]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_eap.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: EAP-FAST
[thirdparty/hostap.git] / tests / hwsim / test_ap_eap.py
1 #!/usr/bin/python
2 #
3 # WPA2-Enterprise tests
4 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
5 #
6 # This software may be distributed under the terms of the BSD license.
7 # See README for more details.
8
9 import time
10 import subprocess
11 import logging
12 logger = logging.getLogger()
13 import os.path
14
15 import hwsim_utils
16 import hostapd
17
18 def eap_connect(dev, ap, method, identity, anonymous_identity=None,
19 password=None,
20 phase1=None, phase2=None, ca_cert=None,
21 domain_suffix_match=None, password_hex=None,
22 client_cert=None, private_key=None, sha256=False,
23 fragment_size=None, expect_failure=False,
24 local_error_report=False,
25 ca_cert2=None, client_cert2=None, private_key2=None,
26 pac_file=None):
27 hapd = hostapd.Hostapd(ap['ifname'])
28 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
29 eap=method, identity=identity,
30 anonymous_identity=anonymous_identity,
31 password=password, phase1=phase1, phase2=phase2,
32 ca_cert=ca_cert, domain_suffix_match=domain_suffix_match,
33 wait_connect=False, scan_freq="2412",
34 password_hex=password_hex,
35 client_cert=client_cert, private_key=private_key,
36 ieee80211w="1", fragment_size=fragment_size,
37 ca_cert2=ca_cert2, client_cert2=client_cert2,
38 private_key2=private_key2, pac_file=pac_file)
39 eap_check_auth(dev, method, True, sha256=sha256,
40 expect_failure=expect_failure,
41 local_error_report=local_error_report)
42 if expect_failure:
43 return id
44 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
45 if ev is None:
46 raise Exception("No connection event received from hostapd")
47 return id
48
49 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
50 expect_failure=False, local_error_report=False):
51 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
52 if ev is None:
53 raise Exception("Association and EAP start timed out")
54 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
55 if ev is None:
56 raise Exception("EAP method selection timed out")
57 if method not in ev:
58 raise Exception("Unexpected EAP method")
59 if expect_failure:
60 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
61 if ev is None:
62 raise Exception("EAP failure timed out")
63 ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
64 if ev is None:
65 raise Exception("Disconnection timed out")
66 if not local_error_report:
67 if "reason=23" not in ev:
68 raise Exception("Proper reason code for disconnection not reported")
69 return
70 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
71 if ev is None:
72 raise Exception("EAP success timed out")
73
74 if initial:
75 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
76 else:
77 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
78 if ev is None:
79 raise Exception("Association with the AP timed out")
80 status = dev.get_status()
81 if status["wpa_state"] != "COMPLETED":
82 raise Exception("Connection not completed")
83
84 if status["suppPortStatus"] != "Authorized":
85 raise Exception("Port not authorized")
86 if method not in status["selectedMethod"]:
87 raise Exception("Incorrect EAP method status")
88 if sha256:
89 e = "WPA2-EAP-SHA256"
90 elif rsn:
91 e = "WPA2/IEEE 802.1X/EAP"
92 else:
93 e = "WPA/IEEE 802.1X/EAP"
94 if status["key_mgmt"] != e:
95 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
96
97 def eap_reauth(dev, method, rsn=True, sha256=False):
98 dev.request("REAUTHENTICATE")
99 eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256)
100
101 def test_ap_wpa2_eap_sim(dev, apdev):
102 """WPA2-Enterprise connection using EAP-SIM"""
103 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
104 logger.info("No hlr_auc_gw available");
105 return "skip"
106 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
107 hostapd.add_ap(apdev[0]['ifname'], params)
108 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
109 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
110 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
111 eap_reauth(dev[0], "SIM")
112
113 logger.info("Negative test with incorrect key")
114 dev[0].request("REMOVE_NETWORK all")
115 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
116 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
117 expect_failure=True)
118
119 def test_ap_wpa2_eap_aka(dev, apdev):
120 """WPA2-Enterprise connection using EAP-AKA"""
121 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
122 logger.info("No hlr_auc_gw available");
123 return "skip"
124 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
125 hostapd.add_ap(apdev[0]['ifname'], params)
126 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
127 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
128 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
129 eap_reauth(dev[0], "AKA")
130
131 logger.info("Negative test with incorrect key")
132 dev[0].request("REMOVE_NETWORK all")
133 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
134 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
135 expect_failure=True)
136
137 def test_ap_wpa2_eap_aka_prime(dev, apdev):
138 """WPA2-Enterprise connection using EAP-AKA'"""
139 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
140 logger.info("No hlr_auc_gw available");
141 return "skip"
142 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
143 hostapd.add_ap(apdev[0]['ifname'], params)
144 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
