]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_ap_eap.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: EAP-SIM external_sim error cases
[thirdparty/hostap.git] / tests / hwsim / test_ap_eap.py
1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2014, Jouni Malinen <j@w1.fi>
4 #
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
7
8 import base64
9 import time
10 import subprocess
11 import logging
12 logger = logging.getLogger()
13 import os
14
15 import hwsim_utils
16 import hostapd
17 from test_ap_psk import check_mib
18
19 def read_pem(fname):
20 with open(fname, "r") as f:
21 lines = f.readlines()
22 copy = False
23 cert = ""
24 for l in lines:
25 if "-----END" in l:
26 break
27 if copy:
28 cert = cert + l
29 if "-----BEGIN" in l:
30 copy = True
31 return base64.b64decode(cert)
32
33 def eap_connect(dev, ap, method, identity,
34 sha256=False, expect_failure=False, local_error_report=False,
35 **kwargs):
36 hapd = hostapd.Hostapd(ap['ifname'])
37 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
38 eap=method, identity=identity,
39 wait_connect=False, scan_freq="2412", ieee80211w="1",
40 **kwargs)
41 eap_check_auth(dev, method, True, sha256=sha256,
42 expect_failure=expect_failure,
43 local_error_report=local_error_report)
44 if expect_failure:
45 return id
46 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
47 if ev is None:
48 raise Exception("No connection event received from hostapd")
49 return id
50
51 def eap_check_auth(dev, method, initial, rsn=True, sha256=False,
52 expect_failure=False, local_error_report=False):
53 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
54 if ev is None:
55 raise Exception("Association and EAP start timed out")
56 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
57 if ev is None:
58 raise Exception("EAP method selection timed out")
59 if method not in ev:
60 raise Exception("Unexpected EAP method")
61 if expect_failure:
62 ev = dev.wait_event(["CTRL-EVENT-EAP-FAILURE"])
63 if ev is None:
64 raise Exception("EAP failure timed out")
65 ev = dev.wait_event(["CTRL-EVENT-DISCONNECTED"])
66 if ev is None:
67 raise Exception("Disconnection timed out")
68 if not local_error_report:
69 if "reason=23" not in ev:
70 raise Exception("Proper reason code for disconnection not reported")
71 return
72 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
73 if ev is None:
74 raise Exception("EAP success timed out")
75
76 if initial:
77 ev = dev.wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
78 else:
79 ev = dev.wait_event(["WPA: Key negotiation completed"], timeout=10)
80 if ev is None:
81 raise Exception("Association with the AP timed out")
82 status = dev.get_status()
83 if status["wpa_state"] != "COMPLETED":
84 raise Exception("Connection not completed")
85
86 if status["suppPortStatus"] != "Authorized":
87 raise Exception("Port not authorized")
88 if method not in status["selectedMethod"]:
89 raise Exception("Incorrect EAP method status")
90 if sha256:
91 e = "WPA2-EAP-SHA256"
92 elif rsn:
93 e = "WPA2/IEEE 802.1X/EAP"
94 else:
95 e = "WPA/IEEE 802.1X/EAP"
96 if status["key_mgmt"] != e:
97 raise Exception("Unexpected key_mgmt status: " + status["key_mgmt"])
98
99 def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
100 dev.request("REAUTHENTICATE")
101 eap_check_auth(dev, method, False, rsn=rsn, sha256=sha256,
102 expect_failure=expect_failure)
103
104 def test_ap_wpa2_eap_sim(dev, apdev):
105 """WPA2-Enterprise connection using EAP-SIM"""
106 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
107 logger.info("No hlr_auc_gw available");
108 return "skip"
109 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
110 hostapd.add_ap(apdev[0]['ifname'], params)
111 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
112 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
113 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
114 eap_reauth(dev[0], "SIM")
115
116 eap_connect(dev[1], apdev[0], "SIM", "1232010000000001",
117 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
118 eap_connect(dev[2], apdev[0], "SIM", "1232010000000002",
119 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
120 expect_failure=True)
121
122 logger.info("Negative test with incorrect key")
123 dev[0].request("REMOVE_NETWORK all")
124 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
125 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
126 expect_failure=True)
127
128 logger.info("Invalid GSM-Milenage key")
129 dev[0].request("REMOVE_NETWORK all")
130 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
131 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
132 expect_failure=True)
133
134 logger.info("Invalid GSM-Milenage key(2)")
135 dev[0].request("REMOVE_NETWORK all")
136 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
137 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
138 expect_failure=True)
139
140 logger.info("Invalid GSM-Milenage key(3)")
141 dev[0].request("REMOVE_NETWORK all")
142 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
143 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
144 expect_failure=True)
145
146 logger.info("Invalid GSM-Milenage key(4)")
147 dev[0].request("REMOVE_NETWORK all")
148 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
149 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
150 expect_failure=True)
151
152 logger.info("Missing key configuration")
153 dev[0].request("REMOVE_NETWORK all")
154 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
155 expect_failure=True)
156
157 def test_ap_wpa2_eap_sim_sql(dev, apdev, params):
158 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
159 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
160 logger.info("No hlr_auc_gw available");
161 return "skip"
162 try:
163 import sqlite3
164 except ImportError:
165 return "skip"
166 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
167 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
168 params['auth_server_port'] = "1814"
169 hostapd.add_ap(apdev[0]['ifname'], params)
170 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
171 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
172
173 logger.info("SIM fast re-authentication")
174 eap_reauth(dev[0], "SIM")
175
176 logger.info("SIM full auth with pseudonym")
177 with con:
178 cur = con.cursor()
179 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
180 eap_reauth(dev[0], "SIM")
181
182 logger.info("SIM full auth with permanent identity")
183 with con:
184 cur = con.cursor()
185 cur.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
186 cur.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
187 eap_reauth(dev[0], "SIM")
188
189 logger.info("SIM reauth with mismatching MK")
190 with con:
191 cur = con.cursor()
192 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
193 eap_reauth(dev[0], "SIM", expect_failure=True)
194 dev[0].request("REMOVE_NETWORK all")
195
196 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
197 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
198 with con:
199 cur = con.cursor()
200 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
201 eap_reauth(dev[0], "SIM")
202 with con:
203 cur = con.cursor()
204 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
205 logger.info("SIM reauth with mismatching counter")
206 eap_reauth(dev[0], "SIM")
207 dev[0].request("REMOVE_NETWORK all")
208
209 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
210 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
211 with con:
212 cur = con.cursor()
213 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
214 logger.info("SIM reauth with max reauth count reached")
215 eap_reauth(dev[0], "SIM")
216
217 def test_ap_wpa2_eap_sim_config(dev, apdev):
218 """EAP-SIM configuration options"""
219 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
220 hostapd.add_ap(apdev[0]['ifname'], params)
221 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
222 identity="1232010000000000",
223 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
224 phase1="sim_min_num_chal=1",
225 wait_connect=False, scan_freq="2412")
226 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
227 if ev is None:
228 raise Exception("No EAP error message seen")
229 dev[0].request("REMOVE_NETWORK all")
230
231 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="SIM",
232 identity="1232010000000000",
233 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
234 phase1="sim_min_num_chal=4",
235 wait_connect=False, scan_freq="2412")
236 ev = dev[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout=10)
237 if ev is None:
238 raise Exception("No EAP error message seen (2)")
239 dev[0].request("REMOVE_NETWORK all")
240
241 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
242 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
243 phase1="sim_min_num_chal=2")
244 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
245 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
246 anonymous_identity="345678")
247
248 def test_ap_wpa2_eap_sim_ext(dev, apdev):
249 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
250 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
251 logger.info("No hlr_auc_gw available");
252 return "skip"
253 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
254 hostapd.add_ap(apdev[0]['ifname'], params)
255 dev[0].request("SET external_sim 1")
256 id = dev[0].connect("test-wpa2-eap", eap="SIM", key_mgmt="WPA-EAP",
257 identity="1232010000000000",
258 wait_connect=False, scan_freq="2412")
259 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
260 if ev is None:
261 raise Exception("Network connected timed out")
262
263 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
264 if ev is None:
265 raise Exception("Wait for external SIM processing request timed out")
266 p = ev.split(':', 2)
267 if p[1] != "GSM-AUTH":
268 raise Exception("Unexpected CTRL-REQ-SIM type")
269 rid = p[0].split('-')[3]
270
271 # IK:CK:RES
272 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
273 # This will fail during processing, but the ctrl_iface command succeeds
274 dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp)
275 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
276 if ev is None:
277 raise Exception("EAP failure not reported")
278 dev[0].request("DISCONNECT")
279
280 dev[0].select_network(id, freq="2412")
281 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
282 if ev is None:
283 raise Exception("Wait for external SIM processing request timed out")
284 p = ev.split(':', 2)
285 if p[1] != "GSM-AUTH":
286 raise Exception("Unexpected CTRL-REQ-SIM type")
287 rid = p[0].split('-')[3]
288 # This will fail during GSM auth validation
289 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:q"):
290 raise Exception("CTRL-RSP-SIM failed")
291 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
292 if ev is None:
293 raise Exception("EAP failure not reported")
294 dev[0].request("DISCONNECT")
295
296 dev[0].select_network(id, freq="2412")
297 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
298 if ev is None:
299 raise Exception("Wait for external SIM processing request timed out")
300 p = ev.split(':', 2)
301 if p[1] != "GSM-AUTH":
302 raise Exception("Unexpected CTRL-REQ-SIM type")
303 rid = p[0].split('-')[3]
304 # This will fail during GSM auth validation
305 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:34"):
306 raise Exception("CTRL-RSP-SIM failed")
