3 # WPA2-Enterprise tests
4 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
6 # This software may be distributed under the terms of the BSD license.
7 # See README for more details.
# Root logger: getLogger() is called without a name. The test cases in this
# file write their progress messages through it.
logger = logging.getLogger()
18 def eap_connect(dev
, ap
, method
, identity
, anonymous_identity
=None,
20 phase1
=None, phase2
=None, ca_cert
=None,
21 domain_suffix_match
=None, password_hex
=None,
22 client_cert
=None, private_key
=None, sha256
=False,
23 fragment_size
=None, expect_failure
=False,
24 local_error_report
=False,
25 ca_cert2
=None, client_cert2
=None, private_key2
=None,
27 hapd
= hostapd
.Hostapd(ap
['ifname'])
28 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
29 eap
=method
, identity
=identity
,
30 anonymous_identity
=anonymous_identity
,
31 password
=password
, phase1
=phase1
, phase2
=phase2
,
32 ca_cert
=ca_cert
, domain_suffix_match
=domain_suffix_match
,
33 wait_connect
=False, scan_freq
="2412",
34 password_hex
=password_hex
,
35 client_cert
=client_cert
, private_key
=private_key
,
36 ieee80211w
="1", fragment_size
=fragment_size
,
37 ca_cert2
=ca_cert2
, client_cert2
=client_cert2
,
38 private_key2
=private_key2
, pac_file
=pac_file
)
39 eap_check_auth(dev
, method
, True, sha256
=sha256
,
40 expect_failure
=expect_failure
,
41 local_error_report
=local_error_report
)
44 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
46 raise Exception("No connection event received from hostapd")
49 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
50 expect_failure
=False, local_error_report
=False):
51 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
53 raise Exception("Association and EAP start timed out")
54 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
56 raise Exception("EAP method selection timed out")
58 raise Exception("Unexpected EAP method")
60 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
62 raise Exception("EAP failure timed out")
63 ev
= dev
.wait_event(["CTRL-EVENT-DISCONNECTED"])
65 raise Exception("Disconnection timed out")
66 if not local_error_report
:
67 if "reason=23" not in ev
:
68 raise Exception("Proper reason code for disconnection not reported")
70 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
72 raise Exception("EAP success timed out")
75 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
77 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
79 raise Exception("Association with the AP timed out")
80 status
= dev
.get_status()
81 if status
["wpa_state"] != "COMPLETED":
82 raise Exception("Connection not completed")
84 if status
["suppPortStatus"] != "Authorized":
85 raise Exception("Port not authorized")
86 if method
not in status
["selectedMethod"]:
87 raise Exception("Incorrect EAP method status")
91 e
= "WPA2/IEEE 802.1X/EAP"
93 e
= "WPA/IEEE 802.1X/EAP"
94 if status
["key_mgmt"] != e
:
95 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False):
    """Request EAP reauthentication on dev and verify the result.

    Sends the REAUTHENTICATE control request to the station and then runs
    eap_check_auth() with its third positional argument (initial) set to
    False, forwarding rsn and sha256 unchanged.
    """
    dev.request("REAUTHENTICATE")
    check_opts = {"rsn": rsn, "sha256": sha256}
    eap_check_auth(dev, method, False, **check_opts)
101 def test_ap_wpa2_eap_sim(dev
, apdev
):
102 """WPA2-Enterprise connection using EAP-SIM"""
103 if not os
.path
.exists("/tmp/hlr_auc_gw.sock"):
104 logger
.info("No hlr_auc_gw available");
106 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
107 hostapd
.add_ap(apdev
[0]['ifname'], params
)
108 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
109 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
110 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
111 eap_reauth(dev
[0], "SIM")
113 logger
.info("Negative test with incorrect key")
114 dev
[0].request("REMOVE_NETWORK all")
115 eap_connect(dev
[0], apdev
[0], "SIM", "1232010000000000",
116 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
119 def test_ap_wpa2_eap_aka(dev
, apdev
):
120 """WPA2-Enterprise connection using EAP-AKA"""
121 if not os
.path
.exists("/tmp/hlr_auc_gw.sock"):
122 logger
.info("No hlr_auc_gw available");
124 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
125 hostapd
.add_ap(apdev
[0]['ifname'], params
)
126 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
127 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
128 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
129 eap_reauth(dev
[0], "AKA")
131 logger
.info("Negative test with incorrect key")
132 dev
[0].request("REMOVE_NETWORK all")
133 eap_connect(dev
[0], apdev
[0], "AKA", "0232010000000000",
134 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
137 def test_ap_wpa2_eap_aka_prime(dev
, apdev
):
138 """WPA2-Enterprise connection using EAP-AKA'"""
139 if not os
.path
.exists("/tmp/hlr_auc_gw.sock"):
140 logger
.info("No hlr_auc_gw available");
142 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
143 hostapd
.add_ap(apdev
[0]['ifname'], params
)
144 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
145 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
146 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
147 eap_reauth(dev
[0], "AKA'")
149 logger
.info("Negative test with incorrect key")
150 dev
[0].request("REMOVE_NETWORK all")
151 eap_connect(dev
[0], apdev
[0], "AKA'", "6555444333222111",
152 password
="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    # PAP hands the password to the server in cleartext inside the TLS tunnel,