145 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
146 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
147 eap_reauth(dev[0], "AKA'")
148
149 logger.info("Negative test with incorrect key")
150 dev[0].request("REMOVE_NETWORK all")
151 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
152 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
153 expect_failure=True)
154
155 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
156 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
157 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
158 hostapd.add_ap(apdev[0]['ifname'], params)
159 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
160 anonymous_identity="ttls", password="password",
161 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
162 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
163 eap_reauth(dev[0], "TTLS")
164
165 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
166 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
167 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
168 hostapd.add_ap(apdev[0]['ifname'], params)
169 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
170 anonymous_identity="ttls", password="password",
171 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
172 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
173 eap_reauth(dev[0], "TTLS")
174
175 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
176 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
177 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
178 hostapd.add_ap(apdev[0]['ifname'], params)
179 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
180 anonymous_identity="ttls", password="password",
181 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
182 domain_suffix_match="server.w1.fi")
183 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
184 eap_reauth(dev[0], "TTLS")
185 dev[0].request("REMOVE_NETWORK all")
186 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
187 anonymous_identity="ttls", password="password",
188 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
189 fragment_size="200")
190
191 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
192 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
193 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
194 hostapd.add_ap(apdev[0]['ifname'], params)
195 hapd = hostapd.Hostapd(apdev[0]['ifname'])
196 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
197 anonymous_identity="ttls", password="password",
198 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
199 domain_suffix_match="w1.fi")
200 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
201 sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
202 eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
203 eap_reauth(dev[0], "TTLS")
204 sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
205 eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
206 if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
207 raise Exception("dot1xAuthEapolFramesRx did not increase")
208 if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
209 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
210 if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
211 raise Exception("backendAuthSuccesses did not increase")
212
213 logger.info("Password as hash value")
214 dev[0].request("REMOVE_NETWORK all")
215 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
216 anonymous_identity="ttls",
217 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
218 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
219
220 logger.info("Negative test with incorrect password")
221 dev[0].request("REMOVE_NETWORK all")
222 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
223 anonymous_identity="ttls", password="password1",
224 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
225 expect_failure=True)
226
227 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
228 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
229 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
230 hostapd.add_ap(apdev[0]['ifname'], params)
231 eap_connect(dev[0], apdev[0], "TTLS", "user",
232 anonymous_identity="ttls", password="password",
233 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
234 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
235 eap_reauth(dev[0], "TTLS")
236
237 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
238 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
239 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
240 hostapd.add_ap(apdev[0]['ifname'], params)
241 eap_connect(dev[0], apdev[0], "TTLS", "user",
242 anonymous_identity="ttls", password="password",
243 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
244 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
245 eap_reauth(dev[0], "TTLS")
246
247 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
248 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
249 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
250 hostapd.add_ap(apdev[0]['ifname'], params)
251 eap_connect(dev[0], apdev[0], "TTLS", "user",
252 anonymous_identity="ttls", password="password",
253 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
254 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
255 eap_reauth(dev[0], "TTLS")
256
257 logger.info("Negative test with incorrect password")
258 dev[0].request("REMOVE_NETWORK all")
259 eap_connect(dev[0], apdev[0], "TTLS", "user",
260 anonymous_identity="ttls", password="password1",
261 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
262 expect_failure=True)
263
264 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
