1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import binascii
10 import time
11 import subprocess
12 import logging
# Module-level logger; no name is given, so this is the root logger.
logger = logging.getLogger(name=None)
14 import os
15
16 import hwsim_utils
17 import hostapd
18 from utils import HwsimSkip, alloc_fail
19 from test_ap_psk import check_mib, find_wpas_process, read_process_memory, verify_not_present, get_key_locations
20
def check_hlr_auc_gw_support():
    """Skip the test unless the hlr_auc_gw control socket is present.

    Raises:
        HwsimSkip: when /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
24
def check_eap_capa(dev, method):
    """Skip the test unless *method* is among the build's EAP capabilities.

    Args:
        dev: wpa_supplicant control object providing get_capability().
        method: EAP method name as reported by the "eap" capability.

    Raises:
        HwsimSkip: when the method is not listed.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
29
def check_subject_match_support(dev):
    """Skip the test unless the supplicant's TLS library is OpenSSL.

    Raises:
        HwsimSkip: when "GET tls_library" reports a non-OpenSSL backend,
            since subject_match is only validated with OpenSSL here.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
34
def check_altsubject_match_support(dev):
    """Skip the test unless the supplicant's TLS library is OpenSSL.

    Raises:
        HwsimSkip: when "GET tls_library" reports a non-OpenSSL backend,
            since altsubject_match is only validated with OpenSSL here.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls)
39
def check_domain_match_full(dev):
    """Skip the test unless the supplicant's TLS library is OpenSSL.

    Raises:
        HwsimSkip: when "GET tls_library" reports a non-OpenSSL backend;
            with other libraries domain_suffix_match requires a full match.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls)
44
def check_cert_probe_support(dev):
    """Skip the test unless the supplicant's TLS library is OpenSSL.

    Raises:
        HwsimSkip: when "GET tls_library" reports a non-OpenSSL backend,
            since certificate probing is only exercised with OpenSSL here.
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
49
def read_pem(fname):
    """Return the DER bytes of the first PEM object found in *fname*.

    Lines before the first "-----BEGIN" marker are ignored, the marker
    lines themselves are not part of the payload, and reading stops at the
    first "-----END" marker, so only one object is decoded.

    Args:
        fname: path to a PEM-encoded file.

    Returns:
        The base64-decoded body as bytes.
    """
    body = []
    inside = False
    with open(fname, "r") as f:
        for line in f:
            if "-----END" in line:
                break
            if inside:
                body.append(line)
            elif "-----BEGIN" in line:
                inside = True
    # b64decode skips the line breaks kept in the collected lines.
    return base64.b64decode("".join(body))
63
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Add a WPA2-Enterprise network on *dev* and drive it through EAP.

    Args:
        dev: station control object.
        ap: AP descriptor dict; only ap['ifname'] is used.
        method: EAP method name passed as the network's eap= value.
        identity: EAP identity for the network.
        sha256: expect the WPA2-EAP-SHA256 AKM in the final status.
        expect_failure: the EAP exchange is expected to fail; the hostapd
            AP-STA-CONNECTED event is then not awaited.
        local_error_report: passed through to eap_check_auth().
        **kwargs: extra network parameters (password, ca_cert, phase2, ...).

    Returns:
        The network id returned by dev.connect().

    Raises:
        Exception: if hostapd reports no AP-STA-CONNECTED within 5 s on the
            success path (eap_check_auth raises for supplicant-side issues).
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    netid = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                        eap=method, identity=identity,
                        wait_connect=False, scan_freq="2412", ieee80211w="1",
                        **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # Confirm the authenticator side also saw the station authorize.
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return netid
81
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow one EAP exchange on *dev* via control-interface events.

    Args:
        dev: station control object (wait_event, wait_disconnected, get_status).
        method: EAP method name expected in CTRL-EVENT-EAP-METHOD and in the
            selectedMethod status field.
        initial: True for a fresh association (wait for CTRL-EVENT-CONNECTED),
            False for a reauthentication (wait for "WPA: Key negotiation completed").
        rsn: expect the WPA2 (RSN) 802.1X AKM rather than WPA.
        sha256: expect WPA2-EAP-SHA256 as the AKM.
        expect_failure: the exchange must end in CTRL-EVENT-EAP-FAILURE
            followed by a disconnection.
        local_error_report: when set, the disconnection reason code is not
            checked; otherwise reason=23 is required.

    Returns:
        The status dict from dev.get_status() on success, None when
        expect_failure is set.

    Raises:
        Exception: on any timeout or on a status field that does not match.
    """
    def await_event(patterns, failure_msg, **wait_kwargs):
        ev = dev.wait_event(patterns, **wait_kwargs)
        if ev is None:
            raise Exception(failure_msg)
        return ev

    await_event(["CTRL-EVENT-EAP-STARTED"], "Association and EAP start timed out",
                timeout=10)
    ev = await_event(["CTRL-EVENT-EAP-METHOD"], "EAP method selection timed out",
                     timeout=10)
    if method not in ev:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No timeout is passed here; wait_event's own default applies.
        await_event(["CTRL-EVENT-EAP-FAILURE"], "EAP failure timed out")
        ev = dev.wait_disconnected(timeout=10)
        # Reason code 23 is "IEEE 802.1X authentication failed"; a failed
        # EAP exchange must be reported with it unless the error is local.
        if not local_error_report and "reason=23" not in ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    await_event(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out", timeout=10)
    if initial:
        completion = ["CTRL-EVENT-CONNECTED"]
    else:
        completion = ["WPA: Key negotiation completed"]
    await_event(completion, "Association with the AP timed out", timeout=10)

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_akm = "WPA2-EAP-SHA256"
    elif rsn:
        expected_akm = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_akm = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_akm:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
    return status
128
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger REAUTHENTICATE on *dev* and validate the resulting EAP exchange.

    Returns:
        Whatever eap_check_auth() returns (the status dict, or None when
        expect_failure is set).
    """
    dev.request("REAUTHENTICATE")
    # initial=False: the station is already associated, so eap_check_auth
    # waits for "WPA: Key negotiation completed" instead of CTRL-EVENT-CONNECTED.
    return eap_check_auth(dev, method, initial=False, rsn=rsn, sha256=sha256,
                          expect_failure=expect_failure)
133
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Covers a successful association plus reauthentication, a second
    subscriber, one identity expected to fail, and a series of wrong or
    malformed GSM-Milenage keys that must all be rejected.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    eap_connect(sta, apdev[0], "SIM", "1232010000000000", password=good_key)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001", password=good_key)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002", password=good_key,
                expect_failure=True)

    # Each case starts from an empty network list and must end in EAP failure.
    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in bad_keys:
        logger.info(label)
        sta.request("REMOVE_NETWORK all")
        eap_connect(sta, apdev[0], "SIM", "1232010000000000", password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "SIM", "1232010000000000", expect_failure=True)
184
def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Exercises the SQL-backed hlr_auc_gw state: fast reauthentication,
    fallback to pseudonym and permanent identity when the reauth rows are
    removed, and rejection when the stored MK or counter no longer matches.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # One transaction per call: the connection context commits on
        # success and rolls back if a statement raises.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    sta = dev[0]
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "SIM", "1232010000000000", password=good_key)

    logger.info("SIM fast re-authentication")
    eap_reauth(sta, "SIM")

    logger.info("SIM full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(sta, "SIM")

    logger.info("SIM full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(sta, "SIM")

    logger.info("SIM reauth with mismatching MK")
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(sta, "SIM", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "SIM", "1232010000000000", password=good_key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(sta, "SIM")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(sta, "SIM")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "SIM", "1232010000000000", password=good_key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(sta, "SIM")
242
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    Out-of-range sim_min_num_chal values must make method initialization
    fail; a valid value and an anonymous_identity must still connect.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    init_failures = [
        ("sim_min_num_chal=1", "No EAP error message seen"),
        ("sim_min_num_chal=4", "No EAP error message seen (2)"),
    ]
    for phase1, missing_msg in init_failures:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                    identity="1232010000000000",
                    password=good_key,
                    phase1=phase1,
                    wait_connect=False, scan_freq="2412")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        if ev is None:
            raise Exception(missing_msg)
        sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "SIM", "1232010000000000",
                password=good_key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password=good_key,
                anonymous_identity="345678")
273
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        # Always restore the default so later tests do not inherit external_sim.
        sta.request("SET external_sim 0")
280
def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext; the wrapper resets external_sim.

    With external_sim enabled the supplicant hands GSM authentication to
    the controller via CTRL-REQ-SIM. Every response fed back here is
    accepted by the control interface but must be rejected by EAP-SIM
    processing, ending in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    def await_gsm_auth_request():
        """Wait for the next CTRL-REQ-SIM and return its request id."""
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def await_eap_failure():
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                        identity="1232010000000000",
                        wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    rid = await_gsm_auth_request()
    # IK:CK:RES -- a UMTS-style answer to a GSM-AUTH request. The ctrl_iface
    # command succeeds; the mismatch surfaces later as an EAP failure.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    await_eap_failure()

    # Malformed GSM-AUTH responses; each fails during GSM auth validation.
    bad_responses = [
        ":GSM-AUTH:q",
        ":GSM-AUTH:34",
        ":GSM-AUTH:0011223344556677",
        ":GSM-AUTH:0011223344556677:q",
        ":GSM-AUTH:0011223344556677:00112233",
        ":GSM-AUTH:0011223344556677:00112233:q",
    ]
    for suffix in bad_responses:
        # Disconnect from the previous failed attempt before retrying.
        sta.request("DISCONNECT")
        sta.select_network(netid, freq="2412")
        rid = await_gsm_auth_request()
        if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")
        await_eap_failure()
404
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Covers a successful association plus reauthentication, then a series
    of wrong or malformed Milenage keys that must all be rejected.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    eap_connect(sta, apdev[0], "AKA", "0232010000000000",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "AKA")

    # (log label, clear the network list first, password). The clearing
    # pattern mirrors the original sequence of REMOVE_NETWORK calls.
    bad_keys = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, clear_first, key in bad_keys:
        logger.info(label)
        if clear_first:
            sta.request("REMOVE_NETWORK all")
        eap_connect(sta, apdev[0], "AKA", "0232010000000000", password=key,
                    expect_failure=True)

    logger.info("Missing key configuration")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "AKA", "0232010000000000", expect_failure=True)
458
def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Exercises the SQL-backed hlr_auc_gw state: fast reauthentication,
    fallback to pseudonym and permanent identity when the reauth rows are
    removed, and rejection when the stored MK or counter no longer matches.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # One transaction per call: the connection context commits on
        # success and rolls back if a statement raises.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    sta = dev[0]
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "AKA", "0232010000000000", password=good_key)

    logger.info("AKA fast re-authentication")
    eap_reauth(sta, "AKA")

    logger.info("AKA full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA")

    logger.info("AKA full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA")

    logger.info("AKA reauth with mismatching MK")
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "AKA", "0232010000000000", password=good_key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(sta, "AKA")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(sta, "AKA")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "AKA", "0232010000000000", password=good_key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(sta, "AKA")
516
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with an explicit anonymous_identity in addition to the
    permanent identity.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                anonymous_identity="2345678",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
524
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    sta = dev[0]
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Always restore the default so later tests do not inherit external_sim.
        sta.request("SET external_sim 0")
531
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext; the wrapper resets external_sim.

    With external_sim enabled the supplicant hands UMTS authentication to
    the controller via CTRL-REQ-SIM. The responses fed back here are
    accepted by the control interface but must be rejected by EAP-AKA
    processing, ending in CTRL-EVENT-EAP-FAILURE.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]

    def await_umts_auth_request():
        """Wait for the next CTRL-REQ-SIM and return its request id."""
        ev = sta.wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        fields = ev.split(':', 2)
        if fields[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return fields[0].split('-')[3]

    def respond(suffix):
        """Send a CTRL-RSP-SIM and require the ctrl_iface to accept it."""
        if "OK" not in sta.request("CTRL-RSP-SIM-" + rid + suffix):
            raise Exception("CTRL-RSP-SIM failed")

    def fail_and_disconnect():
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        sta.request("DISCONNECT")
        sta.wait_disconnected()

    sta.request("SET external_sim 1")
    netid = sta.connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                        identity="0232010000000000",
                        password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                        wait_connect=False, scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    rid = await_umts_auth_request()
    # IK:CK:RES -- sent as a GSM-AUTH answer to a UMTS-AUTH request. The
    # ctrl_iface command succeeds; the mismatch surfaces as an EAP failure.
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    sta.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    fail_and_disconnect()

    # Two UMTS-AUTS (resynchronization) answers in a row; the second,
    # too-short one fails during UMTS auth validation.
    sta.select_network(netid, freq="2412")
    rid = await_umts_auth_request()
    respond(":UMTS-AUTS:112233445566778899aabbccddee")
    rid = await_umts_auth_request()
    respond(":UMTS-AUTS:12")
    fail_and_disconnect()

    # Malformed UMTS-AUTH responses; each fails during UMTS auth validation.
    bad_responses = [
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:34",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for suffix in bad_responses:
        sta.select_network(netid, freq="2412")
        rid = await_umts_auth_request()
        respond(suffix)
        fail_and_disconnect()
614
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Also checks that a station offering both AKA' and AKA still completes
    the connection (AKA' bidding-down protection), and that a wrong key is
    rejected.
    """
    check_hlr_auc_gw_support()
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"

    eap_connect(sta, apdev[0], "AKA'", "6555444333222111", password=good_key)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "AKA'", "6555444333222111",
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)
637
def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Exercises the SQL-backed hlr_auc_gw state: fast reauthentication,
    fallback to pseudonym and permanent identity when the reauth rows are
    removed, and rejection when the stored K_aut or counter no longer matches.
    """
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def run_sql(*statements):
        # One transaction per call: the connection context commits on
        # success and rolls back if a statement raises.
        with con:
            cur = con.cursor()
            for stmt in statements:
                cur.execute(stmt)

    sta = dev[0]
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "AKA'", "6555444333222111", password=good_key)

    logger.info("AKA' fast re-authentication")
    eap_reauth(sta, "AKA'")

    logger.info("AKA' full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'")

    logger.info("AKA' full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
    run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "AKA'", "6555444333222111", password=good_key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(sta, "AKA'")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(sta, "AKA'")
    sta.request("REMOVE_NETWORK all")

    eap_connect(sta, apdev[0], "AKA'", "6555444333222111", password=good_key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(sta, "AKA'")
695
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    Also verifies the AP's configured key_mgmt starts with WPA-EAP and that
    the station MIB reports the 802.1X AKM suite (00-0f-ac-1).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    if not key_mgmt.split(' ')[0] == "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    sta = dev[0]
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(sta, apdev[0], "TTLS", "pap user", **ttls_pap)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
    check_mib(sta, [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")])
710
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match

    The server certificate must satisfy both the subject_match and the
    altsubject_match constraints for the connection to complete.
    """
    sta = dev[0]
    check_subject_match_support(sta)
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_reauth(sta, "TTLS")
723
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Both a wrong password for a known user and the right password for a
    user not provisioned for PAP must end in EAP failure.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                  expect_failure=True)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong", **common)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password", **common)
736
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Uses the DER-encoded CA certificate (auth_serv/ca.der).
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
746
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Adds an altsubject_match constraint (listed in a different order than
    the PAP variant) that the server certificate must satisfy.
    """
    sta = dev[0]
    check_altsubject_match_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(sta, apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    eap_reauth(sta, "TTLS")
757
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    rejected = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=CHAP", expect_failure=True)
    # Known CHAP user, wrong password.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **rejected)
    # "user" with its real password must be rejected for CHAP as well.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **rejected)
770
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    creds = dict(anonymous_identity="ttls", password="password",
                 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First run additionally pins the server certificate's domain suffix.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **creds)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # Second run: same credentials, but forcing small EAP fragments.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                fragment_size="200", **creds)
786
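def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # (docstring previously said CHAP; this test exercises auth=MSCHAP)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    rejected = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=MSCHAP", expect_failure=True)
    # Known MSCHAP user, wrong password.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="wrong",
                **rejected)
    # "user" with its real password is rejected for MSCHAP as well.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **rejected)
    # Unknown user: must fail without leaking whether the name exists.
    eap_connect(dev[2], apdev[0], "TTLS", "no such user", password="password",
                **rejected)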
803
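def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m" keeps the backslash literal: the unescaped "\m" of the original
    # is an invalid escape sequence (SyntaxWarning, later an error, on newer
    # Python); the runtime identity string is unchanged.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    # Snapshot the authenticator's STA/EAPOL counters around a reauth so they
    # can be checked to move in the expected direction.
    sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
    eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same user, password supplied as a pre-computed hash (password_hex)
    # instead of the plaintext.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")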
832
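def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # Suffix-only matching ("w1.fi" against server.w1.fi) needs the full
    # domain_suffix_match implementation; skip otherwise.
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\\m": keep the backslash literal ("\m" is an invalid escape sequence).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")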
845
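def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match requires the full host name; the mixed case
    # ("Server.w1.fi") presumably checks that the comparison is
    # case-insensitive. "\\m" keeps the backslash literal.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")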
857
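def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    rejected = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                    phase2="auth=MSCHAPV2", expect_failure=True)
    # Known user, near-miss password. "\\m" keeps the backslash literal
    # ("\m" is an invalid escape sequence on newer Python).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **rejected)
    # "user" with its real password is rejected for MSCHAPv2 as well.
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                password="password", **rejected)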
870
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    hostapd.Hostapd(apdev[0]['ifname'])
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")
    # Non-ASCII password given as plaintext ...
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **tunnel)
    # ... and as a pre-computed hash for a second user.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf", **tunnel)
883
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # "autheap=" selects an inner EAP method (GTC) rather than a plain
    # "auth=" protocol inside the TTLS tunnel.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=GTC", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
893
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner method; it is only acceptable inside the TLS
    # tunnel, which is what this test covers.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                phase2="autheap=MD5", ca_cert="auth_serv/ca.pem",
                anonymous_identity="ttls", password="password")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
903
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Wrong password for the inner EAP-MD5 exchange must end in failure.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                expect_failure=True, password="wrong",
                anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="autheap=MD5")
912
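def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Make the first allocation in the server's eap_md5_init fail; the
    # authentication is then expected to fail (expect_failure=True).
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Same again for the request builder, this time without waiting for the
    # connection result at all.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure: GET_ALLOC_FAIL starting with '0' means the
        # armed failure has been consumed. Poll for at most ~2 s.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break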
936
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="autheap=MSCHAPV2")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user", password="password1",
                expect_failure=True, **tunnel)
953
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA inside TTLS: the "password" carries the simulated USIM
    # triplet (Ki:OPc:SQN style colon-separated hex values).
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
                phase2="autheap=AKA", ca_cert="auth_serv/ca.pem",
                anonymous_identity="0232010000000000@ttls",
                password=aka_secret)
962
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same simulated USIM credentials as the TTLS variant, tunnelled in PEAP.
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
                phase2="auth=AKA", ca_cert="auth_serv/ca.pem",
                anonymous_identity="0232010000000000@peap",
                password=aka_secret)
971
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    aka_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    # fast_provisioning=2 with a blob-backed PAC file; the PAC is stored in
    # the supplicant's blob store rather than on disk.
    eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                phase2="auth=AKA", ca_cert="auth_serv/ca.pem",
                anonymous_identity="0232010000000000@fast",
                password=aka_secret)
983
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    tunnel = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                **tunnel)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    # Same credentials, forcing small EAP fragments.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **tunnel)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **tunnel)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **tunnel)
1012
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    ap = hostapd.add_ap(apdev[0]['ifname'],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(password="password", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    def connect(wpas, binding):
        # crypto_binding: 2 = required, 1 = use if the server supports it,
        # 0 = disabled (wpa_supplicant.conf semantics - confirm against the
        # supplicant's documentation).
        eap_connect(wpas, apdev[0], "PEAP", "user",
                    phase1="peapver=0 crypto_binding=" + binding, **common)

    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], "1")
    connect(dev[2], "0")
1032
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # PEAPv0 with the alternative key-derivation label: expected to fail.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                phase1="peapver=0 peaplabel=1", expect_failure=True,
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    dev[0].request("REMOVE_NETWORK all")
    # Both peap_outer_success variants must still connect.
    for wpas, outer in ((dev[1], "1"), (dev[2], "2")):
        eap_connect(wpas, apdev[0], "PEAP", "user", password="password",
                    phase1="peap_outer_success=" + outer,
                    ca_cert="auth_serv/ca.pem",
                    phase2="auth=MSCHAPV2")
    # PEAPv1 with peaplabel=1: EAP itself succeeds but the station must not
    # reach CONNECTED (presumably the derived keys differ from the
    # server's, so the 4-way handshake cannot complete).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    success = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if success is None:
        raise Exception("No EAP success seen")
    connected = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if connected is not None:
        raise Exception("Unexpected connection")
1063
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-TLS uses the "*2" (phase 2) variants of the certificate
    # parameters; the outer tunnel only needs the CA.
    inner = dict(ca_cert2="auth_serv/ca.pem",
                 client_cert2="auth_serv/user.pem",
                 private_key2="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS", **inner)
    eap_reauth(dev[0], "PEAP")
1074
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Certificate-based client authentication, PEM files on disk.
    client = dict(client_cert="auth_serv/user.pem",
                  private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user",
                ca_cert="auth_serv/ca.pem", **client)
    eap_reauth(dev[0], "TLS")
1083
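def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    def set_blob(name, data):
        # "SET blob <name> <hex>": blob content travels hex-encoded over the
        # control interface. binascii.hexlify() produces the same string as
        # the Python 2-only str.encode("hex") used before.
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      binascii.hexlify(data)):
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    set_blob("usercert", read_pem("auth_serv/user.pem"))
    # (the error for this blob used to be mislabelled as "cacert")
    set_blob("userkey", read_pem("auth_serv/user.rsa-key"))
    # All three credentials are referenced via blob:// instead of file paths.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")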
1100
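def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Client certificate and key come from one PKCS#12 bundle; first run
    # supplies the passphrase in the network block.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    dev[0].request("REMOVE_NETWORK all")
    # Second run omits private_key_passwd, so the supplicant has to ask for
    # it over the control interface and accept the CTRL-RSP reply.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request presumably reads "CTRL-REQ-PASSPHRASE-<id>:<text>"; the
    # network id is the last '-'-separated token before the ':'.
    # (renamed from 'id', which shadowed the builtin)
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)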
1120
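def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Blob content is hex-encoded on the control interface;
    # binascii.hexlify() is equivalent to the Python 2-only
    # str.encode("hex") used previously.
    cert = read_pem("auth_serv/ca.pem")
    if "OK" not in dev[0].request("SET blob cacert " + binascii.hexlify(cert)):
        raise Exception("Could not set cacert blob")
    # The PKCS#12 bundle is binary, hence "rb" and no read_pem().
    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12 = f.read()
    if "OK" not in dev[0].request("SET blob pkcs12 " + binascii.hexlify(pkcs12)):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")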
1134
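def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    cert = read_pem("auth_serv/ca-incorrect.pem")
    # binascii.hexlify() gives the same hex string as the Python 2-only
    # str.encode("hex") used before.
    if "OK" not in dev[0].request("SET blob cacert " + binascii.hexlify(cert)):
        raise Exception("Could not set cacert blob")
    # Both stations trust a CA that is not the one behind the server
    # certificate: dev[0] via a blob, dev[1] via a file. "\\m" keeps the
    # backslash literal ("\m" is an invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="blob://cacert",
                   wait_connect=False, scan_freq="2412")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca-incorrect.pem",
                   wait_connect=False, scan_freq="2412")

    # Expected sequence on each station: EAP starts, TTLS is selected, the
    # server certificate is rejected, EAP fails, the station disconnects
    # and the network block gets temporarily disabled.
    # (loop variable renamed from 'dev', which shadowed the parameter)
    for wpas in (dev[0], dev[1]):
        ev = wpas.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                              "CTRL-EVENT-EAP-SUCCESS",
                              "CTRL-EVENT-EAP-FAILURE",
                              "CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = wpas.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                              "CTRL-EVENT-EAP-FAILURE",
                              "CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = wpas.wait_event(["CTRL-EVENT-CONNECTED",
                              "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        ev = wpas.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")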
1193
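def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # First network block trusts the right CA and connects normally.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   ca_cert="auth_serv/ca.pem",
                   wait_connect=True, scan_freq="2412")
    # Second block is identical except for a wrong trust root; only added,
    # not selected yet. (renamed from 'id', which shadowed the builtin)
    bad_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    dev[0].select_network(bad_id, freq="2412")

    # A full EAP-TTLS run (EAP type 21) must start again rather than any
    # cached/fast-resumed state being reused across the two blocks.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")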
1220
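def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Variant of diff_ca_trust: the first block sets no ca_cert at all, i.e.
    # the server certificate is not validated for this initial connection.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   wait_connect=True, scan_freq="2412")
    # Second block pins a wrong CA; only added, not selected yet.
    # (renamed from 'id', which shadowed the builtin)
    bad_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, scan_freq="2412")

    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    dev[0].select_network(bad_id, freq="2412")

    # Switching blocks must trigger a fresh EAP-TTLS (type 21) negotiation
    # so the stricter trust settings are actually applied.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")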
1246
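def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Single network block: connect with the correct CA first ...
    # (renamed from 'id', which shadowed the builtin)
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].dump_monitor()
    # ... then swap ca_cert in place to a wrong trust root and reselect.
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    # Editing the block must force a fresh EAP-TTLS (type 21) run, not a
    # reuse of the earlier, successfully validated session.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.1X authentication failed.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")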
1268
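def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Correct CA, but a domain_suffix_match the server name cannot satisfy.
    # "\\m" keeps the backslash literal ("\m" is an invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # The certificate error must be reported, and reported for the right
    # reason, before any EAP result.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    # Persistent failure must lead to the block being temporarily disabled.
    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")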
1321
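def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match needs the full name; "w1.fi" is only a suffix of the
    # server's name, so this must be rejected (contrast domain_suffix_match).
    # "\\m" keeps the backslash literal ("\m" is an invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Certificate error, with the domain mismatch reason, must precede any
    # EAP result.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")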
1374
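def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # subject_match with a CN the server certificate does not carry.
    # "\\m" keeps the backslash literal ("\m" is an invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # A TLS library without subject_match support refuses to initialize the
    # method at all; that is still a safe (failed) outcome, so only OpenSSL
    # builds are required to get past this point.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")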
1434
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # None of these may be accepted: a bare name without a type prefix, two
    # DNS names that differ from server.w1.fi, and a DNS name that is only a
    # trailing substring of it.
    for pattern in ("incorrect.example.com",
                    "DNS:incorrect.example.com",
                    "DNS:w1.fi",
                    "DNS:erver.w1.fi"):
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, pattern)
1446
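def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case against the already running AP.

    match: the altsubject_match string to configure; it must not match the
    server certificate, so the expected outcome is a certificate error, EAP
    failure, disconnection and a temporarily disabled network block. The
    network block is removed at the end so the caller can loop.
    """
    # "\\m" keeps the backslash literal ("\m" is an invalid escape sequence).
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # Without altsubject_match support the method fails to initialize; that
    # is still a failed connection, so only OpenSSL builds must get further.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    # Note: on the early "not supported" return above the block is left in
    # place; only the full path cleans up.
    dev[0].request("REMOVE_NETWORK all")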
1505
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Only ca_cert is configured on the station side; no client key or
    # certificate is given for this method.
    eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
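def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases:
      1. ca_cert="probe://": the server certificate is only probed; the
         hash reported for depth=0 must equal srv_cert_hash and the
         attempt must end with a "Server certificate chain probe"
         certificate error.
      2. ca_cert="hash://server/sha256/<other hash>": a pinned hash that
         does not belong to the server must be rejected with
         "Server certificate mismatch".
      3. ca_cert="hash://server/sha256/<srv_cert_hash>": the correct pin
         lets the EAP-TTLS/MSCHAPv2 connection complete.

    Raises:
        Exception: when an expected event is missing or times out.
    """
    check_cert_probe_support(dev[0])
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # Phase 1: probe the server certificate without trusting anything.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 2: a wrong pin must not be accepted.
    # "\\m" escapes the backslash; "\m" is an invalid escape sequence that
    # newer Pythons warn about.  The identity string itself is unchanged.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Phase 3: the correct pin connects.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")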
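def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// pins are configured on three stations.  Each
    must make the TTLS method fail initialization instead of being
    accepted as a (weaker or meaningless) pin:
      - an md5 pin, which this syntax does not accept,
      - a sha256 pin that is too short,
      - a sha256 pin containing a non-hex character.

    Raises:
        Exception: when a station does not report the initialization
            failure in time.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    invalid_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\m" escapes the backslash ("\m" is an invalid escape sequence that
    # newer Pythons warn about); the identity string is unchanged.
    for i, pin in enumerate(invalid_pins):
        dev[i].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                       identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                       password="password", phase2="auth=MSCHAPV2",
                       ca_cert=pin,
                       wait_connect=False, scan_freq="2412")
    for i in range(0, 3):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")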
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Over-long NAI, used together with small fragment_size values to
    # exercise peer-side fragmentation.
    long_identity = "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com"

    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[1], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD", long_identity,
                password="secret password",
                fragment_size="31")
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    check_eap_capa(dev[0], "PWD")
    base_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                    "rsn_pairwise": "CCMP", "ieee8021x": "1",
                    "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # Reconfigure the AP once per pwd_group value and authenticate again.
    for group in (19, 20, 21, 25, 26):
        ap_params = dict(base_params, pwd_group=str(group))
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    check_eap_capa(dev[0], "PWD")
    # pwd_group "0" is not a usable group; authentication is expected to fail.
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                  "rsn_pairwise": "CCMP", "ieee8021x": "1",
                  "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                  "pwd_group": "0" }
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
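def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    The AP-side fragment_size of 40 forces the integrated EAP server to
    fragment its EAP-pwd messages; the station must still complete the
    exchange.
    """
    check_eap_capa(dev[0], "PWD")
    # A hostapd.wpa2_eap_params() result used to be built here and
    # immediately overwritten by the literal below; that dead call is gone.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")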
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for cipher_sel in ("cipher=1", "cipher=2"):
        # Changing phase1 on the live network block triggers a new EAP
        # exchange with the forced cipher suite.
        dev[0].set_network_quoted(net_id, "phase1", cipher_sel)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(net_id, "phase1", "cipher=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    # Same length as good_key, differing in the first byte.
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    forced_suites = ("dhgroup=5 encr=1 prf=2 mac=2",
                     "dhgroup=4 encr=1 prf=2 mac=2",
                     "dhgroup=3 encr=1 prf=2 mac=2",
                     "dhgroup=3 encr=1 prf=1 mac=1")
    for suite in forced_suites:
        dev[0].set_network_quoted(net_id, "phase1", suite)
        if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # None of these values is offered by the server, so negotiation must fail.
    dev[0].set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")

    # Same exchange with peer-side fragmentation forced by a small
    # fragment_size.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
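def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    The AP-side fragment_size of 50 forces the integrated EAP server to
    fragment its EAP-IKEv2 messages; the station must still authenticate
    and re-authenticate.
    """
    # A hostapd.wpa2_eap_params() result used to be built here and
    # immediately overwritten by the literal below; that dead call is gone.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")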
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    pax_user = "pax.user@example.com"
    eap_connect(dev[0], apdev[0], "PAX", pax_user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # Key of the right length but with the first byte changed.
    eap_connect(dev[0], apdev[0], "PAX", pax_user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # SHA256-based AKM with management frame protection required, so the
    # sha256 variant of the station side is exercised.
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    psk_user = "psk.user@example.com"

    eap_connect(dev[0], apdev[0], "PSK", psk_user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    # Both MIB entries must show the 00-0f-ac-5 AKM selector.
    expected_mib = [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ]
    check_mib(dev[0], expected_mib)

    bss_entry = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss_entry:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss_entry['flags']:
        raise Exception("Unexpected BSS flags: " + bss_entry['flags'])

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", psk_user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    # WPA (not WPA2) parameters: the MIB checks below expect the
    # 00-50-f2-1 AKM selector and eap_check_auth/eap_reauth run with
    # rsn=False.
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    expected_mib = [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ]
    check_mib(dev[0], expected_mib)
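def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each case leaves the identity and/or the password out of the network
    block and instead answers the supplicant's CTRL-REQ-IDENTITY and
    CTRL-REQ-PASSWORD (or CTRL-REQ-OTP) requests over the control
    interface, then expects the connection to complete.

    Raises:
        Exception: when a credential request does not arrive.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # hapd is not referenced below; presumably kept for the side effect of
    # opening the AP control interface -- TODO confirm and drop if not needed.
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # "\\m" escapes the backslash; "\m" is an invalid escape sequence that
    # newer Pythons warn about.  The identity strings are unchanged.
    # Tuple layout: (description, eap, anonymous_identity, identity,
    #                phase2, identity to supply on request,
    #                password to supply on request)
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\\mschapv2 user", "auth=MSCHAPV2",
               None, "password"),
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # The request number is the last dash-separated field before
            # the ':' in "CTRL-REQ-IDENTITY-<n>:..." and must be echoed
            # back in the response.
            req_num = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_num = ev.split(':')[0].split('-')[-1]
        # Local names no longer shadow the builtins id() and type().
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + req_num + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")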
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # The VENDOR-TEST method needs no credentials beyond the identity.
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0]['ifname'],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # fast_provisioning=1 selects unauthenticated provisioning; the PAC is
    # stored in a named blob rather than a file.
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth_res = eap_reauth(dev[0], "FAST")
    # The provisioned PAC must be used as a session ticket on reauth.
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    logdir = params['logdir']
    text_pac = os.path.join(logdir, "fast.pac")
    binary_pac = os.path.join(logdir, "fast-bin.pac")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Station-side settings shared by every EAP-FAST attempt below.
    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    try:
        # Provision a text-format PAC into text_pac, then check that the
        # file has the expected header and contains the PAC-Key.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    phase1="fast_provisioning=1", pac_file=text_pac, **common)
        with open(text_pac, "r") as f:
            pac_contents = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in pac_contents:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in pac_contents:
            raise Exception("PAC-Key missing from PAC file")
        # Reconnect using the stored PAC without provisioning.
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    pac_file=text_pac, **common)

        # Same sequence with the binary PAC format on a second station.
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=binary_pac, **common)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    phase1="fast_pac_format=binary",
                    pac_file=binary_pac, **common)
    finally:
        # The PAC files hold the provisioned PAC-Key, so they are removed
        # whatever the outcome (presumably they are owned by the supplicant
        # process, hence sudo).
        subprocess.call(['sudo', 'rm', text_pac])
        subprocess.call(['sudo', 'rm', binary_pac])
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # Binary PAC format with the PAC list capped at one entry.
    fast_phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=fast_phase1,
                pac_file="blob://fast_pac_bin")
    reauth_res = eap_reauth(dev[0], "FAST")
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    check_eap_capa(dev[0], "FAST")
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def _expect_eap_failure():
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("Timeout on EAP failure report")

    # Case 1: a PAC blob that has never been provisioned and no
    # provisioning enabled -> EAP failure.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   pac_file="blob://fast_pac_not_in_use",
                   wait_connect=False, scan_freq="2412")
    _expect_eap_failure()
    dev[0].request("REMOVE_NETWORK all")

    # Case 2: no pac_file at all -> EAP failure.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                   identity="user", anonymous_identity="FAST",
                   password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   wait_connect=False, scan_freq="2412")
    _expect_eap_failure()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # fast_provisioning=2 selects authenticated provisioning (server
    # certificate validated against ca_cert).
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth_res = eap_reauth(dev[0], "FAST")
    if reauth_res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # ocsp=2: a valid stapled OCSP response is required for the
    # connection to succeed.
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for an AP with the integrated EAP server.

    The dictionary enables WPA2-Enterprise (CCMP, 802.1X) with the built-in
    EAP server, the test user database and the default server certificate
    and key from auth_serv/.  A fresh dict is returned on every call so
    callers may modify it freely.
    """
    ap_params = {}
    ap_params["ssid"] = "test-wpa2-eap"
    ap_params["wpa"] = "2"
    ap_params["wpa_key_mgmt"] = "WPA-EAP"
    ap_params["rsn_pairwise"] = "CCMP"
    ap_params["ieee8021x"] = "1"
    ap_params["eap_server"] = "1"
    ap_params["eap_user_file"] = "auth_serv/eap_user.conf"
    ap_params["ca_cert"] = "auth_serv/ca.pem"
    ap_params["server_cert"] = "auth_serv/server.pem"
    ap_params["private_key"] = "auth_serv/server.key"
    return ap_params
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # At most 11 EAP status events are inspected for the expected alert.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
    ocsp_response = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp_response):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp_response
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Either alert text is accepted; at most 11 status events are examined.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev or 'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
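def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    The AP staples an OCSP response with status "unknown"; with ocsp=2
    (response required) the station must reject the server certificate
    with a "bad certificate status response" alert and report EAP failure.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")
    # Inspect at most 11 EAP status events for the expected alert.
    count = 0
    while True:
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
        count = count + 1
        if count > 10:
            raise Exception("Unexpected number of EAP status messages")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("Timeout on EAP failure report")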
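def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    The AP staples an OCSP response with status "unknown"; with ocsp=1
    (OCSP optional) the connection is expected to complete.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    params = int_eap_server_params()
    params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")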
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    ap_params = int_eap_server_params()
    # Server certificate without a dNSName SAN, so matching falls back to
    # the subject CN.
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
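def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    The server certificate has no dNSName SAN, so domain_match is checked
    against the subject CN; the exact name must connect.
    """
    params = int_eap_server_params()
    params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")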
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
    # A proper suffix match (w1.fi against CN server3.w1.fi) only works
    # with a TLS library that supports partial matching.
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (domain_suffix_match value, message if the failure is not reported);
    # "erver3.w1.fi" is a substring but not a label-aligned suffix of the CN.
    cases = (("example.com", "Timeout on EAP failure report"),
             ("erver3.w1.fi", "Timeout on EAP failure report (2)"))
    for idx, (suffix, _) in enumerate(cases):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user", ca_cert="auth_serv/ca.pem",
                         private_key="auth_serv/user.pkcs12",
                         private_key_passwd="whatever",
                         domain_suffix_match=suffix,
                         wait_connect=False,
                         scan_freq="2412")
    for idx, (_, timeout_msg) in enumerate(cases):
        if dev[idx].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception(timeout_msg)
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (domain_match value, message if the failure is not reported);
    # domain_match requires the full name, so even the parent domain
    # "w1.fi" must be rejected.
    cases = (("example.com", "Timeout on EAP failure report"),
             ("w1.fi", "Timeout on EAP failure report (2)"))
    for idx, (domain, _) in enumerate(cases):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                         identity="tls user", ca_cert="auth_serv/ca.pem",
                         private_key="auth_serv/user.pkcs12",
                         private_key_passwd="whatever",
                         domain_match=domain,
                         wait_connect=False,
                         scan_freq="2412")
    for idx, (_, timeout_msg) in enumerate(cases):
        if dev[idx].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception(timeout_msg)
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")

    # The supplicant must report the certificate problem with the specific
    # "expired" reason code (reason=4) and text, not just a generic failure,
    # before the EAP exchange is abandoned.
    cert_err = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if cert_err is None:
        raise Exception("Timeout on EAP certificate error report")
    is_expired = ("reason=4" in cert_err and
                  "certificate has expired" in cert_err)
    if not is_expired:
        raise Exception("Unexpected failure reason: " + cert_err)

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # phase1 tls_disable_time_checks=1 switches off the certificate validity
    # period check on the supplicant, so the expired server certificate that
    # is rejected in the sibling test is accepted here. This deliberately
    # weakens certificate validation and belongs only in a controlled setup.
    sta_config = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      phase1="tls_disable_time_checks=1",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_config)
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
    # The server presents a certificate whose extendedKeyUsage (per the file
    # name) only covers client authentication. A certificate not permitted
    # for the TLS server role must be rejected, so EAP has to fail.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="mschap user", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                wait_connect=False,
                scan_freq="2412")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
    # Counterpart of the client-only EKU case: a certificate that (per its
    # file name) carries both client and server EKUs is valid for the server
    # role, so a normal, successful connection is expected.
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_config = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_config)
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
    # No separate server_cert is configured: hostapd is expected to take both
    # the certificate and the private key from the PKCS#12 container that is
    # given as private_key.
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta_config = dict(key_mgmt="WPA-EAP", eap="TTLS",
                      identity="mschap user", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                      scan_freq="2412")
    dev[0].connect("test-wpa2-eap", **sta_config)
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # dh_file hands the supplicant's TLS library an explicit DH parameter
    # file for this network profile; the connection must still succeed.
    sta_config = dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                      dh_file="auth_serv/dh.conf")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **sta_config)
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same as the dh_file variant, but the PEM text is pushed into the
    # supplicant as a named blob (hex-encoded over the control interface)
    # and referenced through the blob:// scheme.
    # NOTE(review): str.encode("hex") exists only on Python 2; a Python 3
    # port would need binascii.hexlify() on bytes here.
    dh_pem = read_pem("auth_serv/dh.conf")
    res = dev[0].request("SET blob dhparams " + dh_pem.encode("hex"))
    if "OK" not in res:
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Very short reauthentication period so the authenticator starts a new
    # EAP exchange shortly after the initial one completes.
    ap_params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    sta = dev[0]
    eap_connect(sta, apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")

    logger.info("Wait for reauthentication")
    for marker in ("CTRL-EVENT-EAP-STARTED", "CTRL-EVENT-EAP-SUCCESS"):
        if sta.wait_event([marker], timeout=10) is None:
            raise Exception("Timeout on reauthentication")

    # EAP-SUCCESS can be reported before wpa_state is back in COMPLETED, so
    # poll the state for up to ~2 s (20 x 0.1 s) instead of reading it once.
    state = None
    for _ in range(20):
        state = sta.get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed by a NUL-separated option string in the
    # EAP-Request/Identity. The supplicant must tolerate the extra payload
    # and still authenticate normally.
    ap_params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Let the server use the protected result indication for SIM/AKA/AKA'.
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, colon-separated test credentials known to
    # hlr_auc_gw). SIM and AKA share the same key material; AKA/AKA' carry
    # an extra trailing field.
    sim_secret = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    cases = [
        ("SIM", "1232010000000000", sim_secret),
        ("AKA", "0232010000000000", sim_secret + ":000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(cases):
        if idx:
            # Drop the previous method's profiles before the next round
            for sta in dev[:2]:
                sta.request("REMOVE_NETWORK all")
        # dev[0] requests the result indication and additionally goes
        # through a fast re-authentication; dev[1] connects without it.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # A 10-byte EAP fragment size splits the TLS handshake into a very large
    # number of fragments, so the supplicant's roundtrip limit is hit before
    # authentication can complete. The "EAP: more than" log message is the
    # observable sign of that limit.
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="TTLS", identity="mschap user",
                wait_connect=False, scan_freq="2412", ieee80211w="1",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                fragment_size="10")
    if sta.wait_event(["EAP: more than"], timeout=20) is None:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # The "vendor-test" identity is presumably mapped server-side to an
    # expanded (vendor-specific) EAP type. The station only offers EAP-PSK,
    # so it must answer with an expanded NAK and the exchange ends in failure.
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                eap="PSK", identity="vendor-test",
                password_hex="ff23456789abcdef0123456789abcdef",
                wait_connect=False)

    # Inspect up to five status events for the NAK indication.
    ev = None
    refused = False
    for _ in range(5):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            refused = True
            break
    if not refused:
        raise Exception("Unexpected EAP status: " + ev)

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("EAP failure timed out")
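def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Start from a clean database; a missing file is the normal case, so
    # only OSError from os.remove() is ignored (not arbitrary exceptions).
    try:
        os.remove(dbfile)
    except OSError:
        pass

    # Schema as consumed by hostapd's eap_user_file=sqlite: backend: per-user
    # rows, a wildcard row for the outer (phase 1) methods, and an authlog
    # table that hostapd presumably writes to. All values are bound as
    # parameters; nothing is interpolated into the SQL text.
    users = [
        ('user-pap', 'TTLS-PAP', 'password', 1),
        ('user-chap', 'TTLS-CHAP', 'password', 1),
        ('user-mschap', 'TTLS-MSCHAP', 'password', 1),
        ('user-mschapv2', 'TTLS-MSCHAPV2', 'password', 1),
    ]
    con = sqlite3.connect(dbfile)
    try:
        # 'with con' only wraps a transaction (commit/rollback)...
        with con:
            cur = con.cursor()
            cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
            cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
            cur.executemany("INSERT INTO users(identity,methods,password,phase2) VALUES (?,?,?,?)",
                            users)
            cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
            cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    finally:
        # ...so the handle is closed explicitly instead of being left open
        # for the rest of the test while hostapd works on the same file.
        con.close()

    try:
        # Separate name so the 'params' argument (log directory) is not
        # shadowed by the hostapd configuration.
        ap_params = int_eap_server_params()
        ap_params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        os.remove(dbfile)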
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    hostapd.add_ap(apdev[0]['ifname'], int_eap_server_params())
    # Identities containing \x80 (alone and after an ASCII character) must
    # not break the EAP start or method negotiation against the integrated
    # EAP server. Only those two events are checked; the final outcome of
    # the authentication attempt is not.
    stations = list(zip(dev[:2], ["\x80", "a\x80"]))
    for sta, ident in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)

    expected = [("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out"),
                ("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out")]
    for sta, _ in stations:
        for marker, msg in expected:
            if sta.wait_event([marker], timeout=10) is None:
                raise Exception(msg)
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same check as test_ap_wpa2_eap_non_ascii_identity, but with the AP
    # configured through hostapd.wpa2_eap_params() (external authentication
    # server) instead of the integrated EAP server.
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    stations = list(zip(dev[:2], ["\x80", "a\x80"]))
    for sta, ident in stations:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=ident, password="password", wait_connect=False)

    # Only EAP start and method selection are verified, not the final result.
    expected = [("CTRL-EVENT-EAP-STARTED", "Association and EAP start timed out"),
                ("CTRL-EVENT-EAP-METHOD", "EAP method selection timed out")]
    for sta, _ in stations:
        for marker, msg in expected:
            if sta.wait_event([marker], timeout=10) is None:
                raise Exception(msg)
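def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # openssl_ciphers is an OpenSSL cipher-list string, so the check only
    # makes sense when the supplicant is built against OpenSSL.
    tls = dev[0].request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Return value of add_ap() was previously bound to an unused local.
    hostapd.add_ap(apdev[0]['ifname'], params)

    # A restrictive but reasonable client cipher list must still negotiate.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="AES128",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Limiting the client to EXPORT-grade suites must fail: the server is
    # expected to refuse those weak suites, so no common cipher exists.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                openssl_ciphers="EXPORT",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                expect_failure=True)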
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)

    # The integrated EAP server is pinned to AES256 suites only.
    ap_params = int_eap_server_params()
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    common = dict(anonymous_identity="ttls", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default client list overlaps with AES256: success expected.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **common)
    # Client limited to AES128 has no suite in common with the server.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **common)
    # HIGH without anonymous DH still contains AES256 suites.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **common)
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params) -> None:
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP

    Memory-hygiene check: snapshots of the wpa_supplicant process memory
    (read_process_memory) are searched for the password and the keys derived
    during an EAP-TTLS/PAP connection at four points in time. Key values are
    taken from the supplicant's own debug log. Expectations per stage:

      associated            password, PMK, KCK, KEK present; TK and GTK absent
      after disassociation  KCK, KEK, TK, GTK must be gone
      after PMKSA flush +   PMK must be gone
        identity change
      after REMOVE_NETWORK  password, PMK, MSK, EMSK and all PTK parts gone

    Raises HwsimSkip when the first snapshot does not even contain the
    password/PMK (the memory read presumably could not cover them), and
    Exception on any leftover key material.
    """
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long random-looking password so a memory search cannot hit it by
    # accident in unrelated data.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    # Network id of the created profile (shadows the builtin id(); kept as
    # is because this is documentation-only). Used below to change the
    # identity, which invalidates the EAP fast re-auth data.
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    time.sleep(0.1)
    # Snapshot 1: while associated
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Re-open the log so the key hexdumps of this connection can be parsed.
    dev[0].relog()
    msk = None
    emsk = None
    pmk = None
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            # Hexdump lines: the 4th ':'-separated field holds the bytes
            # (the log lines carry a timestamp prefix before the module tag).
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:
        raise Exception("Unexpected GTK length")

    # PTK layout assumed here: 16-byte KCK | 16-byte KEK | 16-byte TK
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # Prefix for the memory-context dumps verify_not_present() writes on a
    # hit, so a leak can be inspected after the run.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Missing password/PMK here is treated as "snapshot not usable" rather
    # than as a leak-check failure.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # TK and GTK must not linger in the supplicant even while the link is
    # up (they are expected to be cleared once handed to the driver).
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    # Snapshot 2: after disassociation
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Flush the PMKSA cache and change the identity so that the cached EAP
    # fast re-auth state is dropped as well; only then may the PMK be gone.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    # Snapshot 3
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    # Snapshot 4: nothing credential- or key-related may remain
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")