]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_eap.py
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
13 logger
= logging
.getLogger()
20 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
21 from wpasupplicant
import WpaSupplicant
22 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
26 openssl_imported
= True
28 openssl_imported
= False
30 def check_hlr_auc_gw_support():
31 if not os
.path
.exists("/tmp/hlr_auc_gw.sock"):
32 raise HwsimSkip("No hlr_auc_gw available")
34 def check_eap_capa(dev
, method
):
35 res
= dev
.get_capability("eap")
37 raise HwsimSkip("EAP method %s not supported in the build" % method
)
39 def check_subject_match_support(dev
):
40 tls
= dev
.request("GET tls_library")
41 if not tls
.startswith("OpenSSL"):
42 raise HwsimSkip("subject_match not supported with this TLS library: " + tls
)
44 def check_altsubject_match_support(dev
):
45 tls
= dev
.request("GET tls_library")
46 if not tls
.startswith("OpenSSL"):
47 raise HwsimSkip("altsubject_match not supported with this TLS library: " + tls
)
49 def check_domain_match(dev
):
50 tls
= dev
.request("GET tls_library")
51 if tls
.startswith("internal"):
52 raise HwsimSkip("domain_match not supported with this TLS library: " + tls
)
54 def check_domain_suffix_match(dev
):
55 tls
= dev
.request("GET tls_library")
56 if tls
.startswith("internal"):
57 raise HwsimSkip("domain_suffix_match not supported with this TLS library: " + tls
)
59 def check_domain_match_full(dev
):
60 tls
= dev
.request("GET tls_library")
61 if not tls
.startswith("OpenSSL"):
62 raise HwsimSkip("domain_suffix_match requires full match with this TLS library: " + tls
)
64 def check_cert_probe_support(dev
):
65 tls
= dev
.request("GET tls_library")
66 if not tls
.startswith("OpenSSL") and not tls
.startswith("internal"):
67 raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls
)
69 def check_ext_cert_check_support(dev
):
70 tls
= dev
.request("GET tls_library")
71 if not tls
.startswith("OpenSSL"):
72 raise HwsimSkip("ext_cert_check not supported with this TLS library: " + tls
)
74 def check_ocsp_support(dev
):
75 tls
= dev
.request("GET tls_library")
76 if tls
.startswith("internal"):
77 raise HwsimSkip("OCSP not supported with this TLS library: " + tls
)
78 #if "BoringSSL" in tls:
79 # raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
81 def check_pkcs12_support(dev
):
82 tls
= dev
.request("GET tls_library")
83 if tls
.startswith("internal"):
84 raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls
)
86 def check_dh_dsa_support(dev
):
87 tls
= dev
.request("GET tls_library")
88 if tls
.startswith("internal"):
89 raise HwsimSkip("DH DSA not supported with this TLS library: " + tls
)
92 with
open(fname
, "r") as f
:
101 if "-----BEGIN" in l
:
103 return base64
.b64decode(cert
)
105 def eap_connect(dev
, ap
, method
, identity
,
106 sha256
=False, expect_failure
=False, local_error_report
=False,
107 maybe_local_error
=False, **kwargs
):
108 hapd
= hostapd
.Hostapd(ap
['ifname'])
109 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
110 eap
=method
, identity
=identity
,
111 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
113 eap_check_auth(dev
, method
, True, sha256
=sha256
,
114 expect_failure
=expect_failure
,
115 local_error_report
=local_error_report
,
116 maybe_local_error
=maybe_local_error
)
119 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
121 raise Exception("No connection event received from hostapd")
124 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
125 expect_failure
=False, local_error_report
=False,
126 maybe_local_error
=False):
127 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
129 raise Exception("Association and EAP start timed out")
130 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
131 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
133 raise Exception("EAP method selection timed out")
134 if "CTRL-EVENT-EAP-FAILURE" in ev
:
135 if maybe_local_error
:
137 raise Exception("Could not select EAP method")
139 raise Exception("Unexpected EAP method")
141 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
143 raise Exception("EAP failure timed out")
144 ev
= dev
.wait_disconnected(timeout
=10)
145 if maybe_local_error
and "locally_generated=1" in ev
:
147 if not local_error_report
:
148 if "reason=23" not in ev
:
149 raise Exception("Proper reason code for disconnection not reported")
151 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
153 raise Exception("EAP success timed out")
156 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
158 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
160 raise Exception("Association with the AP timed out")
161 status
= dev
.get_status()
162 if status
["wpa_state"] != "COMPLETED":
163 raise Exception("Connection not completed")
165 if status
["suppPortStatus"] != "Authorized":
166 raise Exception("Port not authorized")
167 if method
not in status
["selectedMethod"]:
168 raise Exception("Incorrect EAP method status")
170 e
= "WPA2-EAP-SHA256"
172 e
= "WPA2/IEEE 802.1X/EAP"
174 e
= "WPA/IEEE 802.1X/EAP"
175 if status
["key_mgmt"] != e
:
176 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
179 def eap_reauth(dev
, method
, rsn
=True, sha256
=False, expect_failure
=False):
180 dev
.request("REAUTHENTICATE")
181 return eap_check_auth(dev
, method
, False, rsn
=rsn
, sha256
=sha256
,
182 expect_failure
=expect_failure
)
184 def test_ap_wpa2_eap_sim(dev
, apdev
):
185 """WPA2-Enterprise connection using EAP-SIM"""
186 check_hlr_auc_gw_support()
187 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
188 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
189 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
190 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
191 hwsim_utils
.test_connectivity(dev
[0], hapd
)
192 eap_reauth(dev
[0], "SIM")
194 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000001",
195 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
196 eap_connect(dev
[2], apdev
[0], "SIM", "1232010000000002",
197 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
200 logger
.info("Negative test with incorrect key")
201 dev
[0].request("REMOVE_NETWORK all")
202 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
203 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
206 logger
.info("Invalid GSM-Milenage key")
207 dev
[0].request("REMOVE_NETWORK all")
208 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
209 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
212 logger
.info("Invalid GSM-Milenage key(2)")
213 dev
[0].request("REMOVE_NETWORK all")
214 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
215 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
218 logger
.info("Invalid GSM-Milenage key(3)")
219 dev
[0].request("REMOVE_NETWORK all")
220 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
221 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
224 logger
.info("Invalid GSM-Milenage key(4)")
225 dev
[0].request("REMOVE_NETWORK all")
226 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
227 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
230 logger
.info("Missing key configuration")
231 dev
[0].request("REMOVE_NETWORK all")
232 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
235 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
236 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
237 check_hlr_auc_gw_support()
241 raise HwsimSkip("No sqlite3 module available")
242 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
243 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
244 params
['auth_server_port'] = "1814"
245 hostapd
.add_ap(apdev
[0]['ifname'], params
)
246 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
247 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
249 logger
.info("SIM fast re-authentication")
250 eap_reauth(dev
[0], "SIM")
252 logger
.info("SIM full auth with pseudonym")
255 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
256 eap_reauth(dev
[0], "SIM")
258 logger
.info("SIM full auth with permanent identity")
261 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
262 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
263 eap_reauth(dev
[0], "SIM")
265 logger
.info("SIM reauth with mismatching MK")
268 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
269 eap_reauth(dev
[0], "SIM", expect_failure
=True)
270 dev
[0].request("REMOVE_NETWORK all")
272 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
273 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
276 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
277 eap_reauth(dev
[0], "SIM")
280 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
281 logger
.info("SIM reauth with mismatching counter")
282 eap_reauth(dev
[0], "SIM")
283 dev
[0].request("REMOVE_NETWORK all")
285 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
286 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
289 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
290 logger
.info("SIM reauth with max reauth count reached")
291 eap_reauth(dev
[0], "SIM")
293 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
294 """EAP-SIM configuration options"""
295 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
296 hostapd
.add_ap(apdev
[0]['ifname'], params
)
297 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
298 identity
="1232010000000000",
299 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
300 phase1
="sim_min_num_chal=1",
301 wait_connect
=False, scan_freq
="2412")
302 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
304 raise Exception("No EAP error message seen")
305 dev
[0].request("REMOVE_NETWORK all")
307 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
308 identity
="1232010000000000",
309 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
310 phase1
="sim_min_num_chal=4",
311 wait_connect
=False, scan_freq
="2412")
312 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
314 raise Exception("No EAP error message seen (2)")
315 dev
[0].request("REMOVE_NETWORK all")
317 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
318 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1
="sim_min_num_chal=2")
320 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
321 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
322 anonymous_identity
="345678")
324 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
325 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
327 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
329 dev
[0].request("SET external_sim 0")
331 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
332 check_hlr_auc_gw_support()
333 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
334 hostapd
.add_ap(apdev
[0]['ifname'], params
)
335 dev
[0].request("SET external_sim 1")
336 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
337 identity
="1232010000000000",
338 wait_connect
=False, scan_freq
="2412")
339 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
341 raise Exception("Network connected timed out")
343 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
345 raise Exception("Wait for external SIM processing request timed out")
347 if p
[1] != "GSM-AUTH":
348 raise Exception("Unexpected CTRL-REQ-SIM type")
349 rid
= p
[0].split('-')[3]
352 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
353 # This will fail during processing, but the ctrl_iface command succeeds
354 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
355 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
357 raise Exception("EAP failure not reported")
358 dev
[0].request("DISCONNECT")
359 dev
[0].wait_disconnected()
362 dev
[0].select_network(id, freq
="2412")
363 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
365 raise Exception("Wait for external SIM processing request timed out")
367 if p
[1] != "GSM-AUTH":
368 raise Exception("Unexpected CTRL-REQ-SIM type")
369 rid
= p
[0].split('-')[3]
370 # This will fail during GSM auth validation
371 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
372 raise Exception("CTRL-RSP-SIM failed")
373 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
375 raise Exception("EAP failure not reported")
376 dev
[0].request("DISCONNECT")
377 dev
[0].wait_disconnected()
380 dev
[0].select_network(id, freq
="2412")
381 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
383 raise Exception("Wait for external SIM processing request timed out")
385 if p
[1] != "GSM-AUTH":
386 raise Exception("Unexpected CTRL-REQ-SIM type")
387 rid
= p
[0].split('-')[3]
388 # This will fail during GSM auth validation
389 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
390 raise Exception("CTRL-RSP-SIM failed")
391 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
393 raise Exception("EAP failure not reported")
394 dev
[0].request("DISCONNECT")
395 dev
[0].wait_disconnected()
398 dev
[0].select_network(id, freq
="2412")
399 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
401 raise Exception("Wait for external SIM processing request timed out")
403 if p
[1] != "GSM-AUTH":
404 raise Exception("Unexpected CTRL-REQ-SIM type")
405 rid
= p
[0].split('-')[3]
406 # This will fail during GSM auth validation
407 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
408 raise Exception("CTRL-RSP-SIM failed")
409 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
411 raise Exception("EAP failure not reported")
412 dev
[0].request("DISCONNECT")
413 dev
[0].wait_disconnected()
416 dev
[0].select_network(id, freq
="2412")
417 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
419 raise Exception("Wait for external SIM processing request timed out")
421 if p
[1] != "GSM-AUTH":
422 raise Exception("Unexpected CTRL-REQ-SIM type")
423 rid
= p
[0].split('-')[3]
424 # This will fail during GSM auth validation
425 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
426 raise Exception("CTRL-RSP-SIM failed")
427 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
429 raise Exception("EAP failure not reported")
430 dev
[0].request("DISCONNECT")
431 dev
[0].wait_disconnected()
434 dev
[0].select_network(id, freq
="2412")
435 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
437 raise Exception("Wait for external SIM processing request timed out")
439 if p
[1] != "GSM-AUTH":
440 raise Exception("Unexpected CTRL-REQ-SIM type")
441 rid
= p
[0].split('-')[3]
442 # This will fail during GSM auth validation
443 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
444 raise Exception("CTRL-RSP-SIM failed")
445 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
447 raise Exception("EAP failure not reported")
448 dev
[0].request("DISCONNECT")
449 dev
[0].wait_disconnected()
452 dev
[0].select_network(id, freq
="2412")
453 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
455 raise Exception("Wait for external SIM processing request timed out")
457 if p
[1] != "GSM-AUTH":
458 raise Exception("Unexpected CTRL-REQ-SIM type")
459 rid
= p
[0].split('-')[3]
460 # This will fail during GSM auth validation
461 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
462 raise Exception("CTRL-RSP-SIM failed")
463 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
465 raise Exception("EAP failure not reported")
467 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
468 """EAP-SIM and OOM"""
469 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
470 hostapd
.add_ap(apdev
[0]['ifname'], params
)
471 tests
= [ (1, "milenage_f2345"),
472 (2, "milenage_f2345"),
473 (3, "milenage_f2345"),
474 (4, "milenage_f2345"),
475 (5, "milenage_f2345"),
476 (6, "milenage_f2345"),
477 (7, "milenage_f2345"),
478 (8, "milenage_f2345"),
479 (9, "milenage_f2345"),
480 (10, "milenage_f2345"),
481 (11, "milenage_f2345"),
482 (12, "milenage_f2345") ]
483 for count
, func
in tests
:
484 with
alloc_fail(dev
[0], count
, func
):
485 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
486 identity
="1232010000000000",
487 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
488 wait_connect
=False, scan_freq
="2412")
489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
491 raise Exception("EAP method not selected")
492 dev
[0].wait_disconnected()
493 dev
[0].request("REMOVE_NETWORK all")
495 def test_ap_wpa2_eap_aka(dev
, apdev
):
496 """WPA2-Enterprise connection using EAP-AKA"""
497 check_hlr_auc_gw_support()
498 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
499 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
500 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
501 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
502 hwsim_utils
.test_connectivity(dev
[0], hapd
)
503 eap_reauth(dev
[0], "AKA")
505 logger
.info("Negative test with incorrect key")
506 dev
[0].request("REMOVE_NETWORK all")
507 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
508 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
511 logger
.info("Invalid Milenage key")
512 dev
[0].request("REMOVE_NETWORK all")
513 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
514 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
517 logger
.info("Invalid Milenage key(2)")
518 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
519 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
522 logger
.info("Invalid Milenage key(3)")
523 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
524 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
527 logger
.info("Invalid Milenage key(4)")
528 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
529 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
532 logger
.info("Invalid Milenage key(5)")
533 dev
[0].request("REMOVE_NETWORK all")
534 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
535 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
538 logger
.info("Invalid Milenage key(6)")
539 dev
[0].request("REMOVE_NETWORK all")
540 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
541 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
544 logger
.info("Missing key configuration")
545 dev
[0].request("REMOVE_NETWORK all")
546 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
549 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
550 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
551 check_hlr_auc_gw_support()
555 raise HwsimSkip("No sqlite3 module available")
556 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
557 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
558 params
['auth_server_port'] = "1814"
559 hostapd
.add_ap(apdev
[0]['ifname'], params
)
560 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
561 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
563 logger
.info("AKA fast re-authentication")
564 eap_reauth(dev
[0], "AKA")
566 logger
.info("AKA full auth with pseudonym")
569 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
570 eap_reauth(dev
[0], "AKA")
572 logger
.info("AKA full auth with permanent identity")
575 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
576 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
577 eap_reauth(dev
[0], "AKA")
579 logger
.info("AKA reauth with mismatching MK")
582 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
583 eap_reauth(dev
[0], "AKA", expect_failure
=True)
584 dev
[0].request("REMOVE_NETWORK all")
586 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
587 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
590 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
591 eap_reauth(dev
[0], "AKA")
594 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
595 logger
.info("AKA reauth with mismatching counter")
596 eap_reauth(dev
[0], "AKA")
597 dev
[0].request("REMOVE_NETWORK all")
599 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
600 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
603 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
604 logger
.info("AKA reauth with max reauth count reached")
605 eap_reauth(dev
[0], "AKA")
607 def test_ap_wpa2_eap_aka_config(dev
, apdev
):
608 """EAP-AKA configuration options"""
609 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
610 hostapd
.add_ap(apdev
[0]['ifname'], params
)
611 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
612 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
613 anonymous_identity
="2345678")
615 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
616 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
618 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
620 dev
[0].request("SET external_sim 0")
622 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
623 check_hlr_auc_gw_support()
624 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
625 hostapd
.add_ap(apdev
[0]['ifname'], params
)
626 dev
[0].request("SET external_sim 1")
627 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
628 identity
="0232010000000000",
629 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
630 wait_connect
=False, scan_freq
="2412")
631 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
633 raise Exception("Network connected timed out")
635 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
637 raise Exception("Wait for external SIM processing request timed out")
639 if p
[1] != "UMTS-AUTH":
640 raise Exception("Unexpected CTRL-REQ-SIM type")
641 rid
= p
[0].split('-')[3]
644 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
645 # This will fail during processing, but the ctrl_iface command succeeds
646 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
647 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
649 raise Exception("EAP failure not reported")
650 dev
[0].request("DISCONNECT")
651 dev
[0].wait_disconnected()
653 dev
[0].dump_monitor()
655 dev
[0].select_network(id, freq
="2412")
656 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
658 raise Exception("Wait for external SIM processing request timed out")
660 if p
[1] != "UMTS-AUTH":
661 raise Exception("Unexpected CTRL-REQ-SIM type")
662 rid
= p
[0].split('-')[3]
663 # This will fail during UMTS auth validation
664 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
665 raise Exception("CTRL-RSP-SIM failed")
666 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
668 raise Exception("Wait for external SIM processing request timed out")
670 if p
[1] != "UMTS-AUTH":
671 raise Exception("Unexpected CTRL-REQ-SIM type")
672 rid
= p
[0].split('-')[3]
673 # This will fail during UMTS auth validation
