1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-wide logger; the tests below use logger.info() to label each
# sub-case (good key, malformed key, reauth variant) in the hwsim log.
logger = logging.getLogger()
17 from test_ap_psk
import check_mib
20 with
open ( fname
, "r" ) as f
:
31 return base64
. b64decode ( cert
)
def eap_connect(dev, ap, method, identity,
                sha256=False, expect_failure=False, local_error_report=False,
                **kwargs):  # (r)
    """Associate ``dev`` with ``ap`` over EAP ``method`` and verify the result.

    The station joins "test-wpa2-eap" offering both the SHA-1 and SHA-256
    EAP AKMs with PMF enabled but optional (ieee80211w="1"), then the
    supplicant-side event sequence and status are checked by
    eap_check_auth(). Extra keyword arguments (password, ca_cert, phase2,
    subject_match, ...) are forwarded to dev.connect() unchanged.

    For an expected-success case the authenticator must independently
    confirm the station (AP-STA-CONNECTED); a supplicant that believes it
    is connected is not enough on its own.

    Lines tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream.

    Returns the network id from dev.connect() (r).
    Raises Exception if hostapd never reports the station as connected.
    """
    authenticator = hostapd.Hostapd(ap['ifname'])
    net_id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                         eap=method, identity=identity,
                         wait_connect=False, scan_freq="2412", ieee80211w="1",
                         **kwargs)  # (r)
    eap_check_auth(dev, method, True, sha256=sha256,
                   expect_failure=expect_failure,
                   local_error_report=local_error_report)
    if expect_failure:  # (r)
        return net_id
    connected = authenticator.wait_event(["AP-STA-CONNECTED"], timeout=5)
    if connected is None:  # (r)
        raise Exception("No connection event received from hostapd")
    return net_id
def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
                   expect_failure=False, local_error_report=False):
    """Follow the supplicant's EAP control events and check the end state.

    Success path: EAP-STARTED, EAP-METHOD naming ``method``, EAP-SUCCESS,
    then either CTRL-EVENT-CONNECTED (initial association) or
    "WPA: Key negotiation completed" (re-authentication, initial=False).
    Afterwards STATUS must show wpa_state COMPLETED, the IEEE 802.1X
    controlled port Authorized, the selected method and the expected
    key_mgmt string.

    Failure path (expect_failure=True): EAP-FAILURE followed by a
    disconnection. Unless the error was reported locally, the
    disconnection must carry reason code 23 (IEEE 802.1X authentication
    failed), i.e. the supplicant must not disguise an auth failure as a
    generic link loss.

    Lines tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream. The sha256 variant of the
    expected key_mgmt string (listing lines 90-92) is not visible here.

    Raises Exception on any timeout or unexpected state.
    """
    event = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if event is None:  # (r)
        raise Exception("Association and EAP start timed out")
    event = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if event is None:  # (r)
        raise Exception("EAP method selection timed out")
    if method not in event:  # (r)
        raise Exception("Unexpected EAP method")

    if expect_failure:  # (r)
        event = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if event is None:  # (r)
            raise Exception("EAP failure timed out")
        event = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
        if event is None:  # (r)
            raise Exception("Disconnection timed out")
        # reason=23: IEEE 802.1X authentication failed
        if not local_error_report and "reason=23" not in event:
            raise Exception("Proper reason code for disconnection not reported")
        return  # (r)

    event = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if event is None:  # (r)
        raise Exception("EAP success timed out")
    completion = ["CTRL-EVENT-CONNECTED"] if initial else ["WPA: Key negotiation completed"]  # (r)
    event = dev.wait_event(completion, timeout=10)
    if event is None:  # (r)
        raise Exception("Association with the AP timed out")

    status = dev.get_status()
    if status["wpa_state"] != "COMPLETED":
        raise Exception("Connection not completed")
    # The controlled port opens only after a successful EAP exchange.
    if status["suppPortStatus"] != "Authorized":
        raise Exception("Port not authorized")
    if method not in status["selectedMethod"]:
        raise Exception("Incorrect EAP method status")
    expected_key_mgmt = "WPA2/IEEE 802.1X/EAP" if rsn else "WPA/IEEE 802.1X/EAP"  # (r)
    if status["key_mgmt"] != expected_key_mgmt:
        raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger a supplicant-initiated EAP re-authentication and verify it.

    Issues REAUTHENTICATE over the control interface and then applies the
    same event and status checks as an initial connection, with
    initial=False so that completion is recognised by the key negotiation
    event rather than by CTRL-EVENT-CONNECTED. ``expect_failure`` selects
    the failure-path checks of eap_check_auth().
    """
    dev.request("REAUTHENTICATE")
    eap_check_auth(dev, method, False,
                   rsn=rsn, sha256=sha256, expect_failure=expect_failure)
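def test_ap_wpa2_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM

    Positive cases: two provisioned IMSIs authenticate and one of them
    re-authenticates. Negative cases: a wrong key, several malformed
    GSM-Milenage key strings (truncated, non-hex digit, wrong separator)
    and a missing key must each end in an EAP failure rather than a
    connection, so bad credential material is rejected instead of being
    silently accepted or crashing the supplicant.

    Lines tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream. The negative cases are
    driven from a table; the listing omits REMOVE_NETWORK for none of
    the SIM cases, so behaviour is unchanged.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # GSM-Milenage key material as "Ki:OPc" (hex), as hostapd's hlr_auc_gw
    # expects it; these are test vectors, not real subscriber keys.
    good_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password=good_key)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "SIM")

    eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
                password=good_key)
    # (r) presumably IMSI ...0002 is not provisioned in hlr_auc_gw
    eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
                password=good_key,
                expect_failure=True)  # (r)

    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid GSM-Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581"),
        ("Invalid GSM-Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q"),
        ("Invalid GSM-Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581"),
    ]
    for label, key in bad_keys:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                    password=key,
                    expect_failure=True)  # (r)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                expect_failure=True)  # (r)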
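def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-SIM (SQL)

    Exercises the EAP server's SQLite-backed fast re-authentication state
    (reauth and pseudonyms tables) by editing it between attempts:
    removing reauth state forces a full authentication with the pseudonym,
    removing the pseudonym too forces the permanent identity, a tampered
    master key (mk) must make re-authentication fail, and counter
    mismatches or the maximum reauth count must fall back to full
    authentication.

    The database connection is closed on every exit path. Lines tagged (r)
    were dropped by the rendered listing and are reconstructed; confirm
    against upstream.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    try:  # (r) listing lines 161-165 missing; skip when sqlite3 is absent
        import sqlite3
    except ImportError:
        return "skip"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(stmt):
        """Run one statement against the server DB and commit it."""
        with con:  # (r) transaction scope as in the listing's `cur.execute` lines
            con.execute(stmt)

    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    imsi = "1232010000000000"
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)

        logger.info("SIM fast re-authentication")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='1232010000000000'")
        sql("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        logger.info("SIM reauth with mismatching MK")
        # Corrupted stored master key: the server must reject the reauth
        # rather than derive session keys from tampered state.
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        eap_reauth(dev[0], "SIM")

        sql("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with mismatching counter")
        eap_reauth(dev[0], "SIM")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "SIM", imsi, password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
        logger.info("SIM reauth with max reauth count reached")
        eap_reauth(dev[0], "SIM")
    finally:
        con.close()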
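def test_ap_wpa2_eap_sim_config(dev, apdev):
    """EAP-SIM configuration options

    phase1 sim_min_num_chal=1 and =4 must make the EAP-SIM method refuse
    to initialize (method 18 init failure event) instead of running with
    an invalid challenge count; =2 is accepted. A second station then
    connects with an anonymous_identity.

    Lines tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream. The two rejection cases are
    driven from a table; the error messages are unchanged.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"

    for num_chal, suffix in (("1", ""), ("4", " (2)")):
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
                       identity="1232010000000000",
                       password=key,
                       phase1="sim_min_num_chal=" + num_chal,
                       wait_connect=False, scan_freq="2412")
        ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
        if ev is None:  # (r)
            raise Exception("No EAP error message seen" + suffix)
        dev[0].request("REMOVE_NETWORK all")

    eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
                password=key,
                phase1="sim_min_num_chal=2")
    eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
                password=key,
                anonymous_identity="345678")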
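def test_ap_wpa2_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-SIM and external GSM auth

    With external_sim enabled the supplicant hands each GSM-AUTH request
    to the control-interface client (CTRL-REQ-SIM) and waits for a
    CTRL-RSP-SIM answer. Every answer here is invalid - wrong response
    type, non-hex, too short, wrong field count - and must produce an EAP
    failure: malformed input from the external SIM handler may never
    complete authentication or crash the supplicant.

    The repeated request/response/failure sequence is factored into
    helpers and a table of bad responses; ordering of DISCONNECT and
    select_network() is as in the original. Lines tagged (r) were dropped
    by the rendered listing and are reconstructed; confirm against
    upstream.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
                            identity="1232010000000000",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:  # (r)
        raise Exception("Network connected timed out")

    def wait_gsm_auth_req():
        """Wait for the next CTRL-REQ-SIM, check its type, return the id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:  # (r)
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)  # (r) split not visible in the listing
        if p[1] != "GSM-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def expect_eap_failure():
        """The invalid response must be reported as an EAP failure."""
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:  # (r)
            raise Exception("EAP failure not reported")

    rid = wait_gsm_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
    expect_eap_failure()

    bad_gsm_auth = [
        "q",
        "34",
        "0011223344556677",
        "0011223344556677:q",
        "0011223344556677:00112233",
        "0011223344556677:00112233:q",
    ]
    for bad in bad_gsm_auth:
        dev[0].request("DISCONNECT")
        dev[0].select_network(net_id, freq="2412")
        rid = wait_gsm_auth_req()
        # This will fail during GSM auth validation
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + bad):
            raise Exception("CTRL-RSP-SIM failed")
        expect_eap_failure()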
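def test_ap_wpa2_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA

    Positive case with a provisioned IMSI plus re-authentication, then a
    wrong key and a series of malformed Milenage key strings (truncated,
    non-hex digit in each field, wrong separators) and a missing key. Each
    negative case must end in an EAP failure, not a connection.

    Lines tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream. The negative cases are
    driven from a table and REMOVE_NETWORK is issued before every case
    (the listing skipped it for keys (2)-(4)); that only keeps the cases
    independent and does not change what is asserted.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    imsi = "0232010000000000"
    # Milenage key material as "Ki:OPc:SQN" (hex) test vectors.
    eap_connect(dev[0], apdev[0], "AKA", imsi,
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "AKA")

    bad_keys = [
        ("Negative test with incorrect key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key",
         "ffdca4eda45b53cf0f12d7c9c3bc6a"),
        ("Invalid Milenage key(2)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123"),
        ("Invalid Milenage key(3)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123"),
        ("Invalid Milenage key(4)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q"),
        ("Invalid Milenage key(5)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123"),
        ("Invalid Milenage key(6)",
         "ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123"),
    ]
    for label, key in bad_keys:
        logger.info(label)
        dev[0].request("REMOVE_NETWORK all")
        eap_connect(dev[0], apdev[0], "AKA", imsi,
                    password=key,
                    expect_failure=True)  # (r)

    logger.info("Missing key configuration")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA", imsi,
                expect_failure=True)  # (r)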
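def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA (SQL)

    Same state-tampering sequence as the EAP-SIM SQL test, for EAP-AKA:
    deleting reauth/pseudonym rows forces full authentication, a zeroed
    master key must make re-authentication fail, and counter mismatch or
    the maximum reauth count must fall back to full authentication.

    The database connection is closed on every exit path. Lines tagged (r)
    were dropped by the rendered listing and are reconstructed; confirm
    against upstream.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    try:  # (r) listing lines 435-439 missing; skip when sqlite3 is absent
        import sqlite3
    except ImportError:
        return "skip"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(stmt):
        """Run one statement against the server DB and commit it."""
        with con:  # (r) transaction scope as in the listing's `cur.execute` lines
            con.execute(stmt)

    key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    imsi = "0232010000000000"
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)

        logger.info("AKA fast re-authentication")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='0232010000000000'")
        sql("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        logger.info("AKA reauth with mismatching MK")
        # Corrupted stored master key: reauth must fail, never succeed.
        sql("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        eap_reauth(dev[0], "AKA")

        sql("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with mismatching counter")
        eap_reauth(dev[0], "AKA")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA", imsi, password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
        logger.info("AKA reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA")
    finally:
        con.close()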
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options

    Connects with EAP-AKA while also configuring an anonymous_identity,
    so the permanent IMSI is not the identity offered in the clear.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    milenage_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
                password=milenage_key,
                anonymous_identity="2345678")
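def test_ap_wpa2_eap_aka_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA and external UMTS auth

    With external_sim enabled the supplicant hands each UMTS-AUTH request
    to the control-interface client and waits for CTRL-RSP-SIM. The
    responses sent here are all invalid - GSM-AUTH where UMTS-AUTH is
    expected, a structurally valid but wrong response, UMTS-AUTS
    resynchronisation tokens of wrong length, and UMTS-AUTH triples with
    non-hex digits, wrong separators or wrong field lengths. Each must be
    reported as an EAP failure; none may complete authentication.

    The repeated request/response/failure sequence is factored into
    helpers and the last six cases into a table; the DISCONNECT /
    REASSOCIATE / select_network() ordering is as in the original. Lines
    tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    dev[0].request("SET external_sim 1")
    net_id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
                            identity="0232010000000000",
                            password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                            wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
    if ev is None:  # (r)
        raise Exception("Network connected timed out")

    def wait_umts_auth_req():
        """Wait for the next CTRL-REQ-SIM, check its type, return the id."""
        ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
        if ev is None:  # (r)
            raise Exception("Wait for external SIM processing request timed out")
        p = ev.split(':', 2)  # (r) split not visible in the listing
        if p[1] != "UMTS-AUTH":
            raise Exception("Unexpected CTRL-REQ-SIM type")
        return p[0].split('-')[3]

    def send_rsp(rid, payload):
        """Send a CTRL-RSP-SIM; the command itself must be accepted."""
        if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":" + payload):
            raise Exception("CTRL-RSP-SIM failed")

    def expect_eap_failure():
        """The invalid response must be reported as an EAP failure."""
        ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:  # (r)
            raise Exception("EAP failure not reported")

    rid = wait_umts_auth_req()
    resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
    # This will fail during processing, but the ctrl_iface command succeeds
    dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    expect_eap_failure()
    dev[0].request("DISCONNECT")

    dev[0].request("REASSOCIATE")
    rid = wait_umts_auth_req()
    # This will fail during UMTS auth validation
    send_rsp(rid, "UMTS-AUTH:" + resp)
    expect_eap_failure()
    dev[0].request("DISCONNECT")

    # Resynchronisation: a well-formed AUTS is answered with a new
    # challenge, a too-short AUTS fails.
    dev[0].select_network(net_id, freq="2412")
    rid = wait_umts_auth_req()
    # This will fail during UMTS auth validation
    send_rsp(rid, "UMTS-AUTS:112233445566778899aabbccddee")
    rid = wait_umts_auth_req()
    # This will fail during UMTS auth validation
    send_rsp(rid, "UMTS-AUTS:12")
    expect_eap_failure()

    bad_umts_auth = [
        "34",
        "00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
        "00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
        "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
        "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
        "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q",
    ]
    for bad in bad_umts_auth:
        dev[0].request("DISCONNECT")
        dev[0].select_network(net_id, freq="2412")
        rid = wait_umts_auth_req()
        # This will fail during UMTS auth validation
        send_rsp(rid, "UMTS-AUTH:" + bad)
        expect_eap_failure()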
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'

    Authenticates and re-authenticates with EAP-AKA', then checks the
    bidding-down protection: a station offering both "AKA' AKA" must still
    end up connected (the server may not downgrade it to plain AKA).
    Finally a wrong key must produce an EAP failure.

    Lines tagged (r) were dropped by the rendered listing and are
    reconstructed; confirm against upstream.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], ap_params)
    imsi = "6555444333222111"
    good_key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    eap_connect(dev[0], apdev[0], "AKA'", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity="6555444333222111@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    connected = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
    if connected is None:  # (r)
        raise Exception("Connection with the AP timed out")

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "AKA'", imsi,
                password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
                expect_failure=True)  # (r)
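def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-AKA' (SQL)

    Same state-tampering sequence as the SIM/AKA SQL tests, for EAP-AKA'.
    Here the tampered column is k_aut (the authentication key protecting
    the reauth exchange), which must make re-authentication fail; counter
    tampering must fall back to full authentication.

    The database connection is closed on every exit path. Lines tagged (r)
    were dropped by the rendered listing and are reconstructed; confirm
    against upstream.
    """
    if not os.path.exists("/tmp/hlr_auc_gw.sock"):
        logger.info("No hlr_auc_gw available")
        return "skip"  # (r)
    try:  # (r) listing lines 700-704 missing; skip when sqlite3 is absent
        import sqlite3
    except ImportError:
        return "skip"

    con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))

    def sql(stmt):
        """Run one statement against the server DB and commit it."""
        with con:  # (r) transaction scope as in the listing's `cur.execute` lines
            con.execute(stmt)

    key = "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123"
    imsi = "6555444333222111"
    try:
        ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
        ap_params['auth_server_port'] = "1814"
        hostapd.add_ap(apdev[0]['ifname'], ap_params)
        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)

        logger.info("AKA' fast re-authentication")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with pseudonym")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' full auth with permanent identity")
        sql("DELETE FROM reauth WHERE permanent='6555444333222111'")
        sql("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        logger.info("AKA' reauth with mismatching k_aut")
        # Corrupted stored k_aut: the reauth MAC check must fail.
        sql("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'", expect_failure=True)
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        eap_reauth(dev[0], "AKA'")

        sql("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with mismatching counter")
        eap_reauth(dev[0], "AKA'")
        dev[0].request("REMOVE_NETWORK all")

        eap_connect(dev[0], apdev[0], "AKA'", imsi, password=key)
        sql("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
        logger.info("AKA' reauth with max reauth count reached")
        eap_reauth(dev[0], "AKA'")
    finally:
        con.close()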
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP

    PAP sends the password inside the TLS tunnel, so the test pins the
    server end of that tunnel: the CA certificate (ca_cert) plus an exact
    subject_match and altsubject_match on the server certificate. The AP's
    GET_CONFIG must list WPA-EAP first, and after connecting the RSN MIB
    must show the IEEE 802.1X AKM (00-0f-ac-1) both requested and selected.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0]['ifname'], ap_params)
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.split(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
    eap_connect(dev[0], apdev[0], "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
                altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
    hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
    eap_reauth(dev[0], "TTLS")
    expected_mib = [
        ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
        ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1"),
    ]
    check_mib(dev[0], expected_mib)
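def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password

    Negative test: both attempts must end in EAP failure. dev[0] uses the
    PAP user with a wrong password; dev[1] uses the identity "user", which
    is presumably not provisioned for PAP in auth_serv/eap_user.conf (the
    user file is not visible here).
    """
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The Hostapd handle returned by add_ap was previously bound to an
    # unused local; nothing in this test talks to hostapd directly.
    hostapd.add_ap(ap['ifname'], params)
    ttls_pap = dict(anonymous_identity="ttls",
                    ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    # NOTE(review): the expect_failure=True lines were illegible in the
    # rendered listing and are restored from the trailing-comma
    # continuation and the test's purpose -- confirm against upstream.
    eap_connect(dev[0], ap, "TTLS", "pap user", password="wrong",
                expect_failure=True, **ttls_pap)
    eap_connect(dev[1], ap, "TTLS", "user", password="password",
                expect_failure=True, **ttls_pap)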
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP

    Uses the DER-encoded CA certificate (auth_serv/ca.der) rather than the
    PEM one and an altsubject_match list in a different order than the PAP
    test, then verifies data connectivity and a reauthentication.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
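def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password

    Negative test: dev[0] presents the CHAP user with a wrong password and
    dev[1] the identity "user"; both attempts must end in EAP failure.
    """
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap's return value was bound to an unused local before; the test
    # never queries hostapd.
    hostapd.add_ap(ap['ifname'], params)
    ttls_chap = dict(anonymous_identity="ttls",
                     ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    # NOTE(review): expect_failure=True restored from the trailing-comma
    # continuation in the rendered listing -- confirm against upstream.
    eap_connect(dev[0], ap, "TTLS", "chap user", password="wrong",
                expect_failure=True, **ttls_chap)
    eap_connect(dev[1], ap, "TTLS", "user", password="password",
                expect_failure=True, **ttls_chap)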
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP

    First connection validates the server with domain_suffix_match and is
    followed by a connectivity check and reauthentication; the network is
    then removed and the same credentials are used again with a small EAP
    fragment_size to exercise fragmented TLS exchanges.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ttls_mschap = dict(anonymous_identity="ttls", password="password",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")

    eap_connect(sta, ap, "TTLS", "mschap user",
                domain_suffix_match="server.w1.fi", **ttls_mschap)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

    sta.request("REMOVE_NETWORK all")
    # NOTE(review): the final keyword line of this call was illegible in
    # the rendered listing; fragment_size="200" is restored from the
    # upstream test -- confirm.
    eap_connect(sta, ap, "TTLS", "mschap user",
                fragment_size="200", **ttls_mschap)
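def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password

    Negative test with three stations: wrong password for the MSCHAP user,
    the identity "user", and an identity that does not exist at all. Every
    attempt must end in EAP failure.
    """
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Docstring previously said "EAP-TTLS/CHAP"; this is the MSCHAP case.
    # add_ap's return value was bound to an unused local before.
    hostapd.add_ap(ap['ifname'], params)
    ttls_mschap = dict(anonymous_identity="ttls",
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    # NOTE(review): expect_failure=True on each call restored from the
    # trailing-comma continuations in the rendered listing -- confirm.
    eap_connect(dev[0], ap, "TTLS", "mschap user", password="wrong",
                expect_failure=True, **ttls_mschap)
    eap_connect(dev[1], ap, "TTLS", "user", password="password",
                expect_failure=True, **ttls_mschap)
    eap_connect(dev[2], ap, "TTLS", "no such user", password="password",
                expect_failure=True, **ttls_mschap)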
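def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2

    Connects with a DOMAIN\\user style identity, reauthenticates and
    checks that hostapd's per-STA and EAPOL counters reflect the
    reauthentication, then reconnects with the password supplied as an
    NT hash via password_hex.
    """
    ap = apdev[0]
    sta = dev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap already returns the Hostapd handle (see the TTLS/PAP test);
    # constructing a second one by hand is not needed.
    hapd = hostapd.add_ap(ap['ifname'], params)

    # The identity contains a literal backslash; "\\m" keeps the same
    # runtime string as the old "\m" without relying on an unrecognised
    # escape sequence.
    eap_connect(sta, ap, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])

    addr = sta.p2p_interface_addr()
    sta1 = hapd.get_sta(addr)
    eapol1 = hapd.get_sta(addr, info="eapol")
    eap_reauth(sta, "TTLS")
    sta2 = hapd.get_sta(addr)
    eapol2 = hapd.get_sta(addr, info="eapol")

    # A reauthentication must be visible as additional EAPOL frames, an
    # EAP start while already authenticated, and one more backend success.
    if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")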
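def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password

    Negative test: dev[0] uses the MSCHAPv2 user with a wrong password and
    dev[1] the identity "user"; both attempts must end in EAP failure.
    """
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # add_ap's return value was bound to an unused local before.
    hostapd.add_ap(ap['ifname'], params)
    ttls_mschapv2 = dict(anonymous_identity="ttls",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # "\\m": literal backslash in the identity, no invalid escape sequence.
    # NOTE(review): expect_failure=True restored from the trailing-comma
    # continuations in the rendered listing -- confirm against upstream.
    eap_connect(dev[0], ap, "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", expect_failure=True, **ttls_mschapv2)
    eap_connect(dev[1], ap, "TTLS", "user",
                password="password", expect_failure=True, **ttls_mschapv2)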
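def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password

    dev[0] sends a non-ASCII password as a UTF-8 string; dev[1] uses the
    NT hash of a password via password_hex. Both must authenticate.
    """
    ap = apdev[0]
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # The extra hostapd.Hostapd(...) handle built here before was never
    # used; add_ap is all this test needs.
    hostapd.add_ap(ap['ifname'], params)
    ttls_mschapv2 = dict(anonymous_identity="ttls",
                         ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Relies on the file's utf-8 source encoding declaration for the
    # password literal.
    eap_connect(dev[0], ap, "TTLS", "utf8-user-hash",
                password="secret-åäö-€-password", **ttls_mschapv2)
    eap_connect(dev[1], ap, "TTLS", "utf8-user",
                password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
                **ttls_mschapv2)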
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC

    Inner method is an EAP method (phase2 "autheap=GTC") rather than a
    plain TTLS authentication protocol; checks connectivity and reauth.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5

    Inner EAP-MD5 (phase2 "autheap=MD5") over the TTLS tunnel; checks
    connectivity and a reauthentication.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2

    Inner EAP-MSCHAPv2 (phase2 "autheap=MSCHAPV2") over TTLS: successful
    connection, connectivity, reauthentication, then a negative run with
    a wrong password that must fail.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls",
                 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")

    eap_connect(sta, ap, "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "TTLS")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): expect_failure=True restored from the trailing-comma
    # continuation in the rendered listing -- confirm against upstream.
    eap_connect(sta, ap, "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA

    Inner EAP-AKA over TTLS. The password carries the Milenage test
    parameters (Ki:OPc:SQN, colon separated) and the outer identity is the
    IMSI-style identity with an @ttls realm.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "TTLS", "0232010000000000",
                anonymous_identity="0232010000000000@ttls",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA

    Same credentials as the TTLS/EAP-AKA test, tunnelled in PEAP with an
    @peap realm on the outer identity.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "PEAP", "0232010000000000",
                anonymous_identity="0232010000000000@peap",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA

    EAP-AKA inside EAP-FAST with authenticated (server certificate based)
    provisioning, fast_provisioning=2; the PAC is kept in a config blob.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "FAST", "0232010000000000",
                anonymous_identity="0232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_aka",
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Four runs on dev[0]: plain connection with connectivity check and
    reauth, the same with a small fragment_size, the password given as an
    NT hash, and finally a wrong password that must be rejected.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    peap = dict(anonymous_identity="peap",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    eap_connect(sta, ap, "PEAP", "user", password="password", **peap)
    hwsim_utils.test_connectivity(sta.ifname, ap['ifname'])
    eap_reauth(sta, "PEAP")

    sta.request("REMOVE_NETWORK all")
    # NOTE(review): the final keyword line of this call was illegible in
    # the rendered listing; fragment_size="200" is restored from the
    # upstream test -- confirm.
    eap_connect(sta, ap, "PEAP", "user", password="password",
                fragment_size="200", **peap)

    logger.info("Password as hash value")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, ap, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **peap)

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # NOTE(review): expect_failure=True restored from the trailing-comma
    # continuation in the rendered listing -- confirm against upstream.
    eap_connect(sta, ap, "PEAP", "user", password="password1",
                expect_failure=True, **peap)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Three stations connect with PEAPv0 and crypto_binding set to 2, 1 and
    0 respectively; dev[0] additionally gets a connectivity check and a
    reauthentication.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect_with_binding(sta, binding):
        # phase1 selects PEAP version 0 and the crypto binding policy.
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect_with_binding(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0].ifname, ap['ifname'])
    eap_reauth(dev[0], "PEAP")

    connect_with_binding(dev[1], "1")
    connect_with_binding(dev[2], "0")
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    Exercises phase1 variants: peapver=0 with peaplabel=1 is expected to
    fail against this server, peap_outer_success=1 and =2 must connect,
    and peapver=1 with peaplabel=1 must reach EAP success but not a
    completed connection within one second.
    """
    ap = apdev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    ca = "auth_serv/ca.pem"

    eap_connect(dev[0], ap, "PEAP", "user",
                anonymous_identity="peap", password="password",
                ca_cert=ca, phase2="auth=MSCHAPV2",
                phase1="peapver=0 peaplabel=1",
                expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    for sta, outer_success in ((dev[1], "1"), (dev[2], "2")):
        eap_connect(sta, ap, "PEAP", "user", password="password",
                    ca_cert=ca,
                    phase1="peap_outer_success=" + outer_success,
                    phase2="auth=MSCHAPV2")

    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   anonymous_identity="peap", password="password",
                   ca_cert=ca, phase2="auth=MSCHAPV2",
                   phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412")
    # NOTE(review): the two "if ev ..." guard lines below were illegible
    # in the rendered listing and are restored from the exception texts
    # -- confirm against upstream.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
    if ev is None:
        raise Exception("No EAP success seen")
    # With this phase1 combination EAP success must not turn into an
    # association-level connection.
    ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
    if ev is not None:
        raise Exception("Unexpected connection")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS

    Inner EAP-TLS: the phase-2 client certificate and key are given via
    the *2 variants of the certificate parameters.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                ca_cert2="auth_serv/ca.pem",
                client_cert2="auth_serv/user.pem",
                private_key2="auth_serv/user.key")
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS

    Certificate-based authentication with files from auth_serv/, followed
    by a reauthentication.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    eap_reauth(sta, "TLS")
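def _set_config_blob(sta, name, data):
    """Store *data* as the wpa_supplicant configuration blob *name* on *sta*.

    Raises Exception when the control interface does not answer "OK".
    """
    # NOTE(review): str.encode("hex") is the Python 2 spelling used
    # throughout this file; under Python 3 this needs
    # binascii.hexlify(data).decode() -- confirm which interpreter runs
    # the hwsim suite before changing it.
    if "OK" not in sta.request("SET blob " + name + " " + data.encode("hex")):
        raise Exception("Could not set " + name + " blob")


def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    The CA certificate, client certificate and private key are loaded from
    PEM files, stored as configuration blobs, and referenced with blob://
    URIs in the network configuration.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Previously the userkey failure was reported as "Could not set cacert
    # blob"; the helper derives the message from the blob name.
    _set_config_blob(sta, "cacert", read_pem("auth_serv/ca.pem"))
    _set_config_blob(sta, "usercert", read_pem("auth_serv/user.pem"))
    _set_config_blob(sta, "userkey", read_pem("auth_serv/user.key"))
    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")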
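def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    First connects with the PKCS#12 passphrase in the configuration, then
    without it and answers the CTRL-REQ-PASSPHRASE request over the
    control interface.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    sta.request("REMOVE_NETWORK all")

    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user",
                ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                wait_connect=False, scan_freq="2412")
    # NOTE(review): the "if ev is None:" guards were illegible in the
    # rendered listing and are restored from the timeout exception texts
    # -- confirm against upstream.
    ev = sta.wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    # Event is "CTRL-REQ-PASSPHRASE-<id>:..."; the reply must echo the id.
    # Renamed from `id`, which shadowed the builtin.
    req_id = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    ev = sta.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Connection timed out")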
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob

    The CA certificate (PEM, decoded by read_pem) and the raw PKCS#12 file
    are both stored as configuration blobs before connecting.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # NOTE(review): .encode("hex") is Python 2 only; confirm the
    # interpreter used for the hwsim suite before modernising.
    ca_hex = read_pem("auth_serv/ca.pem").encode("hex")
    if "OK" not in sta.request("SET blob cacert " + ca_hex):
        raise Exception("Could not set cacert blob")
    with open("auth_serv/user.pkcs12", "rb") as f:
        pkcs12_hex = f.read().encode("hex")
        if "OK" not in sta.request("SET blob pkcs12 " + pkcs12_hex):
            raise Exception("Could not set pkcs12 blob")

    eap_connect(sta, ap, "TLS", "tls user",
                ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
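def _start_ttls_mschapv2(sta, **cert_params):
    """Start (without waiting for completion) an EAP-TTLS/MSCHAPv2 association on *sta*.

    *cert_params* carries the server validation settings under test
    (ca_cert plus domain_suffix_match / subject_match / altsubject_match).
    """
    # "\\m": the identity contains a literal backslash; written as an
    # explicit escape instead of the unrecognised "\m".
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412", **cert_params)


def _wait_ttls_cert_error(sta):
    """Wait for *sta* to start EAP-TTLS and then reject the server certificate.

    Returns the CTRL-EVENT-EAP-TLS-CERT-ERROR event text so the caller can
    check the reported reason. Raises Exception if EAP does not start, a
    method other than TTLS is selected, or the first outcome event is
    anything other than the certificate error.
    """
    # NOTE(review): the "if ev is None:" guards in these helpers were
    # illegible in the rendered listing and are restored from the timeout
    # exception texts -- confirm against upstream.
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")

    ev = sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
    if ev is None:
        raise Exception("EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    # Every listed event ends the wait; only the certificate error is
    # acceptable, i.e. the server must be rejected before the tunnel is
    # used for inner authentication.
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                         "CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    return ev


def _wait_cert_error_teardown(sta):
    """After a certificate error, require EAP failure, disconnection and
    temporary disabling of the network block on *sta*, in that order."""
    ev = sta.wait_event(["CTRL-EVENT-EAP-SUCCESS",
                         "CTRL-EVENT-EAP-FAILURE",
                         "CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = sta.wait_event(["CTRL-EVENT-CONNECTED",
                         "CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    ev = sta.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
    if ev is None:
        raise Exception("Network block disabling not reported")


def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    dev[0] trusts a wrong CA loaded as a configuration blob, dev[1] the
    same CA from a file; both must report a TLS certificate error, EAP
    failure, disconnection and a temporarily disabled network block.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): .encode("hex") is Python 2 only; confirm the
    # interpreter used for the hwsim suite before modernising.
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")
    _start_ttls_mschapv2(dev[0], ca_cert="blob://cacert")
    _start_ttls_mschapv2(dev[1], ca_cert="auth_serv/ca-incorrect.pem")

    # The loop variable used to be named `dev`, rebinding the parameter.
    for sta in (dev[0], dev[1]):
        _wait_ttls_cert_error(sta)
        _wait_cert_error_teardown(sta)


def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The correct CA is trusted but domain_suffix_match does not match the
    server certificate; the certificate error must cite the suffix
    mismatch and the connection must fail.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    _start_ttls_mschapv2(dev[0], ca_cert="auth_serv/ca.pem",
                         domain_suffix_match="incorrect.example.com")
    ev = _wait_ttls_cert_error(dev[0])
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")
    _wait_cert_error_teardown(dev[0])


def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    Correct CA, but subject_match names a CN the server certificate does
    not carry; the certificate error must cite the subject mismatch.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    _start_ttls_mschapv2(dev[0], ca_cert="auth_serv/ca.pem",
                         subject_match="/C=FI/O=w1.fi/CN=example.com")
    ev = _wait_ttls_cert_error(dev[0])
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")
    _wait_cert_error_teardown(dev[0])


def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch

    Correct CA, but altsubject_match does not match any subjectAltName of
    the server certificate; the certificate error must cite the
    AltSubject mismatch.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    _start_ttls_mschapv2(dev[0], ca_cert="auth_serv/ca.pem",
                         altsubject_match="incorrect.example.com")
    ev = _wait_ttls_cert_error(dev[0])
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")
    _wait_cert_error_teardown(dev[0])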
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS

    Server-only TLS authentication: the station presents no client
    certificate, only validates the server against auth_serv/ca.pem.
    """
    ap = apdev[0]
    sta = dev[0]
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, ap, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(sta, "UNAUTH-TLS")
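def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash

    Three phases: (1) ca_cert="probe://" makes the supplicant report the
    server certificate hash and abort; (2) a hash://server/sha256/ value
    that does not match must be rejected with "Server certificate
    mismatch"; (3) the hash reported in phase 1 must allow a connection.
    """
    ap = apdev[0]
    sta = dev[0]
    srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # NOTE(review): the "if ev is None:" guards were illegible in the
    # rendered listing and are restored from the exception texts --
    # confirm against upstream.

    # Phase 1: probe the server certificate chain.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = sta.wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
    if ev is None:
        raise Exception("No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    ev = sta.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Disconnection event not seen")
    sta.request("REMOVE_NETWORK all")

    # Phase 2: pin a different SHA-256 value; must be reported as mismatch.
    # "\\m": literal backslash in the identity, no invalid escape sequence.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
    if ev is None:
        raise Exception("Association and EAP start timed out")
    ev = sta.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
    if ev is None:
        raise Exception("EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    ev = sta.wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
    if ev is None:
        raise Exception("Disconnection event not seen")
    sta.request("REMOVE_NETWORK all")

    # Phase 3: pin the hash observed in the probe; this must connect.
    eap_connect(sta, ap, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")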
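def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)

    Three malformed hash:// ca_cert values are configured on three
    stations; in each case the supplicant must fail to initialize the
    TTLS method rather than proceed with the handshake.
    """
    hostapd.add_ap(apdev[0]['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    bad_ca_certs = [
        # md5 instead of sha256
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        # two hex digits short of a SHA-256 value
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        # non-hex character at the end
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    stas = [dev[0], dev[1], dev[2]]
    for sta, ca_cert in zip(stas, bad_ca_certs):
        # "\\m": literal backslash in the identity, no invalid escape.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                    identity="DOMAIN\\mschapv2 user",
                    anonymous_identity="ttls",
                    password="password", phase2="auth=MSCHAPV2",
                    ca_cert=ca_cert,
                    wait_connect=False, scan_freq="2412")

    # NOTE(review): the "if ev is None:" guards were illegible in the
    # rendered listing and are restored from the exception texts --
    # confirm against upstream. (Loop was `for i in range(0, 3)`.)
    for sta in stas:
        ev = sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")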
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd

    Basic connection and reauth on dev[0]; a very long identity with a
    small fragment_size on dev[1]; a wrong password on dev[2] that must
    fail with a locally generated error report; and the long identity
    again on dev[0] with an even smaller fragment_size.
    """
    ap = apdev[0]
    long_identity = ("pwd.user@test1234567890123456789012345678901234567890"
                     "123456789012345678901234567890123456789012345678901234"
                     "567890.example.com")
    hostapd.add_ap(ap['ifname'],
                   hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    eap_connect(dev[0], ap, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # NOTE(review): the fragment_size keyword lines of the two long
    # identity calls were illegible in the rendered listing; values "90"
    # and "31" are restored from the upstream test -- confirm.
    eap_connect(dev[1], ap, "PWD", long_identity,
                password="secret password",
                fragment_size="90")

    logger.info("Negative test with incorrect password")
    eap_connect(dev[2], ap, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], ap, "PWD", long_identity,
                password="secret password",
                fragment_size="31")
1441 def test_ap_wpa2_eap_pwd_groups ( dev
, apdev
):
1442 """WPA2-Enterprise connection using various EAP-pwd groups"""
1443 params
= { "ssid" : "test-wpa2-eap" , "wpa" : "2" , "wpa_key_mgmt" : "WPA-EAP" ,
1444 "rsn_pairwise" : "CCMP" , "ieee8021x" : "1" ,
1445 "eap_server" : "1" , "eap_user_file" : "auth_serv/eap_user.conf" }
1446 for i
in [ 19 , 20 , 21 , 25 , 26 ]:
1447 params
[ 'pwd_group' ] = str ( i
)
1448 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1449 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1450 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PWD" , "pwd user" , password
= "secret password" )
1452 def test_ap_wpa2_eap_pwd_invalid_group ( dev
, apdev
):
1453 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1454 params
= { "ssid" : "test-wpa2-eap" , "wpa" : "2" , "wpa_key_mgmt" : "WPA-EAP" ,
1455 "rsn_pairwise" : "CCMP" , "ieee8021x" : "1" ,
1456 "eap_server" : "1" , "eap_user_file" : "auth_serv/eap_user.conf" }
1457 params
[ 'pwd_group' ] = "0"
1458 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1459 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "PWD" ,
1460 identity
= "pwd user" , password
= "secret password" ,
1461 scan_freq
= "2412" , wait_connect
= False )
1462 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1464 raise Exception ( "Timeout on EAP failure report" )
1466 def test_ap_wpa2_eap_pwd_as_frag ( dev
, apdev
):
1467 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1468 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1469 params
= { "ssid" : "test-wpa2-eap" , "wpa" : "2" , "wpa_key_mgmt" : "WPA-EAP" ,
1470 "rsn_pairwise" : "CCMP" , "ieee8021x" : "1" ,
1471 "eap_server" : "1" , "eap_user_file" : "auth_serv/eap_user.conf" ,
1472 "pwd_group" : "19" , "fragment_size" : "40" }
1473 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1474 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PWD" , "pwd user" , password
= "secret password" )
1476 def test_ap_wpa2_eap_gpsk ( dev
, apdev
):
1477 """WPA2-Enterprise connection using EAP-GPSK"""
1478 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1479 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1480 id = eap_connect ( dev
[ 0 ], apdev
[ 0 ], "GPSK" , "gpsk user" ,
1481 password
= "abcdefghijklmnop0123456789abcdef" )
1482 eap_reauth ( dev
[ 0 ], "GPSK" )
1484 logger
. info ( "Test forced algorithm selection" )
1485 for phase1
in [ "cipher=1" , "cipher=2" ]:
1486 dev
[ 0 ]. set_network_quoted ( id , "phase1" , phase1
)
1487 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-SUCCESS" ], timeout
= 10 )
1489 raise Exception ( "EAP success timed out" )
1490 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 10 )
1492 raise Exception ( "Association with the AP timed out" )
1494 logger
. info ( "Test failed algorithm negotiation" )
1495 dev
[ 0 ]. set_network_quoted ( id , "phase1" , "cipher=9" )
1496 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ], timeout
= 10 )
1498 raise Exception ( "EAP failure timed out" )
1500 logger
. info ( "Negative test with incorrect password" )
1501 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1502 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "GPSK" , "gpsk user" ,
1503 password
= "ffcdefghijklmnop0123456789abcdef" ,
1504 expect_failure
= True )
1506 def test_ap_wpa2_eap_sake ( dev
, apdev
):
1507 """WPA2-Enterprise connection using EAP-SAKE"""
1508 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1509 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1510 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "SAKE" , "sake user" ,
1511 password_hex
= "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" )
1512 eap_reauth ( dev
[ 0 ], "SAKE" )
1514 logger
. info ( "Negative test with incorrect password" )
1515 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1516 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "SAKE" , "sake user" ,
1517 password_hex
= "ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" ,
1518 expect_failure
= True )
1520 def test_ap_wpa2_eap_eke ( dev
, apdev
):
1521 """WPA2-Enterprise connection using EAP-EKE"""
1522 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1523 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1524 id = eap_connect ( dev
[ 0 ], apdev
[ 0 ], "EKE" , "eke user" , password
= "hello" )
1525 eap_reauth ( dev
[ 0 ], "EKE" )
1527 logger
. info ( "Test forced algorithm selection" )
1528 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2" ,
1529 "dhgroup=4 encr=1 prf=2 mac=2" ,
1530 "dhgroup=3 encr=1 prf=2 mac=2" ,
1531 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1532 dev
[ 0 ]. set_network_quoted ( id , "phase1" , phase1
)
1533 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-SUCCESS" ], timeout
= 10 )
1535 raise Exception ( "EAP success timed out" )
1536 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 10 )
1538 raise Exception ( "Association with the AP timed out" )
1540 logger
. info ( "Test failed algorithm negotiation" )
1541 dev
[ 0 ]. set_network_quoted ( id , "phase1" , "dhgroup=9 encr=9 prf=9 mac=9" )
1542 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ], timeout
= 10 )
1544 raise Exception ( "EAP failure timed out" )
1546 logger
. info ( "Negative test with incorrect password" )
1547 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1548 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "EKE" , "eke user" , password
= "hello1" ,
1549 expect_failure
= True )
1551 def test_ap_wpa2_eap_ikev2 ( dev
, apdev
):
1552 """WPA2-Enterprise connection using EAP-IKEv2"""
1553 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1554 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1555 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "IKEV2" , "ikev2 user" ,
1556 password
= "ike password" )
1557 eap_reauth ( dev
[ 0 ], "IKEV2" )
1558 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1559 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "IKEV2" , "ikev2 user" ,
1560 password
= "ike password" , fragment_size
= "50" )
1562 logger
. info ( "Negative test with incorrect password" )
1563 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1564 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "IKEV2" , "ikev2 user" ,
1565 password
= "ike-password" , expect_failure
= True )
1567 def test_ap_wpa2_eap_ikev2_as_frag ( dev
, apdev
):
1568 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
1569 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1570 params
= { "ssid" : "test-wpa2-eap" , "wpa" : "2" , "wpa_key_mgmt" : "WPA-EAP" ,
1571 "rsn_pairwise" : "CCMP" , "ieee8021x" : "1" ,
1572 "eap_server" : "1" , "eap_user_file" : "auth_serv/eap_user.conf" ,
1573 "fragment_size" : "50" }
1574 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1575 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "IKEV2" , "ikev2 user" ,
1576 password
= "ike password" )
1577 eap_reauth ( dev
[ 0 ], "IKEV2" )
1579 def test_ap_wpa2_eap_pax ( dev
, apdev
):
1580 """WPA2-Enterprise connection using EAP-PAX"""
1581 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1582 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1583 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PAX" , "pax.user@example.com" ,
1584 password_hex
= "0123456789abcdef0123456789abcdef" )
1585 eap_reauth ( dev
[ 0 ], "PAX" )
1587 logger
. info ( "Negative test with incorrect password" )
1588 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1589 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PAX" , "pax.user@example.com" ,
1590 password_hex
= "ff23456789abcdef0123456789abcdef" ,
1591 expect_failure
= True )
1593 def test_ap_wpa2_eap_psk ( dev
, apdev
):
1594 """WPA2-Enterprise connection using EAP-PSK"""
1595 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1596 params
[ "wpa_key_mgmt" ] = "WPA-EAP-SHA256"
1597 params
[ "ieee80211w" ] = "2"
1598 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1599 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PSK" , "psk.user@example.com" ,
1600 password_hex
= "0123456789abcdef0123456789abcdef" , sha256
= True )
1601 eap_reauth ( dev
[ 0 ], "PSK" , sha256
= True )
1602 check_mib ( dev
[ 0 ], [ ( "dot11RSNAAuthenticationSuiteRequested" , "00-0f-ac-5" ),
1603 ( "dot11RSNAAuthenticationSuiteSelected" , "00-0f-ac-5" ) ])
1605 logger
. info ( "Negative test with incorrect password" )
1606 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1607 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PSK" , "psk.user@example.com" ,
1608 password_hex
= "ff23456789abcdef0123456789abcdef" , sha256
= True ,
1609 expect_failure
= True )
1611 def test_ap_wpa_eap_peap_eap_mschapv2 ( dev
, apdev
):
1612 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1613 params
= hostapd
. wpa_eap_params ( ssid
= "test-wpa-eap" )
1614 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1615 dev
[ 0 ]. connect ( "test-wpa-eap" , key_mgmt
= "WPA-EAP" , eap
= "PEAP" ,
1616 identity
= "user" , password
= "password" , phase2
= "auth=MSCHAPV2" ,
1617 ca_cert
= "auth_serv/ca.pem" , wait_connect
= False ,
1619 eap_check_auth ( dev
[ 0 ], "PEAP" , True , rsn
= False )
1620 hwsim_utils
. test_connectivity ( dev
[ 0 ]. ifname
, apdev
[ 0 ][ 'ifname' ])
1621 eap_reauth ( dev
[ 0 ], "PEAP" , rsn
= False )
1622 check_mib ( dev
[ 0 ], [ ( "dot11RSNAAuthenticationSuiteRequested" , "00-50-f2-1" ),
1623 ( "dot11RSNAAuthenticationSuiteSelected" , "00-50-f2-1" ) ])
1625 def test_ap_wpa2_eap_interactive ( dev
, apdev
):
1626 """WPA2-Enterprise connection using interactive identity/password entry"""
1627 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1628 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1629 hapd
= hostapd
. Hostapd ( apdev
[ 0 ][ 'ifname' ])
1631 tests
= [ ( "Connection with dynamic TTLS/MSCHAPv2 password entry" ,
1632 "TTLS" , "ttls" , "DOMAIN\mschapv2 user" , "auth=MSCHAPV2" ,
1634 ( "Connection with dynamic TTLS/MSCHAPv2 identity and password entry" ,
1635 "TTLS" , "ttls" , None , "auth=MSCHAPV2" ,
1636 "DOMAIN\mschapv2 user" , "password" ),
1637 ( "Connection with dynamic TTLS/EAP-MSCHAPv2 password entry" ,
1638 "TTLS" , "ttls" , "user" , "autheap=MSCHAPV2" , None , "password" ),
1639 ( "Connection with dynamic TTLS/EAP-MD5 password entry" ,
1640 "TTLS" , "ttls" , "user" , "autheap=MD5" , None , "password" ),
1641 ( "Connection with dynamic PEAP/EAP-MSCHAPv2 password entry" ,
1642 "PEAP" , None , "user" , "auth=MSCHAPV2" , None , "password" ),
1643 ( "Connection with dynamic PEAP/EAP-GTC password entry" ,
1644 "PEAP" , None , "user" , "auth=GTC" , None , "password" ) ]
1645 for [ desc
, eap
, anon
, identity
, phase2
, req_id
, req_pw
] in tests
:
1647 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= eap
,
1648 anonymous_identity
= anon
, identity
= identity
,
1649 ca_cert
= "auth_serv/ca.pem" , phase2
= phase2
,
1650 wait_connect
= False , scan_freq
= "2412" )
1652 ev
= dev
[ 0 ]. wait_event ([ "CTRL-REQ-IDENTITY" ])
1654 raise Exception ( "Request for identity timed out" )
1655 id = ev
. split ( ':' )[ 0 ]. split ( '-' )[- 1 ]
1656 dev
[ 0 ]. request ( "CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
1657 ev
= dev
[ 0 ]. wait_event ([ "CTRL-REQ-PASSWORD" , "CTRL-REQ-OTP" ])
1659 raise Exception ( "Request for password timed out" )
1660 id = ev
. split ( ':' )[ 0 ]. split ( '-' )[- 1 ]
1661 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
1662 dev
[ 0 ]. request ( "CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
1663 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-CONNECTED" ], timeout
= 10 )
1665 raise Exception ( "Connection timed out" )
1666 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1668 def test_ap_wpa2_eap_vendor_test ( dev
, apdev
):
1669 """WPA2-Enterprise connection using EAP vendor test"""
1670 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1671 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1672 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "VENDOR-TEST" , "vendor-test" )
1673 eap_reauth ( dev
[ 0 ], "VENDOR-TEST" )
1675 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov ( dev
, apdev
):
1676 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
1677 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1678 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1679 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "FAST" , "user" ,
1680 anonymous_identity
= "FAST" , password
= "password" ,
1681 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1682 phase1
= "fast_provisioning=1" , pac_file
= "blob://fast_pac" )
1683 hwsim_utils
. test_connectivity ( dev
[ 0 ]. ifname
, apdev
[ 0 ][ 'ifname' ])
1684 eap_reauth ( dev
[ 0 ], "FAST" )
1686 def test_ap_wpa2_eap_fast_pac_file ( dev
, apdev
, params
):
1687 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
1688 pac_file
= os
. path
. join ( params
[ 'logdir' ], "fast.pac" )
1689 pac_file2
= os
. path
. join ( params
[ 'logdir' ], "fast-bin.pac" )
1690 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1691 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1694 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "FAST" , "user" ,
1695 anonymous_identity
= "FAST" , password
= "password" ,
1696 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1697 phase1
= "fast_provisioning=1" , pac_file
= pac_file
)
1698 with
open ( pac_file
, "r" ) as f
:
1700 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data
:
1701 raise Exception ( "PAC file header missing" )
1702 if "PAC-Key=" not in data
:
1703 raise Exception ( "PAC-Key missing from PAC file" )
1704 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1705 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "FAST" , "user" ,
1706 anonymous_identity
= "FAST" , password
= "password" ,
1707 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1710 eap_connect ( dev
[ 1 ], apdev
[ 0 ], "FAST" , "user" ,
1711 anonymous_identity
= "FAST" , password
= "password" ,
1712 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1713 phase1
= "fast_provisioning=1 fast_pac_format=binary" ,
1715 dev
[ 1 ]. request ( "REMOVE_NETWORK all" )
1716 eap_connect ( dev
[ 1 ], apdev
[ 0 ], "FAST" , "user" ,
1717 anonymous_identity
= "FAST" , password
= "password" ,
1718 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1719 phase1
= "fast_pac_format=binary" ,
1722 subprocess
. call ([ 'sudo' , 'rm' , pac_file
])
1723 subprocess
. call ([ 'sudo' , 'rm' , pac_file2
])
1725 def test_ap_wpa2_eap_fast_binary_pac ( dev
, apdev
):
1726 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
1727 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1728 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1729 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "FAST" , "user" ,
1730 anonymous_identity
= "FAST" , password
= "password" ,
1731 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1732 phase1
= "fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary" ,
1733 pac_file
= "blob://fast_pac_bin" )
1734 eap_reauth ( dev
[ 0 ], "FAST" )
1736 def test_ap_wpa2_eap_fast_missing_pac_config ( dev
, apdev
):
1737 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
1738 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1739 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1741 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "FAST" ,
1742 identity
= "user" , anonymous_identity
= "FAST" ,
1743 password
= "password" ,
1744 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1745 pac_file
= "blob://fast_pac_not_in_use" ,
1746 wait_connect
= False , scan_freq
= "2412" )
1747 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1749 raise Exception ( "Timeout on EAP failure report" )
1750 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1752 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "FAST" ,
1753 identity
= "user" , anonymous_identity
= "FAST" ,
1754 password
= "password" ,
1755 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAPV2" ,
1756 wait_connect
= False , scan_freq
= "2412" )
1757 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1759 raise Exception ( "Timeout on EAP failure report" )
1761 def test_ap_wpa2_eap_fast_gtc_auth_prov ( dev
, apdev
):
1762 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
1763 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1764 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1765 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "FAST" , "user" ,
1766 anonymous_identity
= "FAST" , password
= "password" ,
1767 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=GTC" ,
1768 phase1
= "fast_provisioning=2" , pac_file
= "blob://fast_pac_auth" )
1769 hwsim_utils
. test_connectivity ( dev
[ 0 ]. ifname
, apdev
[ 0 ][ 'ifname' ])
1770 eap_reauth ( dev
[ 0 ], "FAST" )
1772 def test_ap_wpa2_eap_tls_ocsp ( dev
, apdev
):
1773 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
1774 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1775 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1776 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "TLS" , "tls user" , ca_cert
= "auth_serv/ca.pem" ,
1777 private_key
= "auth_serv/user.pkcs12" ,
1778 private_key_passwd
= "whatever" , ocsp
= 2 )
1780 def int_eap_server_params ():
1781 params
= { "ssid" : "test-wpa2-eap" , "wpa" : "2" , "wpa_key_mgmt" : "WPA-EAP" ,
1782 "rsn_pairwise" : "CCMP" , "ieee8021x" : "1" ,
1783 "eap_server" : "1" , "eap_user_file" : "auth_serv/eap_user.conf" ,
1784 "ca_cert" : "auth_serv/ca.pem" ,
1785 "server_cert" : "auth_serv/server.pem" ,
1786 "private_key" : "auth_serv/server.key" }
1789 def test_ap_wpa2_eap_tls_ocsp_invalid ( dev
, apdev
):
1790 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
1791 params
= int_eap_server_params ()
1792 params
[ "ocsp_stapling_response" ] = "auth_serv/ocsp-server-cache.der-invalid"
1793 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1794 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TLS" ,
1795 identity
= "tls user" , ca_cert
= "auth_serv/ca.pem" ,
1796 private_key
= "auth_serv/user.pkcs12" ,
1797 private_key_passwd
= "whatever" , ocsp
= 2 ,
1798 wait_connect
= False , scan_freq
= "2412" )
1801 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-STATUS" ])
1803 raise Exception ( "Timeout on EAP status" )
1804 if 'bad certificate status response' in ev
:
1808 raise Exception ( "Unexpected number of EAP status messages" )
1810 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1812 raise Exception ( "Timeout on EAP failure report" )
1814 def test_ap_wpa2_eap_tls_domain_suffix_match_cn ( dev
, apdev
):
1815 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
1816 params
= int_eap_server_params ()
1817 params
[ "server_cert" ] = "auth_serv/server-no-dnsname.pem"
1818 params
[ "private_key" ] = "auth_serv/server-no-dnsname.key"
1819 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1820 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TLS" ,
1821 identity
= "tls user" , ca_cert
= "auth_serv/ca.pem" ,
1822 private_key
= "auth_serv/user.pkcs12" ,
1823 private_key_passwd
= "whatever" ,
1824 domain_suffix_match
= "server3.w1.fi" ,
1826 dev
[ 1 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TLS" ,
1827 identity
= "tls user" , ca_cert
= "auth_serv/ca.pem" ,
1828 private_key
= "auth_serv/user.pkcs12" ,
1829 private_key_passwd
= "whatever" ,
1830 domain_suffix_match
= "w1.fi" ,
1833 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn ( dev
, apdev
):
1834 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
1835 params
= int_eap_server_params ()
1836 params
[ "server_cert" ] = "auth_serv/server-no-dnsname.pem"
1837 params
[ "private_key" ] = "auth_serv/server-no-dnsname.key"
1838 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1839 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TLS" ,
1840 identity
= "tls user" , ca_cert
= "auth_serv/ca.pem" ,
1841 private_key
= "auth_serv/user.pkcs12" ,
1842 private_key_passwd
= "whatever" ,
1843 domain_suffix_match
= "example.com" ,
1846 dev
[ 1 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TLS" ,
1847 identity
= "tls user" , ca_cert
= "auth_serv/ca.pem" ,
1848 private_key
= "auth_serv/user.pkcs12" ,
1849 private_key_passwd
= "whatever" ,
1850 domain_suffix_match
= "erver3.w1.fi" ,
1853 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1855 raise Exception ( "Timeout on EAP failure report" )
1856 ev
= dev
[ 1 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1858 raise Exception ( "Timeout on EAP failure report (2)" )
1860 def test_ap_wpa2_eap_ttls_expired_cert ( dev
, apdev
):
1861 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
1862 params
= int_eap_server_params ()
1863 params
[ "server_cert" ] = "auth_serv/server-expired.pem"
1864 params
[ "private_key" ] = "auth_serv/server-expired.key"
1865 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1866 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TTLS" ,
1867 identity
= "mschap user" , password
= "password" ,
1868 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAP" ,
1871 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-TLS-CERT-ERROR" ])
1873 raise Exception ( "Timeout on EAP certificate error report" )
1874 if "reason=4" not in ev
or "certificate has expired" not in ev
:
1875 raise Exception ( "Unexpected failure reason: " + ev
)
1876 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1878 raise Exception ( "Timeout on EAP failure report" )
1880 def test_ap_wpa2_eap_ttls_ignore_expired_cert ( dev
, apdev
):
1881 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
1882 params
= int_eap_server_params ()
1883 params
[ "server_cert" ] = "auth_serv/server-expired.pem"
1884 params
[ "private_key" ] = "auth_serv/server-expired.key"
1885 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1886 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TTLS" ,
1887 identity
= "mschap user" , password
= "password" ,
1888 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAP" ,
1889 phase1
= "tls_disable_time_checks=1" ,
1892 def test_ap_wpa2_eap_ttls_server_cert_eku_client ( dev
, apdev
):
1893 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
1894 params
= int_eap_server_params ()
1895 params
[ "server_cert" ] = "auth_serv/server-eku-client.pem"
1896 params
[ "private_key" ] = "auth_serv/server-eku-client.key"
1897 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1898 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TTLS" ,
1899 identity
= "mschap user" , password
= "password" ,
1900 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAP" ,
1903 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
1905 raise Exception ( "Timeout on EAP failure report" )
1907 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server ( dev
, apdev
):
1908 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
1909 params
= int_eap_server_params ()
1910 params
[ "server_cert" ] = "auth_serv/server-eku-client-server.pem"
1911 params
[ "private_key" ] = "auth_serv/server-eku-client-server.key"
1912 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1913 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TTLS" ,
1914 identity
= "mschap user" , password
= "password" ,
1915 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAP" ,
1918 def test_ap_wpa2_eap_ttls_server_pkcs12 ( dev
, apdev
):
1919 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
1920 params
= int_eap_server_params ()
1921 del params
[ "server_cert" ]
1922 params
[ "private_key" ] = "auth_serv/server.pkcs12"
1923 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1924 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP" , eap
= "TTLS" ,
1925 identity
= "mschap user" , password
= "password" ,
1926 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAP" ,
1929 def test_ap_wpa2_eap_ttls_dh_params ( dev
, apdev
):
1930 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
1931 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1932 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1933 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "TTLS" , "chap user" ,
1934 anonymous_identity
= "ttls" , password
= "password" ,
1935 ca_cert
= "auth_serv/ca.der" , phase2
= "auth=CHAP" ,
1936 dh_file
= "auth_serv/dh.conf" )
1938 def test_ap_wpa2_eap_ttls_dh_params_blob ( dev
, apdev
):
1939 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
1940 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1941 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1942 dh
= read_pem ( "auth_serv/dh.conf" )
1943 if "OK" not in dev
[ 0 ]. request ( "SET blob dhparams " + dh
. encode ( "hex" )):
1944 raise Exception ( "Could not set dhparams blob" )
1945 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "TTLS" , "chap user" ,
1946 anonymous_identity
= "ttls" , password
= "password" ,
1947 ca_cert
= "auth_serv/ca.der" , phase2
= "auth=CHAP" ,
1948 dh_file
= "blob://dhparams" )
1950 def test_ap_wpa2_eap_reauth ( dev
, apdev
):
1951 """WPA2-Enterprise and Authenticator forcing reauthentication"""
1952 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1953 params
[ 'eap_reauth_period' ] = '2'
1954 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1955 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PAX" , "pax.user@example.com" ,
1956 password_hex
= "0123456789abcdef0123456789abcdef" )
1957 logger
. info ( "Wait for reauthentication" )
1958 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-STARTED" ], timeout
= 10 )
1960 raise Exception ( "Timeout on reauthentication" )
1961 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-SUCCESS" ], timeout
= 10 )
1963 raise Exception ( "Timeout on reauthentication" )
1964 for i
in range ( 0 , 20 ):
1965 state
= dev
[ 0 ]. get_status_field ( "wpa_state" )
1966 if state
== "COMPLETED" :
1969 if state
!= "COMPLETED" :
1970 raise Exception ( "Reauthentication did not complete" )
1972 def test_ap_wpa2_eap_request_identity_message ( dev
, apdev
):
1973 """Optional displayable message in EAP Request-Identity"""
1974 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
1975 params
[ 'eap_message' ] = 'hello \\ 0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
1976 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1977 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "PAX" , "pax.user@example.com" ,
1978 password_hex
= "0123456789abcdef0123456789abcdef" )
1980 def test_ap_wpa2_eap_sim_aka_result_ind ( dev
, apdev
):
1981 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
1982 if not os
. path
. exists ( "/tmp/hlr_auc_gw.sock" ):
1983 logger
. info ( "No hlr_auc_gw available" );
1985 params
= int_eap_server_params ()
1986 params
[ 'eap_sim_db' ] = "unix:/tmp/hlr_auc_gw.sock"
1987 params
[ 'eap_sim_aka_result_ind' ] = "1"
1988 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
1990 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "SIM" , "1232010000000000" ,
1991 password
= "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581" ,
1992 phase1
= "result_ind=1" )
1993 eap_reauth ( dev
[ 0 ], "SIM" )
1994 eap_connect ( dev
[ 1 ], apdev
[ 0 ], "SIM" , "1232010000000000" ,
1995 password
= "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581" )
1997 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
1998 dev
[ 1 ]. request ( "REMOVE_NETWORK all" )
2000 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "AKA" , "0232010000000000" ,
2001 password
= "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123" ,
2002 phase1
= "result_ind=1" )
2003 eap_reauth ( dev
[ 0 ], "AKA" )
2004 eap_connect ( dev
[ 1 ], apdev
[ 0 ], "AKA" , "0232010000000000" ,
2005 password
= "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123" )
2007 dev
[ 0 ]. request ( "REMOVE_NETWORK all" )
2008 dev
[ 1 ]. request ( "REMOVE_NETWORK all" )
2010 eap_connect ( dev
[ 0 ], apdev
[ 0 ], "AKA'" , "6555444333222111" ,
2011 password
= "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123" ,
2012 phase1
= "result_ind=1" )
2013 eap_reauth ( dev
[ 0 ], "AKA'" )
2014 eap_connect ( dev
[ 1 ], apdev
[ 0 ], "AKA'" , "6555444333222111" ,
2015 password
= "5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123" )
2017 def test_ap_wpa2_eap_too_many_roundtrips ( dev
, apdev
):
2018 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2019 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
2020 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
2021 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP WPA-EAP-SHA256" ,
2022 eap
= "TTLS" , identity
= "mschap user" ,
2023 wait_connect
= False , scan_freq
= "2412" , ieee80211w
= "1" ,
2024 anonymous_identity
= "ttls" , password
= "password" ,
2025 ca_cert
= "auth_serv/ca.pem" , phase2
= "auth=MSCHAP" ,
2027 ev
= dev
[ 0 ]. wait_event ([ "EAP: more than" ], timeout
= 20 )
2029 raise Exception ( "EAP roundtrip limit not reached" )
2031 def test_ap_wpa2_eap_expanded_nak ( dev
, apdev
):
2032 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2033 params
= hostapd
. wpa2_eap_params ( ssid
= "test-wpa2-eap" )
2034 hostapd
. add_ap ( apdev
[ 0 ][ 'ifname' ], params
)
2035 dev
[ 0 ]. connect ( "test-wpa2-eap" , key_mgmt
= "WPA-EAP WPA-EAP-SHA256" ,
2036 eap
= "PSK" , identity
= "vendor-test" ,
2037 password_hex
= "ff23456789abcdef0123456789abcdef" ,
2041 for i
in range ( 0 , 5 ):
2042 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-STATUS" ], timeout
= 10 )
2044 raise Exception ( "Association and EAP start timed out" )
2045 if "refuse proposed method" in ev
:
2049 raise Exception ( "Unexpected EAP status: " + ev
)
2051 ev
= dev
[ 0 ]. wait_event ([ "CTRL-EVENT-EAP-FAILURE" ])
2053 raise Exception ( "EAP failure timed out" )
def test_ap_wpa2_eap_sql(dev, apdev, params):
    """WPA2-Enterprise connection using SQLite for user DB"""
    # `params` here is the test-harness fixture dict (only 'logdir' is read
    # from it); it is rebound to the hostapd configuration dict further down.
    # NOTE(review): the lines between the docstring and `dbfile = ...` and
    # between `dbfile = ...` and `con = ...` are absent from this rendering;
    # presumably the sqlite3 availability check and removal of a stale
    # database file live there -- confirm against the upstream file.
    dbfile = os.path.join(params['logdir'], "eap-user.db")
    con = sqlite3.connect(dbfile)
    # NOTE(review): the cursor `cur` is created in lines not reproduced by
    # this rendering (probably a `with con:` block with `cur = con.cursor()`);
    # the statements below are constant literals with test-only credentials,
    # no caller-supplied data is interpolated into them.
    # Schema expected by hostapd's SQLite-backed EAP user database: one row
    # per identity with the allowed EAP method(s), plus a wildcard table for
    # identities that do not match an exact entry.
    cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
    cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
    # phase2=1 marks these as inner (tunneled) users; each one is tied to a
    # single TTLS inner method so the connections below exercise PAP, CHAP,
    # MSCHAP and MSCHAPv2 one at a time.
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
    cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
    # Empty identity wildcard: the outer (anonymous) identity "ttls" used
    # below is matched by this entry and restricted to TTLS/TLS.
    cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
    # authlog table; presumably written by the EAP server during the
    # authentications below -- not asserted on in this test.
    cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
    # NOTE(review): two more lines are missing from the rendering here
    # (likely a blank line and the start of a try/finally that removes
    # dbfile); confirm upstream.
    params = int_eap_server_params()
    # "sqlite:" prefix switches hostapd's eap_user_file from the flat text
    # format to the SQLite database created above.
    params["eap_user_file"] = "sqlite:" + dbfile
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Each station authenticates as a different DB user; ca_cert pins the
    # server CA for the TTLS tunnel and phase2 selects the inner method that
    # must agree with the user's `methods` column.
    eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    # Drop the network before reusing the same station for another user.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
    dev[1].request("REMOVE_NETWORK all")
    eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
    eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
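def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Internal EAP server in hostapd; the two stations present identities
    # that are not valid ASCII (a lone 0x80 byte, and "a" followed by 0x80).
    params = int_eap_server_params()
    hostapd.add_ap(apdev[0]['ifname'], params)
    # wait_connect=False: the identity is deliberately malformed, so the
    # test only waits for the EAP start and method-selection events below
    # and does not assert on the final outcome of the authentication.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(2):
        # wait_event() returns None on timeout; that is the failure signal.
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")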
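def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
    """WPA2-Enterprise connection attempt using non-ASCII identity"""
    # Same scenario as test_ap_wpa2_eap_non_ascii_identity, but the AP is
    # configured with hostapd.wpa2_eap_params() instead of the internal
    # EAP server parameters (presumably forwarding EAP to the external
    # test authentication server -- confirm in hostapd.py).
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0]['ifname'], params)
    # Identities that are not valid ASCII: a lone 0x80 byte, and "a"
    # followed by 0x80. wait_connect=False because only the EAP start and
    # method-selection events are checked; the authentication result is
    # not asserted on.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="\x80", password="password", wait_connect=False)
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="a\x80", password="password", wait_connect=False)
    for i in range(2):
        # wait_event() returns None on timeout; that is the failure signal.
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
        if ev is None:
            raise Exception("Association and EAP start timed out")
        ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
        if ev is None:
            raise Exception("EAP method selection timed out")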