307 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
308 if ev is None:
309 raise Exception("EAP failure not reported")
310 dev[0].request("DISCONNECT")
311
312 dev[0].select_network(id, freq="2412")
313 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
314 if ev is None:
315 raise Exception("Wait for external SIM processing request timed out")
316 p = ev.split(':', 2)
317 if p[1] != "GSM-AUTH":
318 raise Exception("Unexpected CTRL-REQ-SIM type")
319 rid = p[0].split('-')[3]
320 # This will fail during GSM auth validation
321 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677"):
322 raise Exception("CTRL-RSP-SIM failed")
323 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
324 if ev is None:
325 raise Exception("EAP failure not reported")
326 dev[0].request("DISCONNECT")
327
328 dev[0].select_network(id, freq="2412")
329 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
330 if ev is None:
331 raise Exception("Wait for external SIM processing request timed out")
332 p = ev.split(':', 2)
333 if p[1] != "GSM-AUTH":
334 raise Exception("Unexpected CTRL-REQ-SIM type")
335 rid = p[0].split('-')[3]
336 # This will fail during GSM auth validation
337 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:q"):
338 raise Exception("CTRL-RSP-SIM failed")
339 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
340 if ev is None:
341 raise Exception("EAP failure not reported")
342 dev[0].request("DISCONNECT")
343
344 dev[0].select_network(id, freq="2412")
345 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
346 if ev is None:
347 raise Exception("Wait for external SIM processing request timed out")
348 p = ev.split(':', 2)
349 if p[1] != "GSM-AUTH":
350 raise Exception("Unexpected CTRL-REQ-SIM type")
351 rid = p[0].split('-')[3]
352 # This will fail during GSM auth validation
353 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233"):
354 raise Exception("CTRL-RSP-SIM failed")
355 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
356 if ev is None:
357 raise Exception("EAP failure not reported")
358 dev[0].request("DISCONNECT")
359
360 dev[0].select_network(id, freq="2412")
361 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
362 if ev is None:
363 raise Exception("Wait for external SIM processing request timed out")
364 p = ev.split(':', 2)
365 if p[1] != "GSM-AUTH":
366 raise Exception("Unexpected CTRL-REQ-SIM type")
367 rid = p[0].split('-')[3]
368 # This will fail during GSM auth validation
369 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:0011223344556677:00112233:q"):
370 raise Exception("CTRL-RSP-SIM failed")
371 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
372 if ev is None:
373 raise Exception("EAP failure not reported")
374
375 def test_ap_wpa2_eap_aka(dev, apdev):
376 """WPA2-Enterprise connection using EAP-AKA"""
377 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
378 logger.info("No hlr_auc_gw available");
379 return "skip"
380 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
381 hostapd.add_ap(apdev[0]['ifname'], params)
382 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
383 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
384 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
385 eap_reauth(dev[0], "AKA")
386
387 logger.info("Negative test with incorrect key")
388 dev[0].request("REMOVE_NETWORK all")
389 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
390 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
391 expect_failure=True)
392
393 logger.info("Invalid Milenage key")
394 dev[0].request("REMOVE_NETWORK all")
395 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
396 password="ffdca4eda45b53cf0f12d7c9c3bc6a",
397 expect_failure=True)
398
399 logger.info("Invalid Milenage key(2)")
400 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
401 password="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
402 expect_failure=True)
403
404 logger.info("Invalid Milenage key(3)")
405 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
406 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
407 expect_failure=True)
408
409 logger.info("Invalid Milenage key(4)")
410 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
411 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
412 expect_failure=True)
413
414 logger.info("Invalid Milenage key(5)")
415 dev[0].request("REMOVE_NETWORK all")
416 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
417 password="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
418 expect_failure=True)
419
420 logger.info("Invalid Milenage key(6)")
421 dev[0].request("REMOVE_NETWORK all")
422 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
423 password="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
424 expect_failure=True)
425
426 logger.info("Missing key configuration")
427 dev[0].request("REMOVE_NETWORK all")
428 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
429 expect_failure=True)
430
431 def test_ap_wpa2_eap_aka_sql(dev, apdev, params):
432 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
433 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
434 logger.info("No hlr_auc_gw available");
435 return "skip"
436 try:
437 import sqlite3
438 except ImportError:
439 return "skip"
440 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
441 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
442 params['auth_server_port'] = "1814"
443 hostapd.add_ap(apdev[0]['ifname'], params)
444 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
445 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
446
447 logger.info("AKA fast re-authentication")
448 eap_reauth(dev[0], "AKA")
449
450 logger.info("AKA full auth with pseudonym")
451 with con:
452 cur = con.cursor()
453 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
454 eap_reauth(dev[0], "AKA")
455
456 logger.info("AKA full auth with permanent identity")
457 with con:
458 cur = con.cursor()
459 cur.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
460 cur.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
461 eap_reauth(dev[0], "AKA")
462
463 logger.info("AKA reauth with mismatching MK")
464 with con:
465 cur = con.cursor()
466 cur.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
467 eap_reauth(dev[0], "AKA", expect_failure=True)
468 dev[0].request("REMOVE_NETWORK all")
469
470 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
471 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
472 with con:
473 cur = con.cursor()
474 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
475 eap_reauth(dev[0], "AKA")
476 with con:
477 cur = con.cursor()
478 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
479 logger.info("AKA reauth with mismatching counter")
480 eap_reauth(dev[0], "AKA")
481 dev[0].request("REMOVE_NETWORK all")
482
483 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
484 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
485 with con:
486 cur = con.cursor()
487 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
488 logger.info("AKA reauth with max reauth count reached")
489 eap_reauth(dev[0], "AKA")
490
491 def test_ap_wpa2_eap_aka_config(dev, apdev):
492 """EAP-AKA configuration options"""
493 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
494 hostapd.add_ap(apdev[0]['ifname'], params)
495 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
496 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
497 anonymous_identity="2345678")
498
499 def test_ap_wpa2_eap_aka_ext(dev, apdev):
500 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
501 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
502 logger.info("No hlr_auc_gw available");
503 return "skip"
504 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
505 hostapd.add_ap(apdev[0]['ifname'], params)
506 dev[0].request("SET external_sim 1")
507 id = dev[0].connect("test-wpa2-eap", eap="AKA", key_mgmt="WPA-EAP",
508 identity="0232010000000000",
509 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
510 wait_connect=False, scan_freq="2412")
511 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15)
512 if ev is None:
513 raise Exception("Network connected timed out")
514
515 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
516 if ev is None:
517 raise Exception("Wait for external SIM processing request timed out")
518 p = ev.split(':', 2)
519 if p[1] != "UMTS-AUTH":
520 raise Exception("Unexpected CTRL-REQ-SIM type")
521 rid = p[0].split('-')[3]
522
523 # IK:CK:RES
524 resp = "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
525 # This will fail during processing, but the ctrl_iface command succeeds
526 dev[0].request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
527 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
528 if ev is None:
529 raise Exception("EAP failure not reported")
530 dev[0].request("DISCONNECT")
531
532 dev[0].request("REASSOCIATE")
533 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
534 if ev is None:
535 raise Exception("Wait for external SIM processing request timed out")
536 p = ev.split(':', 2)
537 if p[1] != "UMTS-AUTH":
538 raise Exception("Unexpected CTRL-REQ-SIM type")
539 rid = p[0].split('-')[3]
540 # This will fail during UMTS auth validation
541 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:" + resp):
542 raise Exception("CTRL-RSP-SIM failed")
543 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
544 if ev is None:
545 raise Exception("EAP failure not reported")
546 dev[0].request("DISCONNECT")
547
548 dev[0].select_network(id, freq="2412")
549 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
550 if ev is None:
551 raise Exception("Wait for external SIM processing request timed out")
552 p = ev.split(':', 2)
553 if p[1] != "UMTS-AUTH":
554 raise Exception("Unexpected CTRL-REQ-SIM type")
555 rid = p[0].split('-')[3]
556 # This will fail during UMTS auth validation
557 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:112233445566778899aabbccddee"):
558 raise Exception("CTRL-RSP-SIM failed")
559 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
560 if ev is None:
561 raise Exception("Wait for external SIM processing request timed out")
562 p = ev.split(':', 2)
563 if p[1] != "UMTS-AUTH":
564 raise Exception("Unexpected CTRL-REQ-SIM type")
565 rid = p[0].split('-')[3]
566 # This will fail during UMTS auth validation
567 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTS:12"):
568 raise Exception("CTRL-RSP-SIM failed")
569 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
570 if ev is None:
571 raise Exception("EAP failure not reported")
572 dev[0].request("DISCONNECT")
573
574 dev[0].select_network(id, freq="2412")
575 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
576 if ev is None:
577 raise Exception("Wait for external SIM processing request timed out")
578 p = ev.split(':', 2)
579 if p[1] != "UMTS-AUTH":
580 raise Exception("Unexpected CTRL-REQ-SIM type")
581 rid = p[0].split('-')[3]
582 # This will fail during UMTS auth validation
583 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:34"):
584 raise Exception("CTRL-RSP-SIM failed")
585 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
586 if ev is None:
587 raise Exception("EAP failure not reported")
588 dev[0].request("DISCONNECT")
589
590 dev[0].select_network(id, freq="2412")
591 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
592 if ev is None:
593 raise Exception("Wait for external SIM processing request timed out")