    # so validating the server certificate against ca_cert is what protects it.
    # NOTE(review): no domain_suffix_match is passed in this test, so only the
    # issuing CA is checked, not the server name.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    credentials = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=PAP",
    }
    eap_connect(sta, ap, "TTLS", "pap user", **credentials)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP is an MD5 challenge-response with no server authentication of its
    # own; here it runs only inside the TTLS tunnel, whose server certificate
    # is validated against ca_cert.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    credentials = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=CHAP",
    }
    eap_connect(sta, ap, "TTLS", "chap user", **credentials)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "TTLS")
175 def test_ap_wpa2_eap_ttls_mschap(dev
, apdev
):
176 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
177 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
178 hostapd
.add_ap(apdev
[0]['ifname'], params
)
179 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
180 anonymous_identity
="ttls", password
="password",
181 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
182 domain_suffix_match
="server.w1.fi")
183 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
184 eap_reauth(dev
[0], "TTLS")
185 dev
[0].request("REMOVE_NETWORK all")
186 eap_connect(dev
[0], apdev
[0], "TTLS", "mschap user",
187 anonymous_identity
="ttls", password
="password",
188 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
191 def test_ap_wpa2_eap_ttls_mschapv2(dev
, apdev
):
192 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
193 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
194 hostapd
.add_ap(apdev
[0]['ifname'], params
)
195 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
196 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
197 anonymous_identity
="ttls", password
="password",
198 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
199 domain_suffix_match
="w1.fi")
200 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
201 sta1
= hapd
.get_sta(dev
[0].p2p_interface_addr())
202 eapol1
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
203 eap_reauth(dev
[0], "TTLS")
204 sta2
= hapd
.get_sta(dev
[0].p2p_interface_addr())
205 eapol2
= hapd
.get_sta(dev
[0].p2p_interface_addr(), info
="eapol")
206 if int(sta2
['dot1xAuthEapolFramesRx']) <= int(sta1
['dot1xAuthEapolFramesRx']):
207 raise Exception("dot1xAuthEapolFramesRx did not increase")
208 if int(eapol2
['authAuthEapStartsWhileAuthenticated']) < 1:
209 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
210 if int(eapol2
['backendAuthSuccesses']) <= int(eapol1
['backendAuthSuccesses']):
211 raise Exception("backendAuthSuccesses did not increase")
213 logger
.info("Password as hash value")
214 dev
[0].request("REMOVE_NETWORK all")
215 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
216 anonymous_identity
="ttls",
217 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
218 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
220 logger
.info("Negative test with incorrect password")
221 dev
[0].request("REMOVE_NETWORK all")
222 eap_connect(dev
[0], apdev
[0], "TTLS", "DOMAIN\mschapv2 user",
223 anonymous_identity
="ttls", password
="password1",
224 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    # phase2 uses "autheap=" (an EAP method inside the tunnel) rather than
    # "auth=" (a non-EAP inner method). GTC passes the password as-is, so its
    # confidentiality rests on the TTLS tunnel and the ca_cert check.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    credentials = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "autheap=GTC",
    }
    eap_connect(sta, ap, "TTLS", "user", **credentials)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 on its own authenticates only the client and derives no keys;
    # in this test it is the inner method, so server authentication comes from
    # the TTLS tunnel validated against ca_cert.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    credentials = {
        "anonymous_identity": "ttls",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "autheap=MD5",
    }
    eap_connect(sta, ap, "TTLS", "user", **credentials)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "TTLS")