674 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
675 raise Exception("CTRL-RSP-SIM failed")
676 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
678 raise Exception("EAP failure not reported")
679 dev
[0].request("DISCONNECT")
680 dev
[0].wait_disconnected()
682 dev
[0].dump_monitor()
684 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
686 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
687 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
688 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
689 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
690 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
692 dev
[0].select_network(id, freq
="2412")
693 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
695 raise Exception("Wait for external SIM processing request timed out")
697 if p
[1] != "UMTS-AUTH":
698 raise Exception("Unexpected CTRL-REQ-SIM type")
699 rid
= p
[0].split('-')[3]
700 # This will fail during UMTS auth validation
701 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
702 raise Exception("CTRL-RSP-SIM failed")
703 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
705 raise Exception("EAP failure not reported")
706 dev
[0].request("DISCONNECT")
707 dev
[0].wait_disconnected()
709 dev
[0].dump_monitor()
711 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
712 """WPA2-Enterprise connection using EAP-AKA'"""
713 check_hlr_auc_gw_support()
714 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
715 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
716 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
717 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
718 hwsim_utils
.test_connectivity(dev
[0], hapd
)
719 eap_reauth(dev
[0], "AKA'")
721 logger
.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
722 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="AKA' AKA",
723 identity
="6555444333222111@both",
724 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
725 wait_connect
=False, scan_freq
="2412")
726 dev
[1].wait_connected(timeout
=15)
728 logger
.info("Negative test with incorrect key")
729 dev
[0].request("REMOVE_NETWORK all")
730 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
731 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
734 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
735 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
736 check_hlr_auc_gw_support()
740 raise HwsimSkip("No sqlite3 module available")
741 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
742 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
743 params
['auth_server_port'] = "1814"
744 hostapd
.add_ap(apdev
[0]['ifname'], params
)
745 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
746 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
748 logger
.info("AKA' fast re-authentication")
749 eap_reauth(dev
[0], "AKA'")
751 logger
.info("AKA' full auth with pseudonym")
754 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
755 eap_reauth(dev
[0], "AKA'")
757 logger
.info("AKA' full auth with permanent identity")
760 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
761 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
762 eap_reauth(dev
[0], "AKA'")
764 logger
.info("AKA' reauth with mismatching k_aut")
767 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
768 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
769 dev
[0].request("REMOVE_NETWORK all")
771 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
772 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
775 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
776 eap_reauth(dev
[0], "AKA'")
779 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
780 logger
.info("AKA' reauth with mismatching counter")
781 eap_reauth(dev
[0], "AKA'")
782 dev
[0].request("REMOVE_NETWORK all")
784 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
785 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
788 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
789 logger
.info("AKA' reauth with max reauth count reached")
790 eap_reauth(dev
[0], "AKA'")
792 def test_ap_wpa2_eap_ttls_pap(dev
, apdev
):
793 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
794 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
795 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
796 key_mgmt
= hapd
.get_config()['key_mgmt']
797 if key_mgmt
.split(' ')[0] != "WPA-EAP":
798 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
799 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
800 anonymous_identity
="ttls", password
="password",
801 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
802 hwsim_utils
.test_connectivity(dev
[0], hapd
)
803 eap_reauth(dev
[0], "TTLS")
804 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
805 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
807 def test_ap_wpa2_eap_ttls_pap_subject_match(dev
, apdev
):
808 """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
809 check_subject_match_support(dev
[0])
810 check_altsubject_match_support(dev
[0])
811 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
812 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
813 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
814 anonymous_identity
="ttls", password
="password",
815 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
816 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
817 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
818 eap_reauth(dev
[0], "TTLS")
820 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev
, apdev
):
821 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
822 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
823 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
824 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
825 anonymous_identity
="ttls", password
="wrong",
826 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
828 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
829 anonymous_identity
="ttls", password
="password",
830 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
833 def test_ap_wpa2_eap_ttls_chap(dev
, apdev
):
834 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
835 skip_with_fips(dev
[0])
836 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
837 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
838 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
839 anonymous_identity
="ttls", password
="password",
840 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
841 hwsim_utils
.test_connectivity(dev
[0], hapd
)
842 eap_reauth(dev
[0], "TTLS")
844 def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev
, apdev
):
845 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
846 skip_with_fips(dev
[0])
847 check_altsubject_match_support(dev
[0])
848 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
849 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
850 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
851 anonymous_identity
="ttls", password
="password",
852 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP",
853 altsubject_match
="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
854 eap_reauth(dev
[0], "TTLS")
856 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev
, apdev
):
857 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
858 skip_with_fips(dev
[0])
859 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
860 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
861 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
862 anonymous_identity
="ttls", password
="wrong",
863 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
865 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
866 anonymous_identity
="ttls", password
="password",
867 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP",
870 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
871 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
872 skip_with_fips(dev
[0])
873 check_domain_suffix_match(dev
[0])
874 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
875 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
876 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
877 anonymous_identity
="ttls", password
="password",
878 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
879 domain_suffix_match
="server.w1.fi")
880 hwsim_utils
.test_connectivity(dev
[0], hapd
)
881 eap_reauth(dev
[0], "TTLS")
882 dev
[0].request("REMOVE_NETWORK all")
883 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
884 anonymous_identity
="ttls", password
="password",
885 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
888 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev
, apdev
):
889 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
890 skip_with_fips(dev
[0])
891 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
892 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
893 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
894 anonymous_identity
="ttls", password
="wrong",
895 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
897 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
898 anonymous_identity
="ttls", password
="password",
899 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
901 eap_connect(dev
[2], apdev
[0], "TTLS", "no such user",
902 anonymous_identity
="ttls", password
="password",
903 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
906 def test_ap_wpa2_eap_ttls_mschapv2(dev
, apdev
):
907 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
908 check_domain_suffix_match(dev
[0])
909 check_eap_capa(dev
[0], "MSCHAPV2")
910 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
911 hostapd
.add_ap(apdev
[0]['ifname'], params
)
912 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
913 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
914 anonymous_identity
="ttls", password
="password",
915 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
916 domain_suffix_match
="server.w1.fi")
917 hwsim_utils
.test_connectivity(dev
[0], hapd
)
918 sta1
= hapd
.get_sta(dev
[0].p2p_interface_addr())
919 eapol1
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
920 eap_reauth(dev
[0], "TTLS")
921 sta2
= hapd
.get_sta(dev
[0].p2p_interface_addr())
922 eapol2
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
923 if int(sta2
['dot1xAuthEapolFramesRx']) <= int(sta1
['dot1xAuthEapolFramesRx']):
924 raise Exception("dot1xAuthEapolFramesRx did not increase")
925 if int(eapol2
['authAuthEapStartsWhileAuthenticated']) < 1:
926 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
927 if int(eapol2
['backendAuthSuccesses']) <= int(eapol1
['backendAuthSuccesses']):
928 raise Exception("backendAuthSuccesses did not increase")
930 logger
.info("Password as hash value")
931 dev
[0].request("REMOVE_NETWORK all")
932 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
933 anonymous_identity
="ttls",
934 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
935 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
937 def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev
, apdev
):
938 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
939 check_domain_match_full(dev
[0])
940 skip_with_fips(dev
[0])
941 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
942 hostapd
.add_ap(apdev
[0]['ifname'], params
)
943 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
944 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
945 anonymous_identity
="ttls", password
="password",
946 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
947 domain_suffix_match
="w1.fi")
948 hwsim_utils
.test_connectivity(dev
[0], hapd
)
949 eap_reauth(dev
[0], "TTLS")
951 def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev
, apdev
):
952 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
953 check_domain_match(dev
[0])
954 skip_with_fips(dev
[0])
955 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
956 hostapd
.add_ap(apdev
[0]['ifname'], params
)
957 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
958 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
959 anonymous_identity
="ttls", password
="password",
960 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
961 domain_match
="Server.w1.fi")
962 hwsim_utils
.test_connectivity(dev
[0], hapd
)
963 eap_reauth(dev
[0], "TTLS")
965 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev
, apdev
):
966 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
967 skip_with_fips(dev
[0])
968 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
969 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
970 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
971 anonymous_identity
="ttls", password
="password1",
972 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
974 eap_connect(dev
[1], apdev
[0], "TTLS", "user",
975 anonymous_identity
="ttls", password
="password",
976 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
979 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
980 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
981 skip_with_fips(dev
[0])
982 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
983 hostapd
.add_ap(apdev
[0]['ifname'], params
)
984 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
985 eap_connect(dev
[0], apdev
[0], "TTLS", "utf8-user-hash",
986 anonymous_identity
="ttls", password
="secret-åäö-€-password",
987 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
988 eap_connect(dev
[1], apdev
[0], "TTLS", "utf8-user",
989 anonymous_identity
="ttls",
990 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
991 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
992 for p
in [ "80", "41c041e04141e041", 257*"41" ]:
993 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
994 eap
="TTLS", identity
="utf8-user-hash",
995 anonymous_identity
="ttls", password_hex
=p
,
996 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
997 wait_connect
=False, scan_freq
="2412")
998 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1000 raise Exception("No failure reported")
1001 dev
[2].request("REMOVE_NETWORK all")
1002 dev
[2].wait_disconnected()
1004 def test_ap_wpa2_eap_ttls_eap_gtc(dev
, apdev
):
1005 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
1006 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1007 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1008 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1009 anonymous_identity
="ttls", password
="password",
1010 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
1011 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1012 eap_reauth(dev
[0], "TTLS")
1014 def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev
, apdev
):
1015 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
1016 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1017 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1018 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1019 anonymous_identity
="ttls", password
="wrong",
1020 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1021 expect_failure
=True)
1023 def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev
, apdev
):
1024 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
1025 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1026 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1027 eap_connect(dev
[0], apdev
[0], "TTLS", "user-no-passwd",
1028 anonymous_identity
="ttls", password
="password",
1029 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1030 expect_failure
=True)
1032 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1033 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1034 params
= int_eap_server_params()
1035 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1036 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1037 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1038 anonymous_identity
="ttls", password
="password",
1039 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1040 expect_failure
=True)
1041 dev
[0].request("REMOVE_NETWORK all")
1043 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1044 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1045 eap
="TTLS", identity
="user",
1046 anonymous_identity
="ttls", password
="password",
1047 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1048 wait_connect
=False, scan_freq
="2412")
1049 # This would eventually time out, but we can stop after having reached
1050 # the allocation failure.
1053 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1056 def test_ap_wpa2_eap_ttls_eap_md5(dev
, apdev
):
1057 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
1058 check_eap_capa(dev
[0], "MD5")
1059 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1060 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1061 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1062 anonymous_identity
="ttls", password
="password",
1063 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5")
1064 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1065 eap_reauth(dev
[0], "TTLS")
1067 def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev
, apdev
):
1068 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
1069 check_eap_capa(dev
[0], "MD5")
1070 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1071 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1072 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1073 anonymous_identity
="ttls", password
="wrong",
1074 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1075 expect_failure
=True)
1077 def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev
, apdev
):
1078 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
1079 check_eap_capa(dev
[0], "MD5")
1080 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1081 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1082 eap_connect(dev
[0], apdev
[0], "TTLS", "user-no-passwd",
1083 anonymous_identity
="ttls", password
="password",
1084 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1085 expect_failure
=True)
1087 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1088 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1089 check_eap_capa(dev
[0], "MD5")
1090 params
= int_eap_server_params()
1091 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1092 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1093 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1094 anonymous_identity
="ttls", password
="password",
1095 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1096 expect_failure
=True)
1097 dev
[0].request("REMOVE_NETWORK all")
1099 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1100 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1101 eap
="TTLS", identity
="user",
1102 anonymous_identity
="ttls", password
="password",
1103 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1104 wait_connect
=False, scan_freq
="2412")
1105 # This would eventually time out, but we can stop after having reached
1106 # the allocation failure.
1109 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1112 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev
, apdev
):
1113 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
1114 check_eap_capa(dev
[0], "MSCHAPV2")
1115 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1116 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1117 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1118 anonymous_identity
="ttls", password
="password",
1119 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2")
1120 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1121 eap_reauth(dev
[0], "TTLS")
1123 logger
.info("Negative test with incorrect password")
1124 dev
[0].request("REMOVE_NETWORK all")
1125 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1126 anonymous_identity
="ttls", password
="password1",
1127 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1128 expect_failure
=True)
1130 def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev
, apdev
):
1131 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
1132 check_eap_capa(dev
[0], "MSCHAPV2")
1133 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1134 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1135 eap_connect(dev
[0], apdev
[0], "TTLS", "user-no-passwd",
1136 anonymous_identity
="ttls", password
="password",
1137 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1138 expect_failure
=True)
1140 def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev
, apdev
):
1141 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM"""
1142 check_eap_capa(dev
[0], "MSCHAPV2")
1143 params
= int_eap_server_params()
1144 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1145 with
alloc_fail(hapd
, 1, "eap_mschapv2_init"):
1146 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
1147 anonymous_identity
="ttls", password
="password",
1148 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1149 expect_failure
=True)
1150 dev
[0].request("REMOVE_NETWORK all")
1152 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_challenge"):
1153 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1154 eap
="TTLS", identity
="user",
1155 anonymous_identity
="ttls", password
="password",
1156 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1157 wait_connect
=False, scan_freq
="2412")
1158 # This would eventually time out, but we can stop after having reached
1159 # the allocation failure.
1162 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1164 dev
[0].request("REMOVE_NETWORK all")
1166 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_success_req"):
1167 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1168 eap
="TTLS", identity
="user",
1169 anonymous_identity
="ttls", password
="password",
1170 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1171 wait_connect
=False, scan_freq
="2412")
1172 # This would eventually time out, but we can stop after having reached
1173 # the allocation failure.
1176 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1178 dev
[0].request("REMOVE_NETWORK all")
1180 with
alloc_fail(hapd
, 1, "eap_mschapv2_build_failure_req"):
1181 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1182 eap
="TTLS", identity
="user",
1183 anonymous_identity
="ttls", password
="wrong",
1184 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
1185 wait_connect
=False, scan_freq
="2412")
1186 # This would eventually time out, but we can stop after having reached
1187 # the allocation failure.