594 p = ev.split(':', 2)
595 if p[1] != "UMTS-AUTH":
596 raise Exception("Unexpected CTRL-REQ-SIM type")
597 rid = p[0].split('-')[3]
598 # This will fail during UMTS auth validation
599 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344"):
600 raise Exception("CTRL-RSP-SIM failed")
601 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
602 if ev is None:
603 raise Exception("EAP failure not reported")
604 dev[0].request("DISCONNECT")
605
606 dev[0].select_network(id, freq="2412")
607 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
608 if ev is None:
609 raise Exception("Wait for external SIM processing request timed out")
610 p = ev.split(':', 2)
611 if p[1] != "UMTS-AUTH":
612 raise Exception("Unexpected CTRL-REQ-SIM type")
613 rid = p[0].split('-')[3]
614 # This will fail during UMTS auth validation
615 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344"):
616 raise Exception("CTRL-RSP-SIM failed")
617 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
618 if ev is None:
619 raise Exception("EAP failure not reported")
620 dev[0].request("DISCONNECT")
621
622 dev[0].select_network(id, freq="2412")
623 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
624 if ev is None:
625 raise Exception("Wait for external SIM processing request timed out")
626 p = ev.split(':', 2)
627 if p[1] != "UMTS-AUTH":
628 raise Exception("Unexpected CTRL-REQ-SIM type")
629 rid = p[0].split('-')[3]
630 # This will fail during UMTS auth validation
631 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344"):
632 raise Exception("CTRL-RSP-SIM failed")
633 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
634 if ev is None:
635 raise Exception("EAP failure not reported")
636 dev[0].request("DISCONNECT")
637
638 dev[0].select_network(id, freq="2412")
639 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
640 if ev is None:
641 raise Exception("Wait for external SIM processing request timed out")
642 p = ev.split(':', 2)
643 if p[1] != "UMTS-AUTH":
644 raise Exception("Unexpected CTRL-REQ-SIM type")
645 rid = p[0].split('-')[3]
646 # This will fail during UMTS auth validation
647 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344"):
648 raise Exception("CTRL-RSP-SIM failed")
649 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
650 if ev is None:
651 raise Exception("EAP failure not reported")
652 dev[0].request("DISCONNECT")
653
654 dev[0].select_network(id, freq="2412")
655 ev = dev[0].wait_event(["CTRL-REQ-SIM"], timeout=15)
656 if ev is None:
657 raise Exception("Wait for external SIM processing request timed out")
658 p = ev.split(':', 2)
659 if p[1] != "UMTS-AUTH":
660 raise Exception("Unexpected CTRL-REQ-SIM type")
661 rid = p[0].split('-')[3]
662 # This will fail during UMTS auth validation
663 if "OK" not in dev[0].request("CTRL-RSP-SIM-" + rid + ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q"):
664 raise Exception("CTRL-RSP-SIM failed")
665 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
666 if ev is None:
667 raise Exception("EAP failure not reported")
668
669 def test_ap_wpa2_eap_aka_prime(dev, apdev):
670 """WPA2-Enterprise connection using EAP-AKA'"""
671 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
672 logger.info("No hlr_auc_gw available");
673 return "skip"
674 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
675 hostapd.add_ap(apdev[0]['ifname'], params)
676 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
677 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
678 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
679 eap_reauth(dev[0], "AKA'")
680
681 logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
682 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
683 identity="6555444333222111@both",
684 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
685 wait_connect=False, scan_freq="2412")
686 ev = dev[1].wait_event(["CTRL-EVENT-CONNECTED"], timeout=15)
687 if ev is None:
688 raise Exception("Connection with the AP timed out")
689
690 logger.info("Negative test with incorrect key")
691 dev[0].request("REMOVE_NETWORK all")
692 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
693 password="ff22250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
694 expect_failure=True)
695
696 def test_ap_wpa2_eap_aka_prime_sql(dev, apdev, params):
697 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
698 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
699 logger.info("No hlr_auc_gw available");
700 return "skip"
701 try:
702 import sqlite3
703 except ImportError:
704 return "skip"
705 con = sqlite3.connect(os.path.join(params['logdir'], "hostapd.db"))
706 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
707 params['auth_server_port'] = "1814"
708 hostapd.add_ap(apdev[0]['ifname'], params)
709 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
710 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
711
712 logger.info("AKA' fast re-authentication")
713 eap_reauth(dev[0], "AKA'")
714
715 logger.info("AKA' full auth with pseudonym")
716 with con:
717 cur = con.cursor()
718 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
719 eap_reauth(dev[0], "AKA'")
720
721 logger.info("AKA' full auth with permanent identity")
722 with con:
723 cur = con.cursor()
724 cur.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
725 cur.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
726 eap_reauth(dev[0], "AKA'")
727
728 logger.info("AKA' reauth with mismatching k_aut")
729 with con:
730 cur = con.cursor()
731 cur.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
732 eap_reauth(dev[0], "AKA'", expect_failure=True)
733 dev[0].request("REMOVE_NETWORK all")
734
735 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
736 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
737 with con:
738 cur = con.cursor()
739 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
740 eap_reauth(dev[0], "AKA'")
741 with con:
742 cur = con.cursor()
743 cur.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
744 logger.info("AKA' reauth with mismatching counter")
745 eap_reauth(dev[0], "AKA'")
746 dev[0].request("REMOVE_NETWORK all")
747
748 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
749 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
750 with con:
751 cur = con.cursor()
752 cur.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
753 logger.info("AKA' reauth with max reauth count reached")
754 eap_reauth(dev[0], "AKA'")
755
756 def test_ap_wpa2_eap_ttls_pap(dev, apdev):
757 """WPA2-Enterprise connection using EAP-TTLS/PAP"""
758 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
759 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
760 key_mgmt = hapd.get_config()['key_mgmt']
761 if key_mgmt.split(' ')[0] != "WPA-EAP":
762 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)
763 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
764 anonymous_identity="ttls", password="password",
765 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
766 subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
767 altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/")
768 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
769 eap_reauth(dev[0], "TTLS")
770 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
771 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1") ])
772
773 def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
774 """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
775 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
776 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
777 eap_connect(dev[0], apdev[0], "TTLS", "pap user",
778 anonymous_identity="ttls", password="wrong",
779 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
780 expect_failure=True)
781 eap_connect(dev[1], apdev[0], "TTLS", "user",
782 anonymous_identity="ttls", password="password",
783 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
784 expect_failure=True)
785
786 def test_ap_wpa2_eap_ttls_chap(dev, apdev):
787 """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
788 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
789 hostapd.add_ap(apdev[0]['ifname'], params)
790 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
791 anonymous_identity="ttls", password="password",
792 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
793 altsubject_match="EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi")
794 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
795 eap_reauth(dev[0], "TTLS")
796
797 def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
798 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
799 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
800 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
801 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
802 anonymous_identity="ttls", password="wrong",
803 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
804 expect_failure=True)
805 eap_connect(dev[1], apdev[0], "TTLS", "user",
806 anonymous_identity="ttls", password="password",
807 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP",
808 expect_failure=True)
809
810 def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
811 """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
812 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
813 hostapd.add_ap(apdev[0]['ifname'], params)
814 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
815 anonymous_identity="ttls", password="password",
816 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
817 domain_suffix_match="server.w1.fi")
818 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
819 eap_reauth(dev[0], "TTLS")
820 dev[0].request("REMOVE_NETWORK all")
821 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
822 anonymous_identity="ttls", password="password",
823 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
824 fragment_size="200")
825
826 def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
827 """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
828 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
829 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
830 eap_connect(dev[0], apdev[0], "TTLS", "mschap user",
831 anonymous_identity="ttls", password="wrong",
832 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
833 expect_failure=True)
834 eap_connect(dev[1], apdev[0], "TTLS", "user",
835 anonymous_identity="ttls", password="password",
836 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
837 expect_failure=True)
838 eap_connect(dev[2], apdev[0], "TTLS", "no such user",
839 anonymous_identity="ttls", password="password",
840 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
841 expect_failure=True)
842
843 def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
844 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
845 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
846 hostapd.add_ap(apdev[0]['ifname'], params)
847 hapd = hostapd.Hostapd(apdev[0]['ifname'])
848 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
849 anonymous_identity="ttls", password="password",
850 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
851 domain_suffix_match="w1.fi")
852 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
853 sta1 = hapd.get_sta(dev[0].p2p_interface_addr())
854 eapol1 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
855 eap_reauth(dev[0], "TTLS")
856 sta2 = hapd.get_sta(dev[0].p2p_interface_addr())
