKM (00-0f-ac-5) was requested and selected, that the BSS entry
    advertises WPA2-EAP-SHA256-CCMP, and that a wrong password fails.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    bss_entry = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    WPA (not WPA2) variant: the selected AKM must be the WPA OUI suite
    00-50-f2-1, and data connectivity is verified after the connection.
    """
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match every other connect() here.
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
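def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each table row leaves the identity and/or the password out of the
    network block and answers the CTRL-REQ-IDENTITY / CTRL-REQ-PASSWORD (or
    CTRL-REQ-OTP) requests over the control interface instead. Row layout:
    (description, eap, anonymous_identity, identity, phase2,
     identity-to-supply-on-request, password-to-supply-on-request).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # "DOMAIN\\mschapv2 user" keeps the single literal backslash the original
    # spelled as the invalid "\m" escape (a SyntaxWarning on Python 3.12+).
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              "DOMAIN\\mschapv2 user", "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    # NOTE(review): the first row's trailing "None, "password")," element,
    # the per-row logger.info(desc), the "if req_id:" wrapper around the
    # identity request and the "if ev is None:" guards were not visible in
    # the page rendering; restored from the surrounding lines - confirm.
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request number sits between the last '-' and the ':'.
            req_no = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_no + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_no = ev.split(':')[0].split('-')[-1]
        req_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + req_type + "-" + req_no + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")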
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Exercises the VENDOR-TEST expanded-type method: connect, then reauth.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 allows the PAC to be provisioned over an anonymous
    (unauthenticated) tunnel; the PAC is stored in a blob. The reauth must
    then report tls_session_reused=1, i.e. the provisioned PAC was used.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth_res = eap_reauth(dev[0], "FAST")
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text file under params['logdir'], checks the
    file carries the "wpa_supplicant EAP-FAST PAC file - version 1" header
    and a PAC-Key entry, then reconnects using only that file. The same is
    repeated with fast_pac_format=binary on a second station. Both files
    hold PAC secrets and are deleted at the end.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the try:/finally: lines, "data = f.read()" and the
    # closing pac_file=... arguments of three eap_connect() calls were not
    # visible in the page rendering; restored so the removal always runs and
    # each connect uses the file named in the docstring - confirm upstream.
    try:
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        # No fast_provisioning: the previously written PAC must be enough.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac_file)

        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2)
    finally:
        # The files are written by the (root-run) supplicant, hence sudo.
        subprocess.call(['sudo', 'rm', pac_file])
        subprocess.call(['sudo', 'rm', pac_file2])
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions into a binary-format blob with the PAC list capped at one
    entry (fast_max_pac_list_len=1); the reauth must still reuse the TLS
    session via that PAC.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                pac_file="blob://fast_pac_bin")
    reauth_res = eap_reauth(dev[0], "FAST")
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without fast_provisioning in phase1, EAP-FAST must fail both when the
    configured PAC blob is empty and when no pac_file is given at all.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # NOTE(review): the "if ev is None:" guards were not visible in the page
    # rendering and are restored from the raise lines - confirm upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    fast_provisioning=2 provisions the PAC only over a server-authenticated
    tunnel (ca_cert is required for that). The reauth must report
    tls_session_reused=1.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth_res = eap_reauth(dev[0], "FAST")
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes a valid stapled OCSP response mandatory for the server
    certificate; with the default hostapd parameters the connection must
    succeed.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-EAP AP with the internal EAP server.

    The dict names the CA, server certificate and private key under
    auth_serv/ so callers can swap individual entries (e.g. an expired or
    wrong-EKU server certificate, or an OCSP stapling response) before
    passing it to hostapd.add_ap().
    """
    # NOTE(review): the "return params" line was not visible in the page
    # rendering; restored since every caller assigns the result.
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The server staples a corrupt OCSP response while the station requires
    one (ocsp=2). The station must report a "bad certificate status
    response" EAP status within a bounded number of status events and then
    fail the authentication.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status loop's counter, "while True:", "break" and
    # "if ev is None:" lines were not visible in the page rendering; the loop
    # is restored so that more than 10 non-matching status events raise the
    # visible "Unexpected number of EAP status messages" - confirm upstream.
    seen = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        seen += 1
        if seen > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    Uses a pre-generated OCSP response from params['logdir'] that marks the
    server certificate revoked (skipped if absent). With ocsp=2 the station
    must surface either "bad certificate status response" or "certificate
    revoked" in its EAP status and then fail the authentication.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status loop's counter, "while True:", "break" and
    # "if ev is None:" lines were not visible in the page rendering; restored
    # so that more than 10 non-matching status events raise - confirm.
    seen = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        if 'certificate revoked' in ev:
            break
        seen += 1
        if seen > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    Uses a pre-generated OCSP response from params['logdir'] whose status
    for the server certificate is "unknown" (skipped if absent). Because the
    station requires a good stapled response (ocsp=2) it must report "bad
    certificate status response" and fail.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the status loop's counter, "while True:", "break" and
    # "if ev is None:" lines were not visible in the page rendering; restored
    # so that more than 10 non-matching status events raise - confirm.
    seen = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        seen += 1
        if seen > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    Same "unknown" stapled response as the mandatory variant, but with
    ocsp=1 (optional) the station must tolerate it and connect.
    """
    ocsp_resp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp_resp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_resp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so the match falls back to
    the CN; a domain_suffix_match equal to the full CN must connect.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match the other connect() calls.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    Exact domain_match against the CN of a server certificate that carries
    no dNSName SAN; must connect.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match the other connect() calls.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    A proper suffix ("w1.fi") of the CN must match. Skipped on TLS
    libraries that only support a full-string match for the CN fallback
    (see check_domain_match_full).
    """
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match the other connect() calls.
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two stations configure suffixes that must NOT match the CN
    "server3.w1.fi": an unrelated domain, and "erver3.w1.fi", which is a
    string suffix but not a label-aligned one. Both must end in
    CTRL-EVENT-EAP-FAILURE.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq/wait_connect arguments and the
    # "if ev is None:" guards were not visible in the page rendering;
    # restored to match the other negative tests here - confirm upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="example.com",
                   scan_freq="2412", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="erver3.w1.fi",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is an exact match: neither an unrelated domain nor the
    parent domain "w1.fi" of the CN "server3.w1.fi" may be accepted. Both
    stations must end in CTRL-EVENT-EAP-FAILURE.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq/wait_connect arguments and the
    # "if ev is None:" guards were not visible in the page rendering;
    # restored to match the other negative tests here - confirm upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="example.com",
                   scan_freq="2412", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="w1.fi",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
    ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    The server presents an expired certificate. The station must report a
    CTRL-EVENT-EAP-TLS-CERT-ERROR carrying reason=4 and "certificate has
    expired", and then fail the authentication.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq/wait_connect arguments and the
    # "if ev is None:" guards were not visible in the page rendering;
    # restored to match the other negative tests here - confirm upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    Same expired server certificate, but phase1 "tls_disable_time_checks=1"
    turns off validity-period checking on the station, so the connection
    must succeed. This is a test-only relaxation; the chain and CA are still
    verified.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match the other connect() calls.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server certificate carries only a client-authentication EKU, so the
    station must refuse it as a server certificate and report
    CTRL-EVENT-EAP-FAILURE.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq/wait_connect arguments and the
    # "if ev is None:" guard were not visible in the page rendering;
    # restored to match the other negative tests here - confirm upstream.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    A certificate listing both client- and server-authentication EKUs is
    valid for the server role, so the connection must succeed.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match the other connect() calls.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server loads certificate and key from a single PKCS#12 bundle
    (server_cert removed, private_key pointing at the .pkcs12 file); the
    station must connect normally.
    """
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # NOTE(review): the closing scan_freq="2412") argument was not visible in
    # the page rendering; restored to match the other connect() calls.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    The station supplies its own DH parameters via dh_file and validates the
    server against a DER-encoded CA (auth_serv/ca.der).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
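def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    The DER DH parameters decoded by read_pem() are pushed into the
    supplicant as the "dhparams" blob (hex-encoded over the control
    interface) and referenced as dh_file="blob://dhparams".
    """
    import binascii

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh_der = read_pem("auth_serv/dh.conf")
    # str.encode("hex") is Python 2 only; hexlify works on both 2 and 3 and
    # produces the same lowercase hex text.
    dh_hex = binascii.hexlify(dh_der).decode()
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")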
2252 def test_ap_wpa2_eap_reauth(dev
, apdev
):
2253 """WPA2-Enterprise and Authenticator forcing reauthentication"""
2254 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2255 params
['eap_reauth_period'] = '2'
2256 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2257 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
2258 password_hex
="0123456789abcdef0123456789abcdef")
2259 logger
.info("Wait for reauthentication")
2260 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
2262 raise Exception("Timeout on reauthentication")
2263 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2265 raise Exception("Timeout on reauthentication")
2266 for i
in range(0, 20):
2267 state
= dev
[0].get_status_field("wpa_state")
2268 if state
== "COMPLETED":
2271 if state
!= "COMPLETED":
2272 raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity

    Configures hostapd's ``eap_message`` with both a displayable part and
    an option part and checks that a plain EAP-PAX authentication still
    succeeds with that Request-Identity on the wire.
    """
    ap_config = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The literal backslash-zero is what hostapd's eap_message option
    # expects as the separator between the displayable text and the
    # NUL-delimited option part (see RFC 3748 section 5.1); the station is
    # only expected to tolerate it, not to act on it.
    ap_config.update(
        eap_message='hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com')
    hostapd.add_ap(apdev[0]['ifname'], ap_config)

    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication

    For each of EAP-SIM, EAP-AKA and EAP-AKA' the first station
    authenticates with ``result_ind=1`` (protected success indication
    requested on both sides, the AP has ``eap_sim_aka_result_ind`` set),
    reauthenticates, and a second station then authenticates without
    requesting the indication.  Requires the external hlr_auc_gw socket.

    Raises:
        HwsimSkip: when hlr_auc_gw is not available.
    """
    check_hlr_auc_gw_support()
    ap_config = int_eap_server_params()
    ap_config['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    ap_config['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_config)

    # (method, identity, credential string) in the order they are run.
    # The credential strings are test-vector keys for the simulated
    # hlr_auc_gw subscribers, not real SIM secrets.
    cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for index, (method, identity, credential) in enumerate(cases):
        if index:
            # Start each method from an empty profile list on both stations.
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], method, identity,
                    password=credential, phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=credential)
2317 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
2318 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2319 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2320 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2321 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2322 eap
="TTLS", identity
="mschap user",
2323 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
2324 anonymous_identity
="ttls", password
="password",
2325 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2327 ev
= dev
[0].wait_event(["EAP: more than"], timeout
=20)
2329 raise Exception("EAP roundtrip limit not reached")
2331 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
2332 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2333 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2334 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2335 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2336 eap
="PSK", identity
="vendor-test",
2337 password_hex
="ff23456789abcdef0123456789abcdef",
2341 for i
in range(0, 5):
2342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=10)
2344 raise Exception("Association and EAP start timed out")
2345 if "refuse proposed method" in ev
:
2349 raise Exception("Unexpected EAP status: " + ev
)
2351 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2353 raise Exception("EAP failure timed out")
2355 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
2356 """WPA2-Enterprise connection using SQLite for user DB"""
2360 raise HwsimSkip("No sqlite3 module available")
2361 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
2366 con
= sqlite3
.connect(dbfile
)
2369 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2370 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2371 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2372 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2373 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2374 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
2375 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2376 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
2379 params
= int_eap_server_params()
2380 params
["eap_user_file"] = "sqlite:" + dbfile
2381 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2382 eap_connect(dev
[0], apdev
[0], "TTLS", "user-mschapv2",
2383 anonymous_identity
="ttls", password
="password",
2384 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
2385 dev
[0].request("REMOVE_NETWORK all")
2386 eap_connect(dev
[1], apdev
[0], "TTLS", "user-mschap",
2387 anonymous_identity
="ttls", password
="password",
2388 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
2389 dev
[1].request("REMOVE_NETWORK all")
2390 eap_connect(dev
[0], apdev
[0], "TTLS", "user-chap",
2391 anonymous_identity
="ttls", password
="password",
2392 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
2393 eap_connect(dev
[1], apdev
[0], "TTLS", "user-pap",
2394 anonymous_identity
="ttls", password
="password",
2395 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
2399 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
2400 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2401 params
= int_eap_server_params()
2402 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2403 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2404 identity
="\x80", password
="password", wait_connect
=False)
2405 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2406 identity
="a\x80", password
="password", wait_connect
=False)
2407 for i
in range(0, 2):
2408 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
2410 raise Exception("Association and EAP start timed out")
2411 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2413 raise Exception("EAP method selection timed out")
2415 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
2416 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2417 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2418 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2419 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2420 identity
="\x80", password
="password", wait_connect
=False)
2421 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2422 identity
="a\x80", password
="password", wait_connect
=False)
2423 for i
in range(0, 2):
2424 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
2426 raise Exception("Association and EAP start timed out")
2427 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
2429 raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant

    Checks that the station-side ``openssl_ciphers`` network parameter is
    honoured: an AES128 list must still allow EAP-TTLS/PAP to complete,
    while an "EXPORT" list must leave no usable suite and fail.

    Raises:
        HwsimSkip: when wpa_supplicant is not built against OpenSSL.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)

    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Restricting the client to AES128 suites still overlaps with the
    # server's defaults, so this one is expected to succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **ttls_opts)
    # "EXPORT" selects only export-grade suites; the handshake is expected
    # to fail (presumably because neither side offers any such suite).
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **ttls_opts)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    The integrated EAP server is limited to AES256 suites via
    ``openssl_ciphers``.  A station with default ciphers must succeed, a
    station restricted to AES128 must fail (no common suite), and a
    station using "HIGH:!ADH" must succeed again.

    Raises:
        HwsimSkip: when either wpa_supplicant or hostapd is not built
            against OpenSSL.
    """
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls_lib)

    ap_config = int_eap_server_params()
    ap_config['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_config)

    tls_lib = hapd.request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls_lib)

    ttls_opts = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")

    def connect(station, **extra):
        # Thin wrapper so each case only spells out what differs.
        eap_connect(station, apdev[0], "TTLS", "pap user",
                    **dict(ttls_opts, **extra))

    # Default client list overlaps with the server's AES256-only list.
    connect(dev[0])
    # AES128-only client versus AES256-only server: no common suite.
    connect(dev[1], openssl_ciphers="AES128", expect_failure=True)
    # HIGH includes the AES256 suites; !ADH keeps anonymous DH out so the
    # server stays authenticated by its certificate.
    connect(dev[2], openssl_ciphers="HIGH:!ADH")
2472 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
2473 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
2474 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2475 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], p
)
2476 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
2477 pid
= find_wpas_process(dev
[0])
2478 id = eap_connect(dev
[0], apdev
[0], "TTLS", "pap-secret",
2479 anonymous_identity
="ttls", password
=password
,
2480 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
2482 buf
= read_process_memory(pid
, password
)
2484 dev
[0].request("DISCONNECT")
2485 dev
[0].wait_disconnected()
2493 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
2494 for l
in f
.readlines():
2495 if "EAP-TTLS: Derived key - hexdump" in l
:
2496 val
= l
.strip().split(':')[3].replace(' ', '')
2497 msk
= binascii
.unhexlify(val
)
2498 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
2499 val
= l
.strip().split(':')[3].replace(' ', '')
2500 emsk
= binascii
.unhexlify(val
)
2501 if "WPA: PMK - hexdump" in l
:
2502 val
= l
.strip().split(':')[3].replace(' ', '')
2503 pmk
= binascii
.unhexlify(val
)
2504 if "WPA: PTK - hexdump" in l
:
2505 val
= l
.strip().split(':')[3].replace(' ', '')
2506 ptk
= binascii
.unhexlify(val
)
2507 if "WPA: Group Key - hexdump" in l
:
2508 val
= l
.strip().split(':')[3].replace(' ', '')
2509 gtk
= binascii
.unhexlify(val
)
2510 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
2511 raise Exception("Could not find keys from debug log")
2513 raise Exception("Unexpected GTK length")
2519 fname
= os
.path
.join(params
['logdir'],
2520 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
2522 logger
.info("Checking keys in memory while associated")
2523 get_key_locations(buf
, password
, "Password")
2524 get_key_locations(buf
, pmk
, "PMK")
2525 get_key_locations(buf
, msk
, "MSK")
2526 get_key_locations(buf
, emsk
, "EMSK")
2527 if password
not in buf
:
2528 raise HwsimSkip("Password not found while associated")
2530 raise HwsimSkip("PMK not found while associated")
2532 raise Exception("KCK not found while associated")
2534 raise Exception("KEK not found while associated")
2536 raise Exception("TK found from memory")
2538 raise Exception("GTK found from memory")
2540 logger
.info("Checking keys in memory after disassociation")
2541 buf
= read_process_memory(pid
, password
)
2543 # Note: Password is still present in network configuration
2544 # Note: PMK is in PMKSA cache and EAP fast re-auth data
2546 get_key_locations(buf
, password
, "Password")
2547 get_key_locations(buf
, pmk
, "PMK")
2548 get_key_locations(buf
, msk
, "MSK")
2549 get_key_locations(buf
, emsk
, "EMSK")
2550 verify_not_present(buf
, kck
, fname
, "KCK")
2551 verify_not_present(buf
, kek
, fname
, "KEK")
2552 verify_not_present(buf
, tk
, fname
, "TK")
2553 verify_not_present(buf
, gtk
, fname
, "GTK")
2555 dev
[0].request("PMKSA_FLUSH")
2556 dev
[0].set_network_quoted(id, "identity", "foo")
2557 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
2558 buf
= read_process_memory(pid
, password
)
2559 get_key_locations(buf
, password
, "Password")
2560 get_key_locations(buf
, pmk
, "PMK")
2561 get_key_locations(buf
, msk
, "MSK")
2562 get_key_locations(buf
, emsk
, "EMSK")
2563 verify_not_present(buf
, pmk
, fname
, "PMK")
2565 dev
[0].request("REMOVE_NETWORK all")
2567 logger
.info("Checking keys in memory after network profile removal")
2568 buf
= read_process_memory(pid
, password
)
2570 get_key_locations(buf
, password
, "Password")
2571 get_key_locations(buf
, pmk
, "PMK")
2572 get_key_locations(buf
, msk
, "MSK")
2573 get_key_locations(buf
, emsk
, "EMSK")
2574 verify_not_present(buf
, password
, fname
, "password")
2575 verify_not_present(buf
, pmk
, fname
, "PMK")
2576 verify_not_present(buf
, kck
, fname
, "KCK")
2577 verify_not_present(buf
, kek
, fname
, "KEK")
2578 verify_not_present(buf
, tk
, fname
, "TK")
2579 verify_not_present(buf
, gtk
, fname
, "GTK")
2580 verify_not_present(buf
, msk
, fname
, "MSK")
2581 verify_not_present(buf
, emsk
, fname
, "EMSK")