247 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev
, apdev
):
248 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
249 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
250 hostapd
.add_ap(apdev
[0]['ifname'], params
)
251 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
252 anonymous_identity
="ttls", password
="password",
253 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2")
254 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
255 eap_reauth(dev
[0], "TTLS")
257 logger
.info("Negative test with incorrect password")
258 dev
[0].request("REMOVE_NETWORK all")
259 eap_connect(dev
[0], apdev
[0], "TTLS", "user",
260 anonymous_identity
="ttls", password
="password1",
261 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MSCHAPV2",
264 def test_ap_wpa2_eap_peap_eap_mschapv2(dev
, apdev
):
265 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
266 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
267 hostapd
.add_ap(apdev
[0]['ifname'], params
)
268 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
269 anonymous_identity
="peap", password
="password",
270 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
271 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
272 eap_reauth(dev
[0], "PEAP")
273 dev
[0].request("REMOVE_NETWORK all")
274 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
275 anonymous_identity
="peap", password
="password",
276 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
279 logger
.info("Password as hash value")
280 dev
[0].request("REMOVE_NETWORK all")
281 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
282 anonymous_identity
="peap",
283 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
284 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
286 logger
.info("Negative test with incorrect password")
287 dev
[0].request("REMOVE_NETWORK all")
288 eap_connect(dev
[0], apdev
[0], "PEAP", "user",
289 anonymous_identity
="peap", password
="password1",
290 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
    # phase1 forces PEAP version 0 and sets crypto_binding=2, which in
    # wpa_supplicant's phase1 options means cryptobinding is required
    # (0 = not used, 1 = used if the server supports it). Cryptobinding ties
    # the inner MSCHAPv2 exchange to the TLS tunnel it was carried in.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    settings = {
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase1": "peapver=0 crypto_binding=2",
        "phase2": "auth=MSCHAPV2",
    }
    eap_connect(sta, ap, "PEAP", "user", **settings)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    # ca_cert applies to the outer PEAP tunnel; the "2"-suffixed parameters
    # (ca_cert2, client_cert2, private_key2) are the phase 2 equivalents used
    # by the inner EAP-TLS exchange. Both trust roots point at the same CA file.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], ap_params)

    settings = {
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=TLS",
        "ca_cert2": "auth_serv/ca.pem",
        "client_cert2": "auth_serv/user.pem",
        "private_key2": "auth_serv/user.key",
    }
    eap_connect(sta, ap, "PEAP", "cert user", **settings)
    eap_reauth(sta, "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    # Certificate-based authentication in both directions: ca_cert validates
    # the server, client_cert/private_key identify the station.
    # NOTE(review): no key passphrase is passed, so auth_serv/user.key is
    # presumably stored unencrypted - fine for a test fixture only.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], ap_params)

    settings = {
        "ca_cert": "auth_serv/ca.pem",
        "client_cert": "auth_serv/user.pem",
        "private_key": "auth_serv/user.key",
    }
    eap_connect(sta, ap, "TLS", "tls user", **settings)
    eap_reauth(sta, "TLS")
324 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev
, apdev
):
325 """WPA2-Enterprise negative test - incorrect trust root"""
326 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
327 hostapd
.add_ap(apdev
[0]['ifname'], params
)
328 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
329 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
330 password
="password", phase2
="auth=MSCHAPV2",
331 ca_cert
="auth_serv/ca-incorrect.pem",
332 wait_connect
=False, scan_freq
="2412")
334 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
