1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger. getLogger() with no name returns the root logger, so
# the handlers/levels configured elsewhere by the test harness apply here.
logger = logging.getLogger()
18 from utils
import HwsimSkip
, alloc_fail
19 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
def check_hlr_auc_gw_support():
    """Skip the calling test unless the hlr_auc_gw control socket exists.

    The EAP-SIM/AKA tests need the external HLR/AuC simulator; its presence
    is detected only through the fixed socket path below.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock is not present.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
def check_eap_capa(dev, method):
    """Skip the calling test unless *method* is compiled into wpa_supplicant.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: EAP method name, matched as a substring of the string returned
            by dev.get_capability("eap").

    Raises:
        HwsimSkip: if the method is not listed.
    """
    supported = dev.get_capability("eap")
    if method in supported:
        return
    raise HwsimSkip("EAP method %s not supported in the build" % method)
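def _require_openssl(dev, what):
    """Skip the calling test unless wpa_supplicant uses the OpenSSL backend.

    The four public check_* helpers below all gate on the same condition and
    differ only in the skip message; this helper is the single place where
    the TLS library is queried and compared.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        what: message prefix describing the unsupported feature.

    Raises:
        HwsimSkip: naming the TLS library when it is not OpenSSL.
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip(what + " with this TLS library: " + tls)


def check_subject_match_support(dev):
    """Skip unless subject_match is supported (OpenSSL builds only)."""
    _require_openssl(dev, "subject_match not supported")


def check_altsubject_match_support(dev):
    """Skip unless altsubject_match is supported (OpenSSL builds only)."""
    _require_openssl(dev, "altsubject_match not supported")


def check_domain_match_full(dev):
    """Skip unless domain_suffix_match can do a full (non-suffix) match.

    Only the OpenSSL backend is accepted here; the other libraries are
    reported as requiring a full match.
    """
    _require_openssl(dev, "domain_suffix_match requires full match")


def check_cert_probe_support(dev):
    """Skip unless server certificate probing is supported (OpenSSL only)."""
    _require_openssl(dev, "Certificate probing not supported")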
51 with
open(fname
, "r") as f
:
62 return base64
.b64decode(cert
)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):
    """Add an EAP network on *dev*, run the authentication and verify it.

    Any extra keyword arguments (password, ca_cert, phase2, ...) are passed
    through to dev.connect() as network configuration.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        ap: AP descriptor; only ap['ifname'] is used.
        method: EAP method name expected to be selected.
        identity: EAP identity to configure.
        sha256: expect the WPA2-EAP-SHA256 AKM (see eap_check_auth).
        expect_failure: the exchange must end in an EAP failure; hostapd's
            connection event is then not waited for.
        local_error_report: forwarded to eap_check_auth.

    Returns:
        The network id assigned by wpa_supplicant.

    Raises:
        Exception: from eap_check_auth, or if hostapd never reports
            AP-STA-CONNECTED after a successful exchange.
    """
    hapd = hostapd.Hostapd(ap['ifname'])
    # Both AKMs offered; ieee80211w="1" keeps PMF optional so the AP side
    # decides whether management frame protection is used.
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity, wait_connect=False,
                         scan_freq="2412", ieee80211w="1", **kwargs)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if not expect_failure:
        # The supplicant reached COMPLETED; make sure the AP agrees.
        if hapd.wait_event(["AP-STA-CONNECTED"], timeout=5) is None:
            raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow the control-interface events of one EAP authentication.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: EAP method name that must appear in CTRL-EVENT-EAP-METHOD and
            in the selectedMethod status field.
        initial: True for the first association (wait for
            CTRL-EVENT-CONNECTED); False for a reauthentication, where only
            the key negotiation completing is awaited.
        rsn: expect the WPA2 (RSN) key_mgmt string instead of WPA.
        sha256: expect the WPA2-EAP-SHA256 key_mgmt string.
        expect_failure: the exchange must end with CTRL-EVENT-EAP-FAILURE and
            a disconnection; the function returns right after that.
        local_error_report: when True, do not insist on reason code 23
            (IEEE 802.1X authentication failed) in the disconnection event.

    Raises:
        Exception: on any timeout or mismatch with the expected outcome.
    """
    def await_event(names, error):
        # Every wait here uses the same 10 s budget.
        ev = dev.wait_event(names, timeout=10)
        if ev is None:
            raise Exception(error)
        return ev

    await_event(["CTRL-EVENT-EAP-STARTED"],
                "Association and EAP start timed out")
    selected = await_event(["CTRL-EVENT-EAP-METHOD"],
                           "EAP method selection timed out")
    if method not in selected:
        raise Exception("Unexpected EAP method")

    if expect_failure:
        # No timeout argument here on purpose: wait_event's default applies.
        if dev.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
            raise Exception("EAP failure timed out")
        disconnect_ev = dev.wait_disconnected(timeout=10)
        if not local_error_report and "reason=23" not in disconnect_ev:
            raise Exception("Proper reason code for disconnection not reported")
        return

    await_event(["CTRL-EVENT-EAP-SUCCESS"], "EAP success timed out")
    if initial:
        completion = ["CTRL-EVENT-CONNECTED"]
    else:
        completion = ["WPA: Key negotiation completed"]
    await_event(completion, "Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")

    if sha256:
        expected_key_mgmt = "WPA2-EAP-SHA256"
    elif rsn:
        expected_key_mgmt = "WPA2/IEEE 802.1X/EAP"
    else:
        expected_key_mgmt = "WPA/IEEE 802.1X/EAP"
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger a reauthentication on *dev* and verify the resulting exchange.

    Args:
        dev: wpa_supplicant control-interface wrapper.
        method: EAP method expected to be used again.
        rsn, sha256, expect_failure: forwarded to eap_check_auth.

    Returns:
        The result of eap_check_auth (None on success).
    """
    dev.request("REAUTHENTICATE")
    # initial=False: only the key negotiation is awaited, not a new
    # CTRL-EVENT-CONNECTED.
    outcome = eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
                             expect_failure=expect_failure)
    return outcome
def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Valid GSM-Milenage key material; the negative cases below corrupt it.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password=good_key)
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password=good_key, anonymous_identity="345678")

    # (log line, password) pairs that must all be rejected with EAP failure:
    # wrong Ki, and syntactically invalid key strings.
    negative_cases = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in negative_cases:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=key, expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                expect_failure=True)
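def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        _eap_sim_sql_checks(dev, apdev, con)
    finally:
        # Close the handle on the shared hostapd.db even when a check raises,
        # instead of leaving it to garbage collection.
        con.close()


def _eap_sim_sql_checks(dev, apdev, con):
    """EAP-SIM fast re-authentication checks driven by edits to hostapd.db.

    Args:
        dev: list of wpa_supplicant wrappers; only dev[0] is used.
        apdev: AP interface descriptors; apdev[0] hosts the test AP.
        con: open sqlite3 connection to the database whose reauth and
            pseudonyms tables the EAP server consults.

    Raises:
        Exception: from eap_connect/eap_reauth on unexpected outcomes.
    """
    def run_sql(*statements):
        # "with con" commits the statements as one transaction.
        with con:
            cur = con.cursor()
            for statement in statements:
                cur.execute(statement)

    identity = "1232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # NOTE(review): 1814 appears to select the RADIUS server instance backed
    # by hostapd.db (same value in the other *_sql tests) -- confirm.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "SIM", identity, password=key)

    logger.info("SIM fast re-authentication")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='1232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")

    logger.info("SIM reauth with mismatching MK")
    # A server-side MK that no longer matches the peer's must make the fast
    # reauthentication fail rather than silently fall back.
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", identity, password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    eap_reauth(dev[0], "SIM")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with mismatching counter")
    eap_reauth(dev[0], "SIM")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", identity, password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
    logger.info("SIM reauth with max reauth count reached")
    eap_reauth(dev[0], "SIM")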
def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    # Out-of-range sim_min_num_chal values must be refused at method
    # initialization; the second failure message carries a "(2)" suffix.
    rejected = (("sim_min_num_chal=1", ""), ("sim_min_num_chal=4", " (2)"))
    for phase1, suffix in rejected:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000", password=key,
                       phase1=phase1, wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        if ev is None:
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password=key, phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password=key, anonymous_identity="345678")
def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
    try:
        _test_ap_wpa2_eap_sim_ext(dev, apdev)
    finally:
        # Restore built-in SIM handling whatever happened, so later tests on
        # dev[0] do not inherit external_sim=1.
        dev[0].request("SET external_sim 0")
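def _test_ap_wpa2_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_sim_ext; the caller resets external_sim.

    wpa_supplicant is put into external SIM mode and every GSM-AUTH request
    it raises is answered with a malformed CTRL-RSP-SIM. Each response must
    be rejected by the supplicant's validation and end in
    CTRL-EVENT-EAP-FAILURE; the repeated wait/respond/fail sequence is
    factored into local helpers and a loop over the bad responses.

    Raises:
        Exception: on a missing event, an unexpected request type, or a
            CTRL-RSP-SIM that is not accepted by the control interface.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_gsm_auth_request():
        """Wait for a GSM-AUTH CTRL-REQ-SIM and return its request id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        # "<n>CTRL-REQ-SIM-<id>" -> the id after the third '-'
        return p[0].split('-')[3]

    def expect_failure_and_disconnect():
        """Require CTRL-EVENT-EAP-FAILURE, then tear the connection down."""
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    # IK:CK:RES, i.e. a UMTS-AUTH response to a GSM-AUTH request.
    # This will fail during processing, but the ctrl_iface command succeeds
    rid = wait_gsm_auth_request()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_failure_and_disconnect()

    # Malformed GSM-AUTH responses (non-hex, too short, missing or extra
    # fields). The ctrl_iface accepts each one ("OK"); the failure happens
    # during GSM auth validation.
    bad_responses = [":GSM-AUTH:q",
                     ":GSM-AUTH:34",
                     ":GSM-AUTH:0011223344556677",
                     ":GSM-AUTH:0011223344556677:q",
                     ":GSM-AUTH:0011223344556677:00112233",
                     ":GSM-AUTH:0011223344556677:00112233:q"]
    for bad in bad_responses:
        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_request()
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + bad):
            raise Exception("CTRL-RSP-SIM failed")
        expect_failure_and_disconnect()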
def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    identity = "0232010000000000"
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA")

    # (log line, remove existing networks first, password). Not every case
    # clears the network list; the original order of those calls is kept.
    negative_cases = [
        ("Negative test with incorrect key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)", False,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)", True,
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, clear_networks, key in negative_cases:
        logger.info(label)
        if clear_networks:
            dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", identity,
                    password=key, expect_failure=True)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", identity, expect_failure=True)
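def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        _eap_aka_sql_checks(dev, apdev, con)
    finally:
        # Close the handle on the shared hostapd.db even when a check raises,
        # instead of leaving it to garbage collection.
        con.close()


def _eap_aka_sql_checks(dev, apdev, con):
    """EAP-AKA fast re-authentication checks driven by edits to hostapd.db.

    Args:
        dev: list of wpa_supplicant wrappers; only dev[0] is used.
        apdev: AP interface descriptors; apdev[0] hosts the test AP.
        con: open sqlite3 connection to the database whose reauth and
            pseudonyms tables the EAP server consults.

    Raises:
        Exception: from eap_connect/eap_reauth on unexpected outcomes.
    """
    def run_sql(*statements):
        # "with con" commits the statements as one transaction.
        with con:
            cur = con.cursor()
            for statement in statements:
                cur.execute(statement)

    identity = "0232010000000000"
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # NOTE(review): 1814 appears to select the RADIUS server instance backed
    # by hostapd.db (same value in the other *_sql tests) -- confirm.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA", identity, password=key)

    logger.info("AKA fast re-authentication")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='0232010000000000'",
            "DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")

    logger.info("AKA reauth with mismatching MK")
    # A server-side MK that no longer matches the peer's must make the fast
    # reauthentication fail rather than silently fall back.
    run_sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", identity, password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    eap_reauth(dev[0], "AKA")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with mismatching counter")
    eap_reauth(dev[0], "AKA")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA", identity, password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
    logger.info("AKA reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA")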
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Only the anonymous_identity option is exercised here.
    aka_cfg = dict(password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                   anonymous_identity="2345678")
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000", **aka_cfg)
def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
    try:
        _test_ap_wpa2_eap_aka_ext(dev, apdev)
    finally:
        # Restore built-in SIM handling whatever happened, so later tests on
        # dev[0] do not inherit external_sim=1.
        dev[0].request("SET external_sim 0")
def _test_ap_wpa2_eap_aka_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_aka_ext; the caller resets external_sim.

    With external SIM mode enabled, each UMTS-AUTH request from
    wpa_supplicant is answered with a wrong-type or malformed CTRL-RSP-SIM,
    and every exchange must end in CTRL-EVENT-EAP-FAILURE.

    Raises:
        Exception: on a missing event, an unexpected request type, or a
            CTRL-RSP-SIM that is not accepted by the control interface.
    """
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    if dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("Network connected timed out")

    def wait_umts_auth_request():
        """Wait for a UMTS-AUTH CTRL-REQ-SIM and return its request id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        # "<n>CTRL-REQ-SIM-<id>" -> the id after the third '-'
        return p[0].split('-')[3]

    def respond(rid, payload):
        """Send CTRL-RSP-SIM; the command must be accepted even though the
        payload will fail during UMTS auth validation."""
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + payload):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_failure_and_disconnect():
        """Require CTRL-EVENT-EAP-FAILURE, then tear the connection down."""
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("EAP failure not reported")
        dev[0].request("DISCONNECT")
        dev[0].wait_disconnected()
        time.sleep(0.1)

    # IK:CK:RES sent as a GSM-AUTH response to a UMTS-AUTH request.
    # This will fail during processing, but the ctrl_iface command succeeds
    rid = wait_umts_auth_request()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_failure_and_disconnect()

    # UMTS-AUTS answers: the first one is followed by another CTRL-REQ-SIM,
    # the second (too short) one ends the exchange in failure.
    dev[0].select_network(net_id, freq="2412")
    respond(wait_umts_auth_request(), ":UMTS-AUTS:112233445566778899aabbccddee")
    respond(wait_umts_auth_request(), ":UMTS-AUTS:12")
    expect_failure_and_disconnect()

    # Malformed UMTS-AUTH responses: wrong separators, wrong field lengths
    # and a non-hex character.
    tests = [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:34",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
              ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
    for t in tests:
        dev[0].select_network(net_id, freq="2412")
        respond(wait_umts_auth_request(), t)
        expect_failure_and_disconnect()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    identity = "6555444333222111"
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", identity, password=good_key)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "AKA'")

    # With both AKA' and AKA enabled the connection must still complete;
    # only the successful connection is checked here, not which method won.
    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=identity + "@both", password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    bad_key = "ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", identity, password=bad_key,
                expect_failure=True)
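def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
    check_hlr_auc_gw_support()
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
    try:
        _eap_aka_prime_sql_checks(dev, apdev, con)
    finally:
        # Close the handle on the shared hostapd.db even when a check raises,
        # instead of leaving it to garbage collection.
        con.close()


def _eap_aka_prime_sql_checks(dev, apdev, con):
    """EAP-AKA' fast re-authentication checks driven by edits to hostapd.db.

    Args:
        dev: list of wpa_supplicant wrappers; only dev[0] is used.
        apdev: AP interface descriptors; apdev[0] hosts the test AP.
        con: open sqlite3 connection to the database whose reauth and
            pseudonyms tables the EAP server consults.

    Raises:
        Exception: from eap_connect/eap_reauth on unexpected outcomes.
    """
    def run_sql(*statements):
        # "with con" commits the statements as one transaction.
        with con:
            cur = con.cursor()
            for statement in statements:
                cur.execute(statement)

    identity = "6555444333222111"
    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # NOTE(review): 1814 appears to select the RADIUS server instance backed
    # by hostapd.db (same value in the other *_sql tests) -- confirm.
    params['auth_server_port'] = "1814"
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "AKA'", identity, password=key)

    logger.info("AKA' fast re-authentication")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with pseudonym")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' full auth with permanent identity")
    run_sql("DELETE FROM reauth WHERE permanent='6555444333222111'",
            "DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")

    logger.info("AKA' reauth with mismatching k_aut")
    # AKA' stores K_aut rather than MK for reauth; a mismatching value must
    # make the fast reauthentication fail.
    run_sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'", expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", identity, password=key)
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    eap_reauth(dev[0], "AKA'")
    run_sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with mismatching counter")
    eap_reauth(dev[0], "AKA'")
    dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "AKA'", identity, password=key)
    run_sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
    logger.info("AKA' reauth with max reauth count reached")
    eap_reauth(dev[0], "AKA'")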
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    key_mgmt = hapd.get_config()['key_mgmt']
    # The first AKM reported by GET_CONFIG must be WPA-EAP.
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.1X AKM suite selector.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Server certificate identity pinned by full subject and by SAN entries.
    cert_checks = dict(subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                       altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP", **cert_checks)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    must_fail = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="auth=PAP", expect_failure=True)
    # Wrong password for the PAP user.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", password="wrong",
                **must_fail)
    # "user" with the right password is also rejected over PAP (presumably
    # that account is not enabled for PAP in the server user database).
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **must_fail)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # DER-encoded CA file here (the PAP tests use the PEM variant).
    ttls_chap = dict(anonymous_identity="ttls", password="password",
                     ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", **ttls_chap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    check_altsubject_match_support(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # SAN entries listed in a different order than in the PAP variant; the
    # match must not depend on ordering.
    san = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    must_fail = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="auth=CHAP", expect_failure=True)
    # Wrong password for the CHAP user.
    eap_connect(dev[0], apdev[0], "TTLS", "chap user", password="wrong",
                **must_fail)
    # "user" with the right password is also rejected over CHAP.
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **must_fail)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    ttls_mschap = dict(anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # First run pins the server certificate by DNS suffix.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **ttls_mschap)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")
    dev[0].request("REMOVE_NETWORK all")
    # Second run forces small EAP fragments through the same exchange.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
                fragment_size="200", **ttls_mschap)
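def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    # Docstring corrected: this test exercises MSCHAP, not CHAP (the test
    # runner shows it as the test description).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    must_fail = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                     phase2="auth=MSCHAP", expect_failure=True)
    # Wrong password, a different account with the right password, and an
    # unknown account all have to be rejected.
    eap_connect(dev[0], apdev[0], "TTLS", "mschap user", password="wrong",
                **must_fail)
    eap_connect(dev[1], apdev[0], "TTLS", "user", password="password",
                **must_fail)
    eap_connect(dev[2], apdev[0], "TTLS", "no such user", password="password",
                **must_fail)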
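def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "DOMAIN\\mschapv2 user": the backslash is escaped so the literal is
    # valid under Python 3 (a bare "\m" is an invalid escape sequence);
    # the resulting identity string is unchanged.
    identity = "DOMAIN\\mschapv2 user"
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)

    # Snapshot the AP-side station and EAPOL counters, reauthenticate, and
    # check that a full EAP exchange really happened on the AP.
    addr = dev[0].p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(dev[0], "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    # Same credential supplied as an NT password hash instead of cleartext.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")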
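def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_suffix_match)"""
    # Docstring made distinct from the plain MSCHAPv2 test so the hwsim
    # description identifies what this case covers.
    # "w1.fi" is a proper suffix of the server's name; only OpenSSL builds
    # do suffix matching, other TLS libraries require a full match.
    check_domain_match_full(dev[0])
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # "\m" is not a valid Python escape; write the backslash explicitly
    # (same bytes, no warning).
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")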
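def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    # domain_match requires the full name; the mixed-case "Server.w1.fi" is
    # expected to connect, so the comparison is evidently case-insensitive.
    # "\m" is not a valid Python escape; write the backslash explicitly.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")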
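def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Wrong password for a valid identity, and a valid password for an
    # identity that is not provisioned for this inner method.
    # "\m" is not a valid Python escape; write the backslash explicitly.
    # NOTE(review): the listing drops the closing line of both calls;
    # expect_failure=True is the pattern of the other negative tests.
    eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", expect_failure=True, **common)
    eap_connect(dev[1], apdev[0], "TTLS", "user",
                password="password", expect_failure=True, **common)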
def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Non-ASCII password given in cleartext: wpa_supplicant has to derive
    # the NT hash from the UTF-8 bytes correctly for this to succeed.
    eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **common)
    # Same kind of credential supplied as a precomputed NT hash; judging by
    # the identity names the server presumably stores the opposite form
    # for each user -- verify against the auth_serv user database.
    eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **common)
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # "autheap=" selects an EAP method (here GTC, a cleartext token/password
    # exchange) tunneled inside TTLS, as opposed to "auth=" for the
    # non-EAP PAP/CHAP/MSCHAP family.  GTC sends the password in the clear
    # inside the tunnel, so server validation (ca_cert) is what protects it.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 yields no key material and no server authentication; it is
    # only acceptable here because it runs inside the TTLS tunnel whose
    # server certificate is checked against ca_cert.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    eap_connect(sta, apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # NOTE(review): the listing drops the closing line of this call;
    # expect_failure=True is the pattern of the other negative tests.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                anonymous_identity="ttls", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                expect_failure=True)
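def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
    import time  # local import: the file's import block is not in view here
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)

    # Allocation failure while the server initializes the inner EAP-MD5
    # method: the authentication must fail cleanly, not crash hostapd.
    # NOTE(review): the listing drops the closing line of this call;
    # expect_failure=True is the pattern of the other negative tests.
    with alloc_fail(hapd, 1, "eap_md5_init"):
        eap_connect(dev[0], apdev[0], "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Allocation failure while building the MD5 request.
    with alloc_fail(hapd, 1, "eap_md5_buildReq"):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                       eap="TTLS", identity="user",
                       anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="autheap=MD5",
                       wait_connect=False, scan_freq="2412")
        # This would eventually time out, but we can stop after having reached
        # the allocation failure.
        # NOTE(review): the listing drops the polling loop around this
        # check; a short bounded poll is reconstructed here.
        for _ in range(20):
            time.sleep(0.1)
            if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                break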
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(anonymous_identity="ttls",
                  ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
    # EAP-MSCHAPv2 (the EAP-encapsulated form) tunneled in TTLS.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    # NOTE(review): the listing drops the closing line of this call;
    # expect_failure=True is the pattern of the other negative tests.
    eap_connect(dev[0], apdev[0], "TTLS", "user",
                password="password1", expect_failure=True, **common)
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identity is an IMSI-style string; the "password" is the colon-separated
    # SIM secret material (apparently Ki:OPc:SQN -- confirm against the
    # hlr_auc_gw configuration used by the server).
    imsi = "0232010000000000"
    sim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Same SIM credential as the TTLS/AKA case, but tunneled inside PEAP
    # (phase2 uses "auth=" here, PEAP's own inner-method syntax).
    imsi = "0232010000000000"
    sim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=sim_secret,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-FAST with a PAC kept in a config blob; fast_provisioning=2 is the
    # authenticated-provisioning mode (server certificate checked against
    # ca_cert), as opposed to the anonymous mode -- confirm against the
    # wpa_supplicant phase1 documentation.
    imsi = "0232010000000000"
    sim_secret = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                  "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    eap_connect(dev[0], apdev[0], "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password=sim_secret,
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    common = dict(anonymous_identity="peap",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # Baseline: connect, pass traffic, reauthenticate.
    eap_connect(sta, apdev[0], "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(sta, hapd)
    eap_reauth(sta, "PEAP")

    # Force EAP fragmentation of the TLS handshake.
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    # NT password hash instead of the cleartext password (sufficient for
    # MSCHAPv2, which never uses the cleartext form).
    eap_connect(sta, apdev[0], "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, apdev[0], "PEAP", "user", password="password1",
                expect_failure=True, **common)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Cryptobinding ties the inner method result to the outer TLS tunnel
    # (a defence against tunnel/MitM splicing).  The phase1 values used
    # here are, as documented for wpa_supplicant: 2 = required, 1 = use if
    # offered, 0 = do not use.  All three are expected to connect against
    # this server; only the "required" station is also checked for data
    # traffic and reauthentication.
    for sta, binding in ((dev[0], "2"), (dev[1], "1"), (dev[2], "0")):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")
        if sta is dev[0]:
            hwsim_utils.test_connectivity(dev[0], hapd)
            eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)

    # PEAPv0 with peaplabel=1: the client derives keys with a label the
    # server presumably does not use, so the exchange is expected to fail.
    eap_connect(dev[0], apdev[0], "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Both peap_outer_success modes must still connect.
    for sta, outer in ((dev[1], "1"), (dev[2], "2")):
        eap_connect(sta, apdev[0], "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peap_outer_success=" + outer,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP itself reports success, but the
    # connection must not complete (the two ends presumably end up with
    # different keys, so the 4-way handshake cannot succeed).
    # NOTE(review): the listing drops one argument line of this connect();
    # identity="user" matches every other call in this test.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user",
                   anonymous_identity="peap", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # EAP-TLS as the inner method: the client certificate is presented
    # inside the PEAP tunnel, so the "2" variants of the cert/key options
    # (ca_cert2/client_cert2/private_key2) configure the inner TLS.
    sta = dev[0]
    eap_connect(sta, apdev[0], "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Mutual certificate authentication: client cert/key from PEM files,
    # server validated against ca_cert.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
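def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each PEM file is decoded (read_pem) and pushed into wpa_supplicant as
    # a named blob, hex encoded over the control interface, then referenced
    # from the network block as blob://<name>.  str.encode("hex") is the
    # Python 2 spelling of hexlify, kept as-is to match the rest of the file.
    blobs = (("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key"))
    for name, fname in blobs:
        data = read_pem(fname)
        if "OK" not in dev[0].request("SET blob " + name + " " + data.encode("hex")):
            # Fix: the original reported "cacert" when the userkey blob
            # failed, which made that failure indistinguishable from the
            # CA one.
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")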
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    # Client certificate and key come from one PKCS#12 bundle; first with
    # the passphrase configured in the network block.
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    sta.request("REMOVE_NETWORK all")

    # Second round without a configured passphrase: wpa_supplicant must ask
    # for it over the control interface and accept the CTRL-RSP answer.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # The request is "CTRL-REQ-PASSPHRASE-<id>:..."; echo <id> back in the
    # response.  (Renamed from 'id' to avoid shadowing the builtin.)
    req_id = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    sta.wait_connected(timeout=10)
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    sta = dev[0]
    # CA goes in as a decoded-PEM blob, the PKCS#12 bundle as raw bytes;
    # both are hex encoded for the control interface (Python 2
    # str.encode("hex")).
    ca_der = read_pem("auth_serv/ca.pem")
    if "OK" not in sta.request("SET blob cacert " + ca_der.encode("hex")):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        p12 = f.read()
    if "OK" not in sta.request("SET blob pkcs12 " + p12.encode("hex")):
        raise Exception("Could not set pkcs12 blob")
    eap_connect(sta, apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
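def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The wrong CA is supplied two ways: as a config blob (dev[0]) and as a
    # file (dev[1]).  Both must reject the server certificate.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    # "\m" is not a valid Python escape; write the backslash explicitly.
    identity = "DOMAIN\\mschapv2 user"
    for sta, ca in ((dev[0], "blob://cacert"),
                    (dev[1], "auth_serv/ca-incorrect.pem")):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity=identity, anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca,
                    wait_connect=False, scan_freq="2412")

    # Loop variable renamed: the original reused the name 'dev' and
    # shadowed the parameter.
    # NOTE(review): the listing drops the "if ev is None" guard lines;
    # they are reconstructed from the "timed out" messages that follow.
    for sta in (dev[0], dev[1]):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")

        ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        # The certificate error must be the first outcome reported; any of
        # the other events here would mean the wrong root was accepted.
        ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                             "CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                             "CTRL-EVENT-EAP-FAILURE",
                             "CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                             "CTRL-EVENT-DISCONNECTED"], timeout=10)
        if ev is None:
            raise Exception("EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        # After the failure the network block must be temporarily disabled
        # so the station does not keep retrying against the bad server.
        ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
        if ev is None:
            raise Exception("Network block disabling not reported")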
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="pap user", anonymous_identity="ttls",
                  password="password", phase2="auth=PAP",
                  scan_freq="2412")
    # First network block trusts the right CA and connects.
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **common)
    # Second block is identical except that its CA did not issue the server
    # certificate; it is only added here, selected below.
    nid = dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **common)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(nid, freq="2412")

    # A fresh EAP-TTLS run (EAP type 21) must be proposed for the new block,
    # and it must then fail -- presumably the point is that nothing cached
    # from the first, correctly-trusted block lets the wrong CA through.
    # NOTE(review): the "if ev is None" guard is reconstructed; the listing
    # drops that line.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23 is the IEEE 802.11 deauth reason for 802.1X authentication
    # failure.
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    common = dict(key_mgmt="WPA-EAP", eap="TTLS",
                  identity="pap user", anonymous_identity="ttls",
                  password="password", phase2="auth=PAP",
                  scan_freq="2412")
    # Variant of diff_ca_trust: the first block configures NO ca_cert at
    # all (server certificate not validated -- the insecure configuration)
    # and connects; the second block names a CA that did not issue the
    # server certificate.
    dev[0].connect("test-wpa2-eap", wait_connect=True, **common)
    nid = dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                         only_add_network=True, **common)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(nid, freq="2412")

    # EAP-TTLS (type 21) must be re-run for the new block and must fail;
    # the earlier unvalidated success must not carry over.
    # NOTE(review): the "if ev is None" guard is reconstructed; the listing
    # drops that line.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.11 "802.1X authentication failed".
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], params)
    # Variant of diff_ca_trust: a single network block whose ca_cert is
    # changed in place (SET_NETWORK) from the right CA to a wrong one
    # between two connection attempts.
    nid = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="pap user", anonymous_identity="ttls",
                         password="password", phase2="auth=PAP",
                         ca_cert="auth_serv/ca.pem",
                         wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(nid, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(nid, freq="2412")

    # EAP-TTLS (type 21) must be re-run with the changed CA and must fail;
    # any verification state cached from the first attempt must not be
    # reused.
    # NOTE(review): the "if ev is None" guard is reconstructed; the listing
    # drops that line.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"], timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    # reason=23: IEEE 802.11 "802.1X authentication failed".
    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
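def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The CA is correct; only domain_suffix_match is wrong.  The station
    # must still refuse the server -- a valid chain from the right CA is
    # not enough when the name does not match.
    # "\m" is not a valid Python escape; write the backslash explicitly.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards below are reconstructed; the
    # listing drops those lines.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # First outcome must be the certificate error, and it must name the
    # suffix check as the reason.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")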
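def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # domain_match (unlike domain_suffix_match) requires the full name, so
    # the bare parent domain "w1.fi" must NOT be accepted for a server named
    # under it.  The CA is correct; the name check alone has to fail this.
    # "\m" is not a valid Python escape; write the backslash explicitly.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards below are reconstructed; the
    # listing drops those lines.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")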
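def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # subject_match value that is expected not to match the server
    # certificate's subject; with the right CA, the subject check alone
    # must cause rejection.
    # "\m" is not a valid Python escape; write the backslash explicitly.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards and the early "return" below
    # are reconstructed; the listing drops those lines.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # A TLS library without subject_match support must refuse to initialize
    # the method at all (fail closed rather than silently skip the check);
    # that outcome also passes the test.  With OpenSSL the method must
    # initialize.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")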
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each entry is an altsubject_match value that must NOT match the
    # server certificate (with and without the "DNS:" type prefix).
    # NOTE(review): the listing truncates this list; only the entries it
    # shows are kept here.
    tests = ["incorrect.example.com",
             "DNS:incorrect.example.com"]
    for match in tests:
        _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
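def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    """Run one altsubject_match negative case on dev[0] and require rejection."""
    # The docstring is what hwsim prints as a description; the public test
    # that calls this helper keeps the original one-line wording.
    # "\m" is not a valid Python escape; write the backslash explicitly.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   altsubject_match=match,
                   wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None" guards and the early "return" below
    # are reconstructed; the listing drops those lines.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    # Without altsubject_match support the method must fail to initialize
    # (fail closed); that is acceptable for non-OpenSSL builds only.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD",
                            "EAP: Failed to initialize EAP method"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                            "CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
                            "CTRL-EVENT-EAP-FAILURE",
                            "CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
                            "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")

    # Clean up so the caller can run the next altsubject_match value on the
    # same station.
    dev[0].request("REMOVE_NETWORK all")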
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # No client_cert/private_key: only the server is authenticated (against
    # ca_cert); the client presents no credential of its own.
    sta = dev[0]
    eap_connect(sta, apdev[0], "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
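def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    check_cert_probe_support(dev[0])
    # SHA-256 of the server (depth=0) certificate: the probe must report it,
    # and pinning it must be enough to authenticate the server without any
    # CA at all.
    srv_cert_hash = "1477c9cd88391609444b83eca45c4f9f324e3051c5c31fc233ac6aede30ce7cd"
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # "\m" is not a valid Python escape; write the backslash explicitly.
    identity = "DOMAIN\\mschapv2 user"
    # NOTE(review): the "if ev is None" guards below are reconstructed; the
    # listing drops those lines.

    # Step 1: ca_cert="probe://" reports the server certificate chain and
    # then deliberately fails the connection -- it never authenticates.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="probe", ca_cert="probe://",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 2: pin a different SHA-256 value; the server must be rejected
    # with a certificate mismatch, never accepted.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity=identity, anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    dev[0].wait_disconnected(timeout=10)
    dev[0].request("REMOVE_NETWORK all")

    # Step 3: pin the hash the probe reported; the connection must succeed
    # on the pin alone.
    eap_connect(dev[0], apdev[0], "TTLS", identity,
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")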
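def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Each of three stations is configured with a malformed pin: an md5 hash
    (unsupported algorithm), a truncated sha256 hex string, and a sha256
    string containing a non-hex character.  All three must be rejected when
    the EAP method is initialized, i.e. before any TLS exchange with the
    server, rather than silently falling back to weaker validation.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    bad_pins = [
        # wrong algorithm
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # two hex digits short
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # 'Q' is not a hex digit
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    # "\\m" keeps the literal backslash without the invalid escape "\m".
    for sta, pin in zip(dev, bad_pins):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=pin,
                    wait_connect=False, scan_freq="2412")
    for sta in dev[:len(bad_pins)]:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        # vendor 0 / method 21 is EAP-TTLS; the failure must come from
        # method init, not from a later certificate check.
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")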
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Exercises a plain connection plus reauthentication, a very long NAI that
    forces EAP-pwd fragmentation on the station side, and a wrong password
    (must fail; local_error_report because the failure is detected locally).
    """
    check_eap_capa(dev[0], "PWD")
    long_nai = ("pwd.user@test1234567890123456789012345678901234567890"
                "1234567890123456789012345678901234567890123456789012345678"
                "90.example.com")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Fragment sizes as in the upstream hwsim test; small enough that the
    # long identity does not fit one EAP-pwd message. Confirm against the
    # checked-in file if this is edited.
    eap_connect(dev[1], apdev[0], "PWD", long_nai,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], apdev[0], "PWD", long_nai,
                password="secret password",
                fragment_size="31")
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups

    Restarts the AP once per ECC group (19, 20, 21, 25, 26) and checks that
    the station negotiates each one.  The network block is removed before
    every attempt so a cached configuration cannot mask a failure.
    """
    check_eap_capa(dev[0], "PWD")
    base = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
            "rsn_pairwise": "CCMP", "ieee8021x": "1",
            "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf"}
    for group in [19, 20, 21, 25, 26]:
        base['pwd_group'] = str(group)
        hostapd.add_ap(apdev[0]['ifname'], base)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "PWD", "pwd user",
                    password="secret password")
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group

    pwd_group=0 is not a valid group; the exchange must end in an EAP
    failure rather than a connection.
    """
    check_eap_capa(dev[0], "PWD")
    ap_params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
                 "rsn_pairwise": "CCMP", "ieee8021x": "1",
                 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
                 "pwd_group": "0"}
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                   identity="pwd user", password="secret password",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
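def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation

    fragment_size=40 on the authenticator forces the server side to split
    its EAP-pwd messages; the station must reassemble them and connect.
    """
    check_eap_capa(dev[0], "PWD")
    # The original built params via hostapd.wpa2_eap_params() and then
    # immediately replaced it; only the explicit dict was ever used.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "pwd_group": "19", "fragment_size": "40"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")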
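def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK

    Covers the default cipher suite, each explicitly forced suite
    (phase1 cipher=1 and cipher=2), a suite the server does not offer
    (cipher=9, expected EAP failure) and a wrong PSK.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # 'netid' rather than 'id' so the builtin is not shadowed.
    netid = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                        password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(dev[0], "GPSK")

    logger.info("Test forced algorithm selection")
    for phase1 in ["cipher=1", "cipher=2"]:
        # Updating phase1 on the live network block is expected to start a
        # fresh EAP exchange (the test waits for EAP-SUCCESS afterwards).
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "cipher=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)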
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE

    Positive connection with reauthentication, then a wrong 32-byte
    pre-shared key (first byte changed) which must be rejected.
    """
    good_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=good_key)
    eap_reauth(dev[0], "SAKE")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SAKE", "sake user", password_hex=bad_key,
                expect_failure=True)
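def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE

    Covers the default proposal, several explicitly forced DH group /
    encryption / PRF / MAC combinations, a proposal the server does not
    support (all 9s, expected EAP failure) and a wrong password.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # 'netid' rather than 'id' so the builtin is not shadowed.
    netid = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
    eap_reauth(dev[0], "EKE")

    logger.info("Test forced algorithm selection")
    proposals = ["dhgroup=5 encr=1 prf=2 mac=2",
                 "dhgroup=4 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=2 mac=2",
                 "dhgroup=3 encr=1 prf=1 mac=1"]
    for phase1 in proposals:
        # Updating phase1 on the live network block is expected to start a
        # fresh EAP exchange (the test waits for EAP-SUCCESS afterwards).
        dev[0].set_network_quoted(netid, "phase1", phase1)
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
        if ev is None:
            raise Exception("EAP success timed out")
        dev[0].wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    dev[0].set_network_quoted(netid, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
                expect_failure=True)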
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2

    Plain connection with reauthentication, the same with station-side
    fragmentation (fragment_size=50), and a wrong password that must fail.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")

    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
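def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation

    fragment_size=50 on the authenticator forces the server side to split
    its EAP-IKEv2 messages; the station must reassemble them, connect and
    reauthenticate.
    """
    # The original built params via hostapd.wpa2_eap_params() and then
    # immediately replaced it; only the explicit dict was ever used.
    params = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
              "rsn_pairwise": "CCMP", "ieee8021x": "1",
              "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
              "fragment_size": "50"}
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")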
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX

    Positive connection with reauthentication, then a 16-byte key with the
    first byte changed, which must be rejected.
    """
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=good_key)
    eap_reauth(dev[0], "PAX")

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex=bad_key, expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK

    The AP is configured for WPA-EAP-SHA256 with PMF required (ieee80211w=2),
    so this also checks that the SHA256 AKM (00-0f-ac-5) is both requested
    and selected and that the BSS is advertised as WPA2-EAP-SHA256-CCMP.
    Ends with a wrong 16-byte key that must be rejected.
    """
    good_key = "0123456789abcdef0123456789abcdef"
    bad_key = "ff23456789abcdef0123456789abcdef"
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex=good_key, sha256=True)
    eap_reauth(dev[0], "PSK", sha256=True)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5")])

    bss = dev[0].get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
                password_hex=bad_key, sha256=True, expect_failure=True)
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Legacy WPA (TKIP-era, rsn=False) rather than WPA2: the MIB checks expect
    the WPA vendor AKM 00-50-f2-1 instead of the RSN suite.  The server is
    still validated against ca_cert before the inner MSCHAPv2 exchange.
    """
    ap_params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
                   scan_freq="2412")
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                       ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1")])
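def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry

    Each case omits the password (and sometimes the identity) from the
    network block and answers the resulting CTRL-REQ-IDENTITY /
    CTRL-REQ-PASSWORD (or CTRL-REQ-OTP for GTC) prompts over the control
    interface.  Every case validates the server against ca_cert first, so
    the interactively supplied secret is only sent inside the TLS tunnel.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    hapd = hostapd.Hostapd(apdev[0]['ifname'])

    # "\\m" keeps the literal backslash without the invalid escape "\m".
    mschapv2_user = "DOMAIN\\mschapv2 user"
    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on request or None, password to supply)
    tests = [("Connection with dynamic TTLS/MSCHAPv2 password entry",
              "TTLS", "ttls", mschapv2_user, "auth=MSCHAPV2",
              None, "password"),
             ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
              "TTLS", "ttls", None, "auth=MSCHAPV2",
              mschapv2_user, "password"),
             ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
              "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
             ("Connection with dynamic TTLS/EAP-MD5 password entry",
              "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
             ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
              "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
             ("Connection with dynamic PEAP/EAP-GTC password entry",
              "PEAP", None, "user", "auth=GTC", None, "password")]
    for desc, eap, anon, identity, phase2, req_id, req_pw in tests:
        logger.info(desc)
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")

        if req_id:
            ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
            if ev is None:
                raise Exception("Request for identity timed out")
            # Request lines look like "CTRL-REQ-IDENTITY-<n>:..."; the
            # response must echo the same request number <n>.
            req_no = ev.split(':')[0].split('-')[-1]
            dev[0].request("CTRL-RSP-IDENTITY-" + req_no + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD", "CTRL-REQ-OTP"])
        if ev is None:
            raise Exception("Request for password timed out")
        req_no = ev.split(':')[0].split('-')[-1]
        # GTC asks for a one-time password; the others for a password.
        rsp_type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + rsp_type + "-" + req_no + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")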
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test

    Uses the built-in vendor-specific test method (no real credentials) to
    check that expanded-type EAP negotiation and reauthentication work.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning

    fast_provisioning=1 allows the PAC to be provisioned over an anonymous
    (unauthenticated) TLS tunnel; the PAC is kept in the in-memory blob
    fast_pac.  The reauthentication must then resume via the PAC session
    ticket (tls_session_reused == '1') instead of a full handshake.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
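def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file

    Provisions a PAC into a text file and into a binary file under the log
    directory, checks the text file has the expected header and a PAC-Key,
    and then reconnects with each file without provisioning.  The PAC files
    hold the PAC-Key secret; they are written by the (root) supplicant, so
    they are removed with sudo in a finally block even if a step fails.
    """
    check_eap_capa(dev[0], "FAST")
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    try:
        # Text-format PAC: provision, inspect, then reuse.
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1", pac_file=pac_file)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    pac_file=pac_file)

        # Binary-format PAC: provision, then reuse.
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "FAST", "user",
                    anonymous_identity="FAST", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_pac_format=binary",
                    pac_file=pac_file2)
    finally:
        # Files are root-owned (written by wpa_supplicant), hence sudo.
        subprocess.call(['sudo', 'rm', pac_file])
        subprocess.call(['sudo', 'rm', pac_file2])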
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format

    Provisions into an in-memory blob in binary format with the PAC list
    limited to one entry, then requires reauthentication to resume from the
    PAC session ticket (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    phase1 = "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary"
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1=phase1, pac_file="blob://fast_pac_bin")
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config

    Without fast_provisioning in phase1 no PAC can be obtained, so both a
    pac_file pointing at an unused blob and no pac_file at all must end in
    an EAP failure rather than a connection.
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    common = dict(key_mgmt="WPA-EAP", eap="FAST",
                  identity="user", anonymous_identity="FAST",
                  password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  wait_connect=False, scan_freq="2412")

    dev[0].connect("test-wpa2-eap", pac_file="blob://fast_pac_not_in_use",
                   **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    dev[0].request("REMOVE_NETWORK all")

    dev[0].connect("test-wpa2-eap", **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning

    fast_provisioning=2 provisions the PAC only over a server-authenticated
    tunnel (server validated against ca_cert), the safer of the two
    provisioning modes.  Reauthentication must resume from the PAC session
    ticket (tls_session_reused == '1').
    """
    check_eap_capa(dev[0], "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(dev[0], hapd)
    reauth = eap_reauth(dev[0], "FAST")
    if reauth['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP

    ocsp=2 makes a valid stapled OCSP response mandatory, so this passes
    only if the default hostapd EAP server configuration staples one.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for an AP with the integrated EAP server.

    A fresh dict is built on every call so callers may override entries
    (server_cert, private_key, ocsp_stapling_response, ...) without
    affecting other tests.
    """
    return {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
        "ca_cert": "auth_serv/ca.pem",
        "server_cert": "auth_serv/server.pem",
        "private_key": "auth_serv/server.key",
    }
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response

    The server staples a corrupt OCSP response.  With ocsp=2 the station
    must report "bad certificate status response" and then fail EAP rather
    than ignore the broken staple.
    """
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Several unrelated EAP-STATUS lines may precede the one that matters;
    # tolerate a bounded number of them before giving up.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ocsp_revoked(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked

    The server staples a (pre-generated) OCSP response saying its own
    certificate is revoked.  With ocsp=2 the station must report
    "certificate revoked" - not a parse error - and then fail EAP.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Several unrelated EAP-STATUS lines may precede the one that matters;
    # tolerate a bounded number of them before giving up.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            # A revoked status must be reported as such, not as a
            # malformed response.
            raise Exception("Unexpected 'bad certificate status response'")
        if 'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
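def test_ap_wpa2_eap_ttls_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and OCSP status unknown

    (The original docstring said "revoked"; this test uses the
    ocsp-server-cache-unknown.der response.)  An "unknown" status gives no
    assurance, so with ocsp=2 the station must treat it as a bad
    certificate status response and fail EAP.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=2,
                   wait_connect=False, scan_freq="2412")

    # Several unrelated EAP-STATUS lines may precede the one that matters;
    # tolerate a bounded number of them before giving up.
    for _ in range(11):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")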
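def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-TTLS and optional OCSP with status unknown

    (The original docstring said "status revoked"; the stapled response here
    is ocsp-server-cache-unknown.der.)  With ocsp=1 the stapled status is
    only checked if present and valid, so an "unknown" status does not
    block the connection - contrast with the ocsp=2 variant, which fails.
    """
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    # No wait_connect=False: the connection is expected to complete.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", ca_cert="auth_serv/ca.pem",
                   anonymous_identity="ttls", password="password",
                   phase2="auth=PAP", ocsp=1, scan_freq="2412")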
def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    The server certificate has no dNSName SAN, so domain_suffix_match falls
    back to the subject CN.  The full CN "server3.w1.fi" is used here so the
    test works with TLS libraries that only support exact matching.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain match (CN)

    domain_match requires the server name to match exactly (no suffix
    matching).  With no dNSName SAN in the certificate the subject CN
    "server3.w1.fi" is what must match.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_match="server3.w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)

    A true suffix ("w1.fi") must match the CN "server3.w1.fi".  Skipped on
    TLS libraries where domain_suffix_match only supports an exact match
    (check_domain_match_full).
    """
    check_domain_match_full(dev[0])
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user", ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   private_key_passwd="whatever",
                   domain_suffix_match="w1.fi",
                   scan_freq="2412")
def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)

    Two stations with suffixes that must NOT match the CN "server3.w1.fi":
    an unrelated domain ("example.com") and a suffix that only matches in
    the middle of a label ("erver3.w1.fi").  The second case is the
    important one - suffix matching has to be label-aligned, otherwise a
    certificate for "evilserver3.w1.fi"-style names would pass.  Both
    stations must report an EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    for sta, suffix in [(dev[0], "example.com"), (dev[1], "erver3.w1.fi")]:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_suffix_match=suffix,
                    scan_freq="2412", wait_connect=False)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev, apdev):
    """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)

    domain_match is an exact match: neither an unrelated domain
    ("example.com") nor the parent domain ("w1.fi") may match the CN
    "server3.w1.fi".  Both stations must report an EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-no-dnsname.pem"
    ap_params["private_key"] = "auth_serv/server-no-dnsname.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    for sta, name in [(dev[0], "example.com"), (dev[1], "w1.fi")]:
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                    identity="tls user", ca_cert="auth_serv/ca.pem",
                    private_key="auth_serv/user.pkcs12",
                    private_key_passwd="whatever",
                    domain_match=name,
                    scan_freq="2412", wait_connect=False)

    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
    if dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report (2)")
def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and expired certificate

    An expired server certificate must be rejected even though it chains to
    the trusted CA: the station reports CTRL-EVENT-EAP-TLS-CERT-ERROR with
    reason=4 / "certificate has expired" and then fails EAP.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
    if ev is None:
        raise Exception("Timeout on EAP certificate error report")
    if "reason=4" not in ev or "certificate has expired" not in ev:
        raise Exception("Unexpected failure reason: " + ev)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration

    phase1 tls_disable_time_checks=1 turns off validity-period checks, so
    the same expired server certificate that fails in
    test_ap_wpa2_eap_ttls_expired_cert is accepted here.  This deliberately
    weakens validation and exists to test the knob, not as a recommended
    configuration.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-expired.pem"
    ap_params["private_key"] = "auth_serv/server-expired.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   phase1="tls_disable_time_checks=1",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client EKU

    The server presents a CA-signed certificate whose Extended Key Usage
    allows only clientAuth.  A station must refuse it as a server
    certificate (otherwise any client certificate issued by the CA could
    impersonate the authentication server) and report an EAP failure.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412", wait_connect=False)
    if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU

    A certificate whose EKU lists both clientAuth and serverAuth is a valid
    server certificate, so the connection is expected to complete.
    """
    ap_params = int_eap_server_params()
    ap_params["server_cert"] = "auth_serv/server-eku-client-server.pem"
    ap_params["private_key"] = "auth_serv/server-eku-client-server.key"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
    """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file

    The server loads certificate and key from a single PKCS#12 bundle
    (server_cert removed, private_key pointing at the .pkcs12).  The
    station still validates the chain against ca_cert as usual.
    """
    ap_params = int_eap_server_params()
    del ap_params["server_cert"]
    ap_params["private_key"] = "auth_serv/server.pkcs12"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="mschap user", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
                   scan_freq="2412")
def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params

    Supplies explicit DH parameters (dh_file) on the station and uses the
    DER form of the CA certificate instead of PEM.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="auth_serv/dh.conf")
def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob

    Same as test_ap_wpa2_eap_ttls_dh_params, but the DER DH parameters are
    pushed into the supplicant as a hex-encoded blob and referenced via
    dh_file="blob://dhparams".
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    dh_der = read_pem("auth_serv/dh.conf")
    # NOTE: str.encode("hex") is Python 2 only; the rest of this file uses
    # the same idiom, so it is kept for consistency.
    dh_hex = dh_der.encode("hex")
    if "OK" not in dev[0].request("SET blob dhparams " + dh_hex):
        raise Exception("Could not set dhparams blob")
    eap_connect(dev[0], apdev[0], "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                dh_file="blob://dhparams")
def test_ap_wpa2_eap_reauth(dev, apdev):
    """WPA2-Enterprise and Authenticator forcing reauthentication"""
    # NOTE(review): the listing this was taken from dropped the two
    # ``if ev is None:`` guards, the ``break`` and the ``time.sleep(0.1)``
    # of the polling loop; they are restored here - confirm against the
    # repository file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Make the AP (Authenticator) force a fresh EAP exchange every 2 s.
    params['eap_reauth_period'] = '2'
    hostapd.add_ap(apdev[0]['ifname'], params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
    logger.info("Wait for reauthentication")
    # The station does nothing itself: a new EAP exchange has to start and
    # succeed purely because the AP initiated it.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("Timeout on reauthentication")
    # EAP success is presumably reported before the key handshake that
    # follows it is done, so poll wpa_state for up to ~2 s until the
    # supplicant is back in COMPLETED.
    for i in range(0, 20):
        state = dev[0].get_status_field("wpa_state")
        if state == "COMPLETED":
            break
        time.sleep(0.1)
    if state != "COMPLETED":
        raise Exception("Reauthentication did not complete")
def test_ap_wpa2_eap_request_identity_message(dev, apdev):
    """Optional displayable message in EAP Request-Identity"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Displayable text followed (after a literal backslash-zero, which the
    # hostapd config presumably turns into the NUL separator) by the
    # network/NAS option string. The test only checks that the connection
    # still completes with the message present.
    identity_msg = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
    ap_params['eap_message'] = identity_msg
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
                password_hex="0123456789abcdef0123456789abcdef")
def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
    """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
    check_hlr_auc_gw_support()
    ap_params = int_eap_server_params()
    ap_params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
    # Server side: enable the protected success/failure result indication
    # for EAP-SIM/AKA/AKA'.
    ap_params['eap_sim_aka_result_ind'] = "1"
    hostapd.add_ap(apdev[0]['ifname'], ap_params)

    # (method, identity, password) for the three SIM-based methods; the
    # colon-separated password strings are presumably the Milenage
    # Ki:OPc(:SQN) values the simulated HLR/AuC gateway knows about.
    sim_aka_cases = [
        ("SIM", "1232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("AKA", "0232010000000000",
         "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("AKA'", "6555444333222111",
         "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"),
    ]
    for idx, (method, identity, secret) in enumerate(sim_aka_cases):
        if idx:
            # Clear the previous method's profiles on both stations before
            # moving on (the last method's profiles are left in place).
            dev[0].request("REMOVE_NETWORK all")
            dev[1].request("REMOVE_NETWORK all")
        # dev[0] requests the result indication on its side as well and then
        # goes through a reauthentication; dev[1] connects relying on the
        # server-side setting only.
        eap_connect(dev[0], apdev[0], method, identity, password=secret,
                    phase1="result_ind=1")
        eap_reauth(dev[0], method)
        eap_connect(dev[1], apdev[0], method, identity, password=secret)
def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
    """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
    # NOTE(review): the listing render dropped the final argument line of
    # the connect() call below (presumably a very small fragment_size,
    # which is what forces the excessive number of roundtrips) and the
    # ``if ev is None:`` guard. The call is closed after phase2 here;
    # confirm the missing argument against the repository file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="TTLS", identity="mschap user",
                   wait_connect=False, scan_freq="2412", ieee80211w="1",
                   anonymous_identity="ttls", password="password",
                   ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # The supplicant limits the number of EAP roundtrips and reports
    # "EAP: more than ..." when the limit is hit; that message, rather than
    # an EAP success or failure, is what this test waits for.
    ev = dev[0].wait_event(["EAP: more than"], timeout=20)
    if ev is None:
        raise Exception("EAP roundtrip limit not reached")
def test_ap_wpa2_eap_expanded_nak(dev, apdev):
    """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
    # NOTE(review): restored from a line-dropping listing: the closing
    # ``wait_connect=False)`` of the connect() call, the ``found`` flag
    # and the ``if ev is None:`` guards - confirm against the repository
    # file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # The "vendor-test" identity is presumably served with a vendor-specific
    # (expanded type) EAP method, while the station only offers EAP-PSK, so
    # it has to refuse the proposal with an expanded NAK.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                   eap="PSK", identity="vendor-test",
                   password_hex="ff23456789abcdef0123456789abcdef",
                   wait_connect=False)

    # The refusal shows up as an EAP status event; allow a few unrelated
    # status events before it.
    found = False
    for i in range(0, 5):
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        if "refuse proposed method" in ev:
            found = True
            break
    if not found:
        raise Exception("Unexpected EAP status: " + ev)

    # With no common method the exchange must end in an EAP failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
    if ev is None:
        raise Exception("EAP failure timed out")
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    # NOTE(review): the listing render dropped the sqlite3 import guard, the
    # best-effort removal of a stale database file, the ``with con:`` /
    # ``cur = con.cursor()`` lines and the try/finally around the
    # connection attempts; they are restored here - confirm against the
    # repository file.
    try:
        import sqlite3
    except ImportError:
        raise HwsimSkip("No sqlite3 module available")
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    # Best-effort removal of a database left over by an earlier run; the
    # bare except is deliberate (the file usually does not exist).
    try:
        os.remove(dbfile)
    except:
        pass
    con = sqlite3.connect(dbfile)
    with con:
        cur = con.cursor()
        # Schema presumably matching what hostapd's sqlite eap_user_file
        # backend reads: one row per phase-2 user (method restricted per
        # user), a wildcard row for the anonymous phase-1 identity and an
        # authentication log table.
        cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
        cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
        cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
        cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
        cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")

    try:
        # Rebinds the ``params`` fixture name; logdir is not needed below.
        params = int_eap_server_params()
        # The "sqlite:" prefix selects the SQLite user database backend.
        params["eap_user_file"] = "sqlite:" + dbfile
        hostapd.add_ap(apdev[0]['ifname'], params)
        # Each user row only allows its own inner method, so every
        # combination below must match the row it was inserted with.
        eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
        eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    finally:
        # Do not leave a plaintext-password user database in the log dir.
        os.remove(dbfile)
def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # NOTE(review): the two ``if ev is None:`` guards were dropped by the
    # listing render and are restored here - confirm against the
    # repository file.
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities that are not valid UTF-8 (a lone 0x80 byte, and the same
    # preceded by an ASCII character). The test only checks that EAP is
    # started and a method is selected - i.e. neither side trips over the
    # malformed identity; whether authentication ultimately succeeds is
    # not checked.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same checks as test_ap_wpa2_eap_non_ascii_identity, but with the AP
    # configured via hostapd.wpa2_eap_params() (presumably the external
    # RADIUS server path) instead of the integrated EAP server.
    # NOTE(review): the two ``if ev is None:`` guards were dropped by the
    # listing render and are restored here - confirm against the
    # repository file.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities that are not valid UTF-8; only EAP start and method
    # selection are verified.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(0, 2):
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")
def test_openssl_cipher_suite_config_wpas(dev, apdev):
    """OpenSSL cipher suite configuration on wpa_supplicant"""
    # openssl_ciphers is an OpenSSL-specific network parameter, so the test
    # is skipped on other TLS backends.
    tls_lib = dev[0].request("GET tls_library")
    if not tls_lib.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls_lib)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Restricting the station to AES128 suites still leaves a suite the
    # server accepts.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", **ttls_pap)
    # Export-grade suites only: the TLS handshake is expected not to
    # complete, so the EAP exchange must end in failure.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="EXPORT", expect_failure=True, **ttls_pap)
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd"""
    # Both ends must be built against OpenSSL for the cipher-list strings
    # to mean the same thing; skip otherwise.
    sta_tls = dev[0].request("GET tls_library")
    if not sta_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + sta_tls)
    ap_params = int_eap_server_params()
    # Server side restricted to AES256 suites.
    ap_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)
    ttls_pap = dict(anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # Default station cipher list overlaps with AES256: succeeds.
    eap_connect(dev[0], apdev[0], "TTLS", "pap user", **ttls_pap)
    # Station limited to AES128 has no suite in common with an AES256-only
    # server: the handshake must fail.
    eap_connect(dev[1], apdev[0], "TTLS", "pap user",
                openssl_ciphers="AES128", expect_failure=True, **ttls_pap)
    # HIGH without anonymous DH still contains AES256 suites: succeeds.
    eap_connect(dev[2], apdev[0], "TTLS", "pap user",
                openssl_ciphers="HIGH:!ADH", **ttls_pap)
def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev, apdev, params):
    """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
    # Verifies that secrets do not outlive their use inside the
    # wpa_supplicant process. Its memory is dumped at four points of the
    # connection lifecycle and searched for the password, PMK, MSK/EMSK,
    # the PTK components (KCK, KEK, TK) and the GTK:
    #   1. while associated - password, PMK, KCK and KEK are expected to be
    #      present; TK and GTK must already be gone;
    #   2. after disconnection - KCK, KEK, TK and GTK must be gone;
    #   3. after flushing the PMKSA cache and invalidating the EAP fast
    #      re-auth data - the PMK must be gone;
    #   4. after removing the network profile - password, MSK and EMSK
    #      must be gone as well.
    #
    # NOTE(review): the listing this was taken from dropped several source
    # lines (the None initialisations, the ``if <key> in buf`` guards, the
    # GTK length check, the PTK slicing and the relog()/sleep one-liners);
    # they are restored here from the surrounding code and should be
    # confirmed against the repository file.
    p = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], p)
    # Long, distinctive password so its bytes can be located in a memory
    # dump without false positives.
    password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
    pid = find_wpas_process(dev[0])
    # id is the network id returned by eap_connect(); it is needed later to
    # edit the profile (shadows the builtin, kept as in the original).
    id = eap_connect(dev[0], apdev[0], "TTLS", "pap-secret",
                     anonymous_identity="ttls", password=password,
                     ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    time.sleep(1)  # NOTE(review): restored - confirm
    # Snapshot 1: process memory while associated.
    buf = read_process_memory(pid, password)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()

    # Recover the derived keys from the wpa_supplicant debug log so the
    # memory dumps can be searched for their exact bytes.
    dev[0].relog()  # NOTE(review): restored - confirm
    msk = None
    emsk = None
    pmk = None
    ptk = None
    gtk = None
    with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
        for l in f.readlines():
            # Hexdump log lines presumably look like
            # "<timestamp>: <module>: <name> - hexdump(len=N): aa bb ...";
            # the fourth ':'-separated field is the hex payload.
            if "EAP-TTLS: Derived key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                msk = binascii.unhexlify(val)
            if "EAP-TTLS: Derived EMSK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                emsk = binascii.unhexlify(val)
            if "WPA: PMK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                pmk = binascii.unhexlify(val)
            if "WPA: PTK - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                ptk = binascii.unhexlify(val)
            if "WPA: Group Key - hexdump" in l:
                val = l.strip().split(':')[3].replace(' ', '')
                gtk = binascii.unhexlify(val)
    if not msk or not emsk or not pmk or not ptk or not gtk:
        raise Exception("Could not find keys from debug log")
    if len(gtk) != 16:  # NOTE(review): restored; 16-byte CCMP GTK - confirm
        raise Exception("Unexpected GTK length")

    # PTK layout: KCK (16 bytes) | KEK (16) | TK (16).
    # NOTE(review): slicing restored - confirm.
    kck = ptk[0:16]
    kek = ptk[16:32]
    tk = ptk[32:48]

    # Prefix for the memory-context files verify_not_present() writes when
    # it finds a key that should have been cleared.
    fname = os.path.join(params['logdir'],
                         'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')

    logger.info("Checking keys in memory while associated")
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    # Password and PMK not being found is treated as a skip rather than a
    # failure (presumably because the memory read itself may be unreliable
    # in some environments); the remaining checks are hard failures.
    if password not in buf:
        raise HwsimSkip("Password not found while associated")
    if pmk not in buf:
        raise HwsimSkip("PMK not found while associated")
    if kck not in buf:
        raise Exception("KCK not found while associated")
    if kek not in buf:
        raise Exception("KEK not found while associated")
    # TK and GTK are handed to the driver and must not be retained in user
    # space even while the connection is up.
    if tk in buf:
        raise Exception("TK found from memory")
    if gtk in buf:
        raise Exception("GTK found from memory")

    logger.info("Checking keys in memory after disassociation")
    # Snapshot 2.
    buf = read_process_memory(pid, password)

    # Note: Password is still present in network configuration
    # Note: PMK is in PMKSA cache and EAP fast re-auth data

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")

    # Drop the cached PMKSA entry and, by changing the identity, the EAP
    # fast re-authentication state tied to the old one.
    dev[0].request("PMKSA_FLUSH")
    dev[0].set_network_quoted(id, "identity", "foo")
    logger.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
    # Snapshot 3.
    buf = read_process_memory(pid, password)
    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, pmk, fname, "PMK")

    dev[0].request("REMOVE_NETWORK all")

    logger.info("Checking keys in memory after network profile removal")
    # Snapshot 4: nothing derived from this connection may remain.
    buf = read_process_memory(pid, password)

    get_key_locations(buf, password, "Password")
    get_key_locations(buf, pmk, "PMK")
    get_key_locations(buf, msk, "MSK")
    get_key_locations(buf, emsk, "EMSK")
    verify_not_present(buf, password, fname, "password")
    verify_not_present(buf, pmk, fname, "PMK")
    verify_not_present(buf, kck, fname, "KCK")
    verify_not_present(buf, kek, fname, "KEK")
    verify_not_present(buf, tk, fname, "TK")
    verify_not_present(buf, gtk, fname, "GTK")
    verify_not_present(buf, msk, fname, "MSK")
    verify_not_present(buf, emsk, fname, "EMSK")