857 eapol2 = hapd.get_sta(dev[0].p2p_interface_addr(), info="eapol")
858 if int(sta2['dot1xAuthEapolFramesRx']) <= int(sta1['dot1xAuthEapolFramesRx']):
859 raise Exception("dot1xAuthEapolFramesRx did not increase")
860 if int(eapol2['authAuthEapStartsWhileAuthenticated']) < 1:
861 raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
862 if int(eapol2['backendAuthSuccesses']) <= int(eapol1['backendAuthSuccesses']):
863 raise Exception("backendAuthSuccesses did not increase")
864
865 logger.info("Password as hash value")
866 dev[0].request("REMOVE_NETWORK all")
867 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
868 anonymous_identity="ttls",
869 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
870 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
871
872 def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
873 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
874 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
875 hapd = hostapd.add_ap(apdev[0]['ifname'], params)
876 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
877 anonymous_identity="ttls", password="password1",
878 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
879 expect_failure=True)
880 eap_connect(dev[1], apdev[0], "TTLS", "user",
881 anonymous_identity="ttls", password="password",
882 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
883 expect_failure=True)
884
885 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev, apdev):
886 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
887 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
888 hostapd.add_ap(apdev[0]['ifname'], params)
889 hapd = hostapd.Hostapd(apdev[0]['ifname'])
890 eap_connect(dev[0], apdev[0], "TTLS", "utf8-user-hash",
891 anonymous_identity="ttls", password="secret-åäö-€-password",
892 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
893 eap_connect(dev[1], apdev[0], "TTLS", "utf8-user",
894 anonymous_identity="ttls",
895 password_hex="hash:bd5844fad2489992da7fe8c5a01559cf",
896 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
897
898 def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
899 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
900 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
901 hostapd.add_ap(apdev[0]['ifname'], params)
902 eap_connect(dev[0], apdev[0], "TTLS", "user",
903 anonymous_identity="ttls", password="password",
904 ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
905 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
906 eap_reauth(dev[0], "TTLS")
907
908 def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
909 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
910 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
911 hostapd.add_ap(apdev[0]['ifname'], params)
912 eap_connect(dev[0], apdev[0], "TTLS", "user",
913 anonymous_identity="ttls", password="password",
914 ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
915 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
916 eap_reauth(dev[0], "TTLS")
917
918 def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
919 """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
920 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
921 hostapd.add_ap(apdev[0]['ifname'], params)
922 eap_connect(dev[0], apdev[0], "TTLS", "user",
923 anonymous_identity="ttls", password="password",
924 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2")
925 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
926 eap_reauth(dev[0], "TTLS")
927
928 logger.info("Negative test with incorrect password")
929 dev[0].request("REMOVE_NETWORK all")
930 eap_connect(dev[0], apdev[0], "TTLS", "user",
931 anonymous_identity="ttls", password="password1",
932 ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
933 expect_failure=True)
934
935 def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
936 """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
937 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
938 hostapd.add_ap(apdev[0]['ifname'], params)
939 eap_connect(dev[0], apdev[0], "TTLS", "0232010000000000",
940 anonymous_identity="0232010000000000@ttls",
941 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
942 ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
943
944 def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
945 """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
946 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
947 hostapd.add_ap(apdev[0]['ifname'], params)
948 eap_connect(dev[0], apdev[0], "PEAP", "0232010000000000",
949 anonymous_identity="0232010000000000@peap",
950 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
951 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
952
953 def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
954 """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
955 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
956 hostapd.add_ap(apdev[0]['ifname'], params)
957 eap_connect(dev[0], apdev[0], "FAST", "0232010000000000",
958 anonymous_identity="0232010000000000@fast",
959 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
960 phase1="fast_provisioning=2",
961 pac_file="blob://fast_pac_auth_aka",
962 ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
963
964 def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
965 """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
966 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
967 hostapd.add_ap(apdev[0]['ifname'], params)
968 eap_connect(dev[0], apdev[0], "PEAP", "user",
969 anonymous_identity="peap", password="password",
970 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
971 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
972 eap_reauth(dev[0], "PEAP")
973 dev[0].request("REMOVE_NETWORK all")
974 eap_connect(dev[0], apdev[0], "PEAP", "user",
975 anonymous_identity="peap", password="password",
976 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
977 fragment_size="200")
978
979 logger.info("Password as hash value")
980 dev[0].request("REMOVE_NETWORK all")
981 eap_connect(dev[0], apdev[0], "PEAP", "user",
982 anonymous_identity="peap",
983 password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
984 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
985
986 logger.info("Negative test with incorrect password")
987 dev[0].request("REMOVE_NETWORK all")
988 eap_connect(dev[0], apdev[0], "PEAP", "user",
989 anonymous_identity="peap", password="password1",
990 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
991 expect_failure=True)
992
993 def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
994 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding"""
995 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
996 hostapd.add_ap(apdev[0]['ifname'], params)
997 eap_connect(dev[0], apdev[0], "PEAP", "user", password="password",
998 ca_cert="auth_serv/ca.pem",
999 phase1="peapver=0 crypto_binding=2",
1000 phase2="auth=MSCHAPV2")
1001 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1002 eap_reauth(dev[0], "PEAP")
1003
1004 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1005 ca_cert="auth_serv/ca.pem",
1006 phase1="peapver=0 crypto_binding=1",
1007 phase2="auth=MSCHAPV2")
1008 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1009 ca_cert="auth_serv/ca.pem",
1010 phase1="peapver=0 crypto_binding=0",
1011 phase2="auth=MSCHAPV2")
1012
1013 def test_ap_wpa2_eap_peap_params(dev, apdev):
1014 """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters"""
1015 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1016 hostapd.add_ap(apdev[0]['ifname'], params)
1017 eap_connect(dev[0], apdev[0], "PEAP", "user",
1018 anonymous_identity="peap", password="password",
1019 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1020 phase1="peapver=0 peaplabel=1",
1021 expect_failure=True)
1022 dev[0].request("REMOVE_NETWORK all")
1023 eap_connect(dev[1], apdev[0], "PEAP", "user", password="password",
1024 ca_cert="auth_serv/ca.pem",
1025 phase1="peap_outer_success=1",
1026 phase2="auth=MSCHAPV2")
1027 eap_connect(dev[2], apdev[0], "PEAP", "user", password="password",
1028 ca_cert="auth_serv/ca.pem",
1029 phase1="peap_outer_success=2",
1030 phase2="auth=MSCHAPV2")
1031 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
1032 identity="user",
1033 anonymous_identity="peap", password="password",
1034 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1035 phase1="peapver=1 peaplabel=1",
1036 wait_connect=False, scan_freq="2412")
1037 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
1038 if ev is None:
1039 raise Exception("No EAP success seen")
1040 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1)
1041 if ev is not None:
1042 raise Exception("Unexpected connection")
1043
1044 def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
1045 """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
1046 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1047 hostapd.add_ap(apdev[0]['ifname'], params)
1048 eap_connect(dev[0], apdev[0], "PEAP", "cert user",
1049 ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
1050 ca_cert2="auth_serv/ca.pem",
1051 client_cert2="auth_serv/user.pem",
1052 private_key2="auth_serv/user.key")
1053 eap_reauth(dev[0], "PEAP")
1054
1055 def test_ap_wpa2_eap_tls(dev, apdev):
1056 """WPA2-Enterprise connection using EAP-TLS"""
1057 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1058 hostapd.add_ap(apdev[0]['ifname'], params)
1059 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1060 client_cert="auth_serv/user.pem",
1061 private_key="auth_serv/user.key")
1062 eap_reauth(dev[0], "TLS")
1063
1064 def test_ap_wpa2_eap_tls_blob(dev, apdev):
1065 """WPA2-Enterprise connection using EAP-TLS and config blobs"""
1066 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1067 hostapd.add_ap(apdev[0]['ifname'], params)
1068 cert = read_pem("auth_serv/ca.pem")
1069 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1070 raise Exception("Could not set cacert blob")
1071 cert = read_pem("auth_serv/user.pem")
1072 if "OK" not in dev[0].request("SET blob usercert " + cert.encode("hex")):
1073 raise Exception("Could not set usercert blob")
1074 key = read_pem("auth_serv/user.key")
1075 if "OK" not in dev[0].request("SET blob userkey " + key.encode("hex")):
1076 raise Exception("Could not set cacert blob")
1077 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1078 client_cert="blob://usercert",
1079 private_key="blob://userkey")
1080
1081 def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
1082 """WPA2-Enterprise connection using EAP-TLS and PKCS#12"""
1083 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1084 hostapd.add_ap(apdev[0]['ifname'], params)
1085 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1086 private_key="auth_serv/user.pkcs12",
1087 private_key_passwd="whatever")
1088 dev[0].request("REMOVE_NETWORK all")
1089 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1090 identity="tls user",
1091 ca_cert="auth_serv/ca.pem",
1092 private_key="auth_serv/user.pkcs12",
1093 wait_connect=False, scan_freq="2412")
1094 ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
1095 if ev is None:
1096 raise Exception("Request for private key passphrase timed out")
1097 id = ev.split(':')[0].split('-')[-1]
1098 dev[0].request("CTRL-RSP-PASSPHRASE-" + id + ":whatever")
1099 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1100 if ev is None:
1101 raise Exception("Connection timed out")
1102