336 raise Exception("Association and EAP start timed out")
338 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
340 raise Exception("EAP method selection timed out")
342 raise Exception("Unexpected EAP method")
344 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
345 "CTRL-EVENT-EAP-SUCCESS",
346 "CTRL-EVENT-EAP-FAILURE",
347 "CTRL-EVENT-CONNECTED",
348 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
350 raise Exception("EAP result timed out")
351 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
352 raise Exception("TLS certificate error not reported")
354 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
355 "CTRL-EVENT-EAP-FAILURE",
356 "CTRL-EVENT-CONNECTED",
357 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
359 raise Exception("EAP result(2) timed out")
360 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
361 raise Exception("EAP failure not reported")
363 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
364 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
366 raise Exception("EAP result(3) timed out")
367 if "CTRL-EVENT-DISCONNECTED" not in ev
:
368 raise Exception("Disconnection not reported")
370 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
372 raise Exception("Network block disabling not reported")
374 def test_ap_wpa2_eap_tls_neg_suffix_match(dev
, apdev
):
375 """WPA2-Enterprise negative test - domain suffix mismatch"""
376 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
377 hostapd
.add_ap(apdev
[0]['ifname'], params
)
378 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
379 identity
="DOMAIN\mschapv2 user", anonymous_identity
="ttls",
380 password
="password", phase2
="auth=MSCHAPV2",
381 ca_cert
="auth_serv/ca.pem",
382 domain_suffix_match
="incorrect.example.com",
383 wait_connect
=False, scan_freq
="2412")
385 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
387 raise Exception("Association and EAP start timed out")
389 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
391 raise Exception("EAP method selection timed out")
393 raise Exception("Unexpected EAP method")
395 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
396 "CTRL-EVENT-EAP-SUCCESS",
397 "CTRL-EVENT-EAP-FAILURE",
398 "CTRL-EVENT-CONNECTED",
399 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
401 raise Exception("EAP result timed out")
402 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev
:
403 raise Exception("TLS certificate error not reported")
404 if "Domain suffix mismatch" not in ev
:
405 raise Exception("Domain suffix mismatch not reported")
407 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
408 "CTRL-EVENT-EAP-FAILURE",
409 "CTRL-EVENT-CONNECTED",
410 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
412 raise Exception("EAP result(2) timed out")
413 if "CTRL-EVENT-EAP-FAILURE" not in ev
:
414 raise Exception("EAP failure not reported")
416 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED",
417 "CTRL-EVENT-DISCONNECTED"], timeout
=10)
419 raise Exception("EAP result(3) timed out")
420 if "CTRL-EVENT-DISCONNECTED" not in ev
:
421 raise Exception("Disconnection not reported")
423 ev
= dev
[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout
=10)
425 raise Exception("Network block disabling not reported")
427 def test_ap_wpa2_eap_pwd(dev
, apdev
):
428 """WPA2-Enterprise connection using EAP-pwd"""
429 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
430 hostapd
.add_ap(apdev
[0]['ifname'], params
)
431 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret password")
432 eap_reauth(dev
[0], "PWD")
434 dev
[0].request("REMOVE_NETWORK all")
435 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret password",
438 logger
.info("Negative test with incorrect password")
439 dev
[0].request("REMOVE_NETWORK all")
440 eap_connect(dev
[0], apdev
[0], "PWD", "pwd user", password
="secret-password",
441 expect_failure
=True, local_error_report
=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # The AP configuration is written out by hand here so that pwd_group can
    # be changed between runs; the same dict is updated and reused each time.
    params = {
        "ssid": "test-wpa2-eap",
        "wpa": "2",
        "wpa_key_mgmt": "WPA-EAP",
        "rsn_pairwise": "CCMP",
        "ieee8021x": "1",
        "eap_server": "1",
        "eap_user_file": "auth_serv/eap_user.conf",
    }
    sta, ap = dev[0], apdev[0]