265 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
266 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
267 hostapd.add_ap(apdev[0]['ifname'], params)
268 eap_connect(dev[0], apdev[0], "PEAP", "user",
269 anonymous_identity="peap", password="password",
270 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
271 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
272 eap_reauth(dev[0], "PEAP")
273 dev[0].request("REMOVE_NETWORK all")
274 eap_connect(dev[0], apdev[0], "PEAP", "user",
275 anonymous_identity="peap", password="password",
276 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
277 fragment_size="200")
278
279 logger.info("Password as hash value")
280 dev[0].request("REMOVE_NETWORK all")
281 eap_connect(dev[0], apdev[0], "PEAP", "user",
282 anonymous_identity="peap",
283 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
284 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
285
286 logger.info("Negative test with incorrect password")
287 dev[0].request("REMOVE_NETWORK all")
288 eap_connect(dev[0], apdev[0], "PEAP", "user",
289 anonymous_identity="peap", password="password1",
290 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
291 expect_failure=True)
292
293 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
294 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
295 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
296 hostapd.add_ap(apdev[0]['ifname'], params)
297 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
298 ca_cert="auth_serv/ca.pem",
299 phase1="peapver=0 crypto_binding=2",
300 phase2="auth=MSCHAPV2")
301 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
302 eap_reauth(dev[0], "PEAP")
303
304 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
305 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
306 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
307 hostapd.add_ap(apdev[0]['ifname'], params)
308 eap_connect(dev[0], apdev[0], "PEAP", "cert user",
309 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
310 ca_cert2="auth_serv/ca.pem",
311 client_cert2="auth_serv/user.pem",
312 private_key2="auth_serv/user.key")
313 eap_reauth(dev[0], "PEAP")
314
315 def test_ap_wpa2_eap_tls(dev, apdev):
316 """WPA2-Enterprise connection using EAP-TLS"""
317 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
318 hostapd.add_ap(apdev[0]['ifname'], params)
319 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
320 client_cert="auth_serv/user.pem",
321 private_key="auth_serv/user.key")
322 eap_reauth(dev[0], "TLS")
323
324 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
325 """WPA2-Enterprise negative test - incorrect trust root"""
326 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
327 hostapd.add_ap(apdev[0]['ifname'], params)
328 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
329 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
330 password="password", phase2="auth=MSCHAPV2",
331 ca_cert="auth_serv/ca-incorrect.pem",
332 wait_connect=False, scan_freq="2412")
333
334 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
335 if ev is None:
336 raise Exception("Association and EAP start timed out")
337
338 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
339 if ev is None:
340 raise Exception("EAP method selection timed out")
341 if "TTLS" not in ev:
342 raise Exception("Unexpected EAP method")
343
344 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
345 "CTRL-EVENT-EAP-SUCCESS",
346 "CTRL-EVENT-EAP-FAILURE",
347 "CTRL-EVENT-CONNECTED",
348 "CTRL-EVENT-DISCONNECTED"], timeout=10)
349 if ev is None:
350 raise Exception("EAP result timed out")
351 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
352 raise Exception("TLS certificate error not reported")
353
354 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
355 "CTRL-EVENT-EAP-FAILURE",
356 "CTRL-EVENT-CONNECTED",
357 "CTRL-EVENT-DISCONNECTED"], timeout=10)
358 if ev is None:
359 raise Exception("EAP result(2) timed out")
360 if "CTRL-EVENT-EAP-FAILURE" not in ev:
361 raise Exception("EAP failure not reported")
362
363 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
364 "CTRL-EVENT-DISCONNECTED"], timeout=10)
365 if ev is None:
366 raise Exception("EAP result(3) timed out")
367 if "CTRL-EVENT-DISCONNECTED" not in ev:
368 raise Exception("Disconnection not reported")
369
370 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
371 if ev is None:
372 raise Exception("Network block disabling not reported")
373
374 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
375 """WPA2-Enterprise negative test - domain suffix mismatch"""
376 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
377 hostapd.add_ap(apdev[0]['ifname'], params)
378 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
379 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
380 password="password", phase2="auth=MSCHAPV2",
381 ca_cert="auth_serv/ca.pem",
382 domain_suffix_match="incorrect.example.com",
383 wait_connect=False, scan_freq="2412")
384
385 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
386 if ev is None:
387 raise Exception("Association and EAP start timed out")
388
389 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
390 if ev is None:
391 raise Exception("EAP method selection timed out")
392 if "TTLS" not in ev:
393 raise Exception("Unexpected EAP method")
394
395 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
396 "CTRL-EVENT-EAP-SUCCESS",
397 "CTRL-EVENT-EAP-FAILURE",
398 "CTRL-EVENT-CONNECTED",
399 "CTRL-EVENT-DISCONNECTED"], timeout=10)
400 if ev is None:
401 raise Exception("EAP result timed out")