1103 def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
1104 """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
1105 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1106 hostapd.add_ap(apdev[0]['ifname'], params)
1107 cert = read_pem("auth_serv/ca.pem")
1108 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1109 raise Exception("Could not set cacert blob")
1110 with open("auth_serv/user.pkcs12", "rb") as f:
1111 if "OK" not in dev[0].request("SET blob pkcs12 " + f.read().encode("hex")):
1112 raise Exception("Could not set pkcs12 blob")
1113 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="blob://cacert",
1114 private_key="blob://pkcs12",
1115 private_key_passwd="whatever")
1116
1117 def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
1118 """WPA2-Enterprise negative test - incorrect trust root"""
1119 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1120 hostapd.add_ap(apdev[0]['ifname'], params)
1121 cert = read_pem("auth_serv/ca-incorrect.pem")
1122 if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
1123 raise Exception("Could not set cacert blob")
1124 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1125 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1126 password="password", phase2="auth=MSCHAPV2",
1127 ca_cert="blob://cacert",
1128 wait_connect=False, scan_freq="2412")
1129 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1130 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1131 password="password", phase2="auth=MSCHAPV2",
1132 ca_cert="auth_serv/ca-incorrect.pem",
1133 wait_connect=False, scan_freq="2412")
1134
1135 for dev in (dev[0], dev[1]):
1136 ev = dev.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1137 if ev is None:
1138 raise Exception("Association and EAP start timed out")
1139
1140 ev = dev.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1141 if ev is None:
1142 raise Exception("EAP method selection timed out")
1143 if "TTLS" not in ev:
1144 raise Exception("Unexpected EAP method")
1145
1146 ev = dev.wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1147 "CTRL-EVENT-EAP-SUCCESS",
1148 "CTRL-EVENT-EAP-FAILURE",
1149 "CTRL-EVENT-CONNECTED",
1150 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1151 if ev is None:
1152 raise Exception("EAP result timed out")
1153 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1154 raise Exception("TLS certificate error not reported")
1155
1156 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS",
1157 "CTRL-EVENT-EAP-FAILURE",
1158 "CTRL-EVENT-CONNECTED",
1159 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1160 if ev is None:
1161 raise Exception("EAP result(2) timed out")
1162 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1163 raise Exception("EAP failure not reported")
1164
1165 ev = dev.wait_event(["CTRL-EVENT-CONNECTED",
1166 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1167 if ev is None:
1168 raise Exception("EAP result(3) timed out")
1169 if "CTRL-EVENT-DISCONNECTED" not in ev:
1170 raise Exception("Disconnection not reported")
1171
1172 ev = dev.wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1173 if ev is None:
1174 raise Exception("Network block disabling not reported")
1175
1176 def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
1177 """WPA2-Enterprise negative test - domain suffix mismatch"""
1178 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1179 hostapd.add_ap(apdev[0]['ifname'], params)
1180 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1181 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1182 password="password", phase2="auth=MSCHAPV2",
1183 ca_cert="auth_serv/ca.pem",
1184 domain_suffix_match="incorrect.example.com",
1185 wait_connect=False, scan_freq="2412")
1186
1187 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1188 if ev is None:
1189 raise Exception("Association and EAP start timed out")
1190
1191 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1192 if ev is None:
1193 raise Exception("EAP method selection timed out")
1194 if "TTLS" not in ev:
1195 raise Exception("Unexpected EAP method")
1196
1197 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1198 "CTRL-EVENT-EAP-SUCCESS",
1199 "CTRL-EVENT-EAP-FAILURE",
1200 "CTRL-EVENT-CONNECTED",
1201 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1202 if ev is None:
1203 raise Exception("EAP result timed out")
1204 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1205 raise Exception("TLS certificate error not reported")
1206 if "Domain suffix mismatch" not in ev:
1207 raise Exception("Domain suffix mismatch not reported")
1208
1209 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1210 "CTRL-EVENT-EAP-FAILURE",
1211 "CTRL-EVENT-CONNECTED",
1212 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1213 if ev is None:
1214 raise Exception("EAP result(2) timed out")
1215 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1216 raise Exception("EAP failure not reported")
1217
1218 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1219 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1220 if ev is None:
1221 raise Exception("EAP result(3) timed out")
1222 if "CTRL-EVENT-DISCONNECTED" not in ev:
1223 raise Exception("Disconnection not reported")
1224
1225 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1226 if ev is None:
1227 raise Exception("Network block disabling not reported")
1228
1229 def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
1230 """WPA2-Enterprise negative test - subject mismatch"""
1231 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1232 hostapd.add_ap(apdev[0]['ifname'], params)
1233 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1234 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1235 password="password", phase2="auth=MSCHAPV2",
1236 ca_cert="auth_serv/ca.pem",
1237 subject_match="/C=FI/O=w1.fi/CN=example.com",
1238 wait_connect=False, scan_freq="2412")
1239
1240 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1241 if ev is None:
1242 raise Exception("Association and EAP start timed out")
1243
1244 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1245 if ev is None:
1246 raise Exception("EAP method selection timed out")
1247 if "TTLS" not in ev:
1248 raise Exception("Unexpected EAP method")
1249
1250 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1251 "CTRL-EVENT-EAP-SUCCESS",
1252 "CTRL-EVENT-EAP-FAILURE",
1253 "CTRL-EVENT-CONNECTED",
1254 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1255 if ev is None:
1256 raise Exception("EAP result timed out")
1257 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1258 raise Exception("TLS certificate error not reported")
1259 if "Subject mismatch" not in ev:
1260 raise Exception("Subject mismatch not reported")
1261
1262 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1263 "CTRL-EVENT-EAP-FAILURE",
1264 "CTRL-EVENT-CONNECTED",
1265 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1266 if ev is None:
1267 raise Exception("EAP result(2) timed out")
1268 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1269 raise Exception("EAP failure not reported")
1270
1271 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1272 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1273 if ev is None:
1274 raise Exception("EAP result(3) timed out")
1275 if "CTRL-EVENT-DISCONNECTED" not in ev:
1276 raise Exception("Disconnection not reported")
1277
1278 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1279 if ev is None:
1280 raise Exception("Network block disabling not reported")
1281
1282 def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
1283 """WPA2-Enterprise negative test - altsubject mismatch"""
1284 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1285 hostapd.add_ap(apdev[0]['ifname'], params)
1286 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1287 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1288 password="password", phase2="auth=MSCHAPV2",
1289 ca_cert="auth_serv/ca.pem",
1290 altsubject_match="incorrect.example.com",
1291 wait_connect=False, scan_freq="2412")
1292
1293 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1294 if ev is None:
1295 raise Exception("Association and EAP start timed out")
1296
1297 ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
1298 if ev is None:
1299 raise Exception("EAP method selection timed out")
1300 if "TTLS" not in ev:
1301 raise Exception("Unexpected EAP method")
1302
1303 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
1304 "CTRL-EVENT-EAP-SUCCESS",
1305 "CTRL-EVENT-EAP-FAILURE",
1306 "CTRL-EVENT-CONNECTED",
1307 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1308 if ev is None:
1309 raise Exception("EAP result timed out")
1310 if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
1311 raise Exception("TLS certificate error not reported")
1312 if "AltSubject mismatch" not in ev:
1313 raise Exception("altsubject mismatch not reported")
1314
1315 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
1316 "CTRL-EVENT-EAP-FAILURE",
1317 "CTRL-EVENT-CONNECTED",
1318 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1319 if ev is None:
1320 raise Exception("EAP result(2) timed out")
1321 if "CTRL-EVENT-EAP-FAILURE" not in ev:
1322 raise Exception("EAP failure not reported")
1323
1324 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED",
1325 "CTRL-EVENT-DISCONNECTED"], timeout=10)
1326 if ev is None:
1327 raise Exception("EAP result(3) timed out")
1328 if "CTRL-EVENT-DISCONNECTED" not in ev:
1329 raise Exception("Disconnection not reported")
1330
1331 ev = dev[0].wait_event(["CTRL-EVENT-SSID-TEMP-DISABLED"], timeout=10)
1332 if ev is None:
1333 raise Exception("Network block disabling not reported")
1334
1335 def test_ap_wpa2_eap_unauth_tls(dev, apdev):
1336 """WPA2-Enterprise connection using UNAUTH-TLS"""
1337 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1338 hostapd.add_ap(apdev[0]['ifname'], params)
1339 eap_connect(dev[0], apdev[0], "UNAUTH-TLS", "unauth-tls",
1340 ca_cert="auth_serv/ca.pem")
1341 eap_reauth(dev[0], "UNAUTH-TLS")
1342
1343 def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
1344 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
1345 srv_cert_hash = "0a3f81f63569226657a069855bb13f3b922670437a2b87585a4734f70ac7315b"
1346 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1347 hostapd.add_ap(apdev[0]['ifname'], params)
1348 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1349 identity="probe", ca_cert="probe://",
1350 wait_connect=False, scan_freq="2412")
1351 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1352 if ev is None:
1353 raise Exception("Association and EAP start timed out")
1354 ev = dev[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT depth=0"], timeout=10)
1355 if ev is None:
1356 raise Exception("No peer server certificate event seen")
1357 if "hash=" + srv_cert_hash not in ev:
1358 raise Exception("Expected server certificate hash not reported")
1359 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1360 if ev is None:
1361 raise Exception("EAP result timed out")
1362 if "Server certificate chain probe" not in ev:
1363 raise Exception("Server certificate probe not reported")
1364 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
1365 if ev is None:
1366 raise Exception("Disconnection event not seen")
1367 dev[0].request("REMOVE_NETWORK all")
1368
1369 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1370 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1371 password="password", phase2="auth=MSCHAPV2",