    # EAP-pwd takes IANA IKE group numbers: 19, 20 and 21 are the 256-, 384-
    # and 521-bit random ECP groups, 25 and 26 the smaller 192- and 224-bit
    # ones. NOTE(review): a deployment may want to allow only the larger groups.
    pwd_groups = (19, 20, 21, 25, 26)
    for group in pwd_groups:
        params['pwd_group'] = str(group)
        hostapd.add_ap(ap['ifname'], params)
        sta.request("REMOVE_NETWORK all")
        eap_connect(sta, ap, "PWD", "pwd user", password="secret password")
454 def test_ap_wpa2_eap_gpsk(dev
, apdev
):
455 """WPA2-Enterprise connection using EAP-GPSK"""
456 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
457 hostapd
.add_ap(apdev
[0]['ifname'], params
)
458 id = eap_connect(dev
[0], apdev
[0], "GPSK", "gpsk user",
459 password
="abcdefghijklmnop0123456789abcdef")
460 eap_reauth(dev
[0], "GPSK")
462 logger
.info("Test forced algorithm selection")
463 for phase1
in [ "cipher=1", "cipher=2" ]:
464 dev
[0].set_network_quoted(id, "phase1", phase1
)
465 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
467 raise Exception("EAP success timed out")
468 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
470 raise Exception("Association with the AP timed out")
472 logger
.info("Test failed algorithm negotiation")
473 dev
[0].set_network_quoted(id, "phase1", "cipher=9")
474 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
476 raise Exception("EAP failure timed out")
478 logger
.info("Negative test with incorrect password")
479 dev
[0].request("REMOVE_NETWORK all")
480 eap_connect(dev
[0], apdev
[0], "GPSK", "gpsk user",
481 password
="ffcdefghijklmnop0123456789abcdef",
484 def test_ap_wpa2_eap_sake(dev
, apdev
):
485 """WPA2-Enterprise connection using EAP-SAKE"""
486 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
487 hostapd
.add_ap(apdev
[0]['ifname'], params
)
488 eap_connect(dev
[0], apdev
[0], "SAKE", "sake user",
489 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
490 eap_reauth(dev
[0], "SAKE")
492 logger
.info("Negative test with incorrect password")
493 dev
[0].request("REMOVE_NETWORK all")
494 eap_connect(dev
[0], apdev
[0], "SAKE", "sake user",
495 password_hex
="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
498 def test_ap_wpa2_eap_eke(dev
, apdev
):
499 """WPA2-Enterprise connection using EAP-EKE"""
500 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
501 hostapd
.add_ap(apdev
[0]['ifname'], params
)
502 id = eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello")
503 eap_reauth(dev
[0], "EKE")
505 logger
.info("Test forced algorithm selection")
506 for phase1
in [ "dhgroup=5 encr=1 prf=2 mac=2",
507 "dhgroup=4 encr=1 prf=2 mac=2",
508 "dhgroup=3 encr=1 prf=2 mac=2",
509 "dhgroup=3 encr=1 prf=1 mac=1" ]:
510 dev
[0].set_network_quoted(id, "phase1", phase1
)
511 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
513 raise Exception("EAP success timed out")
514 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
516 raise Exception("Association with the AP timed out")
518 logger
.info("Test failed algorithm negotiation")
519 dev
[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
520 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
522 raise Exception("EAP failure timed out")
524 logger
.info("Negative test with incorrect password")
525 dev
[0].request("REMOVE_NETWORK all")
526 eap_connect(dev
[0], apdev
[0], "EKE", "eke user", password
="hello1",
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], ap_params)

    # Baseline run with the matching password, followed by reauthentication.
    eap_connect(sta, ap, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")

    # Same credentials again with fragment_size="250"; presumably this is
    # small enough to force the EAP messages to be fragmented.
    sta.request("REMOVE_NETWORK all")
    fragmented = {"password": "ike password", "fragment_size": "250"}
    eap_connect(sta, ap, "IKEV2", "ikev2 user", **fragmented)

    # The password below differs from the one used above by one character
    # ('-' instead of ' '); expect_failure=True makes eap_connect() check for
    # a rejected authentication instead of a completed connection.
    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    wrong_secret = {"password": "ike-password", "expect_failure": True}
    eap_connect(sta, ap, "IKEV2", "ikev2 user", **wrong_secret)
545 def test_ap_wpa2_eap_pax(dev
, apdev
):
546 """WPA2-Enterprise connection using EAP-PAX"""
547 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
548 hostapd
.add_ap(apdev
[0]['ifname'], params
)
549 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
550 password_hex
="0123456789abcdef0123456789abcdef")
551 eap_reauth(dev
[0], "PAX")
553 logger
.info("Negative test with incorrect password")
554 dev
[0].request("REMOVE_NETWORK all")
555 eap_connect(dev
[0], apdev
[0], "PAX", "pax.user@example.com",
556 password_hex
="ff23456789abcdef0123456789abcdef",
559 def test_ap_wpa2_eap_psk(dev
, apdev
):
560 """WPA2-Enterprise connection using EAP-PSK"""
561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
562 params
["wpa_key_mgmt"] = "WPA-EAP-SHA256"