402 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
403 raise Exception("TLS certificate error not reported")
404 if "Domain suffix mismatch" not in ev:
405 raise Exception("Domain suffix mismatch not reported")
406
407 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
408 "CTRL-EVENT-EAP-FAILURE",
409 "CTRL-EVENT-CONNECTED",
410 "CTRL-EVENT-DISCONNECTED"], timeout=10)
411 if ev is None:
412 raise Exception("EAP result(2) timed out")
413 if "CTRL-EVENT-EAP-FAILURE" not in ev:
414 raise Exception("EAP failure not reported")
415
416 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
417 "CTRL-EVENT-DISCONNECTED"], timeout=10)
418 if ev is None:
419 raise Exception("EAP result(3) timed out")
420 if "CTRL-EVENT-DISCONNECTED" not in ev:
421 raise Exception("Disconnection not reported")
422
423 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
424 if ev is None:
425 raise Exception("Network block disabling not reported")
426
427 def test_ap_wpa2_eap_pwd(dev, apdev):
428 """WPA2-Enterprise connection using EAP-pwd"""
429 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
430 hostapd.add_ap(apdev[0]['ifname'], params)
431 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
432 eap_reauth(dev[0], "PWD")
433
434 dev[0].request("REMOVE_NETWORK all")
435 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password",
436 fragment_size="90")
437
438 logger.info("Negative test with incorrect password")
439 dev[0].request("REMOVE_NETWORK all")
440 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret-password",
441 expect_failure=True, local_error_report=True)
442
443 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
444 """WPA2-Enterprise connection using various EAP-pwd groups"""
445 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
446 "rsn_pairwise": "CCMP", "ieee8021x": "1",
447 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
448 for i in [ 19, 20, 21, 25, 26 ]:
449 params['pwd_group'] = str(i)
450 hostapd.add_ap(apdev[0]['ifname'], params)
451 dev[0].request("REMOVE_NETWORK all")
452 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
453
454 def test_ap_wpa2_eap_gpsk(dev, apdev):
455 """WPA2-Enterprise connection using EAP-GPSK"""
456 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
457 hostapd.add_ap(apdev[0]['ifname'], params)
458 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
459 password="abcdefghijklmnop0123456789abcdef")
460 eap_reauth(dev[0], "GPSK")
461
462 logger.info("Test forced algorithm selection")
463 for phase1 in [ "cipher=1", "cipher=2" ]:
464 dev[0].set_network_quoted(id, "phase1", phase1)
465 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
466 if ev is None:
467 raise Exception("EAP success timed out")
468 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
469 if ev is None:
470 raise Exception("Association with the AP timed out")
471
472 logger.info("Test failed algorithm negotiation")
473 dev[0].set_network_quoted(id, "phase1", "cipher=9")
474 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
475 if ev is None:
476 raise Exception("EAP failure timed out")
477
478 logger.info("Negative test with incorrect password")
479 dev[0].request("REMOVE_NETWORK all")
480 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
481 password="ffcdefghijklmnop0123456789abcdef",
482 expect_failure=True)
483
484 def test_ap_wpa2_eap_sake(dev, apdev):
485 """WPA2-Enterprise connection using EAP-SAKE"""
486 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
487 hostapd.add_ap(apdev[0]['ifname'], params)
488 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
489 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
490 eap_reauth(dev[0], "SAKE")
491
492 logger.info("Negative test with incorrect password")
493 dev[0].request("REMOVE_NETWORK all")
494 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
495 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
496 expect_failure=True)
497
498 def test_ap_wpa2_eap_eke(dev, apdev):
499 """WPA2-Enterprise connection using EAP-EKE"""
500 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
501 hostapd.add_ap(apdev[0]['ifname'], params)
502 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
503 eap_reauth(dev[0], "EKE")
504
505 logger.info("Test forced algorithm selection")
506 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
507 "dhgroup=4 encr=1 prf=2 mac=2",
508 "dhgroup=3 encr=1 prf=2 mac=2",
509 "dhgroup=3 encr=1 prf=1 mac=1" ]:
510 dev[0].set_network_quoted(id, "phase1", phase1)
511 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
512 if ev is None:
513 raise Exception("EAP success timed out")
514 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
515 if ev is None:
516 raise Exception("Association with the AP timed out")
517
518 logger.info("Test failed algorithm negotiation")
519 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
520 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
521 if ev is None:
522 raise Exception("EAP failure timed out")
523
524 logger.info("Negative test with incorrect password")
525 dev[0].request("REMOVE_NETWORK all")
526 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
527 expect_failure=True)
528
529 def test_ap_wpa2_eap_ikev2(dev, apdev):
530 """WPA2-Enterprise connection using EAP-IKEv2"""
531 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
532 hostapd.add_ap(apdev[0]['ifname'], params)
533 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
534 password="ike password")
535 eap_reauth(dev[0], "IKEV2")
536 dev[0].request("REMOVE_NETWORK all")
537 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