1372 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1373 wait_connect=False, scan_freq="2412")
1374 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1375 if ev is None:
1376 raise Exception("Association and EAP start timed out")
1377 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], timeout=10)
1378 if ev is None:
1379 raise Exception("EAP result timed out")
1380 if "Server certificate mismatch" not in ev:
1381 raise Exception("Server certificate mismatch not reported")
1382 ev = dev[0].wait_event(["CTRL-EVENT-DISCONNECTED"], timeout=10)
1383 if ev is None:
1384 raise Exception("Disconnection event not seen")
1385 dev[0].request("REMOVE_NETWORK all")
1386
1387 eap_connect(dev[0], apdev[0], "TTLS", "DOMAIN\mschapv2 user",
1388 anonymous_identity="ttls", password="password",
1389 ca_cert="hash://server/sha256/" + srv_cert_hash,
1390 phase2="auth=MSCHAPV2")
1391
1392 def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
1393 """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
1394 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1395 hostapd.add_ap(apdev[0]['ifname'], params)
1396 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1397 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1398 password="password", phase2="auth=MSCHAPV2",
1399 ca_cert="hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
1400 wait_connect=False, scan_freq="2412")
1401 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1402 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1403 password="password", phase2="auth=MSCHAPV2",
1404 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
1405 wait_connect=False, scan_freq="2412")
1406 dev[2].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1407 identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
1408 password="password", phase2="auth=MSCHAPV2",
1409 ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
1410 wait_connect=False, scan_freq="2412")
1411 for i in range(0, 3):
1412 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1413 if ev is None:
1414 raise Exception("Association and EAP start timed out")
1415 ev = dev[i].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"], timeout=5)
1416 if ev is None:
1417 raise Exception("Did not report EAP method initialization failure")
1418
1419 def test_ap_wpa2_eap_pwd(dev, apdev):
1420 """WPA2-Enterprise connection using EAP-pwd"""
1421 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1422 hostapd.add_ap(apdev[0]['ifname'], params)
1423 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1424 eap_reauth(dev[0], "PWD")
1425 dev[0].request("REMOVE_NETWORK all")
1426
1427 eap_connect(dev[1], apdev[0], "PWD",
1428 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1429 password="secret password",
1430 fragment_size="90")
1431
1432 logger.info("Negative test with incorrect password")
1433 eap_connect(dev[2], apdev[0], "PWD", "pwd user", password="secret-password",
1434 expect_failure=True, local_error_report=True)
1435
1436 eap_connect(dev[0], apdev[0], "PWD",
1437 "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
1438 password="secret password",
1439 fragment_size="31")
1440
1441 def test_ap_wpa2_eap_pwd_groups(dev, apdev):
1442 """WPA2-Enterprise connection using various EAP-pwd groups"""
1443 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1444 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1445 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1446 for i in [ 19, 20, 21, 25, 26 ]:
1447 params['pwd_group'] = str(i)
1448 hostapd.add_ap(apdev[0]['ifname'], params)
1449 dev[0].request("REMOVE_NETWORK all")
1450 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1451
1452 def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
1453 """WPA2-Enterprise connection using invalid EAP-pwd group"""
1454 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1455 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1456 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
1457 params['pwd_group'] = "0"
1458 hostapd.add_ap(apdev[0]['ifname'], params)
1459 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
1460 identity="pwd user", password="secret password",
1461 scan_freq="2412", wait_connect=False)
1462 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1463 if ev is None:
1464 raise Exception("Timeout on EAP failure report")
1465
1466 def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
1467 """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
1468 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1469 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1470 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1471 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1472 "pwd_group": "19", "fragment_size": "40" }
1473 hostapd.add_ap(apdev[0]['ifname'], params)
1474 eap_connect(dev[0], apdev[0], "PWD", "pwd user", password="secret password")
1475
1476 def test_ap_wpa2_eap_gpsk(dev, apdev):
1477 """WPA2-Enterprise connection using EAP-GPSK"""
1478 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1479 hostapd.add_ap(apdev[0]['ifname'], params)
1480 id = eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1481 password="abcdefghijklmnop0123456789abcdef")
1482 eap_reauth(dev[0], "GPSK")
1483
1484 logger.info("Test forced algorithm selection")
1485 for phase1 in [ "cipher=1", "cipher=2" ]:
1486 dev[0].set_network_quoted(id, "phase1", phase1)
1487 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1488 if ev is None:
1489 raise Exception("EAP success timed out")
1490 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1491 if ev is None:
1492 raise Exception("Association with the AP timed out")
1493
1494 logger.info("Test failed algorithm negotiation")
1495 dev[0].set_network_quoted(id, "phase1", "cipher=9")
1496 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1497 if ev is None:
1498 raise Exception("EAP failure timed out")
1499
1500 logger.info("Negative test with incorrect password")
1501 dev[0].request("REMOVE_NETWORK all")
1502 eap_connect(dev[0], apdev[0], "GPSK", "gpsk user",
1503 password="ffcdefghijklmnop0123456789abcdef",
1504 expect_failure=True)
1505
1506 def test_ap_wpa2_eap_sake(dev, apdev):
1507 """WPA2-Enterprise connection using EAP-SAKE"""
1508 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1509 hostapd.add_ap(apdev[0]['ifname'], params)
1510 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1511 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
1512 eap_reauth(dev[0], "SAKE")
1513
1514 logger.info("Negative test with incorrect password")
1515 dev[0].request("REMOVE_NETWORK all")
1516 eap_connect(dev[0], apdev[0], "SAKE", "sake user",
1517 password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
1518 expect_failure=True)
1519
1520 def test_ap_wpa2_eap_eke(dev, apdev):
1521 """WPA2-Enterprise connection using EAP-EKE"""
1522 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1523 hostapd.add_ap(apdev[0]['ifname'], params)
1524 id = eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello")
1525 eap_reauth(dev[0], "EKE")
1526
1527 logger.info("Test forced algorithm selection")
1528 for phase1 in [ "dhgroup=5 encr=1 prf=2 mac=2",
1529 "dhgroup=4 encr=1 prf=2 mac=2",
1530 "dhgroup=3 encr=1 prf=2 mac=2",
1531 "dhgroup=3 encr=1 prf=1 mac=1" ]:
1532 dev[0].set_network_quoted(id, "phase1", phase1)
1533 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1534 if ev is None:
1535 raise Exception("EAP success timed out")
1536 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1537 if ev is None:
1538 raise Exception("Association with the AP timed out")
1539
1540 logger.info("Test failed algorithm negotiation")
1541 dev[0].set_network_quoted(id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
1542 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
1543 if ev is None:
1544 raise Exception("EAP failure timed out")
1545
1546 logger.info("Negative test with incorrect password")
1547 dev[0].request("REMOVE_NETWORK all")
1548 eap_connect(dev[0], apdev[0], "EKE", "eke user", password="hello1",
1549 expect_failure=True)
1550
1551 def test_ap_wpa2_eap_ikev2(dev, apdev):
1552 """WPA2-Enterprise connection using EAP-IKEv2"""
1553 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1554 hostapd.add_ap(apdev[0]['ifname'], params)
1555 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1556 password="ike password")
1557 eap_reauth(dev[0], "IKEV2")
1558 dev[0].request("REMOVE_NETWORK all")
1559 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1560 password="ike password", fragment_size="50")
1561
1562 logger.info("Negative test with incorrect password")
1563 dev[0].request("REMOVE_NETWORK all")
1564 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1565 password="ike-password", expect_failure=True)
1566
1567 def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
1568 """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
1569 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1570 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1571 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1572 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1573 "fragment_size": "50" }
1574 hostapd.add_ap(apdev[0]['ifname'], params)
1575 eap_connect(dev[0], apdev[0], "IKEV2", "ikev2 user",
1576 password="ike password")
1577 eap_reauth(dev[0], "IKEV2")
1578
1579 def test_ap_wpa2_eap_pax(dev, apdev):
1580 """WPA2-Enterprise connection using EAP-PAX"""
1581 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1582 hostapd.add_ap(apdev[0]['ifname'], params)
1583 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1584 password_hex="0123456789abcdef0123456789abcdef")
1585 eap_reauth(dev[0], "PAX")
1586
1587 logger.info("Negative test with incorrect password")
1588 dev[0].request("REMOVE_NETWORK all")
1589 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1590 password_hex="ff23456789abcdef0123456789abcdef",
1591 expect_failure=True)
1592
1593 def test_ap_wpa2_eap_psk(dev, apdev):
1594 """WPA2-Enterprise connection using EAP-PSK"""
1595 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1596 params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
1597 params["ieee80211w"] = "2"
1598 hostapd.add_ap(apdev[0]['ifname'], params)
1599 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
1600 password_hex="0123456789abcdef0123456789abcdef", sha256=True)
1601 eap_reauth(dev[0], "PSK", sha256=True)
1602 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
1603 ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])
1604
1605 logger.info("Negative test with incorrect password")
1606 dev[0].request("REMOVE_NETWORK all")
1607 eap_connect(dev[0], apdev[0], "PSK", "psk.user@example.com",
1608 password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
1609 expect_failure=True)
1610
1611 def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
1612 """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
1613 params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
1614 hostapd.add_ap(apdev[0]['ifname'], params)
1615 dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
1616 identity="user", password="password", phase2="auth=MSCHAPV2",
1617 ca_cert="auth_serv/ca.pem", wait_connect=False,
1618 scan_freq="2412")
1619 eap_check_auth(dev[0], "PEAP", True, rsn=False)
1620 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1621 eap_reauth(dev[0], "PEAP", rsn=False)