1190 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1192 dev
[0].request("REMOVE_NETWORK all")
1194 def test_ap_wpa2_eap_ttls_eap_aka(dev
, apdev
):
1195 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
1196 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1197 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1198 eap_connect(dev
[0], apdev
[0], "TTLS", "0232010000000000",
1199 anonymous_identity
="0232010000000000@ttls",
1200 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1201 ca_cert
="auth_serv/ca.pem", phase2
="autheap=AKA")
1203 def test_ap_wpa2_eap_peap_eap_aka(dev
, apdev
):
1204 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
1205 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1206 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1207 eap_connect(dev
[0], apdev
[0], "PEAP", "0232010000000000",
1208 anonymous_identity
="0232010000000000@peap",
1209 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1210 ca_cert
="auth_serv/ca.pem", phase2
="auth=AKA")
1212 def test_ap_wpa2_eap_fast_eap_aka(dev
, apdev
):
1213 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
1214 check_eap_capa(dev
[0], "FAST")
1215 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1216 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1217 eap_connect(dev
[0], apdev
[0], "FAST", "0232010000000000",
1218 anonymous_identity
="0232010000000000@fast",
1219 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
1220 phase1
="fast_provisioning=2",
1221 pac_file
="blob://fast_pac_auth_aka",
1222 ca_cert
="auth_serv/ca.pem", phase2
="auth=AKA")
1224 def test_ap_wpa2_eap_peap_eap_mschapv2(dev
, apdev
):
1225 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1226 check_eap_capa(dev
[0], "MSCHAPV2")
1227 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1228 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1229 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1230 anonymous_identity
="peap", password
="password",
1231 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1232 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1233 eap_reauth(dev
[0], "PEAP")
1234 dev
[0].request("REMOVE_NETWORK all")
1235 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1236 anonymous_identity
="peap", password
="password",
1237 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1238 fragment_size
="200")
1240 logger
.info("Password as hash value")
1241 dev
[0].request("REMOVE_NETWORK all")
1242 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1243 anonymous_identity
="peap",
1244 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
1245 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1247 logger
.info("Negative test with incorrect password")
1248 dev
[0].request("REMOVE_NETWORK all")
1249 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1250 anonymous_identity
="peap", password
="password1",
1251 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1252 expect_failure
=True)
1254 def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev
, apdev
):
1255 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain"""
1256 check_eap_capa(dev
[0], "MSCHAPV2")
1257 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1258 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1259 eap_connect(dev
[0], apdev
[0], "PEAP", "DOMAIN\user3",
1260 anonymous_identity
="peap", password
="password",
1261 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1262 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1263 eap_reauth(dev
[0], "PEAP")
1265 def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev
, apdev
):
1266 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
1267 check_eap_capa(dev
[0], "MSCHAPV2")
1268 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1269 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1270 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1271 anonymous_identity
="peap", password
="wrong",
1272 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1273 expect_failure
=True)
1275 def test_ap_wpa2_eap_peap_crypto_binding(dev
, apdev
):
1276 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
1277 check_eap_capa(dev
[0], "MSCHAPV2")
1278 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1279 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1280 eap_connect(dev
[0], apdev
[0], "PEAP", "user", password
="password",
1281 ca_cert
="auth_serv/ca.pem",
1282 phase1
="peapver=0 crypto_binding=2",
1283 phase2
="auth=MSCHAPV2")
1284 hwsim_utils
.test_connectivity(dev
[0], hapd
)
1285 eap_reauth(dev
[0], "PEAP")
1287 eap_connect(dev
[1], apdev
[0], "PEAP", "user", password
="password",
1288 ca_cert
="auth_serv/ca.pem",
1289 phase1
="peapver=0 crypto_binding=1",
1290 phase2
="auth=MSCHAPV2")
1291 eap_connect(dev
[2], apdev
[0], "PEAP", "user", password
="password",
1292 ca_cert
="auth_serv/ca.pem",
1293 phase1
="peapver=0 crypto_binding=0",
1294 phase2
="auth=MSCHAPV2")
1296 def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev
, apdev
):
1297 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
1298 check_eap_capa(dev
[0], "MSCHAPV2")
1299 params
= int_eap_server_params()
1300 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1301 with
alloc_fail(hapd
, 1, "eap_mschapv2_getKey"):
1302 eap_connect(dev
[0], apdev
[0], "PEAP", "user", password
="password",
1303 ca_cert
="auth_serv/ca.pem",
1304 phase1
="peapver=0 crypto_binding=2",
1305 phase2
="auth=MSCHAPV2",
1306 expect_failure
=True, local_error_report
=True)
1308 def test_ap_wpa2_eap_peap_params(dev
, apdev
):
1309 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1310 check_eap_capa(dev
[0], "MSCHAPV2")
1311 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1312 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1313 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
1314 anonymous_identity
="peap", password
="password",
1315 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1316 phase1
="peapver=0 peaplabel=1",
1317 expect_failure
=True)
1318 dev
[0].request("REMOVE_NETWORK all")
1319 eap_connect(dev
[1], apdev
[0], "PEAP", "user", password
="password",
1320 ca_cert
="auth_serv/ca.pem",
1321 phase1
="peap_outer_success=1",
1322 phase2
="auth=MSCHAPV2")
1323 eap_connect(dev
[2], apdev
[0], "PEAP", "user", password
="password",
1324 ca_cert
="auth_serv/ca.pem",
1325 phase1
="peap_outer_success=2",
1326 phase2
="auth=MSCHAPV2")
1327 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
1329 anonymous_identity
="peap", password
="password",
1330 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1331 phase1
="peapver=1 peaplabel=1",
1332 wait_connect
=False, scan_freq
="2412")
1333 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
1335 raise Exception("No EAP success seen")
1336 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=1)
1338 raise Exception("Unexpected connection")
1340 def test_ap_wpa2_eap_peap_eap_tls(dev
, apdev
):
1341 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
1342 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1343 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1344 eap_connect(dev
[0], apdev
[0], "PEAP", "cert user",
1345 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
1346 ca_cert2
="auth_serv/ca.pem",
1347 client_cert2
="auth_serv/user.pem",
1348 private_key2
="auth_serv/user.key")
1349 eap_reauth(dev
[0], "PEAP")
1351 def test_ap_wpa2_eap_tls(dev
, apdev
):
1352 """WPA2-Enterprise connection using EAP-TLS"""
1353 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1354 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1355 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
1356 client_cert
="auth_serv/user.pem",
1357 private_key
="auth_serv/user.key")
1358 eap_reauth(dev
[0], "TLS")
1360 def test_eap_tls_pkcs8_pkcs5_v2_des3(dev
, apdev
):
1361 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
1362 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1363 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1364 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
1365 client_cert
="auth_serv/user.pem",
1366 private_key
="auth_serv/user.key.pkcs8",
1367 private_key_passwd
="whatever")
1369 def test_eap_tls_pkcs8_pkcs5_v15(dev
, apdev
):
1370 """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
1371 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1372 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1373 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
1374 client_cert
="auth_serv/user.pem",
1375 private_key
="auth_serv/user.key.pkcs8.pkcs5v15",
1376 private_key_passwd
="whatever")
1378 def test_ap_wpa2_eap_tls_blob(dev
, apdev
):
1379 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
1380 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1381 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1382 cert
= read_pem("auth_serv/ca.pem")
1383 if "OK" not in dev
[0].request("SET blob cacert " + cert
.encode("hex")):
1384 raise Exception("Could not set cacert blob")
1385 cert
= read_pem("auth_serv/user.pem")
1386 if "OK" not in dev
[0].request("SET blob usercert " + cert
.encode("hex")):
1387 raise Exception("Could not set usercert blob")
1388 key
= read_pem("auth_serv/user.rsa-key")
1389 if "OK" not in dev
[0].request("SET blob userkey " + key
.encode("hex")):
1390 raise Exception("Could not set cacert blob")
1391 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="blob://cacert",
1392 client_cert
="blob://usercert",
1393 private_key
="blob://userkey")
1395 def test_ap_wpa2_eap_tls_pkcs12(dev
, apdev
):
1396 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1397 check_pkcs12_support(dev
[0])
1398 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1399 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1400 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
1401 private_key
="auth_serv/user.pkcs12",
1402 private_key_passwd
="whatever")
1403 dev
[0].request("REMOVE_NETWORK all")
1404 dev
[0].wait_disconnected()
1406 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
1407 identity
="tls user",
1408 ca_cert
="auth_serv/ca.pem",
1409 private_key
="auth_serv/user.pkcs12",
1410 wait_connect
=False, scan_freq
="2412")
1411 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1413 raise Exception("Request for private key passphrase timed out")
1414 id = ev
.split(':')[0].split('-')[-1]
1415 dev
[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1416 dev
[0].wait_connected(timeout
=10)
1417 dev
[0].request("REMOVE_NETWORK all")
1418 dev
[0].wait_disconnected()
1420 # Run this twice to verify certificate chain handling with OpenSSL. Use two
1421 # different files to cover both cases of the extra certificate being the
1422 # one that signed the client certificate and it being unrelated to the
1423 # client certificate.
1424 for pkcs12
in "auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12":
1426 eap_connect(dev
[0], apdev
[0], "TLS", "tls user",
1427 ca_cert
="auth_serv/ca.pem",
1429 private_key_passwd
="whatever")
1430 dev
[0].request("REMOVE_NETWORK all")
1431 dev
[0].wait_disconnected()
1433 def test_ap_wpa2_eap_tls_pkcs12_blob(dev
, apdev
):
1434 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
1435 check_pkcs12_support(dev
[0])
1436 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1437 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1438 cert
= read_pem("auth_serv/ca.pem")
1439 if "OK" not in dev
[0].request("SET blob cacert " + cert
.encode("hex")):
1440 raise Exception("Could not set cacert blob")
1441 with
open("auth_serv/user.pkcs12", "rb") as f
:
1442 if "OK" not in dev
[0].request("SET blob pkcs12 " + f
.read().encode("hex")):
1443 raise Exception("Could not set pkcs12 blob")
1444 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="blob://cacert",
1445 private_key
="blob://pkcs12",
1446 private_key_passwd
="whatever")
1448 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
1449 """WPA2-Enterprise negative test - incorrect trust root"""
1450 check_eap_capa(dev
[0], "MSCHAPV2")
1451 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1452 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1453 cert
= read_pem("auth_serv/ca-incorrect.pem")
1454 if "OK" not in dev
[0].request("SET blob cacert " + cert
.encode("hex")):
1455 raise Exception("Could not set cacert blob")
1456 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1457 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1458 password
="password", phase2
="auth=MSCHAPV2",
1459 ca_cert
="blob://cacert",
1460 wait_connect
=False, scan_freq
="2412")
1461 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1462 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1463 password
="password", phase2
="auth=MSCHAPV2",
1464 ca_cert
="auth_serv/ca-incorrect.pem",
1465 wait_connect
=False, scan_freq
="2412")
1467 for dev
in (dev
[0], dev
[1]):
1468 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1470 raise Exception("Association and EAP start timed out")
1472 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1474 raise Exception("EAP method selection timed out")
1475 if "TTLS" not in ev
:
1476 raise Exception("Unexpected EAP method")
1478 ev
= dev
.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1479 "CTRL-EVENT-EAP-SUCCESS",
1480 "CTRL-EVENT-EAP-FAILURE",
1481 "CTRL-EVENT-CONNECTED",
1482 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1484 raise Exception("EAP result timed out")
1485 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1486 raise Exception("TLS certificate error not reported")
1488 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1489 "CTRL-EVENT-EAP-FAILURE",
1490 "CTRL-EVENT-CONNECTED",
1491 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1493 raise Exception("EAP result(2) timed out")
1494 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1495 raise Exception("EAP failure not reported")
1497 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED",
1498 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1500 raise Exception("EAP result(3) timed out")
1501 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1502 raise Exception("Disconnection not reported")
1504 ev
= dev
.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1506 raise Exception("Network block disabling not reported")
1508 def test_ap_wpa2_eap_tls_diff_ca_trust(dev
, apdev
):
1509 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1510 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1511 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1512 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1513 identity
="pap user", anonymous_identity
="ttls",
1514 password
="password", phase2
="auth=PAP",
1515 ca_cert
="auth_serv/ca.pem",
1516 wait_connect
=True, scan_freq
="2412")
1517 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1518 identity
="pap user", anonymous_identity
="ttls",
1519 password
="password", phase2
="auth=PAP",
1520 ca_cert
="auth_serv/ca-incorrect.pem",
1521 only_add_network
=True, scan_freq
="2412")
1523 dev
[0].request("DISCONNECT")
1524 dev
[0].wait_disconnected()
1525 dev
[0].dump_monitor()
1526 dev
[0].select_network(id, freq
="2412")
1528 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1530 raise Exception("EAP-TTLS not re-started")
1532 ev
= dev
[0].wait_disconnected(timeout
=15)
1533 if "reason=23" not in ev
:
1534 raise Exception("Proper reason code for disconnection not reported")
1536 def test_ap_wpa2_eap_tls_diff_ca_trust2(dev
, apdev
):
1537 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1538 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1539 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1540 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1541 identity
="pap user", anonymous_identity
="ttls",
1542 password
="password", phase2
="auth=PAP",
1543 wait_connect
=True, scan_freq
="2412")
1544 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1545 identity
="pap user", anonymous_identity
="ttls",
1546 password
="password", phase2
="auth=PAP",
1547 ca_cert
="auth_serv/ca-incorrect.pem",
1548 only_add_network
=True, scan_freq
="2412")
1550 dev
[0].request("DISCONNECT")
1551 dev
[0].wait_disconnected()
1552 dev
[0].dump_monitor()
1553 dev
[0].select_network(id, freq
="2412")
1555 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1557 raise Exception("EAP-TTLS not re-started")
1559 ev
= dev
[0].wait_disconnected(timeout
=15)
1560 if "reason=23" not in ev
:
1561 raise Exception("Proper reason code for disconnection not reported")
1563 def test_ap_wpa2_eap_tls_diff_ca_trust3(dev
, apdev
):
1564 """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
1565 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1566 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
1567 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1568 identity
="pap user", anonymous_identity
="ttls",
1569 password
="password", phase2
="auth=PAP",
1570 ca_cert
="auth_serv/ca.pem",
1571 wait_connect
=True, scan_freq
="2412")
1572 dev
[0].request("DISCONNECT")
1573 dev
[0].wait_disconnected()
1574 dev
[0].dump_monitor()
1575 dev
[0].set_network_quoted(id, "ca_cert", "auth_serv/ca-incorrect.pem")
1576 dev
[0].select_network(id, freq
="2412")
1578 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout
=15)
1580 raise Exception("EAP-TTLS not re-started")
1582 ev
= dev
[0].wait_disconnected(timeout
=15)
1583 if "reason=23" not in ev
:
1584 raise Exception("Proper reason code for disconnection not reported")
1586 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
1587 """WPA2-Enterprise negative test - domain suffix mismatch"""
1588 check_domain_suffix_match(dev
[0])
1589 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1590 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1591 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1592 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1593 password
="password", phase2
="auth=MSCHAPV2",
1594 ca_cert
="auth_serv/ca.pem",
1595 domain_suffix_match
="incorrect.example.com",
1596 wait_connect
=False, scan_freq
="2412")
1598 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1600 raise Exception("Association and EAP start timed out")
1602 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1604 raise Exception("EAP method selection timed out")
1605 if "TTLS" not in ev
:
1606 raise Exception("Unexpected EAP method")
1608 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1609 "CTRL-EVENT-EAP-SUCCESS",
1610 "CTRL-EVENT-EAP-FAILURE",
1611 "CTRL-EVENT-CONNECTED",
1612 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1614 raise Exception("EAP result timed out")
1615 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1616 raise Exception("TLS certificate error not reported")
1617 if "Domain suffix mismatch" not in ev
:
1618 raise Exception("Domain suffix mismatch not reported")
1620 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1621 "CTRL-EVENT-EAP-FAILURE",
1622 "CTRL-EVENT-CONNECTED",
1623 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1625 raise Exception("EAP result(2) timed out")
1626 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1627 raise Exception("EAP failure not reported")
1629 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1630 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1632 raise Exception("EAP result(3) timed out")
1633 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1634 raise Exception("Disconnection not reported")
1636 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1638 raise Exception("Network block disabling not reported")
1640 def test_ap_wpa2_eap_tls_neg_domain_match(dev
, apdev
):
1641 """WPA2-Enterprise negative test - domain mismatch"""
1642 check_domain_match(dev
[0])
1643 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1644 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1645 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1646 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1647 password
="password", phase2
="auth=MSCHAPV2",
1648 ca_cert
="auth_serv/ca.pem",
1649 domain_match
="w1.fi",
1650 wait_connect
=False, scan_freq
="2412")
1652 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1654 raise Exception("Association and EAP start timed out")
1656 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
1658 raise Exception("EAP method selection timed out")
1659 if "TTLS" not in ev
:
1660 raise Exception("Unexpected EAP method")
1662 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1663 "CTRL-EVENT-EAP-SUCCESS",
1664 "CTRL-EVENT-EAP-FAILURE",
1665 "CTRL-EVENT-CONNECTED",
1666 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1668 raise Exception("EAP result timed out")
1669 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1670 raise Exception("TLS certificate error not reported")
1671 if "Domain mismatch" not in ev
:
1672 raise Exception("Domain mismatch not reported")
1674 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1675 "CTRL-EVENT-EAP-FAILURE",
1676 "CTRL-EVENT-CONNECTED",
1677 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1679 raise Exception("EAP result(2) timed out")
1680 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1681 raise Exception("EAP failure not reported")
1683 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1684 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1686 raise Exception("EAP result(3) timed out")
1687 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1688 raise Exception("Disconnection not reported")
1690 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1692 raise Exception("Network block disabling not reported")
1694 def test_ap_wpa2_eap_tls_neg_subject_match(dev
, apdev
):
1695 """WPA2-Enterprise negative test - subject mismatch"""
1696 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1697 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1698 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1699 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1700 password
="password", phase2
="auth=MSCHAPV2",
1701 ca_cert
="auth_serv/ca.pem",
1702 subject_match
="/C=FI/O=w1.fi/CN=example.com",
1703 wait_connect
=False, scan_freq
="2412")
1705 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1707 raise Exception("Association and EAP start timed out")
1709 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1710 "EAP: Failed to initialize EAP method"], timeout
=10)
1712 raise Exception("EAP method selection timed out")
1713 if "EAP: Failed to initialize EAP method" in ev
:
1714 tls
= dev
[0].request("GET tls_library")
1715 if tls
.startswith("OpenSSL"):
1716 raise Exception("Failed to select EAP method")
1717 logger
.info("subject_match not supported - connection failed, so test succeeded")
1719 if "TTLS" not in ev
:
1720 raise Exception("Unexpected EAP method")
