1 # -*- coding: utf-8 -*-
2 # WPA2-Enterprise tests
3 # Copyright (c) 2013-2015, Jouni Malinen <j@w1.fi>
5 # This software may be distributed under the terms of the BSD license.
6 # See README for more details.
# Module-level logger; getLogger() with no name returns the root logger.
logger = logging.getLogger()
22 from utils
import HwsimSkip
, alloc_fail
, fail_test
, skip_with_fips
, wait_fail_trigger
23 from wpasupplicant
import WpaSupplicant
24 from test_ap_psk
import check_mib
, find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
, set_test_assoc_ie
28 openssl_imported
= True
30 openssl_imported
= False
def check_hlr_auc_gw_support():
    """Skip the test when the hlr_auc_gw control socket is not present.

    This is only a presence check on a fixed path under /tmp; it does not
    verify who is listening on the socket.

    Raises:
        HwsimSkip: if /tmp/hlr_auc_gw.sock does not exist.
    """
    sock_path = "/tmp/hlr_auc_gw.sock"
    if os.path.exists(sock_path):
        return
    raise HwsimSkip("No hlr_auc_gw available")
36 def check_eap_capa(dev
, method
):
37 res
= dev
.get_capability("eap")
39 raise HwsimSkip("EAP method %s not supported in the build" % method
)
def check_subject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL-based TLS library.

    Args:
        dev: test device object exposing ``request``; "GET tls_library"
            is expected to return the TLS library name string.

    Raises:
        HwsimSkip: if the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip("subject_match not supported with this TLS library: " + tls)
def check_altsubject_match_support(dev):
    """Skip the test unless *dev* reports an OpenSSL-based TLS library.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith("OpenSSL")
    if not supported:
        msg = "altsubject_match not supported with this TLS library: %s" % tls
        raise HwsimSkip(msg)
def check_domain_match(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library starts with "internal".
    """
    tls = dev.request("GET tls_library")
    if not tls.startswith("internal"):
        return
    raise HwsimSkip("domain_match not supported with this TLS library: " + tls)
def check_domain_suffix_match(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library starts with "internal".
    """
    tls = dev.request("GET tls_library")
    internal_tls = tls.startswith("internal")
    if internal_tls:
        msg = "domain_suffix_match not supported with this TLS library: %s" % tls
        raise HwsimSkip(msg)
def check_domain_match_full(dev):
    """Skip the test unless *dev* reports an OpenSSL-based TLS library.

    Used by tests that rely on domain_suffix_match doing a full match.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        return
    raise HwsimSkip(
        "domain_suffix_match requires full match with this TLS library: " + tls)
def check_cert_probe_support(dev):
    """Skip the test unless *dev* uses OpenSSL or the internal TLS library.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library starts with neither "OpenSSL"
            nor "internal".
    """
    tls = dev.request("GET tls_library")
    # str.startswith accepts a tuple: true if either prefix matches.
    if tls.startswith(("OpenSSL", "internal")):
        return
    raise HwsimSkip("Certificate probing not supported with this TLS library: " + tls)
def check_ext_cert_check_support(dev):
    """Skip the test unless *dev* reports an OpenSSL-based TLS library.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library does not start with "OpenSSL".
    """
    tls = dev.request("GET tls_library")
    supported = tls.startswith("OpenSSL")
    if not supported:
        raise HwsimSkip(
            "ext_cert_check not supported with this TLS library: " + tls)
def check_ocsp_support(dev):
    """Capability check for OCSP tests; currently never skips.

    The TLS library name is still queried from *dev*, but the checks for the
    internal TLS implementation and for BoringSSL are kept below disabled, so
    this function has no effect other than issuing the control request.

    Args:
        dev: test device object exposing ``request``.
    """
    tls = dev.request("GET tls_library")
    # Disabled checks, retained for reference:
    #if tls.startswith("internal"):
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
    #if "BoringSSL" in tls:
    #    raise HwsimSkip("OCSP not supported with this TLS library: " + tls)
def check_pkcs5_v15_support(dev):
    """Skip the test when *dev* reports a BoringSSL-based TLS library.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if "BoringSSL" occurs anywhere in the reported tls_library.
    """
    tls = dev.request("GET tls_library")
    if "BoringSSL" not in tls:
        return
    raise HwsimSkip("PKCS#5 v1.5 not supported with this TLS library: " + tls)
88 def check_ocsp_multi_support(dev
):
89 tls
= dev
.request("GET tls_library")
90 if not tls
.startswith("internal"):
91 raise HwsimSkip("OCSP-multi not supported with this TLS library: " + tls
)
92 as_hapd
= hostapd
.Hostapd("as")
93 res
= as_hapd
.request("GET tls_library")
95 if not res
.startswith("internal"):
96 raise HwsimSkip("Authentication server does not support ocsp_multi")
def check_pkcs12_support(dev):
    """Capability check for PKCS#12 tests; currently never skips.

    The TLS library name is queried from *dev*, but the check for the internal
    TLS implementation is kept below disabled, so the only effect is the
    control request itself.

    Args:
        dev: test device object exposing ``request``.
    """
    tls = dev.request("GET tls_library")
    # Disabled check, retained for reference:
    #if tls.startswith("internal"):
    #    raise HwsimSkip("PKCS#12 not supported with this TLS library: " + tls)
def check_dh_dsa_support(dev):
    """Skip the test when *dev* uses the internal TLS implementation.

    Args:
        dev: test device object exposing ``request``.

    Raises:
        HwsimSkip: if the reported tls_library starts with "internal".
    """
    tls = dev.request("GET tls_library")
    internal_tls = tls.startswith("internal")
    if internal_tls:
        raise HwsimSkip(
            "DH DSA not supported with this TLS library: %s" % tls)
109 with
open(fname
, "r") as f
:
110 lines
= f
.readlines()
118 if "-----BEGIN" in l
:
120 return base64
.b64decode(cert
)
122 def eap_connect(dev
, hapd
, method
, identity
,
123 sha256
=False, expect_failure
=False, local_error_report
=False,
124 maybe_local_error
=False, **kwargs
):
125 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
126 eap
=method
, identity
=identity
,
127 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
129 eap_check_auth(dev
, method
, True, sha256
=sha256
,
130 expect_failure
=expect_failure
,
131 local_error_report
=local_error_report
,
132 maybe_local_error
=maybe_local_error
)
135 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
137 raise Exception("No connection event received from hostapd")
140 def eap_check_auth(dev
, method
, initial
, rsn
=True, sha256
=False,
141 expect_failure
=False, local_error_report
=False,
142 maybe_local_error
=False):
143 ev
= dev
.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
145 raise Exception("Association and EAP start timed out")
146 ev
= dev
.wait_event(["CTRL-EVENT-EAP-METHOD",
147 "CTRL-EVENT-EAP-FAILURE"], timeout
=10)
149 raise Exception("EAP method selection timed out")
150 if "CTRL-EVENT-EAP-FAILURE" in ev
:
151 if maybe_local_error
:
153 raise Exception("Could not select EAP method")
155 raise Exception("Unexpected EAP method")
157 ev
= dev
.wait_event(["CTRL-EVENT-EAP-FAILURE"])
159 raise Exception("EAP failure timed out")
160 ev
= dev
.wait_disconnected(timeout
=10)
161 if maybe_local_error
and "locally_generated=1" in ev
:
163 if not local_error_report
:
164 if "reason=23" not in ev
:
165 raise Exception("Proper reason code for disconnection not reported")
167 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
169 raise Exception("EAP success timed out")
172 ev
= dev
.wait_event(["CTRL-EVENT-CONNECTED"], timeout
=10)
174 ev
= dev
.wait_event(["WPA: Key negotiation completed"], timeout
=10)
176 raise Exception("Association with the AP timed out")
177 status
= dev
.get_status()
178 if status
["wpa_state"] != "COMPLETED":
179 raise Exception("Connection not completed")
181 if status
["suppPortStatus"] != "Authorized":
182 raise Exception("Port not authorized")
183 if "selectedMethod" not in status
:
184 logger
.info("Status: " + str(status
))
185 raise Exception("No selectedMethod in status")
186 if method
not in status
["selectedMethod"]:
187 raise Exception("Incorrect EAP method status")
189 e
= "WPA2-EAP-SHA256"
191 e
= "WPA2/IEEE 802.1X/EAP"
193 e
= "WPA/IEEE 802.1X/EAP"
194 if status
["key_mgmt"] != e
:
195 raise Exception("Unexpected key_mgmt status: " + status
["key_mgmt"])
def eap_reauth(dev, method, rsn=True, sha256=False, expect_failure=False):
    """Trigger EAP reauthentication on *dev* and validate the outcome.

    Sends the REAUTHENTICATE control command and then delegates to
    eap_check_auth() with initial=False; the remaining keyword options are
    passed through unchanged.

    Args:
        dev: test device object exposing ``request``.
        method: EAP method name expected to be selected.
        rsn: forwarded to eap_check_auth().
        sha256: forwarded to eap_check_auth().
        expect_failure: forwarded to eap_check_auth().

    Returns:
        The return value of eap_check_auth().
    """
    dev.request("REAUTHENTICATE")
    check_opts = {
        "rsn": rsn,
        "sha256": sha256,
        "expect_failure": expect_failure,
    }
    return eap_check_auth(dev, method, False, **check_opts)
203 def test_ap_wpa2_eap_sim(dev
, apdev
):
204 """WPA2-Enterprise connection using EAP-SIM"""
205 check_hlr_auc_gw_support()
206 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
207 hapd
= hostapd
.add_ap(apdev
[0], params
)
208 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
209 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
210 hwsim_utils
.test_connectivity(dev
[0], hapd
)
211 eap_reauth(dev
[0], "SIM")
213 eap_connect(dev
[1], hapd
, "SIM", "1232010000000001",
214 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
215 eap_connect(dev
[2], hapd
, "SIM", "1232010000000002",
216 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
219 logger
.info("Negative test with incorrect key")
220 dev
[0].request("REMOVE_NETWORK all")
221 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
222 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
225 logger
.info("Invalid GSM-Milenage key")
226 dev
[0].request("REMOVE_NETWORK all")
227 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
228 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
231 logger
.info("Invalid GSM-Milenage key(2)")
232 dev
[0].request("REMOVE_NETWORK all")
233 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
234 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581",
237 logger
.info("Invalid GSM-Milenage key(3)")
238 dev
[0].request("REMOVE_NETWORK all")
239 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
240 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q",
243 logger
.info("Invalid GSM-Milenage key(4)")
244 dev
[0].request("REMOVE_NETWORK all")
245 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
246 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581",
249 logger
.info("Missing key configuration")
250 dev
[0].request("REMOVE_NETWORK all")
251 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
254 def test_ap_wpa2_eap_sim_sql(dev
, apdev
, params
):
255 """WPA2-Enterprise connection using EAP-SIM (SQL)"""
256 check_hlr_auc_gw_support()
260 raise HwsimSkip("No sqlite3 module available")
261 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
262 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
263 params
['auth_server_port'] = "1814"
264 hapd
= hostapd
.add_ap(apdev
[0], params
)
265 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
266 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
268 logger
.info("SIM fast re-authentication")
269 eap_reauth(dev
[0], "SIM")
271 logger
.info("SIM full auth with pseudonym")
274 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
275 eap_reauth(dev
[0], "SIM")
277 logger
.info("SIM full auth with permanent identity")
280 cur
.execute("DELETE FROM reauth WHERE permanent='1232010000000000'")
281 cur
.execute("DELETE FROM pseudonyms WHERE permanent='1232010000000000'")
282 eap_reauth(dev
[0], "SIM")
284 logger
.info("SIM reauth with mismatching MK")
287 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='1232010000000000'")
288 eap_reauth(dev
[0], "SIM", expect_failure
=True)
289 dev
[0].request("REMOVE_NETWORK all")
291 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
292 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
295 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
296 eap_reauth(dev
[0], "SIM")
299 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='1232010000000000'")
300 logger
.info("SIM reauth with mismatching counter")
301 eap_reauth(dev
[0], "SIM")
302 dev
[0].request("REMOVE_NETWORK all")
304 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
305 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
308 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='1232010000000000'")
309 logger
.info("SIM reauth with max reauth count reached")
310 eap_reauth(dev
[0], "SIM")
312 def test_ap_wpa2_eap_sim_config(dev
, apdev
):
313 """EAP-SIM configuration options"""
314 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
315 hapd
= hostapd
.add_ap(apdev
[0], params
)
316 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
317 identity
="1232010000000000",
318 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
319 phase1
="sim_min_num_chal=1",
320 wait_connect
=False, scan_freq
="2412")
321 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
323 raise Exception("No EAP error message seen")
324 dev
[0].request("REMOVE_NETWORK all")
326 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
327 identity
="1232010000000000",
328 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
329 phase1
="sim_min_num_chal=4",
330 wait_connect
=False, scan_freq
="2412")
331 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 18 (SIM)"], timeout
=10)
333 raise Exception("No EAP error message seen (2)")
334 dev
[0].request("REMOVE_NETWORK all")
336 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
337 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
338 phase1
="sim_min_num_chal=2")
339 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
340 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
341 anonymous_identity
="345678")
343 def test_ap_wpa2_eap_sim_ext(dev
, apdev
):
344 """WPA2-Enterprise connection using EAP-SIM and external GSM auth"""
346 _test_ap_wpa2_eap_sim_ext(dev
, apdev
)
348 dev
[0].request("SET external_sim 0")
350 def _test_ap_wpa2_eap_sim_ext(dev
, apdev
):
351 check_hlr_auc_gw_support()
352 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
353 hostapd
.add_ap(apdev
[0], params
)
354 dev
[0].request("SET external_sim 1")
355 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
356 identity
="1232010000000000",
357 wait_connect
=False, scan_freq
="2412")
358 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
360 raise Exception("Network connected timed out")
362 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
364 raise Exception("Wait for external SIM processing request timed out")
366 if p
[1] != "GSM-AUTH":
367 raise Exception("Unexpected CTRL-REQ-SIM type")
368 rid
= p
[0].split('-')[3]
371 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
372 # This will fail during processing, but the ctrl_iface command succeeds
373 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTH:" + resp
)
374 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
376 raise Exception("EAP failure not reported")
377 dev
[0].request("DISCONNECT")
378 dev
[0].wait_disconnected()
381 dev
[0].select_network(id, freq
="2412")
382 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
384 raise Exception("Wait for external SIM processing request timed out")
386 if p
[1] != "GSM-AUTH":
387 raise Exception("Unexpected CTRL-REQ-SIM type")
388 rid
= p
[0].split('-')[3]
389 # This will fail during GSM auth validation
390 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:q"):
391 raise Exception("CTRL-RSP-SIM failed")
392 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
394 raise Exception("EAP failure not reported")
395 dev
[0].request("DISCONNECT")
396 dev
[0].wait_disconnected()
399 dev
[0].select_network(id, freq
="2412")
400 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
402 raise Exception("Wait for external SIM processing request timed out")
404 if p
[1] != "GSM-AUTH":
405 raise Exception("Unexpected CTRL-REQ-SIM type")
406 rid
= p
[0].split('-')[3]
407 # This will fail during GSM auth validation
408 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:34"):
409 raise Exception("CTRL-RSP-SIM failed")
410 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
412 raise Exception("EAP failure not reported")
413 dev
[0].request("DISCONNECT")
414 dev
[0].wait_disconnected()
417 dev
[0].select_network(id, freq
="2412")
418 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
420 raise Exception("Wait for external SIM processing request timed out")
422 if p
[1] != "GSM-AUTH":
423 raise Exception("Unexpected CTRL-REQ-SIM type")
424 rid
= p
[0].split('-')[3]
425 # This will fail during GSM auth validation
426 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677"):
427 raise Exception("CTRL-RSP-SIM failed")
428 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
430 raise Exception("EAP failure not reported")
431 dev
[0].request("DISCONNECT")
432 dev
[0].wait_disconnected()
435 dev
[0].select_network(id, freq
="2412")
436 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
438 raise Exception("Wait for external SIM processing request timed out")
440 if p
[1] != "GSM-AUTH":
441 raise Exception("Unexpected CTRL-REQ-SIM type")
442 rid
= p
[0].split('-')[3]
443 # This will fail during GSM auth validation
444 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:q"):
445 raise Exception("CTRL-RSP-SIM failed")
446 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
448 raise Exception("EAP failure not reported")
449 dev
[0].request("DISCONNECT")
450 dev
[0].wait_disconnected()
453 dev
[0].select_network(id, freq
="2412")
454 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
456 raise Exception("Wait for external SIM processing request timed out")
458 if p
[1] != "GSM-AUTH":
459 raise Exception("Unexpected CTRL-REQ-SIM type")
460 rid
= p
[0].split('-')[3]
461 # This will fail during GSM auth validation
462 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233"):
463 raise Exception("CTRL-RSP-SIM failed")
464 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
466 raise Exception("EAP failure not reported")
467 dev
[0].request("DISCONNECT")
468 dev
[0].wait_disconnected()
471 dev
[0].select_network(id, freq
="2412")
472 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
474 raise Exception("Wait for external SIM processing request timed out")
476 if p
[1] != "GSM-AUTH":
477 raise Exception("Unexpected CTRL-REQ-SIM type")
478 rid
= p
[0].split('-')[3]
479 # This will fail during GSM auth validation
480 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:0011223344556677:00112233:q"):
481 raise Exception("CTRL-RSP-SIM failed")
482 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
484 raise Exception("EAP failure not reported")
486 def test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
487 """EAP-SIM with external GSM auth and replacing SIM without clearing pseudonym id"""
489 _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
)
491 dev
[0].request("SET external_sim 0")
493 def _test_ap_wpa2_eap_sim_ext_replace_sim(dev
, apdev
):
494 check_hlr_auc_gw_support()
495 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
496 hostapd
.add_ap(apdev
[0], params
)
497 dev
[0].request("SET external_sim 1")
498 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
499 identity
="1232010000000000",
500 wait_connect
=False, scan_freq
="2412")
502 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
504 raise Exception("Wait for external SIM processing request timed out")
506 if p
[1] != "GSM-AUTH":
507 raise Exception("Unexpected CTRL-REQ-SIM type")
508 rid
= p
[0].split('-')[3]
509 rand
= p
[2].split(' ')[0]
511 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
513 "auth_serv/hlr_auc_gw.milenage_db",
514 "GSM-AUTH-REQ 232010000000000 " + rand
])
515 if "GSM-AUTH-RESP" not in res
:
516 raise Exception("Unexpected hlr_auc_gw response")
517 resp
= res
.split(' ')[2].rstrip()
519 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
520 dev
[0].wait_connected(timeout
=15)
521 dev
[0].request("DISCONNECT")
522 dev
[0].wait_disconnected()
524 # Replace SIM, but forget to drop the previous pseudonym identity
525 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
526 dev
[0].select_network(id, freq
="2412")
528 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
530 raise Exception("Wait for external SIM processing request timed out")
532 if p
[1] != "GSM-AUTH":
533 raise Exception("Unexpected CTRL-REQ-SIM type")
534 rid
= p
[0].split('-')[3]
535 rand
= p
[2].split(' ')[0]
537 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
539 "auth_serv/hlr_auc_gw.milenage_db",
540 "GSM-AUTH-REQ 232010000000009 " + rand
])
541 if "GSM-AUTH-RESP" not in res
:
542 raise Exception("Unexpected hlr_auc_gw response")
543 resp
= res
.split(' ')[2].rstrip()
545 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
546 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
548 raise Exception("EAP-Failure not reported")
549 dev
[0].request("DISCONNECT")
550 dev
[0].wait_disconnected()
552 def test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
553 """EAP-SIM with external GSM auth and replacing SIM and clearing pseudonym identity"""
555 _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
)
557 dev
[0].request("SET external_sim 0")
559 def _test_ap_wpa2_eap_sim_ext_replace_sim2(dev
, apdev
):
560 check_hlr_auc_gw_support()
561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
562 hostapd
.add_ap(apdev
[0], params
)
563 dev
[0].request("SET external_sim 1")
564 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
565 identity
="1232010000000000",
566 wait_connect
=False, scan_freq
="2412")
568 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
570 raise Exception("Wait for external SIM processing request timed out")
572 if p
[1] != "GSM-AUTH":
573 raise Exception("Unexpected CTRL-REQ-SIM type")
574 rid
= p
[0].split('-')[3]
575 rand
= p
[2].split(' ')[0]
577 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
579 "auth_serv/hlr_auc_gw.milenage_db",
580 "GSM-AUTH-REQ 232010000000000 " + rand
])
581 if "GSM-AUTH-RESP" not in res
:
582 raise Exception("Unexpected hlr_auc_gw response")
583 resp
= res
.split(' ')[2].rstrip()
585 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
586 dev
[0].wait_connected(timeout
=15)
587 dev
[0].request("DISCONNECT")
588 dev
[0].wait_disconnected()
590 # Replace SIM and drop the previous pseudonym identity
591 dev
[0].set_network_quoted(id, "identity", "1232010000000009")
592 dev
[0].set_network(id, "anonymous_identity", "NULL")
593 dev
[0].select_network(id, freq
="2412")
595 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
597 raise Exception("Wait for external SIM processing request timed out")
599 if p
[1] != "GSM-AUTH":
600 raise Exception("Unexpected CTRL-REQ-SIM type")
601 rid
= p
[0].split('-')[3]
602 rand
= p
[2].split(' ')[0]
604 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
606 "auth_serv/hlr_auc_gw.milenage_db",
607 "GSM-AUTH-REQ 232010000000009 " + rand
])
608 if "GSM-AUTH-RESP" not in res
:
609 raise Exception("Unexpected hlr_auc_gw response")
610 resp
= res
.split(' ')[2].rstrip()
612 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
613 dev
[0].wait_connected()
614 dev
[0].request("DISCONNECT")
615 dev
[0].wait_disconnected()
617 def test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
618 """EAP-SIM with external GSM auth, replacing SIM, and no identity in config"""
620 _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
)
622 dev
[0].request("SET external_sim 0")
624 def _test_ap_wpa2_eap_sim_ext_replace_sim3(dev
, apdev
):
625 check_hlr_auc_gw_support()
626 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
627 hostapd
.add_ap(apdev
[0], params
)
628 dev
[0].request("SET external_sim 1")
629 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
630 wait_connect
=False, scan_freq
="2412")
632 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
634 raise Exception("Request for identity timed out")
635 rid
= ev
.split(':')[0].split('-')[-1]
636 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000000")
638 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
640 raise Exception("Wait for external SIM processing request timed out")
642 if p
[1] != "GSM-AUTH":
643 raise Exception("Unexpected CTRL-REQ-SIM type")
644 rid
= p
[0].split('-')[3]
645 rand
= p
[2].split(' ')[0]
647 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
649 "auth_serv/hlr_auc_gw.milenage_db",
650 "GSM-AUTH-REQ 232010000000000 " + rand
])
651 if "GSM-AUTH-RESP" not in res
:
652 raise Exception("Unexpected hlr_auc_gw response")
653 resp
= res
.split(' ')[2].rstrip()
655 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
656 dev
[0].wait_connected(timeout
=15)
657 dev
[0].request("DISCONNECT")
658 dev
[0].wait_disconnected()
660 # Replace SIM and drop the previous permanent and pseudonym identities
661 dev
[0].set_network(id, "identity", "NULL")
662 dev
[0].set_network(id, "anonymous_identity", "NULL")
663 dev
[0].select_network(id, freq
="2412")
665 ev
= dev
[0].wait_event(["CTRL-REQ-IDENTITY"])
667 raise Exception("Request for identity timed out")
668 rid
= ev
.split(':')[0].split('-')[-1]
669 dev
[0].request("CTRL-RSP-IDENTITY-" + rid
+ ":1232010000000009")
671 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
673 raise Exception("Wait for external SIM processing request timed out")
675 if p
[1] != "GSM-AUTH":
676 raise Exception("Unexpected CTRL-REQ-SIM type")
677 rid
= p
[0].split('-')[3]
678 rand
= p
[2].split(' ')[0]
680 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
682 "auth_serv/hlr_auc_gw.milenage_db",
683 "GSM-AUTH-REQ 232010000000009 " + rand
])
684 if "GSM-AUTH-RESP" not in res
:
685 raise Exception("Unexpected hlr_auc_gw response")
686 resp
= res
.split(' ')[2].rstrip()
688 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
689 dev
[0].wait_connected()
690 dev
[0].request("DISCONNECT")
691 dev
[0].wait_disconnected()
693 def test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
694 """EAP-SIM with external GSM auth and auth failing"""
696 _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
)
698 dev
[0].request("SET external_sim 0")
700 def _test_ap_wpa2_eap_sim_ext_auth_fail(dev
, apdev
):
701 check_hlr_auc_gw_support()
702 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
703 hostapd
.add_ap(apdev
[0], params
)
704 dev
[0].request("SET external_sim 1")
705 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
706 identity
="1232010000000000",
707 wait_connect
=False, scan_freq
="2412")
709 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
711 raise Exception("Wait for external SIM processing request timed out")
713 rid
= p
[0].split('-')[3]
714 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-FAIL")
715 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
717 raise Exception("EAP failure not reported")
718 dev
[0].request("REMOVE_NETWORK all")
719 dev
[0].wait_disconnected()
721 def test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
722 """EAP-SIM and external GSM auth to check fast reauth with bssid change"""
724 _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
)
726 dev
[0].request("SET external_sim 0")
728 def _test_ap_wpa2_eap_sim_change_bssid(dev
, apdev
):
729 check_hlr_auc_gw_support()
730 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
731 hostapd
.add_ap(apdev
[0], params
)
732 dev
[0].request("SET external_sim 1")
733 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
734 identity
="1232010000000000",
735 wait_connect
=False, scan_freq
="2412")
737 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
739 raise Exception("Wait for external SIM processing request timed out")
741 if p
[1] != "GSM-AUTH":
742 raise Exception("Unexpected CTRL-REQ-SIM type")
743 rid
= p
[0].split('-')[3]
744 rand
= p
[2].split(' ')[0]
746 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
748 "auth_serv/hlr_auc_gw.milenage_db",
749 "GSM-AUTH-REQ 232010000000000 " + rand
])
750 if "GSM-AUTH-RESP" not in res
:
751 raise Exception("Unexpected hlr_auc_gw response")
752 resp
= res
.split(' ')[2].rstrip()
754 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
755 dev
[0].wait_connected(timeout
=15)
757 # Verify that EAP-SIM Reauthentication can be used after a profile change
758 # that does not affect EAP parameters.
759 dev
[0].set_network(id, "bssid", "any")
760 eap_reauth(dev
[0], "SIM")
762 def test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
763 """EAP-SIM and external GSM auth to check fast reauth with no-change SET_NETWORK"""
765 _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
)
767 dev
[0].request("SET external_sim 0")
769 def _test_ap_wpa2_eap_sim_no_change_set(dev
, apdev
):
770 check_hlr_auc_gw_support()
771 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
772 hostapd
.add_ap(apdev
[0], params
)
773 dev
[0].request("SET external_sim 1")
774 id = dev
[0].connect("test-wpa2-eap", eap
="SIM", key_mgmt
="WPA-EAP",
775 identity
="1232010000000000",
776 wait_connect
=False, scan_freq
="2412")
778 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
780 raise Exception("Wait for external SIM processing request timed out")
782 if p
[1] != "GSM-AUTH":
783 raise Exception("Unexpected CTRL-REQ-SIM type")
784 rid
= p
[0].split('-')[3]
785 rand
= p
[2].split(' ')[0]
787 res
= subprocess
.check_output(["../../hostapd/hlr_auc_gw",
789 "auth_serv/hlr_auc_gw.milenage_db",
790 "GSM-AUTH-REQ 232010000000000 " + rand
])
791 if "GSM-AUTH-RESP" not in res
:
792 raise Exception("Unexpected hlr_auc_gw response")
793 resp
= res
.split(' ')[2].rstrip()
795 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
796 dev
[0].wait_connected(timeout
=15)
798 # Verify that EAP-SIM Reauthentication can be used after network profile
799 # SET_NETWORK commands that do not actually change previously set
801 dev
[0].set_network(id, "key_mgmt", "WPA-EAP")
802 dev
[0].set_network(id, "eap", "SIM")
803 dev
[0].set_network_quoted(id, "identity", "1232010000000000")
804 dev
[0].set_network_quoted(id, "ssid", "test-wpa2-eap")
805 eap_reauth(dev
[0], "SIM")
807 def test_ap_wpa2_eap_sim_oom(dev
, apdev
):
808 """EAP-SIM and OOM"""
809 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
810 hostapd
.add_ap(apdev
[0], params
)
811 tests
= [ (1, "milenage_f2345"),
812 (2, "milenage_f2345"),
813 (3, "milenage_f2345"),
814 (4, "milenage_f2345"),
815 (5, "milenage_f2345"),
816 (6, "milenage_f2345"),
817 (7, "milenage_f2345"),
818 (8, "milenage_f2345"),
819 (9, "milenage_f2345"),
820 (10, "milenage_f2345"),
821 (11, "milenage_f2345"),
822 (12, "milenage_f2345") ]
823 for count
, func
in tests
:
824 with
fail_test(dev
[0], count
, func
):
825 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
826 identity
="1232010000000000",
827 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
828 wait_connect
=False, scan_freq
="2412")
829 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=5)
831 raise Exception("EAP method not selected")
832 dev
[0].wait_disconnected()
833 dev
[0].request("REMOVE_NETWORK all")
835 def test_ap_wpa2_eap_aka(dev
, apdev
):
836 """WPA2-Enterprise connection using EAP-AKA"""
837 check_hlr_auc_gw_support()
838 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
839 hapd
= hostapd
.add_ap(apdev
[0], params
)
840 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
841 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
842 hwsim_utils
.test_connectivity(dev
[0], hapd
)
843 eap_reauth(dev
[0], "AKA")
845 logger
.info("Negative test with incorrect key")
846 dev
[0].request("REMOVE_NETWORK all")
847 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
848 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
851 logger
.info("Invalid Milenage key")
852 dev
[0].request("REMOVE_NETWORK all")
853 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
854 password
="ffdca4eda45b53cf0f12d7c9c3bc6a",
857 logger
.info("Invalid Milenage key(2)")
858 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
859 password
="ffdca4eda45b53cf0f12d7c9c3bc6a8q:cb9cccc4b9258e6dca4760379fb82581:000000000123",
862 logger
.info("Invalid Milenage key(3)")
863 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
864 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb8258q:000000000123",
867 logger
.info("Invalid Milenage key(4)")
868 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
869 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:00000000012q",
872 logger
.info("Invalid Milenage key(5)")
873 dev
[0].request("REMOVE_NETWORK all")
874 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
875 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581q000000000123",
878 logger
.info("Invalid Milenage key(6)")
879 dev
[0].request("REMOVE_NETWORK all")
880 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
881 password
="ffdca4eda45b53cf0f12d7c9c3bc6a89qcb9cccc4b9258e6dca4760379fb82581q000000000123",
884 logger
.info("Missing key configuration")
885 dev
[0].request("REMOVE_NETWORK all")
886 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
889 def test_ap_wpa2_eap_aka_sql(dev
, apdev
, params
):
890 """WPA2-Enterprise connection using EAP-AKA (SQL)"""
891 check_hlr_auc_gw_support()
895 raise HwsimSkip("No sqlite3 module available")
896 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
897 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
898 params
['auth_server_port'] = "1814"
899 hapd
= hostapd
.add_ap(apdev
[0], params
)
900 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
901 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
903 logger
.info("AKA fast re-authentication")
904 eap_reauth(dev
[0], "AKA")
906 logger
.info("AKA full auth with pseudonym")
909 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
910 eap_reauth(dev
[0], "AKA")
912 logger
.info("AKA full auth with permanent identity")
915 cur
.execute("DELETE FROM reauth WHERE permanent='0232010000000000'")
916 cur
.execute("DELETE FROM pseudonyms WHERE permanent='0232010000000000'")
917 eap_reauth(dev
[0], "AKA")
919 logger
.info("AKA reauth with mismatching MK")
922 cur
.execute("UPDATE reauth SET mk='0000000000000000000000000000000000000000' WHERE permanent='0232010000000000'")
923 eap_reauth(dev
[0], "AKA", expect_failure
=True)
924 dev
[0].request("REMOVE_NETWORK all")
926 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
927 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
930 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
931 eap_reauth(dev
[0], "AKA")
934 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='0232010000000000'")
935 logger
.info("AKA reauth with mismatching counter")
936 eap_reauth(dev
[0], "AKA")
937 dev
[0].request("REMOVE_NETWORK all")
939 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
940 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
943 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='0232010000000000'")
944 logger
.info("AKA reauth with max reauth count reached")
945 eap_reauth(dev
[0], "AKA")
def test_ap_wpa2_eap_aka_config(dev, apdev):
    """EAP-AKA configuration options"""
    # Milenage parameters in the Ki:OPc:SQN form; these are the test-only
    # values from the hwsim hlr_auc_gw database, not real subscriber keys.
    milenage = ("90dca4eda45b53cf0f12d7c9c3bc6a89:"
                "cb9cccc4b9258e6dca4760379fb82581:000000000123")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # anonymous_identity is the outer identity the supplicant presents; the
    # permanent identity stays inside the AKA exchange (see wpa_supplicant.conf).
    eap_connect(dev[0], ap, "AKA", "0232010000000000",
                password=milenage,
                anonymous_identity="2345678")
955 def test_ap_wpa2_eap_aka_ext(dev
, apdev
):
956 """WPA2-Enterprise connection using EAP-AKA and external UMTS auth"""
958 _test_ap_wpa2_eap_aka_ext(dev
, apdev
)
960 dev
[0].request("SET external_sim 0")
962 def _test_ap_wpa2_eap_aka_ext(dev
, apdev
):
963 check_hlr_auc_gw_support()
964 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
965 hostapd
.add_ap(apdev
[0], params
)
966 dev
[0].request("SET external_sim 1")
967 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
968 identity
="0232010000000000",
969 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
970 wait_connect
=False, scan_freq
="2412")
971 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=15)
973 raise Exception("Network connected timed out")
975 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
977 raise Exception("Wait for external SIM processing request timed out")
979 if p
[1] != "UMTS-AUTH":
980 raise Exception("Unexpected CTRL-REQ-SIM type")
981 rid
= p
[0].split('-')[3]
984 resp
= "00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344"
985 # This will fail during processing, but the ctrl_iface command succeeds
986 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":GSM-AUTH:" + resp
)
987 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
989 raise Exception("EAP failure not reported")
990 dev
[0].request("DISCONNECT")
991 dev
[0].wait_disconnected()
993 dev
[0].dump_monitor()
995 dev
[0].select_network(id, freq
="2412")
996 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
998 raise Exception("Wait for external SIM processing request timed out")
1000 if p
[1] != "UMTS-AUTH":
1001 raise Exception("Unexpected CTRL-REQ-SIM type")
1002 rid
= p
[0].split('-')[3]
1003 # This will fail during UMTS auth validation
1004 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:112233445566778899aabbccddee"):
1005 raise Exception("CTRL-RSP-SIM failed")
1006 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1008 raise Exception("Wait for external SIM processing request timed out")
1009 p
= ev
.split(':', 2)
1010 if p
[1] != "UMTS-AUTH":
1011 raise Exception("Unexpected CTRL-REQ-SIM type")
1012 rid
= p
[0].split('-')[3]
1013 # This will fail during UMTS auth validation
1014 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-AUTS:12"):
1015 raise Exception("CTRL-RSP-SIM failed")
1016 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1018 raise Exception("EAP failure not reported")
1019 dev
[0].request("DISCONNECT")
1020 dev
[0].wait_disconnected()
1022 dev
[0].dump_monitor()
1024 tests
= [ ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:0011223344",
1026 ":UMTS-AUTH:00112233445566778899aabbccddeeff.00112233445566778899aabbccddeeff:0011223344",
1027 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddee:0011223344",
1028 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff.0011223344",
1029 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff0011223344",
1030 ":UMTS-AUTH:00112233445566778899aabbccddeeff:00112233445566778899aabbccddeeff:001122334q" ]
1032 dev
[0].select_network(id, freq
="2412")
1033 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1035 raise Exception("Wait for external SIM processing request timed out")
1036 p
= ev
.split(':', 2)
1037 if p
[1] != "UMTS-AUTH":
1038 raise Exception("Unexpected CTRL-REQ-SIM type")
1039 rid
= p
[0].split('-')[3]
1040 # This will fail during UMTS auth validation
1041 if "OK" not in dev
[0].request("CTRL-RSP-SIM-" + rid
+ t
):
1042 raise Exception("CTRL-RSP-SIM failed")
1043 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=15)
1045 raise Exception("EAP failure not reported")
1046 dev
[0].request("DISCONNECT")
1047 dev
[0].wait_disconnected()
1049 dev
[0].dump_monitor()
1051 def test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1052 """EAP-AKA with external UMTS auth and auth failing"""
1054 _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
)
1056 dev
[0].request("SET external_sim 0")
1058 def _test_ap_wpa2_eap_aka_ext_auth_fail(dev
, apdev
):
1059 check_hlr_auc_gw_support()
1060 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1061 hostapd
.add_ap(apdev
[0], params
)
1062 dev
[0].request("SET external_sim 1")
1063 id = dev
[0].connect("test-wpa2-eap", eap
="AKA", key_mgmt
="WPA-EAP",
1064 identity
="0232010000000000",
1065 wait_connect
=False, scan_freq
="2412")
1067 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1069 raise Exception("Wait for external SIM processing request timed out")
1070 p
= ev
.split(':', 2)
1071 rid
= p
[0].split('-')[3]
1072 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1073 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1075 raise Exception("EAP failure not reported")
1076 dev
[0].request("REMOVE_NETWORK all")
1077 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_aka_prime(dev, apdev):
    """WPA2-Enterprise connection using EAP-AKA'"""
    check_hlr_auc_gw_support()
    # Test-only Milenage Ki:OPc:SQN triple matching the hlr_auc_gw database.
    good_key = ("5122250214c33e723a5dd523fc145fc0:"
                "981d464c7c52eb6e5036234984ad0bcf:000000000123")
    # Same triple with a corrupted Ki; the server must reject it.
    bad_key = ("ff22250214c33e723a5dd523fc145fc0:"
               "981d464c7c52eb6e5036234984ad0bcf:000000000123")
    imsi = "6555444333222111"

    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(dev[0], ap, "AKA'", imsi, password=good_key)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "AKA'")

    logger.info("EAP-AKA' bidding protection when EAP-AKA enabled as well")
    # The peer offers both AKA' and AKA; the expectation checked here is only
    # that the association still completes (the "@both" realm presumably
    # selects the server-side behaviour for this case — see auth_serv config).
    dev[1].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="AKA' AKA",
                   identity=imsi + "@both",
                   password=good_key,
                   wait_connect=False, scan_freq="2412")
    dev[1].wait_connected(timeout=15)

    logger.info("Negative test with incorrect key")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "AKA'", imsi,
                password=bad_key,
                expect_failure=True)
1102 def test_ap_wpa2_eap_aka_prime_sql(dev
, apdev
, params
):
1103 """WPA2-Enterprise connection using EAP-AKA' (SQL)"""
1104 check_hlr_auc_gw_support()
1108 raise HwsimSkip("No sqlite3 module available")
1109 con
= sqlite3
.connect(os
.path
.join(params
['logdir'], "hostapd.db"))
1110 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1111 params
['auth_server_port'] = "1814"
1112 hapd
= hostapd
.add_ap(apdev
[0], params
)
1113 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1114 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1116 logger
.info("AKA' fast re-authentication")
1117 eap_reauth(dev
[0], "AKA'")
1119 logger
.info("AKA' full auth with pseudonym")
1122 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1123 eap_reauth(dev
[0], "AKA'")
1125 logger
.info("AKA' full auth with permanent identity")
1128 cur
.execute("DELETE FROM reauth WHERE permanent='6555444333222111'")
1129 cur
.execute("DELETE FROM pseudonyms WHERE permanent='6555444333222111'")
1130 eap_reauth(dev
[0], "AKA'")
1132 logger
.info("AKA' reauth with mismatching k_aut")
1135 cur
.execute("UPDATE reauth SET k_aut='0000000000000000000000000000000000000000000000000000000000000000' WHERE permanent='6555444333222111'")
1136 eap_reauth(dev
[0], "AKA'", expect_failure
=True)
1137 dev
[0].request("REMOVE_NETWORK all")
1139 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1140 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1143 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1144 eap_reauth(dev
[0], "AKA'")
1147 cur
.execute("UPDATE reauth SET counter='10' WHERE permanent='6555444333222111'")
1148 logger
.info("AKA' reauth with mismatching counter")
1149 eap_reauth(dev
[0], "AKA'")
1150 dev
[0].request("REMOVE_NETWORK all")
1152 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
1153 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
1156 cur
.execute("UPDATE reauth SET counter='1001' WHERE permanent='6555444333222111'")
1157 logger
.info("AKA' reauth with max reauth count reached")
1158 eap_reauth(dev
[0], "AKA'")
1160 def test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1161 """EAP-AKA' with external UMTS auth and auth failing"""
1163 _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
)
1165 dev
[0].request("SET external_sim 0")
1167 def _test_ap_wpa2_eap_aka_prime_ext_auth_fail(dev
, apdev
):
1168 check_hlr_auc_gw_support()
1169 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1170 hostapd
.add_ap(apdev
[0], params
)
1171 dev
[0].request("SET external_sim 1")
1172 id = dev
[0].connect("test-wpa2-eap", eap
="AKA'", key_mgmt
="WPA-EAP",
1173 identity
="6555444333222111",
1174 wait_connect
=False, scan_freq
="2412")
1176 ev
= dev
[0].wait_event(["CTRL-REQ-SIM"], timeout
=15)
1178 raise Exception("Wait for external SIM processing request timed out")
1179 p
= ev
.split(':', 2)
1180 rid
= p
[0].split('-')[3]
1181 dev
[0].request("CTRL-RSP-SIM-" + rid
+ ":UMTS-FAIL")
1182 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
1184 raise Exception("EAP failure not reported")
1185 dev
[0].request("REMOVE_NETWORK all")
1186 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_pap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Sanity check that the AP really advertises 802.1X key management.
    configured = ap.get_config()['key_mgmt']
    first_akm, _, _ = configured.partition(' ')
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + configured)
    # PAP carries the password as-is inside the tunnel, so the ca_cert pin on
    # the outer TLS connection is what protects it from a rogue server.
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
    # 00-0f-ac-1 is the IEEE 802.11 AKM suite selector for 802.1X.
    expected_mib = [("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-1"),
                    ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-1")]
    check_mib(dev[0], expected_mib)
def test_ap_wpa2_eap_ttls_pap_subject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and (alt)subject_match"""
    check_subject_match_support(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # subject_match / altsubject_match constrain which server certificate is
    # accepted beyond plain CA validation; the values below must agree with
    # the test server certificate under auth_serv/.
    cert_pins = dict(
        subject_match="/C=FI/O=w1.fi/CN=server.w1.fi",
        altsubject_match="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
    )
    eap_connect(dev[0], ap, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                **cert_pins)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_pap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP - incorrect password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=PAP", expect_failure=True)
    # Wrong password for a valid PAP account.
    eap_connect(dev[0], ap, "TTLS", "pap user", password="wrong", **common)
    # Correct password but an account that is not expected to be accepted
    # for PAP (server-side user database; see auth_serv config).
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_chap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    # CHAP uses MD5, which is unavailable in FIPS mode.
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Uses the DER-encoded CA file to cover that input format as well.
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_altsubject_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP"""
    skip_with_fips(dev[0])
    check_altsubject_match_support(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Same SAN entries as the other altsubject_match test, listed in a
    # different order, so the match must not depend on entry order.
    san_pin = "EMAIL:noone@example.com;URI:http://example.com/;DNS:server.w1.fi"
    eap_connect(dev[0], ap, "TTLS", "chap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.der", phase2="auth=CHAP",
                altsubject_match=san_pin)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_chap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/CHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=CHAP", expect_failure=True)
    # Wrong password for a valid CHAP account.
    eap_connect(dev[0], ap, "TTLS", "chap user", password="wrong", **common)
    # Correct password but an account not expected to be accepted for CHAP
    # (server-side user database; see auth_serv config).
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
def test_ap_wpa2_eap_ttls_mschap(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP"""
    skip_with_fips(dev[0])
    check_domain_suffix_match(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAP")

    # Full connection with the server name pinned via domain_suffix_match.
    eap_connect(dev[0], ap, "TTLS", "mschap user", password="password",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    # Same exchange forced through small EAP fragments.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "mschap user", password="password",
                fragment_size="200", **base)

    # Credential given as the NT hash instead of the cleartext password.
    # For MSCHAP the hash is password-equivalent, so it needs the same
    # protection as the password itself.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
    eap_connect(dev[0], ap, "TTLS", "mschap user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)
def test_ap_wpa2_eap_ttls_mschap_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAP - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAP", expect_failure=True)
    # Three distinct rejection paths: wrong password, an account not expected
    # to be accepted for MSCHAP, and an unknown account. All must fail.
    attempts = [(dev[0], "mschap user", "wrong"),
                (dev[1], "user", "password"),
                (dev[2], "no such user", "password")]
    for station, identity, secret in attempts:
        eap_connect(station, ap, "TTLS", identity, password=secret, **common)
def test_ap_wpa2_eap_ttls_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_suffix_match(dev[0])
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Identity with a domain prefix (literal backslash, not an escape).
    identity = "DOMAIN\\mschapv2 user"
    base = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                phase2="auth=MSCHAPV2")
    sta_addr = dev[0].p2p_interface_addr()

    def counters():
        # STA table entry first, then its EAPOL statistics (same order as
        # the original snapshot).
        return (ap.get_sta(sta_addr), ap.get_sta(sta_addr, info="eapol"))

    eap_connect(dev[0], ap, "TTLS", identity, password="password",
                domain_suffix_match="server.w1.fi", **base)
    hwsim_utils.test_connectivity(dev[0], ap)

    # Verify through the authenticator's counters that the reauthentication
    # really went through the EAP backend rather than being a no-op.
    before_sta, before_eapol = counters()
    eap_reauth(dev[0], "TTLS")
    after_sta, after_eapol = counters()
    if int(after_sta['dot1xAuthEapolFramesRx']) <= int(before_sta['dot1xAuthEapolFramesRx']):
        raise Exception("dot1xAuthEapolFramesRx did not increase")
    if int(after_eapol['authAuthEapStartsWhileAuthenticated']) < 1:
        raise Exception("authAuthEapStartsWhileAuthenticated did not increase")
    if int(after_eapol['backendAuthSuccesses']) <= int(before_eapol['backendAuthSuccesses']):
        raise Exception("backendAuthSuccesses did not increase")

    logger.info("Password as hash value")
    # NT hash is password-equivalent for MSCHAPv2; this only covers that the
    # hash form of the credential is accepted.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", identity,
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c", **base)
1338 def test_ap_wpa2_eap_ttls_invalid_phase2(dev
, apdev
):
1339 """EAP-TTLS with invalid phase2 parameter values"""
1340 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1341 hostapd
.add_ap(apdev
[0], params
)
1342 tests
= [ "auth=MSCHAPv2", "auth=MSCHAPV2 autheap=MD5",
1343 "autheap=MD5 auth=MSCHAPV2", "auth=PAP auth=CHAP",
1344 "autheap=MD5 autheap=FOO autheap=MSCHAPV2" ]
1346 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
1347 identity
="DOMAIN\mschapv2 user",
1348 anonymous_identity
="ttls", password
="password",
1349 ca_cert
="auth_serv/ca.pem", phase2
=t
,
1350 wait_connect
=False, scan_freq
="2412")
1351 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD"], timeout
=10)
1352 if ev
is None or "method=21" not in ev
:
1353 raise Exception("EAP-TTLS not started")
1354 ev
= dev
[0].wait_event(["EAP: Failed to initialize EAP method",
1355 "CTRL-EVENT-CONNECTED"], timeout
=5)
1356 if ev
is None or "CTRL-EVENT-CONNECTED" in ev
:
1357 raise Exception("No EAP-TTLS failure reported for phase2=" + t
)
1358 dev
[0].request("REMOVE_NETWORK all")
1359 dev
[0].wait_disconnected()
1360 dev
[0].dump_monitor()
def test_ap_wpa2_eap_ttls_mschapv2_suffix_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2"""
    check_domain_match_full(dev[0])
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Only the parent domain is pinned here; the server name in the test
    # certificate (server.w1.fi) is expected to match as a suffix.
    eap_connect(dev[0], ap, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_suffix_match="w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_domain_match(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 (domain_match)"""
    check_domain_match(dev[0])
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Mixed-case value: the full-name match is expected to be
    # case-insensitive, as DNS names are.
    eap_connect(dev[0], ap, "TTLS", "DOMAIN\\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                domain_match="Server.w1.fi")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 - incorrect password"""
    skip_with_fips(dev[0])
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2", expect_failure=True)
    # Near-miss password for a valid account.
    eap_connect(dev[0], ap, "TTLS", "DOMAIN\\mschapv2 user",
                password="password1", **common)
    # Correct password for an account not expected to be accepted with
    # MSCHAPv2 (server-side user database; see auth_serv config).
    eap_connect(dev[1], ap, "TTLS", "user", password="password", **common)
1402 def test_ap_wpa2_eap_ttls_mschapv2_utf8(dev
, apdev
):
1403 """WPA2-Enterprise connection using EAP-TTLS/MSCHAPv2 and UTF-8 password"""
1404 skip_with_fips(dev
[0])
1405 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1406 hapd
= hostapd
.add_ap(apdev
[0], params
)
1407 eap_connect(dev
[0], hapd
, "TTLS", "utf8-user-hash",
1408 anonymous_identity
="ttls", password
="secret-åäö-€-password",
1409 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1410 eap_connect(dev
[1], hapd
, "TTLS", "utf8-user",
1411 anonymous_identity
="ttls",
1412 password_hex
="hash:bd5844fad2489992da7fe8c5a01559cf",
1413 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
1414 for p
in [ "80", "41c041e04141e041", 257*"41" ]:
1415 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1416 eap
="TTLS", identity
="utf8-user-hash",
1417 anonymous_identity
="ttls", password_hex
=p
,
1418 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
1419 wait_connect
=False, scan_freq
="2412")
1420 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=1)
1422 raise Exception("No failure reported")
1423 dev
[2].request("REMOVE_NETWORK all")
1424 dev
[2].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_gtc(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # autheap= selects an inner EAP method (here GTC, which sends the
    # password as a token inside the tunnel) rather than a plain PPP-style
    # auth= method.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=GTC")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_gtc_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - incorrect password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=GTC")
    # Wrong token for a valid account must be rejected by the server.
    eap_connect(dev[0], ap, "TTLS", "user", password="wrong",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_gtc_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - no password"""
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=GTC")
    # The account has no password configured on the server side; whatever
    # the peer sends, authentication must fail rather than succeed.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", password="password",
                expect_failure=True, **inner)
1454 def test_ap_wpa2_eap_ttls_eap_gtc_server_oom(dev
, apdev
):
1455 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC - server OOM"""
1456 params
= int_eap_server_params()
1457 hapd
= hostapd
.add_ap(apdev
[0], params
)
1458 with
alloc_fail(hapd
, 1, "eap_gtc_init"):
1459 eap_connect(dev
[0], hapd
, "TTLS", "user",
1460 anonymous_identity
="ttls", password
="password",
1461 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1462 expect_failure
=True)
1463 dev
[0].request("REMOVE_NETWORK all")
1465 with
alloc_fail(hapd
, 1, "eap_gtc_buildReq"):
1466 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1467 eap
="TTLS", identity
="user",
1468 anonymous_identity
="ttls", password
="password",
1469 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1470 wait_connect
=False, scan_freq
="2412")
1471 # This would eventually time out, but we can stop after having reached
1472 # the allocation failure.
1475 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
1478 def test_ap_wpa2_eap_ttls_eap_gtc_oom(dev
, apdev
):
1479 """WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)"""
1480 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
1481 hapd
= hostapd
.add_ap(apdev
[0], params
)
1483 tests
= [ "eap_gtc_init",
1484 "eap_msg_alloc;eap_gtc_process" ]
1486 with
alloc_fail(dev
[0], 1, func
):
1487 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
1489 eap
="TTLS", identity
="user",
1490 anonymous_identity
="ttls", password
="password",
1491 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC",
1493 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
1494 dev
[0].request("REMOVE_NETWORK all")
1495 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_ttls_eap_md5(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5"""
    # EAP-MD5 is optional in the build; skip rather than fail when absent.
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-MD5 as the inner method; on its own it derives no keys and is only
    # usable here because the TTLS tunnel provides them.
    eap_connect(dev[0], ap, "TTLS", "user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem", phase2="autheap=MD5")
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_ttls_eap_md5_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - incorrect password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MD5")
    # Wrong password for a valid account must be rejected.
    eap_connect(dev[0], ap, "TTLS", "user", password="wrong",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_md5_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - no password"""
    check_eap_capa(dev[0], "MD5")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MD5")
    # Account with no server-side password: must fail, never succeed.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", password="password",
                expect_failure=True, **inner)
1528 def test_ap_wpa2_eap_ttls_eap_md5_server_oom(dev
, apdev
):
1529 """WPA2-Enterprise connection using EAP-TTLS/EAP-MD5 - server OOM"""
1530 check_eap_capa(dev
[0], "MD5")
1531 params
= int_eap_server_params()
1532 hapd
= hostapd
.add_ap(apdev
[0], params
)
1533 with
alloc_fail(hapd
, 1, "eap_md5_init"):
1534 eap_connect(dev
[0], hapd
, "TTLS", "user",
1535 anonymous_identity
="ttls", password
="password",
1536 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1537 expect_failure
=True)
1538 dev
[0].request("REMOVE_NETWORK all")
1540 with
alloc_fail(hapd
, 1, "eap_md5_buildReq"):
1541 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
1542 eap
="TTLS", identity
="user",
1543 anonymous_identity
="ttls", password
="password",
1544 ca_cert
="auth_serv/ca.pem", phase2
="autheap=MD5",
1545 wait_connect
=False, scan_freq
="2412")
1546 # This would eventually time out, but we can stop after having reached
1547 # the allocation failure.
1550 if hapd
.request("GET_ALLOC_FAIL").startswith('0'):
def test_ap_wpa2_eap_ttls_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")

    # Positive path: full authentication, data connectivity, then reauth.
    eap_connect(dev[0], ap, "TTLS", "user", password="password", **inner)
    hwsim_utils.test_connectivity(dev[0], ap)
    eap_reauth(dev[0], "TTLS")

    logger.info("Negative test with incorrect password")
    # Near-miss password on the same account must be rejected.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], ap, "TTLS", "user", password="password1",
                expect_failure=True, **inner)
def test_ap_wpa2_eap_ttls_eap_mschapv2_no_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - no password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    ap = hostapd.add_ap(apdev[0],
                        hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    inner = dict(anonymous_identity="ttls", ca_cert="auth_serv/ca.pem",
                 phase2="autheap=MSCHAPV2")
    # Account with no server-side password: must fail, never succeed.
    eap_connect(dev[0], ap, "TTLS", "user-no-passwd", password="password",
                expect_failure=True, **inner)
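def test_ap_wpa2_eap_ttls_eap_mschapv2_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-MSCHAPv2 - server OOM

    Injects one allocation failure into each of four server-side EAP-MSCHAPv2
    functions and checks that the authentication does not complete.

    The hand-rolled GET_ALLOC_FAIL poll loop of the original (whose loop
    lines are missing from the rendered copy of this file) is replaced with
    the already-imported wait_fail_trigger() helper, which also fails the
    test if the injected failure point is never reached instead of silently
    moving on.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)

    # First failure point: method init - the whole connection attempt is
    # expected to fail, so let eap_connect() verify that.
    with alloc_fail(hapd, 1, "eap_mschapv2_init"):
        eap_connect(dev[0], hapd, "TTLS", "user",
                    anonymous_identity="ttls", password="password",
                    ca_cert="auth_serv/ca.pem", phase2="autheap=MSCHAPV2",
                    expect_failure=True)
    dev[0].request("REMOVE_NETWORK all")

    # Remaining failure points: each attempt would eventually time out, so
    # only wait until the server reports that the allocation failure was hit
    # and then tear the network down. The failure-request case uses a wrong
    # password so that the server actually builds a failure request.
    tests = [("eap_mschapv2_build_challenge", "password"),
             ("eap_mschapv2_build_success_req", "password"),
             ("eap_mschapv2_build_failure_req", "wrong")]
    for func, password in tests:
        with alloc_fail(hapd, 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="TTLS", identity="user",
                           anonymous_identity="ttls", password=password,
                           ca_cert="auth_serv/ca.pem",
                           phase2="autheap=MSCHAPV2",
                           wait_connect=False, scan_freq="2412")
            wait_fail_trigger(hapd, "GET_ALLOC_FAIL")
        dev[0].request("REMOVE_NETWORK all")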
def test_ap_wpa2_eap_ttls_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-SIM credentials of the hwsim test subscriber: the identity is the
    # test IMSI with the EAP-SIM type prefix digit, the "password" is the
    # Ki:OPc pair consumed by the simulated HLR/AuC.
    imsi = "1232010000000000"
    sim_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    eap_connect(dev[0], hapd, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=sim_key,
                ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    eap_reauth(dev[0], "TTLS")
def run_ext_sim_auth(dev):
    """Serve one external GSM-AUTH request for *dev* and verify reauthentication.

    Waits for the CTRL-REQ-SIM request from wpa_supplicant, computes the
    response with the hlr_auc_gw tool and feeds it back via CTRL-RSP-SIM,
    then triggers REAUTHENTICATE and checks that EAP success and the key
    negotiation complete. Raises Exception on any timeout or unexpected
    response.

    NOTE(review): the ``if ev is None:`` guard lines are absent from the
    rendered copy of this file and were reconstructed from the raise that
    follows each wait_event(); the hlr_auc_gw argument line between the
    binary and the Milenage DB path was likewise absent.
    """
    req = dev.wait_event(["CTRL-REQ-SIM"], timeout=15)
    if req is None:
        raise Exception("Wait for external SIM processing request timed out")
    # Expected shape: CTRL-REQ-SIM-<id>:GSM-AUTH:<rand>[ ...]
    parts = req.split(':', 2)
    if parts[1] != "GSM-AUTH":
        raise Exception("Unexpected CTRL-REQ-SIM type")
    rid = parts[0].split('-')[3]
    rand = parts[2].split(' ')[0]

    cmd = ["../../hostapd/hlr_auc_gw",
           "-m",  # NOTE(review): reconstructed, line absent from the page
           "auth_serv/hlr_auc_gw.milenage_db",
           "GSM-AUTH-REQ 232010000000000 " + rand]
    # NOTE(review): check_output() returns str under Python 2; a Python 3
    # port would have to decode the bytes before the string checks below.
    res = subprocess.check_output(cmd)
    if "GSM-AUTH-RESP" not in res:
        raise Exception("Unexpected hlr_auc_gw response")
    resp = res.split(' ')[2].rstrip()

    dev.request("CTRL-RSP-SIM-" + rid + ":GSM-AUTH:" + resp)
    dev.wait_connected(timeout=15)

    # Fast reauthentication must complete without another SIM request.
    dev.request("REAUTHENTICATE")
    expected = (("CTRL-EVENT-EAP-SUCCESS",
                 "EAP reauthentication did not succeed"),
                ("WPA: Key negotiation completed",
                 "Key negotiation did not complete"))
    for event, err in expected:
        if dev.wait_event([event], timeout=5) is None:
            raise Exception(err)
def test_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try/finally keywords are absent from the rendered
    # page; the structure is reconstructed so that external_sim is always
    # reset even when the run_ helper raises.
    try:
        run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_ttls_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_ttls_eap_sim_ext().

    Enables external SIM processing on dev[0], starts an EAP-TTLS/EAP-SIM
    connection without waiting for it and lets run_ext_sim_auth() answer the
    GSM-AUTH request. The caller is responsible for resetting external_sim.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim_cfg = dict(identity="1232010000000000",
                   anonymous_identity="1232010000000000@ttls",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="autheap=SIM")
    dev[0].connect("test-wpa2-eap", eap="TTLS", key_mgmt="WPA-EAP",
                   wait_connect=False, scan_freq="2412", **sim_cfg)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_peap_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "1232010000000000"
    sim_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581"
    # Same subscriber as the EAP-TTLS/EAP-SIM case, tunneled in PEAP.
    eap_connect(dev[0], hapd, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=sim_key,
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try/finally keywords are absent from the rendered
    # page; reconstructed so that external_sim is always reset.
    try:
        run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_peap_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_peap_eap_sim_ext().

    Enables external SIM processing, starts an EAP-PEAP/EAP-SIM connection
    without waiting and lets run_ext_sim_auth() serve the GSM-AUTH request.
    The caller resets external_sim afterwards.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim_cfg = dict(identity="1232010000000000",
                   anonymous_identity="1232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                   wait_connect=False, scan_freq="2412", **sim_cfg)
    run_ext_sim_auth(dev[0])
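def test_ap_wpa2_eap_fast_eap_sim(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM

    Skips (HwsimSkip) instead of failing when EAP-FAST is not built into
    wpa_supplicant, matching test_ap_wpa2_eap_fast_eap_aka().
    """
    check_eap_capa(dev[0], "FAST")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # fast_provisioning=2 with a blob PAC file: authenticated provisioning of
    # the PAC during the first connection, then reuse it on reauthentication.
    eap_connect(dev[0], hapd, "FAST", "1232010000000000",
                anonymous_identity="1232010000000000@fast",
                password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_auth_sim",
                ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    eap_reauth(dev[0], "FAST")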
def test_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-SIM and external GSM auth"""
    check_hlr_auc_gw_support()
    # NOTE(review): the try/finally keywords are absent from the rendered
    # page; reconstructed so that external_sim is always reset.
    try:
        run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev)
    finally:
        dev[0].request("SET external_sim 0")
def run_ap_wpa2_eap_fast_eap_sim_ext(dev, apdev):
    """Body of test_ap_wpa2_eap_fast_eap_sim_ext().

    NOTE(review): despite the test name, the connection is configured with
    eap="PEAP" and a "@peap" anonymous identity while carrying EAP-FAST
    provisioning/PAC parameters; this looks like a copy of the PEAP variant
    and is reproduced unchanged here - confirm whether EAP-FAST was intended.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].request("SET external_sim 1")
    sim_cfg = dict(identity="1232010000000000",
                   anonymous_identity="1232010000000000@peap",
                   password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
                   phase1="fast_provisioning=2",
                   pac_file="blob://fast_pac_auth_sim",
                   ca_cert="auth_serv/ca.pem", phase2="auth=SIM")
    dev[0].connect("test-wpa2-eap", eap="PEAP", key_mgmt="WPA-EAP",
                   wait_connect=False, scan_freq="2412", **sim_cfg)
    run_ext_sim_auth(dev[0])
def test_ap_wpa2_eap_ttls_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/EAP-AKA"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # EAP-AKA subscriber: type prefix "0" on the IMSI and a Ki:OPc:SQN
    # triple (the trailing sequence number is what distinguishes it from
    # the EAP-SIM credentials used elsewhere in this file).
    imsi = "0232010000000000"
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "TTLS", imsi,
                anonymous_identity=imsi + "@ttls",
                password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="autheap=AKA")
    eap_reauth(dev[0], "TTLS")
def test_ap_wpa2_eap_peap_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-AKA"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    eap_connect(dev[0], hapd, "PEAP", imsi,
                anonymous_identity=imsi + "@peap",
                password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA")
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_fast_eap_aka(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/EAP-AKA"""
    check_eap_capa(dev[0], "FAST")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    imsi = "0232010000000000"
    aka_key = "90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123"
    # Authenticated PAC provisioning into a config blob on first connect.
    fast_cfg = dict(phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth_aka")
    eap_connect(dev[0], hapd, "FAST", imsi,
                anonymous_identity=imsi + "@fast",
                password=aka_key,
                ca_cert="auth_serv/ca.pem", phase2="auth=AKA",
                **fast_cfg)
    eap_reauth(dev[0], "FAST")
def test_ap_wpa2_eap_peap_eap_mschapv2(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2

    Covers: plain connection with data connectivity and reauthentication,
    a small EAP fragment size, the password supplied as an NT hash
    (password_hex="hash:...") instead of plaintext, and a negative case with
    an incorrect password.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", ca_cert="auth_serv/ca.pem",
                  phase2="auth=MSCHAPV2")

    eap_connect(dev[0], hapd, "PEAP", "user", password="password", **common)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    # Force EAP fragmentation with a deliberately small fragment size.
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                fragment_size="200", **common)

    logger.info("Password as hash value")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user",
                password_hex="hash:8846f7eaee8fb117ad06bdd830b7586c",
                **common)

    logger.info("Negative test with incorrect password")
    dev[0].request("REMOVE_NETWORK all")
    eap_connect(dev[0], hapd, "PEAP", "user", password="password1",
                expect_failure=True, **common)
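def test_ap_wpa2_eap_peap_eap_mschapv2_domain(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 with domain

    The identity carries a Windows-style DOMAIN\\user prefix. The backslash
    is now written as an escaped "\\\\": under Python 2 the resulting bytes
    are identical to the previous literal, while under Python 3 the old
    "\\user3" would be rejected as a truncated \\uXXXX escape.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PEAP", "DOMAIN\\user3",
                anonymous_identity="peap", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")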
def test_ap_wpa2_eap_peap_eap_mschapv2_incorrect_password(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2 - incorrect password"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Wrong password for a valid user: the inner method must reject it and
    # eap_connect() is told to expect the failure.
    eap_connect(dev[0], hapd, "PEAP", "user",
                anonymous_identity="peap", password="wrong",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                expect_failure=True)
def test_ap_wpa2_eap_peap_crypto_binding(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding

    Connects three stations with PEAPv0, each with a different crypto_binding
    phase1 setting (2 = required, 1 = optional, 0 = not used); only the
    first one is additionally checked for data connectivity and
    reauthentication.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def connect(sta, binding):
        eap_connect(sta, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=" + binding,
                    phase2="auth=MSCHAPV2")

    connect(dev[0], "2")
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP")

    connect(dev[1], "1")
    connect(dev[2], "0")
def test_ap_wpa2_eap_peap_crypto_binding_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and crypto binding with server OOM"""
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0], int_eap_server_params())
    # With crypto binding required, a failed key derivation in the server's
    # inner method (eap_mschapv2_getKey) must make the connection fail; the
    # failure is reported locally rather than by an EAP-Failure from the
    # server (local_error_report=True).
    with alloc_fail(hapd, 1, "eap_mschapv2_getKey"):
        eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem",
                    phase1="peapver=0 crypto_binding=2",
                    phase2="auth=MSCHAPV2",
                    expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_peap_params(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAPv0/EAP-MSCHAPv2 and various parameters

    NOTE(review): several lines of this function are absent from the
    rendered copy of the file - the ``if ev is None:`` / ``is not None``
    guards after wait_event(), the ``identity="user"`` argument of two
    connect() calls, one entry of the first ``tests`` list and the trailing
    ``scan_freq`` argument of the first loop's connect(). They were
    reconstructed from the surrounding calls; confirm against the original.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    common = dict(anonymous_identity="peap", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")

    # PEAPv0 with peaplabel=1 is expected to fail.
    eap_connect(dev[0], hapd, "PEAP", "user",
                phase1="peapver=0 peaplabel=1", expect_failure=True,
                **common)
    dev[0].request("REMOVE_NETWORK all")

    # peap_outer_success=0: EAP success is reported but the connection is
    # not expected to complete, so stop as soon as the success event is seen.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", phase1="peap_outer_success=0",
                   wait_connect=False, scan_freq="2412", **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    # This won't succeed to connect with peap_outer_success=0, so stop here.
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()

    # The other two peap_outer_success modes connect normally.
    for sta, outer in ((dev[1], "peap_outer_success=1"),
                       (dev[2], "peap_outer_success=2")):
        eap_connect(sta, hapd, "PEAP", "user", password="password",
                    ca_cert="auth_serv/ca.pem", phase1=outer,
                    phase2="auth=MSCHAPV2")

    # PEAPv1 with peaplabel=1: EAP success but no connection within 1 s.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", phase1="peapver=1 peaplabel=1",
                   wait_connect=False, scan_freq="2412", **common)
    if dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15) is None:
        raise Exception("No EAP success seen")
    if dev[0].wait_event(["CTRL-EVENT-CONNECTED"], timeout=1) is not None:
        raise Exception("Unexpected connection")

    # Anonymous identity presumably steers the server's PEAP version; these
    # (anonymous identity, phase1) pairs are consistent and must connect.
    # One list entry is absent from the rendered page.
    tests = [("peap-ver0", ""),
             ("peap-ver0", "peapver=0"),
             ("peap-ver1", "peapver=1")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       scan_freq="2412")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Version mismatch between the two sides must end in EAP-Failure.
    tests = [("peap-ver0", "peapver=1"),
             ("peap-ver1", "peapver=0")]
    for anon, phase1 in tests:
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PEAP",
                       identity="user", anonymous_identity=anon,
                       password="password", phase1=phase1,
                       ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                       wait_connect=False, scan_freq="2412")
        if dev[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15) is None:
            raise Exception("No EAP-Failure seen")
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    # Explicit TLS tuning parameters on phase1 (session tickets disabled,
    # MD5 allowed, all TLS 1.x versions enabled, no external cert check).
    eap_connect(dev[0], hapd, "PEAP", "user", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_allow_md5=1 tls_disable_session_ticket=1 tls_disable_tlsv1_0=0 tls_disable_tlsv1_1=0 tls_disable_tlsv1_2=0 tls_ext_cert_check=0",
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_peap_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-PEAP/EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Inner EAP-TLS uses the phase 2 credential set (*2 parameters).
    inner_tls = dict(ca_cert2="auth_serv/ca.pem",
                     client_cert2="auth_serv/user.pem",
                     private_key2="auth_serv/user.key")
    eap_connect(dev[0], hapd, "PEAP", "cert user",
                ca_cert="auth_serv/ca.pem", phase2="auth=TLS",
                **inner_tls)
    eap_reauth(dev[0], "PEAP")
def test_ap_wpa2_eap_tls(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
    eap_reauth(dev[0], "TLS")
def test_eap_tls_pkcs8_pkcs5_v2_des3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v2 DES3 key"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # Encrypted PKCS #8 private key; the passphrase is supplied up front.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8",
                 private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
def test_eap_tls_pkcs8_pkcs5_v15(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS #8, PKCS #5 v1.5 key"""
    # Legacy PKCS #5 v1.5 key encryption is not available in every TLS
    # library build; skip rather than fail when unsupported.
    check_pkcs5_v15_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key.pkcs8.pkcs5v15",
                 private_key_passwd="whatever")
    eap_connect(dev[0], hapd, "TLS", "tls user", **creds)
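def test_ap_wpa2_eap_tls_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and config blobs

    Loads the CA certificate, client certificate and private key into
    wpa_supplicant config blobs and references them as blob:// URIs.
    The error raised for a failed userkey blob previously said "cacert";
    it now names the blob that actually failed.
    """
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    blobs = [("cacert", "auth_serv/ca.pem"),
             ("usercert", "auth_serv/user.pem"),
             ("userkey", "auth_serv/user.rsa-key")]
    for name, path in blobs:
        data = read_pem(path)
        # str.encode("hex") is Python 2 only; the control interface takes
        # the blob contents as a hex string.
        if "OK" not in dev[0].request("SET blob " + name + " " +
                                      data.encode("hex")):
            raise Exception("Could not set " + name + " blob")
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                client_cert="blob://usercert",
                private_key="blob://userkey")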
def test_ap_wpa2_eap_tls_blob_missing(dev, apdev):
    """EAP-TLS and config blob missing

    All three credential references point at a blob that was never set, so
    the EAP method must fail to initialize rather than connect.
    NOTE(review): the ``if ev is None:`` guard is absent from the rendered
    page and reconstructed from the raise that follows.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    missing = "blob://testing-blob-does-not-exist"
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert=missing, client_cert=missing, private_key=missing,
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["EAP: Failed to initialize EAP method"],
                           timeout=10)
    if ev is None:
        raise Exception("EAP failure not reported")
    dev[0].request("REMOVE_NETWORK all")
    dev[0].wait_disconnected()
def test_ap_wpa2_eap_tls_with_tls_len(dev, apdev):
    """EAP-TLS and TLS Message Length in unfragmented packets"""
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # include_tls_length=1 makes the peer add the TLS Message Length field
    # even when the message is not fragmented.
    creds = dict(ca_cert="auth_serv/ca.pem",
                 client_cert="auth_serv/user.pem",
                 private_key="auth_serv/user.key")
    eap_connect(dev[0], hapd, "TLS", "tls user",
                phase1="include_tls_length=1", **creds)
def test_ap_wpa2_eap_tls_pkcs12(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12

    Three variants: passphrase given in the network block, passphrase
    requested interactively through CTRL-REQ-PASSPHRASE, and two PKCS#12
    files carrying an extra certificate.
    NOTE(review): the ``if ev is None:`` guard and the ``private_key``
    argument of the final loop's eap_connect() are absent from the rendered
    page and were reconstructed.
    """
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def reset():
        dev[0].request("REMOVE_NETWORK all")
        dev[0].wait_disconnected()

    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever")
    reset()

    # No private_key_passwd configured: wpa_supplicant must ask for it and
    # the test answers through the control interface.
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   private_key="auth_serv/user.pkcs12",
                   wait_connect=False, scan_freq="2412")
    ev = dev[0].wait_event(["CTRL-REQ-PASSPHRASE"])
    if ev is None:
        raise Exception("Request for private key passphrase timed out")
    req_id = ev.split(':')[0].split('-')[-1]
    dev[0].request("CTRL-RSP-PASSPHRASE-" + req_id + ":whatever")
    dev[0].wait_connected(timeout=10)
    reset()

    # Run this twice to verify certificate chain handling with OpenSSL. Use two
    # different files to cover both cases of the extra certificate being the
    # one that signed the client certificate and it being unrelated to the
    # client certificate.
    for pkcs12 in ("auth_serv/user2.pkcs12", "auth_serv/user3.pkcs12"):
        eap_connect(dev[0], hapd, "TLS", "tls user",
                    ca_cert="auth_serv/ca.pem",
                    private_key=pkcs12,
                    private_key_passwd="whatever")
        reset()
def test_ap_wpa2_eap_tls_pkcs12_blob(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and PKCS#12 from configuration blob"""
    check_pkcs12_support(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def set_blob(name, data):
        # Blob contents go over the control interface as a hex string
        # (str.encode("hex") is Python 2 only).
        res = dev[0].request("SET blob " + name + " " + data.encode("hex"))
        if "OK" not in res:
            raise Exception("Could not set " + name + " blob")

    set_blob("cacert", read_pem("auth_serv/ca.pem"))
    with open("auth_serv/user.pkcs12", "rb") as f:
        set_blob("pkcs12", f.read())
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="blob://cacert",
                private_key="blob://pkcs12",
                private_key_passwd="whatever")
def test_ap_wpa2_eap_tls_neg_incorrect_trust_root(dev, apdev):
    """WPA2-Enterprise negative test - incorrect trust root

    Two stations are configured with a CA that did not issue the server
    certificate (one via a config blob, one via a file). For each, the
    expected sequence is: EAP started, TTLS selected, TLS certificate error,
    EAP failure, disconnection and temporary disabling of the network block.
    NOTE(review): the ``if ev is None:`` guards are absent from the rendered
    page and were reconstructed from the raise that follows each wait.
    """
    check_eap_capa(dev[0], "MSCHAPV2")
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    cert = read_pem("auth_serv/ca-incorrect.pem")
    if "OK" not in dev[0].request("SET blob cacert " + cert.encode("hex")):
        raise Exception("Could not set cacert blob")

    ttls = dict(key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="blob://cacert", **ttls)
    dev[1].connect("test-wpa2-eap", ca_cert="auth_serv/ca-incorrect.pem",
                   **ttls)

    def expect(sta, events, timeout, err):
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    results = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]
    # Loop variable renamed from the original "dev" so the parameter is not
    # shadowed inside the loop.
    for sta in (dev[0], dev[1]):
        expect(sta, ["CTRL-EVENT-EAP-STARTED"], 16,
               "Association and EAP start timed out")

        ev = expect(sta, ["CTRL-EVENT-EAP-METHOD"], 10,
                    "EAP method selection timed out")
        if "TTLS" not in ev:
            raise Exception("Unexpected EAP method")

        ev = expect(sta, ["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + results, 10,
                    "EAP result timed out")
        if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
            raise Exception("TLS certificate error not reported")

        ev = expect(sta, results, 10, "EAP result(2) timed out")
        if "CTRL-EVENT-EAP-FAILURE" not in ev:
            raise Exception("EAP failure not reported")

        ev = expect(sta, ["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"],
                    10, "EAP result(3) timed out")
        if "CTRL-EVENT-DISCONNECTED" not in ev:
            raise Exception("Disconnection not reported")

        expect(sta, ["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
               "Network block disabling not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Connects with the correct CA, then switches to a second network block
    that trusts the wrong CA for the same SSID: EAP-TTLS must be restarted
    (not resumed) and the station must be disconnected with reason code 23
    (IEEE 802.1X authentication failed).
    NOTE(review): the ``if ev is None:`` guard is absent from the rendered
    page and reconstructed from the raise that follows.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="pap user", anonymous_identity="ttls",
               password="password", phase2="auth=PAP", scan_freq="2412")
    dev[0].connect("test-wpa2-eap", ca_cert="auth_serv/ca.pem",
                   wait_connect=True, **pap)
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    # method=21 is EAP-TTLS.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust2(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant of test_ap_wpa2_eap_tls_diff_ca_trust() where the first network
    block has no ca_cert at all (no server certificate validation) and the
    second one trusts the wrong CA. The switch must restart EAP-TTLS and end
    in a disconnection with reason code 23 (IEEE 802.1X authentication
    failed).
    NOTE(review): the ``if ev is None:`` guard is absent from the rendered
    page and reconstructed from the raise that follows.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    pap = dict(key_mgmt="WPA-EAP", eap="TTLS",
               identity="pap user", anonymous_identity="ttls",
               password="password", phase2="auth=PAP", scan_freq="2412")
    dev[0].connect("test-wpa2-eap", wait_connect=True, **pap)
    net_id = dev[0].connect("test-wpa2-eap",
                            ca_cert="auth_serv/ca-incorrect.pem",
                            only_add_network=True, **pap)

    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_diff_ca_trust3(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS/PAP and different CA trust

    Variant where the same network block is reused: after a successful
    connection its ca_cert is changed to the wrong CA and the network is
    re-selected. EAP-TTLS must be restarted and the station disconnected
    with reason code 23 (IEEE 802.1X authentication failed).
    NOTE(review): the ``if ev is None:`` guard is absent from the rendered
    page and reconstructed from the raise that follows.
    """
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                            identity="pap user", anonymous_identity="ttls",
                            password="password", phase2="auth=PAP",
                            ca_cert="auth_serv/ca.pem",
                            wait_connect=True, scan_freq="2412")
    dev[0].request("DISCONNECT")
    dev[0].wait_disconnected()
    dev[0].dump_monitor()
    dev[0].set_network_quoted(net_id, "ca_cert", "auth_serv/ca-incorrect.pem")
    dev[0].select_network(net_id, freq="2412")

    ev = dev[0].wait_event(["CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=21"],
                           timeout=15)
    if ev is None:
        raise Exception("EAP-TTLS not re-started")

    ev = dev[0].wait_disconnected(timeout=15)
    if "reason=23" not in ev:
        raise Exception("Proper reason code for disconnection not reported")
def test_ap_wpa2_eap_tls_neg_suffix_match(dev, apdev):
    """WPA2-Enterprise negative test - domain suffix mismatch

    The server certificate is trusted but domain_suffix_match names a
    suffix it does not carry; the expected sequence is EAP started, TTLS
    selected, a TLS certificate error mentioning the suffix mismatch, EAP
    failure, disconnection and temporary disabling of the network block.
    NOTE(review): the ``if ev is None:`` guards are absent from the rendered
    page and were reconstructed from the raise that follows each wait.
    """
    check_domain_suffix_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_suffix_match="incorrect.example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    results = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10,
                "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + results, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain suffix mismatch" not in ev:
        raise Exception("Domain suffix mismatch not reported")

    ev = expect(results, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_domain_match(dev, apdev):
    """WPA2-Enterprise negative test - domain mismatch

    Like the suffix-match case but with the full-domain constraint
    domain_match="w1.fi", which the server certificate must fail; the TLS
    certificate error has to report "Domain mismatch" and the connection
    must end in EAP failure, disconnection and a temporarily disabled
    network block.
    NOTE(review): the ``if ev is None:`` guards are absent from the rendered
    page and were reconstructed from the raise that follows each wait.
    """
    check_domain_match(dev[0])
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   domain_match="w1.fi",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    results = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD"], 10,
                "EAP method selection timed out")
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + results, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Domain mismatch" not in ev:
        raise Exception("Domain mismatch not reported")

    ev = expect(results, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_subject_match(dev, apdev):
    """WPA2-Enterprise negative test - subject mismatch

    subject_match names a subject the server certificate does not have. If
    the TLS library does not support subject_match at all, the EAP method
    fails to initialize; that counts as a pass unless the library is
    OpenSSL, which is expected to support it. Otherwise the TLS certificate
    error must report "Subject mismatch" and the usual failure sequence
    (EAP failure, disconnection, temporarily disabled network) must follow.
    NOTE(review): the ``if ev is None:`` guards and the ``return`` after the
    "not supported" log line are absent from the rendered page and were
    reconstructed.
    """
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                   identity="DOMAIN\\mschapv2 user", anonymous_identity="ttls",
                   password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem",
                   subject_match="/C=FI/O=w1.fi/CN=example.com",
                   wait_connect=False, scan_freq="2412")

    def expect(events, timeout, err):
        ev = dev[0].wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    results = ["CTRL-EVENT-EAP-SUCCESS", "CTRL-EVENT-EAP-FAILURE",
               "CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"]

    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")

    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        tls = dev[0].request("GET tls_library")
        if tls.startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("subject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"] + results, 10,
                "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "Subject mismatch" not in ev:
        raise Exception("Subject mismatch not reported")

    ev = expect(results, 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED", "CTRL-EVENT-DISCONNECTED"], 10,
                "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")
def test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev):
    """WPA2-Enterprise negative test - altsubject mismatch"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Each entry is an altsubject_match value that the test server's
    # certificate must NOT satisfy; the helper checks that the supplicant
    # aborts the TLS tunnel for each one.
    tests = [ "incorrect.example.com",
              "DNS:incorrect.example.com",
    # NOTE(review): original lines 2400-2402 (the remaining list entries,
    # the closing bracket and the loop header that binds "match" -
    # presumably "for match in tests:") are absent from this rendered
    # listing; restore them from the repository before running.
    _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match)
def _test_ap_wpa2_eap_tls_neg_altsubject_match(dev, apdev, match):
    # Run one altsubject_match value the server certificate must not
    # satisfy and check the full failure path: TLS certificate error, EAP
    # failure, disconnection and temporary disabling of the network block.
    # NOTE(review): recovered from a rendered listing that dropped short
    # lines; the "if ev is None:" guards and the early return after the
    # "not supported" log follow the suite's usual pattern - confirm
    # against the repository.
    sta = dev[0]

    def expect(events, timeout, err):
        # Wait for one of events; not seeing any of them is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="auth_serv/ca.pem",
                altsubject_match=match,
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-METHOD",
                 "EAP: Failed to initialize EAP method"], 10,
                "EAP method selection timed out")
    if "EAP: Failed to initialize EAP method" in ev:
        # Only OpenSSL builds are expected to support altsubject_match.
        if sta.request("GET tls_library").startswith("OpenSSL"):
            raise Exception("Failed to select EAP method")
        logger.info("altsubject_match not supported - connection failed, so test succeeded")
        return
    if "TTLS" not in ev:
        raise Exception("Unexpected EAP method")

    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR",
                 "CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result timed out")
    if "CTRL-EVENT-EAP-TLS-CERT-ERROR" not in ev:
        raise Exception("TLS certificate error not reported")
    if "AltSubject mismatch" not in ev:
        raise Exception("altsubject mismatch not reported")

    ev = expect(["CTRL-EVENT-EAP-SUCCESS",
                 "CTRL-EVENT-EAP-FAILURE",
                 "CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(2) timed out")
    if "CTRL-EVENT-EAP-FAILURE" not in ev:
        raise Exception("EAP failure not reported")

    ev = expect(["CTRL-EVENT-CONNECTED",
                 "CTRL-EVENT-DISCONNECTED"], 10, "EAP result(3) timed out")
    if "CTRL-EVENT-DISCONNECTED" not in ev:
        raise Exception("Disconnection not reported")

    expect(["CTRL-EVENT-SSID-TEMP-DISABLED"], 10,
           "Network block disabling not reported")

    # Leave no network block behind for the next match value.
    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_unauth_tls(dev, apdev):
    """WPA2-Enterprise connection using UNAUTH-TLS"""
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)
    # No client certificate is configured for this method; the server is
    # still validated against the pinned CA in ca_cert.
    eap_connect(dev[0], hapd, "UNAUTH-TLS", "unauth-tls",
                ca_cert="auth_serv/ca.pem")
    eap_reauth(dev[0], "UNAUTH-TLS")
def test_ap_wpa2_eap_ttls_server_cert_hash(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash"""
    # NOTE(review): recovered from a rendered listing that dropped short
    # lines; the "if ev is None:" guards before each raise were restored
    # from the suite's usual pattern - confirm against the repository.
    check_cert_probe_support(dev[0])
    skip_with_fips(dev[0])
    sta = dev[0]
    # SHA-256 fingerprint of the test server certificate.
    srv_cert_hash = "bdb9cb55d3df278e52a071abf58e7f0238fbec3ad8fb2c254742f63562628272"
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def expect(events, timeout, err):
        # Wait for one of events; not seeing any of them is a test failure.
        ev = sta.wait_event(events, timeout=timeout)
        if ev is None:
            raise Exception(err)
        return ev

    # Step 1: ca_cert="probe://" with no password only fetches the server
    # certificate chain; the peer-cert event must carry the expected
    # fingerprint and the attempt ends in a certificate error.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="probe", ca_cert="probe://",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-PEER-CERT depth=0"], 10,
                "No peer server certificate event seen")
    if "hash=" + srv_cert_hash not in ev:
        raise Exception("Expected server certificate hash not reported")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate chain probe" not in ev:
        raise Exception("Server certificate probe not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 2: pinning a different SHA-256 fingerprint must fail with a
    # certificate mismatch before any inner credentials are used.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                identity="DOMAIN\mschapv2 user", anonymous_identity="ttls",
                password="password", phase2="auth=MSCHAPV2",
                ca_cert="hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
                wait_connect=False, scan_freq="2412")
    expect(["CTRL-EVENT-EAP-STARTED"], 16,
           "Association and EAP start timed out")
    ev = expect(["CTRL-EVENT-EAP-TLS-CERT-ERROR"], 10, "EAP result timed out")
    if "Server certificate mismatch" not in ev:
        raise Exception("Server certificate mismatch not reported")
    sta.wait_disconnected(timeout=10)
    sta.request("REMOVE_NETWORK all")

    # Step 3: pinning the fingerprint learned in step 1 authenticates the
    # server and the full EAP-TTLS/MSCHAPv2 connection succeeds.
    eap_connect(sta, hapd, "TTLS", "DOMAIN\mschapv2 user",
                anonymous_identity="ttls", password="password",
                ca_cert="hash://server/sha256/" + srv_cert_hash,
                phase2="auth=MSCHAPV2")
def test_ap_wpa2_eap_ttls_server_cert_hash_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and server certificate hash (invalid config)"""
    # NOTE(review): recovered from a rendered listing that dropped short
    # lines; the "if ev is None:" guards before the two raises were
    # restored from the suite's usual pattern - confirm against the
    # repository.
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # Three malformed server-certificate pins, one per station: an MD5
    # fingerprint, a truncated SHA-256 value and a non-hex character.
    # Each must stop the EAP-TTLS method from initialising at all rather
    # than degrade to an unverified server.
    bad_pins = [
        "hash://server/md5/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6a",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca",
        "hash://server/sha256/5a1bc1296205e6fdbe3979728efe3920798885c1c4590b5f90f43222d239ca6Q",
    ]
    for idx, pin in enumerate(bad_pins):
        dev[idx].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                         identity="DOMAIN\mschapv2 user",
                         anonymous_identity="ttls",
                         password="password", phase2="auth=MSCHAPV2",
                         ca_cert=pin,
                         wait_connect=False, scan_freq="2412")

    for idx in range(3):
        sta = dev[idx]
        if sta.wait_event(["CTRL-EVENT-EAP-STARTED"], timeout=16) is None:
            raise Exception("Association and EAP start timed out")
        ev = sta.wait_event(["EAP: Failed to initialize EAP method: vendor 0 method 21 (TTLS)"],
                            timeout=5)
        if ev is None:
            raise Exception("Did not report EAP method initialization failure")
def test_ap_wpa2_eap_pwd(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd"""
    check_eap_capa(dev[0], "PWD")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")
    eap_reauth(dev[0], "PWD")
    dev[0].request("REMOVE_NETWORK all")

    # Very long identity (presumably to exercise fragmentation - confirm).
    eap_connect(dev[1], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # NOTE(review): original lines 2558-2559 (the remaining keyword
    # arguments and closing parenthesis of this call) are absent from this
    # rendered listing.

    logger.info("Negative test with incorrect password")
    # Wrong password must fail; local_error_report=True expects the
    # failure to be reported locally by the station.
    eap_connect(dev[2], hapd, "PWD", "pwd user", password="secret-password",
                expect_failure=True, local_error_report=True)

    eap_connect(dev[0], hapd, "PWD",
                "pwd.user@test123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890.example.com",
                password="secret password",
    # NOTE(review): original lines 2567-2568 (the remaining keyword
    # arguments and closing parenthesis of this call) are absent from this
    # rendered listing.
def test_ap_wpa2_eap_pwd_nthash(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd and NTHash"""
    check_eap_capa(dev[0], "PWD")
    skip_with_fips(dev[0])
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    nt_hash = "hash:e3718ece8ab74792cbbfffd316d2d19a"
    # User "pwd-hash" authenticates either with the cleartext password or
    # with its NT hash supplied via password_hex: the stored hash is
    # accepted in place of the password and must be protected like one.
    eap_connect(dev[0], hapd, "PWD", "pwd-hash", password="secret password")
    eap_connect(dev[1], hapd, "PWD", "pwd-hash", password_hex=nt_hash)
    # The same hash must not authenticate a different user.
    eap_connect(dev[2], hapd, "PWD", "pwd user", password_hex=nt_hash,
                expect_failure=True, local_error_report=True)
def test_ap_wpa2_eap_pwd_groups(dev, apdev):
    """WPA2-Enterprise connection using various EAP-pwd groups"""
    # NOTE(review): the loop header, try/except lines and a few others are
    # absent from this rendered listing; they are marked below and the
    # indentation is reconstructed - restore from the repository.
    check_eap_capa(dev[0], "PWD")
    tls = dev[0].request("GET tls_library")
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf" }
    # Finite cyclic group numbers for EAP-pwd (pwd_group).
    groups = [ 19, 20, 21, 25, 26 ]
    if tls.startswith("OpenSSL") and "build=OpenSSL 1.0.2" in tls and "run=OpenSSL 1.0.2" in tls:
        logger.info("Add Brainpool EC groups since OpenSSL is new enough")
        groups += [ 27, 28, 29, 30 ]
    # NOTE(review): original line 2593 (the loop header binding "i",
    # presumably "for i in groups:") is absent.
        logger.info("Group %d" % i)
        params['pwd_group'] = str(i)
        hapd = hostapd.add_ap(apdev[0], params)
        # NOTE(review): original line 2597 absent (presumably "try:",
        # paired with the handler at 2603).
            eap_connect(dev[0], hapd, "PWD", "pwd user",
                        password="secret password")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
            dev[0].dump_monitor()
        # NOTE(review): original line 2603 absent (presumably the except
        # clause).
            # BoringSSL is known not to handle group 25; the failure is
            # logged and skipped instead of failing the whole test.
            if "BoringSSL" in tls and i in [ 25 ]:
                logger.info("Ignore connection failure with group %d with BoringSSL" % i)
                dev[0].request("DISCONNECT")
                # NOTE(review): original line 2607 absent.
                dev[0].request("REMOVE_NETWORK all")
                dev[0].dump_monitor()
                # NOTE(review): original lines 2610-2612 absent (presumably
                # the continue/re-raise that end the handler).
def test_ap_wpa2_eap_pwd_invalid_group(dev, apdev):
    """WPA2-Enterprise connection using invalid EAP-pwd group"""
    # NOTE(review): recovered from a rendered listing; the "if ev is None:"
    # guard before the raise was restored from the suite's usual pattern -
    # confirm against the repository.
    check_eap_capa(dev[0], "PWD")
    ap_params = { "ssid": "test-wpa2-eap", "wpa": "2",
                  "wpa_key_mgmt": "WPA-EAP",
                  "rsn_pairwise": "CCMP", "ieee8021x": "1",
                  "eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "pwd_group": "0" }
    hostapd.add_ap(apdev[0], ap_params)
    # pwd_group 0 is not a usable group, so the exchange must end in an
    # EAP failure on the station (wait_event uses its default timeout here).
    sta = dev[0]
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PWD",
                identity="pwd user", password="secret password",
                scan_freq="2412", wait_connect=False)
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
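def test_ap_wpa2_eap_pwd_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-pwd with server fragmentation"""
    check_eap_capa(dev[0], "PWD")
    # The AP configuration is given explicitly because fragment_size=40
    # must be set on the server side; the wpa2_eap_params() dict that was
    # previously built here was immediately overwritten and is dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "pwd_group": "19", "fragment_size": "40" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "PWD", "pwd user", password="secret password")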
def test_ap_wpa2_eap_gpsk(dev, apdev):
    """WPA2-Enterprise connection using EAP-GPSK"""
    # NOTE(review): recovered from a rendered listing; the "if ev is None:"
    # guards before the "timed out" raises were restored from the suite's
    # usual pattern - confirm against the repository.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, hapd, "GPSK", "gpsk user",
                         password="abcdefghijklmnop0123456789abcdef")
    eap_reauth(sta, "GPSK")

    logger.info("Test forced algorithm selection")
    # phase1 cipher=N pins the GPSK cipher selection; each value listed
    # here must still complete EAP and reconnect.
    for cipher in [ "cipher=1", "cipher=2" ]:
        sta.set_network_quoted(net_id, "phase1", cipher)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # An unknown cipher id must end in an EAP failure.
    sta.set_network_quoted(net_id, "phase1", "cipher=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "GPSK", "gpsk user",
                password="ffcdefghijklmnop0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_sake(dev, apdev):
    """WPA2-Enterprise connection using EAP-SAKE"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # 64 hex digits = 32-byte pre-shared key.
    eap_connect(sta, hapd, "SAKE", "sake user",
                password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "SAKE")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same length, first byte changed: must be rejected.
    eap_connect(sta, hapd, "SAKE", "sake user",
                password_hex="ff23456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_eke(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE"""
    # NOTE(review): recovered from a rendered listing; the "if ev is None:"
    # guards before the "timed out" raises were restored from the suite's
    # usual pattern - confirm against the repository.
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    net_id = eap_connect(sta, hapd, "EKE", "eke user", password="hello")
    eap_reauth(sta, "EKE")

    logger.info("Test forced algorithm selection")
    # phase1 pins the EKE DH group / encryption / PRF / MAC proposal; every
    # combination listed here must still authenticate and reconnect.
    for proposal in [ "dhgroup=5 encr=1 prf=2 mac=2",
                      "dhgroup=4 encr=1 prf=2 mac=2",
                      "dhgroup=3 encr=1 prf=2 mac=2",
                      "dhgroup=3 encr=1 prf=1 mac=1" ]:
        sta.set_network_quoted(net_id, "phase1", proposal)
        if sta.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10) is None:
            raise Exception("EAP success timed out")
        sta.wait_connected(timeout=10)

    logger.info("Test failed algorithm negotiation")
    # Unknown algorithm ids must end in an EAP failure.
    sta.set_network_quoted(net_id, "phase1", "dhgroup=9 encr=9 prf=9 mac=9")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
        raise Exception("EAP failure timed out")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "EKE", "eke user", password="hello1",
                expect_failure=True)
def test_ap_wpa2_eap_eke_many(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-EKE (many connections) [long]"""
    # NOTE(review): several short lines are absent from this rendered
    # listing; they are marked below and the indentation is reconstructed -
    # restore from the repository.
    if not params['long']:
        raise HwsimSkip("Skip test case with long duration due to --long not specified")
    # The test-run params dict is replaced by the AP parameters from here on.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): original lines 2716-2717 absent; the final log line
    # reads "success" and "fail" counters that are presumably initialised
    # here.
    for i in range(100):
        # NOTE(review): original line 2719 absent (presumably the inner
        # loop binding "j", which indexes dev[j] below).
            dev[j].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="EKE",
                           identity="eke user", password="hello",
                           phase1="dhgroup=3 encr=1 prf=1 mac=1",
                           scan_freq="2412", wait_connect=False)
            # NOTE(review): original line 2724 absent.
            ev = dev[j].wait_event(["CTRL-EVENT-CONNECTED",
                                    "CTRL-EVENT-DISCONNECTED"], timeout=15)
            # NOTE(review): original line 2727 absent (presumably
            # "if ev is None:").
                raise Exception("No connected/disconnected event")
            if "CTRL-EVENT-DISCONNECTED" in ev:
                # NOTE(review): original line 2730 absent (presumably the
                # fail counter update).
                # The RADIUS server limits on active sessions can be hit when
                # going through this test case, so try to give some more time
                # for the server to remove sessions.
                logger.info("Failed to connect i=%d j=%d" % (i, j))
                dev[j].request("REMOVE_NETWORK all")
                # NOTE(review): original lines 2736-2738 absent.
            dev[j].request("REMOVE_NETWORK all")
            dev[j].wait_disconnected()
            dev[j].dump_monitor()
    logger.info("Total success=%d failure=%d" % (success, fail))
def test_ap_wpa2_eap_eke_serverid_nai(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with serverid NAI"""
    # server_id given in NAI form (user@realm) must be accepted by the peer.
    ap_params = int_eap_server_params()
    ap_params['server_id'] = 'example.server@w1.fi'
    hapd = hostapd.add_ap(apdev[0], ap_params)
    eap_connect(dev[0], hapd, "EKE", "eke user", password="hello")
def test_ap_wpa2_eap_eke_server_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-EKE with server OOM"""
    # Drive the hostapd EAP-EKE server through injected allocation
    # failures and check that the station never ends up connected.
    # NOTE(review): several short lines (loop/try/except/break lines) are
    # absent from this rendered listing; they are marked below and the
    # indentation is reconstructed - restore from the repository.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].scan_for_bss(apdev[0]['bssid'], freq=2412)

    # Allocation failures in the message build/process paths must make
    # the connection fail outright.
    for count,func in [ (1, "eap_eke_build_commit"),
                        (2, "eap_eke_build_commit"),
                        (3, "eap_eke_build_commit"),
                        (1, "eap_eke_build_confirm"),
                        (2, "eap_eke_build_confirm"),
                        (1, "eap_eke_process_commit"),
                        (2, "eap_eke_process_commit"),
                        (1, "eap_eke_process_confirm"),
                        (1, "eap_eke_process_identity"),
                        (2, "eap_eke_process_identity"),
                        (3, "eap_eke_process_identity"),
                        (4, "eap_eke_process_identity") ]:
        with alloc_fail(hapd, count, func):
            eap_connect(dev[0], hapd, "EKE", "eke user", password="hello",
                        expect_failure=True)
            dev[0].request("REMOVE_NETWORK all")

    # Allocation failures in init/key/session/identity paths: the attempt
    # is started without waiting and abandoned once the failure has fired.
    for count,func,pw in [ (1, "eap_eke_init", "hello"),
                           (1, "eap_eke_get_session_id", "hello"),
                           (1, "eap_eke_getKey", "hello"),
                           (1, "eap_eke_build_msg", "hello"),
                           (1, "eap_eke_build_failure", "wrong"),
                           (1, "eap_eke_build_identity", "hello"),
                           (2, "eap_eke_build_identity", "hello") ]:
        with alloc_fail(hapd, count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP WPA-EAP-SHA256",
                           eap="EKE", identity="eke user", password=pw,
                           wait_connect=False, scan_freq="2412")
            # This would eventually time out, but we can stop after having
            # reached the allocation failure.
            # NOTE(review): original lines 2787-2788 absent (presumably a
            # polling loop around the check below).
                if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                    # NOTE(review): original line 2790 absent (presumably
                    # break).
            dev[0].request("REMOVE_NETWORK all")

    # Sweep allocation failures through the generic EAP server state
    # machine until a failure no longer triggers. Note that "pw" here is
    # whatever the previous loop left bound.
    for count in range(1, 1000):
        # NOTE(review): original line 2794 absent (presumably "try:").
            with alloc_fail(hapd, count, "eap_server_sm_step"):
                dev[0].connect("test-wpa2-eap",
                               key_mgmt="WPA-EAP WPA-EAP-SHA256",
                               eap="EKE", identity="eke user", password=pw,
                               wait_connect=False, scan_freq="2412")
                # This would eventually time out, but we can stop after having
                # reached the allocation failure.
                # NOTE(review): original lines 2802-2803 absent (presumably
                # a polling loop around the check below).
                    if hapd.request("GET_ALLOC_FAIL").startswith('0'):
                        # NOTE(review): original line 2805 absent.
                dev[0].request("REMOVE_NETWORK all")
        # Python 2 except syntax.
        except Exception, e:
            if str(e) == "Allocation failure did not trigger":
                # NOTE(review): original line 2809 absent (presumably a
                # lower bound on count before the raise below).
                    raise Exception("Too few allocation failures")
                logger.info("%d allocation failures tested" % (count - 1))
                # NOTE(review): original lines 2812-2814 absent (presumably
                # the break/re-raise that end the handler).
def test_ap_wpa2_eap_ikev2(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2"""
    check_eap_capa(dev[0], "IKEV2")
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    eap_connect(sta, hapd, "IKEV2", "ikev2 user", password="ike password")
    eap_reauth(sta, "IKEV2")
    sta.request("REMOVE_NETWORK all")

    # Small station-side fragment_size must still connect.
    eap_connect(sta, hapd, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="50")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "IKEV2", "ikev2 user",
                password="ike-password", expect_failure=True)
    sta.request("REMOVE_NETWORK all")

    # Boundary value fragment_size="0" must still connect.
    eap_connect(sta, hapd, "IKEV2", "ikev2 user",
                password="ike password", fragment_size="0")
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
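def test_ap_wpa2_eap_ikev2_as_frag(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 with server fragmentation"""
    check_eap_capa(dev[0], "IKEV2")
    # The AP configuration is given explicitly because fragment_size=50
    # must be set on the server side; the wpa2_eap_params() dict that was
    # previously built here was immediately overwritten and is dropped.
    params = { "ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
               "rsn_pairwise": "CCMP", "ieee8021x": "1",
               "eap_server": "1", "eap_user_file": "auth_serv/eap_user.conf",
               "fragment_size": "50" }
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "IKEV2", "ikev2 user",
                password="ike password")
    eap_reauth(dev[0], "IKEV2")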
def test_ap_wpa2_eap_ikev2_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-IKEv2 and OOM"""
    # NOTE(review): several short lines are absent from this rendered
    # listing; they are marked below and the indentation is reconstructed -
    # restore from the repository.
    check_eap_capa(dev[0], "IKEV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)

    # Station-side allocation failures in the DH setup: the attempt is
    # started without waiting and abandoned once the failure has fired.
    # NOTE(review): original line 2858 absent (presumably a further
    # (count, func) entry of this list).
    tests = [ (1, "dh_init"),
              (1, "dh_derive_shared") ]
    for count, func in tests:
        with alloc_fail(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): original line 2866 absent (presumably
            # "if ev is None:").
                raise Exception("EAP method not selected")
            # NOTE(review): original line 2868 absent (presumably a polling
            # loop around the check below).
                if "0:" in dev[0].request("GET_ALLOC_FAIL"):
                    # NOTE(review): original lines 2870-2871 absent.
            dev[0].request("REMOVE_NETWORK all")

    # Forced failure of the random-number source used by dh_init.
    tests = [ (1, "os_get_random;dh_init") ]
    for count, func in tests:
        with fail_test(dev[0], count, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="IKEV2",
                           identity="ikev2 user", password="ike password",
                           wait_connect=False, scan_freq="2412")
            ev = dev[0].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5)
            # NOTE(review): original line 2881 absent (presumably
            # "if ev is None:").
                raise Exception("EAP method not selected")
            # NOTE(review): original line 2883 absent (presumably a polling
            # loop around the check below).
                if "0:" in dev[0].request("GET_FAIL"):
                    # NOTE(review): original lines 2885-2886 absent.
            dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_pax(dev, apdev):
    """WPA2-Enterprise connection using EAP-PAX"""
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    pax_user = "pax.user@example.com"
    # 32 hex digits = 16-byte shared key.
    eap_connect(sta, hapd, "PAX", pax_user,
                password_hex="0123456789abcdef0123456789abcdef")
    eap_reauth(sta, "PAX")

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    # Same length, first byte changed: must be rejected.
    eap_connect(sta, hapd, "PAX", pax_user,
                password_hex="ff23456789abcdef0123456789abcdef",
                expect_failure=True)
def test_ap_wpa2_eap_psk(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK"""
    sta = dev[0]
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Use the SHA-256 AKM (suite 00-0f-ac-5) with management frame
    # protection required (ieee80211w=2).
    ap_params["wpa_key_mgmt"] = "WPA-EAP-SHA256"
    ap_params["ieee80211w"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_params)
    psk_user = "psk.user@example.com"
    eap_connect(sta, hapd, "PSK", psk_user,
                password_hex="0123456789abcdef0123456789abcdef", sha256=True)
    eap_reauth(sta, "PSK", sha256=True)
    check_mib(sta, [ ("dot11RSNAAuthenticationSuiteRequested", "00-0f-ac-5"),
                     ("dot11RSNAAuthenticationSuiteSelected", "00-0f-ac-5") ])

    # The BSS table entry must advertise the SHA-256 AKM as well.
    bss = sta.get_bss(apdev[0]['bssid'])
    if 'flags' not in bss:
        raise Exception("Could not get BSS flags from BSS table")
    if "[WPA2-EAP-SHA256-CCMP]" not in bss['flags']:
        raise Exception("Unexpected BSS flags: " + bss['flags'])

    logger.info("Negative test with incorrect password")
    sta.request("REMOVE_NETWORK all")
    eap_connect(sta, hapd, "PSK", psk_user,
                password_hex="ff23456789abcdef0123456789abcdef", sha256=True,
                expect_failure=True)
def test_ap_wpa2_eap_psk_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-PSK and OOM"""
    # NOTE(review): recovered from a rendered listing; the "if ev is None:"
    # guards before "EAP method not selected" / "EAP method failure not
    # reported" were restored from the suite's usual pattern - confirm
    # against the repository.
    skip_with_fips(dev[0])
    sta = dev[0]
    hostapd.add_ap(apdev[0], hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    def start_psk():
        # Start an EAP-PSK attempt without waiting for the result and make
        # sure the method was actually selected before the fault fires.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                    identity="psk.user@example.com",
                    password_hex="0123456789abcdef0123456789abcdef",
                    wait_connect=False, scan_freq="2412")
        if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=5) is None:
            raise Exception("EAP method not selected")

    def cleanup():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Allocation failures inside the AES-EAX primitives (pattern syntax as
    # understood by alloc_fail).
    for count, func in [ (1, "=aes_128_eax_encrypt"),
                         (1, "=aes_128_eax_decrypt") ]:
        with alloc_fail(sta, count, func):
            start_psk()
            wait_fail_trigger(sta, "GET_ALLOC_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            cleanup()

    # Forced failures of the AES-CTR / OMAC1 building blocks used by EAX.
    for count, func in [ (1, "aes_ctr_encrypt;aes_128_eax_encrypt"),
                         (1, "omac1_aes_128;aes_128_eax_encrypt"),
                         (2, "omac1_aes_128;aes_128_eax_encrypt"),
                         (3, "omac1_aes_128;aes_128_eax_encrypt"),
                         (1, "omac1_aes_vector"),
                         (1, "omac1_aes_128;aes_128_eax_decrypt"),
                         (2, "omac1_aes_128;aes_128_eax_decrypt"),
                         (3, "omac1_aes_128;aes_128_eax_decrypt"),
                         (1, "aes_ctr_encrypt;aes_128_eax_decrypt") ]:
        with fail_test(sta, count, func):
            start_psk()
            wait_fail_trigger(sta, "GET_FAIL",
                              note="Failure not triggered: %d:%s" % (count, func))
            cleanup()

    # A failing AES block encryption must surface as an EAP failure.
    with fail_test(sta, 1, "aes_128_encrypt_block"):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="PSK",
                    identity="psk.user@example.com",
                    password_hex="0123456789abcdef0123456789abcdef",
                    wait_connect=False, scan_freq="2412")
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("EAP method failure not reported")
        cleanup()
def test_ap_wpa_eap_peap_eap_mschapv2(dev, apdev):
    """WPA-Enterprise connection using EAP-PEAP/EAP-MSCHAPv2"""
    check_eap_capa(dev[0], "MSCHAPV2")
    # WPA (not WPA2) AP; the AKM suite checked below is 00-50-f2-1.
    params = hostapd.wpa_eap_params(ssid="test-wpa-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    dev[0].connect("test-wpa-eap", key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", password="password", phase2="auth=MSCHAPV2",
                   ca_cert="auth_serv/ca.pem", wait_connect=False,
    # NOTE(review): original line 2990 (the remaining keyword argument(s)
    # and closing parenthesis of this connect() call) is absent from this
    # rendered listing.
    eap_check_auth(dev[0], "PEAP", True, rsn=False)
    hwsim_utils.test_connectivity(dev[0], hapd)
    eap_reauth(dev[0], "PEAP", rsn=False)
    check_mib(dev[0], [ ("dot11RSNAAuthenticationSuiteRequested", "00-50-f2-1"),
                        ("dot11RSNAAuthenticationSuiteSelected", "00-50-f2-1") ])
    status = dev[0].get_status(extra="VERBOSE")
    if 'portControl' not in status:
        raise Exception("portControl missing from STATUS-VERBOSE")
    if status['portControl'] != 'Auto':
        raise Exception("Unexpected portControl value: " + status['portControl'])
    if 'eap_session_id' not in status:
        raise Exception("eap_session_id missing from STATUS-VERBOSE")
    # The Session-Id is expected to start with byte 0x19 (presumably the
    # PEAP EAP type, 25 - confirm).
    if not status['eap_session_id'].startswith("19"):
        raise Exception("Unexpected eap_session_id value: " + status['eap_session_id'])
def test_ap_wpa2_eap_interactive(dev, apdev):
    """WPA2-Enterprise connection using interactive identity/password entry"""
    # NOTE(review): several short lines are absent from this rendered
    # listing; they are marked below and the indentation is reconstructed -
    # restore from the repository.
    check_eap_capa(dev[0], "MSCHAPV2")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    # NOTE(review): original line 3011 absent.

    # (description, eap, anonymous_identity, identity, phase2,
    #  identity to supply on CTRL-REQ-IDENTITY, password to supply on
    #  CTRL-REQ-PASSWORD/OTP). None for identity leaves it out of the
    # network config so the supplicant has to request it interactively.
    tests = [ ("Connection with dynamic TTLS/MSCHAPv2 password entry",
               "TTLS", "ttls", "DOMAIN\mschapv2 user", "auth=MSCHAPV2",
    # NOTE(review): original line 3014 (the last two fields and closing
    # parenthesis of this tuple) is absent.
              ("Connection with dynamic TTLS/MSCHAPv2 identity and password entry",
               "TTLS", "ttls", None, "auth=MSCHAPV2",
               "DOMAIN\mschapv2 user", "password"),
              ("Connection with dynamic TTLS/EAP-MSCHAPv2 password entry",
               "TTLS", "ttls", "user", "autheap=MSCHAPV2", None, "password"),
              ("Connection with dynamic TTLS/EAP-MD5 password entry",
               "TTLS", "ttls", "user", "autheap=MD5", None, "password"),
              ("Connection with dynamic PEAP/EAP-MSCHAPv2 password entry",
               "PEAP", None, "user", "auth=MSCHAPV2", None, "password"),
              ("Connection with dynamic PEAP/EAP-GTC password entry",
               "PEAP", None, "user", "auth=GTC", None, "password") ]
    for [desc,eap,anon,identity,phase2,req_id,req_pw] in tests:
        # NOTE(review): original line 3027 absent ("desc" is not used in
        # the visible lines; presumably logged there).
        dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap=eap,
                       anonymous_identity=anon, identity=identity,
                       ca_cert="auth_serv/ca.pem", phase2=phase2,
                       wait_connect=False, scan_freq="2412")
        # NOTE(review): original line 3032 absent; the identity request
        # handling below is presumably conditional on req_id, which is
        # None for most entries.
        ev = dev[0].wait_event(["CTRL-REQ-IDENTITY"])
        # NOTE(review): original line 3034 absent (presumably
        # "if ev is None:").
            raise Exception("Request for identity timed out")
        # The request id is the trailing number of "CTRL-REQ-IDENTITY-<id>:".
        # ("id" and "type" below shadow builtins.)
        id = ev.split(':')[0].split('-')[-1]
        dev[0].request("CTRL-RSP-IDENTITY-" + id + ":" + req_id)
        ev = dev[0].wait_event(["CTRL-REQ-PASSWORD","CTRL-REQ-OTP"])
        # NOTE(review): original line 3039 absent (presumably
        # "if ev is None:").
            raise Exception("Request for password timed out")
        id = ev.split(':')[0].split('-')[-1]
        # Answer with the same request type the supplicant asked for.
        type = "OTP" if "CTRL-REQ-OTP" in ev else "PASSWORD"
        dev[0].request("CTRL-RSP-" + type + "-" + id + ":" + req_pw)
        dev[0].wait_connected(timeout=10)
        dev[0].request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_ext_enable_network_while_connected(dev, apdev):
    """WPA2-Enterprise interactive identity entry and ENABLE_NETWORK"""
    # NOTE(review): recovered from a rendered listing; the guard on the
    # identity request ("if ev is None:") and the one before "Unexpected
    # reconnection attempt" (presumably "if ev is not None:", since that
    # 1 s wait is expected to expire) were restored - confirm against the
    # repository.
    check_eap_capa(dev[0], "MSCHAPV2")
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))

    # A second, open network that is added but not yet enabled.
    id_other = sta.connect("other", key_mgmt="NONE", scan_freq="2412",
                           only_add_network=True)

    # identity=None makes the supplicant ask for it over the control
    # interface (CTRL-REQ-IDENTITY) instead of taking it from the config.
    req_id = "DOMAIN\mschapv2 user"
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
                anonymous_identity="ttls", identity=None,
                password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                wait_connect=False, scan_freq="2412")
    ev = sta.wait_event(["CTRL-REQ-IDENTITY"])
    if ev is None:
        raise Exception("Request for identity timed out")
    # The request id is the trailing number of "CTRL-REQ-IDENTITY-<id>:".
    req_num = ev.split(':')[0].split('-')[-1]
    sta.request("CTRL-RSP-IDENTITY-" + req_num + ":" + req_id)
    sta.wait_connected(timeout=10)

    # Enabling another network while connected must not start a new
    # authentication attempt.
    if "OK" not in sta.request("ENABLE_NETWORK " + str(id_other)):
        raise Exception("Failed to enable network")
    if sta.wait_event(["SME: Trying to authenticate"], timeout=1) is not None:
        raise Exception("Unexpected reconnection attempt on ENABLE_NETWORK")
    sta.request("REMOVE_NETWORK all")
def test_ap_wpa2_eap_vendor_test(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "VENDOR-TEST", "vendor-test")
    eap_reauth(dev[0], "VENDOR-TEST")
    eap_connect(dev[1], hapd, "VENDOR-TEST", "vendor-test",
    # NOTE(review): original lines 3083-3084 (the remaining keyword
    # arguments and closing parenthesis of this call) are absent from this
    # rendered listing.
def test_ap_wpa2_eap_vendor_test_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP vendor test (OOM)"""
    # NOTE(review): several short lines are absent from this rendered
    # listing; they are marked below and the indentation is reconstructed -
    # restore from the repository.
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], params)
    # NOTE(review): original line 3089 absent.

    # Station-side allocation-failure points in the vendor test method.
    tests = [ "eap_vendor_test_init",
              "eap_msg_alloc;eap_vendor_test_process",
              "eap_vendor_test_getKey" ]
    # NOTE(review): original line 3093 (the loop header binding "func",
    # presumably "for func in tests:") is absent.
        with alloc_fail(dev[0], 1, func):
            dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
                           # NOTE(review): original line 3096 absent.
                           eap="VENDOR-TEST", identity="vendor-test",
                           # NOTE(review): original line 3098 (rest of this
                           # call) absent.
            wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
            dev[0].request("REMOVE_NETWORK all")
            dev[0].wait_disconnected()
def test_ap_wpa2_eap_fast_mschapv2_unauth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and unauthenticated provisioning"""
    check_eap_capa(dev[0], "FAST")
    sta = dev[0]
    hapd = hostapd.add_ap(apdev[0],
                          hostapd.wpa2_eap_params(ssid="test-wpa2-eap"))
    # phase1 fast_provisioning=1 enables the unauthenticated PAC
    # provisioning named in the docstring; the PAC is kept in a config
    # blob rather than in a file.
    eap_connect(sta, hapd, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                phase1="fast_provisioning=1", pac_file="blob://fast_pac")
    hwsim_utils.test_connectivity(sta, hapd)
    # Reauthentication must resume the TLS session via the PAC ticket.
    res = eap_reauth(sta, "FAST")
    if res['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
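def test_ap_wpa2_eap_fast_pac_file(dev, apdev, params):
    """WPA2-Enterprise connection using EAP-FAST/MSCHAPv2 and PAC file"""
    check_eap_capa(dev[0], "FAST")
    # Both PAC files are written into the per-run log directory. A PAC
    # carries the PAC-Key shared secret, so they are removed again in the
    # finally block no matter how the test ends.
    pac_file = os.path.join(params['logdir'], "fast.pac")
    pac_file2 = os.path.join(params['logdir'], "fast-bin.pac")
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], params)

    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2")
    try:
        # Anonymous provisioning writes a text-format PAC file.
        eap_connect(dev[0], hapd, "FAST", "user",
                    phase1="fast_provisioning=1", pac_file=pac_file,
                    **fast_args)
        with open(pac_file, "r") as f:
            data = f.read()
        if "wpa_supplicant EAP-FAST PAC file - version 1" not in data:
            raise Exception("PAC file header missing")
        if "PAC-Key=" not in data:
            raise Exception("PAC-Key missing from PAC file")
        dev[0].request("REMOVE_NETWORK all")
        # Reconnect without provisioning enabled: only the stored PAC can
        # be used for this connection.
        eap_connect(dev[0], hapd, "FAST", "user", pac_file=pac_file,
                    **fast_args)

        # Same sequence with the binary PAC format on the second station.
        eap_connect(dev[1], hapd, "FAST", "user",
                    phase1="fast_provisioning=1 fast_pac_format=binary",
                    pac_file=pac_file2, **fast_args)
        dev[1].request("REMOVE_NETWORK all")
        eap_connect(dev[1], hapd, "FAST", "user",
                    phase1="fast_pac_format=binary", pac_file=pac_file2,
                    **fast_args)
    finally:
        # Best-effort cleanup: a file may not exist if the test failed
        # before provisioning; only OS errors are ignored here.
        for path in (pac_file, pac_file2):
            try:
                os.remove(path)
            except OSError:
                pass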
def test_ap_wpa2_eap_fast_binary_pac(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and binary PAC format"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    common = dict(anonymous_identity="FAST", password="password",
                  ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                  pac_file="blob://fast_pac_bin")

    # Binary PAC with the list length capped at one entry.
    eap_connect(sta, ap, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=1 fast_pac_format=binary",
                **common)
    status = eap_reauth(sta, "FAST")
    if status['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")

    # Verify fast_max_pac_list_len=0 special case
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
    eap_connect(sta, ap, "FAST", "user",
                phase1="fast_provisioning=1 fast_max_pac_list_len=0 fast_pac_format=binary",
                **common)
def test_ap_wpa2_eap_fast_missing_pac_config(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and missing PAC config"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    def connect_expect_eap_failure(**extra):
        # Without provisioning enabled and without a usable PAC the
        # method cannot authenticate, so an EAP failure is the required
        # outcome.
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    wait_connect=False, scan_freq="2412", **extra)
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"])
        if ev is None:
            raise Exception("Timeout on EAP failure report")

    # PAC blob configured but never provisioned.
    connect_expect_eap_failure(pac_file="blob://fast_pac_not_in_use")
    sta.request("REMOVE_NETWORK all")

    # No pac_file at all.
    connect_expect_eap_failure()
def test_ap_wpa2_eap_fast_binary_pac_errors(dev, apdev):
    """EAP-FAST and binary PAC errors"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    fast_args = dict(anonymous_identity="FAST", password="password",
                     ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                     phase1="fast_provisioning=1 fast_pac_format=binary",
                     pac_file="blob://fast_pac_bin_errors")

    def set_blob(hexdata):
        # Load (or clear, with "") the station-side binary PAC blob.
        if "OK" not in sta.request("SET blob fast_pac_bin_errors " + hexdata):
            raise Exception("Could not set blob")

    def cleanup():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    def expect_init_failure():
        # A PAC the parser rejects must fail EAP method initialisation
        # rather than be used (or crash the supplicant).
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", scan_freq="2412", wait_connect=False,
                    **fast_args)
        ev = sta.wait_event(["EAP: Failed to initialize EAP method"],
                            timeout=5)
        if ev is None:
            raise Exception("Failure not reported")
        cleanup()

    # Allocation failures while the freshly provisioned PAC is written.
    for count, func in [(1, "=eap_fast_save_pac_bin"),
                        (1, "eap_fast_write_pac"),
                        (2, "eap_fast_write_pac")]:
        set_blob("")
        with alloc_fail(sta, count, func):
            eap_connect(sta, ap, "FAST", "user", **fast_args)
            cleanup()

    # Malformed binary PAC contents (truncated, bad magic, bad lengths).
    # NOTE(review): one list entry of the upstream test is not visible
    # on this page and is not reproduced here.
    hdr = "6ae4920c0000" + "0000" + 32*"00"
    for t in ["00", "000000000000", "6ae4920c0001",
              hdr + "ffff" + "0000",
              hdr + "0001" + "0000",
              hdr + "0000" + "0001",
              hdr + "0000" + "0008" + "00040000" + "0007000100"]:
        set_blob(t)
        expect_init_failure()

    # Allocation failures while loading a well-formed PAC.
    pac = hdr + "0000" + "0000"
    for count in (1, 2, 3):
        set_blob(pac)
        with alloc_fail(sta, count, "eap_fast_load_pac_bin"):
            expect_init_failure()

    # This PAC variant must still allow a successful connection.
    set_blob(hdr + "0000" + "0005" + "0011223344")
    eap_connect(sta, ap, "FAST", "user", **fast_args)
    cleanup()

    # Allocation failures while the A-ID is extracted from the PAC.
    pac = hdr + "0000" + "0009" + "00040000" + "0007000100"
    for count in (1, 2):
        set_blob(pac)
        with alloc_fail(sta, count, "eap_fast_pac_get_a_id"):
            eap_connect(sta, ap, "FAST", "user", **fast_args)
            cleanup()
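def test_ap_wpa2_eap_fast_text_pac_errors(dev, apdev):
    """EAP-FAST and text PAC errors"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)

    def set_blob(hexdata):
        # Load (or clear, with "") the station-side text PAC blob.
        if "OK" not in sta.request("SET blob fast_pac_text_errors " + hexdata):
            raise Exception("Could not set blob")

    def connect(ssid="test-wpa2-eap"):
        sta.connect(ssid, key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac_text_errors",
                    scan_freq="2412", wait_connect=False)

    def cleanup():
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

    # Allocation failures in the text PAC parser and writer.
    fail_points = [(1, "eap_fast_parse_hex;eap_fast_parse_pac_key"),
                   (1, "eap_fast_parse_hex;eap_fast_parse_pac_opaque"),
                   (1, "eap_fast_parse_hex;eap_fast_parse_a_id"),
                   (1, "eap_fast_parse_start"),
                   (1, "eap_fast_save_pac")]
    for count, func in fail_points:
        sta.request("FLUSH")
        set_blob("")
        with alloc_fail(sta, count, func):
            connect()
            wait_fail_trigger(sta, "GET_ALLOC_FAIL")
            cleanup()

    # A PAC file with a valid header but an unusable record must make
    # method initialisation fail.
    pac = "wpa_supplicant EAP-FAST PAC file - version 1\n"
    # NOTE(review): the record lines of this PAC are not visible on this
    # page; upstream appends START / PAC-Type=12345 / END -- confirm.
    pac += "START\n"
    pac += "PAC-Type=12345\n"
    pac += "END\n"
    # Hex-encode explicitly: str.encode("hex") exists only on Python 2.
    set_blob("".join("%02x" % ord(c) for c in pac))
    connect()
    ev = sta.wait_event(["EAP: Failed to initialize EAP method"], timeout=5)
    if ev is None:
        raise Exception("Failure not reported")
    cleanup()

    sta.request("FLUSH")
    set_blob("")
    # Allocation failure while PAC entries from several distinct servers
    # (different A-ID / PAC-Opaque key) are added to the PAC list.
    with alloc_fail(sta, 1, "eap_fast_add_pac_data"):
        # NOTE(review): the loop bound is not visible on this page.
        for i in range(3):
            params = int_eap_server_params()
            params['ssid'] = "test-wpa2-eap-2"
            params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
            params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
            params['eap_fast_a_id_info'] = "test server %d" % i
            hapd2 = hostapd.add_ap(apdev[1], params)

            connect("test-wpa2-eap-2")
            sta.wait_connected()
            cleanup()

            hapd2.disable()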
def test_ap_wpa2_eap_fast_pac_truncate(dev, apdev):
    """EAP-FAST and PAC list truncation"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    if "OK" not in sta.request("SET blob fast_pac_truncate "):
        raise Exception("Could not set blob")

    # Provision against more servers than fast_max_pac_list_len allows so
    # that the oldest PAC entries have to be dropped from the list.
    # NOTE(review): the loop bound is not visible on this page.
    for i in range(5):
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        ap = hostapd.add_ap(apdev[0], params)

        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1 fast_max_pac_list_len=2",
                    pac_file="blob://fast_pac_truncate",
                    scan_freq="2412", wait_connect=False)
        sta.wait_connected()
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

        ap.disable()
def test_ap_wpa2_eap_fast_pac_refresh(dev, apdev):
    """EAP-FAST and PAC refresh"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    if "OK" not in sta.request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    def provision_and_connect(i, refresh_time, lifetime):
        # Bring up one server instance with its own A-ID and PAC-Opaque
        # key and the given PAC-Key timing, connect once, tear it down.
        params = int_eap_server_params()
        params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
        params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
        params['eap_fast_a_id_info'] = "test server %d" % i
        params['pac_key_refresh_time'] = refresh_time
        params['pac_key_lifetime'] = lifetime
        ap = hostapd.add_ap(apdev[0], params)

        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password",
                    ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                    phase1="fast_provisioning=1",
                    pac_file="blob://fast_pac_refresh",
                    scan_freq="2412", wait_connect=False)
        sta.wait_connected()
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()

        ap.disable()

    # Refresh time well below the lifetime.
    for i in range(2):
        provision_and_connect(i, "1", "10")
    # Refresh time equal to the lifetime.
    for i in range(2):
        provision_and_connect(i, "10", "10")
def test_ap_wpa2_eap_fast_pac_lifetime(dev, apdev):
    """EAP-FAST and PAC lifetime"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    if "OK" not in sta.request("SET blob fast_pac_refresh "):
        raise Exception("Could not set blob")

    i = 0
    params = int_eap_server_params()
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # No refresh, two-second PAC-Key lifetime: the PAC expires quickly.
    params['pac_key_refresh_time'] = "0"
    params['pac_key_lifetime'] = "2"
    hostapd.add_ap(apdev[0], params)

    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_refresh",
                        scan_freq="2412", wait_connect=False)
    sta.wait_connected()
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Let the PAC expire, drop the PMKSA cache so a full EAP exchange is
    # forced, and check that the expired PAC is rejected by the server.
    # NOTE(review): the sleep length is not visible on this page.
    time.sleep(3)
    sta.request("PMKSA_FLUSH")
    sta.request("RECONNECT")
    ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10)
    if ev is None:
        raise Exception("No EAP-Failure seen after expired PAC")
    sta.request("DISCONNECT")
    sta.wait_disconnected()

    # Re-provisioning (fast_provisioning=2) must get the station back on.
    sta.select_network(netid)
    sta.wait_connected()
    sta.request("REMOVE_NETWORK all")
    sta.wait_disconnected()
def test_ap_wpa2_eap_fast_gtc_auth_prov(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and authenticated provisioning"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    # fast_provisioning=2: server-authenticated provisioning (the server
    # certificate is verified against ca_cert) with GTC as inner method.
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2", pac_file="blob://fast_pac_auth")
    hwsim_utils.test_connectivity(sta, ap)

    status = eap_reauth(sta, "FAST")
    if status['tls_session_reused'] != '1':
        raise Exception("EAP-FAST could not use PAC session ticket")
def test_ap_wpa2_eap_fast_gtc_identity_change(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST/GTC and identity changing"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    netid = eap_connect(sta, ap, "FAST", "user",
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_auth")

    # The PAC was provisioned for "user". Switching the identity must
    # not let the stored PAC authenticate a different user: EAP-FAST is
    # restarted and the attempt has to end in an EAP failure.
    sta.set_network_quoted(netid, "identity", "user2")
    sta.wait_disconnected()
    if sta.wait_event(["CTRL-EVENT-EAP-METHOD"], timeout=15) is None:
        raise Exception("EAP-FAST not started")
    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=5) is None:
        raise Exception("EAP failure not reported")
    sta.wait_disconnected()
def test_ap_wpa2_eap_fast_prf_oom(dev, apdev):
    """WPA2-Enterprise connection using EAP-FAST and OOM in PRF"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")

    # The key-derivation entry point differs per TLS backend, as does
    # the allocation that is made to fail.
    # NOTE(review): the per-backend fail counts are not visible on this
    # page; upstream uses 2 for OpenSSL and 1 for the internal TLS.
    tls = sta.request("GET tls_library")
    if tls.startswith("OpenSSL"):
        func, count = "tls_connection_get_eap_fast_key", 2
    elif tls.startswith("internal"):
        func, count = "tls_connection_prf", 1
    else:
        raise HwsimSkip("Unsupported TLS library")

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hostapd.add_ap(apdev[0], ap_params)
    with alloc_fail(sta, count, func):
        sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                    identity="user", anonymous_identity="FAST",
                    password="password", ca_cert="auth_serv/ca.pem",
                    phase2="auth=GTC",
                    phase1="fast_provisioning=2",
                    pac_file="blob://fast_pac_auth",
                    wait_connect=False, scan_freq="2412")
        # A failed PRF must surface as an EAP failure, not a hang.
        ev = sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=15)
        if ev is None:
            raise Exception("EAP failure not reported")
        sta.request("DISCONNECT")
def test_ap_wpa2_eap_fast_server_oom(dev, apdev):
    """EAP-FAST/MSCHAPv2 and server OOM"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")

    params = int_eap_server_params()
    params['dh_file'] = 'auth_serv/dh.conf'
    params['pac_opaque_encr_key'] = '000102030405060708090a0b0c0d0e0f'
    params['eap_fast_a_id'] = '1011'
    params['eap_fast_a_id_info'] = 'another test server'
    ap = hostapd.add_ap(apdev[0], params)

    # Allocation failure on the server side while handling the session
    # ticket extension: the client must see a clean EAP failure.
    with alloc_fail(ap, 1, "tls_session_ticket_ext_cb"):
        netid = eap_connect(sta, ap, "FAST", "user",
                            anonymous_identity="FAST", password="password",
                            ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                            phase1="fast_provisioning=1",
                            pac_file="blob://fast_pac",
                            expect_failure=True)
        if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout=10) is None:
            raise Exception("No EAP failure reported")
        sta.wait_disconnected()
        sta.request("DISCONNECT")

    # Once allocations succeed again the same network profile connects.
    sta.select_network(netid, freq="2412")
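def test_ap_wpa2_eap_fast_cipher_suites(dev, apdev):
    """EAP-FAST and different TLS cipher suites"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    tls = sta.request("GET tls_library")
    if not tls.startswith("OpenSSL"):
        raise HwsimSkip("TLS library is not OpenSSL: " + tls)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)

    def finish():
        # Record the negotiated cipher before tearing the network down.
        cipher = sta.get_status_field('EAP TLS cipher')
        sta.request("REMOVE_NETWORK all")
        sta.wait_disconnected()
        return cipher

    # Provisioning run: the default cipher selection is expected.
    sta.request("SET blob fast_pac_ciphers ")
    eap_connect(sta, ap, "FAST", "user",
                anonymous_identity="FAST", password="password",
                ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                phase1="fast_provisioning=2",
                pac_file="blob://fast_pac_ciphers")
    res = finish()
    if res != "DHE-RSA-AES256-SHA":
        raise Exception("Unexpected cipher suite for provisioning: " + res)

    # Subsequent runs pin one suite each via openssl_ciphers and check
    # that the TLS layer honoured the restriction.
    # NOTE(review): three entries of this list are not visible on this
    # page; the RC4-SHA special case below implies it is one of them.
    tests = ["DHE-RSA-AES128-SHA",
             "RC4-SHA",
             "AES128-SHA",
             "AES256-SHA",
             "DHE-RSA-AES256-SHA"]
    for cipher in tests:
        sta.dump_monitor()
        logger.info("Testing " + cipher)
        try:
            eap_connect(sta, ap, "FAST", "user",
                        openssl_ciphers=cipher,
                        anonymous_identity="FAST", password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=GTC",
                        pac_file="blob://fast_pac_ciphers")
        # "except Exception as e" is valid on Python 2.6+ and Python 3;
        # the comma form is a syntax error on Python 3.
        except Exception as e:
            # OpenSSL 1.1 builds ship without RC4; that one failure is
            # tolerated, every other failure propagates.
            if "Could not select EAP method" in str(e) and cipher == "RC4-SHA":
                tls = sta.request("GET tls_library")
                if "run=OpenSSL 1.1" in tls:
                    logger.info("Allow failure due to missing TLS library support")
                    sta.request("REMOVE_NETWORK all")
                    sta.wait_disconnected()
                    continue
            raise
        res = finish()
        if res != cipher:
            raise Exception("Unexpected TLS cipher info (configured %s): %s" % (cipher, res))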
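def _fast_prov_expect_result(sta, expected):
    """Wait for the EAP completion status event and require *expected* ("success" or "failure") in it."""
    # NOTE(review): the timeout used upstream is not visible on this page.
    ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS status='completion'"],
                        timeout=15)
    if ev is None:
        raise Exception("EAP result not reported")
    if "parameter='%s'" % expected not in ev:
        raise Exception("Unexpected EAP result: " + ev)


def test_ap_wpa2_eap_fast_prov(dev, apdev):
    """EAP-FAST and provisioning options"""
    sta = dev[0]
    check_eap_capa(sta, "FAST")
    if "OK" not in sta.request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    i = 0
    params = int_eap_server_params()
    # PMKSA caching off so every reconnect runs a full EAP exchange.
    params['disable_pmksa_caching'] = '1'
    params['pac_opaque_encr_key'] = "000102030405060708090a0b0c0dff%02x" % i
    params['eap_fast_a_id'] = "101112131415161718191a1b1c1dff%02x" % i
    params['eap_fast_a_id_info'] = "test server %d" % i
    # eap_fast_prov: 0 = disabled, 1 = anonymous, 2 = authenticated.
    params['eap_fast_prov'] = "0"
    ap = hostapd.add_ap(apdev[0], params)

    def connected_cycle():
        sta.wait_connected()
        sta.request("DISCONNECT")
        sta.wait_disconnected()
        sta.dump_monitor()

    def failed_cycle():
        sta.wait_disconnected()
        sta.request("DISCONNECT")
        sta.dump_monitor()

    logger.info("Provisioning attempt while server has provisioning disabled")
    netid = sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="FAST",
                        identity="user", anonymous_identity="FAST",
                        password="password",
                        ca_cert="auth_serv/ca.pem", phase2="auth=MSCHAPV2",
                        phase1="fast_provisioning=2",
                        pac_file="blob://fast_pac_prov",
                        scan_freq="2412", wait_connect=False)
    _fast_prov_expect_result(sta, "failure")
    failed_cycle()

    logger.info("Authenticated provisioning")
    ap.set("eap_fast_prov", "2")

    sta.select_network(netid, freq="2412")
    _fast_prov_expect_result(sta, "success")
    connected_cycle()

    logger.info("Provisioning disabled - using previously provisioned PAC")
    ap.set("eap_fast_prov", "0")

    sta.select_network(netid, freq="2412")
    _fast_prov_expect_result(sta, "success")
    connected_cycle()

    logger.info("Drop PAC and verify connection failure")
    if "OK" not in sta.request("SET blob fast_pac_prov "):
        raise Exception("Could not set blob")

    sta.select_network(netid, freq="2412")
    _fast_prov_expect_result(sta, "failure")
    failed_cycle()

    logger.info("Anonymous provisioning")
    ap.set("eap_fast_prov", "1")
    sta.set_network_quoted(netid, "phase1", "fast_provisioning=1")
    sta.select_network(netid, freq="2412")
    # Anonymous provisioning results in EAP-Failure first
    _fast_prov_expect_result(sta, "failure")
    sta.wait_disconnected()
    # And then the actual data connection
    _fast_prov_expect_result(sta, "success")
    connected_cycle()

    logger.info("Provisioning disabled - using previously provisioned PAC")
    ap.set("eap_fast_prov", "0")

    sta.select_network(netid, freq="2412")
    _fast_prov_expect_result(sta, "success")
    connected_cycle()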
def test_ap_wpa2_eap_tls_ocsp(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP"""
    sta = dev[0]
    check_ocsp_support(sta)
    check_pkcs12_support(sta)
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # ocsp=2: a valid stapled OCSP response is mandatory for the
    # connection to complete.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def test_ap_wpa2_eap_tls_ocsp_multi(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and verifying OCSP-multi"""
    sta = dev[0]
    check_ocsp_multi_support(sta)
    check_pkcs12_support(sta)

    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap = hostapd.add_ap(apdev[0], ap_params)
    # Same client configuration as the single-response OCSP test; the
    # capability check above is what differs.
    eap_connect(sta, ap, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2)
def int_eap_server_params():
    """Return hostapd parameters for a WPA2-Enterprise AP that runs the integrated EAP server."""
    base = {"ssid": "test-wpa2-eap", "wpa": "2", "wpa_key_mgmt": "WPA-EAP",
            "rsn_pairwise": "CCMP", "ieee8021x": "1"}
    # Integrated EAP server: user database plus the server's own TLS
    # credentials (CA, certificate, private key, DH parameters) taken
    # from the auth_serv test fixtures.
    eap_server = {"eap_server": "1",
                  "eap_user_file": "auth_serv/eap_user.conf",
                  "ca_cert": "auth_serv/ca.pem",
                  "server_cert": "auth_serv/server.pem",
                  "private_key": "auth_serv/server.key",
                  "dh_file": "auth_serv/dh.conf"}
    base.update(eap_server)
    # A fresh dict on every call, so callers may mutate it freely.
    return base
def test_ap_wpa2_eap_tls_ocsp_key_id(dev, apdev, params):
    """EAP-TLS and OCSP certificate signed OCSP response using key ID"""
    sta = dev[0]
    check_ocsp_support(sta)
    # The stapled response is generated by the test setup; skip rather
    # than fail when it is not present in the log directory.
    ocsp = os.path.join(params['logdir'], "ocsp-server-cache-key-id.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # Responder identified by key ID rather than name: the station must
    # accept the "good" response and connect.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                scan_freq="2412")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_good(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (good)"""
    sta = dev[0]
    check_ocsp_support(sta)
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    # CA-signed "good" status: with ocsp=2 the connection must complete.
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                scan_freq="2412")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_revoked(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (revoked)"""
    sta = dev[0]
    check_ocsp_support(sta)
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-revoked.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")

    # The server certificate is reported as revoked; the station must
    # flag the status and must not proceed. At most 11 status events
    # are examined before giving up.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev or \
           'certificate revoked' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_ca_signed_unknown(dev, apdev, params):
    """EAP-TLS and CA signed OCSP response (unknown)"""
    sta = dev[0]
    check_ocsp_support(sta)
    ocsp = os.path.join(params['logdir'], "ocsp-resp-ca-signed-unknown.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")

    # "unknown" certificate status is not "good": with ocsp=2 it must be
    # treated as a bad status response. Up to 11 status events examined.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_server_signed(dev, apdev, params):
    """EAP-TLS and server signed OCSP response"""
    sta = dev[0]
    check_ocsp_support(sta)
    ocsp = os.path.join(params['logdir'], "ocsp-resp-server-signed.der")
    if not os.path.exists(ocsp):
        raise HwsimSkip("No OCSP response available")
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = ocsp
    hostapd.add_ap(apdev[0], ap_params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")

    # A response signed by the server certificate itself is not an
    # authorised responder: it must be rejected as a bad status
    # response. Up to 11 status events are examined.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid_data(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP data"""
    sta = dev[0]
    check_ocsp_support(sta)
    ap_params = int_eap_server_params()
    # An OCSP *request* is stapled where a response is expected.
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-req.der"
    hostapd.add_ap(apdev[0], ap_params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")

    # Undecodable status data must be reported as a bad status response
    # and the handshake must fail. Up to 11 status events are examined.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
def test_ap_wpa2_eap_tls_ocsp_invalid(dev, apdev):
    """WPA2-Enterprise connection using EAP-TLS and invalid OCSP response"""
    sta = dev[0]
    check_ocsp_support(sta)
    ap_params = int_eap_server_params()
    ap_params["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-invalid"
    hostapd.add_ap(apdev[0], ap_params)
    sta.connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TLS",
                identity="tls user", ca_cert="auth_serv/ca.pem",
                private_key="auth_serv/user.pkcs12",
                private_key_passwd="whatever", ocsp=2,
                wait_connect=False, scan_freq="2412")

    # A response that fails validation must not be accepted; with ocsp=2
    # the handshake has to fail. Up to 11 status events are examined.
    for _ in range(11):
        ev = sta.wait_event(["CTRL-EVENT-EAP-STATUS"])
        if ev is None:
            raise Exception("Timeout on EAP status")
        if 'bad certificate status response' in ev:
            break
    else:
        raise Exception("Unexpected number of EAP status messages")

    if sta.wait_event(["CTRL-EVENT-EAP-FAILURE"]) is None:
        raise Exception("Timeout on EAP failure report")
3962 def test_ap_wpa2_eap_tls_ocsp_unknown_sign(dev
, apdev
):
3963 """WPA2-Enterprise connection using EAP-TLS and unknown OCSP signer"""
3964 check_ocsp_support(dev
[0])
3965 params
= int_eap_server_params()
3966 params
["ocsp_stapling_response"] = "auth_serv/ocsp-server-cache.der-unknown-sign"
3967 hostapd
.add_ap(apdev
[0], params
)
3968 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
3969 identity
="tls user", ca_cert
="auth_serv/ca.pem",
3970 private_key
="auth_serv/user.pkcs12",
3971 private_key_passwd
="whatever", ocsp
=2,
3972 wait_connect
=False, scan_freq
="2412")
3975 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
3977 raise Exception("Timeout on EAP status")
3978 if 'bad certificate status response' in ev
:
3982 raise Exception("Unexpected number of EAP status messages")
3984 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
3986 raise Exception("Timeout on EAP failure report")
3988 def test_ap_wpa2_eap_ttls_ocsp_revoked(dev
, apdev
, params
):
3989 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
3990 check_ocsp_support(dev
[0])
3991 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-revoked.der")
3992 if not os
.path
.exists(ocsp
):
3993 raise HwsimSkip("No OCSP response available")
3994 params
= int_eap_server_params()
3995 params
["ocsp_stapling_response"] = ocsp
3996 hostapd
.add_ap(apdev
[0], params
)
3997 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
3998 identity
="pap user", ca_cert
="auth_serv/ca.pem",
3999 anonymous_identity
="ttls", password
="password",
4000 phase2
="auth=PAP", ocsp
=2,
4001 wait_connect
=False, scan_freq
="2412")
4004 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4006 raise Exception("Timeout on EAP status")
4007 if 'bad certificate status response' in ev
:
4009 if 'certificate revoked' in ev
:
4013 raise Exception("Unexpected number of EAP status messages")
4015 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4017 raise Exception("Timeout on EAP failure report")
4019 def test_ap_wpa2_eap_ttls_ocsp_unknown(dev
, apdev
, params
):
4020 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4021 check_ocsp_support(dev
[0])
4022 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4023 if not os
.path
.exists(ocsp
):
4024 raise HwsimSkip("No OCSP response available")
4025 params
= int_eap_server_params()
4026 params
["ocsp_stapling_response"] = ocsp
4027 hostapd
.add_ap(apdev
[0], params
)
4028 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4029 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4030 anonymous_identity
="ttls", password
="password",
4031 phase2
="auth=PAP", ocsp
=2,
4032 wait_connect
=False, scan_freq
="2412")
4035 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"])
4037 raise Exception("Timeout on EAP status")
4038 if 'bad certificate status response' in ev
:
4042 raise Exception("Unexpected number of EAP status messages")
4044 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4046 raise Exception("Timeout on EAP failure report")
4048 def test_ap_wpa2_eap_ttls_optional_ocsp_unknown(dev
, apdev
, params
):
4049 """WPA2-Enterprise connection using EAP-TTLS and OCSP status revoked"""
4050 ocsp
= os
.path
.join(params
['logdir'], "ocsp-server-cache-unknown.der")
4051 if not os
.path
.exists(ocsp
):
4052 raise HwsimSkip("No OCSP response available")
4053 params
= int_eap_server_params()
4054 params
["ocsp_stapling_response"] = ocsp
4055 hostapd
.add_ap(apdev
[0], params
)
4056 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4057 identity
="pap user", ca_cert
="auth_serv/ca.pem",
4058 anonymous_identity
="ttls", password
="password",
4059 phase2
="auth=PAP", ocsp
=1, scan_freq
="2412")
4061 def test_ap_wpa2_eap_tls_intermediate_ca(dev
, apdev
, params
):
4062 """EAP-TLS with intermediate server/user CA"""
4063 params
= int_eap_server_params()
4064 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4065 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4066 params
["private_key"] = "auth_serv/iCA-server/server.key"
4067 hostapd
.add_ap(apdev
[0], params
)
4068 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4069 identity
="tls user",
4070 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4071 client_cert
="auth_serv/iCA-user/user.pem",
4072 private_key
="auth_serv/iCA-user/user.key",
4075 def root_ocsp(cert
):
4076 ca
= "auth_serv/ca.pem"
4078 fd2
, fn2
= tempfile
.mkstemp()
4081 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-cert", cert
,
4082 "-no_nonce", "-sha256", "-text" ]
4083 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4084 stderr
=subprocess
.PIPE
)
4085 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4088 logger
.info("OCSP request:\n" + res
)
4090 fd
, fn
= tempfile
.mkstemp()
4092 arg
= [ "openssl", "ocsp", "-index", "auth_serv/rootCA/index.txt",
4093 "-rsigner", ca
, "-rkey", "auth_serv/ca-key.pem",
4094 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4095 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4097 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4098 stderr
=subprocess
.PIPE
)
4099 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4102 logger
.info("OCSP response:\n" + res
)
4107 prefix
= "auth_serv/iCA-server/"
4108 ca
= prefix
+ "cacert.pem"
4109 cert
= prefix
+ cert
4111 fd2
, fn2
= tempfile
.mkstemp()
4114 arg
= [ "openssl", "ocsp", "-reqout", fn2
, "-issuer", ca
, "-cert", cert
,
4115 "-no_nonce", "-sha256", "-text" ]
4116 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4117 stderr
=subprocess
.PIPE
)
4118 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4121 logger
.info("OCSP request:\n" + res
)
4123 fd
, fn
= tempfile
.mkstemp()
4125 arg
= [ "openssl", "ocsp", "-index", prefix
+ "index.txt",
4126 "-rsigner", ca
, "-rkey", prefix
+ "private/cakey.pem",
4127 "-CA", ca
, "-issuer", ca
, "-verify_other", ca
, "-trust_other",
4128 "-ndays", "7", "-reqin", fn2
, "-resp_no_certs", "-respout", fn
,
4130 cmd
= subprocess
.Popen(arg
, stdout
=subprocess
.PIPE
,
4131 stderr
=subprocess
.PIPE
)
4132 res
= cmd
.stdout
.read() + "\n" + cmd
.stderr
.read()
4135 logger
.info("OCSP response:\n" + res
)
4139 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp(dev
, apdev
, params
):
4140 """EAP-TLS with intermediate server/user CA and OCSP on server certificate"""
4141 params
= int_eap_server_params()
4142 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4143 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4144 params
["private_key"] = "auth_serv/iCA-server/server.key"
4145 fn
= ica_ocsp("server.pem")
4146 params
["ocsp_stapling_response"] = fn
4148 hostapd
.add_ap(apdev
[0], params
)
4149 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4150 identity
="tls user",
4151 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4152 client_cert
="auth_serv/iCA-user/user.pem",
4153 private_key
="auth_serv/iCA-user/user.key",
4154 scan_freq
="2412", ocsp
=2)
4158 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_revoked(dev
, apdev
, params
):
4159 """EAP-TLS with intermediate server/user CA and OCSP on revoked server certificate"""
4160 params
= int_eap_server_params()
4161 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4162 params
["server_cert"] = "auth_serv/iCA-server/server-revoked.pem"
4163 params
["private_key"] = "auth_serv/iCA-server/server-revoked.key"
4164 fn
= ica_ocsp("server-revoked.pem")
4165 params
["ocsp_stapling_response"] = fn
4167 hostapd
.add_ap(apdev
[0], params
)
4168 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4169 identity
="tls user",
4170 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4171 client_cert
="auth_serv/iCA-user/user.pem",
4172 private_key
="auth_serv/iCA-user/user.key",
4173 scan_freq
="2412", ocsp
=1, wait_connect
=False)
4176 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4177 "CTRL-EVENT-EAP-SUCCESS"])
4179 raise Exception("Timeout on EAP status")
4180 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4181 raise Exception("Unexpected EAP-Success")
4182 if 'bad certificate status response' in ev
:
4184 if 'certificate revoked' in ev
:
4188 raise Exception("Unexpected number of EAP status messages")
4190 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4192 raise Exception("Timeout on EAP failure report")
4193 dev
[0].request("REMOVE_NETWORK all")
4194 dev
[0].wait_disconnected()
4198 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi_missing_resp(dev
, apdev
, params
):
4199 """EAP-TLS with intermediate server/user CA and OCSP multi missing response"""
4200 check_ocsp_support(dev
[0])
4201 check_ocsp_multi_support(dev
[0])
4203 params
= int_eap_server_params()
4204 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4205 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4206 params
["private_key"] = "auth_serv/iCA-server/server.key"
4207 fn
= ica_ocsp("server.pem")
4208 params
["ocsp_stapling_response"] = fn
4210 hostapd
.add_ap(apdev
[0], params
)
4211 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4212 identity
="tls user",
4213 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4214 client_cert
="auth_serv/iCA-user/user.pem",
4215 private_key
="auth_serv/iCA-user/user.key",
4216 scan_freq
="2412", ocsp
=3, wait_connect
=False)
4219 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4220 "CTRL-EVENT-EAP-SUCCESS"])
4222 raise Exception("Timeout on EAP status")
4223 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4224 raise Exception("Unexpected EAP-Success")
4225 if 'bad certificate status response' in ev
:
4227 if 'certificate revoked' in ev
:
4231 raise Exception("Unexpected number of EAP status messages")
4233 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4235 raise Exception("Timeout on EAP failure report")
4236 dev
[0].request("REMOVE_NETWORK all")
4237 dev
[0].wait_disconnected()
4241 def test_ap_wpa2_eap_tls_intermediate_ca_ocsp_multi(dev
, apdev
, params
):
4242 """EAP-TLS with intermediate server/user CA and OCSP multi OK"""
4243 check_ocsp_support(dev
[0])
4244 check_ocsp_multi_support(dev
[0])
4246 params
= int_eap_server_params()
4247 params
["ca_cert"] = "auth_serv/iCA-server/ca-and-root.pem"
4248 params
["server_cert"] = "auth_serv/iCA-server/server.pem"
4249 params
["private_key"] = "auth_serv/iCA-server/server.key"
4250 fn
= ica_ocsp("server.pem")
4251 fn2
= root_ocsp("auth_serv/iCA-server/cacert.pem")
4252 params
["ocsp_stapling_response"] = fn
4254 with
open(fn
, "r") as f
:
4255 resp_server
= f
.read()
4256 with
open(fn2
, "r") as f
:
4259 fd3
, fn3
= tempfile
.mkstemp()
4261 f
= os
.fdopen(fd3
, 'w')
4262 f
.write(struct
.pack(">L", len(resp_server
))[1:4])
4263 f
.write(resp_server
)
4264 f
.write(struct
.pack(">L", len(resp_ica
))[1:4])
4268 params
["ocsp_stapling_response_multi"] = fn3
4270 hostapd
.add_ap(apdev
[0], params
)
4271 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4272 identity
="tls user",
4273 ca_cert
="auth_serv/iCA-user/ca-and-root.pem",
4274 client_cert
="auth_serv/iCA-user/user.pem",
4275 private_key
="auth_serv/iCA-user/user.key",
4276 scan_freq
="2412", ocsp
=3)
4277 dev
[0].request("REMOVE_NETWORK all")
4278 dev
[0].wait_disconnected()
4284 def test_ap_wpa2_eap_tls_ocsp_multi_revoked(dev
, apdev
, params
):
4285 """EAP-TLS and CA signed OCSP multi response (revoked)"""
4286 check_ocsp_support(dev
[0])
4287 check_ocsp_multi_support(dev
[0])
4289 ocsp_revoked
= os
.path
.join(params
['logdir'],
4290 "ocsp-resp-ca-signed-revoked.der")
4291 if not os
.path
.exists(ocsp_revoked
):
4292 raise HwsimSkip("No OCSP response (revoked) available")
4293 ocsp_unknown
= os
.path
.join(params
['logdir'],
4294 "ocsp-resp-ca-signed-unknown.der")
4295 if not os
.path
.exists(ocsp_unknown
):
4296 raise HwsimSkip("No OCSP response(unknown) available")
4298 with
open(ocsp_revoked
, "r") as f
:
4299 resp_revoked
= f
.read()
4300 with
open(ocsp_unknown
, "r") as f
:
4301 resp_unknown
= f
.read()
4303 fd
, fn
= tempfile
.mkstemp()
4305 # This is not really a valid order of the OCSPResponse items in the
4306 # list, but this works for now to verify parsing and processing of
4307 # multiple responses.
4308 f
= os
.fdopen(fd
, 'w')
4309 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4310 f
.write(resp_unknown
)
4311 f
.write(struct
.pack(">L", len(resp_revoked
))[1:4])
4312 f
.write(resp_revoked
)
4313 f
.write(struct
.pack(">L", 0)[1:4])
4314 f
.write(struct
.pack(">L", len(resp_unknown
))[1:4])
4315 f
.write(resp_unknown
)
4318 params
= int_eap_server_params()
4319 params
["ocsp_stapling_response_multi"] = fn
4320 hostapd
.add_ap(apdev
[0], params
)
4321 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4322 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4323 private_key
="auth_serv/user.pkcs12",
4324 private_key_passwd
="whatever", ocsp
=1,
4325 wait_connect
=False, scan_freq
="2412")
4328 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS",
4329 "CTRL-EVENT-EAP-SUCCESS"])
4331 raise Exception("Timeout on EAP status")
4332 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
4333 raise Exception("Unexpected EAP-Success")
4334 if 'bad certificate status response' in ev
:
4336 if 'certificate revoked' in ev
:
4340 raise Exception("Unexpected number of EAP status messages")
4344 def test_ap_wpa2_eap_tls_domain_suffix_match_cn_full(dev
, apdev
):
4345 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4346 check_domain_match_full(dev
[0])
4347 params
= int_eap_server_params()
4348 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4349 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4350 hostapd
.add_ap(apdev
[0], params
)
4351 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4352 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4353 private_key
="auth_serv/user.pkcs12",
4354 private_key_passwd
="whatever",
4355 domain_suffix_match
="server3.w1.fi",
4358 def test_ap_wpa2_eap_tls_domain_match_cn(dev
, apdev
):
4359 """WPA2-Enterprise using EAP-TLS and domainmatch (CN)"""
4360 check_domain_match(dev
[0])
4361 params
= int_eap_server_params()
4362 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4363 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4364 hostapd
.add_ap(apdev
[0], params
)
4365 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4366 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4367 private_key
="auth_serv/user.pkcs12",
4368 private_key_passwd
="whatever",
4369 domain_match
="server3.w1.fi",
4372 def test_ap_wpa2_eap_tls_domain_suffix_match_cn(dev
, apdev
):
4373 """WPA2-Enterprise using EAP-TLS and domain suffix match (CN)"""
4374 check_domain_match_full(dev
[0])
4375 params
= int_eap_server_params()
4376 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4377 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4378 hostapd
.add_ap(apdev
[0], params
)
4379 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4380 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4381 private_key
="auth_serv/user.pkcs12",
4382 private_key_passwd
="whatever",
4383 domain_suffix_match
="w1.fi",
4386 def test_ap_wpa2_eap_tls_domain_suffix_mismatch_cn(dev
, apdev
):
4387 """WPA2-Enterprise using EAP-TLS and domain suffix mismatch (CN)"""
4388 check_domain_suffix_match(dev
[0])
4389 params
= int_eap_server_params()
4390 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4391 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4392 hostapd
.add_ap(apdev
[0], params
)
4393 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4394 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4395 private_key
="auth_serv/user.pkcs12",
4396 private_key_passwd
="whatever",
4397 domain_suffix_match
="example.com",
4400 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4401 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4402 private_key
="auth_serv/user.pkcs12",
4403 private_key_passwd
="whatever",
4404 domain_suffix_match
="erver3.w1.fi",
4407 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4409 raise Exception("Timeout on EAP failure report")
4410 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4412 raise Exception("Timeout on EAP failure report (2)")
4414 def test_ap_wpa2_eap_tls_domain_mismatch_cn(dev
, apdev
):
4415 """WPA2-Enterprise using EAP-TLS and domain mismatch (CN)"""
4416 check_domain_match(dev
[0])
4417 params
= int_eap_server_params()
4418 params
["server_cert"] = "auth_serv/server-no-dnsname.pem"
4419 params
["private_key"] = "auth_serv/server-no-dnsname.key"
4420 hostapd
.add_ap(apdev
[0], params
)
4421 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4422 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4423 private_key
="auth_serv/user.pkcs12",
4424 private_key_passwd
="whatever",
4425 domain_match
="example.com",
4428 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
4429 identity
="tls user", ca_cert
="auth_serv/ca.pem",
4430 private_key
="auth_serv/user.pkcs12",
4431 private_key_passwd
="whatever",
4432 domain_match
="w1.fi",
4435 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4437 raise Exception("Timeout on EAP failure report")
4438 ev
= dev
[1].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4440 raise Exception("Timeout on EAP failure report (2)")
4442 def test_ap_wpa2_eap_ttls_expired_cert(dev
, apdev
):
4443 """WPA2-Enterprise using EAP-TTLS and expired certificate"""
4444 skip_with_fips(dev
[0])
4445 params
= int_eap_server_params()
4446 params
["server_cert"] = "auth_serv/server-expired.pem"
4447 params
["private_key"] = "auth_serv/server-expired.key"
4448 hostapd
.add_ap(apdev
[0], params
)
4449 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4450 identity
="mschap user", password
="password",
4451 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4454 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-TLS-CERT-ERROR"])
4456 raise Exception("Timeout on EAP certificate error report")
4457 if "reason=4" not in ev
or "certificate has expired" not in ev
:
4458 raise Exception("Unexpected failure reason: " + ev
)
4459 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4461 raise Exception("Timeout on EAP failure report")
4463 def test_ap_wpa2_eap_ttls_ignore_expired_cert(dev
, apdev
):
4464 """WPA2-Enterprise using EAP-TTLS and ignore certificate expiration"""
4465 skip_with_fips(dev
[0])
4466 params
= int_eap_server_params()
4467 params
["server_cert"] = "auth_serv/server-expired.pem"
4468 params
["private_key"] = "auth_serv/server-expired.key"
4469 hostapd
.add_ap(apdev
[0], params
)
4470 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4471 identity
="mschap user", password
="password",
4472 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4473 phase1
="tls_disable_time_checks=1",
4476 def test_ap_wpa2_eap_ttls_long_duration(dev
, apdev
):
4477 """WPA2-Enterprise using EAP-TTLS and long certificate duration"""
4478 skip_with_fips(dev
[0])
4479 params
= int_eap_server_params()
4480 params
["server_cert"] = "auth_serv/server-long-duration.pem"
4481 params
["private_key"] = "auth_serv/server-long-duration.key"
4482 hostapd
.add_ap(apdev
[0], params
)
4483 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4484 identity
="mschap user", password
="password",
4485 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4488 def test_ap_wpa2_eap_ttls_server_cert_eku_client(dev
, apdev
):
4489 """WPA2-Enterprise using EAP-TTLS and server cert with client EKU"""
4490 skip_with_fips(dev
[0])
4491 params
= int_eap_server_params()
4492 params
["server_cert"] = "auth_serv/server-eku-client.pem"
4493 params
["private_key"] = "auth_serv/server-eku-client.key"
4494 hostapd
.add_ap(apdev
[0], params
)
4495 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4496 identity
="mschap user", password
="password",
4497 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4500 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4502 raise Exception("Timeout on EAP failure report")
4504 def test_ap_wpa2_eap_ttls_server_cert_eku_client_server(dev
, apdev
):
4505 """WPA2-Enterprise using EAP-TTLS and server cert with client and server EKU"""
4506 skip_with_fips(dev
[0])
4507 params
= int_eap_server_params()
4508 params
["server_cert"] = "auth_serv/server-eku-client-server.pem"
4509 params
["private_key"] = "auth_serv/server-eku-client-server.key"
4510 hostapd
.add_ap(apdev
[0], params
)
4511 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4512 identity
="mschap user", password
="password",
4513 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4516 def test_ap_wpa2_eap_ttls_server_pkcs12(dev
, apdev
):
4517 """WPA2-Enterprise using EAP-TTLS and server PKCS#12 file"""
4518 skip_with_fips(dev
[0])
4519 params
= int_eap_server_params()
4520 del params
["server_cert"]
4521 params
["private_key"] = "auth_serv/server.pkcs12"
4522 hostapd
.add_ap(apdev
[0], params
)
4523 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4524 identity
="mschap user", password
="password",
4525 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4528 def test_ap_wpa2_eap_ttls_server_pkcs12_extra(dev
, apdev
):
4529 """EAP-TTLS and server PKCS#12 file with extra certs"""
4530 skip_with_fips(dev
[0])
4531 params
= int_eap_server_params()
4532 del params
["server_cert"]
4533 params
["private_key"] = "auth_serv/server-extra.pkcs12"
4534 params
["private_key_passwd"] = "whatever"
4535 hostapd
.add_ap(apdev
[0], params
)
4536 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4537 identity
="mschap user", password
="password",
4538 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4541 def test_ap_wpa2_eap_ttls_dh_params(dev
, apdev
):
4542 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params"""
4543 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4544 hapd
= hostapd
.add_ap(apdev
[0], params
)
4545 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4546 anonymous_identity
="ttls", password
="password",
4547 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
4548 dh_file
="auth_serv/dh.conf")
4550 def test_ap_wpa2_eap_ttls_dh_params_dsa(dev
, apdev
):
4551 """WPA2-Enterprise connection using EAP-TTLS and setting DH params (DSA)"""
4552 check_dh_dsa_support(dev
[0])
4553 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4554 hapd
= hostapd
.add_ap(apdev
[0], params
)
4555 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4556 anonymous_identity
="ttls", password
="password",
4557 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
4558 dh_file
="auth_serv/dsaparam.pem")
4560 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4561 """EAP-TTLS and DH params file not found"""
4562 skip_with_fips(dev
[0])
4563 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4564 hostapd
.add_ap(apdev
[0], params
)
4565 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4566 identity
="mschap user", password
="password",
4567 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4568 dh_file
="auth_serv/dh-no-such-file.conf",
4569 scan_freq
="2412", wait_connect
=False)
4570 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4572 raise Exception("EAP failure timed out")
4573 dev
[0].request("REMOVE_NETWORK all")
4574 dev
[0].wait_disconnected()
4576 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4577 """EAP-TTLS and invalid DH params file"""
4578 skip_with_fips(dev
[0])
4579 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4580 hostapd
.add_ap(apdev
[0], params
)
4581 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4582 identity
="mschap user", password
="password",
4583 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4584 dh_file
="auth_serv/ca.pem",
4585 scan_freq
="2412", wait_connect
=False)
4586 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4588 raise Exception("EAP failure timed out")
4589 dev
[0].request("REMOVE_NETWORK all")
4590 dev
[0].wait_disconnected()
4592 def test_ap_wpa2_eap_ttls_dh_params_blob(dev
, apdev
):
4593 """WPA2-Enterprise connection using EAP-TTLS/CHAP and setting DH params from blob"""
4594 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4595 hapd
= hostapd
.add_ap(apdev
[0], params
)
4596 dh
= read_pem("auth_serv/dh2.conf")
4597 if "OK" not in dev
[0].request("SET blob dhparams " + dh
.encode("hex")):
4598 raise Exception("Could not set dhparams blob")
4599 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4600 anonymous_identity
="ttls", password
="password",
4601 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP",
4602 dh_file
="blob://dhparams")
4604 def test_ap_wpa2_eap_ttls_dh_params_server(dev
, apdev
):
4605 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams"""
4606 params
= int_eap_server_params()
4607 params
["dh_file"] = "auth_serv/dh2.conf"
4608 hapd
= hostapd
.add_ap(apdev
[0], params
)
4609 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4610 anonymous_identity
="ttls", password
="password",
4611 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
4613 def test_ap_wpa2_eap_ttls_dh_params_dsa_server(dev
, apdev
):
4614 """WPA2-Enterprise using EAP-TTLS and alternative server dhparams (DSA)"""
4615 params
= int_eap_server_params()
4616 params
["dh_file"] = "auth_serv/dsaparam.pem"
4617 hapd
= hostapd
.add_ap(apdev
[0], params
)
4618 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4619 anonymous_identity
="ttls", password
="password",
4620 ca_cert
="auth_serv/ca.der", phase2
="auth=PAP")
4622 def test_ap_wpa2_eap_ttls_dh_params_not_found(dev
, apdev
):
4623 """EAP-TLS server and dhparams file not found"""
4624 params
= int_eap_server_params()
4625 params
["dh_file"] = "auth_serv/dh-no-such-file.conf"
4626 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
4627 if "FAIL" not in hapd
.request("ENABLE"):
4628 raise Exception("Invalid configuration accepted")
4630 def test_ap_wpa2_eap_ttls_dh_params_invalid(dev
, apdev
):
4631 """EAP-TLS server and invalid dhparams file"""
4632 params
= int_eap_server_params()
4633 params
["dh_file"] = "auth_serv/ca.pem"
4634 hapd
= hostapd
.add_ap(apdev
[0], params
, no_enable
=True)
4635 if "FAIL" not in hapd
.request("ENABLE"):
4636 raise Exception("Invalid configuration accepted")
4638 def test_ap_wpa2_eap_reauth(dev
, apdev
):
4639 """WPA2-Enterprise and Authenticator forcing reauthentication"""
4640 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4641 params
['eap_reauth_period'] = '2'
4642 hapd
= hostapd
.add_ap(apdev
[0], params
)
4643 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4644 password_hex
="0123456789abcdef0123456789abcdef")
4645 logger
.info("Wait for reauthentication")
4646 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=10)
4648 raise Exception("Timeout on reauthentication")
4649 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
4651 raise Exception("Timeout on reauthentication")
4652 for i
in range(0, 20):
4653 state
= dev
[0].get_status_field("wpa_state")
4654 if state
== "COMPLETED":
4657 if state
!= "COMPLETED":
4658 raise Exception("Reauthentication did not complete")
4660 def test_ap_wpa2_eap_request_identity_message(dev
, apdev
):
4661 """Optional displayable message in EAP Request-Identity"""
4662 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4663 params
['eap_message'] = 'hello\\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com'
4664 hapd
= hostapd
.add_ap(apdev
[0], params
)
4665 eap_connect(dev
[0], hapd
, "PAX", "pax.user@example.com",
4666 password_hex
="0123456789abcdef0123456789abcdef")
4668 def test_ap_wpa2_eap_sim_aka_result_ind(dev
, apdev
):
4669 """WPA2-Enterprise using EAP-SIM/AKA and protected result indication"""
4670 check_hlr_auc_gw_support()
4671 params
= int_eap_server_params()
4672 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4673 params
['eap_sim_aka_result_ind'] = "1"
4674 hapd
= hostapd
.add_ap(apdev
[0], params
)
4676 eap_connect(dev
[0], hapd
, "SIM", "1232010000000000",
4677 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4678 phase1
="result_ind=1")
4679 eap_reauth(dev
[0], "SIM")
4680 eap_connect(dev
[1], hapd
, "SIM", "1232010000000000",
4681 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
4683 dev
[0].request("REMOVE_NETWORK all")
4684 dev
[1].request("REMOVE_NETWORK all")
4686 eap_connect(dev
[0], hapd
, "AKA", "0232010000000000",
4687 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123",
4688 phase1
="result_ind=1")
4689 eap_reauth(dev
[0], "AKA")
4690 eap_connect(dev
[1], hapd
, "AKA", "0232010000000000",
4691 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
4693 dev
[0].request("REMOVE_NETWORK all")
4694 dev
[1].request("REMOVE_NETWORK all")
4696 eap_connect(dev
[0], hapd
, "AKA'", "6555444333222111",
4697 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123",
4698 phase1
="result_ind=1")
4699 eap_reauth(dev
[0], "AKA'")
4700 eap_connect(dev
[1], hapd
, "AKA'", "6555444333222111",
4701 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
4703 def test_ap_wpa2_eap_sim_zero_db_timeout(dev
, apdev
):
4704 """WPA2-Enterprise using EAP-SIM with zero database timeout"""
4705 check_hlr_auc_gw_support()
4706 params
= int_eap_server_params()
4707 params
['eap_sim_db'] = "unix:/tmp/hlr_auc_gw.sock"
4708 params
['eap_sim_db_timeout'] = "0"
4709 params
['disable_pmksa_caching'] = '1'
4710 hapd
= hostapd
.add_ap(apdev
[0], params
)
4712 # Run multiple iterations to make it more likely to hit the case where the
4713 # DB request times out and response is lost.
4716 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="SIM",
4717 identity
="1232010000000000",
4718 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
4719 wait_connect
=False, scan_freq
="2412")
4720 ev
= dev
[0].wait_event([ "CTRL-EVENT-CONNECTED",
4721 "CTRL-EVENT-DISCONNECTED" ],
4724 raise Exception("No connection result")
4725 dev
[0].request("REMOVE_NETWORK all")
4726 if "CTRL-EVENT-DISCONNECTED" in ev
:
4728 dev
[0].wait_disconnected()
4731 def test_ap_wpa2_eap_too_many_roundtrips(dev
, apdev
):
4732 """WPA2-Enterprise connection resulting in too many EAP roundtrips"""
4733 skip_with_fips(dev
[0])
4734 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4735 hostapd
.add_ap(apdev
[0], params
)
4736 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4737 eap
="TTLS", identity
="mschap user",
4738 wait_connect
=False, scan_freq
="2412", ieee80211w
="1",
4739 anonymous_identity
="ttls", password
="password",
4740 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
4742 ev
= dev
[0].wait_event(["EAP: more than",
4743 "CTRL-EVENT-EAP-SUCCESS"], timeout
=20)
4744 if ev
is None or "EAP: more than" not in ev
:
4745 raise Exception("EAP roundtrip limit not reached")
4747 def test_ap_wpa2_eap_expanded_nak(dev
, apdev
):
4748 """WPA2-Enterprise connection with EAP resulting in expanded NAK"""
4749 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4750 hostapd
.add_ap(apdev
[0], params
)
4751 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
4752 eap
="PSK", identity
="vendor-test",
4753 password_hex
="ff23456789abcdef0123456789abcdef",
4757 for i
in range(0, 5):
4758 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-STATUS"], timeout
=16)
4760 raise Exception("Association and EAP start timed out")
4761 if "refuse proposed method" in ev
:
4765 raise Exception("Unexpected EAP status: " + ev
)
4767 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"])
4769 raise Exception("EAP failure timed out")
4771 def test_ap_wpa2_eap_sql(dev
, apdev
, params
):
4772 """WPA2-Enterprise connection using SQLite for user DB"""
4773 skip_with_fips(dev
[0])
4777 raise HwsimSkip("No sqlite3 module available")
4778 dbfile
= os
.path
.join(params
['logdir'], "eap-user.db")
4783 con
= sqlite3
.connect(dbfile
)
4786 cur
.execute("CREATE TABLE users(identity TEXT PRIMARY KEY, methods TEXT, password TEXT, remediation TEXT, phase2 INTEGER)")
4787 cur
.execute("CREATE TABLE wildcards(identity TEXT PRIMARY KEY, methods TEXT)")
4788 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-pap','TTLS-PAP','password',1)")
4789 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-chap','TTLS-CHAP','password',1)")
4790 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschap','TTLS-MSCHAP','password',1)")
4791 cur
.execute("INSERT INTO users(identity,methods,password,phase2) VALUES ('user-mschapv2','TTLS-MSCHAPV2','password',1)")
4792 cur
.execute("INSERT INTO wildcards(identity,methods) VALUES ('','TTLS,TLS')")
4793 cur
.execute("CREATE TABLE authlog(timestamp TEXT, session TEXT, nas_ip TEXT, username TEXT, note TEXT)")
4796 params
= int_eap_server_params()
4797 params
["eap_user_file"] = "sqlite:" + dbfile
4798 hapd
= hostapd
.add_ap(apdev
[0], params
)
4799 eap_connect(dev
[0], hapd
, "TTLS", "user-mschapv2",
4800 anonymous_identity
="ttls", password
="password",
4801 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
4802 dev
[0].request("REMOVE_NETWORK all")
4803 eap_connect(dev
[1], hapd
, "TTLS", "user-mschap",
4804 anonymous_identity
="ttls", password
="password",
4805 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP")
4806 dev
[1].request("REMOVE_NETWORK all")
4807 eap_connect(dev
[0], hapd
, "TTLS", "user-chap",
4808 anonymous_identity
="ttls", password
="password",
4809 ca_cert
="auth_serv/ca.pem", phase2
="auth=CHAP")
4810 eap_connect(dev
[1], hapd
, "TTLS", "user-pap",
4811 anonymous_identity
="ttls", password
="password",
4812 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4816 def test_ap_wpa2_eap_non_ascii_identity(dev
, apdev
):
4817 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4818 params
= int_eap_server_params()
4819 hostapd
.add_ap(apdev
[0], params
)
4820 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4821 identity
="\x80", password
="password", wait_connect
=False)
4822 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4823 identity
="a\x80", password
="password", wait_connect
=False)
4824 for i
in range(0, 2):
4825 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4827 raise Exception("Association and EAP start timed out")
4828 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4830 raise Exception("EAP method selection timed out")
4832 def test_ap_wpa2_eap_non_ascii_identity2(dev
, apdev
):
4833 """WPA2-Enterprise connection attempt using non-ASCII identity"""
4834 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4835 hostapd
.add_ap(apdev
[0], params
)
4836 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4837 identity
="\x80", password
="password", wait_connect
=False)
4838 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4839 identity
="a\x80", password
="password", wait_connect
=False)
4840 for i
in range(0, 2):
4841 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-STARTED"], timeout
=16)
4843 raise Exception("Association and EAP start timed out")
4844 ev
= dev
[i
].wait_event(["CTRL-EVENT-EAP-METHOD"], timeout
=10)
4846 raise Exception("EAP method selection timed out")
4848 def test_openssl_cipher_suite_config_wpas(dev
, apdev
):
4849 """OpenSSL cipher suite configuration on wpa_supplicant"""
4850 tls
= dev
[0].request("GET tls_library")
4851 if not tls
.startswith("OpenSSL"):
4852 raise HwsimSkip("TLS library is not OpenSSL: " + tls
)
4853 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4854 hapd
= hostapd
.add_ap(apdev
[0], params
)
4855 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
4856 anonymous_identity
="ttls", password
="password",
4857 openssl_ciphers
="AES128",
4858 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4859 eap_connect(dev
[1], hapd
, "TTLS", "pap user",
4860 anonymous_identity
="ttls", password
="password",
4861 openssl_ciphers
="EXPORT",
4862 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4863 expect_failure
=True, maybe_local_error
=True)
4864 dev
[2].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
4865 identity
="pap user", anonymous_identity
="ttls",
4866 password
="password",
4867 openssl_ciphers
="FOO",
4868 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
4870 ev
= dev
[2].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
4872 raise Exception("EAP failure after invalid openssl_ciphers not reported")
4873 dev
[2].request("DISCONNECT")
def test_openssl_cipher_suite_config_hapd(dev, apdev):
    """OpenSSL cipher suite configuration on hostapd

    Brings up an EAP server restricted to openssl_ciphers="AES256" and runs
    three client-side cipher lists against it: the default list (must
    connect), "AES128" (no overlap with the server list, so the TLS handshake
    must fail closed instead of negotiating something outside the configured
    set), and "HIGH:!ADH" (overlaps, must connect). Finally a second AP is
    configured with the nonsense cipher string "FOO" and must be refused at
    ENABLE time rather than coming up with some unintended default list.

    Skipped unless both wpa_supplicant and hostapd report an OpenSSL-based
    TLS library, since the cipher-list syntax is OpenSSL specific.
    """
    supp_tls = dev[0].request("GET tls_library")
    if not supp_tls.startswith("OpenSSL"):
        raise HwsimSkip("wpa_supplicant TLS library is not OpenSSL: " + supp_tls)

    srv_params = int_eap_server_params()
    srv_params['openssl_ciphers'] = "AES256"
    hapd = hostapd.add_ap(apdev[0], srv_params)

    # The server-side library can only be queried once the AP exists.
    ap_tls = hapd.request("GET tls_library")
    if not ap_tls.startswith("OpenSSL"):
        raise HwsimSkip("hostapd TLS library is not OpenSSL: " + ap_tls)

    # (station, connect arguments) in the order they are exercised; each
    # dict spells out the full argument set so nothing is shared by reference.
    cases = [
        (dev[0], dict(anonymous_identity="ttls", password="password",
                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")),
        # AES128-only client against an AES256-only server: must fail closed
        (dev[1], dict(anonymous_identity="ttls", password="password",
                      openssl_ciphers="AES128",
                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
                      expect_failure=True)),
        (dev[2], dict(anonymous_identity="ttls", password="password",
                      openssl_ciphers="HIGH:!ADH",
                      ca_cert="auth_serv/ca.pem", phase2="auth=PAP")),
    ]
    for sta, connect_args in cases:
        eap_connect(sta, hapd, "TTLS", "pap user", **connect_args)

    # Reuse the same server config with an invalid cipher string; the
    # interface must refuse to come up rather than silently ignore it.
    srv_params['openssl_ciphers'] = "FOO"
    hapd2 = hostapd.add_ap(apdev[1], srv_params, no_enable=True)
    enable_res = hapd2.request("ENABLE")
    if "FAIL" not in enable_res:
        raise Exception("Invalid openssl_ciphers value accepted")
4904 def test_wpa2_eap_ttls_pap_key_lifetime_in_memory(dev
, apdev
, params
):
4905 """Key lifetime in memory with WPA2-Enterprise using EAP-TTLS/PAP"""
4906 p
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
4907 hapd
= hostapd
.add_ap(apdev
[0], p
)
4908 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
4909 pid
= find_wpas_process(dev
[0])
4910 id = eap_connect(dev
[0], hapd
, "TTLS", "pap-secret",
4911 anonymous_identity
="ttls", password
=password
,
4912 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
4913 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
4914 # event has been delivered, so verify that wpa_supplicant has returned to
4915 # eloop before reading process memory.
4918 buf
= read_process_memory(pid
, password
)
4920 dev
[0].request("DISCONNECT")
4921 dev
[0].wait_disconnected()
4929 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
4930 for l
in f
.readlines():
4931 if "EAP-TTLS: Derived key - hexdump" in l
:
4932 val
= l
.strip().split(':')[3].replace(' ', '')
4933 msk
= binascii
.unhexlify(val
)
4934 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
4935 val
= l
.strip().split(':')[3].replace(' ', '')
4936 emsk
= binascii
.unhexlify(val
)
4937 if "WPA: PMK - hexdump" in l
:
4938 val
= l
.strip().split(':')[3].replace(' ', '')
4939 pmk
= binascii
.unhexlify(val
)
4940 if "WPA: PTK - hexdump" in l
:
4941 val
= l
.strip().split(':')[3].replace(' ', '')
4942 ptk
= binascii
.unhexlify(val
)
4943 if "WPA: Group Key - hexdump" in l
:
4944 val
= l
.strip().split(':')[3].replace(' ', '')
4945 gtk
= binascii
.unhexlify(val
)
4946 if not msk
or not emsk
or not pmk
or not ptk
or not gtk
:
4947 raise Exception("Could not find keys from debug log")
4949 raise Exception("Unexpected GTK length")
4955 fname
= os
.path
.join(params
['logdir'],
4956 'wpa2_eap_ttls_pap_key_lifetime_in_memory.memctx-')
4958 logger
.info("Checking keys in memory while associated")
4959 get_key_locations(buf
, password
, "Password")
4960 get_key_locations(buf
, pmk
, "PMK")
4961 get_key_locations(buf
, msk
, "MSK")
4962 get_key_locations(buf
, emsk
, "EMSK")
4963 if password
not in buf
:
4964 raise HwsimSkip("Password not found while associated")
4966 raise HwsimSkip("PMK not found while associated")
4968 raise Exception("KCK not found while associated")
4970 raise Exception("KEK not found while associated")
4972 raise Exception("TK found from memory")
4974 get_key_locations(buf
, gtk
, "GTK")
4975 raise Exception("GTK found from memory")
4977 logger
.info("Checking keys in memory after disassociation")
4978 buf
= read_process_memory(pid
, password
)
4980 # Note: Password is still present in network configuration
4981 # Note: PMK is in PMKSA cache and EAP fast re-auth data
4983 get_key_locations(buf
, password
, "Password")
4984 get_key_locations(buf
, pmk
, "PMK")
4985 get_key_locations(buf
, msk
, "MSK")
4986 get_key_locations(buf
, emsk
, "EMSK")
4987 verify_not_present(buf
, kck
, fname
, "KCK")
4988 verify_not_present(buf
, kek
, fname
, "KEK")
4989 verify_not_present(buf
, tk
, fname
, "TK")
4990 verify_not_present(buf
, gtk
, fname
, "GTK")
4992 dev
[0].request("PMKSA_FLUSH")
4993 dev
[0].set_network_quoted(id, "identity", "foo")
4994 logger
.info("Checking keys in memory after PMKSA cache and EAP fast reauth flush")
4995 buf
= read_process_memory(pid
, password
)
4996 get_key_locations(buf
, password
, "Password")
4997 get_key_locations(buf
, pmk
, "PMK")
4998 get_key_locations(buf
, msk
, "MSK")
4999 get_key_locations(buf
, emsk
, "EMSK")
5000 verify_not_present(buf
, pmk
, fname
, "PMK")
5002 dev
[0].request("REMOVE_NETWORK all")
5004 logger
.info("Checking keys in memory after network profile removal")
5005 buf
= read_process_memory(pid
, password
)
5007 get_key_locations(buf
, password
, "Password")
5008 get_key_locations(buf
, pmk
, "PMK")
5009 get_key_locations(buf
, msk
, "MSK")
5010 get_key_locations(buf
, emsk
, "EMSK")
5011 verify_not_present(buf
, password
, fname
, "password")
5012 verify_not_present(buf
, pmk
, fname
, "PMK")
5013 verify_not_present(buf
, kck
, fname
, "KCK")
5014 verify_not_present(buf
, kek
, fname
, "KEK")
5015 verify_not_present(buf
, tk
, fname
, "TK")
5016 verify_not_present(buf
, gtk
, fname
, "GTK")
5017 verify_not_present(buf
, msk
, fname
, "MSK")
5018 verify_not_present(buf
, emsk
, fname
, "EMSK")
5020 def test_ap_wpa2_eap_unexpected_wep_eapol_key(dev
, apdev
):
5021 """WPA2-Enterprise connection and unexpected WEP EAPOL-Key"""
5022 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5023 hapd
= hostapd
.add_ap(apdev
[0], params
)
5024 bssid
= apdev
[0]['bssid']
5025 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5026 anonymous_identity
="ttls", password
="password",
5027 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
5029 # Send unexpected WEP EAPOL-Key; this gets dropped
5030 res
= dev
[0].request("EAPOL_RX " + bssid
+ " 0203002c0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000")
5032 raise Exception("EAPOL_RX to wpa_supplicant failed")
5034 def test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5035 """WPA2-EAP and wpas interface in a bridge"""
5039 _test_ap_wpa2_eap_in_bridge(dev
, apdev
)
5041 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'down'])
5042 subprocess
.call(['brctl', 'delif', br_ifname
, ifname
])
5043 subprocess
.call(['brctl', 'delbr', br_ifname
])
5044 subprocess
.call(['iw', ifname
, 'set', '4addr', 'off'])
5046 def _test_ap_wpa2_eap_in_bridge(dev
, apdev
):
5047 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5048 hapd
= hostapd
.add_ap(apdev
[0], params
)
5052 wpas
= WpaSupplicant(global_iface
='/tmp/wpas-wlan5')
5053 subprocess
.call(['brctl', 'addbr', br_ifname
])
5054 subprocess
.call(['brctl', 'setfd', br_ifname
, '0'])
5055 subprocess
.call(['ip', 'link', 'set', 'dev', br_ifname
, 'up'])
5056 subprocess
.call(['iw', ifname
, 'set', '4addr', 'on'])
5057 subprocess
.check_call(['brctl', 'addif', br_ifname
, ifname
])
5058 wpas
.interface_add(ifname
, br_ifname
=br_ifname
)
5061 id = eap_connect(wpas
, hapd
, "PAX", "pax.user@example.com",
5062 password_hex
="0123456789abcdef0123456789abcdef")
5064 eap_reauth(wpas
, "PAX")
5066 # Try again as a regression test for packet socket workaround
5067 eap_reauth(wpas
, "PAX")
5069 wpas
.request("DISCONNECT")
5070 wpas
.wait_disconnected()
5072 wpas
.request("RECONNECT")
5073 wpas
.wait_connected()
def test_ap_wpa2_eap_session_ticket(dev, apdev):
    """WPA2-Enterprise connection using EAP-TTLS and TLS session ticket enabled

    Connects with EAP-TTLS/PAP while the client is allowed to use TLS session
    tickets (phase1 tls_disable_session_ticket=0) and then forces a
    re-authentication; both the initial connection and the reauth must
    succeed.

    NOTE(review): unlike the *_session_resumption tests later in this file,
    this test does not look at the tls_session_reused status field, so it
    demonstrates that enabling tickets does not break the exchange, not that
    a ticket was actually used on the second authentication.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    hapd = hostapd.add_ap(apdev[0], ap_params)

    # Sanity check on the AP side: the first configured AKM must be WPA-EAP.
    key_mgmt = hapd.get_config()['key_mgmt']
    first_akm = key_mgmt.partition(' ')[0]
    if first_akm != "WPA-EAP":
        raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt)

    eap_connect(dev[0], hapd, "TTLS", "pap user",
                anonymous_identity="ttls", password="password",
                ca_cert="auth_serv/ca.pem",
                phase1="tls_disable_session_ticket=0", phase2="auth=PAP")
    # Second authentication on the same association
    eap_reauth(dev[0], "TTLS")
5089 def test_ap_wpa2_eap_no_workaround(dev
, apdev
):
5090 """WPA2-Enterprise connection using EAP-TTLS and eap_workaround=0"""
5091 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5092 hapd
= hostapd
.add_ap(apdev
[0], params
)
5093 key_mgmt
= hapd
.get_config()['key_mgmt']
5094 if key_mgmt
.split(' ')[0] != "WPA-EAP":
5095 raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt
)
5096 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5097 anonymous_identity
="ttls", password
="password",
5098 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5100 eap_reauth(dev
[0], "TTLS")
5102 def test_ap_wpa2_eap_tls_check_crl(dev
, apdev
):
5103 """EAP-TLS and server checking CRL"""
5104 params
= int_eap_server_params()
5105 params
['check_crl'] = '1'
5106 hapd
= hostapd
.add_ap(apdev
[0], params
)
5108 # check_crl=1 and no CRL available --> reject connection
5109 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5110 client_cert
="auth_serv/user.pem",
5111 private_key
="auth_serv/user.key", expect_failure
=True)
5112 dev
[0].request("REMOVE_NETWORK all")
5115 hapd
.set("ca_cert", "auth_serv/ca-and-crl.pem")
5118 # check_crl=1 and valid CRL --> accept
5119 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5120 client_cert
="auth_serv/user.pem",
5121 private_key
="auth_serv/user.key")
5122 dev
[0].request("REMOVE_NETWORK all")
5125 hapd
.set("check_crl", "2")
5128 # check_crl=2 and valid CRL --> accept
5129 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5130 client_cert
="auth_serv/user.pem",
5131 private_key
="auth_serv/user.key")
5132 dev
[0].request("REMOVE_NETWORK all")
5134 def test_ap_wpa2_eap_tls_oom(dev
, apdev
):
5135 """EAP-TLS and OOM"""
5136 check_subject_match_support(dev
[0])
5137 check_altsubject_match_support(dev
[0])
5138 check_domain_match(dev
[0])
5139 check_domain_match_full(dev
[0])
5141 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5142 hostapd
.add_ap(apdev
[0], params
)
5144 tests
= [ (1, "tls_connection_set_subject_match"),
5145 (2, "tls_connection_set_subject_match"),
5146 (3, "tls_connection_set_subject_match"),
5147 (4, "tls_connection_set_subject_match") ]
5148 for count
, func
in tests
:
5149 with
alloc_fail(dev
[0], count
, func
):
5150 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5151 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5152 client_cert
="auth_serv/user.pem",
5153 private_key
="auth_serv/user.key",
5154 subject_match
="/C=FI/O=w1.fi/CN=server.w1.fi",
5155 altsubject_match
="EMAIL:noone@example.com;DNS:server.w1.fi;URI:http://example.com/",
5156 domain_suffix_match
="server.w1.fi",
5157 domain_match
="server.w1.fi",
5158 wait_connect
=False, scan_freq
="2412")
5159 # TLS parameter configuration error results in CTRL-REQ-PASSPHRASE
5160 ev
= dev
[0].wait_event(["CTRL-REQ-PASSPHRASE"], timeout
=5)
5162 raise Exception("No passphrase request")
5163 dev
[0].request("REMOVE_NETWORK all")
5164 dev
[0].wait_disconnected()
def test_ap_wpa2_eap_tls_macacl(dev, apdev):
    """WPA2-Enterprise connection using MAC ACL

    Brings up the standard WPA2-EAP AP with macaddr_acl set to "2" and
    verifies that dev[1] can still complete an EAP-TLS authentication with
    the test client certificate. (In hostapd.conf, value 2 selects the
    external/RADIUS-backed ACL mode -- confirm against the hostapd.conf in
    this tree.)

    NOTE(review): only the accept path is exercised; no station is expected
    to be rejected by the ACL. Why dev[1] rather than dev[0] is used is not
    visible from this test alone; presumably it depends on which addresses
    the ACL configuration admits.
    """
    ap_params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    ap_params["macaddr_acl"] = "2"
    hapd = hostapd.add_ap(apdev[0], ap_params)

    tls_client = dict(ca_cert="auth_serv/ca.pem",
                      client_cert="auth_serv/user.pem",
                      private_key="auth_serv/user.key")
    eap_connect(dev[1], hapd, "TLS", "tls user", **tls_client)
5175 def test_ap_wpa2_eap_oom(dev
, apdev
):
5176 """EAP server and OOM"""
5177 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5178 hapd
= hostapd
.add_ap(apdev
[0], params
)
5179 dev
[0].scan_for_bss(apdev
[0]['bssid'], freq
=2412)
5181 with
alloc_fail(hapd
, 1, "eapol_auth_alloc"):
5182 # The first attempt fails, but STA will send EAPOL-Start to retry and
5184 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5185 identity
="tls user", ca_cert
="auth_serv/ca.pem",
5186 client_cert
="auth_serv/user.pem",
5187 private_key
="auth_serv/user.key",
5190 def check_tls_ver(dev
, hapd
, phase1
, expected
):
5191 eap_connect(dev
, hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5192 client_cert
="auth_serv/user.pem",
5193 private_key
="auth_serv/user.key",
5195 ver
= dev
.get_status_field("eap_tls_version")
5197 raise Exception("Unexpected TLS version (expected %s): %s" % (expected
, ver
))
5199 def test_ap_wpa2_eap_tls_versions(dev
, apdev
):
5200 """EAP-TLS and TLS version configuration"""
5201 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5202 hapd
= hostapd
.add_ap(apdev
[0], params
)
5204 tls
= dev
[0].request("GET tls_library")
5205 if tls
.startswith("OpenSSL"):
5206 if "build=OpenSSL 1.0.2" in tls
and "run=OpenSSL 1.0.2" in tls
:
5207 check_tls_ver(dev
[0], hapd
,
5208 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1",
5210 elif tls
.startswith("internal"):
5211 check_tls_ver(dev
[0], hapd
,
5212 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1", "TLSv1.2")
5213 check_tls_ver(dev
[1], hapd
,
5214 "tls_disable_tlsv1_0=1 tls_disable_tlsv1_2=1", "TLSv1.1")
5215 check_tls_ver(dev
[2], hapd
,
5216 "tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1", "TLSv1")
5218 def test_rsn_ie_proto_eap_sta(dev
, apdev
):
5219 """RSN element protocol testing for EAP cases on STA side"""
5220 bssid
= apdev
[0]['bssid']
5221 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5222 # This is the RSN element used normally by hostapd
5223 params
['own_ie_override'] = '30140100000fac040100000fac040100000fac010c00'
5224 hapd
= hostapd
.add_ap(apdev
[0], params
)
5225 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5226 identity
="gpsk user",
5227 password
="abcdefghijklmnop0123456789abcdef",
5230 tests
= [ ('No RSN Capabilities field',
5231 '30120100000fac040100000fac040100000fac01'),
5232 ('No AKM Suite fields',
5233 '300c0100000fac040100000fac04'),
5234 ('No Pairwise Cipher Suite fields',
5235 '30060100000fac04'),
5236 ('No Group Data Cipher Suite field',
5238 for txt
,ie
in tests
:
5239 dev
[0].request("DISCONNECT")
5240 dev
[0].wait_disconnected()
5243 hapd
.set('own_ie_override', ie
)
5245 dev
[0].request("BSS_FLUSH 0")
5246 dev
[0].scan_for_bss(bssid
, 2412, force_scan
=True, only_new
=True)
5247 dev
[0].select_network(id, freq
=2412)
5248 dev
[0].wait_connected()
5250 dev
[0].request("DISCONNECT")
5251 dev
[0].wait_disconnected()
5252 dev
[0].flush_scan_cache()
def check_tls_session_resumption_capa(dev, hapd):
    """Skip the current test unless both ends use an OpenSSL-based TLS library.

    hostapd is checked first, then wpa_supplicant; the first side whose
    "GET tls_library" reply does not start with "OpenSSL" raises HwsimSkip
    with a message naming that side and the library it reported.
    """
    checks = [
        (hapd, "hostapd TLS library is not OpenSSL: "),
        (dev, "Session resumption not supported with this TLS library: "),
    ]
    for peer, reason in checks:
        lib = peer.request("GET tls_library")
        if not lib.startswith("OpenSSL"):
            raise HwsimSkip(reason + lib)
5263 def test_eap_ttls_pap_session_resumption(dev
, apdev
):
5264 """EAP-TTLS/PAP session resumption"""
5265 params
= int_eap_server_params()
5266 params
['tls_session_lifetime'] = '60'
5267 hapd
= hostapd
.add_ap(apdev
[0], params
)
5268 check_tls_session_resumption_capa(dev
[0], hapd
)
5269 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5270 anonymous_identity
="ttls", password
="password",
5271 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5273 if dev
[0].get_status_field("tls_session_reused") != '0':
5274 raise Exception("Unexpected session resumption on the first connection")
5276 dev
[0].request("REAUTHENTICATE")
5277 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5279 raise Exception("EAP success timed out")
5280 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5282 raise Exception("Key handshake with the AP timed out")
5283 if dev
[0].get_status_field("tls_session_reused") != '1':
5284 raise Exception("Session resumption not used on the second connection")
5286 def test_eap_ttls_chap_session_resumption(dev
, apdev
):
5287 """EAP-TTLS/CHAP session resumption"""
5288 params
= int_eap_server_params()
5289 params
['tls_session_lifetime'] = '60'
5290 hapd
= hostapd
.add_ap(apdev
[0], params
)
5291 check_tls_session_resumption_capa(dev
[0], hapd
)
5292 eap_connect(dev
[0], hapd
, "TTLS", "chap user",
5293 anonymous_identity
="ttls", password
="password",
5294 ca_cert
="auth_serv/ca.der", phase2
="auth=CHAP")
5295 if dev
[0].get_status_field("tls_session_reused") != '0':
5296 raise Exception("Unexpected session resumption on the first connection")
5298 dev
[0].request("REAUTHENTICATE")
5299 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5301 raise Exception("EAP success timed out")
5302 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5304 raise Exception("Key handshake with the AP timed out")
5305 if dev
[0].get_status_field("tls_session_reused") != '1':
5306 raise Exception("Session resumption not used on the second connection")
5308 def test_eap_ttls_mschap_session_resumption(dev
, apdev
):
5309 """EAP-TTLS/MSCHAP session resumption"""
5310 check_domain_suffix_match(dev
[0])
5311 params
= int_eap_server_params()
5312 params
['tls_session_lifetime'] = '60'
5313 hapd
= hostapd
.add_ap(apdev
[0], params
)
5314 check_tls_session_resumption_capa(dev
[0], hapd
)
5315 eap_connect(dev
[0], hapd
, "TTLS", "mschap user",
5316 anonymous_identity
="ttls", password
="password",
5317 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAP",
5318 domain_suffix_match
="server.w1.fi")
5319 if dev
[0].get_status_field("tls_session_reused") != '0':
5320 raise Exception("Unexpected session resumption on the first connection")
5322 dev
[0].request("REAUTHENTICATE")
5323 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5325 raise Exception("EAP success timed out")
5326 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5328 raise Exception("Key handshake with the AP timed out")
5329 if dev
[0].get_status_field("tls_session_reused") != '1':
5330 raise Exception("Session resumption not used on the second connection")
5332 def test_eap_ttls_mschapv2_session_resumption(dev
, apdev
):
5333 """EAP-TTLS/MSCHAPv2 session resumption"""
5334 check_domain_suffix_match(dev
[0])
5335 check_eap_capa(dev
[0], "MSCHAPV2")
5336 params
= int_eap_server_params()
5337 params
['tls_session_lifetime'] = '60'
5338 hapd
= hostapd
.add_ap(apdev
[0], params
)
5339 check_tls_session_resumption_capa(dev
[0], hapd
)
5340 eap_connect(dev
[0], hapd
, "TTLS", "DOMAIN\mschapv2 user",
5341 anonymous_identity
="ttls", password
="password",
5342 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5343 domain_suffix_match
="server.w1.fi")
5344 if dev
[0].get_status_field("tls_session_reused") != '0':
5345 raise Exception("Unexpected session resumption on the first connection")
5347 dev
[0].request("REAUTHENTICATE")
5348 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5350 raise Exception("EAP success timed out")
5351 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5353 raise Exception("Key handshake with the AP timed out")
5354 if dev
[0].get_status_field("tls_session_reused") != '1':
5355 raise Exception("Session resumption not used on the second connection")
5357 def test_eap_ttls_eap_gtc_session_resumption(dev
, apdev
):
5358 """EAP-TTLS/EAP-GTC session resumption"""
5359 params
= int_eap_server_params()
5360 params
['tls_session_lifetime'] = '60'
5361 hapd
= hostapd
.add_ap(apdev
[0], params
)
5362 check_tls_session_resumption_capa(dev
[0], hapd
)
5363 eap_connect(dev
[0], hapd
, "TTLS", "user",
5364 anonymous_identity
="ttls", password
="password",
5365 ca_cert
="auth_serv/ca.pem", phase2
="autheap=GTC")
5366 if dev
[0].get_status_field("tls_session_reused") != '0':
5367 raise Exception("Unexpected session resumption on the first connection")
5369 dev
[0].request("REAUTHENTICATE")
5370 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5372 raise Exception("EAP success timed out")
5373 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5375 raise Exception("Key handshake with the AP timed out")
5376 if dev
[0].get_status_field("tls_session_reused") != '1':
5377 raise Exception("Session resumption not used on the second connection")
5379 def test_eap_ttls_no_session_resumption(dev
, apdev
):
5380 """EAP-TTLS session resumption disabled on server"""
5381 params
= int_eap_server_params()
5382 params
['tls_session_lifetime'] = '0'
5383 hapd
= hostapd
.add_ap(apdev
[0], params
)
5384 eap_connect(dev
[0], hapd
, "TTLS", "pap user",
5385 anonymous_identity
="ttls", password
="password",
5386 ca_cert
="auth_serv/ca.pem", eap_workaround
='0',
5388 if dev
[0].get_status_field("tls_session_reused") != '0':
5389 raise Exception("Unexpected session resumption on the first connection")
5391 dev
[0].request("REAUTHENTICATE")
5392 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5394 raise Exception("EAP success timed out")
5395 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5397 raise Exception("Key handshake with the AP timed out")
5398 if dev
[0].get_status_field("tls_session_reused") != '0':
5399 raise Exception("Unexpected session resumption on the second connection")
5401 def test_eap_peap_session_resumption(dev
, apdev
):
5402 """EAP-PEAP session resumption"""
5403 params
= int_eap_server_params()
5404 params
['tls_session_lifetime'] = '60'
5405 hapd
= hostapd
.add_ap(apdev
[0], params
)
5406 check_tls_session_resumption_capa(dev
[0], hapd
)
5407 eap_connect(dev
[0], hapd
, "PEAP", "user",
5408 anonymous_identity
="peap", password
="password",
5409 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5410 if dev
[0].get_status_field("tls_session_reused") != '0':
5411 raise Exception("Unexpected session resumption on the first connection")
5413 dev
[0].request("REAUTHENTICATE")
5414 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5416 raise Exception("EAP success timed out")
5417 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5419 raise Exception("Key handshake with the AP timed out")
5420 if dev
[0].get_status_field("tls_session_reused") != '1':
5421 raise Exception("Session resumption not used on the second connection")
5423 def test_eap_peap_session_resumption_crypto_binding(dev
, apdev
):
5424 """EAP-PEAP session resumption with crypto binding"""
5425 params
= int_eap_server_params()
5426 params
['tls_session_lifetime'] = '60'
5427 hapd
= hostapd
.add_ap(apdev
[0], params
)
5428 check_tls_session_resumption_capa(dev
[0], hapd
)
5429 eap_connect(dev
[0], hapd
, "PEAP", "user",
5430 anonymous_identity
="peap", password
="password",
5431 phase1
="peapver=0 crypto_binding=2",
5432 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5433 if dev
[0].get_status_field("tls_session_reused") != '0':
5434 raise Exception("Unexpected session resumption on the first connection")
5436 dev
[0].request("REAUTHENTICATE")
5437 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5439 raise Exception("EAP success timed out")
5440 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5442 raise Exception("Key handshake with the AP timed out")
5443 if dev
[0].get_status_field("tls_session_reused") != '1':
5444 raise Exception("Session resumption not used on the second connection")
5446 def test_eap_peap_no_session_resumption(dev
, apdev
):
5447 """EAP-PEAP session resumption disabled on server"""
5448 params
= int_eap_server_params()
5449 hapd
= hostapd
.add_ap(apdev
[0], params
)
5450 eap_connect(dev
[0], hapd
, "PEAP", "user",
5451 anonymous_identity
="peap", password
="password",
5452 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2")
5453 if dev
[0].get_status_field("tls_session_reused") != '0':
5454 raise Exception("Unexpected session resumption on the first connection")
5456 dev
[0].request("REAUTHENTICATE")
5457 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5459 raise Exception("EAP success timed out")
5460 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5462 raise Exception("Key handshake with the AP timed out")
5463 if dev
[0].get_status_field("tls_session_reused") != '0':
5464 raise Exception("Unexpected session resumption on the second connection")
5466 def test_eap_tls_session_resumption(dev
, apdev
):
5467 """EAP-TLS session resumption"""
5468 params
= int_eap_server_params()
5469 params
['tls_session_lifetime'] = '60'
5470 hapd
= hostapd
.add_ap(apdev
[0], params
)
5471 check_tls_session_resumption_capa(dev
[0], hapd
)
5472 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5473 client_cert
="auth_serv/user.pem",
5474 private_key
="auth_serv/user.key")
5475 if dev
[0].get_status_field("tls_session_reused") != '0':
5476 raise Exception("Unexpected session resumption on the first connection")
5478 dev
[0].request("REAUTHENTICATE")
5479 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5481 raise Exception("EAP success timed out")
5482 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5484 raise Exception("Key handshake with the AP timed out")
5485 if dev
[0].get_status_field("tls_session_reused") != '1':
5486 raise Exception("Session resumption not used on the second connection")
5488 dev
[0].request("REAUTHENTICATE")
5489 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5491 raise Exception("EAP success timed out")
5492 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5494 raise Exception("Key handshake with the AP timed out")
5495 if dev
[0].get_status_field("tls_session_reused") != '1':
5496 raise Exception("Session resumption not used on the third connection")
5498 def test_eap_tls_session_resumption_expiration(dev
, apdev
):
5499 """EAP-TLS session resumption"""
5500 params
= int_eap_server_params()
5501 params
['tls_session_lifetime'] = '1'
5502 hapd
= hostapd
.add_ap(apdev
[0], params
)
5503 check_tls_session_resumption_capa(dev
[0], hapd
)
5504 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5505 client_cert
="auth_serv/user.pem",
5506 private_key
="auth_serv/user.key")
5507 if dev
[0].get_status_field("tls_session_reused") != '0':
5508 raise Exception("Unexpected session resumption on the first connection")
5510 # Allow multiple attempts since OpenSSL may not expire the cached entry
5515 dev
[0].request("REAUTHENTICATE")
5516 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5518 raise Exception("EAP success timed out")
5519 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5521 raise Exception("Key handshake with the AP timed out")
5522 if dev
[0].get_status_field("tls_session_reused") == '0':
5524 if dev
[0].get_status_field("tls_session_reused") != '0':
5525 raise Exception("Session resumption used after lifetime expiration")
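def test_eap_tls_no_session_resumption(dev, apdev):
    """EAP-TLS session resumption disabled on server"""
    # Integrated EAP server defaults: tls_session_lifetime is left unset, so
    # the server must not offer resumption and every connection does a full
    # TLS handshake.
    params = int_eap_server_params()
    hapd = hostapd.add_ap(apdev[0], params)
    eap_connect(dev[0], hapd, "TLS", "tls user", ca_cert="auth_serv/ca.pem",
                client_cert="auth_serv/user.pem",
                private_key="auth_serv/user.key")
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the first connection")

    dev[0].request("REAUTHENTICATE")
    # The "if ev is None" guards below were dropped by the rendering this
    # block was taken from and are restored: a missing event is a test failure.
    ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=10)
    if ev is None:
        raise Exception("EAP success timed out")
    ev = dev[0].wait_event(["WPA: Key negotiation completed"], timeout=10)
    if ev is None:
        raise Exception("Key handshake with the AP timed out")
    # Second connection must also be a full handshake.
    if dev[0].get_status_field("tls_session_reused") != '0':
        raise Exception("Unexpected session resumption on the second connection")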
5547 def test_eap_tls_session_resumption_radius(dev
, apdev
):
5548 """EAP-TLS session resumption (RADIUS)"""
5549 params
= { "ssid": "as", "beacon_int": "2000",
5550 "radius_server_clients": "auth_serv/radius_clients.conf",
5551 "radius_server_auth_port": '18128',
5553 "eap_user_file": "auth_serv/eap_user.conf",
5554 "ca_cert": "auth_serv/ca.pem",
5555 "server_cert": "auth_serv/server.pem",
5556 "private_key": "auth_serv/server.key",
5557 "tls_session_lifetime": "60" }
5558 authsrv
= hostapd
.add_ap(apdev
[1], params
)
5559 check_tls_session_resumption_capa(dev
[0], authsrv
)
5561 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5562 params
['auth_server_port'] = "18128"
5563 hapd
= hostapd
.add_ap(apdev
[0], params
)
5564 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5565 client_cert
="auth_serv/user.pem",
5566 private_key
="auth_serv/user.key")
5567 if dev
[0].get_status_field("tls_session_reused") != '0':
5568 raise Exception("Unexpected session resumption on the first connection")
5570 dev
[0].request("REAUTHENTICATE")
5571 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5573 raise Exception("EAP success timed out")
5574 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5576 raise Exception("Key handshake with the AP timed out")
5577 if dev
[0].get_status_field("tls_session_reused") != '1':
5578 raise Exception("Session resumption not used on the second connection")
5580 def test_eap_tls_no_session_resumption_radius(dev
, apdev
):
5581 """EAP-TLS session resumption disabled (RADIUS)"""
5582 params
= { "ssid": "as", "beacon_int": "2000",
5583 "radius_server_clients": "auth_serv/radius_clients.conf",
5584 "radius_server_auth_port": '18128',
5586 "eap_user_file": "auth_serv/eap_user.conf",
5587 "ca_cert": "auth_serv/ca.pem",
5588 "server_cert": "auth_serv/server.pem",
5589 "private_key": "auth_serv/server.key",
5590 "tls_session_lifetime": "0" }
5591 hostapd
.add_ap(apdev
[1], params
)
5593 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5594 params
['auth_server_port'] = "18128"
5595 hapd
= hostapd
.add_ap(apdev
[0], params
)
5596 eap_connect(dev
[0], hapd
, "TLS", "tls user", ca_cert
="auth_serv/ca.pem",
5597 client_cert
="auth_serv/user.pem",
5598 private_key
="auth_serv/user.key")
5599 if dev
[0].get_status_field("tls_session_reused") != '0':
5600 raise Exception("Unexpected session resumption on the first connection")
5602 dev
[0].request("REAUTHENTICATE")
5603 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
5605 raise Exception("EAP success timed out")
5606 ev
= dev
[0].wait_event(["WPA: Key negotiation completed"], timeout
=10)
5608 raise Exception("Key handshake with the AP timed out")
5609 if dev
[0].get_status_field("tls_session_reused") != '0':
5610 raise Exception("Unexpected session resumption on the second connection")
5612 def test_eap_mschapv2_errors(dev
, apdev
):
5613 """EAP-MSCHAPv2 error cases"""
5614 check_eap_capa(dev
[0], "MSCHAPV2")
5615 check_eap_capa(dev
[0], "FAST")
5617 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5618 hapd
= hostapd
.add_ap(apdev
[0], params
)
5619 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5620 identity
="phase1-user", password
="password",
5622 dev
[0].request("REMOVE_NETWORK all")
5623 dev
[0].wait_disconnected()
5625 tests
= [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5626 (1, "nt_password_hash;mschapv2_derive_response"),
5627 (1, "nt_password_hash;=mschapv2_derive_response"),
5628 (1, "generate_nt_response;mschapv2_derive_response"),
5629 (1, "generate_authenticator_response;mschapv2_derive_response"),
5630 (1, "nt_password_hash;=mschapv2_derive_response"),
5631 (1, "get_master_key;mschapv2_derive_response"),
5632 (1, "os_get_random;eap_mschapv2_challenge_reply") ]
5633 for count
, func
in tests
:
5634 with
fail_test(dev
[0], count
, func
):
5635 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5636 identity
="phase1-user", password
="password",
5637 wait_connect
=False, scan_freq
="2412")
5638 wait_fail_trigger(dev
[0], "GET_FAIL")
5639 dev
[0].request("REMOVE_NETWORK all")
5640 dev
[0].wait_disconnected()
5642 tests
= [ (1, "hash_nt_password_hash;mschapv2_derive_response"),
5643 (1, "hash_nt_password_hash;=mschapv2_derive_response"),
5644 (1, "generate_nt_response_pwhash;mschapv2_derive_response"),
5645 (1, "generate_authenticator_response_pwhash;mschapv2_derive_response") ]
5646 for count
, func
in tests
:
5647 with
fail_test(dev
[0], count
, func
):
5648 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5649 identity
="phase1-user",
5650 password_hex
="hash:8846f7eaee8fb117ad06bdd830b7586c",
5651 wait_connect
=False, scan_freq
="2412")
5652 wait_fail_trigger(dev
[0], "GET_FAIL")
5653 dev
[0].request("REMOVE_NETWORK all")
5654 dev
[0].wait_disconnected()
5656 tests
= [ (1, "eap_mschapv2_init"),
5657 (1, "eap_msg_alloc;eap_mschapv2_challenge_reply"),
5658 (1, "eap_msg_alloc;eap_mschapv2_success"),
5659 (1, "eap_mschapv2_getKey") ]
5660 for count
, func
in tests
:
5661 with
alloc_fail(dev
[0], count
, func
):
5662 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5663 identity
="phase1-user", password
="password",
5664 wait_connect
=False, scan_freq
="2412")
5665 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5666 dev
[0].request("REMOVE_NETWORK all")
5667 dev
[0].wait_disconnected()
5669 tests
= [ (1, "eap_msg_alloc;eap_mschapv2_failure") ]
5670 for count
, func
in tests
:
5671 with
alloc_fail(dev
[0], count
, func
):
5672 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="MSCHAPV2",
5673 identity
="phase1-user", password
="wrong password",
5674 wait_connect
=False, scan_freq
="2412")
5675 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5676 dev
[0].request("REMOVE_NETWORK all")
5677 dev
[0].wait_disconnected()
5679 tests
= [ (2, "eap_mschapv2_init"),
5680 (3, "eap_mschapv2_init") ]
5681 for count
, func
in tests
:
5682 with
alloc_fail(dev
[0], count
, func
):
5683 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="FAST",
5684 anonymous_identity
="FAST", identity
="user",
5685 password
="password",
5686 ca_cert
="auth_serv/ca.pem", phase2
="auth=MSCHAPV2",
5687 phase1
="fast_provisioning=1",
5688 pac_file
="blob://fast_pac",
5689 wait_connect
=False, scan_freq
="2412")
5690 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5691 dev
[0].request("REMOVE_NETWORK all")
5692 dev
[0].wait_disconnected()
5694 def test_eap_gpsk_errors(dev
, apdev
):
5695 """EAP-GPSK error cases"""
5696 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa-eap")
5697 hapd
= hostapd
.add_ap(apdev
[0], params
)
5698 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5699 identity
="gpsk user",
5700 password
="abcdefghijklmnop0123456789abcdef",
5702 dev
[0].request("REMOVE_NETWORK all")
5703 dev
[0].wait_disconnected()
5705 tests
= [ (1, "os_get_random;eap_gpsk_send_gpsk_2", None),
5706 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5708 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2",
5710 (1, "eap_gpsk_derive_keys_helper", None),
5711 (2, "eap_gpsk_derive_keys_helper", None),
5712 (1, "eap_gpsk_compute_mic_aes;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5714 (1, "hmac_sha256;eap_gpsk_compute_mic;eap_gpsk_send_gpsk_2",
5716 (1, "eap_gpsk_compute_mic;eap_gpsk_validate_gpsk_3_mic", None),
5717 (1, "eap_gpsk_compute_mic;eap_gpsk_send_gpsk_4", None),
5718 (1, "eap_gpsk_derive_mid_helper", None) ]
5719 for count
, func
, phase1
in tests
:
5720 with
fail_test(dev
[0], count
, func
):
5721 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5722 identity
="gpsk user",
5723 password
="abcdefghijklmnop0123456789abcdef",
5725 wait_connect
=False, scan_freq
="2412")
5726 wait_fail_trigger(dev
[0], "GET_FAIL")
5727 dev
[0].request("REMOVE_NETWORK all")
5728 dev
[0].wait_disconnected()
5730 tests
= [ (1, "eap_gpsk_init"),
5731 (2, "eap_gpsk_init"),
5732 (3, "eap_gpsk_init"),
5733 (1, "eap_gpsk_process_id_server"),
5734 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_2"),
5735 (1, "eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5736 (1, "eap_gpsk_derive_mid_helper;eap_gpsk_derive_session_id;eap_gpsk_send_gpsk_2"),
5737 (1, "eap_gpsk_derive_keys"),
5738 (1, "eap_gpsk_derive_keys_helper"),
5739 (1, "eap_msg_alloc;eap_gpsk_send_gpsk_4"),
5740 (1, "eap_gpsk_getKey"),
5741 (1, "eap_gpsk_get_emsk"),
5742 (1, "eap_gpsk_get_session_id") ]
5743 for count
, func
in tests
:
5744 with
alloc_fail(dev
[0], count
, func
):
5745 dev
[0].request("ERP_FLUSH")
5746 dev
[0].connect("test-wpa-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5747 identity
="gpsk user", erp
="1",
5748 password
="abcdefghijklmnop0123456789abcdef",
5749 wait_connect
=False, scan_freq
="2412")
5750 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
5751 dev
[0].request("REMOVE_NETWORK all")
5752 dev
[0].wait_disconnected()
5754 def test_ap_wpa2_eap_sim_db(dev
, apdev
, params
):
5755 """EAP-SIM DB error cases"""
5756 sockpath
= '/tmp/hlr_auc_gw.sock-test'
5761 hparams
= int_eap_server_params()
5762 hparams
['eap_sim_db'] = 'unix:' + sockpath
5763 hapd
= hostapd
.add_ap(apdev
[0], hparams
)
5765 # Initial test with hlr_auc_gw socket not available
5766 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP WPA-EAP-SHA256",
5767 eap
="SIM", identity
="1232010000000000",
5768 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581",
5769 scan_freq
="2412", wait_connect
=False)
5770 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5772 raise Exception("EAP-Failure not reported")
5773 dev
[0].wait_disconnected()
5774 dev
[0].request("DISCONNECT")
5776 # Test with invalid responses and response timeout
5778 class test_handler(SocketServer
.DatagramRequestHandler
):
5780 data
= self
.request
[0].strip()
5781 socket
= self
.request
[1]
5782 logger
.debug("Received hlr_auc_gw request: " + data
)
5783 # EAP-SIM DB: Failed to parse response string
5784 socket
.sendto("FOO", self
.client_address
)
5785 # EAP-SIM DB: Failed to parse response string
5786 socket
.sendto("FOO 1", self
.client_address
)
5787 # EAP-SIM DB: Unknown external response
5788 socket
.sendto("FOO 1 2", self
.client_address
)
5789 logger
.info("No proper response - wait for pending eap_sim_db request timeout")
5791 server
= SocketServer
.UnixDatagramServer(sockpath
, test_handler
)
5794 dev
[0].select_network(id)
5795 server
.handle_request()
5796 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=10)
5798 raise Exception("EAP-Failure not reported")
5799 dev
[0].wait_disconnected()
5800 dev
[0].request("DISCONNECT")
5802 # Test with a valid response
5804 class test_handler2(SocketServer
.DatagramRequestHandler
):
5806 data
= self
.request
[0].strip()
5807 socket
= self
.request
[1]
5808 logger
.debug("Received hlr_auc_gw request: " + data
)
5809 fname
= os
.path
.join(params
['logdir'],
5810 'hlr_auc_gw.milenage_db')
5811 cmd
= subprocess
.Popen(['../../hostapd/hlr_auc_gw',
5813 stdout
=subprocess
.PIPE
)
5814 res
= cmd
.stdout
.read().strip()
5816 logger
.debug("hlr_auc_gw response: " + res
)
5817 socket
.sendto(res
, self
.client_address
)
5819 server
.RequestHandlerClass
= test_handler2
5821 dev
[0].select_network(id)
5822 server
.handle_request()
5823 dev
[0].wait_connected()
5824 dev
[0].request("DISCONNECT")
5825 dev
[0].wait_disconnected()
5827 def test_eap_tls_sha512(dev
, apdev
, params
):
5828 """EAP-TLS with SHA512 signature"""
5829 params
= int_eap_server_params()
5830 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
5831 params
["server_cert"] = "auth_serv/sha512-server.pem"
5832 params
["private_key"] = "auth_serv/sha512-server.key"
5833 hostapd
.add_ap(apdev
[0], params
)
5835 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5836 identity
="tls user sha512",
5837 ca_cert
="auth_serv/sha512-ca.pem",
5838 client_cert
="auth_serv/sha512-user.pem",
5839 private_key
="auth_serv/sha512-user.key",
5841 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5842 identity
="tls user sha512",
5843 ca_cert
="auth_serv/sha512-ca.pem",
5844 client_cert
="auth_serv/sha384-user.pem",
5845 private_key
="auth_serv/sha384-user.key",
5848 def test_eap_tls_sha384(dev
, apdev
, params
):
5849 """EAP-TLS with SHA384 signature"""
5850 params
= int_eap_server_params()
5851 params
["ca_cert"] = "auth_serv/sha512-ca.pem"
5852 params
["server_cert"] = "auth_serv/sha384-server.pem"
5853 params
["private_key"] = "auth_serv/sha384-server.key"
5854 hostapd
.add_ap(apdev
[0], params
)
5856 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5857 identity
="tls user sha512",
5858 ca_cert
="auth_serv/sha512-ca.pem",
5859 client_cert
="auth_serv/sha512-user.pem",
5860 private_key
="auth_serv/sha512-user.key",
5862 dev
[1].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
5863 identity
="tls user sha512",
5864 ca_cert
="auth_serv/sha512-ca.pem",
5865 client_cert
="auth_serv/sha384-user.pem",
5866 private_key
="auth_serv/sha384-user.key",
5869 def test_ap_wpa2_eap_assoc_rsn(dev
, apdev
):
5870 """WPA2-Enterprise AP and association request RSN IE differences"""
5871 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
5872 hostapd
.add_ap(apdev
[0], params
)
5874 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap-11w")
5875 params
["ieee80211w"] = "2"
5876 hostapd
.add_ap(apdev
[1], params
)
5878 # Success cases with optional RSN IE fields removed one by one
5879 tests
= [ ("Normal wpa_supplicant assoc req RSN IE",
5880 "30140100000fac040100000fac040100000fac010000"),
5881 ("Extra PMKIDCount field in RSN IE",
5882 "30160100000fac040100000fac040100000fac0100000000"),
5883 ("Extra Group Management Cipher Suite in RSN IE",
5884 "301a0100000fac040100000fac040100000fac0100000000000fac06"),
5885 ("Extra undefined extension field in RSN IE",
5886 "301c0100000fac040100000fac040100000fac0100000000000fac061122"),
5887 ("RSN IE without RSN Capabilities",
5888 "30120100000fac040100000fac040100000fac01"),
5889 ("RSN IE without AKM", "300c0100000fac040100000fac04"),
5890 ("RSN IE without pairwise", "30060100000fac04"),
5891 ("RSN IE without group", "30020100") ]
5892 for title
, ie
in tests
:
5894 set_test_assoc_ie(dev
[0], ie
)
5895 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5896 identity
="gpsk user",
5897 password
="abcdefghijklmnop0123456789abcdef",
5899 dev
[0].request("REMOVE_NETWORK all")
5900 dev
[0].wait_disconnected()
5902 tests
= [ ("Normal wpa_supplicant assoc req RSN IE",
5903 "30140100000fac040100000fac040100000fac01cc00"),
5904 ("Group management cipher included in assoc req RSN IE",
5905 "301a0100000fac040100000fac040100000fac01cc000000000fac06") ]
5906 for title
, ie
in tests
:
5908 set_test_assoc_ie(dev
[0], ie
)
5909 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
5910 eap
="GPSK", identity
="gpsk user",
5911 password
="abcdefghijklmnop0123456789abcdef",
5913 dev
[0].request("REMOVE_NETWORK all")
5914 dev
[0].wait_disconnected()
5916 tests
= [ ("Invalid group cipher", "30060100000fac02", 41),
5917 ("Invalid pairwise cipher", "300c0100000fac040100000fac02", 42) ]
5918 for title
, ie
, status
in tests
:
5920 set_test_assoc_ie(dev
[0], ie
)
5921 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="GPSK",
5922 identity
="gpsk user",
5923 password
="abcdefghijklmnop0123456789abcdef",
5924 scan_freq
="2412", wait_connect
=False)
5925 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5927 raise Exception("Association rejection not reported")
5928 if "status_code=" + str(status
) not in ev
:
5929 raise Exception("Unexpected status code: " + ev
)
5930 dev
[0].request("REMOVE_NETWORK all")
5931 dev
[0].dump_monitor()
5933 tests
= [ ("Management frame protection not enabled",
5934 "30140100000fac040100000fac040100000fac010000", 31),
5935 ("Unsupported management group cipher",
5936 "301a0100000fac040100000fac040100000fac01cc000000000fac0b", 31) ]
5937 for title
, ie
, status
in tests
:
5939 set_test_assoc_ie(dev
[0], ie
)
5940 dev
[0].connect("test-wpa2-eap-11w", key_mgmt
="WPA-EAP", ieee80211w
="1",
5941 eap
="GPSK", identity
="gpsk user",
5942 password
="abcdefghijklmnop0123456789abcdef",
5943 scan_freq
="2412", wait_connect
=False)
5944 ev
= dev
[0].wait_event(["CTRL-EVENT-ASSOC-REJECT"])
5946 raise Exception("Association rejection not reported")
5947 if "status_code=" + str(status
) not in ev
:
5948 raise Exception("Unexpected status code: " + ev
)
5949 dev
[0].request("REMOVE_NETWORK all")
5950 dev
[0].dump_monitor()
def test_eap_tls_ext_cert_check(dev, apdev):
    """EAP-TLS and external server certification validation"""
    # With internal server certificate chain validation (ca_cert is set) in
    # addition to the external check requested via phase1. The network is
    # only added here; run_ext_cert_check() selects it and drives the
    # CTRL-REQ-EXT_CERT_CHECK exchange.
    net_cfg = dict(key_mgmt="WPA-EAP", eap="TLS",
                   identity="tls user",
                   ca_cert="auth_serv/ca.pem",
                   client_cert="auth_serv/user.pem",
                   private_key="auth_serv/user.key",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_ttls_ext_cert_check(dev, apdev):
    """EAP-TTLS and external server certification validation"""
    # Without internal server certificate chain validation: no ca_cert is
    # configured, so the external check requested via phase1 is the only
    # validation of the server certificate. The network is only added here;
    # run_ext_cert_check() selects it and drives the exchange.
    net_cfg = dict(key_mgmt="WPA-EAP", eap="TTLS",
                   identity="pap user", anonymous_identity="ttls",
                   password="password", phase2="auth=PAP",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_cfg)
    run_ext_cert_check(dev, apdev, net_id)
def test_eap_peap_ext_cert_check(dev, apdev):
    """EAP-PEAP and external server certification validation"""
    # With internal server certificate chain validation (ca_cert is set) in
    # addition to the external check requested via phase1. The network is
    # only added here; run_ext_cert_check() selects it and drives the
    # CTRL-REQ-EXT_CERT_CHECK exchange.
    net_cfg = dict(key_mgmt="WPA-EAP", eap="PEAP",
                   identity="user", anonymous_identity="peap",
                   ca_cert="auth_serv/ca.pem",
                   password="password", phase2="auth=MSCHAPV2",
                   phase1="tls_ext_cert_check=1", scan_freq="2412",
                   only_add_network=True)
    net_id = dev[0].connect("test-wpa2-eap", **net_cfg)
    run_ext_cert_check(dev, apdev, net_id)
5985 def test_eap_fast_ext_cert_check(dev
, apdev
):
5986 """EAP-FAST and external server certification validation"""
5987 check_eap_capa(dev
[0], "FAST")
5988 # With internal server certificate chain validation
5989 dev
[0].request("SET blob fast_pac_auth_ext ")
5990 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="FAST",
5991 identity
="user", anonymous_identity
="FAST",
5992 ca_cert
="auth_serv/ca.pem",
5993 password
="password", phase2
="auth=GTC",
5994 phase1
="tls_ext_cert_check=1 fast_provisioning=2",
5995 pac_file
="blob://fast_pac_auth_ext",
5997 only_add_network
=True)
5998 run_ext_cert_check(dev
, apdev
, id)
6000 def run_ext_cert_check(dev
, apdev
, net_id
):
6001 check_ext_cert_check_support(dev
[0])
6002 if not openssl_imported
:
6003 raise HwsimSkip("OpenSSL python method not available")
6005 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6006 hapd
= hostapd
.add_ap(apdev
[0], params
)
6008 dev
[0].select_network(net_id
)
6011 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-PEER-CERT",
6012 "CTRL-REQ-EXT_CERT_CHECK",
6013 "CTRL-EVENT-EAP-SUCCESS"], timeout
=10)
6015 raise Exception("No peer server certificate event seen")
6016 if "CTRL-EVENT-EAP-PEER-CERT" in ev
:
6019 vals
= ev
.split(' ')
6021 if v
.startswith("depth="):
6022 depth
= int(v
.split('=')[1])
6023 elif v
.startswith("cert="):
6024 cert
= v
.split('=')[1]
6025 if depth
is not None and cert
:
6026 certs
[depth
] = binascii
.unhexlify(cert
)
6027 elif "CTRL-EVENT-EAP-SUCCESS" in ev
:
6028 raise Exception("Unexpected EAP-Success")
6029 elif "CTRL-REQ-EXT_CERT_CHECK" in ev
:
6030 id = ev
.split(':')[0].split('-')[-1]
6033 raise Exception("Server certificate not received")
6035 raise Exception("Server certificate issuer not received")
6037 cert
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6039 cn
= cert
.get_subject().commonName
6040 logger
.info("Server certificate CN=" + cn
)
6042 issuer
= OpenSSL
.crypto
.load_certificate(OpenSSL
.crypto
.FILETYPE_ASN1
,
6044 icn
= issuer
.get_subject().commonName
6045 logger
.info("Issuer certificate CN=" + icn
)
6047 if cn
!= "server.w1.fi":
6048 raise Exception("Unexpected server certificate CN: " + cn
)
6049 if icn
!= "Root CA":
6050 raise Exception("Unexpected server certificate issuer CN: " + icn
)
6052 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=0.1)
6054 raise Exception("Unexpected EAP-Success before external check result indication")
6056 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":good")
6057 dev
[0].wait_connected()
6059 dev
[0].request("DISCONNECT")
6060 dev
[0].wait_disconnected()
6061 if "FAIL" in dev
[0].request("PMKSA_FLUSH"):
6062 raise Exception("PMKSA_FLUSH failed")
6063 dev
[0].request("SET blob fast_pac_auth_ext ")
6064 dev
[0].request("RECONNECT")
6066 ev
= dev
[0].wait_event(["CTRL-REQ-EXT_CERT_CHECK"], timeout
=10)
6068 raise Exception("No peer server certificate event seen (2)")
6069 id = ev
.split(':')[0].split('-')[-1]
6070 dev
[0].request("CTRL-RSP-EXT_CERT_CHECK-" + id + ":bad")
6071 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-FAILURE"], timeout
=5)
6073 raise Exception("EAP-Failure not reported")
6074 dev
[0].request("REMOVE_NETWORK all")
6075 dev
[0].wait_disconnected()
6077 def test_eap_tls_errors(dev
, apdev
):
6078 """EAP-TLS error cases"""
6079 params
= int_eap_server_params()
6080 params
['fragment_size'] = '100'
6081 hostapd
.add_ap(apdev
[0], params
)
6082 with
alloc_fail(dev
[0], 1,
6083 "eap_peer_tls_reassemble_fragment"):
6084 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6085 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6086 client_cert
="auth_serv/user.pem",
6087 private_key
="auth_serv/user.key",
6088 wait_connect
=False, scan_freq
="2412")
6089 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6090 dev
[0].request("REMOVE_NETWORK all")
6091 dev
[0].wait_disconnected()
6093 with
alloc_fail(dev
[0], 1, "eap_tls_init"):
6094 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6095 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6096 client_cert
="auth_serv/user.pem",
6097 private_key
="auth_serv/user.key",
6098 wait_connect
=False, scan_freq
="2412")
6099 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6100 dev
[0].request("REMOVE_NETWORK all")
6101 dev
[0].wait_disconnected()
6103 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init"):
6104 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6105 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6106 client_cert
="auth_serv/user.pem",
6107 private_key
="auth_serv/user.key",
6109 wait_connect
=False, scan_freq
="2412")
6110 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6111 ev
= dev
[0].wait_event(["CTRL-REQ-PIN"], timeout
=5)
6113 raise Exception("No CTRL-REQ-PIN seen")
6114 dev
[0].request("REMOVE_NETWORK all")
6115 dev
[0].wait_disconnected()
6117 tests
= [ "eap_peer_tls_derive_key;eap_tls_success",
6118 "eap_peer_tls_derive_session_id;eap_tls_success",
6121 "eap_tls_get_session_id" ]
6123 with
alloc_fail(dev
[0], 1, func
):
6124 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TLS",
6125 identity
="tls user", ca_cert
="auth_serv/ca.pem",
6126 client_cert
="auth_serv/user.pem",
6127 private_key
="auth_serv/user.key",
6129 wait_connect
=False, scan_freq
="2412")
6130 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6131 dev
[0].request("REMOVE_NETWORK all")
6132 dev
[0].wait_disconnected()
6134 with
alloc_fail(dev
[0], 1, "eap_unauth_tls_init"):
6135 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6136 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6137 wait_connect
=False, scan_freq
="2412")
6138 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6139 dev
[0].request("REMOVE_NETWORK all")
6140 dev
[0].wait_disconnected()
6142 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_unauth_tls_init"):
6143 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="UNAUTH-TLS",
6144 identity
="unauth-tls", ca_cert
="auth_serv/ca.pem",
6145 wait_connect
=False, scan_freq
="2412")
6146 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6147 dev
[0].request("REMOVE_NETWORK all")
6148 dev
[0].wait_disconnected()
6150 with
alloc_fail(dev
[0], 1, "eap_wfa_unauth_tls_init"):
6151 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6152 eap
="WFA-UNAUTH-TLS",
6153 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6154 wait_connect
=False, scan_freq
="2412")
6155 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6156 dev
[0].request("REMOVE_NETWORK all")
6157 dev
[0].wait_disconnected()
6159 with
alloc_fail(dev
[0], 1, "eap_peer_tls_ssl_init;eap_wfa_unauth_tls_init"):
6160 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
6161 eap
="WFA-UNAUTH-TLS",
6162 identity
="osen@example.com", ca_cert
="auth_serv/ca.pem",
6163 wait_connect
=False, scan_freq
="2412")
6164 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
6165 dev
[0].request("REMOVE_NETWORK all")
6166 dev
[0].wait_disconnected()
6168 def test_ap_wpa2_eap_status(dev
, apdev
):
6169 """EAP state machine status information"""
6170 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6171 hostapd
.add_ap(apdev
[0], params
)
6172 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="PEAP",
6173 identity
="cert user",
6174 ca_cert
="auth_serv/ca.pem", phase2
="auth=TLS",
6175 ca_cert2
="auth_serv/ca.pem",
6176 client_cert2
="auth_serv/user.pem",
6177 private_key2
="auth_serv/user.key",
6178 scan_freq
="2412", wait_connect
=False)
6184 selected_methods
= []
6185 for i
in range(100000):
6186 s
= dev
[0].get_status(extra
="VERBOSE")
6187 if 'EAP state' in s
:
6188 state
= s
['EAP state']
6190 if state
not in states
:
6191 states
.append(state
)
6192 if state
== "SUCCESS":
6195 if 'methodState' in s
:
6196 val
= s
['methodState']
6197 if val
not in method_states
:
6198 method_states
.append(val
)
6201 if val
not in decisions
:
6202 decisions
.append(val
)
6203 if 'reqMethod' in s
:
6204 val
= s
['reqMethod']
6205 if val
not in req_methods
:
6206 req_methods
.append(val
)
6207 if 'selectedMethod' in s
:
6208 val
= s
['selectedMethod']
6209 if val
not in selected_methods
:
6210 selected_methods
.append(val
)
6211 logger
.info("Iterations: %d" % i
)
6212 logger
.info("EAP states: " + str(states
))
6213 logger
.info("methodStates: " + str(method_states
))
6214 logger
.info("decisions: " + str(decisions
))
6215 logger
.info("reqMethods: " + str(req_methods
))
6216 logger
.info("selectedMethods: " + str(selected_methods
))
6218 raise Exception("EAP did not succeed")
6219 dev
[0].wait_connected()
6220 dev
[0].request("REMOVE_NETWORK all")
6221 dev
[0].wait_disconnected()
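def test_ap_wpa2_eap_gpsk_ptk_rekey_ap(dev, apdev):
    """WPA2-Enterprise with EAP-GPSK and PTK rekey enforced by AP"""
    params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
    # Short PTK lifetime so the AP-initiated rekey happens during the wait
    # below rather than after the test has finished.
    params['wpa_ptk_rekey'] = '2'
    hapd = hostapd.add_ap(apdev[0], params)
    # The network id returned by eap_connect() is not needed afterwards.
    eap_connect(dev[0], hapd, "GPSK", "gpsk user",
                password="abcdefghijklmnop0123456789abcdef")
    # Second key negotiation after the initial connection is the AP-driven
    # PTK rekey. The "if ev is None" guard was dropped by the rendering this
    # block was taken from and is restored here.
    ev = dev[0].wait_event(["WPA: Key negotiation completed"])
    if ev is None:
        raise Exception("PTK rekey timed out")
    # Data path must still work with the rekeyed PTK.
    hwsim_utils.test_connectivity(dev[0], hapd)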
6235 def test_ap_wpa2_eap_wildcard_ssid(dev
, apdev
):
6236 """WPA2-Enterprise connection using EAP-GPSK and wildcard SSID"""
6237 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
6238 hapd
= hostapd
.add_ap(apdev
[0], params
)
6239 dev
[0].connect(bssid
=apdev
[0]['bssid'], key_mgmt
="WPA-EAP", eap
="GPSK",
6240 identity
="gpsk user",
6241 password
="abcdefghijklmnop0123456789abcdef",