538 password="ike password", fragment_size="250")
539
540 logger.info("Negative test with incorrect password")
541 dev[0].request("REMOVE_NETWORK all")
542 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
543 password="ike-password", expect_failure=True)
544
545 def test_ap_wpa2_eap_pax(dev, apdev):
546 """WPA2-Enterprise connection using EAP-PAX"""
547 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
548 hostapd.add_ap(apdev[0]['ifname'], params)
549 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
550 password_hex="0123456789abcdef0123456789abcdef")
551 eap_reauth(dev[0], "PAX")
552
553 logger.info("Negative test with incorrect password")
554 dev[0].request("REMOVE_NETWORK all")
555 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
556 password_hex="ff23456789abcdef0123456789abcdef",
557 expect_failure=True)
558
559 def test_ap_wpa2_eap_psk(dev, apdev):
560 """WPA2-Enterprise connection using EAP-PSK"""
561 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
562 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
563 params["ieee80211w"] = "2"
564 hostapd.add_ap(apdev[0]['ifname'], params)
565 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
566 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
567 eap_reauth(dev[0], "PSK", sha256=True)
568
569 logger.info("Negative test with incorrect password")
570 dev[0].request("REMOVE_NETWORK all")
571 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
572 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
573 expect_failure=True)
574
575 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
576 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
577 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
578 hostapd.add_ap(apdev[0]['ifname'], params)
579 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
580 identity="user", password="password", phase2="auth=MSCHAPV2",
581 ca_cert="auth_serv/ca.pem", wait_connect=False,
582 scan_freq="2412")
583 eap_check_auth(dev[0], "PEAP", True, rsn=False)
584 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
585 eap_reauth(dev[0], "PEAP", rsn=False)
586
587 def test_ap_wpa2_eap_interactive(dev, apdev):
588 """WPA2-Enterprise connection using interactive identity/password entry"""
589 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
590 hostapd.add_ap(apdev[0]['ifname'], params)
591 hapd = hostapd.Hostapd(apdev[0]['ifname'])
592
593 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
594 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
595 None, "password"),
596 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
597 "TTLS", "ttls", None, "auth=MSCHAPV2",
598 "DOMAIN\mschapv2 user", "password"),
599 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
600 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
601 ("Connection with dynamic TTLS/EAP-MD5 password entry",
602 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
603 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
604 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
605 ("Connection with dynamic PEAP/EAP-GTC password entry",
606 "PEAP", None, "user", "auth=GTC", None, "password") ]
607 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
608 logger.info(desc)
609 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
610 anonymous_identity=anon, identity=identity,
611 ca_cert="auth_serv/ca.pem", phase2=phase2,
612 wait_connect=False, scan_freq="2412")
613 if req_id:
614 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
615 if ev is None:
616 raise Exception("Request for identity timed out")
617 id = ev.split(':')[0].split('-')[-1]
618 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
619 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
620 if ev is None:
621 raise Exception("Request for password timed out")
622 id = ev.split(':')[0].split('-')[-1]
623 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
624 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
625 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
626 if ev is None:
627 raise Exception("Connection timed out")
628 dev[0].request("REMOVE_NETWORK all")
629
630 def test_ap_wpa2_eap_vendor_test(dev, apdev):
631 """WPA2-Enterprise connection using EAP vendor test"""
632 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
633 hostapd.add_ap(apdev[0]['ifname'], params)
634 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
635 eap_reauth(dev[0], "VENDOR-TEST")
636
637 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
638 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
639 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
640 hostapd.add_ap(apdev[0]['ifname'], params)
641 eap_connect(dev[0], apdev[0], "FAST", "user",
642 anonymous_identity="FAST", password="password",
643 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
644 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
645 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
646 eap_reauth(dev[0], "FAST")
647
648 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
649 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
650 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
651 hostapd.add_ap(apdev[0]['ifname'], params)
652 eap_connect(dev[0], apdev[0], "FAST", "user",
653 anonymous_identity="FAST", password="password",
654 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
655 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
656 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
657 eap_reauth(dev[0], "FAST")
Unnamed repository; edit this file 'description' to name the repository.