1722 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1723 "CTRL-EVENT-EAP-SUCCESS",
1724 "CTRL-EVENT-EAP-FAILURE",
1725 "CTRL-EVENT-CONNECTED",
1726 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1728 raise Exception("EAP result timed out")
1729 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1730 raise Exception("TLS certificate error not reported")
1731 if "Subject mismatch" not in ev
:
1732 raise Exception("Subject mismatch not reported")
1734 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1735 "CTRL-EVENT-EAP-FAILURE",
1736 "CTRL-EVENT-CONNECTED",
1737 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1739 raise Exception("EAP result(2) timed out")
1740 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1741 raise Exception("EAP failure not reported")
1743 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1744 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1746 raise Exception("EAP result(3) timed out")
1747 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1748 raise Exception("Disconnection not reported")
1750 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1752 raise Exception("Network block disabling not reported")
1754 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
):
1755 """WPA2-Enterprise negative test - altsubject mismatch"""
1756 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1757 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1759 tests
= [ "incorrect.example.com",
1760 "DNS:incorrect.example.com",
1764 _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
)
1766 def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev
, apdev
, match
):
1767 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1768 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1769 password
="password", phase2
="auth=MSCHAPV2",
1770 ca_cert
="auth_serv/ca.pem",
1771 altsubject_match
=match
,
1772 wait_connect
=False, scan_freq
="2412")
1774 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1776 raise Exception("Association and EAP start timed out")
1778 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD",
1779 "EAP: Failed to initialize EAP method"], timeout
=10)
1781 raise Exception("EAP method selection timed out")
1782 if "EAP: Failed to initialize EAP method" in ev
:
1783 tls
= dev
[0].request("GET tls_library")
1784 if tls
.startswith("OpenSSL"):
1785 raise Exception("Failed to select EAP method")
1786 logger
.info("altsubject_match not supported - connection failed, so test succeeded")
1788 if "TTLS" not in ev
:
1789 raise Exception("Unexpected EAP method")
1791 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1792 "CTRL-EVENT-EAP-SUCCESS",
1793 "CTRL-EVENT-EAP-FAILURE",
1794 "CTRL-EVENT-CONNECTED",
1795 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1797 raise Exception("EAP result timed out")
1798 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
1799 raise Exception("TLS certificate error not reported")
1800 if "AltSubject mismatch" not in ev
:
1801 raise Exception("altsubject mismatch not reported")
1803 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1804 "CTRL-EVENT-EAP-FAILURE",
1805 "CTRL-EVENT-CONNECTED",
1806 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1808 raise Exception("EAP result(2) timed out")
1809 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
1810 raise Exception("EAP failure not reported")
1812 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
1813 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
1815 raise Exception("EAP result(3) timed out")
1816 if "CTRL-EVENT-DISCONNECTED" not in ev
:
1817 raise Exception("Disconnection not reported")
1819 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
1821 raise Exception("Network block disabling not reported")
1823 dev
[0].request("REMOVE_NETWORK all")
1825 def test_ap_wpa2_eap_unauth_tls(dev
, apdev
):
1826 """WPA2-Enterprise connection using UNAUTH-TLS"""
1827 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1828 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1829 eap_connect(dev
[0], apdev
[0], "UNAUTH-TLS", "unauth-tls",
1830 ca_cert
="auth_serv/ca.pem")
1831 eap_reauth(dev
[0], "UNAUTH-TLS")
1833 def test_ap_wpa2_eap_ttls_server_cert_hash(dev
, apdev
):
1834 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1835 check_cert_probe_support(dev
[0])
1836 skip_with_fips(dev
[0])
1837 srv_cert_hash
= "e75bd454c7b02d312e5006d75067c28ffa5baea422effeb2bbd572179cd000ca"
1838 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1839 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1840 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1841 identity
="probe", ca_cert
="probe://",
1842 wait_connect
=False, scan_freq
="2412")
1843 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1845 raise Exception("Association and EAP start timed out")
1846 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout
=10)
1848 raise Exception("No peer server certificate event seen")
1849 if "hash=" + srv_cert_hash
not in ev
:
1850 raise Exception("Expected server certificate hash not reported")
1851 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
1853 raise Exception("EAP result timed out")
1854 if "Server certificate chain probe" not in ev
:
1855 raise Exception("Server certificate probe not reported")
1856 dev
[0].wait_disconnected(timeout
=10)
1857 dev
[0].request("REMOVE_NETWORK all")
1859 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1860 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1861 password
="password", phase2
="auth=MSCHAPV2",
1862 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1863 wait_connect
=False, scan_freq
="2412")
1864 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1866 raise Exception("Association and EAP start timed out")
1867 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout
=10)
1869 raise Exception("EAP result timed out")
1870 if "Server certificate mismatch" not in ev
:
1871 raise Exception("Server certificate mismatch not reported")
1872 dev
[0].wait_disconnected(timeout
=10)
1873 dev
[0].request("REMOVE_NETWORK all")
1875 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
1876 anonymous_identity
="ttls", password
="password",
1877 ca_cert
="hash://server/sha256/" + srv_cert_hash
,
1878 phase2
="auth=MSCHAPV2")
1880 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev
, apdev
):
1881 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1882 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1883 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1884 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1885 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1886 password
="password", phase2
="auth=MSCHAPV2",
1887 ca_cert
="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1888 wait_connect
=False, scan_freq
="2412")
1889 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1890 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1891 password
="password", phase2
="auth=MSCHAPV2",
1892 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1893 wait_connect
=False, scan_freq
="2412")
1894 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1895 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
1896 password
="password", phase2
="auth=MSCHAPV2",
1897 ca_cert
="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1898 wait_connect
=False, scan_freq
="2412")
1899 for i
in range(0, 3):
1900 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
1902 raise Exception("Association and EAP start timed out")
1903 ev
= dev
[i
].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout
=5)
1905 raise Exception("Did not report EAP method initialization failure")
1907 def test_ap_wpa2_eap_pwd(dev
, apdev
):
1908 """WPA2-Enterprise connection using EAP-pwd"""
1909 check_eap_capa(dev
[0], "PWD")
1910 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1911 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1912 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret password")
1913 eap_reauth(dev
[0], "PWD")
1914 dev
[0].request("REMOVE_NETWORK all")
1916 eap_connect(dev
[1], apdev
[0], "PWD",
1917 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1918 password
="secret password",
1921 logger
.info("Negative test with incorrect password")
1922 eap_connect(dev
[2], apdev
[0], "PWD", "pwd user", password
="secret-password",
1923 expect_failure
=True, local_error_report
=True)
1925 eap_connect(dev
[0], apdev
[0], "PWD",
1926 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1927 password
="secret password",
1930 def test_ap_wpa2_eap_pwd_nthash(dev
, apdev
):
1931 """WPA2-Enterprise connection using EAP-pwd and NTHash"""
1932 check_eap_capa(dev
[0], "PWD")
1933 skip_with_fips(dev
[0])
1934 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1935 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1936 eap_connect(dev
[0], apdev
[0], "PWD", "pwd-hash", password
="secret password")
1937 eap_connect(dev
[1], apdev
[0], "PWD", "pwd-hash",
1938 password_hex
="hash:e3718ece8ab74792cbbfffd316d2d19a")
1939 eap_connect(dev
[2], apdev
[0], "PWD", "pwd user",
1940 password_hex
="hash:e3718ece8ab74792cbbfffd316d2d19a",
1941 expect_failure
=True, local_error_report
=True)
1943 def test_ap_wpa2_eap_pwd_groups(dev
, apdev
):
1944 """WPA2-Enterprise connection using various EAP-pwd groups"""
1945 check_eap_capa(dev
[0], "PWD")
1946 tls
= dev
[0].request("GET tls_library")
1947 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1948 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1949 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1950 groups
= [ 19, 20, 21, 25, 26 ]
1951 if tls
.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
1952 logger
.info("Add Brainpool EC groups since OpenSSL is new enough")
1953 groups
+= [ 27, 28, 29, 30 ]
1955 logger
.info("Group %d" % i
)
1956 params
['pwd_group'] = str(i
)
1957 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1959 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user",
1960 password
="secret password")
1961 dev
[0].request("REMOVE_NETWORK all")
1962 dev
[0].wait_disconnected()
1963 dev
[0].dump_monitor()
1965 if "BoringSSL" in tls
and i
in [ 25 ]:
1966 logger
.info("Ignore connection failure with group %d with BoringSSL" % i
)
1967 dev
[0].request("DISCONNECT")
1969 dev
[0].request("REMOVE_NETWORK all")
1970 dev
[0].dump_monitor()
1974 def test_ap_wpa2_eap_pwd_invalid_group(dev
, apdev
):
1975 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1976 check_eap_capa(dev
[0], "PWD")
1977 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1978 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1979 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1980 params
['pwd_group'] = "0"
1981 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1982 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PWD",
1983 identity
="pwd user", password
="secret password",
1984 scan_freq
="2412", wait_connect
=False)
1985 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1987 raise Exception("Timeout on EAP failure report")
1989 def test_ap_wpa2_eap_pwd_as_frag(dev
, apdev
):
1990 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1991 check_eap_capa(dev
[0], "PWD")
1992 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1993 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1994 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1995 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1996 "pwd_group": "19", "fragment_size": "40" }
1997 hostapd
.add_ap(apdev
[0]['ifname'], params
)
1998 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret password")
2000 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
2001 """WPA2-Enterprise connection using EAP-GPSK"""
2002 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2003 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2004 id = eap_connect(dev
[0], apdev
[0], "GPSK", "gpsk user",
2005 password
="abcdefghijklmnop0123456789abcdef")
2006 eap_reauth(dev
[0], "GPSK")
2008 logger
.info("Test forced algorithm selection")
2009 for phase1
in [ "cipher=1", "cipher=2" ]:
2010 dev
[0].set_network_quoted(id, "phase1", phase1
)
2011 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2013 raise Exception("EAP success timed out")
2014 dev
[0].wait_connected(timeout
=10)
2016 logger
.info("Test failed algorithm negotiation")
2017 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
2018 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2020 raise Exception("EAP failure timed out")
2022 logger
.info("Negative test with incorrect password")
2023 dev
[0].request("REMOVE_NETWORK all")
2024 eap_connect(dev
[0], apdev
[0], "GPSK", "gpsk user",
2025 password
="ffcdefghijklmnop0123456789abcdef",
2026 expect_failure
=True)
2028 def test_ap_wpa2_eap_sake(dev
, apdev
):
2029 """WPA2-Enterprise connection using EAP-SAKE"""
2030 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2031 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2032 eap_connect(dev
[0], apdev
[0], "SAKE", "sake user",
2033 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
2034 eap_reauth(dev
[0], "SAKE")
2036 logger
.info("Negative test with incorrect password")
2037 dev
[0].request("REMOVE_NETWORK all")
2038 eap_connect(dev
[0], apdev
[0], "SAKE", "sake user",
2039 password_hex
="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
2040 expect_failure
=True)
2042 def test_ap_wpa2_eap_eke(dev
, apdev
):
2043 """WPA2-Enterprise connection using EAP-EKE"""
2044 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2045 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2046 id = eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello")
2047 eap_reauth(dev
[0], "EKE")
2049 logger
.info("Test forced algorithm selection")
2050 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2",
2051 "dhgroup=4 encr=1 prf=2 mac=2",
2052 "dhgroup=3 encr=1 prf=2 mac=2",
2053 "dhgroup=3 encr=1 prf=1 mac=1" ]:
2054 dev
[0].set_network_quoted(id, "phase1", phase1
)
2055 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
2057 raise Exception("EAP success timed out")
2058 dev
[0].wait_connected(timeout
=10)
2060 logger
.info("Test failed algorithm negotiation")
2061 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
2062 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2064 raise Exception("EAP failure timed out")
2066 logger
.info("Negative test with incorrect password")
2067 dev
[0].request("REMOVE_NETWORK all")
2068 eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello1",
2069 expect_failure
=True)
2071 def test_ap_wpa2_eap_eke_serverid_nai(dev
, apdev
):
2072 """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
2073 params
= int_eap_server_params()
2074 params
['server_id'] = 'example.server@w1.fi'
2075 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2076 eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello")
2078 def test_ap_wpa2_eap_eke_server_oom(dev
, apdev
):
2079 """WPA2-Enterprise connection using EAP-EKE with server OOM"""
2080 params
= int_eap_server_params()
2081 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2082 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
2084 for count
,func
in [ (1, "eap_eke_build_commit"),
2085 (2, "eap_eke_build_commit"),
2086 (3, "eap_eke_build_commit"),
2087 (1, "eap_eke_build_confirm"),
2088 (2, "eap_eke_build_confirm"),
2089 (1, "eap_eke_process_commit"),
2090 (2, "eap_eke_process_commit"),
2091 (1, "eap_eke_process_confirm"),
2092 (1, "eap_eke_process_identity"),
2093 (2, "eap_eke_process_identity"),
2094 (3, "eap_eke_process_identity"),
2095 (4, "eap_eke_process_identity") ]:
2096 with
alloc_fail(hapd
, count
, func
):
2097 eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello",
2098 expect_failure
=True)
2099 dev
[0].request("REMOVE_NETWORK all")
2101 for count
,func
,pw
in [ (1, "eap_eke_init", "hello"),
2102 (1, "eap_eke_get_session_id", "hello"),
2103 (1, "eap_eke_getKey", "hello"),
2104 (1, "eap_eke_build_msg", "hello"),
2105 (1, "eap_eke_build_failure", "wrong"),
2106 (1, "eap_eke_build_identity", "hello"),
2107 (2, "eap_eke_build_identity", "hello") ]:
2108 with
alloc_fail(hapd
, count
, func
):
2109 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2110 eap
="EKE", identity
="eke user", password
=pw
,
2111 wait_connect
=False, scan_freq
="2412")
2112 # This would eventually time out, but we can stop after having
2113 # reached the allocation failure.
2116 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2118 dev
[0].request("REMOVE_NETWORK all")
2120 for count
in range(1, 1000):
2122 with
alloc_fail(hapd
, count
, "eap_server_sm_step"):
2123 dev
[0].connect("test-wpa2-eap",
2124 key_mgmt
="WPA-EAP WPA-EAP-SHA256",
2125 eap
="EKE", identity
="eke user", password
=pw
,
2126 wait_connect
=False, scan_freq
="2412")
2127 # This would eventually time out, but we can stop after having
2128 # reached the allocation failure.
2131 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
2133 dev
[0].request("REMOVE_NETWORK all")
2134 except Exception, e
:
2135 if str(e
) == "Allocation failure did not trigger":
2137 raise Exception("Too few allocation failures")
2138 logger
.info("%d allocation failures tested" % (count
- 1))
2142 def test_ap_wpa2_eap_ikev2(dev
, apdev
):
2143 """WPA2-Enterprise connection using EAP-IKEv2"""
2144 check_eap_capa(dev
[0], "IKEV2")
2145 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2146 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2147 eap_connect(dev
[0], apdev
[0], "IKEV2", "ikev2 user",
2148 password
="ike password")
2149 eap_reauth(dev
[0], "IKEV2")
2150 dev
[0].request("REMOVE_NETWORK all")
2151 eap_connect(dev
[0], apdev
[0], "IKEV2", "ikev2 user",
2152 password
="ike password", fragment_size
="50")
2154 logger
.info("Negative test with incorrect password")
2155 dev
[0].request("REMOVE_NETWORK all")
2156 eap_connect(dev
[0], apdev
[0], "IKEV2", "ikev2 user",
2157 password
="ike-password", expect_failure
=True)
2159 def test_ap_wpa2_eap_ikev2_as_frag(dev
, apdev
):
2160 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
2161 check_eap_capa(dev
[0], "IKEV2")
2162 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2163 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2164 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2165 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2166 "fragment_size": "50" }
2167 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2168 eap_connect(dev
[0], apdev
[0], "IKEV2", "ikev2 user",
2169 password
="ike password")
2170 eap_reauth(dev
[0], "IKEV2")
2172 def test_ap_wpa2_eap_ikev2_oom(dev
, apdev
):
2173 """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
2174 check_eap_capa(dev
[0], "IKEV2")
2175 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2176 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2178 tests
= [ (1, "dh_init"),
2180 (1, "dh_derive_shared") ]
2181 for count
, func
in tests
:
2182 with
alloc_fail(dev
[0], count
, func
):
2183 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2184 identity
="ikev2 user", password
="ike password",
2185 wait_connect
=False, scan_freq
="2412")
2186 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2188 raise Exception("EAP method not selected")
2190 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2193 dev
[0].request("REMOVE_NETWORK all")
2195 tests
= [ (1, "os_get_random;dh_init") ]
2196 for count
, func
in tests
:
2197 with
fail_test(dev
[0], count
, func
):
2198 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="IKEV2",
2199 identity
="ikev2 user", password
="ike password",
2200 wait_connect
=False, scan_freq
="2412")
2201 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2203 raise Exception("EAP method not selected")
2205 if "0:" in dev
[0].request("GET_FAIL"):
2208 dev
[0].request("REMOVE_NETWORK all")
2210 def test_ap_wpa2_eap_pax(dev
, apdev
):
2211 """WPA2-Enterprise connection using EAP-PAX"""
2212 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2213 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2214 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
2215 password_hex
="0123456789abcdef0123456789abcdef")
2216 eap_reauth(dev
[0], "PAX")
2218 logger
.info("Negative test with incorrect password")
2219 dev
[0].request("REMOVE_NETWORK all")
2220 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
2221 password_hex
="ff23456789abcdef0123456789abcdef",
2222 expect_failure
=True)
2224 def test_ap_wpa2_eap_psk(dev
, apdev
):
2225 """WPA2-Enterprise connection using EAP-PSK"""
2226 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2227 params
["wpa_key_mgmt"] = "WPA-EAP-SHA256"
2228 params
["ieee80211w"] = "2"
2229 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2230 eap_connect(dev
[0], apdev
[0], "PSK", "psk.user@example.com",
2231 password_hex
="0123456789abcdef0123456789abcdef", sha256
=True)
2232 eap_reauth(dev
[0], "PSK", sha256
=True)
2233 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
2234 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
2236 bss
= dev
[0].get_bss(apdev
[0]['bssid'])
2237 if 'flags' not in bss
:
2238 raise Exception("Could not get BSS flags from BSS table")
2239 if "[WPA2-EAP-SHA256-CCMP]" not in bss
['flags']:
2240 raise Exception("Unexpected BSS flags: " + bss
['flags'])
2242 logger
.info("Negative test with incorrect password")
2243 dev
[0].request("REMOVE_NETWORK all")
2244 eap_connect(dev
[0], apdev
[0], "PSK", "psk.user@example.com",
2245 password_hex
="ff23456789abcdef0123456789abcdef", sha256
=True,
2246 expect_failure
=True)
2248 def test_ap_wpa2_eap_psk_oom(dev
, apdev
):
2249 """WPA2-Enterprise connection using EAP-PSK and OOM"""
2250 skip_with_fips(dev
[0])
2251 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2252 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2253 tests
= [ (1, "aes_128_ctr_encrypt;aes_128_eax_encrypt"),
2254 (1, "omac1_aes_128;aes_128_eax_encrypt"),
2255 (2, "omac1_aes_128;aes_128_eax_encrypt"),
2256 (3, "omac1_aes_128;aes_128_eax_encrypt"),
2257 (1, "=aes_128_eax_encrypt"),
2258 (1, "omac1_aes_vector"),
2259 (1, "aes_128_ctr_encrypt;aes_128_eax_decrypt"),
2260 (1, "omac1_aes_128;aes_128_eax_decrypt"),
2261 (2, "omac1_aes_128;aes_128_eax_decrypt"),
2262 (3, "omac1_aes_128;aes_128_eax_decrypt"),
2263 (1, "=aes_128_eax_decrypt") ]
2264 for count
, func
in tests
:
2265 with
alloc_fail(dev
[0], count
, func
):
2266 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2267 identity
="psk.user@example.com",
2268 password_hex
="0123456789abcdef0123456789abcdef",
2269 wait_connect
=False, scan_freq
="2412")
2270 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
2272 raise Exception("EAP method not selected")
2274 if "0:" in dev
[0].request("GET_ALLOC_FAIL"):
2277 dev