563 params
["ieee80211w"] = "2"
564 hostapd
.add_ap(apdev
[0]['ifname'], params
)
565 eap_connect(dev
[0], apdev
[0], "PSK", "psk.user@example.com",
566 password_hex
="0123456789abcdef0123456789abcdef", sha256
=True)
567 eap_reauth(dev
[0], "PSK", sha256
=True)
569 logger
.info("Negative test with incorrect password")
570 dev
[0].request("REMOVE_NETWORK all")
571 eap_connect(dev
[0], apdev
[0], "PSK", "psk.user@example.com",
572 password_hex
="ff23456789abcdef0123456789abcdef", sha256
=True,
575 def test_ap_wpa_eap_peap_eap_mschapv2(dev
, apdev
):
576 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
577 params
= hostapd
.wpa_eap_params(ssid
="test-wpa-eap")
578 hostapd
.add_ap(apdev
[0]['ifname'], params
)
579 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
580 identity
="user", password
="password", phase2
="auth=MSCHAPV2",
581 ca_cert
="auth_serv/ca.pem", wait_connect
=False,
583 eap_check_auth(dev
[0], "PEAP", True, rsn
=False)
584 hwsim_utils
.test_connectivity(dev
[0].ifname
, apdev
[0]['ifname'])
585 eap_reauth(dev
[0], "PEAP", rsn
=False)
587 def test_ap_wpa2_eap_interactive(dev
, apdev
):
588 """WPA2-Enterprise connection using interactive identity/password entry"""
589 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
590 hostapd
.add_ap(apdev
[0]['ifname'], params
)
591 hapd
= hostapd
.Hostapd(apdev
[0]['ifname'])
593 tests
= [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
594 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
596 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
597 "TTLS", "ttls", None, "auth=MSCHAPV2",
598 "DOMAIN\mschapv2 user", "password"),
599 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
600 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
601 ("Connection with dynamic TTLS/EAP-MD5 password entry",
602 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
603 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
604 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
605 ("Connection with dynamic PEAP/EAP-GTC password entry",
606 "PEAP", None, "user", "auth=GTC", None, "password") ]
607 for [desc
,eap
,anon
,identity
,phase2
,req_id
,req_pw
] in tests
:
609 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
=eap
,
610 anonymous_identity
=anon
, identity
=identity
,
611 ca_cert
="auth_serv/ca.pem", phase2
=phase2
,
612 wait_connect
=False, scan_freq
="2412")
614 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
616 raise Exception("Request for identity timed out")
617 id = ev
.split(':')[0].split('-')[-1]
618 dev
[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id
)
619 ev
= dev
[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
621 raise Exception("Request for password timed out")
622 id = ev
.split(':')[0].split('-')[-1]
623 type = "OTP" if "CTRL-REQ-OTP" in ev
else "PASSWORD"
624 dev
[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw
)
625 ev
= dev
[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
627 raise Exception("Connection timed out")
628 dev
[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    # Only a method name and an identity are supplied: this call passes no
    # password, certificate or key to eap_connect().
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    hostapd.add_ap(ap['ifname'], ap_params)

    eap_method = "VENDOR-TEST"
    eap_connect(sta, ap, eap_method, "vendor-test")
    eap_reauth(sta, eap_method)
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    # fast_provisioning=1 allows unauthenticated (anonymous) in-line PAC
    # provisioning. pac_file uses the blob:// form, so the PAC is kept in the
    # configuration blob named fast_pac instead of a file on disk.
    # NOTE(review): in this mode the server is not authenticated by certificate
    # while the PAC is handed out, so the first enrollment is the exposed step;
    # authenticated provisioning (fast_provisioning=2) avoids that.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    settings = {
        "anonymous_identity": "FAST",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=MSCHAPV2",
        "phase1": "fast_provisioning=1",
        "pac_file": "blob://fast_pac",
    }
    eap_connect(sta, ap, "FAST", "user", **settings)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "FAST")
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    # fast_provisioning=2 allows only server-authenticated in-line PAC
    # provisioning, so the ca_cert check is what vouches for the server that
    # issues the PAC. The PAC is kept in the configuration blob fast_pac_auth.
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    sta, ap = dev[0], apdev[0]
    ap_ifname = ap['ifname']
    hostapd.add_ap(ap_ifname, ap_params)

    settings = {
        "anonymous_identity": "FAST",
        "password": "password",
        "ca_cert": "auth_serv/ca.pem",
        "phase2": "auth=GTC",
        "phase1": "fast_provisioning=2",
        "pac_file": "blob://fast_pac_auth",
    }
    eap_connect(sta, ap, "FAST", "user", **settings)
    hwsim_utils.test_connectivity(sta.ifname, ap_ifname)
    eap_reauth(sta, "FAST")