1622 check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
1623 ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
1624
1625 def test_ap_wpa2_eap_interactive(dev, apdev):
1626 """WPA2-Enterprise connection using interactive identity/password entry"""
1627 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1628 hostapd.add_ap(apdev[0]['ifname'], params)
1629 hapd = hostapd.Hostapd(apdev[0]['ifname'])
1630
1631 tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
1632 "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
1633 None, "password"),
1634 ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
1635 "TTLS", "ttls", None, "auth=MSCHAPV2",
1636 "DOMAIN\mschapv2 user", "password"),
1637 ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
1638 "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
1639 ("Connection with dynamic TTLS/EAP-MD5 password entry",
1640 "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
1641 ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
1642 "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
1643 ("Connection with dynamic PEAP/EAP-GTC password entry",
1644 "PEAP", None, "user", "auth=GTC", None, "password") ]
1645 for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
1646 logger.info(desc)
1647 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
1648 anonymous_identity=anon, identity=identity,
1649 ca_cert="auth_serv/ca.pem", phase2=phase2,
1650 wait_connect=False, scan_freq="2412")
1651 if req_id:
1652 ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
1653 if ev is None:
1654 raise Exception("Request for identity timed out")
1655 id = ev.split(':')[0].split('-')[-1]
1656 dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
1657 ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
1658 if ev is None:
1659 raise Exception("Request for password timed out")
1660 id = ev.split(':')[0].split('-')[-1]
1661 type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
1662 dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
1663 ev = dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=10)
1664 if ev is None:
1665 raise Exception("Connection timed out")
1666 dev[0].request("REMOVE_NETWORK all")
1667
1668 def test_ap_wpa2_eap_vendor_test(dev, apdev):
1669 """WPA2-Enterprise connection using EAP vendor test"""
1670 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1671 hostapd.add_ap(apdev[0]['ifname'], params)
1672 eap_connect(dev[0], apdev[0], "VENDOR-TEST", "vendor-test")
1673 eap_reauth(dev[0], "VENDOR-TEST")
1674
1675 def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
1676 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
1677 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1678 hostapd.add_ap(apdev[0]['ifname'], params)
1679 eap_connect(dev[0], apdev[0], "FAST", "user",
1680 anonymous_identity="FAST", password="password",
1681 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1682 phase1="fast_provisioning=1", pac_file="blob://fast_pac")
1683 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1684 eap_reauth(dev[0], "FAST")
1685
1686 def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
1687 """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
1688 pac_file = os.path.join(params['logdir'], "fast.pac")
1689 pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
1690 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1691 hostapd.add_ap(apdev[0]['ifname'], params)
1692
1693 try:
1694 eap_connect(dev[0], apdev[0], "FAST", "user",
1695 anonymous_identity="FAST", password="password",
1696 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1697 phase1="fast_provisioning=1", pac_file=pac_file)
1698 with open(pac_file, "r") as f:
1699 data = f.read()
1700 if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
1701 raise Exception("PAC file header missing")
1702 if "PAC-Key=" not in data:
1703 raise Exception("PAC-Key missing from PAC file")
1704 dev[0].request("REMOVE_NETWORK all")
1705 eap_connect(dev[0], apdev[0], "FAST", "user",
1706 anonymous_identity="FAST", password="password",
1707 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1708 pac_file=pac_file)
1709
1710 eap_connect(dev[1], apdev[0], "FAST", "user",
1711 anonymous_identity="FAST", password="password",
1712 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1713 phase1="fast_provisioning=1 fast_pac_format=binary",
1714 pac_file=pac_file2)
1715 dev[1].request("REMOVE_NETWORK all")
1716 eap_connect(dev[1], apdev[0], "FAST", "user",
1717 anonymous_identity="FAST", password="password",
1718 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1719 phase1="fast_pac_format=binary",
1720 pac_file=pac_file2)
1721 finally:
1722 subprocess.call(['sudo', 'rm', pac_file])
1723 subprocess.call(['sudo', 'rm', pac_file2])
1724
1725 def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
1726 """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
1727 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1728 hostapd.add_ap(apdev[0]['ifname'], params)
1729 eap_connect(dev[0], apdev[0], "FAST", "user",
1730 anonymous_identity="FAST", password="password",
1731 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1732 phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
1733 pac_file="blob://fast_pac_bin")
1734 eap_reauth(dev[0], "FAST")
1735
1736 def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
1737 """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
1738 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1739 hostapd.add_ap(apdev[0]['ifname'], params)
1740
1741 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
1742 identity="user", anonymous_identity="FAST",
1743 password="password",
1744 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1745 pac_file="blob://fast_pac_not_in_use",
1746 wait_connect=False, scan_freq="2412")
1747 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1748 if ev is None:
1749 raise Exception("Timeout on EAP failure report")
1750 dev[0].request("REMOVE_NETWORK all")
1751
1752 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
1753 identity="user", anonymous_identity="FAST",
1754 password="password",
1755 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
1756 wait_connect=False, scan_freq="2412")
1757 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1758 if ev is None:
1759 raise Exception("Timeout on EAP failure report")
1760
1761 def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
1762 """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
1763 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1764 hostapd.add_ap(apdev[0]['ifname'], params)
1765 eap_connect(dev[0], apdev[0], "FAST", "user",
1766 anonymous_identity="FAST", password="password",
1767 ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
1768 phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
1769 hwsim_utils.test_connectivity(dev[0].ifname, apdev[0]['ifname'])
1770 eap_reauth(dev[0], "FAST")
1771
1772 def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
1773 """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
1774 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1775 hostapd.add_ap(apdev[0]['ifname'], params)
1776 eap_connect(dev[0], apdev[0], "TLS", "tls user", ca_cert="auth_serv/ca.pem",
1777 private_key="auth_serv/user.pkcs12",
1778 private_key_passwd="whatever", ocsp=2)
1779
1780 def int_eap_server_params():
1781 params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
1782 "rsn_pairwise": "CCMP", "ieee8021x": "1",
1783 "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
1784 "ca_cert": "auth_serv/ca.pem",
1785 "server_cert": "auth_serv/server.pem",
1786 "private_key": "auth_serv/server.key" }
1787 return params
1788
1789 def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
1790 """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
1791 params = int_eap_server_params()
1792 params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
1793 hostapd.add_ap(apdev[0]['ifname'], params)
1794 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1795 identity="tls user", ca_cert="auth_serv/ca.pem",
1796 private_key="auth_serv/user.pkcs12",
1797 private_key_passwd="whatever", ocsp=2,
1798 wait_connect=False, scan_freq="2412")
1799 count = 0
1800 while True:
1801 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
1802 if ev is None:
1803 raise Exception("Timeout on EAP status")
1804 if 'bad certificate status response' in ev:
1805 break
1806 count = count + 1
1807 if count > 10:
1808 raise Exception("Unexpected number of EAP status messages")
1809
1810 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1811 if ev is None:
1812 raise Exception("Timeout on EAP failure report")
1813
1814 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev, apdev):
1815 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
1816 params = int_eap_server_params()
1817 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
1818 params["private_key"] = "auth_serv/server-no-dnsname.key"
1819 hostapd.add_ap(apdev[0]['ifname'], params)
1820 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1821 identity="tls user", ca_cert="auth_serv/ca.pem",
1822 private_key="auth_serv/user.pkcs12",
1823 private_key_passwd="whatever",
1824 domain_suffix_match="server3.w1.fi",
1825 scan_freq="2412")
1826 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1827 identity="tls user", ca_cert="auth_serv/ca.pem",
1828 private_key="auth_serv/user.pkcs12",
1829 private_key_passwd="whatever",
1830 domain_suffix_match="w1.fi",
1831 scan_freq="2412")
1832
1833 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev, apdev):
1834 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
1835 params = int_eap_server_params()
1836 params["server_cert"] = "auth_serv/server-no-dnsname.pem"
1837 params["private_key"] = "auth_serv/server-no-dnsname.key"
1838 hostapd.add_ap(apdev[0]['ifname'], params)
1839 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1840 identity="tls user", ca_cert="auth_serv/ca.pem",
1841 private_key="auth_serv/user.pkcs12",
1842 private_key_passwd="whatever",
1843 domain_suffix_match="example.com",
1844 wait_connect=False,
1845 scan_freq="2412")
1846 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
1847 identity="tls user", ca_cert="auth_serv/ca.pem",
1848 private_key="auth_serv/user.pkcs12",
1849 private_key_passwd="whatever",
1850 domain_suffix_match="erver3.w1.fi",
1851 wait_connect=False,
1852 scan_freq="2412")
1853 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1854 if ev is None:
1855 raise Exception("Timeout on EAP failure report")
1856 ev = dev[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1857 if ev is None:
1858 raise Exception("Timeout on EAP failure report (2)")
1859
1860 def test_ap_wpa2_eap_ttls_expired_cert(dev, apdev):
1861 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
1862 params = int_eap_server_params()
1863 params["server_cert"] = "auth_serv/server-expired.pem"
1864 params["private_key"] = "auth_serv/server-expired.key"
1865 hostapd.add_ap(apdev[0]['ifname'], params)
1866 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1867 identity="mschap user", password="password",
1868 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1869 wait_connect=False,
1870 scan_freq="2412")
1871 ev = dev[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
1872 if ev is None:
1873 raise Exception("Timeout on EAP certificate error report")
1874 if "reason=4" not in ev or "certificate has expired" not in ev:
1875 raise Exception("Unexpected failure reason: " + ev)
1876 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1877 if ev is None:
1878 raise Exception("Timeout on EAP failure report")
1879
1880 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev, apdev):
1881 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
1882 params = int_eap_server_params()
1883 params["server_cert"] = "auth_serv/server-expired.pem"
1884 params["private_key"] = "auth_serv/server-expired.key"
1885 hostapd.add_ap(apdev[0]['ifname'], params)
1886 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1887 identity="mschap user", password="password",
1888 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1889 phase1="tls_disable_time_checks=1",
1890 scan_freq="2412")
1891
1892 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev, apdev):
1893 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
1894 params = int_eap_server_params()
1895 params["server_cert"] = "auth_serv/server-eku-client.pem"
1896 params["private_key"] = "auth_serv/server-eku-client.key"
1897 hostapd.add_ap(apdev[0]['ifname'], params)
1898 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1899 identity="mschap user", password="password",
1900 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1901 wait_connect=False,
1902 scan_freq="2412")
1903 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
1904 if ev is None:
1905 raise Exception("Timeout on EAP failure report")
1906
1907 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev, apdev):
1908 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
1909 params = int_eap_server_params()
1910 params["server_cert"] = "auth_serv/server-eku-client-server.pem"
1911 params["private_key"] = "auth_serv/server-eku-client-server.key"
1912 hostapd.add_ap(apdev[0]['ifname'], params)
1913 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1914 identity="mschap user", password="password",
1915 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1916 scan_freq="2412")
1917
1918 def test_ap_wpa2_eap_ttls_server_pkcs12(dev, apdev):
1919 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
1920 params = int_eap_server_params()
1921 del params["server_cert"]
1922 params["private_key"] = "auth_serv/server.pkcs12"
1923 hostapd.add_ap(apdev[0]['ifname'], params)
1924 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
1925 identity="mschap user", password="password",
1926 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
1927 scan_freq="2412")
1928
1929 def test_ap_wpa2_eap_ttls_dh_params(dev, apdev):
1930 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
1931 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1932 hostapd.add_ap(apdev[0]['ifname'], params)
1933 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
1934 anonymous_identity="ttls", password="password",
1935 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
1936 dh_file="auth_serv/dh.conf")
1937
1938 def test_ap_wpa2_eap_ttls_dh_params_blob(dev, apdev):
1939 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
1940 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1941 hostapd.add_ap(apdev[0]['ifname'], params)
1942 dh = read_pem("auth_serv/dh.conf")
1943 if "OK" not in dev[0].request("SET blob dhparams " + dh.encode("hex")):
1944 raise Exception("Could not set dhparams blob")
1945 eap_connect(dev[0], apdev[0], "TTLS", "chap user",
1946 anonymous_identity="ttls", password="password",
1947 ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
1948 dh_file="blob://dhparams")
1949
1950 def test_ap_wpa2_eap_reauth(dev, apdev):
1951 """WPA2-Enterprise and Authenticator forcing reauthentication"""
1952 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1953 params['eap_reauth_period'] = '2'
1954 hostapd.add_ap(apdev[0]['ifname'], params)
1955 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1956 password_hex="0123456789abcdef0123456789abcdef")
1957 logger.info("Wait for reauthentication")
1958 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
1959 if ev is None:
1960 raise Exception("Timeout on reauthentication")
1961 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
1962 if ev is None:
1963 raise Exception("Timeout on reauthentication")
1964 for i in range(0, 20):
1965 state = dev[0].get_status_field("wpa_state")
1966 if state == "COMPLETED":
1967 break
1968 time.sleep(0.1)
1969 if state != "COMPLETED":
1970 raise Exception("Reauthentication did not complete")
1971
1972 def test_ap_wpa2_eap_request_identity_message(dev, apdev):
1973 """Optional displayable message in EAP Request-Identity"""
1974 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
1975 params['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
1976 hostapd.add_ap(apdev[0]['ifname'], params)
1977 eap_connect(dev[0], apdev[0], "PAX", "pax.user@example.com",
1978 password_hex="0123456789abcdef0123456789abcdef")
1979
1980 def test_ap_wpa2_eap_sim_aka_result_ind(dev, apdev):
1981 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
1982 if not os.path.exists("/tmp/hlr_auc_gw.sock"):
1983 logger.info("No hlr_auc_gw available");
1984 return "skip"
1985 params = int_eap_server_params()
1986 params['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
1987 params['eap_sim_aka_result_ind'] = "1"
1988 hostapd.add_ap(apdev[0]['ifname'], params)
1989
1990 eap_connect(dev[0], apdev[0], "SIM", "1232010000000000",
1991 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
1992 phase1="result_ind=1")
1993 eap_reauth(dev[0], "SIM")
1994 eap_connect(dev[1], apdev[0], "SIM", "1232010000000000",
1995 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
1996
1997 dev[0].request("REMOVE_NETWORK all")
1998 dev[1].request("REMOVE_NETWORK all")
1999
2000 eap_connect(dev[0], apdev[0], "AKA", "0232010000000000",
2001 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
2002 phase1="result_ind=1")
2003 eap_reauth(dev[0], "AKA")
2004 eap_connect(dev[1], apdev[0], "AKA", "0232010000000000",
2005 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
2006
2007 dev[0].request("REMOVE_NETWORK all")
2008 dev[1].request("REMOVE_NETWORK all")
2009
2010 eap_connect(dev[0], apdev[0], "AKA'", "6555444333222111",
2011 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
2012 phase1="result_ind=1")
2013 eap_reauth(dev[0], "AKA'")
2014 eap_connect(dev[1], apdev[0], "AKA'", "6555444333222111",
2015 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
2016
2017 def test_ap_wpa2_eap_too_many_roundtrips(dev, apdev):
2018 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
2019 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2020 hostapd.add_ap(apdev[0]['ifname'], params)
2021 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2022 eap="TTLS", identity="mschap user",
2023 wait_connect=False, scan_freq="2412", ieee80211w="1",
2024 anonymous_identity="ttls", password="password",
2025 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP",
2026 fragment_size="10")
2027 ev = dev[0].wait_event(["EAP: more than"], timeout=20)
2028 if ev is None:
2029 raise Exception("EAP roundtrip limit not reached")
2030
2031 def test_ap_wpa2_eap_expanded_nak(dev, apdev):
2032 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
2033 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2034 hostapd.add_ap(apdev[0]['ifname'], params)
2035 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
2036 eap="PSK", identity="vendor-test",
2037 password_hex="ff23456789abcdef0123456789abcdef",
2038 wait_connect=False)
2039
2040 found = False
2041 for i in range(0, 5):
2042 ev = dev[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout=10)
2043 if ev is None:
2044 raise Exception("Association and EAP start timed out")
2045 if "refuse proposed method" in ev:
2046 found = True
2047 break
2048 if not found:
2049 raise Exception("Unexpected EAP status: " + ev)
2050
2051 ev = dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
2052 if ev is None:
2053 raise Exception("EAP failure timed out")
2054
2055 def test_ap_wpa2_eap_sql(dev, apdev, params):
2056 """WPA2-Enterprise connection using SQLite for user DB"""
2057 try:
2058 import sqlite3
2059 except ImportError:
2060 return "skip"
2061 dbfile = os.path.join(params['logdir'], "eap-user.db")
2062 try:
2063 os.remove(dbfile)
2064 except:
2065 pass
2066 con = sqlite3.connect(dbfile)
2067 with con:
2068 cur = con.cursor()
2069 cur.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
2070 cur.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
2071 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
2072 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
2073 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
2074 cur.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
2075 cur.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
2076 cur.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
2077
2078 try:
2079 params = int_eap_server_params()
2080 params["eap_user_file"] = "sqlite:" + dbfile
2081 hostapd.add_ap(apdev[0]['ifname'], params)
2082 eap_connect(dev[0], apdev[0], "TTLS", "user-mschapv2",
2083 anonymous_identity="ttls", password="password",
2084 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
2085 dev[0].request("REMOVE_NETWORK all")
2086 eap_connect(dev[1], apdev[0], "TTLS", "user-mschap",
2087 anonymous_identity="ttls", password="password",
2088 ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAP")
2089 dev[1].request("REMOVE_NETWORK all")
2090 eap_connect(dev[0], apdev[0], "TTLS", "user-chap",
2091 anonymous_identity="ttls", password="password",
2092 ca_cert="auth_serv/ca.pem", phase2="auth=CHAP")
2093 eap_connect(dev[1], apdev[0], "TTLS", "user-pap",
2094 anonymous_identity="ttls", password="password",
2095 ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
2096 finally:
2097 os.remove(dbfile)
2098
2099 def test_ap_wpa2_eap_non_ascii_identity(dev, apdev):
2100 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2101 params = int_eap_server_params()
2102 hostapd.add_ap(apdev[0]['ifname'], params)
2103 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2104 identity="\x80", password="password", wait_connect=False)
2105 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2106 identity="a\x80", password="password", wait_connect=False)
2107 for i in range(0, 2):
2108 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2109 if ev is None:
2110 raise Exception("Association and EAP start timed out")
2111 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2112 if ev is None:
2113 raise Exception("EAP method selection timed out")
2114
2115 def test_ap_wpa2_eap_non_ascii_identity2(dev, apdev):
2116 """WPA2-Enterprise connection attempt using non-ASCII identity"""
2117 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
2118 hostapd.add_ap(apdev[0]['ifname'], params)
2119 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2120 identity="\x80", password="password", wait_connect=False)
2121 dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
2122 identity="a\x80", password="password", wait_connect=False)
2123 for i in range(0, 2):
2124 ev = dev[i].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=10)
2125 if ev is None:
2126 raise Exception("Association and EAP start timed out")
2127 ev = dev[i].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=10)
2128 if ev is None:
2129 raise Exception("EAP method selection timed out")
Unnamed repository; edit this file 'description' to name the repository.