[0].request("REMOVE_NETWORK all")
2279 with
alloc_fail(dev
[0], 1, "aes_128_encrypt_block"):
2280 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PSK",
2281 identity
="psk.user@example.com",
2282 password_hex
="0123456789abcdef0123456789abcdef",
2283 wait_connect
=False, scan_freq
="2412")
2284 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2286 raise Exception("EAP method failure not reported")
2287 dev
[0].request("REMOVE_NETWORK all")
2289 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
2290 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
2291 check_eap_capa(dev
[0], "MSCHAPV2")
2292 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
2293 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2294 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
2295 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
2296 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
2298 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
2299 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2300 eap_reauth(dev
[0], "PEAP", rsn
=False)
2301 check_mib(dev
[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
2302 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
2303 status
= dev
[0].get_status(extra
="VERBOSE")
2304 if 'portControl' not in status
:
2305 raise Exception("portControl missing from STATUS-VERBOSE")
2306 if status
['portControl'] != 'Auto':
2307 raise Exception("Unexpected portControl value: " + status
['portControl'])
2308 if 'eap_session_id' not in status
:
2309 raise Exception("eap_session_id missing from STATUS-VERBOSE")
2310 if not status
['eap_session_id'].startswith("19"):
2311 raise Exception("Unexpected eap_session_id value: " + status
['eap_session_id'])
2313 def test_ap_wpa2_eap_interactive(dev
, apdev
):
2314 """WPA2-Enterprise connection using interactive identity/password entry"""
2315 check_eap_capa(dev
[0], "MSCHAPV2")
2316 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2317 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2318 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
2320 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
2321 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
2323 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
2324 "TTLS", "ttls", None, "auth=MSCHAPV2",
2325 "DOMAIN\mschapv2 user", "password"),
2326 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
2327 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
2328 ("Connection with dynamic TTLS/EAP-MD5 password entry",
2329 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
2330 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
2331 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
2332 ("Connection with dynamic PEAP/EAP-GTC password entry",
2333 "PEAP", None, "user", "auth=GTC", None, "password") ]
2334 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
2336 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
2337 anonymous_identity
=anon
, identity
=identity
,
2338 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
2339 wait_connect
=False, scan_freq
="2412")
2341 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2343 raise Exception("Request for identity timed out")
2344 id = ev
.split(':')[0].split('-')[-1]
2345 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2346 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
2348 raise Exception("Request for password timed out")
2349 id = ev
.split(':')[0].split('-')[-1]
2350 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
2351 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
2352 dev
[0].wait_connected(timeout
=10)
2353 dev
[0].request("REMOVE_NETWORK all")
2355 def test_ap_wpa2_eap_ext_enable_network_while_connected(dev
, apdev
):
2356 """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
2357 check_eap_capa(dev
[0], "MSCHAPV2")
2358 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2359 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2360 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
2362 id_other
= dev
[0].connect("other", key_mgmt
="NONE", scan_freq
="2412",
2363 only_add_network
=True)
2365 req_id
= "DOMAIN\mschapv2 user"
2366 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2367 anonymous_identity
="ttls", identity
=None,
2368 password
="password",
2369 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2370 wait_connect
=False, scan_freq
="2412")
2371 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
2373 raise Exception("Request for identity timed out")
2374 id = ev
.split(':')[0].split('-')[-1]
2375 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
2376 dev
[0].wait_connected(timeout
=10)
2378 if "OK" not in dev
[0].request("ENABLE_NETWORK " + str(id_other
)):
2379 raise Exception("Failed to enable network")
2380 ev
= dev
[0].wait_event(["SME: Trying to authenticate"], timeout
=1)
2382 raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
2383 dev
[0].request("REMOVE_NETWORK all")
2385 def test_ap_wpa2_eap_vendor_test(dev
, apdev
):
2386 """WPA2-Enterprise connection using EAP vendor test"""
2387 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2388 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2389 eap_connect(dev
[0], apdev
[0], "VENDOR-TEST", "vendor-test")
2390 eap_reauth(dev
[0], "VENDOR-TEST")
2391 eap_connect(dev
[1], apdev
[0], "VENDOR-TEST", "vendor-test",
2394 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev
, apdev
):
2395 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
2396 check_eap_capa(dev
[0], "FAST")
2397 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2398 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2399 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2400 anonymous_identity
="FAST", password
="password",
2401 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2402 phase1
="fast_provisioning=1", pac_file
="blob://fast_pac")
2403 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2404 res
= eap_reauth(dev
[0], "FAST")
2405 if res
['tls_session_reused'] != '1':
2406 raise Exception("EAP-FAST could not use PAC session ticket")
2408 def test_ap_wpa2_eap_fast_pac_file(dev
, apdev
, params
):
2409 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
2410 check_eap_capa(dev
[0], "FAST")
2411 pac_file
= os
.path
.join(params
['logdir'], "fast.pac")
2412 pac_file2
= os
.path
.join(params
['logdir'], "fast-bin.pac")
2413 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2414 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2417 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2418 anonymous_identity
="FAST", password
="password",
2419 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2420 phase1
="fast_provisioning=1", pac_file
=pac_file
)
2421 with
open(pac_file
, "r") as f
:
2423 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
2424 raise Exception("PAC file header missing")
2425 if "PAC-Key=" not in data
:
2426 raise Exception("PAC-Key missing from PAC file")
2427 dev
[0].request("REMOVE_NETWORK all")
2428 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2429 anonymous_identity
="FAST", password
="password",
2430 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2433 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2434 anonymous_identity
="FAST", password
="password",
2435 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2436 phase1
="fast_provisioning=1 fast_pac_format=binary",
2438 dev
[1].request("REMOVE_NETWORK all")
2439 eap_connect(dev
[1], apdev
[0], "FAST", "user",
2440 anonymous_identity
="FAST", password
="password",
2441 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2442 phase1
="fast_pac_format=binary",
2450 os
.remove(pac_file2
)
2454 def test_ap_wpa2_eap_fast_binary_pac(dev
, apdev
):
2455 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
2456 check_eap_capa(dev
[0], "FAST")
2457 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2458 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2459 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2460 anonymous_identity
="FAST", password
="password",
2461 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2462 phase1
="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
2463 pac_file
="blob://fast_pac_bin")
2464 res
= eap_reauth(dev
[0], "FAST")
2465 if res
['tls_session_reused'] != '1':
2466 raise Exception("EAP-FAST could not use PAC session ticket")
2468 def test_ap_wpa2_eap_fast_missing_pac_config(dev
, apdev
):
2469 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
2470 check_eap_capa(dev
[0], "FAST")
2471 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2472 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2474 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2475 identity
="user", anonymous_identity
="FAST",
2476 password
="password",
2477 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2478 pac_file
="blob://fast_pac_not_in_use",
2479 wait_connect
=False, scan_freq
="2412")
2480 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2482 raise Exception("Timeout on EAP failure report")
2483 dev
[0].request("REMOVE_NETWORK all")
2485 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2486 identity
="user", anonymous_identity
="FAST",
2487 password
="password",
2488 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2489 wait_connect
=False, scan_freq
="2412")
2490 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2492 raise Exception("Timeout on EAP failure report")
2494 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev
, apdev
):
2495 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
2496 check_eap_capa(dev
[0], "FAST")
2497 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2498 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2499 eap_connect(dev
[0], apdev
[0], "FAST", "user",
2500 anonymous_identity
="FAST", password
="password",
2501 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
2502 phase1
="fast_provisioning=2", pac_file
="blob://fast_pac_auth")
2503 hwsim_utils
.test_connectivity(dev
[0], hapd
)
2504 res
= eap_reauth(dev
[0], "FAST")
2505 if res
['tls_session_reused'] != '1':
2506 raise Exception("EAP-FAST could not use PAC session ticket")
2508 def test_ap_wpa2_eap_fast_gtc_identity_change(dev
, apdev
):
2509 """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
2510 check_eap_capa(dev
[0], "FAST")
2511 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2512 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2513 id = eap_connect(dev
[0], apdev
[0], "FAST", "user",
2514 anonymous_identity
="FAST", password
="password",
2515 ca_cert
="auth_serv/ca.pem", phase2
="auth=GTC",
2516 phase1
="fast_provisioning=2",
2517 pac_file
="blob://fast_pac_auth")
2518 dev
[0].set_network_quoted(id, "identity", "user2")
2519 dev
[0].wait_disconnected()
2520 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
2522 raise Exception("EAP-FAST not started")
2523 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
2525 raise Exception("EAP failure not reported")
2526 dev
[0].wait_disconnected()
2528 def test_ap_wpa2_eap_fast_prf_oom(dev
, apdev
):
2529 """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
2530 check_eap_capa(dev
[0], "FAST")
2531 tls
= dev
[0].request("GET tls_library")
2532 if tls
.startswith("OpenSSL"):
2533 func
= "openssl_tls_prf"
2535 elif tls
.startswith("internal"):
2536 func
= "tls_connection_prf"
2539 raise HwsimSkip("Unsupported TLS library")
2540 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2541 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2542 with
alloc_fail(dev
[0], count
, func
):
2543 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
2544 identity
="user", anonymous_identity
="FAST",
2545 password
="password", ca_cert
="auth_serv/ca.pem",
2547 phase1
="fast_provisioning=2",
2548 pac_file
="blob://fast_pac_auth",
2549 wait_connect
=False, scan_freq
="2412")
2550 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
2552 raise Exception("EAP failure not reported")
2553 dev
[0].request("DISCONNECT")
2555 def test_ap_wpa2_eap_fast_server_oom(dev
, apdev
):
2556 """EAP-FAST/MSCHAPv2 and server OOM"""
2557 check_eap_capa(dev
[0], "FAST")
2559 params
= int_eap_server_params()
2560 params
['dh_file'] = 'auth_serv/dh.conf'
2561 params
['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
2562 params
['eap_fast_a_id'] = '1011'
2563 params
['eap_fast_a_id_info'] = 'another test server'
2564 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
2566 with
alloc_fail(hapd
, 1, "tls_session_ticket_ext_cb"):
2567 id = eap_connect(dev
[0], apdev
[0], "FAST", "user",
2568 anonymous_identity
="FAST", password
="password",
2569 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
2570 phase1
="fast_provisioning=1",
2571 pac_file
="blob://fast_pac",
2572 expect_failure
=True)
2573 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
2575 raise Exception("No EAP failure reported")
2576 dev
[0].wait_disconnected()
2577 dev
[0].request("DISCONNECT")
2579 dev
[0].select_network(id, freq
="2412")
2581 def test_ap_wpa2_eap_tls_ocsp(dev
, apdev
):
2582 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
2583 check_ocsp_support(dev
[0])
2584 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
2585 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2586 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
2587 private_key
="auth_serv/user.pkcs12",
2588 private_key_passwd
="whatever", ocsp
=2)
2590 def int_eap_server_params():
2591 params
= { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
2592 "rsn_pairwise": "CCMP", "ieee8021x": "1",
2593 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
2594 "ca_cert": "auth_serv/ca.pem",
2595 "server_cert": "auth_serv/server.pem",
2596 "private_key": "auth_serv/server.key" }
2599 def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev
, apdev
, params
):
2600 """EAP-TLS and CA signed OCSP response (good)"""
2601 check_ocsp_support(dev
[0])
2602 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed.der")
2603 if not os
.path
.exists(ocsp
):
2604 raise HwsimSkip("No OCSP response available")
2605 params
= int_eap_server_params()
2606 params
["ocsp_stapling_response"] = ocsp
2607 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2608 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2609 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2610 private_key
="auth_serv/user.pkcs12",
2611 private_key_passwd
="whatever", ocsp
=2,
2614 def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev
, apdev
, params
):
2615 """EAP-TLS and CA signed OCSP response (revoked)"""
2616 check_ocsp_support(dev
[0])
2617 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-revoked.der")
2618 if not os
.path
.exists(ocsp
):
2619 raise HwsimSkip("No OCSP response available")
2620 params
= int_eap_server_params()
2621 params
["ocsp_stapling_response"] = ocsp
2622 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2623 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2624 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2625 private_key
="auth_serv/user.pkcs12",
2626 private_key_passwd
="whatever", ocsp
=2,
2627 wait_connect
=False, scan_freq
="2412")
2630 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2632 raise Exception("Timeout on EAP status")
2633 if 'bad certificate status response' in ev
:
2635 if 'certificate revoked' in ev
:
2639 raise Exception("Unexpected number of EAP status messages")
2641 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2643 raise Exception("Timeout on EAP failure report")
2645 def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev
, apdev
, params
):
2646 """EAP-TLS and CA signed OCSP response (unknown)"""
2647 check_ocsp_support(dev
[0])
2648 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-ca-signed-unknown.der")
2649 if not os
.path
.exists(ocsp
):
2650 raise HwsimSkip("No OCSP response available")
2651 params
= int_eap_server_params()
2652 params
["ocsp_stapling_response"] = ocsp
2653 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2654 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2655 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2656 private_key
="auth_serv/user.pkcs12",
2657 private_key_passwd
="whatever", ocsp
=2,
2658 wait_connect
=False, scan_freq
="2412")
2661 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2663 raise Exception("Timeout on EAP status")
2664 if 'bad certificate status response' in ev
:
2668 raise Exception("Unexpected number of EAP status messages")
2670 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2672 raise Exception("Timeout on EAP failure report")
2674 def test_ap_wpa2_eap_tls_ocsp_server_signed(dev
, apdev
, params
):
2675 """EAP-TLS and server signed OCSP response"""
2676 check_ocsp_support(dev
[0])
2677 ocsp
= os
.path
.join(params
['logdir'], "ocsp-resp-server-signed.der")
2678 if not os
.path
.exists(ocsp
):
2679 raise HwsimSkip("No OCSP response available")
2680 params
= int_eap_server_params()
2681 params
["ocsp_stapling_response"] = ocsp
2682 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2683 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2684 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2685 private_key
="auth_serv/user.pkcs12",
2686 private_key_passwd
="whatever", ocsp
=2,
2687 wait_connect
=False, scan_freq
="2412")
2690 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2692 raise Exception("Timeout on EAP status")
2693 if 'bad certificate status response' in ev
:
2697 raise Exception("Unexpected number of EAP status messages")
2699 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2701 raise Exception("Timeout on EAP failure report")
2703 def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev
, apdev
):
2704 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
2705 check_ocsp_support(dev
[0])
2706 params
= int_eap_server_params()
2707 params
["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
2708 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2709 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2710 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2711 private_key
="auth_serv/user.pkcs12",
2712 private_key_passwd
="whatever", ocsp
=2,
2713 wait_connect
=False, scan_freq
="2412")
2716 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2718 raise Exception("Timeout on EAP status")
2719 if 'bad certificate status response' in ev
:
2723 raise Exception("Unexpected number of EAP status messages")
2725 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2727 raise Exception("Timeout on EAP failure report")
2729 def test_ap_wpa2_eap_tls_ocsp_invalid(dev
, apdev
):
2730 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
2731 check_ocsp_support(dev
[0])
2732 params
= int_eap_server_params()
2733 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
2734 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2735 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2736 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2737 private_key
="auth_serv/user.pkcs12",
2738 private_key_passwd
="whatever", ocsp
=2,
2739 wait_connect
=False, scan_freq
="2412")
2742 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2744 raise Exception("Timeout on EAP status")
2745 if 'bad certificate status response' in ev
:
2749 raise Exception("Unexpected number of EAP status messages")
2751 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2753 raise Exception("Timeout on EAP failure report")
2755 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
2756 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
2757 check_ocsp_support(dev
[0])
2758 params
= int_eap_server_params()
2759 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
2760 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2761 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2762 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2763 private_key
="auth_serv/user.pkcs12",
2764 private_key_passwd
="whatever", ocsp
=2,
2765 wait_connect
=False, scan_freq
="2412")
2768 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2770 raise Exception("Timeout on EAP status")
2771 if 'bad certificate status response' in ev
:
2775 raise Exception("Unexpected number of EAP status messages")
2777 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2779 raise Exception("Timeout on EAP failure report")
2781 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
2782 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2783 check_ocsp_support(dev
[0])
2784 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
2785 if not os
.path
.exists(ocsp
):
2786 raise HwsimSkip("No OCSP response available")
2787 params
= int_eap_server_params()
2788 params
["ocsp_stapling_response"] = ocsp
2789 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2790 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2791 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2792 anonymous_identity
="ttls", password
="password",
2793 phase2
="auth=PAP", ocsp
=2,
2794 wait_connect
=False, scan_freq
="2412")
2797 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2799 raise Exception("Timeout on EAP status")
2800 if 'bad certificate status response' in ev
:
2802 if 'certificate revoked' in ev
:
2806 raise Exception("Unexpected number of EAP status messages")
2808 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2810 raise Exception("Timeout on EAP failure report")
2812 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
2813 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2814 check_ocsp_support(dev
[0])
2815 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
2816 if not os
.path
.exists(ocsp
):
2817 raise HwsimSkip("No OCSP response available")
2818 params
= int_eap_server_params()
2819 params
["ocsp_stapling_response"] = ocsp
2820 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2821 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2822 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2823 anonymous_identity
="ttls", password
="password",
2824 phase2
="auth=PAP", ocsp
=2,
2825 wait_connect
=False, scan_freq
="2412")
2828 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
2830 raise Exception("Timeout on EAP status")
2831 if 'bad certificate status response' in ev
:
2835 raise Exception("Unexpected number of EAP status messages")
2837 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2839 raise Exception("Timeout on EAP failure report")
2841 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev
, apdev
, params
):
2842 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
2843 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
2844 if not os
.path
.exists(ocsp
):
2845 raise HwsimSkip("No OCSP response available")
2846 params
= int_eap_server_params()
2847 params
["ocsp_stapling_response"] = ocsp
2848 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2849 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2850 identity
="pap user", ca_cert
="auth_serv/ca.pem",
2851 anonymous_identity
="ttls", password
="password",
2852 phase2
="auth=PAP", ocsp
=1, scan_freq
="2412")
2854 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
2855 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2856 check_domain_match_full(dev
[0])
2857 params
= int_eap_server_params()
2858 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2859 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2860 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2861 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2862 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2863 private_key
="auth_serv/user.pkcs12",
2864 private_key_passwd
="whatever",
2865 domain_suffix_match
="server3.w1.fi",
2868 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
2869 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
2870 check_domain_match(dev
[0])
2871 params
= int_eap_server_params()
2872 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2873 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2874 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2875 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2876 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2877 private_key
="auth_serv/user.pkcs12",
2878 private_key_passwd
="whatever",
2879 domain_match
="server3.w1.fi",
2882 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
2883 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
2884 check_domain_match_full(dev
[0])
2885 params
= int_eap_server_params()
2886 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2887 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2888 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2889 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2890 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2891 private_key
="auth_serv/user.pkcs12",
2892 private_key_passwd
="whatever",
2893 domain_suffix_match
="w1.fi",
2896 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
2897 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
2898 check_domain_suffix_match(dev
[0])
2899 params
= int_eap_server_params()
2900 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2901 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2902 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2903 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2904 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2905 private_key
="auth_serv/user.pkcs12",
2906 private_key_passwd
="whatever",
2907 domain_suffix_match
="example.com",
2910 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2911 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2912 private_key
="auth_serv/user.pkcs12",
2913 private_key_passwd
="whatever",
2914 domain_suffix_match
="erver3.w1.fi",
2917 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2919 raise Exception("Timeout on EAP failure report")
2920 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2922 raise Exception("Timeout on EAP failure report (2)")
2924 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
2925 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
2926 check_domain_match(dev
[0])
2927 params
= int_eap_server_params()
2928 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
2929 params
["private_key"] = "auth_serv/server-no-dnsname.key"
2930 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2931 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2932 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2933 private_key
="auth_serv/user.pkcs12",
2934 private_key_passwd
="whatever",
2935 domain_match
="example.com",
2938 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
2939 identity
="tls user", ca_cert
="auth_serv/ca.pem",
2940 private_key
="auth_serv/user.pkcs12",
2941 private_key_passwd
="whatever",
2942 domain_match
="w1.fi",
2945 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2947 raise Exception("Timeout on EAP failure report")
2948 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2950 raise Exception("Timeout on EAP failure report (2)")
2952 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
2953 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
2954 skip_with_fips(dev
[0])
2955 params
= int_eap_server_params()
2956 params
["server_cert"] = "auth_serv/server-expired.pem"
2957 params
["private_key"] = "auth_serv/server-expired.key"
2958 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2959 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2960 identity
="mschap user", password
="password",
2961 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2964 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
2966 raise Exception("Timeout on EAP certificate error report")
2967 if "reason=4" not in ev
or "certificate has expired" not in ev
:
2968 raise Exception("Unexpected failure reason: " + ev
)
2969 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2971 raise Exception("Timeout on EAP failure report")
2973 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
2974 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
2975 skip_with_fips(dev
[0])
2976 params
= int_eap_server_params()
2977 params
["server_cert"] = "auth_serv/server-expired.pem"
2978 params
["private_key"] = "auth_serv/server-expired.key"
2979 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2980 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2981 identity
="mschap user", password
="password",
2982 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2983 phase1
="tls_disable_time_checks=1",
2986 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
2987 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
2988 skip_with_fips(dev
[0])
2989 params
= int_eap_server_params()
2990 params
["server_cert"] = "auth_serv/server-long-duration.pem"
2991 params
["private_key"] = "auth_serv/server-long-duration.key"
2992 hostapd
.add_ap(apdev
[0]['ifname'], params
)
2993 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
2994 identity
="mschap user", password
="password",
2995 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
2998 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
2999 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
3000 skip_with_fips(dev
[0])
3001 params
= int_eap_server_params()
3002 params
["server_cert"] = "auth_serv/server-eku-client.pem"
3003 params
["private_key"] = "auth_serv/server-eku-client.key"
3004 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3005 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3006 identity
="mschap user", password
="password",
3007 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3010 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3012 raise Exception("Timeout on EAP failure report")
3014 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
3015 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
3016 skip_with_fips(dev
[0])
3017 params
= int_eap_server_params()
3018 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
3019 params
["private_key"] = "auth_serv/server-eku-client-server.key"
3020 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3021 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3022 identity
="mschap user", password
="password",
3023 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3026 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
3027 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
3028 skip_with_fips(dev
[0])
3029 params
= int_eap_server_params()
3030 del params
["server_cert"]
3031 params
["private_key"] = "auth_serv/server.pkcs12"
3032 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3033 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3034 identity
="mschap user", password
="password",
3035 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3038 def test_ap_wpa2_eap_ttls_dh_params(dev
, apdev
):
3039 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
3040 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3041 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3042 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3043 anonymous_identity
="ttls", password
="password",
3044 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
3045 dh_file
="auth_serv/dh.conf")
3047 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev
, apdev
):
3048 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
3049 check_dh_dsa_support(dev
[0])
3050 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3051 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3052 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3053 anonymous_identity
="ttls", password
="password",
3054 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
3055 dh_file
="auth_serv/dsaparam.pem")
3057 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
3058 """EAP-TTLS and DH params file not found"""
3059 skip_with_fips(dev
[0])
3060 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3061 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3062 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3063 identity
="mschap user", password
="password",
3064 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3065 dh_file
="auth_serv/dh-no-such-file.conf",
3066 scan_freq
="2412", wait_connect
=False)
3067 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3069 raise Exception("EAP failure timed out")
3070 dev
[0].request("REMOVE_NETWORK all")
3071 dev
[0].wait_disconnected()
3073 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
3074 """EAP-TTLS and invalid DH params file"""
3075 skip_with_fips(dev
[0])
3076 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3077 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3078 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3079 identity
="mschap user", password
="password",
3080 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3081 dh_file
="auth_serv/ca.pem",
3082 scan_freq
="2412", wait_connect
=False)
3083 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3085 raise Exception("EAP failure timed out")
3086 dev
[0].request("REMOVE_NETWORK all")
3087 dev
[0].wait_disconnected()
3089 def test_ap_wpa2_eap_ttls_dh_params_blob(dev
, apdev
):
3090 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
3091 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3092 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3093 dh
= read_pem("auth_serv/dh2.conf")
3094 if "OK" not in dev
[0].request("SET blob dhparams " + dh
.encode("hex")):
3095 raise Exception("Could not set dhparams blob")
3096 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3097 anonymous_identity
="ttls", password
="password",
3098 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
3099 dh_file
="blob://dhparams")
3101 def test_ap_wpa2_eap_ttls_dh_params_server(dev
, apdev
):
3102 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
3103 params
= int_eap_server_params()
3104 params
["dh_file"] = "auth_serv/dh2.conf"
3105 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3106 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3107 anonymous_identity
="ttls", password
="password",
3108 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
3110 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev
, apdev
):
3111 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
3112 params
= int_eap_server_params()
3113 params
["dh_file"] = "auth_serv/dsaparam.pem"
3114 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3115 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3116 anonymous_identity
="ttls", password
="password",
3117 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
3119 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
3120 """EAP-TLS server and dhparams file not found"""
3121 params
= int_eap_server_params()
3122 params
["dh_file"] = "auth_serv/dh-no-such-file.conf"
3123 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
, no_enable
=True)
3124 if "FAIL" not in hapd
.request("ENABLE"):
3125 raise Exception("Invalid configuration accepted")
3127 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
3128 """EAP-TLS server and invalid dhparams file"""
3129 params
= int_eap_server_params()
3130 params
["dh_file"] = "auth_serv/ca.pem"
3131 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
, no_enable
=True)
3132 if "FAIL" not in hapd
.request("ENABLE"):
3133 raise Exception("Invalid configuration accepted")
3135 def test_ap_wpa2_eap_reauth(dev
, apdev
):
3136 """WPA2-Enterprise and Authenticator forcing reauthentication"""
3137 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3138 params
['eap_reauth_period'] = '2'
3139 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3140 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
3141 password_hex
="0123456789abcdef0123456789abcdef")
3142 logger
.info("Wait for reauthentication")
3143 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
3145 raise Exception("Timeout on reauthentication")
3146 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3148 raise Exception("Timeout on reauthentication")
3149 for i
in range(0, 20):
3150 state
= dev
[0].get_status_field("wpa_state")
3151 if state
== "COMPLETED":
3154 if state
!= "COMPLETED":
3155 raise Exception("Reauthentication did not complete")
3157 def test_ap_wpa2_eap_request_identity_message(dev
, apdev
):
3158 """Optional displayable message in EAP Request-Identity"""
3159 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3160 params
['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
3161 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3162 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
3163 password_hex
="0123456789abcdef0123456789abcdef")
3165 def test_ap_wpa2_eap_sim_aka_result_ind(dev
, apdev
):
3166 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
3167 check_hlr_auc_gw_support()
3168 params
= int_eap_server_params()
3169 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
3170 params
['eap_sim_aka_result_ind'] = "1"
3171 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3173 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
3174 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
3175 phase1
="result_ind=1")
3176 eap_reauth(dev
[0], "SIM")
3177 eap_connect(dev
[1], apdev
[0], "SIM", "1232010000000000",
3178 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
3180 dev
[0].request("REMOVE_NETWORK all")
3181 dev
[1].request("REMOVE_NETWORK all")
3183 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
3184 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
3185 phase1
="result_ind=1")
3186 eap_reauth(dev
[0], "AKA")
3187 eap_connect(dev
[1], apdev
[0], "AKA", "0232010000000000",
3188 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
3190 dev
[0].request("REMOVE_NETWORK all")
3191 dev
[1].request("REMOVE_NETWORK all")
3193 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
3194 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
3195 phase1
="result_ind=1")
3196 eap_reauth(dev
[0], "AKA'")
3197 eap_connect(dev
[1], apdev
[0], "AKA'", "6555444333222111",
3198 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
3200 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
3201 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
3202 skip_with_fips(dev
[0])
3203 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3204 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3205 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
3206 eap
="TTLS", identity
="mschap user",
3207 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
3208 anonymous_identity
="ttls", password
="password",
3209 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3211 ev
= dev
[0].wait_event(["EAP: more than"], timeout
=20)
3213 raise Exception("EAP roundtrip limit not reached")
3215 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
3216 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
3217 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3218 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3219 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
3220 eap
="PSK", identity
="vendor-test",
3221 password_hex
="ff23456789abcdef0123456789abcdef",
3225 for i
in range(0, 5):
3226 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=10)
3228 raise Exception("Association and EAP start timed out")
3229 if "refuse proposed method" in ev
:
3233 raise Exception("Unexpected EAP status: " + ev
)
3235 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3237 raise Exception("EAP failure timed out")
3239 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
3240 """WPA2-Enterprise connection using SQLite for user DB"""
3241 skip_with_fips(dev
[0])
3245 raise HwsimSkip("No sqlite3 module available")
3246 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
3251 con
= sqlite3
.connect(dbfile
)
3254 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
3255 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
3256 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
3257 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
3258 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
3259 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
3260 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
3261 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
3264 params
= int_eap_server_params()
3265 params
["eap_user_file"] = "sqlite:" + dbfile
3266 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3267 eap_connect(dev
[0], apdev
[0], "TTLS", "user-mschapv2",
3268 anonymous_identity
="ttls", password
="password",
3269 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
3270 dev
[0].request("REMOVE_NETWORK all")
3271 eap_connect(dev
[1], apdev
[0], "TTLS", "user-mschap",
3272 anonymous_identity
="ttls", password
="password",
3273 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
3274 dev
[1].request("REMOVE_NETWORK all")
3275 eap_connect(dev
[0], apdev
[0], "TTLS", "user-chap",
3276 anonymous_identity
="ttls", password
="password",
3277 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
3278 eap_connect(dev
[1], apdev
[0], "TTLS", "user-pap",
3279 anonymous_identity
="ttls", password
="password",
3280 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
3284 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
3285 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3286 params
= int_eap_server_params()
3287 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3288 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3289 identity
="\x80", password
="password", wait_connect
=False)
3290 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3291 identity
="a\x80", password
="password", wait_connect
=False)
3292 for i
in range(0, 2):
3293 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
3295 raise Exception("Association and EAP start timed out")
3296 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
3298 raise Exception("EAP method selection timed out")
3300 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
3301 """WPA2-Enterprise connection attempt using non-ASCII identity"""
3302 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3303 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3304 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3305 identity
="\x80", password
="password", wait_connect
=False)
3306 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3307 identity
="a\x80", password
="password", wait_connect
=False)
3308 for i
in range(0, 2):
3309 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
3311 raise Exception("Association and EAP start timed out")
3312 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
3314 raise Exception("EAP method selection timed out")
3316 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
3317 """OpenSSL cipher suite configuration on wpa_supplicant"""
3318 tls
= dev
[0].request("GET tls_library")
3319 if not tls
.startswith("OpenSSL"):
3320 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
3321 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3322 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3323 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3324 anonymous_identity
="ttls", password
="password",
3325 openssl_ciphers
="AES128",
3326 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
3327 eap_connect(dev
[1], apdev
[0], "TTLS", "pap user",
3328 anonymous_identity
="ttls", password
="password",
3329 openssl_ciphers
="EXPORT",
3330 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
3331 expect_failure
=True, maybe_local_error
=True)
3332 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3333 identity
="pap user", anonymous_identity
="ttls",
3334 password
="password",
3335 openssl_ciphers
="FOO",
3336 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
3338 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
3340 raise Exception("EAP failure after invalid openssl_ciphers not reported")
3341 dev
[2].request("DISCONNECT")
3343 def test_openssl_cipher_suite_config_hapd(dev
, apdev
):
3344 """OpenSSL cipher suite configuration on hostapd"""
3345 tls
= dev
[0].request("GET tls_library")
3346 if not tls
.startswith("OpenSSL"):
3347 raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + tls
)
3348 params
= int_eap_server_params()
3349 params
['openssl_ciphers'] = "AES256"
3350 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3351 tls
= hapd
.request("GET tls_library")
3352 if not tls
.startswith("OpenSSL"):
3353 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
3354 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3355 anonymous_identity
="ttls", password
="password",
3356 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
3357 eap_connect(dev
[1], apdev
[0], "TTLS", "pap user",
3358 anonymous_identity
="ttls", password
="password",
3359 openssl_ciphers
="AES128",
3360 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
3361 expect_failure
=True)
3362 eap_connect(dev
[2], apdev
[0], "TTLS", "pap user",
3363 anonymous_identity
="ttls", password
="password",
3364 openssl_ciphers
="HIGH:!ADH",
3365 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
3367 params
['openssl_ciphers'] = "FOO"
3368 hapd2
= hostapd
.add_ap(apdev
[1]['ifname'], params
, no_enable
=True)
3369 if "FAIL" not in hapd2
.request("ENABLE"):
3370 raise Exception("Invalid openssl_ciphers value accepted")
3372 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
3373 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
3374 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3375 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], p
)
3376 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
3377 pid
= find_wpas_process(dev
[0])
3378 id = eap_connect(dev
[0], apdev
[0], "TTLS", "pap-secret",
3379 anonymous_identity
="ttls", password
=password
,
3380 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
3382 buf
= read_process_memory(pid
, password
)
3384 dev
[0].request("DISCONNECT")
3385 dev
[0].wait_disconnected()
3393 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
3394 for l
in f
.readlines():
3395 if "EAP-TTLS: Derived key - hexdump" in l
:
3396 val
= l
.strip().split(':')[3].replace(' ', '')
3397 msk
= binascii
.unhexlify(val
)
3398 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
3399 val
= l
.strip().split(':')[3].replace(' ', '')
3400 emsk
= binascii
.unhexlify(val
)
3401 if "WPA: PMK - hexdump" in l
:
3402 val
= l
.strip().split(':')[3].replace(' ', '')
3403 pmk
= binascii
.unhexlify(val
)
3404 if "WPA: PTK - hexdump" in l
:
3405 val
= l
.strip().split(':')[3].replace(' ', '')
3406 ptk
= binascii
.unhexlify(val
)
3407 if "WPA: Group Key - hexdump" in l
:
3408 val
= l
.strip().split(':')[3].replace(' ', '')
3409 gtk
= binascii
.unhexlify(val
)
3410 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
3411 raise Exception("Could not find keys from debug log")
3413 raise Exception("Unexpected GTK length")
3419 fname
= os
.path
.join(params
['logdir'],
3420 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
3422 logger
.info("Checking keys in memory while associated")
3423 get_key_locations(buf
, password
, "Password")
3424 get_key_locations(buf
, pmk
, "PMK")
3425 get_key_locations(buf
, msk
, "MSK")
3426 get_key_locations(buf
, emsk
, "EMSK")
3427 if password
not in buf
:
3428 raise HwsimSkip("Password not found while associated")
3430 raise HwsimSkip("PMK not found while associated")
3432 raise Exception("KCK not found while associated")
3434 raise Exception("KEK not found while associated")
3436 raise Exception("TK found from memory")
3438 get_key_locations(buf
, gtk
, "GTK")
3439 raise Exception("GTK found from memory")
3441 logger
.info("Checking keys in memory after disassociation")
3442 buf
= read_process_memory(pid
, password
)
3444 # Note: Password is still present in network configuration
3445 # Note: PMK is in PMKSA cache and EAP fast re-auth data
3447 get_key_locations(buf
, password
, "Password")
3448 get_key_locations(buf
, pmk
, "PMK")
3449 get_key_locations(buf
, msk
, "MSK")
3450 get_key_locations(buf
, emsk
, "EMSK")
3451 verify_not_present(buf
, kck
, fname
, "KCK")
3452 verify_not_present(buf
, kek
, fname
, "KEK")
3453 verify_not_present(buf
, tk
, fname
, "TK")
3454 verify_not_present(buf
, gtk
, fname
, "GTK")
3456 dev
[0].request("PMKSA_FLUSH")
3457 dev
[0].set_network_quoted(id, "identity", "foo")
3458 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
3459 buf
= read_process_memory(pid
, password
)
3460 get_key_locations(buf
, password
, "Password")
3461 get_key_locations(buf
, pmk
, "PMK")
3462 get_key_locations(buf
, msk
, "MSK")
3463 get_key_locations(buf
, emsk
, "EMSK")
3464 verify_not_present(buf
, pmk
, fname
, "PMK")
3466 dev
[0].request("REMOVE_NETWORK all")
3468 logger
.info("Checking keys in memory after network profile removal")
3469 buf
= read_process_memory(pid
, password
)
3471 get_key_locations(buf
, password
, "Password")
3472 get_key_locations(buf
, pmk
, "PMK")
3473 get_key_locations(buf
, msk
, "MSK")
3474 get_key_locations(buf
, emsk
, "EMSK")
3475 verify_not_present(buf
, password
, fname
, "password")
3476 verify_not_present(buf
, pmk
, fname
, "PMK")
3477 verify_not_present(buf
, kck
, fname
, "KCK")
3478 verify_not_present(buf
, kek
, fname
, "KEK")
3479 verify_not_present(buf
, tk
, fname
, "TK")
3480 verify_not_present(buf
, gtk
, fname
, "GTK")
3481 verify_not_present(buf
, msk
, fname
, "MSK")
3482 verify_not_present(buf
, emsk
, fname
, "EMSK")
3484 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
3485 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
3486 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3487 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3488 bssid
= apdev
[0]['bssid']
3489 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3490 anonymous_identity
="ttls", password
="password",
3491 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
3493 # Send unexpected WEP EAPOL-Key; this gets dropped
3494 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
3496 raise Exception("EAPOL_RX to wpa_supplicant failed")
3498 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
3499 """WPA2-EAP and wpas interface in a bridge"""
3503 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
3505 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
3506 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
3507 subprocess
.call(['brctl', 'delbr', br_ifname
])
3508 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
3510 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
3511 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3512 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3516 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
3517 subprocess
.call(['brctl', 'addbr', br_ifname
])
3518 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
3519 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
3520 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
3521 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
3522 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
3525 id = eap_connect(wpas
, apdev
[0], "PAX", "pax.user@example.com",
3526 password_hex
="0123456789abcdef0123456789abcdef")
3528 eap_reauth(wpas
, "PAX")
3530 # Try again as a regression test for packet socket workaround
3531 eap_reauth(wpas
, "PAX")
3533 wpas
.request("DISCONNECT")
3534 wpas
.wait_disconnected()
3536 wpas
.request("RECONNECT")
3537 wpas
.wait_connected()
3540 def test_ap_wpa2_eap_session_ticket(dev
, apdev
):
3541 """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled"""
3542 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3543 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3544 key_mgmt
= hapd
.get_config()['key_mgmt']
3545 if key_mgmt
.split(' ')[0] != "WPA-EAP":
3546 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
3547 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3548 anonymous_identity
="ttls", password
="password",
3549 ca_cert
="auth_serv/ca.pem",
3550 phase1
="tls_disable_session_ticket=0", phase2
="auth=PAP")
3551 eap_reauth(dev
[0], "TTLS")
3553 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
3554 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
3555 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3556 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3557 key_mgmt
= hapd
.get_config()['key_mgmt']
3558 if key_mgmt
.split(' ')[0] != "WPA-EAP":
3559 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
3560 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3561 anonymous_identity
="ttls", password
="password",
3562 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
3564 eap_reauth(dev
[0], "TTLS")
3566 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
3567 """EAP-TLS and server checking CRL"""
3568 params
= int_eap_server_params()
3569 params
['check_crl'] = '1'
3570 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3572 # check_crl=1 and no CRL available --> reject connection
3573 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3574 client_cert
="auth_serv/user.pem",
3575 private_key
="auth_serv/user.key", expect_failure
=True)
3576 dev
[0].request("REMOVE_NETWORK all")
3579 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
3582 # check_crl=1 and valid CRL --> accept
3583 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3584 client_cert
="auth_serv/user.pem",
3585 private_key
="auth_serv/user.key")
3586 dev
[0].request("REMOVE_NETWORK all")
3589 hapd
.set("check_crl", "2")
3592 # check_crl=2 and valid CRL --> accept
3593 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3594 client_cert
="auth_serv/user.pem",
3595 private_key
="auth_serv/user.key")
3596 dev
[0].request("REMOVE_NETWORK all")
3598 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
3599 """EAP-TLS and OOM"""
3600 check_subject_match_support(dev
[0])
3601 check_altsubject_match_support(dev
[0])
3602 check_domain_match(dev
[0])
3603 check_domain_match_full(dev
[0])
3605 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3606 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3608 tests
= [ (1, "tls_connection_set_subject_match"),
3609 (2, "tls_connection_set_subject_match"),
3610 (3, "tls_connection_set_subject_match"),
3611 (4, "tls_connection_set_subject_match") ]
3612 for count
, func
in tests
:
3613 with
alloc_fail(dev
[0], count
, func
):
3614 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3615 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3616 client_cert
="auth_serv/user.pem",
3617 private_key
="auth_serv/user.key",
3618 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
3619 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
3620 domain_suffix_match
="server.w1.fi",
3621 domain_match
="server.w1.fi",
3622 wait_connect
=False, scan_freq
="2412")
3623 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
3624 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
3626 raise Exception("No passphrase request")
3627 dev
[0].request("REMOVE_NETWORK all")
3628 dev
[0].wait_disconnected()
3630 def test_ap_wpa2_eap_tls_macacl(dev
, apdev
):
3631 """WPA2-Enterprise connection using MAC ACL"""
3632 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3633 params
["macaddr_acl"] = "2"
3634 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3635 eap_connect(dev
[1], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3636 client_cert
="auth_serv/user.pem",
3637 private_key
="auth_serv/user.key")
3639 def test_ap_wpa2_eap_oom(dev
, apdev
):
3640 """EAP server and OOM"""
3641 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3642 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3643 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
3645 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
3646 # The first attempt fails, but STA will send EAPOL-Start to retry and
3648 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3649 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3650 client_cert
="auth_serv/user.pem",
3651 private_key
="auth_serv/user.key",
3654 def check_tls_ver(dev
, ap
, phase1
, expected
):
3655 eap_connect(dev
, ap
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3656 client_cert
="auth_serv/user.pem",
3657 private_key
="auth_serv/user.key",
3659 ver
= dev
.get_status_field("eap_tls_version")
3661 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
3663 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
3664 """EAP-TLS and TLS version configuration"""
3665 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3666 hostapd
.add_ap(apdev
[0]['ifname'], params
)
3668 tls
= dev
[0].request("GET tls_library")
3669 if tls
.startswith("OpenSSL"):
3670 if "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
3671 check_tls_ver(dev
[0], apdev
[0],
3672 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
3674 elif tls
.startswith("internal"):
3675 check_tls_ver(dev
[0], apdev
[0],
3676 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
3677 check_tls_ver(dev
[1], apdev
[0],
3678 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
3679 check_tls_ver(dev
[2], apdev
[0],
3680 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
3682 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
3683 """RSN element protocol testing for EAP cases on STA side"""
3684 bssid
= apdev
[0]['bssid']
3685 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3686 # This is the RSN element used normally by hostapd
3687 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
3688 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3689 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
3690 identity
="gpsk user",
3691 password
="abcdefghijklmnop0123456789abcdef",
3694 tests
= [ ('No RSN Capabilities field',
3695 '30120100000fac040100000fac040100000fac01'),
3696 ('No AKM Suite fields',
3697 '300c0100000fac040100000fac04'),
3698 ('No Pairwise Cipher Suite fields',
3699 '30060100000fac04'),
3700 ('No Group Data Cipher Suite field',
3702 for txt
,ie
in tests
:
3703 dev
[0].request("DISCONNECT")
3704 dev
[0].wait_disconnected()
3707 hapd
.set('own_ie_override', ie
)
3709 dev
[0].request("BSS_FLUSH 0")
3710 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
3711 dev
[0].select_network(id, freq
=2412)
3712 dev
[0].wait_connected()
3714 def check_tls_session_resumption_capa(dev
, hapd
):
3715 tls
= hapd
.request("GET tls_library")
3716 if not tls
.startswith("OpenSSL"):
3717 raise HwsimSkip("hostapd TLS library is not OpenSSL: " + tls
)
3719 tls
= dev
.request("GET tls_library")
3720 if not tls
.startswith("OpenSSL"):
3721 raise HwsimSkip("Session resumption not supported with this TLS library: " + tls
)
3723 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
3724 """EAP-TTLS/PAP session resumption"""
3725 params
= int_eap_server_params()
3726 params
['tls_session_lifetime'] = '60'
3727 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3728 check_tls_session_resumption_capa(dev
[0], hapd
)
3729 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3730 anonymous_identity
="ttls", password
="password",
3731 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
3733 if dev
[0].get_status_field("tls_session_reused") != '0':
3734 raise Exception("Unexpected session resumption on the first connection")
3736 dev
[0].request("REAUTHENTICATE")
3737 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3739 raise Exception("EAP success timed out")
3740 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3742 raise Exception("Key handshake with the AP timed out")
3743 if dev
[0].get_status_field("tls_session_reused") != '1':
3744 raise Exception("Session resumption not used on the second connection")
3746 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
3747 """EAP-TTLS/CHAP session resumption"""
3748 params
= int_eap_server_params()
3749 params
['tls_session_lifetime'] = '60'
3750 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3751 check_tls_session_resumption_capa(dev
[0], hapd
)
3752 eap_connect(dev
[0], apdev
[0], "TTLS", "chap user",
3753 anonymous_identity
="ttls", password
="password",
3754 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
3755 if dev
[0].get_status_field("tls_session_reused") != '0':
3756 raise Exception("Unexpected session resumption on the first connection")
3758 dev
[0].request("REAUTHENTICATE")
3759 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3761 raise Exception("EAP success timed out")
3762 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3764 raise Exception("Key handshake with the AP timed out")
3765 if dev
[0].get_status_field("tls_session_reused") != '1':
3766 raise Exception("Session resumption not used on the second connection")
3768 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
3769 """EAP-TTLS/MSCHAP session resumption"""
3770 check_domain_suffix_match(dev
[0])
3771 params
= int_eap_server_params()
3772 params
['tls_session_lifetime'] = '60'
3773 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3774 check_tls_session_resumption_capa(dev
[0], hapd
)
3775 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
3776 anonymous_identity
="ttls", password
="password",
3777 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
3778 domain_suffix_match
="server.w1.fi")
3779 if dev
[0].get_status_field("tls_session_reused") != '0':
3780 raise Exception("Unexpected session resumption on the first connection")
3782 dev
[0].request("REAUTHENTICATE")
3783 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3785 raise Exception("EAP success timed out")
3786 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3788 raise Exception("Key handshake with the AP timed out")
3789 if dev
[0].get_status_field("tls_session_reused") != '1':
3790 raise Exception("Session resumption not used on the second connection")
3792 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
3793 """EAP-TTLS/MSCHAPv2 session resumption"""
3794 check_domain_suffix_match(dev
[0])
3795 check_eap_capa(dev
[0], "MSCHAPV2")
3796 params
= int_eap_server_params()
3797 params
['tls_session_lifetime'] = '60'
3798 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3799 check_tls_session_resumption_capa(dev
[0], hapd
)
3800 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
3801 anonymous_identity
="ttls", password
="password",
3802 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
3803 domain_suffix_match
="server.w1.fi")
3804 if dev
[0].get_status_field("tls_session_reused") != '0':
3805 raise Exception("Unexpected session resumption on the first connection")
3807 dev
[0].request("REAUTHENTICATE")
3808 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3810 raise Exception("EAP success timed out")
3811 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3813 raise Exception("Key handshake with the AP timed out")
3814 if dev
[0].get_status_field("tls_session_reused") != '1':
3815 raise Exception("Session resumption not used on the second connection")
3817 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
3818 """EAP-TTLS/EAP-GTC session resumption"""
3819 params
= int_eap_server_params()
3820 params
['tls_session_lifetime'] = '60'
3821 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3822 check_tls_session_resumption_capa(dev
[0], hapd
)
3823 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
3824 anonymous_identity
="ttls", password
="password",
3825 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
3826 if dev
[0].get_status_field("tls_session_reused") != '0':
3827 raise Exception("Unexpected session resumption on the first connection")
3829 dev
[0].request("REAUTHENTICATE")
3830 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3832 raise Exception("EAP success timed out")
3833 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3835 raise Exception("Key handshake with the AP timed out")
3836 if dev
[0].get_status_field("tls_session_reused") != '1':
3837 raise Exception("Session resumption not used on the second connection")
3839 def test_eap_ttls_no_session_resumption(dev
, apdev
):
3840 """EAP-TTLS session resumption disabled on server"""
3841 params
= int_eap_server_params()
3842 params
['tls_session_lifetime'] = '0'
3843 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3844 eap_connect(dev
[0], apdev
[0], "TTLS", "pap user",
3845 anonymous_identity
="ttls", password
="password",
3846 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
3848 if dev
[0].get_status_field("tls_session_reused") != '0':
3849 raise Exception("Unexpected session resumption on the first connection")
3851 dev
[0].request("REAUTHENTICATE")
3852 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3854 raise Exception("EAP success timed out")
3855 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3857 raise Exception("Key handshake with the AP timed out")
3858 if dev
[0].get_status_field("tls_session_reused") != '0':
3859 raise Exception("Unexpected session resumption on the second connection")
3861 def test_eap_peap_session_resumption(dev
, apdev
):
3862 """EAP-PEAP session resumption"""
3863 params
= int_eap_server_params()
3864 params
['tls_session_lifetime'] = '60'
3865 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3866 check_tls_session_resumption_capa(dev
[0], hapd
)
3867 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
3868 anonymous_identity
="peap", password
="password",
3869 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
3870 if dev
[0].get_status_field("tls_session_reused") != '0':
3871 raise Exception("Unexpected session resumption on the first connection")
3873 dev
[0].request("REAUTHENTICATE")
3874 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3876 raise Exception("EAP success timed out")
3877 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3879 raise Exception("Key handshake with the AP timed out")
3880 if dev
[0].get_status_field("tls_session_reused") != '1':
3881 raise Exception("Session resumption not used on the second connection")
3883 def test_eap_peap_no_session_resumption(dev
, apdev
):
3884 """EAP-PEAP session resumption disabled on server"""
3885 params
= int_eap_server_params()
3886 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3887 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
3888 anonymous_identity
="peap", password
="password",
3889 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
3890 if dev
[0].get_status_field("tls_session_reused") != '0':
3891 raise Exception("Unexpected session resumption on the first connection")
3893 dev
[0].request("REAUTHENTICATE")
3894 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3896 raise Exception("EAP success timed out")
3897 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3899 raise Exception("Key handshake with the AP timed out")
3900 if dev
[0].get_status_field("tls_session_reused") != '0':
3901 raise Exception("Unexpected session resumption on the second connection")
3903 def test_eap_tls_session_resumption(dev
, apdev
):
3904 """EAP-TLS session resumption"""
3905 params
= int_eap_server_params()
3906 params
['tls_session_lifetime'] = '60'
3907 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3908 check_tls_session_resumption_capa(dev
[0], hapd
)
3909 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3910 client_cert
="auth_serv/user.pem",
3911 private_key
="auth_serv/user.key")
3912 if dev
[0].get_status_field("tls_session_reused") != '0':
3913 raise Exception("Unexpected session resumption on the first connection")
3915 dev
[0].request("REAUTHENTICATE")
3916 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3918 raise Exception("EAP success timed out")
3919 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3921 raise Exception("Key handshake with the AP timed out")
3922 if dev
[0].get_status_field("tls_session_reused") != '1':
3923 raise Exception("Session resumption not used on the second connection")
3925 dev
[0].request("REAUTHENTICATE")
3926 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3928 raise Exception("EAP success timed out")
3929 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3931 raise Exception("Key handshake with the AP timed out")
3932 if dev
[0].get_status_field("tls_session_reused") != '1':
3933 raise Exception("Session resumption not used on the third connection")
3935 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
3936 """EAP-TLS session resumption"""
3937 params
= int_eap_server_params()
3938 params
['tls_session_lifetime'] = '1'
3939 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3940 check_tls_session_resumption_capa(dev
[0], hapd
)
3941 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3942 client_cert
="auth_serv/user.pem",
3943 private_key
="auth_serv/user.key")
3944 if dev
[0].get_status_field("tls_session_reused") != '0':
3945 raise Exception("Unexpected session resumption on the first connection")
3947 # Allow multiple attempts since OpenSSL may not expire the cached entry
3952 dev
[0].request("REAUTHENTICATE")
3953 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3955 raise Exception("EAP success timed out")
3956 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3958 raise Exception("Key handshake with the AP timed out")
3959 if dev
[0].get_status_field("tls_session_reused") == '0':
3961 if dev
[0].get_status_field("tls_session_reused") != '0':
3962 raise Exception("Session resumption used after lifetime expiration")
3964 def test_eap_tls_no_session_resumption(dev
, apdev
):
3965 """EAP-TLS session resumption disabled on server"""
3966 params
= int_eap_server_params()
3967 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
3968 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
3969 client_cert
="auth_serv/user.pem",
3970 private_key
="auth_serv/user.key")
3971 if dev
[0].get_status_field("tls_session_reused") != '0':
3972 raise Exception("Unexpected session resumption on the first connection")
3974 dev
[0].request("REAUTHENTICATE")
3975 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
3977 raise Exception("EAP success timed out")
3978 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
3980 raise Exception("Key handshake with the AP timed out")
3981 if dev
[0].get_status_field("tls_session_reused") != '0':
3982 raise Exception("Unexpected session resumption on the second connection")
3984 def test_eap_tls_session_resumption_radius(dev
, apdev
):
3985 """EAP-TLS session resumption (RADIUS)"""
3986 params
= { "ssid": "as", "beacon_int": "2000",
3987 "radius_server_clients": "auth_serv/radius_clients.conf",
3988 "radius_server_auth_port": '18128',
3990 "eap_user_file": "auth_serv/eap_user.conf",
3991 "ca_cert": "auth_serv/ca.pem",
3992 "server_cert": "auth_serv/server.pem",
3993 "private_key": "auth_serv/server.key",
3994 "tls_session_lifetime": "60" }
3995 authsrv
= hostapd
.add_ap(apdev
[1]['ifname'], params
)
3996 check_tls_session_resumption_capa(dev
[0], authsrv
)
3998 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
3999 params
['auth_server_port'] = "18128"
4000 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
4001 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
4002 client_cert
="auth_serv/user.pem",
4003 private_key
="auth_serv/user.key")
4004 if dev
[0].get_status_field("tls_session_reused") != '0':
4005 raise Exception("Unexpected session resumption on the first connection")
4007 dev
[0].request("REAUTHENTICATE")
4008 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4010 raise Exception("EAP success timed out")
4011 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
4013 raise Exception("Key handshake with the AP timed out")
4014 if dev
[0].get_status_field("tls_session_reused") != '1':
4015 raise Exception("Session resumption not used on the second connection")
4017 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
4018 """EAP-TLS session resumption disabled (RADIUS)"""
4019 params
= { "ssid": "as", "beacon_int": "2000",
4020 "radius_server_clients": "auth_serv/radius_clients.conf",
4021 "radius_server_auth_port": '18128',
4023 "eap_user_file": "auth_serv/eap_user.conf",
4024 "ca_cert": "auth_serv/ca.pem",
4025 "server_cert": "auth_serv/server.pem",
4026 "private_key": "auth_serv/server.key",
4027 "tls_session_lifetime": "0" }
4028 hostapd
.add_ap(apdev
[1]['ifname'], params
)
4030 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4031 params
['auth_server_port'] = "18128"
4032 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
4033 eap_connect(dev
[0], apdev
[0], "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
4034 client_cert
="auth_serv/user.pem",
4035 private_key
="auth_serv/user.key")
4036 if dev
[0].get_status_field("tls_session_reused") != '0':
4037 raise Exception("Unexpected session resumption on the first connection")
4039 dev
[0].request("REAUTHENTICATE")
4040 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4042 raise Exception("EAP success timed out")
4043 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
4045 raise Exception("Key handshake with the AP timed out")
4046 if dev
[0].get_status_field("tls_session_reused") != '0':
4047 raise Exception("Unexpected session resumption on the second connection")
4049 def test_eap_mschapv2_errors(dev
, apdev
):
4050 """EAP-MSCHAPv2 error cases"""
4051 check_eap_capa(dev
[0], "MSCHAPV2")
4052 check_eap_capa(dev
[0], "FAST")
4054 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
4055 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
4056 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
4057 identity
="phase1-user", password
="password",
4059 dev
[0].request("REMOVE_NETWORK all")
4060 dev
[0].wait_disconnected()
4062 tests
= [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4063 (1, "nt_password_hash;mschapv2_derive_response"),
4064 (1, "nt_password_hash;=mschapv2_derive_response"),
4065 (1, "generate_nt_response;mschapv2_derive_response"),
4066 (1, "generate_authenticator_response;mschapv2_derive_response"),
4067 (1, "nt_password_hash;=mschapv2_derive_response"),
4068 (1, "get_master_key;mschapv2_derive_response"),
4069 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
4070 for count
, func
in tests
:
4071 with
fail_test(dev
[0], count
, func
):
4072 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
4073 identity
="phase1-user", password
="password",
4074 wait_connect
=False, scan_freq
="2412")
4075 wait_fail_trigger(dev
[0], "GET_FAIL")
4076 dev
[0].request("REMOVE_NETWORK all")
4077 dev
[0].wait_disconnected()
4079 tests
= [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
4080 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
4081 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
4082 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
4083 for count
, func
in tests
:
4084 with
fail_test(dev
[0], count
, func
):
4085 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
4086 identity
="phase1-user",
4087 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
4088 wait_connect
=False, scan_freq
="2412")
4089 wait_fail_trigger(dev
[0], "GET_FAIL")
4090 dev
[0].request("REMOVE_NETWORK all")
4091 dev
[0].wait_disconnected()
4093 tests
= [ (1, "eap_mschapv2_init"),
4094 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
4095 (1, "eap_msg_alloc;eap_mschapv2_success"),
4096 (1, "eap_mschapv2_getKey") ]
4097 for count
, func
in tests
:
4098 with
alloc_fail(dev
[0], count
, func
):
4099 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
4100 identity
="phase1-user", password
="password",
4101 wait_connect
=False, scan_freq
="2412")
4102 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
4103 dev
[0].request("REMOVE_NETWORK all")
4104 dev
[0].wait_disconnected()
4106 tests
= [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
4107 for count
, func
in tests
:
4108 with
alloc_fail(dev
[0], count
, func
):
4109 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
4110 identity
="phase1-user", password
="wrong password",
4111 wait_connect
=False, scan_freq
="2412")
4112 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
4113 dev
[0].request("REMOVE_NETWORK all")
4114 dev
[0].wait_disconnected()
4116 tests
= [ (2, "eap_mschapv2_init"),
4117 (3, "eap_mschapv2_init") ]
4118 for count
, func
in tests
:
4119 with
alloc_fail(dev
[0], count
, func
):
4120 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
4121 anonymous_identity
="FAST", identity
="user",
4122 password
="password",
4123 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
4124 phase1
="fast_provisioning=1",
4125 pac_file
="blob://fast_pac",
4126 wait_connect
=False, scan_freq
="2412")
4127 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
4128 dev
[0].request("REMOVE_NETWORK all")
4129 dev
[0].wait_disconnected()
4131 def test_eap_gpsk_errors(dev
, apdev
):
4132 """EAP-GPSK error cases"""
4133 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
4134 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
4135 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
4136 identity
="gpsk user",
4137 password
="abcdefghijklmnop0123456789abcdef",
4139 dev
[0].request("REMOVE_NETWORK all")
4140 dev
[0].wait_disconnected()
4142 tests
= [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
4143 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4145 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
4147 (1, "eap_gpsk_derive_keys_helper", None),
4148 (2, "eap_gpsk_derive_keys_helper", None),
4149 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4151 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
4153 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
4154 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
4155 (1, "eap_gpsk_derive_mid_helper", None) ]
4156 for count
, func
, phase1
in tests
:
4157 with
fail_test(dev
[0], count
, func
):
4158 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
4159 identity
="gpsk user",
4160 password
="abcdefghijklmnop0123456789abcdef",
4162 wait_connect
=False, scan_freq
="2412")
4163 wait_fail_trigger(dev
[0], "GET_FAIL")
4164 dev
[0].request("REMOVE_NETWORK all")
4165 dev
[0].wait_disconnected()
4167 tests
= [ (1, "eap_gpsk_init"),
4168 (2, "eap_gpsk_init"),
4169 (3, "eap_gpsk_init"),
4170 (1, "eap_gpsk_process_id_server"),
4171 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
4172 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4173 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
4174 (1, "eap_gpsk_derive_keys"),
4175 (1, "eap_gpsk_derive_keys_helper"),
4176 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
4177 (1, "eap_gpsk_getKey"),
4178 (1, "eap_gpsk_get_emsk"),
4179 (1, "eap_gpsk_get_session_id") ]
4180 for count
, func
in tests
:
4181 with
alloc_fail(dev
[0], count
, func
):
4182 dev
[0].request("ERP_FLUSH")
4183 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
4184 identity
="gpsk user", erp
="1",
4185 password
="abcdefghijklmnop0123456789abcdef",
4186 wait_connect
=False, scan_freq
="2412")
4187 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
4188 dev
[0].request("REMOVE_NETWORK all")
4189 dev
[0].wait_disconnected()
4191 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
4192 """EAP-SIM DB error cases"""
4193 sockpath
= '/tmp/hlr_auc_gw.sock-test'
4198 hparams
= int_eap_server_params()
4199 hparams
['eap_sim_db'] = 'unix:' + sockpath
4200 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], hparams
)
4202 # Initial test with hlr_auc_gw socket not available
4203 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4204 eap
="SIM", identity
="1232010000000000",
4205 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4206 scan_freq
="2412", wait_connect
=False)
4207 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4209 raise Exception("EAP-Failure not reported")
4210 dev
[0].wait_disconnected()
4211 dev
[0].request("DISCONNECT")
4213 # Test with invalid responses and response timeout
4215 class test_handler(SocketServer
.DatagramRequestHandler
):
4217 data
= self
.request
[0].strip()
4218 socket
= self
.request
[1]
4219 logger
.debug("Received hlr_auc_gw request: " + data
)
4220 # EAP-SIM DB: Failed to parse response string
4221 socket
.sendto("FOO", self
.client_address
)
4222 # EAP-SIM DB: Failed to parse response string
4223 socket
.sendto("FOO 1", self
.client_address
)
4224 # EAP-SIM DB: Unknown external response
4225 socket
.sendto("FOO 1 2", self
.client_address
)
4226 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
4228 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
4231 dev
[0].select_network(id)
4232 server
.handle_request()
4233 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4235 raise Exception("EAP-Failure not reported")
4236 dev
[0].wait_disconnected()
4237 dev
[0].request("DISCONNECT")
4239 # Test with a valid response
4241 class test_handler2(SocketServer
.DatagramRequestHandler
):
4243 data
= self
.request
[0].strip()
4244 socket
= self
.request
[1]
4245 logger
.debug("Received hlr_auc_gw request: " + data
)
4246 fname
= os
.path
.join(params
['logdir'],
4247 'hlr_auc_gw.milenage_db')
4248 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
4250 stdout
=subprocess
.PIPE
)
4251 res
= cmd
.stdout
.read().strip()
4253 logger
.debug("hlr_auc_gw response: " + res
)
4254 socket
.sendto(res
, self
.client_address
)
4256 server
.RequestHandlerClass
= test_handler2
4258 dev
[0].select_network(id)
4259 server
.handle_request()
4260 dev
[0].wait_connected()
4261 dev
[0].request("DISCONNECT")
4262 dev
[0].wait_disconnected()
4264 def test_eap_tls_sha512(dev
, apdev
, params
):
4265 """EAP-TLS with SHA512 signature"""
4266 params
= int_eap_server_params()
4267 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
4268 params
["server_cert"] = "auth_serv/sha512-server.pem"
4269 params
["private_key"] = "auth_serv/sha512-server.key"
4270 hostapd
.add_ap(apdev
[0]['ifname'], params
)
4272 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4273 identity
="tls user sha512",
4274 ca_cert
="auth_serv/sha512-ca.pem",
4275 client_cert
="auth_serv/sha512-user.pem",
4276 private_key
="auth_serv/sha512-user.key",
4278 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4279 identity
="tls user sha512",
4280 ca_cert
="auth_serv/sha512-ca.pem",
4281 client_cert
="auth_serv/sha384-user.pem",
4282 private_key
="auth_serv/sha384-user.key",
4285 def test_eap_tls_sha384(dev
, apdev
, params
):
4286 """EAP-TLS with SHA384 signature"""
4287 params
= int_eap_server_params()
4288 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
4289 params
["server_cert"] = "auth_serv/sha384-server.pem"
4290 params
["private_key"] = "auth_serv/sha384-server.key"
4291 hostapd
.add_ap(apdev
[0]['ifname'], params
)
4293 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4294 identity
="tls user sha512",
4295 ca_cert
="auth_serv/sha512-ca.pem",
4296 client_cert
="auth_serv/sha512-user.pem",
4297 private_key
="auth_serv/sha512-user.key",
4299 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4300 identity
="tls user sha512",
4301 ca_cert
="auth_serv/sha512-ca.pem",
4302 client_cert
="auth_serv/sha384-user.pem",
4303 private_key
="auth_serv/sha384-user.key",
4306 def test_ap_wpa2_eap_assoc_rsn(dev
, apdev
):
4307 """WPA2-Enterprise AP and association request RSN IE differences"""
4308 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4309 hostapd
.add_ap(apdev
[0]['ifname'], params
)
4311 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap-11w")
4312 params
["ieee80211w"] = "2"
4313 hostapd
.add_ap(apdev
[1]['ifname'], params
)
4315 # Success cases with optional RSN IE fields removed one by one
4316 tests
= [ ("Normal wpa_supplicant assoc req RSN IE",
4317 "30140100000fac040100000fac040100000fac010000"),
4318 ("Extra PMKIDCount field in RSN IE",
4319 "30160100000fac040100000fac040100000fac0100000000"),
4320 ("Extra Group Management Cipher Suite in RSN IE",
4321 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
4322 ("Extra undefined extension field in RSN IE",
4323 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
4324 ("RSN IE without RSN Capabilities",
4325 "30120100000fac040100000fac040100000fac01"),
4326 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
4327 ("RSN IE without pairwise", "30060100000fac04"),
4328 ("RSN IE without group", "30020100") ]
4329 for title
, ie
in tests
:
4331 set_test_assoc_ie(dev
[0], ie
)
4332 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
4333 identity
="gpsk user",
4334 password
="abcdefghijklmnop0123456789abcdef",
4336 dev
[0].request("REMOVE_NETWORK all")
4337 dev
[0].wait_disconnected()
4339 tests
= [ ("Normal wpa_supplicant assoc req RSN IE",
4340 "30140100000fac040100000fac040100000fac01cc00"),
4341 ("Group management cipher included in assoc req RSN IE",
4342 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
4343 for title
, ie
in tests
:
4345 set_test_assoc_ie(dev
[0], ie
)
4346 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
4347 eap
="GPSK", identity
="gpsk user",
4348 password
="abcdefghijklmnop0123456789abcdef",
4350 dev
[0].request("REMOVE_NETWORK all")
4351 dev
[0].wait_disconnected()
4353 tests
= [ ("Invalid group cipher", "30060100000fac02", 41),
4354 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
4355 for title
, ie
, status
in tests
:
4357 set_test_assoc_ie(dev
[0], ie
)
4358 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
4359 identity
="gpsk user",
4360 password
="abcdefghijklmnop0123456789abcdef",
4361 scan_freq
="2412", wait_connect
=False)
4362 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4364 raise Exception("Association rejection not reported")
4365 if "status_code=" + str(status
) not in ev
:
4366 raise Exception("Unexpected status code: " + ev
)
4367 dev
[0].request("REMOVE_NETWORK all")
4368 dev
[0].dump_monitor()
4370 tests
= [ ("Management frame protection not enabled",
4371 "30140100000fac040100000fac040100000fac010000", 31),
4372 ("Unsupported management group cipher",
4373 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
4374 for title
, ie
, status
in tests
:
4376 set_test_assoc_ie(dev
[0], ie
)
4377 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
4378 eap
="GPSK", identity
="gpsk user",
4379 password
="abcdefghijklmnop0123456789abcdef",
4380 scan_freq
="2412", wait_connect
=False)
4381 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
4383 raise Exception("Association rejection not reported")
4384 if "status_code=" + str(status
) not in ev
:
4385 raise Exception("Unexpected status code: " + ev
)
4386 dev
[0].request("REMOVE_NETWORK all")
4387 dev
[0].dump_monitor()
4389 def test_eap_tls_ext_cert_check(dev
, apdev
):
4390 """EAP-TLS and external server certification validation"""
4391 # With internal server certificate chain validation
4392 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4393 identity
="tls user",
4394 ca_cert
="auth_serv/ca.pem",
4395 client_cert
="auth_serv/user.pem",
4396 private_key
="auth_serv/user.key",
4397 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
4398 only_add_network
=True)
4399 run_ext_cert_check(dev
, apdev
, id)
4401 def test_eap_ttls_ext_cert_check(dev
, apdev
):
4402 """EAP-TTLS and external server certification validation"""
4403 # Without internal server certificate chain validation
4404 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4405 identity
="pap user", anonymous_identity
="ttls",
4406 password
="password", phase2
="auth=PAP",
4407 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
4408 only_add_network
=True)
4409 run_ext_cert_check(dev
, apdev
, id)
4411 def test_eap_peap_ext_cert_check(dev
, apdev
):
4412 """EAP-PEAP and external server certification validation"""
4413 # With internal server certificate chain validation
4414 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
4415 identity
="user", anonymous_identity
="peap",
4416 ca_cert
="auth_serv/ca.pem",
4417 password
="password", phase2
="auth=MSCHAPV2",
4418 phase1
="tls_ext_cert_check=1", scan_freq
="2412",
4419 only_add_network
=True)
4420 run_ext_cert_check(dev
, apdev
, id)
4422 def test_eap_fast_ext_cert_check(dev
, apdev
):
4423 """EAP-FAST and external server certification validation"""
4424 check_eap_capa(dev
[0], "FAST")
4425 # With internal server certificate chain validation
4426 dev
[0].request("SET blob fast_pac_auth_ext ")
4427 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
4428 identity
="user", anonymous_identity
="FAST",
4429 ca_cert
="auth_serv/ca.pem",
4430 password
="password", phase2
="auth=GTC",
4431 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
4432 pac_file
="blob://fast_pac_auth_ext",
4434 only_add_network
=True)
4435 run_ext_cert_check(dev
, apdev
, id)
4437 def run_ext_cert_check(dev
, apdev
, net_id
):
4438 check_ext_cert_check_support(dev
[0])
4439 if not openssl_imported
:
4440 raise HwsimSkip("OpenSSL python method not available")
4442 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4443 hapd
= hostapd
.add_ap(apdev
[0]['ifname'], params
)
4445 dev
[0].select_network(net_id
)
4448 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
4449 "CTRL-REQ-EXT_CERT_CHECK",
4450 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4452 raise Exception("No peer server certificate event seen")
4453 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
4456 vals
= ev
.split(' ')
4458 if v
.startswith("depth="):
4459 depth
= int(v
.split('=')[1])
4460 elif v
.startswith("cert="):
4461 cert
= v
.split('=')[1]
4462 if depth
is not None and cert
:
4463 certs
[depth
] = binascii
.unhexlify(cert
)
4464 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
4465 raise Exception("Unexpected EAP-Success")
4466 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
4467 id = ev
.split(':')[0].split('-')[-1]
4470 raise Exception("Server certificate not received")
4472 raise Exception("Server certificate issuer not received")
4474 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
4476 cn
= cert
.get_subject().commonName
4477 logger
.info("Server certificate CN=" + cn
)
4479 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
4481 icn
= issuer
.get_subject().commonName
4482 logger
.info("Issuer certificate CN=" + icn
)
4484 if cn
!= "server.w1.fi":
4485 raise Exception("Unexpected server certificate CN: " + cn
)
4486 if icn
!= "Root CA":
4487 raise Exception("Unexpected server certificate issuer CN: " + icn
)
4489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
4491 raise Exception("Unexpected EAP-Success before external check result indication")
4493 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
4494 dev
[0].wait_connected()
4496 dev
[0].request("DISCONNECT")
4497 dev
[0].wait_disconnected()
4498 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
4499 raise Exception("PMKSA_FLUSH failed")
4500 dev
[0].request("SET blob fast_pac_auth_ext ")
4501 dev
[0].request("RECONNECT")
4503 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
4505 raise Exception("No peer server certificate event seen (2)")
4506 id = ev
.split(':')[0].split('-')[-1]
4507 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
4508 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
4510 raise Exception("EAP-Failure not reported")
4511 dev
[0].request("REMOVE_NETWORK all")
4512 dev
[0].wait_disconnected()